From 5333f390b0e45ffc818f85a175133e02163c8976 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 30 Aug 2024 08:07:18 +0000 Subject: [PATCH 01/74] wip --- Cargo.lock | 70 ++++++++++++---------- Cargo.toml | 9 +-- libcrux-ml-kem/fuzz/.gitignore | 4 ++ libcrux-ml-kem/fuzz/Cargo.toml | 21 +++++++ libcrux-ml-kem/fuzz/fuzz_targets/keygen.rs | 14 +++++ 5 files changed, 83 insertions(+), 35 deletions(-) create mode 100644 libcrux-ml-kem/fuzz/.gitignore create mode 100644 libcrux-ml-kem/fuzz/Cargo.toml create mode 100644 libcrux-ml-kem/fuzz/fuzz_targets/keygen.rs diff --git a/Cargo.lock b/Cargo.lock index a1c59cba6..5b4005df5 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -143,7 +143,7 @@ dependencies = [ "regex", "rustc-hash", "shlex", - "syn 2.0.75", + "syn 2.0.76", "which", ] @@ -191,9 +191,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.1.13" +version = "1.1.15" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72db2f7947ecee9b03b510377e8bb9077afa27176fdbff55c51027e976fdcc48" +checksum = "57b6a275aa2903740dc87da01c62040406b8812552e97129a63ea8850a17c6e6" dependencies = [ "jobserver", "libc", @@ -319,7 +319,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.76", ] [[package]] @@ -483,7 +483,7 @@ checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.76", ] [[package]] @@ -702,7 +702,7 @@ dependencies = [ [[package]] name = "hax-lib" version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/?branch=main#096f0eb5c5eeefd65ad48e37b824bf6f4661c843" +source = "git+https://github.com/hacspec/hax/?branch=main#503591c020c485c283f7a40d0c139029ac7ceca5" dependencies = [ "hax-lib-macros 0.1.0-pre.1 (git+https://github.com/hacspec/hax/?branch=main)", "num-bigint", 
@@ -712,7 +712,7 @@ dependencies = [ [[package]] name = "hax-lib" version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/#096f0eb5c5eeefd65ad48e37b824bf6f4661c843" +source = "git+https://github.com/hacspec/hax/#503591c020c485c283f7a40d0c139029ac7ceca5" dependencies = [ "hax-lib-macros 0.1.0-pre.1 (git+https://github.com/hacspec/hax/)", "num-bigint", @@ -722,33 +722,33 @@ dependencies = [ [[package]] name = "hax-lib-macros" version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/?branch=main#096f0eb5c5eeefd65ad48e37b824bf6f4661c843" +source = "git+https://github.com/hacspec/hax/?branch=main#503591c020c485c283f7a40d0c139029ac7ceca5" dependencies = [ "hax-lib-macros-types 0.1.0-pre.1 (git+https://github.com/hacspec/hax/?branch=main)", "paste", "proc-macro-error", "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.76", ] [[package]] name = "hax-lib-macros" version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/#096f0eb5c5eeefd65ad48e37b824bf6f4661c843" +source = "git+https://github.com/hacspec/hax/#503591c020c485c283f7a40d0c139029ac7ceca5" dependencies = [ "hax-lib-macros-types 0.1.0-pre.1 (git+https://github.com/hacspec/hax/)", "paste", "proc-macro-error", "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.76", ] [[package]] name = "hax-lib-macros-types" version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/?branch=main#096f0eb5c5eeefd65ad48e37b824bf6f4661c843" +source = "git+https://github.com/hacspec/hax/?branch=main#503591c020c485c283f7a40d0c139029ac7ceca5" dependencies = [ "proc-macro2", "quote", @@ -760,7 +760,7 @@ dependencies = [ [[package]] name = "hax-lib-macros-types" version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/#096f0eb5c5eeefd65ad48e37b824bf6f4661c843" +source = "git+https://github.com/hacspec/hax/#503591c020c485c283f7a40d0c139029ac7ceca5" dependencies = [ "proc-macro2", "quote", 
@@ -1051,6 +1051,14 @@ dependencies = [ "serde_json", ] +[[package]] +name = "libcrux-ml-kem-fuzz" +version = "0.0.0" +dependencies = [ + "libcrux-ml-kem", + "libfuzzer-sys", +] + [[package]] name = "libcrux-platform" version = "0.0.2-alpha.3" @@ -1239,7 +1247,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.76", ] [[package]] @@ -1401,12 +1409,12 @@ dependencies = [ [[package]] name = "prettyplease" -version = "0.2.20" +version = "0.2.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f12335488a2f3b0a83b14edad48dca9879ce89b2edd10e80237e4e852dd645e" +checksum = "479cf940fbbb3426c32c5d5176f62ad57549a0bb84773423ba8be9d089f5faba" dependencies = [ "proc-macro2", - "syn 2.0.75", + "syn 2.0.76", ] [[package]] @@ -1475,9 +1483,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.36" +version = "1.0.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fa76aaf39101c457836aec0ce2316dbdc3ab723cdda1c6bd4e6ad4208acaca7" +checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af" dependencies = [ "proc-macro2", ] @@ -1594,18 +1602,18 @@ checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2" [[package]] name = "rustc_version" -version = "0.4.0" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366" +checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92" dependencies = [ "semver", ] [[package]] name = "rustix" -version = "0.38.34" +version = "0.38.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "70dc5ec042f7a43c4a73241207cecc9873a06d45debb38b329f8541d85c2730f" +checksum = "a85d50532239da68e9addb745ba38ff4612a242c1c7ceea689c4bc7c2f43c36f" dependencies = [ "bitflags", "errno", 
@@ -1672,7 +1680,7 @@ checksum = "a5831b979fd7b5439637af1752d535ff49f4860c0f341d1baeb6faf0f4242170" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.76", ] [[package]] @@ -1771,9 +1779,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.75" +version = "2.0.76" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6af063034fc1935ede7be0122941bafa9bacb949334d090b77ca98b5817c7d9" +checksum = "578e081a14e0cefc3279b0472138c513f37b41a08d5a3cca9b6e4e8ceb6cd525" dependencies = [ "proc-macro2", "quote", @@ -1892,7 +1900,7 @@ dependencies = [ "once_cell", "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.76", "wasm-bindgen-shared", ] @@ -1926,7 +1934,7 @@ checksum = "afc340c74d9005395cf9dd098506f7f44e38f2b4a21c6aaacf9a105ea5e1e836" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.76", "wasm-bindgen-backend", "wasm-bindgen-shared", ] @@ -1960,7 +1968,7 @@ checksum = "4b8220be1fa9e4c889b30fd207d4906657e7e90b12e0e6b0c8b8d8709f5de021" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.76", ] [[package]] @@ -2118,7 +2126,7 @@ checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.76", ] [[package]] @@ -2138,5 +2146,5 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.76", ] diff --git a/Cargo.toml b/Cargo.toml index 3bd1be7a9..838c2cade 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -8,6 +8,7 @@ members = [ "benchmarks", "fuzz", "libcrux-ml-kem", + "libcrux-ml-kem/fuzz", "libcrux-sha3", "libcrux-ml-dsa", "libcrux-intrinsics", 
@@ -56,7 +57,7 @@ exclude = [
 [lib]
 crate-type = ["staticlib", "cdylib", "lib"]
-bench = false # so libtest doesn't eat the arguments for criterion
+bench = false # so libtest doesn't eat the arguments for criterion
 [build-dependencies]
 libcrux-platform = { version = "=0.0.2-alpha.3", path = "sys/platform" }
@@ -98,12 +99,12 @@ wasm-bindgen-test = "0.3"
 getrandom = { version = "0.2", features = ["js"] }
 [features]
-hacspec = [] # TODO: #7 Use specs instead of efficient implementations
+hacspec = [] # TODO: #7 Use specs instead of efficient implementations
 rand = []
 wasm = ["wasm-bindgen", "getrandom"]
 log = ["dep:log"]
-tests = [] # Expose functions for testing.
-experimental = [] # Expose experimental APIs.
+tests = [] # Expose functions for testing.
+experimental = [] # Expose experimental APIs.
 [profile.release]
 lto = "fat"
diff --git a/libcrux-ml-kem/fuzz/.gitignore b/libcrux-ml-kem/fuzz/.gitignore
new file mode 100644
index 000000000..1a45eee77
--- /dev/null
+++ b/libcrux-ml-kem/fuzz/.gitignore
@@ -0,0 +1,4 @@
+target
+corpus
+artifacts
+coverage
diff --git a/libcrux-ml-kem/fuzz/Cargo.toml b/libcrux-ml-kem/fuzz/Cargo.toml
new file mode 100644
index 000000000..bb90026a9
--- /dev/null
+++ b/libcrux-ml-kem/fuzz/Cargo.toml
@@ -0,0 +1,21 @@
+[package]
+name = "libcrux-ml-kem-fuzz"
+version = "0.0.0"
+publish = false
+edition = "2021"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+
+[dependencies.libcrux-ml-kem]
+path = ".."
+
+[[bin]]
+name = "keygen"
+path = "fuzz_targets/keygen.rs"
+test = false
+doc = false
+bench = false
diff --git a/libcrux-ml-kem/fuzz/fuzz_targets/keygen.rs b/libcrux-ml-kem/fuzz/fuzz_targets/keygen.rs
new file mode 100644
index 000000000..5af308d21
--- /dev/null
+++ b/libcrux-ml-kem/fuzz/fuzz_targets/keygen.rs
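Review bot: `[dependencies.libcrux-ml-kem]` is declared with `path = ".."` and no features, so unless the operator passes `--features` on the `cargo fuzz run` line the three targets exercise only whatever backend the crate's default feature set compiles; the `simd128`/`simd256` opt-in features used by the sibling sha3 and ml-dsa crates in this series suggest the SIMD arithmetic — the code most likely to hide an overflow or lane-shuffle bug — would then go unfuzzed (ml-kem's own feature list is not visible from this patch). A comment above the dependency would make that explicit, e.g. `# Default build fuzzes the portable backend only; pass --features libcrux-ml-kem/simd256 (or simd128) to cover the SIMD code paths.`, once the feature names are confirmed against ml-kem's Cargo.toml.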
@@ -0,0 +1,14 @@
+#![no_main]
+
+use libcrux_ml_kem::{mlkem768, KEY_GENERATION_SEED_SIZE};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ if data.len() < KEY_GENERATION_SEED_SIZE {
+ // We need enough entropy.
+ return;
+ }
+ let mut randomness = [0u8; KEY_GENERATION_SEED_SIZE];
+ randomness.copy_from_slice(&data[..KEY_GENERATION_SEED_SIZE]);
+ let _ = core::hint::black_box(mlkem768::generate_key_pair(randomness));
+});
From d4049e3f35e2a16e30681633dd5cc73808d61ee6 Mon Sep 17 00:00:00 2001
From: Franziskus Kiefer
Date: Fri, 30 Aug 2024 10:15:10 +0200
Subject: [PATCH 02/74] fuzzers for ml-kem
---
 libcrux-ml-kem/fuzz/Cargo.toml | 14 ++++++++++++
 libcrux-ml-kem/fuzz/fuzz_targets/decaps.rs | 25 ++++++++++++++++++++++
 libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs | 23 ++++++++++++++++++++
 libcrux-sha3/src/lib.rs | 1 +
 4 files changed, 63 insertions(+)
 create mode 100644 libcrux-ml-kem/fuzz/fuzz_targets/decaps.rs
 create mode 100644 libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs
diff --git a/libcrux-ml-kem/fuzz/Cargo.toml b/libcrux-ml-kem/fuzz/Cargo.toml
index bb90026a9..ccb5bed0d 100644
--- a/libcrux-ml-kem/fuzz/Cargo.toml
+++ b/libcrux-ml-kem/fuzz/Cargo.toml
@@ -19,3 +19,17 @@ path = "fuzz_targets/keygen.rs"
 test = false
 doc = false
 bench = false
+
+[[bin]]
+name = "encaps"
+path = "fuzz_targets/encaps.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "decaps"
+path = "fuzz_targets/decaps.rs"
+test = false
+doc = false
+bench = false
diff --git a/libcrux-ml-kem/fuzz/fuzz_targets/decaps.rs b/libcrux-ml-kem/fuzz/fuzz_targets/decaps.rs
new file mode 100644
index 000000000..f2aaa8a28
--- /dev/null
+++ b/libcrux-ml-kem/fuzz/fuzz_targets/decaps.rs
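Review bot: Everything past the first `KEY_GENERATION_SEED_SIZE` bytes of `data` is silently dropped by the `copy_from_slice(&data[..KEY_GENERATION_SEED_SIZE])`, so most mutations libFuzzer applies to a longer input are no-ops, and the `// We need enough entropy.` comment misdescribes the guard — fuzzer bytes are a deterministic seed, not entropy. Suggest `// The seed must be exactly KEY_GENERATION_SEED_SIZE bytes: shorter inputs are skipped, longer ones are truncated.` and running the target with `-max_len` equal to the seed size so the search space is the seed itself. As written the target only detects panics/UB inside key generation; the generated key pair is never checked or round-tripped, which is fine for a first target but worth stating in a comment so nobody reads it as a correctness oracle.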
@@ -0,0 +1,25 @@
+#![no_main]
+
+use libcrux_ml_kem::{mlkem768, ENCAPS_SEED_SIZE, KEY_GENERATION_SEED_SIZE};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ if data.len() < KEY_GENERATION_SEED_SIZE + ENCAPS_SEED_SIZE {
+ // Not enough entropy
+ return;
+ }
+
+ let mut randomness = [0u8; KEY_GENERATION_SEED_SIZE];
+ randomness.copy_from_slice(&data[..KEY_GENERATION_SEED_SIZE]);
+
+ let key_pair = mlkem768::generate_key_pair(randomness);
+
+ let mut randomness = [0u8; ENCAPS_SEED_SIZE];
+ randomness.copy_from_slice(
+ &data[KEY_GENERATION_SEED_SIZE..KEY_GENERATION_SEED_SIZE + ENCAPS_SEED_SIZE],
+ );
+
+ let (ct, _ss) = mlkem768::encapsulate(key_pair.public_key(), randomness);
+
+ let _ = core::hint::black_box(mlkem768::decapsulate(key_pair.private_key(), &ct));
+});
diff --git a/libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs b/libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs
new file mode 100644
index 000000000..9ead66c04
--- /dev/null
+++ b/libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs
@@ -0,0 +1,23 @@
+#![no_main]
+
+use libcrux_ml_kem::{mlkem768, ENCAPS_SEED_SIZE, KEY_GENERATION_SEED_SIZE};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ if data.len() < KEY_GENERATION_SEED_SIZE + ENCAPS_SEED_SIZE {
+ // Not enough entropy
+ return;
+ }
+
+ let mut randomness = [0u8; KEY_GENERATION_SEED_SIZE];
+ randomness.copy_from_slice(&data[..KEY_GENERATION_SEED_SIZE]);
+
+ let key_pair = mlkem768::generate_key_pair(randomness);
+
+ let mut randomness = [0u8; ENCAPS_SEED_SIZE];
+ randomness.copy_from_slice(
+ &data[KEY_GENERATION_SEED_SIZE..KEY_GENERATION_SEED_SIZE + ENCAPS_SEED_SIZE],
+ );
+
+ let _ = core::hint::black_box(mlkem768::encapsulate(key_pair.public_key(), randomness));
+});
diff --git a/libcrux-sha3/src/lib.rs b/libcrux-sha3/src/lib.rs
index e4f7e33bc..d112e05e0 100644
--- a/libcrux-sha3/src/lib.rs
+++ b/libcrux-sha3/src/lib.rs
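Review bot: The decaps target throws away both shared secrets — `_ss` from `encapsulate` and the `black_box`-ed result of `decapsulate` — so it can only surface panics, never a wrong answer; keeping `ss` and comparing turns the same run into a correctness oracle for the full keygen→encaps→decaps path: `let (ct, ss) = mlkem768::encapsulate(key_pair.public_key(), randomness);` / `let ss_dec = mlkem768::decapsulate(key_pair.private_key(), &ct);` / `assert_eq!(ss, ss_dec);` (assuming the shared-secret type is comparable; its definition is not in this patch). It also only ever decapsulates a well-formed ciphertext it produced itself, so the implicit-rejection branch that handles attacker-controlled ciphertexts in practice is never reached; using the bytes after the two seeds to build or corrupt `ct` before decapsulating would cover it, which depends on the ciphertext type offering a byte constructor or mutable view. The `// Not enough entropy` comment describes a length check on deterministic fuzz bytes, not entropy; `// Need both seeds; skip shorter inputs.` says what it does.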
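Review bot: The encaps target only ever hands `encapsulate` a public key it generated itself in the same iteration, so the decoding and validation of an untrusted public key — the one input an encapsulator actually receives from the network, and the check FIPS 203 mandates before encapsulation — is never exercised; as written this target is nearly a superset of the keygen target plus one honest encapsulation. A second target that builds the public key from raw fuzz bytes and runs the crate's public-key validation followed by `encapsulate` would cover that path, provided the crate exposes such a constructor (not visible in this patch). A one-line comment at the top, e.g. `// Honest-path only: keygen + encaps from fuzz-supplied seeds; untrusted public keys are not covered here.`, would keep the scope clear.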
@@ -936,6 +936,7 @@ pub mod avx2 {
 absorb_final, squeeze_first_three_blocks, squeeze_next_block, KeccakState as GenericState,
 };
+ #[cfg(feature = "simd256")]
 use crate::generic_keccak::{squeeze_first_block, squeeze_first_five_blocks};
 #[cfg(feature = "simd256")]
 use libcrux_intrinsics::avx2::*;
From 4db4adc7185e3eee80b80c463389b3529d245468 Mon Sep 17 00:00:00 2001
From: Karthikeyan Bhargavan Date: Sun, 22 Sep 2024 18:00:06 +0200 Subject: [PATCH 03/74] fstar extraction for ml-dsa --- libcrux-ml-dsa/Cargo.toml | 4 +- libcrux-ml-dsa/hax.py | 172 + .../extraction/Libcrux_ml_dsa.Arithmetic.fst | 540 +++ .../extraction/Libcrux_ml_dsa.Arithmetic.fsti | 73 + .../extraction/Libcrux_ml_dsa.Constants.fsti | 43 + .../Libcrux_ml_dsa.Encoding.Commitment.fst | 170 + .../Libcrux_ml_dsa.Encoding.Commitment.fsti | 28 + .../Libcrux_ml_dsa.Encoding.Error.fst | 243 + .../Libcrux_ml_dsa.Encoding.Error.fsti | 40 + .../Libcrux_ml_dsa.Encoding.Gamma1.fst | 194 + .../Libcrux_ml_dsa.Encoding.Gamma1.fsti | 30 + .../Libcrux_ml_dsa.Encoding.Signature.fst | 356 ++ .../Libcrux_ml_dsa.Encoding.Signature.fsti | 37 + .../Libcrux_ml_dsa.Encoding.Signing_key.fst | 328 ++ .../Libcrux_ml_dsa.Encoding.Signing_key.fsti | 34 + .../extraction/Libcrux_ml_dsa.Encoding.T0.fst | 180 + .../Libcrux_ml_dsa.Encoding.T0.fsti | 36 + .../extraction/Libcrux_ml_dsa.Encoding.T1.fst | 129 + .../Libcrux_ml_dsa.Encoding.T1.fsti | 26 + ...bcrux_ml_dsa.Encoding.Verification_key.fst | 166 + ...crux_ml_dsa.Encoding.Verification_key.fsti | 29 + .../Libcrux_ml_dsa.Hash_functions.Neon.fsti | 460 ++ ...Libcrux_ml_dsa.Hash_functions.Portable.fst | 13 + ...ibcrux_ml_dsa.Hash_functions.Portable.fsti | 439 ++ ...ibcrux_ml_dsa.Hash_functions.Shake128.fsti | 58 + ...ibcrux_ml_dsa.Hash_functions.Shake256.fsti | 106 + ...Libcrux_ml_dsa.Hash_functions.Simd256.fsti | 383 ++ .../extraction/Libcrux_ml_dsa.Matrix.fst | 473 ++ .../extraction/Libcrux_ml_dsa.Matrix.fsti | 90 + .../Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst | 47 + .../Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti | 28 + .../Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst | 47 + .../Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti | 28 + .../Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst | 47 + .../Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti | 28 + .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst | 47 + .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti | 108 + .../Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst | 47 + 
.../Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti | 28 + .../Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst | 47 + .../Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti | 28 + .../Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst | 47 + .../Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti | 28 + .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst | 47 + .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti | 108 + .../Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst | 47 + .../Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti | 28 + .../Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst | 47 + .../Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti | 28 + .../Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst | 47 + .../Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti | 28 + .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst | 47 + .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti | 108 + ...dsa.Ml_dsa_generic.Instantiations.Avx2.fst | 56 + ...sa.Ml_dsa_generic.Instantiations.Avx2.fsti | 47 + ...dsa.Ml_dsa_generic.Instantiations.Neon.fst | 57 + ...sa.Ml_dsa_generic.Instantiations.Neon.fsti | 48 + ...Ml_dsa_generic.Instantiations.Portable.fst | 56 + ...l_dsa_generic.Instantiations.Portable.fsti | 47 + ...rux_ml_dsa.Ml_dsa_generic.Multiplexing.fst | 100 + ...ux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti | 37 + .../Libcrux_ml_dsa.Ml_dsa_generic.fst | 777 ++++ .../Libcrux_ml_dsa.Ml_dsa_generic.fsti | 85 + .../fstar/extraction/Libcrux_ml_dsa.Ntt.fst | 696 +++ .../fstar/extraction/Libcrux_ml_dsa.Ntt.fsti | 148 + .../extraction/Libcrux_ml_dsa.Polynomial.fst | 260 ++ .../extraction/Libcrux_ml_dsa.Polynomial.fsti | 55 + .../extraction/Libcrux_ml_dsa.Sample.fst | 1286 ++++++ .../extraction/Libcrux_ml_dsa.Sample.fsti | 117 + .../extraction/Libcrux_ml_dsa.Samplex4.fst | 2080 +++++++++ .../extraction/Libcrux_ml_dsa.Samplex4.fsti | 106 + .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst | 350 ++ .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti | 50 + ...x_ml_dsa.Simd.Avx2.Encoding.Commitment.fst | 151 + ..._ml_dsa.Simd.Avx2.Encoding.Commitment.fsti | 7 + ...ibcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst | 251 ++ 
...bcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti | 37 + ...bcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst | 311 ++ ...crux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti | 40 + .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst | 128 + .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti | 15 + .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst | 134 + .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti | 12 + .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fst | 139 + .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti | 26 + ...md.Avx2.Rejection_sample.Less_than_eta.fst | 149 + ...d.Avx2.Rejection_sample.Less_than_eta.fsti | 10 + ...jection_sample.Less_than_field_modulus.fst | 142 + ...ection_sample.Less_than_field_modulus.fsti | 12 + ...md.Avx2.Rejection_sample.Shuffle_table.fst | 107 + ...d.Avx2.Rejection_sample.Shuffle_table.fsti | 140 + .../extraction/Libcrux_ml_dsa.Simd.Avx2.fsti | 462 ++ ...ibcrux_ml_dsa.Simd.Portable.Arithmetic.fst | 674 +++ ...bcrux_ml_dsa.Simd.Portable.Arithmetic.fsti | 83 + ..._dsa.Simd.Portable.Encoding.Commitment.fst | 69 + ...dsa.Simd.Portable.Encoding.Commitment.fsti | 7 + ...ux_ml_dsa.Simd.Portable.Encoding.Error.fst | 339 ++ ...x_ml_dsa.Simd.Portable.Encoding.Error.fsti | 46 + ...x_ml_dsa.Simd.Portable.Encoding.Gamma1.fst | 785 ++++ ..._ml_dsa.Simd.Portable.Encoding.Gamma1.fsti | 52 + ...bcrux_ml_dsa.Simd.Portable.Encoding.T0.fst | 714 +++ ...crux_ml_dsa.Simd.Portable.Encoding.T0.fsti | 23 + ...bcrux_ml_dsa.Simd.Portable.Encoding.T1.fst | 148 + ...crux_ml_dsa.Simd.Portable.Encoding.T1.fsti | 18 + .../Libcrux_ml_dsa.Simd.Portable.Ntt.fst | 843 ++++ .../Libcrux_ml_dsa.Simd.Portable.Ntt.fsti | 40 + .../Libcrux_ml_dsa.Simd.Portable.Sample.fst | 123 + .../Libcrux_ml_dsa.Simd.Portable.Sample.fsti | 13 + .../Libcrux_ml_dsa.Simd.Portable.fsti | 347 ++ .../extraction/Libcrux_ml_dsa.Simd.Traits.fst | 11 + .../Libcrux_ml_dsa.Simd.Traits.fsti | 196 + .../fstar/extraction/Libcrux_ml_dsa.Types.fst | 16 + .../extraction/Libcrux_ml_dsa.Types.fsti | 45 + .../fstar/extraction/Libcrux_ml_dsa.Utils.fst | 37 + 
.../extraction/Libcrux_ml_dsa.Utils.fsti | 8 + .../proofs/fstar/extraction/Makefile | 3 + .../proofs/fstar/extraction/dep.graph | 3894 +++++++++++++++++ 117 files changed, 23283 insertions(+), 2 deletions(-) create mode 100755 libcrux-ml-dsa/hax.py create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst create mode 100644 
libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti create mode 100644 
libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti create 
mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst create mode 
100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti create mode 100644 
libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Makefile create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/dep.graph diff --git a/libcrux-ml-dsa/Cargo.toml b/libcrux-ml-dsa/Cargo.toml index 3f8c04df1..6be06c20c 100644 --- a/libcrux-ml-dsa/Cargo.toml +++ b/libcrux-ml-dsa/Cargo.toml @@ -29,8 +29,8 @@ criterion = "0.5" pqcrypto-dilithium = { version = "0.5.0" } #, default-features = false [features] -simd128 = [] -simd256 = [] +simd128 = ["libcrux-sha3/simd128", "libcrux-intrinsics/simd128"] +simd256 = ["libcrux-sha3/simd256", "libcrux-intrinsics/simd256"] [[bench]] name = "manual44" 
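Review bot: `simd128`/`simd256` now forward to `libcrux-sha3` and `libcrux-intrinsics`, and Cargo unifies features per build, so enabling `simd256` on ml-dsa also switches the shared SHA-3 and intrinsics crates to their SIMD code for every other crate compiled in the same invocation (ml-kem included); a comment above `[features]` would spare the next reader that surprise, e.g. `# Compile-time opt-ins. They also enable the matching backend in libcrux-sha3 and libcrux-intrinsics for the whole build.`. Whether the AVX2/NEON paths remain gated by runtime CPU detection once these features are on is not visible in this hunk and is worth confirming, since a build that dispatches on the feature flag alone would fault on hosts without the extension. The `[dependencies]` entries these feature strings refer to sit above the hunk.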
diff --git a/libcrux-ml-dsa/hax.py b/libcrux-ml-dsa/hax.py
new file mode 100755
index 000000000..d6183de4f
--- /dev/null
+++ b/libcrux-ml-dsa/hax.py
@@ -0,0 +1,172 @@ +#! /usr/bin/env python3 + +import os +import argparse +import subprocess +import sys + + +def shell(command, expect=0, cwd=None, env={}): + subprocess_stdout = subprocess.DEVNULL + + print("Env:", env) + print("Command: ", end="") + for i, word in enumerate(command): + if i == 4: + print("'{}' ".format(word), end="") + else: + print("{} ".format(word), end="") + + print("\nDirectory: {}".format(cwd)) + + os_env = os.environ + os_env.update(env) + + ret = subprocess.run(command, cwd=cwd, env=os_env) + if ret.returncode != expect: + raise Exception("Error {}. Expected {}.".format(ret, expect)) + + +class extractAction(argparse.Action): + + def __call__(self, parser, args, values, option_string=None) -> None: + # Extract platform interfaces + include_str = "+:** -**::x86::init::cpuid -**::x86::init::cpuid_count" + interface_include = "+**" + cargo_hax_into = [ + "cargo", + "hax", + "into", + "-i", + include_str, + "fstar", + "--z3rlimit", + "80", + "--interfaces", + interface_include, + ] + hax_env = {} + shell( + cargo_hax_into, + cwd="../sys/platform", + env=hax_env, + ) + + # Extract intrinsics interfaces + include_str = "+:**" + interface_include = "+**" + cargo_hax_into = [ + "cargo", + "hax", + "-C", + "--features", + "simd128,simd256", + ";", + "into", + "-i", + include_str, + "fstar", + "--z3rlimit", + "80", + "--interfaces", + interface_include, + ] + hax_env = {} + shell( + cargo_hax_into, + cwd="../libcrux-intrinsics", + env=hax_env, + ) + + # Extract ml-dsa + includes = [ + "+**", + "-libcrux_ml_dsa::hash_functions::portable::*", + "-libcrux_ml_dsa::hash_functions::avx2::*", + "-libcrux_ml_dsa::hash_functions::neon::*", + "+:libcrux_ml_dsa::hash_functions::*::*", + ] + include_str = " ".join(includes) + interface_include = "+**" + cargo_hax_into = [ + "cargo", + "hax", + "-C", + "--features", + "simd128,simd256", + ";", + "into", + "-i", + include_str, + "fstar", + "--z3rlimit", + "100", + "--interfaces", + interface_include, + ] + 
hax_env = {} + shell( + cargo_hax_into, + cwd=".", + env=hax_env, + ) + return None + + +class proveAction(argparse.Action): + + def __call__(self, parser, args, values, option_string=None) -> None: + admit_env = {} + if args.admit: + admit_env = {"OTHERFLAGS": "--admit_smt_queries true"} + shell(["make", "-C", "proofs/fstar/extraction/"], env=admit_env) + return None + + +def parse_arguments(): + parser = argparse.ArgumentParser( + description="Libcrux prove script. " + + "Make sure to separate sub-command arguments with --." + ) + subparsers = parser.add_subparsers() + + extract_parser = subparsers.add_parser( + "extract", help="Extract the F* code for the proofs." + ) + extract_parser.add_argument("extract", nargs="*", action=extractAction) + + prover_parser = subparsers.add_parser( + "prove", + help=""" + Run F*. + + This typechecks the extracted code. + To lax-typecheck use --admit. + """, + ) + prover_parser.add_argument( + "--admit", + help="Admit all smt queries to lax typecheck.", + action="store_true", + ) + prover_parser.add_argument( + "prove", + nargs="*", + action=proveAction, + ) + + if len(sys.argv) == 1: + parser.print_help(sys.stderr) + sys.exit(1) + + return parser.parse_args() + + +def main(): + # Don't print unnecessary Python stack traces. + sys.tracebacklimit = 0 + parse_arguments() + + +if __name__ == "__main__": + main() diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst new file mode 100644 index 000000000..06406f5df --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst 
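Review bot: In `shell()` the line `os_env = os.environ` binds the live process environment, so the following `os_env.update(env)` writes the caller's variables into the real environment rather than a copy, and they persist into every later `subprocess.run` of the same invocation; the mutable default `env={}` adds a second shared-state hazard. Build a fresh mapping instead: `def shell(command, expect=0, cwd=None, env=None):` and `os_env = {**os.environ, **(env or {})}`. Separately, the command echo quotes whichever word sits at index 4, which is the `-i` include string only for the first `cargo hax into` command in `extractAction`; in the two commands that begin with `-C --features ... ;` the include string is at index 8, so the wrong word is quoted. `print("Command:", shlex.join(command))` (with `import shlex`) quotes exactly the words that contain spaces, and the unused `subprocess_stdout` assignment can go at the same time.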
@@ -0,0 +1,540 @@ +module Libcrux_ml_dsa.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let decompose_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let vector_low:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let vector_high:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let vector_high, vector_low:(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_DIMENSION + (fun temp_0_ temp_1_ -> + let vector_high, vector_low:(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (vector_high, vector_low + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (fun temp_0_ i -> + let vector_high, vector_low:(t_Array + 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + temp_0_ + in + let i:usize = i in + Rust_primitives.Hax.Folds.fold_range (sz 0) + Libcrux_ml_dsa.Polynomial.v_SIMD_UNITS_IN_RING_ELEMENT + (fun temp_0_ temp_1_ -> + let vector_high, vector_low:(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + ) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (vector_high, vector_low + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (fun temp_0_ j -> + let vector_high, vector_low:(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + ) = + temp_0_ + in + let j:usize = j in + let low, high:(v_SIMDUnit & v_SIMDUnit) = + Libcrux_ml_dsa.Simd.Traits.f_decompose #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_GAMMA2 + ((t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + in + let vector_low:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vector_low + i + ({ + (vector_low.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (vector_low.[ i + ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + low + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let 
vector_high:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vector_high + i + ({ + (vector_high.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (vector_high.[ i + ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + high + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + vector_high, vector_low + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + )) + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + in + vector_low, vector_high + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + +let power2round_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (t + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun temp_0_ temp_1_ -> + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (t0, t1 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (fun temp_0_ temp_1_ -> + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + temp_0_ + in + let i, ring_element:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + temp_1_ + in + Rust_primitives.Hax.Folds.fold_enumerated_slice (ring_element + .Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun temp_0_ temp_1_ -> + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + ) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (t0, t1 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (fun temp_0_ temp_1_ -> + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION 
+ ) = + temp_0_ + in + let j, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + let t0_unit, t1_unit:(v_SIMDUnit & v_SIMDUnit) = + Libcrux_ml_dsa.Simd.Traits.f_power2round #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0 + i + ({ + (t0.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t0.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + t0_unit + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 + i + ({ + (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t1.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + t1_unit + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + t0, t1 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + )) + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + in + t0, t1 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) 
v_DIMENSION) + +let shift_left_then_reduce + (#v_SIMDUnit: Type0) + (v_SHIFT_BY: i32) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun out temp_1_ -> + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in + let _:usize = temp_1_ in + true) + out + (fun out temp_1_ -> + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + { + out with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_shift_left_then_reduce #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_SHIFT_BY + simd_unit + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + out + +let use_hint + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (hint: t_Array (t_Array i32 (sz 256)) v_DIMENSION) + (re_vector: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let result:t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_DIMENSION + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let i:usize = i in + let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (hint.[ i ] <: t_Slice i32) + in + Rust_primitives.Hax.Folds.fold_range (sz 0) + Libcrux_ml_dsa.Polynomial.v_SIMD_UNITS_IN_RING_ELEMENT + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let _:usize = temp_1_ in + true) + result + (fun result j -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let j:usize = j in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + ({ + (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (result.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + (Libcrux_ml_dsa.Simd.Traits.f_use_hint #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_GAMMA2 + ((re_vector.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + in + result + +let vector_infinity_norm_exceeds + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (bound: i32) + = + let exceeds:bool = false in + let exceeds:bool = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (vector <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + exceeds + (fun exceeds ring_element -> + let exceeds:bool = exceeds in + let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + ring_element + in + exceeds |. 
+ (Libcrux_ml_dsa.Polynomial.impl__infinity_norm_exceeds #v_SIMDUnit ring_element bound + <: + bool) + <: + bool) + in + exceeds + +let make_hint + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (low high: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let hint:t_Array (t_Array i32 (sz 256)) v_DIMENSION = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) + v_DIMENSION + in + let true_hints:usize = sz 0 in + let hint, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_DIMENSION + (fun temp_0_ temp_1_ -> + let hint, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) = temp_0_ in + let _:usize = temp_1_ in + true) + (hint, true_hints <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize)) + (fun temp_0_ i -> + let hint, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) = temp_0_ in + let i:usize = i in + let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (hint_simd, true_hints + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ j -> + let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + usize) = + temp_0_ + in + let j:usize = j in + let one_hints_count, 
current_hint:(usize & v_SIMDUnit) = + Libcrux_ml_dsa.Simd.Traits.f_compute_hint #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_GAMMA2 + ((low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + ((high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + in + let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + hint_simd with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint_simd + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + current_hint + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let true_hints:usize = true_hints +! one_hints_count in + hint_simd, true_hints + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + let hint:t_Array (t_Array i32 (sz 256)) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + i + (Libcrux_ml_dsa.Polynomial.impl__to_i32_array #v_SIMDUnit hint_simd + <: + t_Array i32 (sz 256)) + in + hint, true_hints <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize)) + in + hint, true_hints <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti new file mode 100644 index 000000000..aa749b797 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti 
@@ -0,0 +1,73 @@ +module Libcrux_ml_dsa.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +val decompose_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val power2round_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val shift_left_then_reduce + (#v_SIMDUnit: Type0) + (v_SHIFT_BY: i32) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val use_hint + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (hint: t_Array (t_Array i32 (sz 256)) v_DIMENSION) + (re_vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + ) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun 
_ -> Prims.l_True) + +val vector_infinity_norm_exceeds + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (bound: i32) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val make_hint + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (low high: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti new file mode 100644 index 000000000..64663d6c1 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti 
@@ -0,0 +1,43 @@ +module Libcrux_ml_dsa.Constants +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_IN_LOWER_PART_OF_T: usize = sz 13 + +let v_BYTES_FOR_VERIFICATION_KEY_HASH: usize = sz 64 + +let v_COEFFICIENTS_IN_RING_ELEMENT: usize = sz 256 + +let v_FIELD_MODULUS: i32 = 8380417l + +let v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH: usize = sz 23 + +let v_BITS_IN_UPPER_PART_OF_T: usize = + v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! v_BITS_IN_LOWER_PART_OF_T + +/// Number of bytes of entropy required for key generation. +let v_KEY_GENERATION_RANDOMNESS_SIZE: usize = sz 32 + +let v_MASK_SEED_SIZE: usize = sz 64 + +let v_MESSAGE_REPRESENTATIVE_SIZE: usize = sz 64 + +let v_REJECTION_SAMPLE_BOUND: usize = sz 576 + +let v_RING_ELEMENT_OF_T0S_SIZE: usize = + (v_BITS_IN_LOWER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 + +let v_RING_ELEMENT_OF_T1S_SIZE: usize = + (v_BITS_IN_UPPER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 + +let v_SEED_FOR_A_SIZE: usize = sz 32 + +let v_SEED_FOR_ERROR_VECTORS_SIZE: usize = sz 64 + +let v_SEED_FOR_SIGNING_SIZE: usize = sz 32 + +/// Number of bytes of entropy required for signing. +let v_SIGNING_RANDOMNESS_SIZE: usize = sz 32 + +let v_VERIFIER_CHALLENGE_SEED_SIZE: usize = sz 32 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst new file mode 100644 index 000000000..8634dfbe9 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst 
@@ -0,0 +1,170 @@ +module Libcrux_ml_dsa.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize + (#v_SIMDUnit: Type0) + (v_OUTPUT_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 128uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_commitment_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 4) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_SIZE) + in + serialized + | 192uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start + = + i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_commitment_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 6) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_SIZE) + in + serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let serialize_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION v_RING_ELEMENT_SIZE v_OUTPUT_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let (offset: usize):usize = sz 0 in + let offset, serialized:(usize & t_Array u8 v_OUTPUT_SIZE) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (vector <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (offset, serialized <: (usize & t_Array u8 v_OUTPUT_SIZE)) + (fun temp_0_ ring_element -> + let offset, serialized:(usize & t_Array u8 v_OUTPUT_SIZE) = temp_0_ in + let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + ring_element + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! 
v_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (serialize #v_SIMDUnit v_RING_ELEMENT_SIZE ring_element <: t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! v_RING_ELEMENT_SIZE in + offset, serialized <: (usize & t_Array u8 v_OUTPUT_SIZE)) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti new file mode 100644 index 000000000..0becaf037 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti @@ -0,0 +1,28 @@ +module Libcrux_ml_dsa.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 4 + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 6 + +val serialize + (#v_SIMDUnit: Type0) + (v_OUTPUT_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION v_RING_ELEMENT_SIZE v_OUTPUT_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst new file mode 100644 index 000000000..13791781d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst 
@@ -0,0 +1,243 @@ +module Libcrux_ml_dsa.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize + (#v_SIMDUnit: Type0) + (v_ETA v_OUTPUT_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + match cast (v_ETA <: usize) <: u8 with + | 2uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 3) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_SIZE) + in + serialized + | 4uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start + = + i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 4) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_SIZE) + in + serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let deserialize + (#v_SIMDUnit: Type0) + (v_ETA: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> Core.Slice.impl__chunks #u8 serialized (sz 3) + | 4uy -> Core.Slice.impl__chunks #u8 serialized (sz 4) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (result, serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) + ) + (fun temp_0_ i -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let i:usize = i in + let tmp0, 
out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = + Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + serialized_chunks + in + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in + ({ + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_error_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_ETA + (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), + serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8)) + in + result + +let deserialize_to_vector_then_ntt + (#v_SIMDUnit: Type0) + (v_DIMENSION v_ETA v_RING_ELEMENT_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Iter.Adapters.Enumerate.t_Enumerate + (Core.Slice.Iter.t_Chunks u8)) + #FStar.Tactics.Typeclasses.solve + (Core.Iter.Traits.Iterator.f_enumerate #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 serialized v_RING_ELEMENT_SIZE + <: + Core.Slice.Iter.t_Chunks u8) + <: + Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8)) + <: + Core.Iter.Adapters.Enumerate.t_Enumerate 
(Core.Slice.Iter.t_Chunks u8)) + ring_elements + (fun ring_elements temp_1_ -> + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + ring_elements + in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialize #v_SIMDUnit v_ETA bytes + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + in + ring_elements diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti new file mode 100644 index 000000000..1c5ff5310 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti 
@@ -0,0 +1,40 @@ +module Libcrux_ml_dsa.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 3 + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 4 + +val serialize + (#v_SIMDUnit: Type0) + (v_ETA v_OUTPUT_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize + (#v_SIMDUnit: Type0) + (v_ETA: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_to_vector_then_ntt + (#v_SIMDUnit: Type0) + (v_DIMENSION v_ETA v_RING_ELEMENT_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst new file mode 100644 index 000000000..8a0fb95e9 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst 
@@ -0,0 +1,194 @@ +module Libcrux_ml_dsa.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize + (#v_SIMDUnit: Type0) + (v_GAMMA1_EXPONENT v_OUTPUT_BYTES: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_BYTES = Rust_primitives.Hax.repeat 0uy v_OUTPUT_BYTES in + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> + let serialized:t_Array u8 v_OUTPUT_BYTES = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 18) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_BYTES) + in + serialized + | 19uy -> + let serialized:t_Array u8 v_OUTPUT_BYTES = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start + = + i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 20) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_BYTES) + in + serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let deserialize + (#v_SIMDUnit: Type0) + (v_GAMMA1_EXPONENT: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> Core.Slice.impl__chunks #u8 serialized (sz 18) + | 19uy -> Core.Slice.impl__chunks #u8 serialized (sz 20) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (result, serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) + ) + (fun temp_0_ i -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let 
i:usize = i in + let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = + Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + serialized_chunks + in + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in + ({ + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_gamma1_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_GAMMA1_EXPONENT + (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), + serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8)) + in + result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti new file mode 100644 index 000000000..af09de778 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti 
@@ -0,0 +1,30 @@ +module Libcrux_ml_dsa.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 18 + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 20 + +val serialize + (#v_SIMDUnit: Type0) + (v_GAMMA1_EXPONENT v_OUTPUT_BYTES: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_BYTES) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize + (#v_SIMDUnit: Type0) + (v_GAMMA1_EXPONENT: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst new file mode 100644 index 000000000..49c7979b3 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst 
@@ -0,0 +1,356 @@ +module Libcrux_ml_dsa.Encoding.Signature +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let impl__deserialize + (#v_SIMDUnit: Type0) + (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Array u8 v_SIGNATURE_SIZE) + = + let commitment_hash, rest_of_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 (serialized <: t_Slice u8) v_COMMITMENT_HASH_SIZE + in + let signer_response_serialized, hint_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + rest_of_serialized + (v_GAMMA1_RING_ELEMENT_SIZE *! 
v_COLUMNS_IN_A <: usize) + in + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A + in + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_COLUMNS_IN_A + (fun signer_response temp_1_ -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + signer_response + in + let _:usize = temp_1_ in + true) + signer_response + (fun signer_response i -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + signer_response + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signer_response + i + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (signer_response_serialized.[ { + Core.Ops.Range.f_start = i *! v_GAMMA1_RING_ELEMENT_SIZE <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
v_GAMMA1_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + in + let hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) + v_ROWS_IN_A + in + let previous_true_hints_seen:usize = sz 0 in + let i:usize = sz 0 in + let malformed_hint:bool = false in + let hint, i, malformed_hint, previous_true_hints_seen:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & + usize & + bool & + usize) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let hint, i, malformed_hint, previous_true_hints_seen:(t_Array (t_Array i32 (sz 256)) + v_ROWS_IN_A & + usize & + bool & + usize) = + temp_0_ + in + (i <. v_ROWS_IN_A <: bool) && (~.malformed_hint <: bool)) + (hint, i, malformed_hint, previous_true_hints_seen + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize)) + (fun temp_0_ -> + let hint, i, malformed_hint, previous_true_hints_seen:(t_Array (t_Array i32 (sz 256)) + v_ROWS_IN_A & + usize & + bool & + usize) = + temp_0_ + in + let current_true_hints_seen:usize = + cast (hint_serialized.[ v_MAX_ONES_IN_HINT +! i <: usize ] <: u8) <: usize + in + let malformed_hint:bool = + if + current_true_hints_seen <. previous_true_hints_seen || + previous_true_hints_seen >. v_MAX_ONES_IN_HINT + then + let malformed_hint:bool = true in + malformed_hint + else malformed_hint + in + let j:usize = previous_true_hints_seen in + let hint, j, malformed_hint:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let hint, j, malformed_hint:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & + bool) = + temp_0_ + in + (~.malformed_hint <: bool) && (j <. 
current_true_hints_seen <: bool)) + (hint, j, malformed_hint + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool)) + (fun temp_0_ -> + let hint, j, malformed_hint:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & + bool) = + temp_0_ + in + let malformed_hint:bool = + if + j >. previous_true_hints_seen && + (hint_serialized.[ j ] <: u8) <=. + (hint_serialized.[ j -! sz 1 <: usize ] <: u8) + then + let malformed_hint:bool = true in + malformed_hint + else malformed_hint + in + if ~.malformed_hint + then + let hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + i + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (hint.[ i ] + <: + t_Array i32 (sz 256)) + (cast (hint_serialized.[ j ] <: u8) <: usize) + 1l + <: + t_Array i32 (sz 256)) + in + let j:usize = j +! sz 1 in + hint, j, malformed_hint + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool) + else + hint, j, malformed_hint + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool)) + in + if ~.malformed_hint + then + let previous_true_hints_seen:usize = current_true_hints_seen in + let i:usize = i +! sz 1 in + hint, i, malformed_hint, previous_true_hints_seen + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize) + else + hint, i, malformed_hint, previous_true_hints_seen + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize)) + in + let i:usize = previous_true_hints_seen in + let i, malformed_hint:(usize & bool) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let i, malformed_hint:(usize & bool) = temp_0_ in + (i <. v_MAX_ONES_IN_HINT <: bool) && (~.malformed_hint <: bool)) + (i, malformed_hint <: (usize & bool)) + (fun temp_0_ -> + let i, malformed_hint:(usize & bool) = temp_0_ in + let malformed_hint:bool = + if (hint_serialized.[ i ] <: u8) <>. 
0uy + then + let malformed_hint:bool = true in + malformed_hint + else malformed_hint + in + let i:usize = i +! sz 1 in + i, malformed_hint <: (usize & bool)) + in + if malformed_hint + then + Core.Result.Result_Err + (Libcrux_ml_dsa.Ml_dsa_generic.VerificationError_MalformedHintError + <: + Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + <: + Core.Result.t_Result + (Libcrux_ml_dsa.Ml_dsa_generic.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A) Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError + else + Core.Result.Result_Ok + ({ + Libcrux_ml_dsa.Ml_dsa_generic.f_commitment_hash + = + Core.Result.impl__unwrap #(t_Array u8 v_COMMITMENT_HASH_SIZE) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 v_COMMITMENT_HASH_SIZE) + #FStar.Tactics.Typeclasses.solve + commitment_hash + <: + Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) Core.Array.t_TryFromSliceError); + Libcrux_ml_dsa.Ml_dsa_generic.f_signer_response = signer_response; + Libcrux_ml_dsa.Ml_dsa_generic.f_hint = hint + } + <: + Libcrux_ml_dsa.Ml_dsa_generic.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A) + <: + Core.Result.t_Result + (Libcrux_ml_dsa.Ml_dsa_generic.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A) Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError + +let impl__serialize + (#v_SIMDUnit: Type0) + (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self: + Libcrux_ml_dsa.Ml_dsa_generic.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A) + = + let signature:t_Array u8 v_SIGNATURE_SIZE = Rust_primitives.Hax.repeat 0uy v_SIGNATURE_SIZE in + let offset:usize = sz 0 in + let signature:t_Array u8 v_SIGNATURE_SIZE = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_COMMITMENT_HASH_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signature.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_COMMITMENT_HASH_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (self.Libcrux_ml_dsa.Ml_dsa_generic.f_commitment_hash <: t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! v_COMMITMENT_HASH_SIZE in + let offset, signature:(usize & t_Array u8 v_SIGNATURE_SIZE) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_COLUMNS_IN_A + (fun temp_0_ temp_1_ -> + let offset, signature:(usize & t_Array u8 v_SIGNATURE_SIZE) = temp_0_ in + let _:usize = temp_1_ in + true) + (offset, signature <: (usize & t_Array u8 v_SIGNATURE_SIZE)) + (fun temp_0_ i -> + let offset, signature:(usize & t_Array u8 v_SIGNATURE_SIZE) = temp_0_ in + let i:usize = i in + let signature:t_Array u8 v_SIGNATURE_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_GAMMA1_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signature.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_GAMMA1_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Encoding.Gamma1.serialize #v_SIMDUnit + v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE + (self.Libcrux_ml_dsa.Ml_dsa_generic.f_signer_response.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! 
v_GAMMA1_RING_ELEMENT_SIZE in + offset, signature <: (usize & t_Array u8 v_SIGNATURE_SIZE)) + in + let true_hints_seen:usize = sz 0 in + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_ROWS_IN_A + (fun temp_0_ temp_1_ -> + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let _:usize = temp_1_ in + true) + (signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + (fun temp_0_ i -> + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let i:usize = i in + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (self + .Libcrux_ml_dsa.Ml_dsa_generic.f_hint.[ i ] + <: + t_Array i32 (sz 256)) + (fun temp_0_ temp_1_ -> + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let _:usize = temp_1_ in + true) + (signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + (fun temp_0_ temp_1_ -> + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let j, hint:(usize & i32) = temp_1_ in + if hint =. 1l <: bool + then + let signature:t_Array u8 v_SIGNATURE_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature + (offset +! true_hints_seen <: usize) + (cast (j <: usize) <: u8) + in + let true_hints_seen:usize = true_hints_seen +! sz 1 in + signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize) + else signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + in + let signature:t_Array u8 v_SIGNATURE_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature + ((offset +! v_MAX_ONES_IN_HINT <: usize) +! i <: usize) + (cast (true_hints_seen <: usize) <: u8) + in + signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + in + signature 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti new file mode 100644 index 000000000..a3b5fb565 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti @@ -0,0 +1,37 @@ +module Libcrux_ml_dsa.Encoding.Signature +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +val impl__deserialize + (#v_SIMDUnit: Type0) + (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: + usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure + (Core.Result.t_Result + (Libcrux_ml_dsa.Ml_dsa_generic.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A) Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val impl__serialize + (#v_SIMDUnit: Type0) + (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: + usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self: + Libcrux_ml_dsa.Ml_dsa_generic.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A) + : Prims.Pure (t_Array u8 v_SIGNATURE_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst new file mode 100644 index 000000000..a24840641 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst 
@@ -0,0 +1,328 @@ +module Libcrux_ml_dsa.Encoding.Signing_key +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_serialized + (#v_SIMDUnit #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (seed_for_A seed_for_signing verification_key: t_Slice u8) + (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + = + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.repeat 0uy v_SIGNING_KEY_SIZE + in + let offset:usize = sz 0 in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + seed_for_A + <: + t_Slice u8) + in + let offset:usize = offset +! 
Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + seed_for_signing + <: + t_Slice u8) + in + let offset:usize = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE in + let verification_key_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let verification_key_hash:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 64) + verification_key + verification_key_hash + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (verification_key_hash <: t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! 
Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH in + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + (fun temp_0_ ring_element -> + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = temp_0_ in + let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + ring_element + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit + v_ETA + v_ERROR_RING_ELEMENT_SIZE + ring_element + <: + t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! 
v_ERROR_RING_ELEMENT_SIZE in + offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + in + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + (fun temp_0_ ring_element -> + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = temp_0_ in + let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + ring_element + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit + v_ETA + v_ERROR_RING_ELEMENT_SIZE + ring_element + <: + t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! 
v_ERROR_RING_ELEMENT_SIZE in + offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + in + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + (fun temp_0_ ring_element -> + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = temp_0_ in + let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + ring_element + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Encoding.T0.serialize #v_SIMDUnit ring_element <: t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! 
Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE in + offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + in + signing_key_serialized + +let deserialize_then_ntt + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Array u8 v_SIGNING_KEY_SIZE) + = + let seed_for_A, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (serialized <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + in + let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + in + let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! v_COLUMNS_IN_A <: usize) + in + let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! 
v_ROWS_IN_A <: usize) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + s1_serialized + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + v_ROWS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + s2_serialized + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit v_ROWS_IN_A t0_serialized + in + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_A + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError), + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_signing + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError), + Core.Result.impl__unwrap #(t_Array u8 (sz 64)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 64)) + #FStar.Tactics.Typeclasses.solve + verification_key_hash + <: + Core.Result.t_Result (t_Array u8 (sz 64)) Core.Array.t_TryFromSliceError), + s1_as_ntt, + s2_as_ntt, + t0_as_ntt + <: + (t_Array u8 (sz 32) & t_Array u8 (sz 32) & t_Array u8 (sz 64) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti new file mode 100644 index 000000000..b3a5e4ce9 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti @@ -0,0 +1,34 @@ +module Libcrux_ml_dsa.Encoding.Signing_key +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +val generate_serialized + (#v_SIMDUnit #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (seed_for_A seed_for_signing verification_key: t_Slice u8) + (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize_then_ntt + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Array u8 v_SIGNING_KEY_SIZE) + : Prims.Pure + (t_Array u8 (sz 32) & t_Array u8 (sz 32) & t_Array u8 (sz 64) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst new file mode 100644 index 000000000..87f2457a2 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst 
@@ -0,0 +1,180 @@ +module Libcrux_ml_dsa.Encoding.T0 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 (sz 416) = Rust_primitives.Hax.repeat 0uy (sz 416) in + let serialized:t_Array u8 (sz 416) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 416) = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 416) = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_t0_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 (sz 416)) + in + serialized + +let deserialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = + Core.Slice.impl__chunks #u8 serialized (sz 13) + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (result, serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) + ) + (fun temp_0_ i -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let i:usize = i in + let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = + Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + serialized_chunks + in + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in + ({ + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + 
(Libcrux_ml_dsa.Simd.Traits.f_t0_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), + serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8)) + in + result + +let deserialize_to_vector_then_ntt + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Iter.Adapters.Enumerate.t_Enumerate + (Core.Slice.Iter.t_Chunks u8)) + #FStar.Tactics.Typeclasses.solve + (Core.Iter.Traits.Iterator.f_enumerate #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 + serialized + Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE + <: + Core.Slice.Iter.t_Chunks u8) + <: + Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8)) + <: + Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8)) + ring_elements + (fun ring_elements temp_1_ -> + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + ring_elements + in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialize #v_SIMDUnit bytes + <: + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + in + ring_elements diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti new file mode 100644 index 000000000..d77a07950 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti @@ -0,0 +1,36 @@ +module Libcrux_ml_dsa.Encoding.T0 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 13 + +val serialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 (sz 416)) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_to_vector_then_ntt + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst new file mode 100644 index 000000000..9b57c286b --- /dev/null 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst 
@@ -0,0 +1,129 @@ +module Libcrux_ml_dsa.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 (sz 320) = Rust_primitives.Hax.repeat 0uy (sz 320) in + let serialized:t_Array u8 (sz 320) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 320) = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 320) = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_t1_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 (sz 320)) + in + serialized + +let deserialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = + Core.Slice.impl__chunks #u8 serialized (sz 10) + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (result, serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) + ) + (fun temp_0_ i -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let i:usize = i in + let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = + Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + serialized_chunks + in + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in + ({ + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + 
(Libcrux_ml_dsa.Simd.Traits.f_t1_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), + serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8)) + in + result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti new file mode 100644 index 000000000..7e8a9c325 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti @@ -0,0 +1,26 @@ +module Libcrux_ml_dsa.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 10 + +val serialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 (sz 320)) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst new file mode 100644 index 000000000..d18e2554d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst 
@@ -0,0 +1,166 @@ +module Libcrux_ml_dsa.Encoding.Verification_key +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_serialized + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (seed_for_A: t_Slice u8) + (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + = + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Rust_primitives.Hax.repeat 0uy v_VERIFICATION_KEY_SIZE + in + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range verification_key_serialized + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (verification_key_serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + seed_for_A + <: + t_Slice u8) + in + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (t1 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun verification_key_serialized temp_1_ -> + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + verification_key_serialized + in + let _:usize = temp_1_ in + true) + verification_key_serialized + (fun verification_key_serialized temp_1_ -> + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + verification_key_serialized + in + let i, ring_element:(usize & 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + temp_1_ + in + let offset:usize = + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! + (i *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize) + in + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range verification_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (verification_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Encoding.T1.serialize #v_SIMDUnit ring_element <: t_Slice u8) + <: + t_Slice u8) + in + verification_key_serialized) + in + verification_key_serialized + +let deserialize + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + = + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let seed_for_A, serialized_remaining:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (serialized <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_ROWS_IN_A + (fun t1 temp_1_ -> + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A + = + t1 + in + let _:usize = 
temp_1_ in + true) + t1 + (fun t1 i -> + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A + = + t1 + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 + i + (Libcrux_ml_dsa.Encoding.T1.deserialize #v_SIMDUnit + (serialized_remaining.[ { + Core.Ops.Range.f_start + = + i *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE + <: + usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + in + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_A + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError), + t1 + <: + (t_Array u8 (sz 32) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti new file mode 100644 index 000000000..934c2fcbe --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti 
@@ -0,0 +1,29 @@ +module Libcrux_ml_dsa.Encoding.Verification_key +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +val generate_serialized + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (seed_for_A: t_Slice u8) + (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + : Prims.Pure (t_Array u8 v_VERIFICATION_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + : Prims.Pure + (t_Array u8 (sz 32) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti new file mode 100644 index 000000000..57f4ceb8f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti 
@@ -0,0 +1,460 @@ +module Libcrux_ml_dsa.Hash_functions.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +type t_Shake128x4 = { f_state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = + { + f_init_absorb_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake128x4) + -> + true); + f_init_absorb + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = + let list = + [Libcrux_sha3.Neon.X2.Incremental.init (); Libcrux_sha3.Neon.X2.Incremental.init ()] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list + in + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state + (sz 0) + (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ sz 0 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + input0 + input1 + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + in + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state + (sz 1) + (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ sz 1 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + input2 + input3 + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + in + { f_state = state } <: t_Shake128x4); + f_squeeze_first_five_blocks_pre + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 
840)) + -> + true); + f_squeeze_first_five_blocks_post + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + (out4: + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))) + -> + true); + f_squeeze_first_five_blocks + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_five_blocks (self.f_state.[ sz 0 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out0 + out1 + in + let self:t_Shake128x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 0) tmp0 + } + <: + t_Shake128x4 + in + let out0:t_Array u8 (sz 840) = tmp1 in + let out1:t_Array u8 (sz 840) = tmp2 in + let _:Prims.unit = () in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_five_blocks (self.f_state.[ sz 1 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out2 + out3 + in + let self:t_Shake128x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 1) tmp0 + } + <: + t_Shake128x4 + in + let out2:t_Array u8 (sz 840) = tmp1 in + let out3:t_Array u8 (sz 840) = tmp2 in + let _:Prims.unit = () in + self, out0, out1, out2, out3 + <: + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))); + f_squeeze_next_block_pre = (fun (self: t_Shake128x4) -> true); + f_squeeze_next_block_post + = + (fun + (self: t_Shake128x4) + (out4: + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 
(sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + ) + -> + true); + f_squeeze_next_block + = + fun (self: t_Shake128x4) -> + let out0:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let out1:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let out2:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let out3:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block (self.f_state.[ sz 0 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out0 + out1 + in + let self:t_Shake128x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 0) tmp0 + } + <: + t_Shake128x4 + in + let out0:t_Array u8 (sz 168) = tmp1 in + let out1:t_Array u8 (sz 168) = tmp2 in + let _:Prims.unit = () in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block (self.f_state.[ sz 1 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out2 + out3 + in + let self:t_Shake128x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 1) tmp0 + } + <: + t_Shake128x4 + in + let out2:t_Array u8 (sz 168) = tmp1 in + let out3:t_Array u8 (sz 168) = tmp2 in + let _:Prims.unit = () in + let hax_temp_output:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + out0, out1, out2, out3 + <: + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)) + in + self, hax_temp_output + <: + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + } + +/// Neon SHAKE 256 x4 state +type t_Shake256x4 = { 
f_state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = + { + f_init_absorb_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake256x4) + -> + true); + f_init_absorb + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = + let list = + [Libcrux_sha3.Neon.X2.Incremental.init (); Libcrux_sha3.Neon.X2.Incremental.init ()] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list + in + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state + (sz 0) + (Libcrux_sha3.Neon.X2.Incremental.shake256_absorb_final (state.[ sz 0 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + input0 + input1 + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + in + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state + (sz 1) + (Libcrux_sha3.Neon.X2.Incremental.shake256_absorb_final (state.[ sz 1 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + input2 + input3 + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + in + { f_state = state } <: t_Shake256x4); + f_squeeze_first_block_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_first_block_post + = + (fun + (self: t_Shake256x4) + (out4: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_first_block + = + (fun (self: t_Shake256x4) -> + let out0:t_Array 
u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_first_block (self.f_state.[ sz 0 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out0 + out1 + in + let self:t_Shake256x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 0) tmp0 + } + <: + t_Shake256x4 + in + let out0:t_Array u8 (sz 136) = tmp1 in + let out1:t_Array u8 (sz 136) = tmp2 in + let _:Prims.unit = () in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_first_block (self.f_state.[ sz 1 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out2 + out3 + in + let self:t_Shake256x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 1) tmp0 + } + <: + t_Shake256x4 + in + let out2:t_Array u8 (sz 136) = tmp1 in + let out3:t_Array u8 (sz 136) = tmp2 in + let _:Prims.unit = () in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out0, out1, out2, out3 + <: + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) + in + self, hax_temp_output + <: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_squeeze_next_block_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_next_block_post + = + (fun + (self: t_Shake256x4) + (out4: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 
(sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_next_block + = + (fun (self: t_Shake256x4) -> + let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_next_block (self.f_state.[ sz 0 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out0 + out1 + in + let self:t_Shake256x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 0) tmp0 + } + <: + t_Shake256x4 + in + let out0:t_Array u8 (sz 136) = tmp1 in + let out1:t_Array u8 (sz 136) = tmp2 in + let _:Prims.unit = () in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_next_block (self.f_state.[ sz 1 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out2 + out3 + in + let self:t_Shake256x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 1) tmp0 + } + <: + t_Shake256x4 + in + let out2:t_Array u8 (sz 136) = tmp1 in + let out3:t_Array u8 (sz 136) = tmp2 in + let _:Prims.unit = () in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out0, out1, out2, out3 + <: + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) + in + self, hax_temp_output + <: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_shake256_pre + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: 
t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + true); + f_shake256_post + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + (out4: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN + )) + -> + true); + f_shake256 + = + fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + let tmp0, tmp1:(t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) = + Libcrux_sha3.Neon.X2.shake256 input0 input1 out0 out1 + in + let out0:t_Array u8 v_OUT_LEN = tmp0 in + let out1:t_Array u8 v_OUT_LEN = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) = + Libcrux_sha3.Neon.X2.shake256 input2 input3 out2 out3 + in + let out2:t_Array u8 v_OUT_LEN = tmp0 in + let out3:t_Array u8 v_OUT_LEN = tmp1 in + let _:Prims.unit = () in + out0, out1, out2, out3 + <: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst new file mode 100644 index 000000000..fd24408ba --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst 
@@ -0,0 +1,13 @@ +module Libcrux_ml_dsa.Hash_functions.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let init_absorb__init_absorb (input: t_Slice u8) = + let state:Libcrux_sha3.Portable.t_KeccakState = + Libcrux_sha3.Portable.Incremental.shake128_init () + in + let state:Libcrux_sha3.Portable.t_KeccakState = + Libcrux_sha3.Portable.Incremental.shake128_absorb_final state input + in + state diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti new file mode 100644 index 000000000..792c20833 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti 
@@ -0,0 +1,439 @@ +module Libcrux_ml_dsa.Hash_functions.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val init_absorb__init_absorb (input: t_Slice u8) + : Prims.Pure Libcrux_sha3.Portable.t_KeccakState Prims.l_True (fun _ -> Prims.l_True) + +/// Portable SHAKE 128 x4 state. +/// We're using a portable implementation so this is actually sequential. +type t_Shake128X4 = { + f_state0:Libcrux_sha3.Portable.t_KeccakState; + f_state1:Libcrux_sha3.Portable.t_KeccakState; + f_state2:Libcrux_sha3.Portable.t_KeccakState; + f_state3:Libcrux_sha3.Portable.t_KeccakState +} + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 = + { + f_init_absorb_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake128X4) + -> + true); + f_init_absorb + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + let state0:Libcrux_sha3.Portable.t_KeccakState = init_absorb__init_absorb input0 in + let state1:Libcrux_sha3.Portable.t_KeccakState = init_absorb__init_absorb input1 in + let state2:Libcrux_sha3.Portable.t_KeccakState = init_absorb__init_absorb input2 in + let state3:Libcrux_sha3.Portable.t_KeccakState = init_absorb__init_absorb input3 in + { f_state0 = state0; f_state1 = state1; f_state2 = state2; f_state3 = state3 } + <: + t_Shake128X4); + f_squeeze_first_five_blocks_pre + = + (fun + (self: t_Shake128X4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + true); + f_squeeze_first_five_blocks_post + = + (fun + (self: t_Shake128X4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + (out4: + (t_Shake128X4 & 
t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))) + -> + true); + f_squeeze_first_five_blocks + = + (fun + (self: t_Shake128X4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 840)) = + Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state0 out0 + in + let self:t_Shake128X4 = { self with f_state0 = tmp0 } <: t_Shake128X4 in + let out0:t_Array u8 (sz 840) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 840)) = + Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state1 out1 + in + let self:t_Shake128X4 = { self with f_state1 = tmp0 } <: t_Shake128X4 in + let out1:t_Array u8 (sz 840) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 840)) = + Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state2 out2 + in + let self:t_Shake128X4 = { self with f_state2 = tmp0 } <: t_Shake128X4 in + let out2:t_Array u8 (sz 840) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 840)) = + Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state3 out3 + in + let self:t_Shake128X4 = { self with f_state3 = tmp0 } <: t_Shake128X4 in + let out3:t_Array u8 (sz 840) = tmp1 in + let _:Prims.unit = () in + self, out0, out1, out2, out3 + <: + (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))); + f_squeeze_next_block_pre = (fun (self: t_Shake128X4) -> true); + f_squeeze_next_block_post + = + (fun + (self: t_Shake128X4) + (out4: + (t_Shake128X4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + ) + -> + true); + f_squeeze_next_block + = + 
fun (self: t_Shake128X4) -> + let out0:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 168)) = + Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state0 out0 + in + let self:t_Shake128X4 = { self with f_state0 = tmp0 } <: t_Shake128X4 in + let out0:t_Array u8 (sz 168) = tmp1 in + let _:Prims.unit = () in + let out1:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 168)) = + Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state1 out1 + in + let self:t_Shake128X4 = { self with f_state1 = tmp0 } <: t_Shake128X4 in + let out1:t_Array u8 (sz 168) = tmp1 in + let _:Prims.unit = () in + let out2:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 168)) = + Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state2 out2 + in + let self:t_Shake128X4 = { self with f_state2 = tmp0 } <: t_Shake128X4 in + let out2:t_Array u8 (sz 168) = tmp1 in + let _:Prims.unit = () in + let out3:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 168)) = + Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state3 out3 + in + let self:t_Shake128X4 = { self with f_state3 = tmp0 } <: t_Shake128X4 in + let out3:t_Array u8 (sz 168) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + out0, out1, out2, out3 + <: + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)) + in + self, hax_temp_output + <: + (t_Shake128X4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + } + +/// Portable SHAKE 256 state +type 
t_Shake256 = { f_state:Libcrux_sha3.Portable.t_KeccakState } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = + { + f_shake256_pre + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); + f_shake256_post + = + (fun + (v_OUTPUT_LENGTH: usize) + (input: t_Slice u8) + (out: t_Array u8 v_OUTPUT_LENGTH) + (out1: t_Array u8 v_OUTPUT_LENGTH) + -> + true); + f_shake256 + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> + let out:t_Array u8 v_OUTPUT_LENGTH = Libcrux_sha3.Portable.shake256 out input in + out); + f_init_absorb_pre = (fun (input: t_Slice u8) -> true); + f_init_absorb_post = (fun (input: t_Slice u8) (out: t_Shake256) -> true); + f_init_absorb + = + (fun (input: t_Slice u8) -> + let state:Libcrux_sha3.Portable.t_KeccakState = + Libcrux_sha3.Portable.Incremental.shake256_init () + in + let state:Libcrux_sha3.Portable.t_KeccakState = + Libcrux_sha3.Portable.Incremental.shake256_absorb_final state input + in + { f_state = state } <: t_Shake256); + f_squeeze_first_block_pre = (fun (self: t_Shake256) -> true); + f_squeeze_first_block_post + = + (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (sz 136))) -> true); + f_squeeze_first_block + = + (fun (self: t_Shake256) -> + let out:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = + Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state out + in + let self:t_Shake256 = { self with f_state = tmp0 } <: t_Shake256 in + let out:t_Array u8 (sz 136) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:t_Array u8 (sz 136) = out in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136))); + f_squeeze_next_block_pre = (fun (self: t_Shake256) -> true); + f_squeeze_next_block_post + = + (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (sz 
136))) -> true); + f_squeeze_next_block + = + fun (self: t_Shake256) -> + let out:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = + Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state out + in + let self:t_Shake256 = { self with f_state = tmp0 } <: t_Shake256 in + let out:t_Array u8 (sz 136) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:t_Array u8 (sz 136) = out in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136)) + } + +/// Portable SHAKE 256 x4 state. +/// We're using a portable implementation so this is actually sequential. +type t_Shake256X4 = { + f_state0:Libcrux_sha3.Portable.t_KeccakState; + f_state1:Libcrux_sha3.Portable.t_KeccakState; + f_state2:Libcrux_sha3.Portable.t_KeccakState; + f_state3:Libcrux_sha3.Portable.t_KeccakState +} + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = + { + f_init_absorb_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake256X4) + -> + true); + f_init_absorb + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + let state0:Libcrux_sha3.Portable.t_KeccakState = + Libcrux_sha3.Portable.Incremental.shake256_init () + in + let state0:Libcrux_sha3.Portable.t_KeccakState = + Libcrux_sha3.Portable.Incremental.shake256_absorb_final state0 input0 + in + let state1:Libcrux_sha3.Portable.t_KeccakState = + Libcrux_sha3.Portable.Incremental.shake256_init () + in + let state1:Libcrux_sha3.Portable.t_KeccakState = + Libcrux_sha3.Portable.Incremental.shake256_absorb_final state1 input1 + in + let state2:Libcrux_sha3.Portable.t_KeccakState = + Libcrux_sha3.Portable.Incremental.shake256_init () + 
in + let state2:Libcrux_sha3.Portable.t_KeccakState = + Libcrux_sha3.Portable.Incremental.shake256_absorb_final state2 input2 + in + let state3:Libcrux_sha3.Portable.t_KeccakState = + Libcrux_sha3.Portable.Incremental.shake256_init () + in + let state3:Libcrux_sha3.Portable.t_KeccakState = + Libcrux_sha3.Portable.Incremental.shake256_absorb_final state3 input3 + in + { f_state0 = state0; f_state1 = state1; f_state2 = state2; f_state3 = state3 } + <: + t_Shake256X4); + f_squeeze_first_block_pre = (fun (self: t_Shake256X4) -> true); + f_squeeze_first_block_post + = + (fun + (self: t_Shake256X4) + (out4: + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_first_block + = + (fun (self: t_Shake256X4) -> + let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = + Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state0 out0 + in + let self:t_Shake256X4 = { self with f_state0 = tmp0 } <: t_Shake256X4 in + let out0:t_Array u8 (sz 136) = tmp1 in + let _:Prims.unit = () in + let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = + Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state1 out1 + in + let self:t_Shake256X4 = { self with f_state1 = tmp0 } <: t_Shake256X4 in + let out1:t_Array u8 (sz 136) = tmp1 in + let _:Prims.unit = () in + let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = + Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state2 out2 + in + let self:t_Shake256X4 = { self with f_state2 = tmp0 } <: t_Shake256X4 in + let out2:t_Array u8 (sz 136) = tmp1 in + let _:Prims.unit = () in + let out3:t_Array u8 (sz 136) = 
Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = + Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state3 out3 + in + let self:t_Shake256X4 = { self with f_state3 = tmp0 } <: t_Shake256X4 in + let out3:t_Array u8 (sz 136) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out0, out1, out2, out3 + <: + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) + in + self, hax_temp_output + <: + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_squeeze_next_block_pre = (fun (self: t_Shake256X4) -> true); + f_squeeze_next_block_post + = + (fun + (self: t_Shake256X4) + (out4: + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_next_block + = + (fun (self: t_Shake256X4) -> + let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = + Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state0 out0 + in + let self:t_Shake256X4 = { self with f_state0 = tmp0 } <: t_Shake256X4 in + let out0:t_Array u8 (sz 136) = tmp1 in + let _:Prims.unit = () in + let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = + Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state1 out1 + in + let self:t_Shake256X4 = { self with f_state1 = tmp0 } <: t_Shake256X4 in + let out1:t_Array u8 (sz 136) = tmp1 in + let _:Prims.unit = () in + let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = + 
Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state2 out2 + in + let self:t_Shake256X4 = { self with f_state2 = tmp0 } <: t_Shake256X4 in + let out2:t_Array u8 (sz 136) = tmp1 in + let _:Prims.unit = () in + let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = + Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state3 out3 + in + let self:t_Shake256X4 = { self with f_state3 = tmp0 } <: t_Shake256X4 in + let out3:t_Array u8 (sz 136) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out0, out1, out2, out3 + <: + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) + in + self, hax_temp_output + <: + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_shake256_pre + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + true); + f_shake256_post + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + (out4: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN + )) + -> + true); + f_shake256 + = + fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + let out0:t_Array u8 v_OUT_LEN = Libcrux_sha3.Portable.shake256 out0 
input0 in + let out1:t_Array u8 v_OUT_LEN = Libcrux_sha3.Portable.shake256 out1 input1 in + let out2:t_Array u8 v_OUT_LEN = Libcrux_sha3.Portable.shake256 out2 input2 in + let out3:t_Array u8 v_OUT_LEN = Libcrux_sha3.Portable.shake256 out3 input3 in + out0, out1, out2, out3 + <: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti new file mode 100644 index 000000000..e6657fd8b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti 
@@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Hash_functions.Shake128 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// When sampling matrix A we always want to do 4 absorb/squeeze calls in +/// parallel. +class t_XofX4 (v_Self: Type0) = { + f_init_absorb_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; + f_init_absorb_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0; + f_init_absorb:x0: t_Slice u8 -> x1: t_Slice u8 -> x2: t_Slice u8 -> x3: t_Slice u8 + -> Prims.Pure v_Self + (f_init_absorb_pre x0 x1 x2 x3) + (fun result -> f_init_absorb_post x0 x1 x2 x3 result); + f_squeeze_first_five_blocks_pre: + v_Self -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) + -> Type0; + f_squeeze_first_five_blocks_post: + v_Self -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + (v_Self & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) + -> Type0; + f_squeeze_first_five_blocks: + x0: v_Self -> + x1: t_Array u8 (sz 840) -> + x2: t_Array u8 (sz 840) -> + x3: t_Array u8 (sz 840) -> + x4: t_Array u8 (sz 840) + -> Prims.Pure + (v_Self & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) + (f_squeeze_first_five_blocks_pre x0 x1 x2 x3 x4) + (fun result -> f_squeeze_first_five_blocks_post x0 x1 x2 x3 x4 result); + f_squeeze_next_block_pre:v_Self -> Type0; + f_squeeze_next_block_post: + v_Self -> + (v_Self & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + -> Type0; + f_squeeze_next_block:x0: v_Self + -> Prims.Pure + (v_Self & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + (f_squeeze_next_block_pre x0) + (fun result -> f_squeeze_next_block_post x0 result) +} + +let v_BLOCK_SIZE: usize = Rust_primitives.Hax.dropped_body + +let v_FIVE_BLOCKS_SIZE: usize 
= Rust_primitives.Hax.dropped_body
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti
new file mode 100644
index 000000000..6ad902487
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti
@@ -0,0 +1,106 @@ +module Libcrux_ml_dsa.Hash_functions.Shake256 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +class t_Xof (v_Self: Type0) = { + f_shake256_pre:v_OUTPUT_LENGTH: usize -> t_Slice u8 -> t_Array u8 v_OUTPUT_LENGTH -> Type0; + f_shake256_post: + v_OUTPUT_LENGTH: usize -> + t_Slice u8 -> + t_Array u8 v_OUTPUT_LENGTH -> + t_Array u8 v_OUTPUT_LENGTH + -> Type0; + f_shake256:v_OUTPUT_LENGTH: usize -> x0: t_Slice u8 -> x1: t_Array u8 v_OUTPUT_LENGTH + -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) + (f_shake256_pre v_OUTPUT_LENGTH x0 x1) + (fun result -> f_shake256_post v_OUTPUT_LENGTH x0 x1 result); + f_init_absorb_pre:t_Slice u8 -> Type0; + f_init_absorb_post:t_Slice u8 -> v_Self -> Type0; + f_init_absorb:x0: t_Slice u8 + -> Prims.Pure v_Self (f_init_absorb_pre x0) (fun result -> f_init_absorb_post x0 result); + f_squeeze_first_block_pre:v_Self -> Type0; + f_squeeze_first_block_post:v_Self -> (v_Self & t_Array u8 (sz 136)) -> Type0; + f_squeeze_first_block:x0: v_Self + -> Prims.Pure (v_Self & t_Array u8 (sz 136)) + (f_squeeze_first_block_pre x0) + (fun result -> f_squeeze_first_block_post x0 result); + f_squeeze_next_block_pre:v_Self -> Type0; + f_squeeze_next_block_post:v_Self -> (v_Self & t_Array u8 (sz 136)) -> Type0; + f_squeeze_next_block:x0: v_Self + -> Prims.Pure (v_Self & t_Array u8 (sz 136)) + (f_squeeze_next_block_pre x0) + (fun result -> f_squeeze_next_block_post x0 result) +} + +class t_XofX4 (v_Self: Type0) = { + f_shake256_pre: + v_OUT_LEN: usize -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN + -> Type0; + f_shake256_post: + v_OUT_LEN: usize -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 
v_OUT_LEN) + -> Type0; + f_shake256: + v_OUT_LEN: usize -> + x0: t_Slice u8 -> + x1: t_Slice u8 -> + x2: t_Slice u8 -> + x3: t_Slice u8 -> + x4: t_Array u8 v_OUT_LEN -> + x5: t_Array u8 v_OUT_LEN -> + x6: t_Array u8 v_OUT_LEN -> + x7: t_Array u8 v_OUT_LEN + -> Prims.Pure + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + (f_shake256_pre v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7) + (fun result -> f_shake256_post v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7 result); + f_init_absorb_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; + f_init_absorb_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0; + f_init_absorb:x0: t_Slice u8 -> x1: t_Slice u8 -> x2: t_Slice u8 -> x3: t_Slice u8 + -> Prims.Pure v_Self + (f_init_absorb_pre x0 x1 x2 x3) + (fun result -> f_init_absorb_post x0 x1 x2 x3 result); + f_squeeze_first_block_pre:v_Self -> Type0; + f_squeeze_first_block_post: + v_Self -> + (v_Self & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + -> Type0; + f_squeeze_first_block:x0: v_Self + -> Prims.Pure + (v_Self & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + (f_squeeze_first_block_pre x0) + (fun result -> f_squeeze_first_block_post x0 result); + f_squeeze_next_block_pre:v_Self -> Type0; + f_squeeze_next_block_post: + v_Self -> + (v_Self & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + -> Type0; + f_squeeze_next_block:x0: v_Self + -> Prims.Pure + (v_Self & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + (f_squeeze_next_block_pre x0) + (fun result -> f_squeeze_next_block_post x0 result) +} + +let v_BLOCK_SIZE: usize = Rust_primitives.Hax.dropped_body 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti
new file mode 100644
index 000000000..4ab73b742
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti
@@ -0,0 +1,383 @@ +module Libcrux_ml_dsa.Hash_functions.Simd256 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// AVX2 SHAKE 128 state +/// This only implements the XofX4 API. For the single Xof, the portable +/// version is used. +type t_Shake128x4 = { f_state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = + { + f_init_absorb_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake128x4) + -> + true); + f_init_absorb + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState = + Libcrux_sha3.Avx2.X4.Incremental.init () + in + let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState = + Libcrux_sha3.Avx2.X4.Incremental.shake128_absorb_final state input0 input1 input2 input3 + in + { f_state = state } <: t_Shake128x4); + f_squeeze_first_five_blocks_pre + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + true); + f_squeeze_first_five_blocks_post + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + (out4: + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))) + -> + true); + f_squeeze_first_five_blocks + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState & + t_Array u8 (sz 840) & + 
t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + Libcrux_sha3.Avx2.X4.Incremental.shake128_squeeze_first_five_blocks self.f_state + out0 + out1 + out2 + out3 + in + let self:t_Shake128x4 = { self with f_state = tmp0 } <: t_Shake128x4 in + let out0:t_Array u8 (sz 840) = tmp1 in + let out1:t_Array u8 (sz 840) = tmp2 in + let out2:t_Array u8 (sz 840) = tmp3 in + let out3:t_Array u8 (sz 840) = tmp4 in + let _:Prims.unit = () in + self, out0, out1, out2, out3 + <: + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))); + f_squeeze_next_block_pre = (fun (self: t_Shake128x4) -> true); + f_squeeze_next_block_post + = + (fun + (self: t_Shake128x4) + (out4: + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + ) + -> + true); + f_squeeze_next_block + = + fun (self: t_Shake128x4) -> + let out0:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let out1:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let out2:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let out3:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState & + t_Array u8 (sz 168) & + t_Array u8 (sz 168) & + t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + Libcrux_sha3.Avx2.X4.Incremental.shake128_squeeze_next_block self.f_state + out0 + out1 + out2 + out3 + in + let self:t_Shake128x4 = { self with f_state = tmp0 } <: t_Shake128x4 in + let out0:t_Array u8 (sz 168) = tmp1 in + let out1:t_Array u8 (sz 168) = tmp2 in + let out2:t_Array u8 (sz 168) = tmp3 in + let out3:t_Array u8 (sz 168) = tmp4 in + let _:Prims.unit = () in + let hax_temp_output:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + out0, out1, out2, out3 + <: + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array 
u8 (sz 168)) + in + self, hax_temp_output + <: + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + } + +/// AVX2 SHAKE 256 state +type t_Shake256 = { f_state:Libcrux_sha3.Portable.t_KeccakState } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = + { + f_shake256_pre + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); + f_shake256_post + = + (fun + (v_OUTPUT_LENGTH: usize) + (input: t_Slice u8) + (out: t_Array u8 v_OUTPUT_LENGTH) + (out1: t_Array u8 v_OUTPUT_LENGTH) + -> + true); + f_shake256 + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> + let out:t_Array u8 v_OUTPUT_LENGTH = Libcrux_sha3.Portable.shake256 out input in + out); + f_init_absorb_pre = (fun (input: t_Slice u8) -> true); + f_init_absorb_post = (fun (input: t_Slice u8) (out: t_Shake256) -> true); + f_init_absorb + = + (fun (input: t_Slice u8) -> + let state:Libcrux_sha3.Portable.t_KeccakState = + Libcrux_sha3.Portable.Incremental.shake256_init () + in + let state:Libcrux_sha3.Portable.t_KeccakState = + Libcrux_sha3.Portable.Incremental.shake256_absorb_final state input + in + { f_state = state } <: t_Shake256); + f_squeeze_first_block_pre = (fun (self: t_Shake256) -> true); + f_squeeze_first_block_post + = + (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (sz 136))) -> true); + f_squeeze_first_block + = + (fun (self: t_Shake256) -> + let out:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = + Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state out + in + let self:t_Shake256 = { self with f_state = tmp0 } <: t_Shake256 in + let out:t_Array u8 (sz 136) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:t_Array u8 (sz 136) = out in + self, hax_temp_output <: 
(t_Shake256 & t_Array u8 (sz 136))); + f_squeeze_next_block_pre = (fun (self: t_Shake256) -> true); + f_squeeze_next_block_post + = + (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (sz 136))) -> true); + f_squeeze_next_block + = + fun (self: t_Shake256) -> + let out:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = + Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state out + in + let self:t_Shake256 = { self with f_state = tmp0 } <: t_Shake256 in + let out:t_Array u8 (sz 136) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:t_Array u8 (sz 136) = out in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136)) + } + +/// AVX2 SHAKE 256 x4 state. +type t_Shake256x4 = { f_state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = + { + f_init_absorb_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake256x4) + -> + true); + f_init_absorb + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState = + Libcrux_sha3.Avx2.X4.Incremental.init () + in + let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState = + Libcrux_sha3.Avx2.X4.Incremental.shake256_absorb_final state input0 input1 input2 input3 + in + { f_state = state } <: t_Shake256x4); + f_squeeze_first_block_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_first_block_post + = + (fun + (self: t_Shake256x4) + (out4: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_first_block + = + 
(fun (self: t_Shake256x4) -> + let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState & + t_Array u8 (sz 136) & + t_Array u8 (sz 136) & + t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + Libcrux_sha3.Avx2.X4.Incremental.shake256_squeeze_first_block self.f_state + out0 + out1 + out2 + out3 + in + let self:t_Shake256x4 = { self with f_state = tmp0 } <: t_Shake256x4 in + let out0:t_Array u8 (sz 136) = tmp1 in + let out1:t_Array u8 (sz 136) = tmp2 in + let out2:t_Array u8 (sz 136) = tmp3 in + let out3:t_Array u8 (sz 136) = tmp4 in + let _:Prims.unit = () in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out0, out1, out2, out3 + <: + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) + in + self, hax_temp_output + <: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_squeeze_next_block_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_next_block_post + = + (fun + (self: t_Shake256x4) + (out4: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_next_block + = + (fun (self: t_Shake256x4) -> + let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState & + t_Array u8 (sz 
136) & + t_Array u8 (sz 136) & + t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + Libcrux_sha3.Avx2.X4.Incremental.shake256_squeeze_next_block self.f_state + out0 + out1 + out2 + out3 + in + let self:t_Shake256x4 = { self with f_state = tmp0 } <: t_Shake256x4 in + let out0:t_Array u8 (sz 136) = tmp1 in + let out1:t_Array u8 (sz 136) = tmp2 in + let out2:t_Array u8 (sz 136) = tmp3 in + let out3:t_Array u8 (sz 136) = tmp4 in + let _:Prims.unit = () in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out0, out1, out2, out3 + <: + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) + in + self, hax_temp_output + <: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_shake256_pre + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + true); + f_shake256_post + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + (out4: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN + )) + -> + true); + f_shake256 + = + fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + let tmp0, tmp1, tmp2, tmp3:(t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & + t_Array u8 v_OUT_LEN) = + Libcrux_sha3.Avx2.X4.shake256 input0 input1 input2 input3 out0 out1 out2 out3 + in + let out0:t_Array u8 
v_OUT_LEN = tmp0 in + let out1:t_Array u8 v_OUT_LEN = tmp1 in + let out2:t_Array u8 v_OUT_LEN = tmp2 in + let out3:t_Array u8 v_OUT_LEN = tmp3 in + let _:Prims.unit = () in + out0, out1, out2, out3 + <: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + }
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst
new file mode 100644
index 000000000..0f4339ffb
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst
@@ -0,0 +1,473 @@ +module Libcrux_ml_dsa.Matrix +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let vector_times_ring_element + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (ring_element: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Folds.fold_enumerated_slice (vector + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let i, vector_ring_element:(usize & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + temp_1_ + in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + vector_ring_element + ring_element + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + 
t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + in + result + +let add_vectors + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_DIMENSION + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + in + result + +let compute_A_times_mask + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (mask: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) 
v_COLUMNS_IN_A) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt + <: + t_Slice + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let i, row:(usize & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = + temp_1_ + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (row + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let j, ring_element:(usize & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + temp_1_ + in + let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + ring_element + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (mask.[ j ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (result.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + product + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + result + +let compute_As1_plus_s2 + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (s2: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt + <: + t_Slice + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + 
v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let i, row:(usize & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = + temp_1_ + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (row + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let j, ring_element:(usize & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + temp_1_ + in + let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + ring_element + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (s1.[ j ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (result.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + product + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (result.[ i ] 
<: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s2.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + result + +let compute_w_approx + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (signer_response: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (verifier_challenge_as_ntt: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt + <: + t_Slice + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let i, row:(usize & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = + temp_1_ + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (row + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let j, ring_element:(usize & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + temp_1_ + in + let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + ring_element + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (signer_response.[ j ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (result.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + product + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + let t1_shifted:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Arithmetic.shift_left_then_reduce #v_SIMDUnit + 13l + (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let challenge_times_t1_shifted:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit = + 
Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + verifier_challenge_as_ntt + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit t1_shifted + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit + (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + challenge_times_t1_shifted + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + result + +let subtract_vectors + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_DIMENSION + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit + (lhs.[ i ] <: 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + in + result
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti
new file mode 100644
index 000000000..7db4128e6
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti
@@ -0,0 +1,90 @@ +module Libcrux_ml_dsa.Matrix +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +val vector_times_ring_element + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (ring_element: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val add_vectors + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Compute InvertNTT(Â ◦ ŷ) +val compute_A_times_mask + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (mask: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Compute InvertNTT(Â ◦ ŝ₁) + s₂ +val compute_As1_plus_s2 + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) 
v_COLUMNS_IN_A) + v_ROWS_IN_A) + (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (s2: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Compute InvertNTT(Â ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ)) +val compute_w_approx + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (signer_response: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (verifier_challenge_as_ntt: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + Prims.l_True + (fun _ -> Prims.l_True) + +val subtract_vectors + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst new file mode 100644 index 000000000..509e88d8d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst 
@@ -0,0 +1,47 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l + (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) + (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message signature.Libcrux_ml_dsa.Types._0 + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti new file mode 100644 index 000000000..1d6fe01a4 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti 
@@ -0,0 +1,28 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-44 Signature +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-44 Signature +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-44 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst new file mode 100644 index 000000000..dde09c019 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst 
@@ -0,0 +1,47 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l + (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) + (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message signature.Libcrux_ml_dsa.Types._0 + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti new file mode 100644 index 000000000..c5bdb978b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti 
@@ -0,0 +1,28 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-44 Signature +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-44 Signature +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-44 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst new file mode 100644 index 000000000..f2d057a8d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst 
@@ -0,0 +1,47 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) + 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 4) (sz 4) (sz 2420) (sz 1312) + (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message signature.Libcrux_ml_dsa.Types._0 + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti new file mode 100644 index 000000000..7ba47d54b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti 
@@ -0,0 +1,28 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-44 Signature +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-44 Signature +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-44 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst new file mode 100644 index 000000000..67dbd6274 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst 
@@ -0,0 +1,47 @@ +module Libcrux_ml_dsa.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l + (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) + (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message signature.Libcrux_ml_dsa.Types._0 + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti new file mode 100644 index 000000000..d65be504b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti 
@@ -0,0 +1,108 @@ +module Libcrux_ml_dsa.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 6 + +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 + +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 18 + +let v_COLUMNS_IN_A: usize = sz 4 + +let v_COMMITMENT_HASH_SIZE: usize = sz 32 + +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + <: + usize) /! + sz 8 + +let v_ERROR_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! + sz 8 + +let v_ETA: usize = sz 2 + +let v_GAMMA1_EXPONENT: usize = sz 17 + +let v_GAMMA1_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize + ) /! + sz 8 + +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 88l + +let v_MAX_ONES_IN_HINT: usize = sz 80 + +let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 39 + +let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 + +let v_ROWS_IN_A: usize = sz 4 + +let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A + +let v_SIGNATURE_SIZE: usize = + ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! + v_MAX_ONES_IN_HINT + <: + usize) +! + v_ROWS_IN_A + +let v_SIGNING_KEY_SIZE: usize = + (((Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + <: + usize) +! + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + <: + usize) +! + ((v_ROWS_IN_A +! v_COLUMNS_IN_A <: usize) *! v_ERROR_RING_ELEMENT_SIZE <: usize) + <: + usize) +! + (v_ROWS_IN_A *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize) + +let v_VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! 
+ (((Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_ROWS_IN_A <: usize) *! + (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! + Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T + <: + usize) + <: + usize) /! + sz 8 + <: + usize) + +/// Sign with ML-DSA 44 +/// Sign a `message` with the ML-DSA `signing_key`. +/// This function returns an [`MLDSA44Signature`]. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-44 Signature +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA 44 Key Pair +/// Generate an ML-DSA key pair. The input is a byte array of size +/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. +/// This function returns an [`MLDSA44KeyPair`]. +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst new file mode 100644 index 000000000..648b44510 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst 
@@ -0,0 +1,47 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) + 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) + (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message signature.Libcrux_ml_dsa.Types._0 + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti new file mode 100644 index 000000000..f41aace41 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti 
@@ -0,0 +1,28 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-65 Signature +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-65 Signature +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-65 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst new file mode 100644 index 000000000..1c1514f47 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst 
@@ -0,0 +1,47 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) + 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) + (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message signature.Libcrux_ml_dsa.Types._0 + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti new file mode 100644 index 000000000..eb81be76c --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti 
@@ -0,0 +1,28 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-65 Signature +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-65 Signature +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-65 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst new file mode 100644 index 000000000..c9ab1e214 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst 
@@ -0,0 +1,47 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) + 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 6) (sz 5) (sz 3309) (sz 1952) + (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message signature.Libcrux_ml_dsa.Types._0 + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti new file mode 100644 index 000000000..b5c26b486 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti 
@@ -0,0 +1,28 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-65 Signature +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-65 Signature +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-65 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst new file mode 100644 index 000000000..341061f58 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst 
@@ -0,0 +1,47 @@ +module Libcrux_ml_dsa.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) 261888l + (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) + (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message signature.Libcrux_ml_dsa.Types._0 + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti new file mode 100644 index 000000000..83c31586c --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti 
@@ -0,0 +1,108 @@ +module Libcrux_ml_dsa.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 + +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 4 + +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 + +let v_COLUMNS_IN_A: usize = sz 5 + +let v_COMMITMENT_HASH_SIZE: usize = sz 48 + +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + <: + usize) /! + sz 8 + +let v_ERROR_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! + sz 8 + +let v_ETA: usize = sz 4 + +let v_GAMMA1_EXPONENT: usize = sz 19 + +let v_GAMMA1_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize + ) /! + sz 8 + +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l + +let v_MAX_ONES_IN_HINT: usize = sz 55 + +let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 49 + +let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 + +let v_ROWS_IN_A: usize = sz 6 + +let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A + +let v_SIGNATURE_SIZE: usize = + ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! + v_MAX_ONES_IN_HINT + <: + usize) +! + v_ROWS_IN_A + +let v_SIGNING_KEY_SIZE: usize = + (((Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + <: + usize) +! + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + <: + usize) +! + ((v_ROWS_IN_A +! v_COLUMNS_IN_A <: usize) *! v_ERROR_RING_ELEMENT_SIZE <: usize) + <: + usize) +! + (v_ROWS_IN_A *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize) + +let v_VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! 
+ (((Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_ROWS_IN_A <: usize) *! + (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! + Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T + <: + usize) + <: + usize) /! + sz 8 + <: + usize) + +/// Sign with ML-DSA 65 +/// Sign a `message` with the ML-DSA `signing_key`. +/// This function returns an [`MLDSA65Signature`]. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-65 Signature +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA 65 Key Pair +/// Generate an ML-DSA key pair. The input is a byte array of size +/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. +/// This function returns an [`MLDSA65KeyPair`]. +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst new file mode 100644 index 000000000..1c3b64645 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst 
@@ -0,0 +1,47 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) + 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) + (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message signature.Libcrux_ml_dsa.Types._0 + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti new file mode 100644 index 000000000..f25f9942d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti 
@@ -0,0 +1,28 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-87 Signature +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-87 Signature +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-87 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst new file mode 100644 index 000000000..9e532f279 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst 
@@ -0,0 +1,47 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) + 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) + (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message signature.Libcrux_ml_dsa.Types._0 + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti new file mode 100644 index 000000000..641e980e2 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti 
@@ -0,0 +1,28 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-87 Signature +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-87 Signature +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-87 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst new file mode 100644 index 000000000..13e4c439b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst 
@@ -0,0 +1,47 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) + 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 8) (sz 7) (sz 4627) (sz 2592) + (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message signature.Libcrux_ml_dsa.Types._0 + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti new file mode 100644 index 000000000..b78af1d81 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti 
@@ -0,0 +1,28 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-87 Signature +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-87 Signature +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-87 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst new file mode 100644 index 000000000..5832b01ba --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst 
@@ -0,0 +1,47 @@ +module Libcrux_ml_dsa.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) 261888l + (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) + (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message signature.Libcrux_ml_dsa.Types._0 + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti new file mode 100644 index 000000000..37261368b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti 
@@ -0,0 +1,108 @@ +module Libcrux_ml_dsa.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 + +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 + +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 + +let v_COLUMNS_IN_A: usize = sz 7 + +let v_COMMITMENT_HASH_SIZE: usize = sz 64 + +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + <: + usize) /! + sz 8 + +let v_ERROR_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! + sz 8 + +let v_ETA: usize = sz 2 + +let v_GAMMA1_EXPONENT: usize = sz 19 + +let v_GAMMA1_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize + ) /! + sz 8 + +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l + +let v_MAX_ONES_IN_HINT: usize = sz 75 + +let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 60 + +let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 + +let v_ROWS_IN_A: usize = sz 8 + +let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A + +let v_SIGNATURE_SIZE: usize = + ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! + v_MAX_ONES_IN_HINT + <: + usize) +! + v_ROWS_IN_A + +let v_SIGNING_KEY_SIZE: usize = + (((Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + <: + usize) +! + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + <: + usize) +! + ((v_ROWS_IN_A +! v_COLUMNS_IN_A <: usize) *! v_ERROR_RING_ELEMENT_SIZE <: usize) + <: + usize) +! + (v_ROWS_IN_A *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize) + +let v_VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! 
+ (((Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_ROWS_IN_A <: usize) *! + (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! + Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T + <: + usize) + <: + usize) /! + sz 8 + <: + usize) + +/// Sign with ML-DSA 87 +/// Sign a `message` with the ML-DSA `signing_key`. +/// This function returns an [`MLDSA87Signature`]. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-87 Signature +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA 87 Key Pair +/// Generate an ML-DSA key pair. The input is a byte array of size +/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. +/// This function returns an [`MLDSA87KeyPair`]. +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst new file mode 100644 index 000000000..f1d04a708 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst 
@@ -0,0 +1,56 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Simd.Avx2 in + () + +let generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message randomness + +let verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE 
v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE + v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti new file mode 100644 index 000000000..355f93167 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti 
@@ -0,0 +1,47 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Simd.Avx2 in + () + +/// Generate key pair. +val generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign. +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify +val verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst new file mode 100644 index 000000000..8ad351c0a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst 
@@ -0,0 +1,57 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + () + +let generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message randomness + +let 
verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE + v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti new file mode 100644 index 000000000..4d54e6657 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti 
@@ -0,0 +1,48 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + () + +/// Generate key pair. +val generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign. +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify +val verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst new file mode 100644 index 000000000..8f87565ff --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst 
@@ -0,0 +1,56 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + () + +let generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message randomness + +let verify + (v_ROWS_IN_A 
v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE + v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti new file mode 100644 index 000000000..c6251bc23 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti 
@@ -0,0 +1,47 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Simd.Portable in + () + +/// Generate key pair. +val generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign. +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify +val verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst new file mode 100644 index 000000000..fb34aaa53 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst 
@@ -0,0 +1,100 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair v_ROWS_IN_A + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE + v_VERIFICATION_KEY_SIZE + randomness + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair v_ROWS_IN_A + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE + v_VERIFICATION_KEY_SIZE + randomness + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair v_ROWS_IN_A + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE + v_VERIFICATION_KEY_SIZE + randomness + +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key + message randomness + else + if Libcrux_platform.Platform.simd128_support () + then + 
Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE + signing_key message randomness + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE + signing_key message randomness + +let verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 + v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message + signature_serialized + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE + v_COMMITMENT_HASH_SIZE 
v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key_serialized message signature_serialized + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE + v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key_serialized message signature_serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti new file mode 100644 index 000000000..d5f53af3d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti 
@@ -0,0 +1,37 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst new file mode 100644 index 000000000..42ac5d9d0 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst 
@@ -0,0 +1,777 @@ +module Libcrux_ml_dsa.Ml_dsa_generic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + let open Libcrux_sha3.Portable.Incremental in + () + +let t_SigningError_cast_to_repr (x: t_SigningError) = + match x with | SigningError_RejectionSamplingError -> isz 0 + +let t_VerificationError_cast_to_repr (x: t_VerificationError) = + match x with + | VerificationError_MalformedHintError -> isz 0 + | VerificationError_SignerResponseExceedsBoundError -> isz 1 + | VerificationError_CommitmentHashesDontMatchError -> isz 3 + +let generate_key_pair + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + = + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let seed_expanded:t_Array u8 (sz 128) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 128) + (randomness <: t_Slice u8) + seed_expanded + in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + 
Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A = + Libcrux_ml_dsa.Samplex4.matrix_A #v_SIMDUnit + #v_Shake128X4 + v_ROWS_IN_A + v_COLUMNS_IN_A + (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) seed_for_a <: t_Array u8 (sz 34)) + in + let s1, s2:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + v_ETA + v_COLUMNS_IN_A + v_ROWS_IN_A + (Libcrux_ml_dsa.Utils.into_padded_array (sz 66) seed_for_error_vectors <: t_Array u8 (sz 66)) + in + let t:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Matrix.compute_As1_plus_s2 #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A a_as_ntt s1 s2 + in + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit v_ROWS_IN_A t + in + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit + v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + seed_for_a + t1 + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 v_ROWS_IN_A + v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE seed_for_a seed_for_signing + (verification_key_serialized <: t_Slice u8) s1 s2 t0 + in + signing_key_serialized, verification_key_serialized + <: + (t_Array u8 
v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + +let sign + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + let seed_for_A, seed_for_signing, verification_key_hash, s1_as_ntt, s2_as_ntt, t0_as_ntt:(t_Array + u8 (sz 32) & + t_Array u8 (sz 32) & + t_Array u8 (sz 64) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Encoding.Signing_key.deserialize_then_ntt #v_SIMDUnit + v_ROWS_IN_A + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE + signing_key + in + let v_A_as_ntt:t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A = + Libcrux_ml_dsa.Samplex4.matrix_A #v_SIMDUnit + #v_Shake128X4 + v_ROWS_IN_A + v_COLUMNS_IN_A + (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) (seed_for_A <: t_Slice u8) + <: + t_Array u8 (sz 34)) + in + let message_representative:t_Array u8 (sz 64) = 
Rust_primitives.Hax.repeat 0uy (sz 64) in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = + Libcrux_sha3.Portable.Incremental.f_new #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb + #(sz 136) + #FStar.Tactics.Typeclasses.solve + () + in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = + Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb + #(sz 136) + #FStar.Tactics.Typeclasses.solve + shake + (verification_key_hash <: t_Slice u8) + in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = + Libcrux_sha3.Portable.Incremental.f_absorb_final #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb + #(sz 136) + #FStar.Tactics.Typeclasses.solve + shake + message + in + let tmp0, tmp1:(Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze & t_Array u8 (sz 64)) = + Libcrux_sha3.Portable.Incremental.f_squeeze #Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze + #(sz 136) + #FStar.Tactics.Typeclasses.solve + shake + message_representative + in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = tmp0 in + let message_representative:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = + Libcrux_sha3.Portable.Incremental.f_new #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb + #(sz 136) + #FStar.Tactics.Typeclasses.solve + () + in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = + Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb + #(sz 136) + #FStar.Tactics.Typeclasses.solve + shake + (seed_for_signing <: t_Slice u8) + in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = + Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb + #(sz 136) + #FStar.Tactics.Typeclasses.solve + shake + 
(randomness <: t_Slice u8) + in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = + Libcrux_sha3.Portable.Incremental.f_absorb_final #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb + #(sz 136) + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let tmp0, tmp1:(Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze & t_Array u8 (sz 64)) = + Libcrux_sha3.Portable.Incremental.f_squeeze #Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze + #(sz 136) + #FStar.Tactics.Typeclasses.solve + shake + mask_seed + in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = tmp0 in + let mask_seed:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let (domain_separator_for_mask: u16):u16 = 0us in + let v_BETA:i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 in + let attempt:usize = sz 0 in + let commitment_hash:Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = + Core.Option.Option_None + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) + in + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, 
signer_response:(usize & + Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + = + temp_0_ + in + attempt <. Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND <: bool) + (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A))) + (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + = + temp_0_ + in + let attempt:usize = attempt +! 
sz 1 in + let tmp0, out:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = + Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit + #v_Shake256 + #v_Shake256X4 + v_COLUMNS_IN_A + v_GAMMA1_EXPONENT + (Libcrux_ml_dsa.Utils.into_padded_array (sz 66) (mask_seed <: t_Slice u8) + <: + t_Array u8 (sz 66)) + domain_separator_for_mask + in + let domain_separator_for_mask:u16 = tmp0 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + out + in + let v_A_times_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Libcrux_ml_dsa.Matrix.compute_A_times_mask #v_SIMDUnit + v_ROWS_IN_A + v_COLUMNS_IN_A + v_A_as_ntt + mask + in + let w0, commitment:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit + v_ROWS_IN_A + v_GAMMA2 + v_A_times_mask + in + let commitment_hash_candidate:t_Array u8 v_COMMITMENT_HASH_SIZE = + Rust_primitives.Hax.repeat 0uy v_COMMITMENT_HASH_SIZE + in + let commitment_serialized:t_Array u8 v_COMMITMENT_VECTOR_SIZE = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_ROWS_IN_A + v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE + commitment + in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = + Libcrux_sha3.Portable.Incremental.f_new #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb + #(sz 136) + #FStar.Tactics.Typeclasses.solve + () + in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = + Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb + #(sz 136) + #FStar.Tactics.Typeclasses.solve + shake + (message_representative <: t_Slice u8) + in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = + 
Libcrux_sha3.Portable.Incremental.f_absorb_final #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb + #(sz 136) + #FStar.Tactics.Typeclasses.solve + shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze & + t_Array u8 v_COMMITMENT_HASH_SIZE) = + Libcrux_sha3.Portable.Incremental.f_squeeze #Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze + #(sz 136) + #FStar.Tactics.Typeclasses.solve + shake + commitment_hash_candidate + in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = tmp0 in + let commitment_hash_candidate:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let verifier_challenge_as_ntt:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + v_ONES_IN_VERIFIER_CHALLENGE + (Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + (commitment_hash_candidate.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end + = + Libcrux_ml_dsa.Constants.v_VERIFIER_CHALLENGE_SEED_SIZE + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) + <: + t_Array u8 (sz 32)) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + v_COLUMNS_IN_A + s1_as_ntt + verifier_challenge_as_ntt + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + v_ROWS_IN_A + s2_as_ntt + verifier_challenge_as_ntt + in 
+ let signer_response_candidate:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit v_COLUMNS_IN_A mask challenge_times_s1 + in + let w0_minus_challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit v_ROWS_IN_A w0 challenge_times_s2 + in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + v_COLUMNS_IN_A + signer_response_candidate + ((1l <. v_MAX_ONES_IN_HINT + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A)) + else + let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND in + let commitment_hash:Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) = + Core.Option.Option_Some commitment_hash_candidate + <: + Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A) = + Core.Option.Option_Some signer_response_candidate + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) = + Core.Option.Option_Some hint_candidate + <: + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) + in + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A))) + in + match + match commitment_hash with + | Core.Option.Option_Some commitment_hash -> + Core.Result.Result_Ok commitment_hash + <: + Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err (SigningError_RejectionSamplingError <: t_SigningError) + <: + Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) t_SigningError + with + | Core.Result.Result_Ok commitment_hash -> + (match + match signer_response with + | Core.Option.Option_Some signer_response -> + Core.Result.Result_Ok signer_response + <: + Core.Result.t_Result + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err (SigningError_RejectionSamplingError <: t_SigningError) + <: + Core.Result.t_Result + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + t_SigningError + with + | Core.Result.Result_Ok signer_response -> + (match + match hint with + | Core.Option.Option_Some hint -> + Core.Result.Result_Ok hint + <: + Core.Result.t_Result (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err (SigningError_RejectionSamplingError <: t_SigningError) + <: + Core.Result.t_Result (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) t_SigningError + with + | Core.Result.Result_Ok hint -> + let signature:t_Array u8 v_SIGNATURE_SIZE = + Libcrux_ml_dsa.Encoding.Signature.impl__serialize #v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A + v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE + v_MAX_ONES_IN_HINT + v_SIGNATURE_SIZE + ({ + f_commitment_hash = commitment_hash; + f_signer_response = signer_response; + f_hint = hint + } + <: + t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A) + in + Core.Result.Result_Ok + 
(Libcrux_ml_dsa.Types.MLDSASignature signature + <: + Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + t_SigningError + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + t_SigningError) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) t_SigningError + ) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) t_SigningError + +let verify + (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + let seed_for_A, t1:(t_Array u8 (sz 32) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit + v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + verification_key_serialized + in + match + Libcrux_ml_dsa.Encoding.Signature.impl__deserialize #v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A + v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE + 
v_MAX_ONES_IN_HINT + v_SIGNATURE_SIZE + signature_serialized + with + | Core.Result.Result_Ok signature -> + if + ~.(Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + v_COLUMNS_IN_A + signature.f_signer_response + ((2l <. commitment_hash + then + Core.Result.Result_Err + (VerificationError_CommitmentHashesDontMatchError <: t_VerificationError) + <: + Core.Result.t_Result Prims.unit t_VerificationError + else + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit t_VerificationError + else + Core.Result.Result_Err + (VerificationError_SignerResponseExceedsBoundError <: t_VerificationError) + <: + Core.Result.t_Result Prims.unit t_VerificationError + | Core.Result.Result_Err err -> + Core.Result.Result_Err err <: Core.Result.t_Result Prims.unit t_VerificationError diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti new file mode 100644 index 000000000..ab1fbac41 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti 
@@ -0,0 +1,85 @@ +module Libcrux_ml_dsa.Ml_dsa_generic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + let open Libcrux_sha3.Portable.Incremental in + () + +type t_SigningError = | SigningError_RejectionSamplingError : t_SigningError + +val t_SigningError_cast_to_repr (x: t_SigningError) + : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) + +type t_VerificationError = + | VerificationError_MalformedHintError : t_VerificationError + | VerificationError_SignerResponseExceedsBoundError : t_VerificationError + | VerificationError_CommitmentHashesDontMatchError : t_VerificationError + +val t_VerificationError_cast_to_repr (x: t_VerificationError) + : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a key pair. 
+val generate_key_pair + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +type t_Signature + (v_SIMDUnit: Type0) (v_COMMITMENT_HASH_SIZE: usize) (v_COLUMNS_IN_A: usize) (v_ROWS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + = { + f_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE; + f_signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A; + f_hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A +} + +val sign + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) t_SigningError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify + (#v_SIMDUnit 
#v_Shake128X4 #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i4: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst new file mode 100644 index 000000000..090794afe --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst 
@@ -0,0 +1,696 @@ +module Libcrux_ml_dsa.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let invert_ntt_at_layer_0_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let zeta_i:usize = zeta_i -! sz 1 in + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let round:usize = round in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + round + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize ] <: i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 2 <: usize ] <: i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! 
sz 3 <: usize ] <: i32) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let zeta_i:usize = zeta_i -! sz 4 in + re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + let zeta_i:usize = zeta_i +! sz 1 in + zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let invert_ntt_at_layer_1_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let zeta_i:usize = zeta_i -! sz 1 in + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 256 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let round:usize = round in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + round + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize ] <: i32) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let zeta_i:usize = zeta_i -! 
sz 2 in + re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + let zeta_i:usize = zeta_i +! sz 1 in + zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let invert_ntt_at_layer_2_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let (re, zeta_i), hax_temp_output:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 256 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i -! 
sz 1 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + round + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let invert_ntt_at_layer_3_plus + (#v_SIMDUnit: Type0) + (v_LAYER: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let step:usize = sz 1 <>! v_LAYER <: usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i -! sz 1 in + let offset:usize = + ((round *! step <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
step_by <: usize) + (fun re temp_1_ -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let j:usize = j in + let a_minus_b:v_SIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_subtract #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! step_by <: usize ] + <: + v_SIMDUnit) + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! step_by <: usize ] + <: + v_SIMDUnit) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (j +! 
step_by <: usize) + (Libcrux_ml_dsa.Simd.Traits.montgomery_multiply_by_fer #v_SIMDUnit + a_minus_b + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re) + in + re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let invert_ntt_montgomery + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let zeta_i:usize = Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_0_ #v_SIMDUnit zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_1_ #v_SIMDUnit zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_2_ #v_SIMDUnit zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 3) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_3_plus #v_SIMDUnit 
(sz 4) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 5) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 6) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 7) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun re temp_1_ -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let _:usize = temp_1_ in + true) + re + (fun re i -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let i:usize = i in + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_montgomery_multiply_by_constant #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) + 41978l + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + 
in + re + +let ntt_at_layer_0_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let zeta_i:usize = zeta_i +! sz 1 in + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let round:usize = round in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + round + (Libcrux_ml_dsa.Simd.Traits.f_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] <: i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ] <: i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ] <: i32) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let zeta_i:usize = zeta_i +! sz 4 in + re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + let zeta_i:usize = zeta_i -! 
sz 1 in + zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let ntt_at_layer_1_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let zeta_i:usize = zeta_i +! sz 1 in + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let round:usize = round in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + round + (Libcrux_ml_dsa.Simd.Traits.f_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] <: i32) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let zeta_i:usize = zeta_i +! sz 2 in + re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + let zeta_i:usize = zeta_i -! 
sz 1 in + zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let ntt_at_layer_2_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let (re, zeta_i), hax_temp_output:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i +! 
sz 1 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + round + (Libcrux_ml_dsa.Simd.Traits.f_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let ntt_at_layer_3_plus + (#v_SIMDUnit: Type0) + (v_LAYER: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let step:usize = sz 1 <>! v_LAYER <: usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i +! sz 1 in + let offset:usize = + ((round *! step <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
step_by <: usize) + (fun re temp_1_ -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let j:usize = j in + let t:v_SIMDUnit = + Libcrux_ml_dsa.Simd.Traits.montgomery_multiply_by_fer #v_SIMDUnit + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! step_by <: usize ] + <: + v_SIMDUnit) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (j +! step_by <: usize) + (Libcrux_ml_dsa.Simd.Traits.f_subtract #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + t + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + t + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re) + in + re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let ntt + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let zeta_i:usize = sz 0 in + let tmp0, tmp1:(usize & 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + ntt_at_layer_3_plus #v_SIMDUnit (sz 7) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + ntt_at_layer_3_plus #v_SIMDUnit (sz 6) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + ntt_at_layer_3_plus #v_SIMDUnit (sz 5) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + ntt_at_layer_3_plus #v_SIMDUnit (sz 4) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + ntt_at_layer_3_plus #v_SIMDUnit (sz 3) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + ntt_at_layer_2_ #v_SIMDUnit zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + ntt_at_layer_1_ #v_SIMDUnit zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + ntt_at_layer_0_ #v_SIMDUnit zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + re + +let ntt_multiply_montgomery + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (lhs rhs: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (out.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun out temp_1_ -> + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in + let _:usize = temp_1_ in + true) + out + (fun out i -> + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in + let i:usize = i in + { + out with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_montgomery_multiply #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (lhs.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) + (rhs.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti new file mode 100644 index 000000000..0891f1e5a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti 
@@ -0,0 +1,148 @@ +module Libcrux_ml_dsa.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (sz 256) = + let list = + [ + 0l; 25847l; (-2608894l); (-518909l); 237124l; (-777960l); (-876248l); 466468l; 1826347l; + 2353451l; (-359251l); (-2091905l); 3119733l; (-2884855l); 3111497l; 2680103l; 2725464l; + 1024112l; (-1079900l); 3585928l; (-549488l); (-1119584l); 2619752l; (-2108549l); (-2118186l); + (-3859737l); (-1399561l); (-3277672l); 1757237l; (-19422l); 4010497l; 280005l; 2706023l; + 95776l; 3077325l; 3530437l; (-1661693l); (-3592148l); (-2537516l); 3915439l; (-3861115l); + (-3043716l); 3574422l; (-2867647l); 3539968l; (-300467l); 2348700l; (-539299l); (-1699267l); + (-1643818l); 3505694l; (-3821735l); 3507263l; (-2140649l); (-1600420l); 3699596l; 811944l; + 531354l; 954230l; 3881043l; 3900724l; (-2556880l); 2071892l; (-2797779l); (-3930395l); + (-1528703l); (-3677745l); (-3041255l); (-1452451l); 3475950l; 2176455l; (-1585221l); + (-1257611l); 1939314l; (-4083598l); (-1000202l); (-3190144l); (-3157330l); (-3632928l); + 126922l; 3412210l; (-983419l); 2147896l; 2715295l; (-2967645l); (-3693493l); (-411027l); + (-2477047l); (-671102l); (-1228525l); (-22981l); (-1308169l); (-381987l); 1349076l; 1852771l; + (-1430430l); (-3343383l); 264944l; 508951l; 3097992l; 44288l; (-1100098l); 904516l; 3958618l; + (-3724342l); (-8578l); 1653064l; (-3249728l); 2389356l; (-210977l); 759969l; (-1316856l); + 189548l; (-3553272l); 3159746l; (-1851402l); (-2409325l); (-177440l); 1315589l; 1341330l; + 1285669l; (-1584928l); (-812732l); (-1439742l); (-3019102l); (-3881060l); (-3628969l); + 3839961l; 2091667l; 3407706l; 2316500l; 3817976l; (-3342478l); 2244091l; (-2446433l); + (-3562462l); 266997l; 2434439l; 
(-1235728l); 3513181l; (-3520352l); (-3759364l); (-1197226l); + (-3193378l); 900702l; 1859098l; 909542l; 819034l; 495491l; (-1613174l); (-43260l); (-522500l); + (-655327l); (-3122442l); 2031748l; 3207046l; (-3556995l); (-525098l); (-768622l); (-3595838l); + 342297l; 286988l; (-2437823l); 4108315l; 3437287l; (-3342277l); 1735879l; 203044l; 2842341l; + 2691481l; (-2590150l); 1265009l; 4055324l; 1247620l; 2486353l; 1595974l; (-3767016l); 1250494l; + 2635921l; (-3548272l); (-2994039l); 1869119l; 1903435l; (-1050970l); (-1333058l); 1237275l; + (-3318210l); (-1430225l); (-451100l); 1312455l; 3306115l; (-1962642l); (-1279661l); 1917081l; + (-2546312l); (-1374803l); 1500165l; 777191l; 2235880l; 3406031l; (-542412l); (-2831860l); + (-1671176l); (-1846953l); (-2584293l); (-3724270l); 594136l; (-3776993l); (-2013608l); + 2432395l; 2454455l; (-164721l); 1957272l; 3369112l; 185531l; (-1207385l); (-3183426l); 162844l; + 1616392l; 3014001l; 810149l; 1652634l; (-3694233l); (-1799107l); (-3038916l); 3523897l; + 3866901l; 269760l; 2213111l; (-975884l); 1717735l; 472078l; (-426683l); 1723600l; (-1803090l); + 1910376l; (-1667432l); (-1104333l); (-260646l); (-3833893l); (-2939036l); (-2235985l); + (-420899l); (-2286327l); 183443l; (-976891l); 1612842l; (-3545687l); (-554416l); 3919660l; + (-48306l); (-1362209l); 3937738l; 1400424l; (-846154l); 1976782l + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256); + Rust_primitives.Hax.array_of_list 256 list + +val invert_ntt_at_layer_0_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_1_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_2_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_3_plus + (#v_SIMDUnit: Type0) + (v_LAYER: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_montgomery + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_0_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_1_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_2_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (usize & 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_3_plus + (#v_SIMDUnit: Type0) + (v_LAYER: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_multiply_montgomery + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (lhs rhs: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst new file mode 100644 index 000000000..0159b63b5 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst 
@@ -0,0 +1,260 @@ +module Libcrux_ml_dsa.Polynomial +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let impl__ZERO + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (_: Prims.unit) + = + { + f_simd_units + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Simd.Traits.f_ZERO #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + () + <: + v_SIMDUnit) + (sz 32) + } + <: + t_PolynomialRingElement v_SIMDUnit + +let impl__add + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self rhs: t_PolynomialRingElement v_SIMDUnit) + = + let sum:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in + let sum:t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit (sum.f_simd_units <: t_Slice v_SIMDUnit) <: usize) + (fun sum temp_1_ -> + let sum:t_PolynomialRingElement v_SIMDUnit = sum in + let _:usize = temp_1_ in + true) + sum + (fun sum i -> + let sum:t_PolynomialRingElement v_SIMDUnit = sum in + let i:usize = i in + { + sum with + f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sum.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (self.f_simd_units.[ i ] <: v_SIMDUnit) + (rhs.f_simd_units.[ i ] <: v_SIMDUnit) + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + t_PolynomialRingElement v_SIMDUnit) + in + sum + +let impl__from_i32_array + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (array: t_Slice i32) + = + let _:Prims.unit = + if true + then + let 
_:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #i32 array <: usize) >=. sz 256 <: bool) + in + () + in + let array_chunks:Core.Slice.Iter.t_Chunks i32 = + Core.Slice.impl__chunks #i32 array Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let result:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in + let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_SIMD_UNITS_IN_RING_ELEMENT + (fun temp_0_ temp_1_ -> + let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 & + t_PolynomialRingElement v_SIMDUnit) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (array_chunks, result <: (Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit)) + (fun temp_0_ i -> + let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 & + t_PolynomialRingElement v_SIMDUnit) = + temp_0_ + in + let i:usize = i in + let tmp0, out:(Core.Slice.Iter.t_Chunks i32 & Core.Option.t_Option (t_Slice i32)) = + Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks i32) + #FStar.Tactics.Typeclasses.solve + array_chunks + in + let array_chunks:Core.Slice.Iter.t_Chunks i32 = tmp0 in + array_chunks, + ({ + result with + f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_from_coefficient_array #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Core.Option.impl__unwrap #(t_Slice i32) out <: t_Slice i32) + <: + v_SIMDUnit) + } + <: + t_PolynomialRingElement v_SIMDUnit) + <: + (Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit)) + in + result + +let impl__infinity_norm_exceeds + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self: t_PolynomialRingElement v_SIMDUnit) + (bound: i32) + = + let exceeds:bool = false in + let exceeds:bool = + Core.Iter.Traits.Iterator.f_fold 
(Core.Iter.Traits.Collect.f_into_iter #(t_Array v_SIMDUnit + (sz 32)) + #FStar.Tactics.Typeclasses.solve + self.f_simd_units + <: + Core.Array.Iter.t_IntoIter v_SIMDUnit (sz 32)) + exceeds + (fun exceeds simd_unit -> + let exceeds:bool = exceeds in + let simd_unit:v_SIMDUnit = simd_unit in + exceeds |. + (Libcrux_ml_dsa.Simd.Traits.f_infinity_norm_exceeds #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + bound + <: + bool) + <: + bool) + in + exceeds + +let impl__subtract + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self rhs: t_PolynomialRingElement v_SIMDUnit) + = + let difference:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in + let difference:t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit (difference.f_simd_units <: t_Slice v_SIMDUnit) <: usize) + (fun difference temp_1_ -> + let difference:t_PolynomialRingElement v_SIMDUnit = difference in + let _:usize = temp_1_ in + true) + difference + (fun difference i -> + let difference:t_PolynomialRingElement v_SIMDUnit = difference in + let i:usize = i in + { + difference with + f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize difference.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_subtract #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (self.f_simd_units.[ i ] <: v_SIMDUnit) + (rhs.f_simd_units.[ i ] <: v_SIMDUnit) + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + t_PolynomialRingElement v_SIMDUnit) + in + difference + +let impl__to_i32_array + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self: t_PolynomialRingElement v_SIMDUnit) + = + let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in + let result:t_Array i32 (sz 256) = + Rust_primitives.Hax.Folds.fold_enumerated_slice 
(self.f_simd_units <: t_Slice v_SIMDUnit) + (fun result temp_1_ -> + let result:t_Array i32 (sz 256) = result in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array i32 (sz 256) = result in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range result + ({ + Core.Ops.Range.f_start + = + i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + <: + usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #i32 + (result.[ { + Core.Ops.Range.f_start + = + i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + <: + usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + (Libcrux_ml_dsa.Simd.Traits.f_to_coefficient_array #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + <: + t_Slice i32) + <: + t_Slice i32) + <: + t_Array i32 (sz 256)) + in + result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti new file mode 100644 index 000000000..a52502981 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti 
@@ -0,0 +1,55 @@ +module Libcrux_ml_dsa.Polynomial +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let v_SIMD_UNITS_IN_RING_ELEMENT: usize = + Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + +type t_PolynomialRingElement + (v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + = { f_simd_units:t_Array v_SIMDUnit (sz 32) } + +val impl__ZERO: + #v_SIMDUnit: Type0 -> + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> + Prims.unit + -> Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val impl__add + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self rhs: t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val impl__from_i32_array + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (array: t_Slice i32) + : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val impl__infinity_norm_exceeds + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self: t_PolynomialRingElement v_SIMDUnit) + (bound: i32) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val impl__subtract + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self rhs: t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val impl__to_i32_array + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self: t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array 
i32 (sz 256)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst new file mode 100644 index 000000000..e523ed72c --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst 
@@ -0,0 +1,1286 @@ +module Libcrux_ml_dsa.Sample +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let update_seed (seed: t_Array u8 (sz 66)) (domain_separator: u16) = + let seed:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed + (sz 64) + (cast (domain_separator <: u16) <: u8) + in + let seed:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed + (sz 65) + (cast (domain_separator >>! 8l <: u16) <: u8) + in + let domain_separator:u16 = domain_separator +! 1us in + let hax_temp_output:t_Array u8 (sz 66) = seed in + domain_separator, hax_temp_output <: (u16 & t_Array u8 (sz 66)) + +let rejection_sample_less_than_eta_equals_2_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + = + let done:bool = false in + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 randomness (sz 4) <: Core.Slice.Iter.t_Chunks u8) + <: + Core.Slice.Iter.t_Chunks u8) + (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + (fun temp_0_ random_bytes -> + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in + let random_bytes:t_Slice u8 = random_bytes in + if ~.done <: bool + then + let tmp0, out1:(t_Slice i32 & usize) = + 
Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + random_bytes + (out.[ { Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice i32) + in + let out:t_Array i32 (sz 263) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out + ({ Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize) + tmp0 + in + let sampled:usize = out1 in + let sampled_coefficients:usize = sampled_coefficients +! sampled in + if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + let done:bool = true in + done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + in + let hax_temp_output:bool = done in + sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) + +let rejection_sample_less_than_eta_equals_4_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + = + let done:bool = false in + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 randomness (sz 4) <: Core.Slice.Iter.t_Chunks u8) + <: + Core.Slice.Iter.t_Chunks u8) + (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + (fun temp_0_ random_bytes -> + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in + let random_bytes:t_Slice u8 = random_bytes in + if ~.done <: bool + then + let tmp0, out1:(t_Slice i32 & usize) = + 
Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + random_bytes + (out.[ { Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice i32) + in + let out:t_Array i32 (sz 263) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out + ({ Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize) + tmp0 + in + let sampled:usize = out1 in + let sampled_coefficients:usize = sampled_coefficients +! sampled in + if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + let done:bool = true in + done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + in + let hax_temp_output:bool = done in + sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) + +let rejection_sample_less_than_eta + (#v_SIMDUnit: Type0) + (v_ETA: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (randomness: t_Slice u8) + (sampled: usize) + (out: t_Array i32 (sz 263)) + = + let (out, sampled), hax_temp_output:((t_Array i32 (sz 263) & usize) & bool) = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit randomness sampled out + in + let sampled:usize = tmp0 in + let out:t_Array i32 (sz 263) = tmp1 in + (out, sampled <: (t_Array i32 (sz 263) & usize)), out1 + <: + ((t_Array i32 (sz 263) & usize) & bool) + | 4uy -> + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit randomness sampled out + in + let sampled:usize = tmp0 in + let out:t_Array i32 (sz 263) = tmp1 in + 
(out, sampled <: (t_Array i32 (sz 263) & usize)), out1 + <: + ((t_Array i32 (sz 263) & usize) & bool) + | _ -> + (out, sampled <: (t_Array i32 (sz 263) & usize)), + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + <: + ((t_Array i32 (sz 263) & usize) & bool) + in + sampled, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) + +let rejection_sample_less_than_field_modulus + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + = + let done:bool = false in + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 randomness (sz 24) <: Core.Slice.Iter.t_Chunks u8) + <: + Core.Slice.Iter.t_Chunks u8) + (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + (fun temp_0_ random_bytes -> + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in + let random_bytes:t_Slice u8 = random_bytes in + if ~.done <: bool + then + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_field_modulus #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + random_bytes + (out.[ { Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice i32) + in + let out:t_Array i32 (sz 263) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out + ({ Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize) + tmp0 + in + let sampled:usize = out1 in + let sampled_coefficients:usize = sampled_coefficients +! sampled in + if sampled_coefficients >=. 
Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + let done:bool = true in + done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + in + let hax_temp_output:bool = done in + sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) + +let inside_out_shuffle + (randomness: t_Slice u8) + (out_index: usize) + (signs: u64) + (result: t_Array i32 (sz 256)) + = + let done:bool = false in + let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) + #FStar.Tactics.Typeclasses.solve + randomness + <: + Core.Slice.Iter.t_Iter u8) + (done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) + (fun temp_0_ byte -> + let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = + temp_0_ + in + let byte:u8 = byte in + if ~.done <: bool + then + let sample_at:usize = cast (byte <: u8) <: usize in + let out_index, result, signs:(usize & t_Array i32 (sz 256) & u64) = + if sample_at <=. out_index + then + let result:t_Array i32 (sz 256) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + out_index + (result.[ sample_at ] <: i32) + in + let out_index:usize = out_index +! sz 1 in + let result:t_Array i32 (sz 256) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + sample_at + (1l -! (2l *! (cast (signs &. 1uL <: u64) <: i32) <: i32) <: i32) + in + let signs:u64 = signs >>! 1l in + out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) + else out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) + in + let done:bool = + out_index =. 
(Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) + in + done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64) + else done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) + in + let hax_temp_output:bool = done in + out_index, signs, result, hax_temp_output <: (usize & u64 & t_Array i32 (sz 256) & bool) + +let sample_challenge_ring_element + (#v_SIMDUnit #v_Shake256: Type0) + (v_NUMBER_OF_ONES: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (seed: t_Array u8 (sz 32)) + = + let state:v_Shake256 = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (seed <: t_Slice u8) + in + let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block #v_Shake256 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake256 = tmp0 in + let randomness:t_Array u8 (sz 136) = out in + let signs:u64 = + Core.Num.impl__u64__from_le_bytes (Core.Result.impl__unwrap #(t_Array u8 (sz 8)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 8)) + #FStar.Tactics.Typeclasses.solve + (randomness.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError) + <: + t_Array u8 (sz 8)) + in + let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in + let out_index:usize = + (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) -! 
v_NUMBER_OF_ONES + in + let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) = + inside_out_shuffle (randomness.[ { Core.Ops.Range.f_start = sz 8 } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + out_index + signs + result + in + let out_index:usize = tmp0 in + let signs:u64 = tmp1 in + let result:t_Array i32 (sz 256) = tmp2 in + let done:bool = out in + let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256) + = + Rust_primitives.f_while_loop (fun temp_0_ -> + let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & + v_Shake256) = + temp_0_ + in + ~.done <: bool) + (done, out_index, result, signs, state + <: + (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256)) + (fun temp_0_ -> + let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & + v_Shake256) = + temp_0_ + in + let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block #v_Shake256 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake256 = tmp0 in + let randomness:t_Array u8 (sz 136) = out in + let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) = + inside_out_shuffle (randomness <: t_Slice u8) out_index signs result + in + let out_index:usize = tmp0 in + let signs:u64 = tmp1 in + let result:t_Array i32 (sz 256) = tmp2 in + let done:bool = out in + done, out_index, result, signs, state + <: + (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256)) + in + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (result <: t_Slice i32) + +let sample_four_error_ring_elements + (#v_SIMDUnit #v_Shake256: Type0) + (v_ETA: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256) + (seed_base: t_Array u8 (sz 66)) + 
(domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) + = + let seed0:t_Array u8 (sz 66) = seed_base in + let seed0:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 + (sz 64) + (cast (domain_separator0 <: u16) <: u8) + in + let seed0:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 + (sz 65) + (cast (domain_separator0 >>! 8l <: u16) <: u8) + in + let seed1:t_Array u8 (sz 66) = seed0 in + let seed1:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 + (sz 64) + (cast (domain_separator1 <: u16) <: u8) + in + let seed1:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 + (sz 65) + (cast (domain_separator1 >>! 8l <: u16) <: u8) + in + let seed2:t_Array u8 (sz 66) = seed0 in + let seed2:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 + (sz 64) + (cast (domain_seperator2 <: u16) <: u8) + in + let seed2:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 + (sz 65) + (cast (domain_seperator2 >>! 8l <: u16) <: u8) + in + let seed3:t_Array u8 (sz 66) = seed0 in + let seed3:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 + (sz 64) + (cast (domain_separator3 <: u16) <: u8) + in + let seed3:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 + (sz 65) + (cast (domain_separator3 >>! 
8l <: u16) <: u8) + in + let state:v_Shake256 = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (seed0 <: t_Slice u8) + (seed1 <: t_Slice u8) + (seed2 <: t_Slice u8) + (seed3 <: t_Slice u8) + in + let tmp0, out4:(v_Shake256 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block #v_Shake256 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake256 = tmp0 in + let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + let out0:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let out1:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let out2:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let out3:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let sampled0:usize = sz 0 in + let sampled1:usize = sz 0 in + let sampled2:usize = sz 0 in + let sampled3:usize = sz 0 in + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._1 <: t_Slice u8) sampled0 out0 + in + let sampled0:usize = tmp0 in + let out0:t_Array i32 (sz 263) = tmp1 in + let done0:bool = out4 in + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._2 <: t_Slice u8) sampled1 out1 + in + let sampled1:usize = tmp0 in + let out1:t_Array i32 (sz 263) = tmp1 in + let done1:bool = out4 in + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._3 <: t_Slice u8) sampled2 out2 + in + let sampled2:usize = tmp0 in + let out2:t_Array i32 (sz 263) = tmp1 in + let done2:bool = out4 in + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit v_ETA 
(randomnesses._4 <: t_Slice u8) sampled3 out3 + in + let sampled3:usize = tmp0 in + let out3:t_Array i32 (sz 263) = tmp1 in + let done3:bool = out4 in + let + done0, done1, done2, done3, out0, out1, out2, out3, sampled0, sampled1, sampled2, sampled3, state:( + bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let + done0, + done1, + done2, + done3, + out0, + out1, + out2, + out3, + sampled0, + sampled1, + sampled2, + sampled3, + state:(bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256) = + temp_0_ + in + (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool)) + (done0, + done1, + done2, + done3, + out0, + out1, + out2, + out3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256)) + (fun temp_0_ -> + let + done0, + done1, + done2, + done3, + out0, + out1, + out2, + out3, + sampled0, + sampled1, + sampled2, + sampled3, + state:(bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256) = + temp_0_ + in + let tmp0, out4:(v_Shake256 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block #v_Shake256 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake256 = tmp0 in + let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + let done0, out0, sampled0:(bool & t_Array 
i32 (sz 263) & usize) = + if ~.done0 + then + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + v_ETA + (randomnesses._1 <: t_Slice u8) + sampled0 + out0 + in + let sampled0:usize = tmp0 in + let out0:t_Array i32 (sz 263) = tmp1 in + let done0:bool = out4 in + done0, out0, sampled0 <: (bool & t_Array i32 (sz 263) & usize) + else done0, out0, sampled0 <: (bool & t_Array i32 (sz 263) & usize) + in + let done1, out1, sampled1:(bool & t_Array i32 (sz 263) & usize) = + if ~.done1 + then + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + v_ETA + (randomnesses._2 <: t_Slice u8) + sampled1 + out1 + in + let sampled1:usize = tmp0 in + let out1:t_Array i32 (sz 263) = tmp1 in + let done1:bool = out4 in + done1, out1, sampled1 <: (bool & t_Array i32 (sz 263) & usize) + else done1, out1, sampled1 <: (bool & t_Array i32 (sz 263) & usize) + in + let done2, out2, sampled2:(bool & t_Array i32 (sz 263) & usize) = + if ~.done2 + then + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + v_ETA + (randomnesses._3 <: t_Slice u8) + sampled2 + out2 + in + let sampled2:usize = tmp0 in + let out2:t_Array i32 (sz 263) = tmp1 in + let done2:bool = out4 in + done2, out2, sampled2 <: (bool & t_Array i32 (sz 263) & usize) + else done2, out2, sampled2 <: (bool & t_Array i32 (sz 263) & usize) + in + if ~.done3 + then + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + v_ETA + (randomnesses._4 <: t_Slice u8) + sampled3 + out3 + in + let sampled3:usize = tmp0 in + let out3:t_Array i32 (sz 263) = tmp1 in + let done3:bool = out4 in + done0, + done1, + done2, + done3, + out0, + out1, + out2, + out3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 
(sz 263) & + usize & + usize & + usize & + usize & + v_Shake256) + else + done0, + done1, + done2, + done3, + out0, + out1, + out2, + out3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256)) + in + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out0 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out1 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out2 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out3 <: t_Slice i32) + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let sample_four_ring_elements + (#v_SIMDUnit #v_Shake128: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128) + (seed0: t_Array u8 (sz 34)) + (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) + = + let seed0:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 + (sz 32) + (cast (domain_separator0 <: u16) <: u8) + in + let seed0:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 + (sz 33) + (cast (domain_separator0 >>! 
8l <: u16) <: u8) + in + let seed1:t_Array u8 (sz 34) = seed0 in + let seed1:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 + (sz 32) + (cast (domain_separator1 <: u16) <: u8) + in + let seed1:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 + (sz 33) + (cast (domain_separator1 >>! 8l <: u16) <: u8) + in + let seed2:t_Array u8 (sz 34) = seed0 in + let seed2:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 + (sz 32) + (cast (domain_seperator2 <: u16) <: u8) + in + let seed2:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 + (sz 33) + (cast (domain_seperator2 >>! 8l <: u16) <: u8) + in + let seed3:t_Array u8 (sz 34) = seed0 in + let seed3:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 + (sz 32) + (cast (domain_separator3 <: u16) <: u8) + in + let seed3:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 + (sz 33) + (cast (domain_separator3 >>! 
8l <: u16) <: u8) + in + let state:v_Shake128 = + Libcrux_ml_dsa.Hash_functions.Shake128.f_init_absorb #v_Shake128 + #FStar.Tactics.Typeclasses.solve + (seed0 <: t_Slice u8) + (seed1 <: t_Slice u8) + (seed2 <: t_Slice u8) + (seed3 <: t_Slice u8) + in + let randomness0:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let randomness1:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let randomness2:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let randomness3:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let tmp0, tmp1, tmp2, tmp3, tmp4:(v_Shake128 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_first_five_blocks #v_Shake128 + #FStar.Tactics.Typeclasses.solve + state + randomness0 + randomness1 + randomness2 + randomness3 + in + let state:v_Shake128 = tmp0 in + let randomness0:t_Array u8 (sz 840) = tmp1 in + let randomness1:t_Array u8 (sz 840) = tmp2 in + let randomness2:t_Array u8 (sz 840) = tmp3 in + let randomness3:t_Array u8 (sz 840) = tmp4 in + let _:Prims.unit = () in + let coefficients0:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let coefficients1:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let coefficients2:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let coefficients3:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let sampled0:usize = sz 0 in + let sampled1:usize = sz 0 in + let sampled2:usize = sz 0 in + let sampled3:usize = sz 0 in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomness0 <: t_Slice u8) + sampled0 + coefficients0 + in + let sampled0:usize = tmp0 in + let coefficients0:t_Array i32 (sz 263) = tmp1 in + let done0:bool = out in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + 
rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomness1 <: t_Slice u8) + sampled1 + coefficients1 + in + let sampled1:usize = tmp0 in + let coefficients1:t_Array i32 (sz 263) = tmp1 in + let done1:bool = out in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomness2 <: t_Slice u8) + sampled2 + coefficients2 + in + let sampled2:usize = tmp0 in + let coefficients2:t_Array i32 (sz 263) = tmp1 in + let done2:bool = out in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomness3 <: t_Slice u8) + sampled3 + coefficients3 + in + let sampled3:usize = tmp0 in + let coefficients3:t_Array i32 (sz 263) = tmp1 in + let done3:bool = out in + let + coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let + coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128) = + temp_0_ + in + (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool)) + (coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128)) 
+ (fun temp_0_ -> + let + coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128) = + temp_0_ + in + let tmp0, out:(v_Shake128 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + = + Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_next_block #v_Shake128 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake128 = tmp0 in + let randomnesses:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + out + in + let coefficients0, done0, sampled0:(t_Array i32 (sz 263) & bool & usize) = + if ~.done0 + then + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._1 <: t_Slice u8) + sampled0 + coefficients0 + in + let sampled0:usize = tmp0 in + let coefficients0:t_Array i32 (sz 263) = tmp1 in + let done0:bool = out in + coefficients0, done0, sampled0 <: (t_Array i32 (sz 263) & bool & usize) + else coefficients0, done0, sampled0 <: (t_Array i32 (sz 263) & bool & usize) + in + let coefficients1, done1, sampled1:(t_Array i32 (sz 263) & bool & usize) = + if ~.done1 + then + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._2 <: t_Slice u8) + sampled1 + coefficients1 + in + let sampled1:usize = tmp0 in + let coefficients1:t_Array i32 (sz 263) = tmp1 in + let done1:bool = out in + coefficients1, done1, sampled1 <: (t_Array i32 (sz 263) & bool & usize) + else coefficients1, done1, sampled1 <: (t_Array i32 (sz 263) & bool & usize) + in + let coefficients2, done2, sampled2:(t_Array i32 (sz 263) & bool & usize) = + if ~.done2 + then + let tmp0, tmp1, 
out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._3 <: t_Slice u8) + sampled2 + coefficients2 + in + let sampled2:usize = tmp0 in + let coefficients2:t_Array i32 (sz 263) = tmp1 in + let done2:bool = out in + coefficients2, done2, sampled2 <: (t_Array i32 (sz 263) & bool & usize) + else coefficients2, done2, sampled2 <: (t_Array i32 (sz 263) & bool & usize) + in + if ~.done3 + then + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._4 <: t_Slice u8) + sampled3 + coefficients3 + in + let sampled3:usize = tmp0 in + let coefficients3:t_Array i32 (sz 263) = tmp1 in + let done3:bool = out in + coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128) + else + coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128)) + in + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients0 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients1 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients2 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients3 <: t_Slice i32) + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let sample_mask_ring_element + (#v_SIMDUnit #v_Shake256: Type0) + (v_GAMMA1_EXPONENT: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (seed: t_Array u8 (sz 66)) + = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> + let out:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out:t_Array u8 (sz 576) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 576) + (seed <: t_Slice u8) + out + in + Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out <: t_Slice u8) + | 19uy -> + let out:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out:t_Array u8 (sz 640) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 640) + (seed <: t_Slice u8) + out + in + Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out <: t_Slice u8) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let sample_mask_vector + (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0) + (v_DIMENSION v_GAMMA1_EXPONENT: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (seed: t_Array u8 (sz 66)) + (domain_separator: u16) + = + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + 
Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((v_DIMENSION =. sz 4 <: bool) || (v_DIMENSION =. sz 5 <: bool) || + (v_DIMENSION =. sz 7 <: bool)) + in + () + in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in + let domain_separator:u16 = tmp0 in + let seed0:t_Array u8 (sz 66) = out4 in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in + let domain_separator:u16 = tmp0 in + let seed1:t_Array u8 (sz 66) = out4 in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in + let domain_separator:u16 = tmp0 in + let seed2:t_Array u8 (sz 66) = out4 in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in + let domain_separator:u16 = tmp0 in + let seed3:t_Array u8 (sz 66) = out4 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> + let out0:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out1:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out2:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out3:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let tmp0, tmp1, tmp2, tmp3:(t_Array u8 (sz 576) & t_Array u8 (sz 576) & t_Array u8 (sz 576) & + t_Array u8 (sz 576)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256X4 + #FStar.Tactics.Typeclasses.solve (sz 576) (seed0 <: t_Slice u8) (seed1 <: t_Slice u8) + (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) out0 out1 out2 out3 + in + let out0:t_Array u8 (sz 576) = tmp0 in + let out1:t_Array u8 (sz 576) = tmp1 in + let out2:t_Array u8 (sz 576) = tmp2 in + let out3:t_Array u8 (sz 576) = tmp3 in + let _:Prims.unit 
= () in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 0) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out0 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 1) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out1 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 2) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out2 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 3) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out3 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + mask + | 19uy -> + let out0:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out1:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out2:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out3:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let tmp0, tmp1, tmp2, tmp3:(t_Array u8 (sz 640) & t_Array u8 (sz 640) & t_Array u8 (sz 640) & + t_Array u8 (sz 640)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256X4 + #FStar.Tactics.Typeclasses.solve (sz 640) (seed0 <: t_Slice u8) (seed1 <: t_Slice u8) + 
(seed2 <: t_Slice u8) (seed3 <: t_Slice u8) out0 out1 out2 out3 + in + let out0:t_Array u8 (sz 640) = tmp0 in + let out1:t_Array u8 (sz 640) = tmp1 in + let out2:t_Array u8 (sz 640) = tmp2 in + let out3:t_Array u8 (sz 640) = tmp3 in + let _:Prims.unit = () in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 0) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out0 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 1) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out1 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 2) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out2 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 3) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out3 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + mask + | _ -> mask + in + let domain_separator, mask, seed:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array u8 (sz 66)) = + Rust_primitives.Hax.Folds.fold_range (sz 4) + v_DIMENSION + (fun temp_0_ temp_1_ -> + let domain_separator, mask, seed:(u16 & + t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array u8 (sz 66)) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (domain_separator, mask, seed + <: + (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array u8 (sz 66))) + (fun temp_0_ i -> + let domain_separator, mask, seed:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array u8 (sz 66)) = + temp_0_ + in + let i:usize = i in + let seed:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed + (sz 64) + (cast (domain_separator <: u16) <: u8) + in + let seed:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed + (sz 65) + (cast (domain_separator >>! 8l <: u16) <: u8) + in + let domain_separator:u16 = domain_separator +! 1us in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + i + (sample_mask_ring_element #v_SIMDUnit #v_Shake256 v_GAMMA1_EXPONENT seed + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + domain_separator, mask, seed + <: + (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array u8 (sz 66))) + in + let hax_temp_output:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + mask + in + domain_separator, hax_temp_output + <: + (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti new file mode 100644 index 000000000..72d069c00 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti 
@@ -0,0 +1,117 @@ +module Libcrux_ml_dsa.Sample +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +val update_seed (seed: t_Array u8 (sz 66)) (domain_separator: u16) + : Prims.Pure (u16 & t_Array u8 (sz 66)) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_eta_equals_2_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_eta_equals_4_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_eta + (#v_SIMDUnit: Type0) + (v_ETA: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (randomness: t_Slice u8) + (sampled: usize) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_field_modulus + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) + +val inside_out_shuffle + (randomness: t_Slice u8) + (out_index: usize) + (signs: u64) + (result: t_Array i32 (sz 256)) + : Prims.Pure (usize & u64 & t_Array i32 (sz 256) 
& bool) Prims.l_True (fun _ -> Prims.l_True) + +val sample_challenge_ring_element + (#v_SIMDUnit #v_Shake256: Type0) + (v_NUMBER_OF_ONES: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (seed: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_four_error_ring_elements + (#v_SIMDUnit #v_Shake256: Type0) + (v_ETA: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256 |} + (seed_base: t_Array u8 (sz 66)) + (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) + : Prims.Pure + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_four_ring_elements + (#v_SIMDUnit #v_Shake128: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |} + (seed0: t_Array u8 (sz 34)) + (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) + : Prims.Pure + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_mask_ring_element + (#v_SIMDUnit #v_Shake256: Type0) + (v_GAMMA1_EXPONENT: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (seed: t_Array u8 (sz 66)) + : Prims.Pure 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_mask_vector + (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0) + (v_DIMENSION v_GAMMA1_EXPONENT: usize) + {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i4: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (seed: t_Array u8 (sz 66)) + (domain_separator: u16) + : Prims.Pure + (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst new file mode 100644 index 000000000..c6103d0bf --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst 
@@ -0,0 +1,2080 @@ +module Libcrux_ml_dsa.Samplex4 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_domain_separator (row column: u8) = + (cast (column <: u8) <: u16) |. ((cast (row <: u8) <: u16) < matrix_A_4_by_4_ #v_SIMDUnit #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A seed + | 6uy, 5uy -> matrix_A_6_by_5_ #v_SIMDUnit #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A seed + | 8uy, 7uy -> matrix_A_8_by_7_ #v_SIMDUnit #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A seed + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let sample_s1_and_s2_4_by_4_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (seed_base: t_Array u8 (sz 66)) + = + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S1_DIMENSION + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S2_DIMENSION + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 0us + 1us + 2us + 3us + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 0) four._1 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 1) four._2 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 2) four._3 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 3) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 4us + 5us + 6us + 7us + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 0) four._1 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 1) four._2 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 2) four._3 + in + let s2:t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 3) four._4 + in + s1, s2 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + +let sample_s1_and_s2_5_by_6_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (seed_base: t_Array u8 (sz 66)) + = + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S1_DIMENSION + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S2_DIMENSION + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 0us + 1us + 2us + 3us + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 0) four._1 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 1) four._2 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 2) four._3 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 3) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 4us + 5us + 6us + 7us + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 4) four._1 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 0) four._2 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 1) four._3 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 2) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 8us + 9us + 10us + 11us + in + let 
s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 3) four._1 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 4) four._2 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 5) four._3 + in + s1, s2 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + +let sample_s1_and_s2_7_by_8_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (seed_base: t_Array u8 (sz 66)) + = + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S1_DIMENSION + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S2_DIMENSION + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + 
#v_Shake256X4 + v_ETA + seed_base + 0us + 1us + 2us + 3us + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 0) four._1 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 1) four._2 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 2) four._3 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 3) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 4us + 5us + 6us + 7us + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 4) four._1 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 5) four._2 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 6) four._3 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 0) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 8us + 9us + 10us + 11us + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 1) four._1 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 2) four._2 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 3) four._3 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 4) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 12us + 13us + 14us + 15us + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 5) four._1 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 6) four._2 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 7) 
four._3 + in + s1, s2 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + +let sample_s1_and_s2 + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (seed: t_Array u8 (sz 66)) + = + match + (cast (v_S1_DIMENSION <: usize) <: u8), (cast (v_S2_DIMENSION <: usize) <: u8) <: (u8 & u8) + with + | 4uy, 4uy -> + sample_s1_and_s2_4_by_4_ #v_SIMDUnit #v_Shake256X4 v_ETA v_S1_DIMENSION v_S2_DIMENSION seed + | 5uy, 6uy -> + sample_s1_and_s2_5_by_6_ #v_SIMDUnit #v_Shake256X4 v_ETA v_S1_DIMENSION v_S2_DIMENSION seed + | 7uy, 8uy -> + sample_s1_and_s2_7_by_8_ #v_SIMDUnit #v_Shake256X4 v_ETA v_S1_DIMENSION v_S2_DIMENSION seed + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti new file mode 100644 index 000000000..d6a4fdf92 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti 
@@ -0,0 +1,106 @@ +module Libcrux_ml_dsa.Samplex4 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +val generate_domain_separator (row column: u8) : Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True) + +val matrix_A_4_by_4_ + (#v_SIMDUnit #v_Shake128X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + (seed: t_Array u8 (sz 34)) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val matrix_A_6_by_5_ + (#v_SIMDUnit #v_Shake128X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + (seed: t_Array u8 (sz 34)) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val matrix_A_8_by_7_ + (#v_SIMDUnit #v_Shake128X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + (seed: t_Array u8 (sz 34)) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val matrix_A + (#v_SIMDUnit #v_Shake128X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: 
Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + (seed: t_Array u8 (sz 34)) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val sample_s1_and_s2_4_by_4_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (seed_base: t_Array u8 (sz 66)) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_s1_and_s2_5_by_6_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (seed_base: t_Array u8 (sz 66)) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_s1_and_s2_7_by_8_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (seed_base: t_Array u8 (sz 66)) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_s1_and_s2 + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| 
i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (seed: t_Array u8 (sz 66)) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst new file mode 100644 index 000000000..5049aad21 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst 
@@ -0,0 +1,350 @@ +module Libcrux_ml_dsa.Simd.Avx2.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 lhs rhs + +let compute_hint (v_GAMMA2: i32) (low high: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_GAMMA2 + in + let minus_gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) + in + let low_within_bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 + low + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + gamma2 + in + let low_equals_minus_gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpeq_epi32 low minus_gamma2 + in + let low_equals_minus_gamma2_and_high_is_nonzero:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sign_epi32 low_equals_minus_gamma2 high + in + let hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_or_si256 low_within_bound + low_equals_minus_gamma2_and_high_is_nonzero + in + let hints_mask:i32 = + Libcrux_intrinsics.Avx2_extract.mm256_movemask_ps (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_ps + hints + <: + u8) + in + (cast (Core.Num.impl__i32__count_ones hints_mask <: u32) <: usize), + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 hints + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1l <: Libcrux_intrinsics.Avx2_extract.t_Vec256 + ) + <: + (usize & Libcrux_intrinsics.Avx2_extract.t_Vec256) + +let infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32) = + let absolute_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + 
Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 simd_unit + in + let bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (bound -! 1l <: i32) + in + let compare_with_bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 absolute_values bound + in + let result:i32 = + Libcrux_intrinsics.Avx2_extract.mm256_testz_si256 compare_with_bound compare_with_bound + in + if result =. 1l then false else true + +let simd_multiply_i32_and_return_high (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 lhs rhs + in + let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + lhs + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 (Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi32 + prod02 + prod13 + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi32 prod02 prod13 + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + +let subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 lhs rhs + +let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 v_SHIFT_BY simd_unit + in + let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 shifted + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < + let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 
ceil_of_r_by_128_ + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 11275l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 result + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < + let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 ceil_of_r_by_128_ + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1025l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 result + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 r1 + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_ALPHA + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r r0 + in + let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 field_modulus_halved r0 + in + let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l mask + in + let field_modulus_and_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 mask + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r0 field_modulus_and_mask + in + r0, r1 <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + +let use_hint (v_GAMMA2: i32) (r hint: 
Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let r0, r1:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) = + decompose v_GAMMA2 r + in + let all_zeros:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () + in + let negate_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 all_zeros hint r0 + in + let negate_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 1l negate_hints + in + let hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 hint negate_hints + in + let r1_plus_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 r1 hints + in + match v_GAMMA2 with + | 95232l -> + let max:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 43l + in + let r1_plus_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints max r1_plus_hints + in + let greater_than_or_equal_to_max:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 r1_plus_hints max + in + Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints + all_zeros + greater_than_or_equal_to_max + | 261888l -> + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 r1_plus_hints + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti new file mode 100644 index 000000000..4bdf5d796 --- /dev/null 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti 
@@ -0,0 +1,50 @@ +module Libcrux_ml_dsa.Simd.Avx2.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val compute_hint (v_GAMMA2: i32) (low high: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure (usize & Libcrux_intrinsics.Avx2_extract.t_Vec256) + Prims.l_True + (fun _ -> Prims.l_True) + +val infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val simd_multiply_i32_and_return_high (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val power2round (r: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + Prims.l_True + (fun _ -> Prims.l_True) + +val montgomery_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (constant: i32) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val decompose (v_GAMMA2: i32) (r: 
Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + Prims.l_True + (fun _ -> Prims.l_True) + +val use_hint (v_GAMMA2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst new file mode 100644 index 000000000..5f1406970 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst 
@@ -0,0 +1,151 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let serialized:t_Array u8 (sz 19) = Rust_primitives.Hax.repeat 0uy (sz 19) in + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 4uy -> + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 28l 0l 28l 0l 28l 0l 28l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 28l adjacent_2_combined + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 2l 4l 0l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 240uy 240uy 240uy 240uy 240uy 240uy 240uy 240uy + 240uy 240uy 240uy 240uy 12uy 4uy 8uy 0uy + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) + in + let serialized:t_Array u8 (sz 19) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + adjacent_4_combined + <: + 
t_Slice u8) + in + Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 v_OUTPUT_SIZE) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) + | 6uy -> + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 26l 0l 26l 0l 26l 0l 26l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 26l adjacent_2_combined + in + let adjacent_3_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let adjacent_3_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 adjacent_3_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 1s 1s 1s 1s 1s 1s 1s (1s < + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti new file mode 100644 index 000000000..58e2355b6 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti 
@@ -0,0 +1,7 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst new file mode 100644 index 000000000..a8ea63851 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst 
@@ -0,0 +1,251 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_to_unsigned_when_eta_is_2_ (bytes: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 bytes <: usize) =. sz 3 <: bool) + in + () + in + let bytes_in_simd_unit:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (cast (bytes.[ sz 2 ] <: u8) <: i32) + (cast (bytes.[ sz 2 ] <: u8) <: i32) + (((cast (bytes.[ sz 2 ] <: u8) <: i32) < deserialize_to_unsigned_when_eta_is_2_ serialized + | 4uy -> deserialize_to_unsigned_when_eta_is_4_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let deserialize (v_ETA: usize) (serialized: t_Slice u8) = + let unsigned:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + deserialize_to_unsigned v_ETA serialized + in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ( + cast (v_ETA <: usize) <: i32) + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + unsigned + +let serialize_when_eta_is_2_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + = + let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let simd_unit_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + serialize_when_eta_is_2___ETA + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + simd_unit + in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 29l 0l 29l 0l 29l 0l 29l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let 
adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 29l adjacent_2_combined + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 8y (-1y) 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 8y (-1y) 0y + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 0s 0s 0s 0s 0s 0s (1s < serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit + | 4uy -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti new file mode 100644 index 000000000..11a0e04cf --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti 
@@ -0,0 +1,37 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_to_unsigned_when_eta_is_2___COEFFICIENT_MASK: i32 = (1l < Prims.l_True) + +val deserialize_to_unsigned_when_eta_is_4_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val deserialize_to_unsigned (v_ETA: usize) (serialized: t_Slice u8) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val deserialize (v_ETA: usize) (serialized: t_Slice u8) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_eta_is_2_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_eta_is_4_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst new file mode 100644 index 000000000..c7012e6cb --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst 
@@ -0,0 +1,311 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 18 <: bool) + in + () + in + let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 2; + Core.Ops.Range.f_end = sz 18 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 11y + 10y 9y (-1y) 9y 8y 7y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) 4y 3y 2y (-1y) 2y 1y 0y + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_17___GAMMA1_TIMES_2_MASK + + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + 
Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_17___GAMMA1 + + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + coefficients + +let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 20 <: bool) + in + () + in + let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 4; + Core.Ops.Range.f_end = sz 20 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 10y + 9y 8y (-1y) 8y 7y 6y (-1y) 9y 8y 7y (-1y) 7y 6y 5y (-1y) 4y 3y 2y (-1y) 2y 1y 0y + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 4l 0l 4l 0l 4l 0l 4l 0l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_19___GAMMA1_TIMES_2_MASK + + <: + 
Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_19___GAMMA1 + + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + coefficients + +let deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> deserialize_when_gamma1_is_2_pow_17_ serialized + | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let serialize_when_gamma1_is_2_pow_17_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let simd_unit_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + serialize_when_gamma1_is_2_pow_17___GAMMA1 + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + simd_unit + in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 14l 0l 14l 0l 14l 0l 14l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 14l adjacent_2_combined + in + let every_second_element:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_bsrli_epi128 8l adjacent_2_combined + in + let every_second_element_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_slli_epi64 36l every_second_element + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi64 
adjacent_2_combined every_second_element_shifted + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi64 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x 28L 0L 28L 0L + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let lower_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined + in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + lower_4_ + <: + t_Slice u8) + in + let upper_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined + in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 9; Core.Ops.Range.f_end = sz 25 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 9; + Core.Ops.Range.f_end = sz 25 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + upper_4_ + <: + t_Slice u8) + in + Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 v_OUTPUT_SIZE) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 18 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) + +let serialize_when_gamma1_is_2_pow_19_ + (v_OUTPUT_SIZE: usize) + (simd_unit: 
Libcrux_intrinsics.Avx2_extract.t_Vec256) + = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let simd_unit_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + serialize_when_gamma1_is_2_pow_19___GAMMA1 + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + simd_unit + in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_2_combined + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y + 10y 9y 8y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y 10y 9y 8y 4y 3y 2y 1y + 0y + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let lower_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined + in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + lower_4_ + <: + t_Slice u8) + in + let upper_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined + in + let serialized:t_Array u8 (sz 32) = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 26 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 10; + Core.Ops.Range.f_end = sz 26 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + upper_4_ + <: + t_Slice u8) + in + Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 v_OUTPUT_SIZE) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 20 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) + +let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 18uy -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit + | 20uy -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti new file mode 100644 index 000000000..09917efd7 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti 
@@ -0,0 +1,40 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True) + +val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_gamma1_is_2_pow_17_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_gamma1_is_2_pow_19_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst new file mode 100644 index 000000000..cf9feff51 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst 
@@ -0,0 +1,128 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.T0 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let change_interval (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let interval_end:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < Hax_lib.v_assert (left_val =. right_val <: bool) + in + () + in + let serialized_extended:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let serialized_extended:t_Array u8 (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized_extended + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized_extended.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + serialized + <: + t_Slice u8) + in + let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized_extended <: t_Slice u8) + in + let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized serialized + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 12y 11y (-1y) 11y 10y 9y (-1y) + (-1y) 9y 8y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) (-1y) 4y 3y (-1y) 3y 2y 1y (-1y) (-1y) 1y + 0y + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 3l 6l 1l 4l 7l 2l 5l 0l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + 
(Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + change_interval coefficients + +let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let simd_unit:Libcrux_intrinsics.Avx2_extract.t_Vec256 = change_interval simd_unit in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 19l 0l 19l 0l 19l 0l 19l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 19l adjacent_2_combined + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 4l 2l 0l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 6l 0l 6l 0l 6l 0l 6l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 6l adjacent_4_combined + in + let second_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_bsrli_epi128 8l adjacent_4_combined + in + let least_12_bits_shifted_up:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_slli_epi64 52l second_4_combined + in + let bits_sequential:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi64 adjacent_4_combined least_12_bits_shifted_up + in + let 
bits_sequential:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi64 bits_sequential + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x 0L 0L 12L 0L + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let bits_sequential:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 bits_sequential + in + let serialized:t_Array u8 (sz 16) = + Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 serialized bits_sequential + in + Core.Result.impl__unwrap #(t_Array u8 (sz 13)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 13)) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 (sz 13)) Core.Array.t_TryFromSliceError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti new file mode 100644 index 000000000..6ecaf9832 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti @@ -0,0 +1,15 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.T0 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val change_interval (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) + +val serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure (t_Array u8 (sz 13)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst new file mode 100644 index 000000000..5c03793af --- /dev/null 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst 
@@ -0,0 +1,134 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let serialized:t_Array u8 (sz 24) = Rust_primitives.Hax.repeat 0uy (sz 24) in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 22l 0l 22l 0l 22l 0l 22l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 22l adjacent_2_combined + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 6l 4l 0l 0l 2l 0l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_4_combined + in + let lower_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined + in + let serialized:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + lower_4_ + <: + t_Slice u8) + in + let 
upper_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined + in + let serialized:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 5; Core.Ops.Range.f_end = sz 21 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 5; + Core.Ops.Range.f_end = sz 21 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + upper_4_ + <: + t_Slice u8) + in + Core.Result.impl__unwrap #(t_Array u8 (sz 10)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 10)) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 (sz 10)) Core.Array.t_TryFromSliceError) + +let deserialize (bytes: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + match Core.Slice.impl__len #u8 bytes, sz 10 <: (usize & usize) with + | left_val, right_val -> Hax_lib.v_assert (left_val =. 
right_val <: bool) + in + () + in + let bytes_extended:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let bytes_extended:t_Array u8 (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range bytes_extended + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (bytes_extended.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + bytes + <: + t_Slice u8) + in + let bytes_loaded:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes_extended <: t_Slice u8) + in + let bytes_loaded:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i bytes_loaded bytes_loaded + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 bytes_loaded + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 9y 8y (-1y) (-1y) 8y 7y (-1y) + (-1y) 7y 6y (-1y) (-1y) 6y 5y (-1y) (-1y) 4y 3y (-1y) (-1y) 3y 2y (-1y) (-1y) 2y 1y (-1y) + (-1y) 1y 0y + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti new file mode 100644 index 000000000..53c46df38 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti 
@@ -0,0 +1,12 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) + +val deserialize (bytes: t_Slice u8) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst new file mode 100644 index 000000000..861879085 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst 
@@ -0,0 +1,139 @@ +module Libcrux_ml_dsa.Simd.Avx2.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let invert_ntt_at_layer_0_ + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (zeta0 zeta1 zeta2 zeta3: i32) + = + let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta3 0l zeta2 0l zeta1 0l zeta0 0l + in + let add_by_signs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (-1l) 1l (-1l) 1l (-1l) 1l (-1l) 1l + in + let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 177l simd_unit + in + let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs + in + let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 simd_unit add_by + in + let products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas + in + Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l sums products + +let invert_ntt_at_layer_1_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) = + let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 0l 0l zeta0 zeta0 0l 0l + in + let add_by_signs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (-1l) (-1l) 1l 1l (-1l) (-1l) 1l 1l + in + let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 78l simd_unit + in + let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs + in + let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 simd_unit add_by + in + let products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + 
Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas + in + Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 204l sums products + +let invert_ntt_at_layer_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i32) = + let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta zeta zeta zeta 0l 0l 0l 0l + in + let add_by_signs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (-1l) (-1l) (-1l) (-1l) 1l 1l 1l 1l + in + let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 78l simd_unit + in + let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs + in + let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 simd_unit add_by + in + let products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas + in + Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 240l sums products + +let ntt_at_layer_0_ + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (zeta0 zeta1 zeta2 zeta3: i32) + = + let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Core.Ops.Arith.Neg.neg zeta3 <: i32) + zeta3 + (Core.Ops.Arith.Neg.neg zeta2 <: i32) + zeta2 + (Core.Ops.Arith.Neg.neg zeta1 <: i32) + zeta1 + (Core.Ops.Arith.Neg.neg zeta0 <: i32) + zeta0 + in + let zeta_multipliers:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l simd_unit + in + let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multipliers zetas + in + let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l simd_unit + in + 
Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 rhs lhs + +let ntt_at_layer_1_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) = + let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Core.Ops.Arith.Neg.neg zeta1 <: i32) + (Core.Ops.Arith.Neg.neg zeta1 <: i32) + zeta1 + zeta1 + (Core.Ops.Arith.Neg.neg zeta0 <: i32) + (Core.Ops.Arith.Neg.neg zeta0 <: i32) + zeta0 + zeta0 + in + let zeta_multipliers:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 238l simd_unit + in + let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multipliers zetas + in + let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 68l simd_unit + in + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 rhs lhs + +let ntt_at_layer_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i32) = + let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Core.Ops.Arith.Neg.neg zeta <: i32) + (Core.Ops.Arith.Neg.neg zeta <: i32) + (Core.Ops.Arith.Neg.neg zeta <: i32) + (Core.Ops.Arith.Neg.neg zeta <: i32) + zeta + zeta + zeta + zeta + in + let zeta_multipliers:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 238l simd_unit + in + let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multipliers zetas + in + let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 68l simd_unit + in + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 rhs lhs diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti new file mode 100644 index 000000000..4a6421e31 --- /dev/null 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti @@ -0,0 +1,26 @@ +module Libcrux_ml_dsa.Simd.Avx2.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val invert_ntt_at_layer_0_ + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_1_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i32) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_0_ + (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_1_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i32) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst new file mode 100644 index 000000000..67e806244 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst 
@@ -0,0 +1,149 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let shift_interval (v_ETA: usize) (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> + let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 26l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 7l quotient + in + let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 quotient + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 5l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let coefficients_mod_5_:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 coefficients quotient + in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + (cast (v_ETA <: usize) <: i32) + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + coefficients_mod_5_ + | 4uy -> + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + (cast (v_ETA <: usize) <: i32) + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + coefficients + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) = + let potential_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize_to_unsigned (sz 4) input + in + let (interval_boundary: i32):i32 = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> 15l + | 4uy -> 9l + | _ -> + Rust_primitives.Hax.never_to_any 
(Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let compare_with_interval_boundary:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + interval_boundary + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + potential_coefficients + in + let good:i32 = + Libcrux_intrinsics.Avx2_extract.mm256_movemask_ps (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_ps + compare_with_interval_boundary + <: + u8) + in + let good_lower_half:i32 = good &. 15l in + let good_upper_half:i32 = good >>! 4l in + let shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + shift_interval v_ETA potential_coefficients + in + let lower_shuffles:t_Array u8 (sz 16) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_lower_half + <: + i32) + <: + usize ] + in + let lower_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (lower_shuffles <: t_Slice u8) + in + let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 shifted + in + let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients lower_shuffles + in + let output:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range output + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 4 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + lower_coefficients + <: + t_Slice i32) + in + let sampled_count:usize = cast (Core.Num.impl__i32__count_ones good_lower_half <: u32) <: usize in + let upper_shuffles:t_Array u8 (sz 16) = + 
Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_upper_half + <: + i32) + <: + usize ] + in + let upper_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8) + in + let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l shifted + in + let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles + in + let output:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range output + ({ + Core.Ops.Range.f_start = sampled_count; + Core.Ops.Range.f_end = sampled_count +! sz 4 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { + Core.Ops.Range.f_start = sampled_count; + Core.Ops.Range.f_end = sampled_count +! sz 4 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + upper_coefficients + <: + t_Slice i32) + in + let hax_temp_output:usize = + sampled_count +! (cast (Core.Num.impl__i32__count_ones good_upper_half <: u32) <: usize) + in + output, hax_temp_output <: (t_Slice i32 & usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti new file mode 100644 index 000000000..b18b2e3aa --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti 
@@ -0,0 +1,10 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val shift_interval (v_ETA: usize) (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) + : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + +val sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) + : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst new file mode 100644 index 000000000..f3d66cf87 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst 
@@ -0,0 +1,142 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let bytestream_to_potential_coefficients (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + match Core.Slice.impl__len #u8 serialized, sz 24 <: (usize & usize) with + | left_val, right_val -> Hax_lib.v_assert (left_val =. right_val <: bool) + in + () + in + let serialized_extended:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let serialized_extended:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_to serialized_extended + ({ Core.Ops.Range.f_end = sz 24 } <: Core.Ops.Range.t_RangeTo usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized_extended.[ { Core.Ops.Range.f_end = sz 24 } <: Core.Ops.Range.t_RangeTo usize + ] + <: + t_Slice u8) + serialized + <: + t_Slice u8) + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_u8 (serialized_extended <: t_Slice u8) + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 5l 4l 3l 0l 2l 1l 0l + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 11y 10y 9y (-1y) 8y 7y 6y (-1y) 5y 4y 3y + (-1y) 2y 1y 0y (-1y) 11y 10y 9y (-1y) 8y 7y 6y (-1y) 5y 4y 3y (-1y) 2y 1y 0y + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 bytestream_to_potential_coefficients__COEFFICIENT_MASK + + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + +let sample (input: t_Slice u8) (output: 
t_Slice i32) = + let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + in + let potential_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + bytestream_to_potential_coefficients input + in + let compare_with_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 field_modulus potential_coefficients + in + let good:i32 = + Libcrux_intrinsics.Avx2_extract.mm256_movemask_ps (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_ps + compare_with_field_modulus + <: + u8) + in + let good_lower_half:i32 = good &. 15l in + let good_upper_half:i32 = good >>! 4l in + let lower_shuffles:t_Array u8 (sz 16) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_lower_half + <: + i32) + <: + usize ] + in + let lower_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (lower_shuffles <: t_Slice u8) + in + let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 potential_coefficients + in + let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients lower_shuffles + in + let output:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range output + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 4 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + lower_coefficients + <: + t_Slice i32) + in + let sampled_count:usize = cast (Core.Num.impl__i32__count_ones good_lower_half <: u32) <: usize in + let upper_shuffles:t_Array u8 (sz 16) = + 
Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_upper_half + <: + i32) + <: + usize ] + in + let upper_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8) + in + let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l potential_coefficients + in + let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles + in + let output:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range output + ({ + Core.Ops.Range.f_start = sampled_count; + Core.Ops.Range.f_end = sampled_count +! sz 4 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { + Core.Ops.Range.f_start = sampled_count; + Core.Ops.Range.f_end = sampled_count +! sz 4 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + upper_coefficients + <: + t_Slice i32) + in + let hax_temp_output:usize = + sampled_count +! (cast (Core.Num.impl__i32__count_ones good_upper_half <: u32) <: usize) + in + output, hax_temp_output <: (t_Slice i32 & usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti new file mode 100644 index 000000000..8d297cab8 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti 
@@ -0,0 +1,12 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let bytestream_to_potential_coefficients__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) + +val sample (input: t_Slice u8) (output: t_Slice i32) + : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fst new file mode 100644 index 000000000..97a40a5a5 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fst 
@@ -0,0 +1,107 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let is_bit_set (number: usize) (bit_position: u8) = + ((number &. (sz 1 <>! bit_position <: usize) =. sz 1 + +let generate_shuffle_table (_: Prims.unit) = + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 255uy (sz 16) <: t_Array u8 (sz 16)) + (sz 16) + in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 1 < + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = byte_shuffles in + let _:usize = temp_1_ in + true) + byte_shuffles + (fun byte_shuffles bit_pattern -> + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = byte_shuffles in + let bit_pattern:usize = bit_pattern in + let byte_shuffles_index:usize = sz 0 in + let byte_shuffles, byte_shuffles_index:(t_Array (t_Array u8 (sz 16)) (sz 16) & usize) = + Rust_primitives.Hax.Folds.fold_range 0uy + 4uy + (fun temp_0_ temp_1_ -> + let byte_shuffles, byte_shuffles_index:(t_Array (t_Array u8 (sz 16)) (sz 16) & + usize) = + temp_0_ + in + let _:u8 = temp_1_ in + true) + (byte_shuffles, byte_shuffles_index <: (t_Array (t_Array u8 (sz 16)) (sz 16) & usize)) + (fun temp_0_ bit_position -> + let byte_shuffles, byte_shuffles_index:(t_Array (t_Array u8 (sz 16)) (sz 16) & + usize) = + temp_0_ + in + let bit_position:u8 = bit_position in + if is_bit_set bit_pattern bit_position <: bool + then + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles + bit_pattern + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ + bit_pattern ] + <: + t_Array u8 (sz 16)) + byte_shuffles_index + (bit_position *! 4uy <: u8) + <: + t_Array u8 (sz 16)) + in + let byte_shuffles_index:usize = byte_shuffles_index +! 
sz 1 in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles + bit_pattern + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ + bit_pattern ] + <: + t_Array u8 (sz 16)) + byte_shuffles_index + ((bit_position *! 4uy <: u8) +! 1uy <: u8) + <: + t_Array u8 (sz 16)) + in + let byte_shuffles_index:usize = byte_shuffles_index +! sz 1 in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles + bit_pattern + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ + bit_pattern ] + <: + t_Array u8 (sz 16)) + byte_shuffles_index + ((bit_position *! 4uy <: u8) +! 2uy <: u8) + <: + t_Array u8 (sz 16)) + in + let byte_shuffles_index:usize = byte_shuffles_index +! sz 1 in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles + bit_pattern + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ + bit_pattern ] + <: + t_Array u8 (sz 16)) + byte_shuffles_index + ((bit_position *! 4uy <: u8) +! 3uy <: u8) + <: + t_Array u8 (sz 16)) + in + let byte_shuffles_index:usize = byte_shuffles_index +! sz 1 in + byte_shuffles, byte_shuffles_index + <: + (t_Array (t_Array u8 (sz 16)) (sz 16) & usize) + else + byte_shuffles, byte_shuffles_index + <: + (t_Array (t_Array u8 (sz 16)) (sz 16) & usize)) + in + byte_shuffles) + in + byte_shuffles diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fsti new file mode 100644 index 000000000..9586d3a7b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fsti 
@@ -0,0 +1,140 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_SHUFFLE_TABLE: t_Array (t_Array u8 (sz 16)) (sz 16) = + let list = + [ + (let list = + [ + 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + 
[0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 
11uy; 12uy; 13uy; 14uy; 15uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list + +val is_bit_set (number: usize) (bit_position: u8) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val generate_shuffle_table: Prims.unit + -> Prims.Pure (t_Array (t_Array u8 (sz 16)) (sz 16)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti new file mode 100644 index 000000000..d9f635c5d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti 
@@ -0,0 +1,462 @@ +module Libcrux_ml_dsa.Simd.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +type t_AVX2SIMDUnit = { f_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Core.Convert.t_From t_AVX2SIMDUnit Libcrux_intrinsics.Avx2_extract.t_Vec256 = + { + f_from_pre = (fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); + f_from_post + = + (fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_AVX2SIMDUnit) -> true); + f_from + = + fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> + { f_coefficients = coefficients } <: t_AVX2SIMDUnit + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Simd.Traits.t_Operations t_AVX2SIMDUnit = + { + _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; + _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; + f_ZERO_pre = (fun (_: Prims.unit) -> true); + f_ZERO_post = (fun (_: Prims.unit) (out: t_AVX2SIMDUnit) -> true); + f_ZERO + = + (fun (_: Prims.unit) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_from_coefficient_array_pre = (fun (coefficient_array: t_Slice i32) -> true); + f_from_coefficient_array_post + = + (fun (coefficient_array: t_Slice i32) (out: t_AVX2SIMDUnit) -> true); + f_from_coefficient_array + = + (fun (coefficient_array: t_Slice i32) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_to_coefficient_array_pre = (fun (self: t_AVX2SIMDUnit) -> true); + f_to_coefficient_array_post = (fun (self: t_AVX2SIMDUnit) (out: t_Array i32 (sz 8)) -> true); + 
f_to_coefficient_array + = + (fun (self: t_AVX2SIMDUnit) -> + let coefficient_array:t_Array i32 (sz 8) = Rust_primitives.Hax.repeat 0l (sz 8) in + let coefficient_array:t_Array i32 (sz 8) = + Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i32 coefficient_array + self.f_coefficients + in + coefficient_array); + f_add_pre = (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) -> true); + f_add_post = (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) (out: t_AVX2SIMDUnit) -> true); + f_add + = + (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lhs.f_coefficients rhs.f_coefficients + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_subtract_pre = (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) -> true); + f_subtract_post + = + (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) (out: t_AVX2SIMDUnit) -> true); + f_subtract + = + (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract lhs.f_coefficients rhs.f_coefficients + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_montgomery_multiply_by_constant_pre + = + (fun (simd_unit: t_AVX2SIMDUnit) (constant: i32) -> true); + f_montgomery_multiply_by_constant_post + = + (fun (simd_unit: t_AVX2SIMDUnit) (constant: i32) (out: t_AVX2SIMDUnit) -> true); + f_montgomery_multiply_by_constant + = + (fun (simd_unit: t_AVX2SIMDUnit) (constant: i32) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant simd_unit + .f_coefficients + constant + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_montgomery_multiply_pre = (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) -> true); 
+ f_montgomery_multiply_post + = + (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) (out: t_AVX2SIMDUnit) -> true); + f_montgomery_multiply + = + (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply lhs.f_coefficients + rhs.f_coefficients + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_shift_left_then_reduce_pre = (fun (v_SHIFT_BY: i32) (simd_unit: t_AVX2SIMDUnit) -> true); + f_shift_left_then_reduce_post + = + (fun (v_SHIFT_BY: i32) (simd_unit: t_AVX2SIMDUnit) (out: t_AVX2SIMDUnit) -> true); + f_shift_left_then_reduce + = + (fun (v_SHIFT_BY: i32) (simd_unit: t_AVX2SIMDUnit) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.shift_left_then_reduce v_SHIFT_BY + simd_unit.f_coefficients + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_power2round_pre = (fun (simd_unit: t_AVX2SIMDUnit) -> true); + f_power2round_post + = + (fun (simd_unit: t_AVX2SIMDUnit) (out: (t_AVX2SIMDUnit & t_AVX2SIMDUnit)) -> true); + f_power2round + = + (fun (simd_unit: t_AVX2SIMDUnit) -> + let lower, upper:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & + Libcrux_intrinsics.Avx2_extract.t_Vec256) = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.power2round simd_unit.f_coefficients + in + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + lower, + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + upper + <: + (t_AVX2SIMDUnit & t_AVX2SIMDUnit)); + f_infinity_norm_exceeds_pre = (fun (simd_unit: t_AVX2SIMDUnit) (bound: i32) -> true); + f_infinity_norm_exceeds_post + = + (fun (simd_unit: t_AVX2SIMDUnit) (bound: i32) (out: bool) -> true); + f_infinity_norm_exceeds + = + (fun (simd_unit: 
t_AVX2SIMDUnit) (bound: i32) -> + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.infinity_norm_exceeds simd_unit.f_coefficients bound); + f_decompose_pre = (fun (v_GAMMA2: i32) (simd_unit: t_AVX2SIMDUnit) -> true); + f_decompose_post + = + (fun (v_GAMMA2: i32) (simd_unit: t_AVX2SIMDUnit) (out: (t_AVX2SIMDUnit & t_AVX2SIMDUnit)) -> + true); + f_decompose + = + (fun (v_GAMMA2: i32) (simd_unit: t_AVX2SIMDUnit) -> + let lower, upper:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & + Libcrux_intrinsics.Avx2_extract.t_Vec256) = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.decompose v_GAMMA2 simd_unit.f_coefficients + in + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + lower, + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + upper + <: + (t_AVX2SIMDUnit & t_AVX2SIMDUnit)); + f_compute_hint_pre = (fun (v_GAMMA2: i32) (low: t_AVX2SIMDUnit) (high: t_AVX2SIMDUnit) -> true); + f_compute_hint_post + = + (fun + (v_GAMMA2: i32) + (low: t_AVX2SIMDUnit) + (high: t_AVX2SIMDUnit) + (out: (usize & t_AVX2SIMDUnit)) + -> + true); + f_compute_hint + = + (fun (v_GAMMA2: i32) (low: t_AVX2SIMDUnit) (high: t_AVX2SIMDUnit) -> + let count, hint:(usize & Libcrux_intrinsics.Avx2_extract.t_Vec256) = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.compute_hint v_GAMMA2 + low.f_coefficients + high.f_coefficients + in + count, + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + hint + <: + (usize & t_AVX2SIMDUnit)); + f_use_hint_pre + = + (fun (v_GAMMA2: i32) (simd_unit: t_AVX2SIMDUnit) (hint: t_AVX2SIMDUnit) -> true); + f_use_hint_post + = + (fun (v_GAMMA2: i32) (simd_unit: t_AVX2SIMDUnit) (hint: t_AVX2SIMDUnit) (out: t_AVX2SIMDUnit) -> + true); + f_use_hint + = + (fun (v_GAMMA2: i32) (simd_unit: t_AVX2SIMDUnit) (hint: t_AVX2SIMDUnit) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + 
#FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.use_hint v_GAMMA2 + simd_unit.f_coefficients + hint.f_coefficients + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_rejection_sample_less_than_field_modulus_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_field_modulus_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_field_modulus + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.sample randomness out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_2_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_2_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_2_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 2) randomness out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_4_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_4_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_4_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 4) randomness out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, 
hax_temp_output <: (t_Slice i32 & usize)); + f_gamma1_serialize_pre = (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) -> true); + f_gamma1_serialize_post + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> true); + f_gamma1_serialize + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.serialize v_OUTPUT_SIZE simd_unit.f_coefficients); + f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); + f_gamma1_deserialize_post + = + (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) (out: t_AVX2SIMDUnit) -> true); + f_gamma1_deserialize + = + (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_commitment_serialize_pre = (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) -> true); + f_commitment_serialize_post + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> true); + f_commitment_serialize + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.serialize v_OUTPUT_SIZE + simd_unit.f_coefficients); + f_error_serialize_pre = (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) -> true); + f_error_serialize_post + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> true); + f_error_serialize + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.serialize v_OUTPUT_SIZE simd_unit.f_coefficients); + f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); + f_error_deserialize_post + = + (fun (v_ETA: usize) (serialized: t_Slice u8) (out: 
t_AVX2SIMDUnit) -> true); + f_error_deserialize + = + (fun (v_ETA: usize) (serialized: t_Slice u8) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize v_ETA serialized + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_t0_serialize_pre = (fun (simd_unit: t_AVX2SIMDUnit) -> true); + f_t0_serialize_post = (fun (simd_unit: t_AVX2SIMDUnit) (out: t_Array u8 (sz 13)) -> true); + f_t0_serialize + = + (fun (simd_unit: t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.serialize simd_unit.f_coefficients); + f_t0_deserialize_pre = (fun (serialized: t_Slice u8) -> true); + f_t0_deserialize_post = (fun (serialized: t_Slice u8) (out: t_AVX2SIMDUnit) -> true); + f_t0_deserialize + = + (fun (serialized: t_Slice u8) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.deserialize serialized + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_t1_serialize_pre = (fun (simd_unit: t_AVX2SIMDUnit) -> true); + f_t1_serialize_post = (fun (simd_unit: t_AVX2SIMDUnit) (out: t_Array u8 (sz 10)) -> true); + f_t1_serialize + = + (fun (simd_unit: t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.serialize simd_unit.f_coefficients); + f_t1_deserialize_pre = (fun (serialized: t_Slice u8) -> true); + f_t1_deserialize_post = (fun (serialized: t_Slice u8) (out: t_AVX2SIMDUnit) -> true); + f_t1_deserialize + = + (fun (serialized: t_Slice u8) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.deserialize serialized + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_ntt_at_layer_0_pre + = + (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> true); + f_ntt_at_layer_0_post + = + (fun + (simd_unit: 
t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + (out: t_AVX2SIMDUnit) + -> + true); + f_ntt_at_layer_0_ + = + (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt_at_layer_0_ simd_unit.f_coefficients + zeta0 + zeta1 + zeta2 + zeta3 + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_ntt_at_layer_1_pre = (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) -> true); + f_ntt_at_layer_1_post + = + (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) (out: t_AVX2SIMDUnit) -> true); + f_ntt_at_layer_1_ + = + (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt_at_layer_1_ simd_unit.f_coefficients zeta0 zeta1 + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_ntt_at_layer_2_pre = (fun (simd_unit: t_AVX2SIMDUnit) (zeta: i32) -> true); + f_ntt_at_layer_2_post + = + (fun (simd_unit: t_AVX2SIMDUnit) (zeta: i32) (out: t_AVX2SIMDUnit) -> true); + f_ntt_at_layer_2_ + = + (fun (simd_unit: t_AVX2SIMDUnit) (zeta: i32) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt_at_layer_2_ simd_unit.f_coefficients zeta + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_invert_ntt_at_layer_0_pre + = + (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> true); + f_invert_ntt_at_layer_0_post + = + (fun + (simd_unit: t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + (out: t_AVX2SIMDUnit) + -> + true); + f_invert_ntt_at_layer_0_ + = + (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> + 
Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_0_ simd_unit.f_coefficients + zeta0 + zeta1 + zeta2 + zeta3 + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_invert_ntt_at_layer_1_pre + = + (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) -> true); + f_invert_ntt_at_layer_1_post + = + (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) (out: t_AVX2SIMDUnit) -> true); + f_invert_ntt_at_layer_1_ + = + (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_1_ simd_unit.f_coefficients zeta0 zeta1 + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256)); + f_invert_ntt_at_layer_2_pre = (fun (simd_unit: t_AVX2SIMDUnit) (zeta: i32) -> true); + f_invert_ntt_at_layer_2_post + = + (fun (simd_unit: t_AVX2SIMDUnit) (zeta: i32) (out: t_AVX2SIMDUnit) -> true); + f_invert_ntt_at_layer_2_ + = + fun (simd_unit: t_AVX2SIMDUnit) (zeta: i32) -> + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_2_ simd_unit.f_coefficients zeta + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst new file mode 100644 index 000000000..688929d5d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst 
@@ -0,0 +1,674 @@ +module Libcrux_ml_dsa.Simd.Portable.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable in + () + +let compute_one_hint (v_GAMMA2 low high: i32) = + if + low >. v_GAMMA2 || low <. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) || + low =. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) && high <>. 0l + then 1l + else 0l + +let get_n_least_significant_bits (n: u8) (value: u64) = value &. ((1uL <>! 23l in + fe -! (quotient *! Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + +let montgomery_reduce_element (value: i64) = + let t:u64 = + (get_n_least_significant_bits v_MONTGOMERY_SHIFT (cast (value <: i64) <: u64) <: u64) *! + Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + in + let k:i32 = cast (get_n_least_significant_bits v_MONTGOMERY_SHIFT t <: u64) <: i32 in + let k_times_modulus:i64 = + (cast (k <: i32) <: i64) *! (cast (Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) <: i64) + in + let c:i32 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in + let value_high:i32 = cast (value >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in + value_high -! c + +let montgomery_multiply_fe_by_fer (fe fer: i32) = + montgomery_reduce_element ((cast (fe <: i32) <: i64) *! (cast (fer <: i32) <: i64) <: i64) + +let decompose_element (v_GAMMA2 r: i32) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if + ~.((r >. (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (r <. 
Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 (sz 1) + (sz 1) + (let list = ["the representative is "] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + (let list = + [Core.Fmt.Rt.impl_1__new_display #i32 r <: Core.Fmt.Rt.t_Argument] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + Core.Fmt.t_Arguments) + <: + Rust_primitives.Hax.t_Never) + in + () + in + let r:i32 = r +! ((r >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in + let v_ALPHA:i32 = v_GAMMA2 *! 2l in + let ceil_of_r_by_128_:i32 = (r +! 127l <: i32) >>! 7l in + let r1:i32 = + match v_ALPHA with + | 190464l -> + let result:i32 = + ((ceil_of_r_by_128_ *! 11275l <: i32) +! (1l <>! 24l + in + (result ^. ((43l -! result <: i32) >>! 31l <: i32) <: i32) &. result + | 523776l -> + let result:i32 = + ((ceil_of_r_by_128_ *! 1025l <: i32) +! (1l <>! 22l + in + result &. 15l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let r0:i32 = r -! (r1 *! v_ALPHA <: i32) in + let r0:i32 = + r0 -! + (((((Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS -! 1l <: i32) /! 2l <: i32) -! r0 <: i32) >>! + 31l + <: + i32) &. + Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + <: + i32) + in + r0, r1 <: (i32 & i32) + +let power2round_element (t: i32) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if + ~.((t >. (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (t <. 
Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 (sz 1) + (sz 1) + (let list = ["t is "] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + (let list = + [Core.Fmt.Rt.impl_1__new_display #i32 t <: Core.Fmt.Rt.t_Argument] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + Core.Fmt.t_Arguments) + <: + Rust_primitives.Hax.t_Never) + in + () + in + let t:i32 = t +! ((t >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in + let t1:i32 = + ((t -! 1l <: i32) +! + (1l <>! + Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T + in + let t0:i32 = t -! (t1 < + if r0 >. 0l + then if r1 =. 43l then 0l else r1 +! hint + else if r1 =. 0l then 43l else r1 -! hint + | 261888l -> if r0 >. 0l then (r1 +! hint <: i32) &. 15l else (r1 -! hint <: i32) &. 15l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never)) + <: + Core.Ops.Control_flow.t_ControlFlow i32 i32) + +let infinity_norm_exceeds (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) (bound: i32) = + let exceeds:bool = false in + let exceeds:bool = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Array.Iter.t_IntoIter + i32 (sz 8)) + #FStar.Tactics.Typeclasses.solve + (Core.Iter.Traits.Collect.f_into_iter #(t_Array i32 (sz 8)) + #FStar.Tactics.Typeclasses.solve + simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients + <: + Core.Array.Iter.t_IntoIter i32 (sz 8)) + <: + Core.Array.Iter.t_IntoIter i32 (sz 8)) + exceeds + (fun exceeds coefficient -> + let exceeds:bool = exceeds in + let coefficient:i32 = coefficient in + let _:Prims.unit = + if true + then + let _:Prims.unit = + if + ~.((coefficient >. 
+ (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (coefficient <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 + (sz 1) + (sz 1) + (let list = ["coefficient is "] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + (let list = + [ + Core.Fmt.Rt.impl_1__new_display #i32 coefficient + <: + Core.Fmt.Rt.t_Argument + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + Core.Fmt.t_Arguments) + <: + Rust_primitives.Hax.t_Never) + in + () + in + let sign:i32 = coefficient >>! 31l in + let normalized:i32 = coefficient -! (sign &. (2l *! coefficient <: i32) <: i32) in + let exceeds:bool = exceeds |. (normalized >=. bound <: bool) in + exceeds) + in + exceeds + +let montgomery_multiply_by_constant + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (c: i32) + = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + <: + usize) + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit i -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let i:usize = i in + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + i + (montgomery_reduce_element ((cast (simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] + <: + i32) + <: + i64) *! 
+ (cast (c <: i32) <: i64) + <: + i64) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + in + simd_unit + +let add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + let sum:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let sum:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 (sum.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + <: + usize) + (fun sum temp_1_ -> + let sum:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = sum in + let _:usize = temp_1_ in + true) + sum + (fun sum i -> + let sum:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = sum in + let i:usize = i in + { + sum with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sum + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + i + ((lhs.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) +! 
+ (rhs.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + in + sum + +let compute_hint (v_GAMMA2: i32) (low high: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + let hint:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let one_hints_count:usize = sz 0 in + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 (hint.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + <: + usize) + (fun temp_0_ temp_1_ -> + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (hint, one_hints_count <: (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & usize)) + (fun temp_0_ i -> + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & usize) = + temp_0_ + in + let i:usize = i in + let hint:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + hint with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + i + (compute_one_hint v_GAMMA2 + (low.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) + (high.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let one_hints_count:usize = + one_hints_count +! 
+ (cast (hint.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) <: usize) + in + hint, one_hints_count <: (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & usize)) + in + one_hints_count, hint <: (usize & Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + +let decompose (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + let low:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let high:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let high, low:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 (low.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + <: + usize) + (fun temp_0_ temp_1_ -> + let high, low:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (high, low + <: + (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit)) + (fun temp_0_ i -> + let high, low:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + temp_0_ + in + let i:usize = i in + let low_part, high_part:(i32 & i32) = + decompose_element v_GAMMA2 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) + in + let low:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + low with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + i + low_part + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let 
high:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + high with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + i + high_part + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + high, low + <: + (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit)) + in + low, high + <: + (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + ) + +let montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + let product:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let product:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (product.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + <: + usize) + (fun product temp_1_ -> + let product:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = product in + let _:usize = temp_1_ in + true) + product + (fun product i -> + let product:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = product in + let i:usize = i in + { + product with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize product + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + i + (montgomery_reduce_element ((cast (lhs.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i + ] + <: + i32) + <: + i64) *! 
+ (cast (rhs.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) <: i64) + <: + i64) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + in + product + +let power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + Rust_primitives.Hax.Folds.fold_enumerated_slice simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (fun temp_0_ temp_1_ -> + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (t0_simd_unit, t1_simd_unit + <: + (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit)) + (fun temp_0_ temp_1_ -> + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + temp_0_ + in + let i, t:(usize & i32) = temp_1_ in + let t0, t1:(i32 & i32) = power2round_element t in + let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + t0_simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0_simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + i + t0 + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + t1_simd_unit with + 
Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1_simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + i + t1 + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + t0_simd_unit, t1_simd_unit + <: + (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit)) + in + t0_simd_unit, t1_simd_unit + <: + (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + ) + +let shift_left_then_reduce + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + = + let out:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let out:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + <: + usize) + (fun out temp_1_ -> + let out:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = out in + let _:usize = temp_1_ in + true) + out + (fun out i -> + let out:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = out in + let i:usize = i in + { + out with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + i + (reduce_element ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) < + let difference:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = difference in + let _:usize = temp_1_ in + true) + difference + (fun difference i -> + let difference:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = difference in + let i:usize = i in + { + difference with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize difference + 
.Libcrux_ml_dsa.Simd.Portable.f_coefficients + i + ((lhs.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) -! + (rhs.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + in + difference + +let use_hint (v_GAMMA2: i32) (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + let result:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let result:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 (result.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + <: + usize) + (fun result temp_1_ -> + let result:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = result in + let i:usize = i in + { + result with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + i + (use_one_hint v_GAMMA2 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) + (hint.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + in + result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti new file mode 100644 index 000000000..e03178018 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti 
@@ -0,0 +1,83 @@ +module Libcrux_ml_dsa.Simd.Portable.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable in + () + +let v_MONTGOMERY_SHIFT: u8 = 32uy + +val compute_one_hint (v_GAMMA2 low high: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val get_n_least_significant_bits (n: u8) (value: u64) + : Prims.Pure u64 Prims.l_True (fun _ -> Prims.l_True) + +val reduce_element (fe: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_reduce_element (value: i64) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_fe_by_fer (fe fer: i32) + : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val decompose_element (v_GAMMA2 r: i32) + : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) + +val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) + +val use_one_hint (v_GAMMA2 r hint: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val infinity_norm_exceeds (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) (bound: i32) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (c: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val compute_hint (v_GAMMA2: i32) (low high: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val decompose (v_GAMMA2: i32) (simd_unit: 
Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + : Prims.Pure + (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + : Prims.Pure + (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val shift_left_then_reduce + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val use_hint (v_GAMMA2: i32) (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst new file mode 100644 index 000000000..3f5d28ef9 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst 
@@ -0,0 +1,69 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 4uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in + let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + i + ((coefficient1 < + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in + let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in + let coefficient2:u8 = cast (coefficients.[ sz 2 ] <: i32) <: u8 in + let coefficient3:u8 = cast (coefficients.[ sz 3 ] <: i32) <: u8 in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized 
+ (sz 3 *! i <: usize) + ((coefficient1 <>! 2l <: u8) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 3 *! i <: usize) +! sz 2 <: usize) + ((coefficient3 <>! 4l <: u8) <: u8) + in + serialized) + in + serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti new file mode 100644 index 000000000..e69035f8d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti @@ -0,0 +1,7 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst new file mode 100644 index 000000000..12081c1e4 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst 
@@ -0,0 +1,339 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable in + () + +let serialize_when_eta_is_2_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let coefficient0:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 0 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient1:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 1 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient2:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 2 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient3:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 3 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient4:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 4 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient5:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 5 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient6:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 6 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient7:u8 = + cast (serialize_when_eta_is_2___ETA -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + <: + u8 + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 0) + (((coefficient2 <>! 2l <: u8) + <: + u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 2) + (((coefficient7 <>! 1l <: u8) + <: + u8) + in + serialized + +let serialize_when_eta_is_4_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:u8 = + cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 0 ] <: i32) <: i32) <: u8 + in + let coefficient1:u8 = + cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 1 ] <: i32) <: i32) <: u8 + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + i + ((coefficient1 < serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit + | 4uy -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let deserialize_when_eta_is_2_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. 
sz 3 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 0) + (deserialize_when_eta_is_2___ETA -! (byte0 &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 1) + (deserialize_when_eta_is_2___ETA -! ((byte0 >>! 3l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 2) + (deserialize_when_eta_is_2___ETA -! + (((byte0 >>! 6l <: i32) |. (byte1 <>! 1l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 4) + (deserialize_when_eta_is_2___ETA -! ((byte1 >>! 4l <: i32) &. 
7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 5) + (deserialize_when_eta_is_2___ETA -! + (((byte1 >>! 7l <: i32) |. (byte2 <>! 2l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 7) + (deserialize_when_eta_is_2___ETA -! ((byte2 >>! 5l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + simd_unit + +let deserialize_when_eta_is_4_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. 
sz 4 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_enumerated_slice serialized + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let i, byte:(usize & u8) = temp_1_ in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 2 *! i <: usize) + (deserialize_when_eta_is_4___ETA -! (cast (byte &. 15uy <: u8) <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + ((sz 2 *! i <: usize) +! sz 1 <: usize) + (deserialize_when_eta_is_4___ETA -! (cast (byte >>! 4l <: u8) <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + simd_unit) + in + simd_unit + +let deserialize (v_ETA: usize) (serialized: t_Slice u8) = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> deserialize_when_eta_is_2_ serialized + | 4uy -> deserialize_when_eta_is_4_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti new file mode 100644 index 000000000..4e5cab5bf --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti @@ -0,0 +1,46 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable in + () + +let deserialize_when_eta_is_2___ETA: i32 = 2l + +let deserialize_when_eta_is_4___ETA: i32 = 4l + +let serialize_when_eta_is_2___ETA: i32 = 2l + +let serialize_when_eta_is_4___ETA: i32 = 4l + +val serialize_when_eta_is_2_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_eta_is_4_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize_when_eta_is_2_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_when_eta_is_4_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize (v_ETA: usize) (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst new file mode 100644 index 000000000..437c5f633 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst 
@@ -0,0 +1,785 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable in + () + +let serialize_when_gamma1_is_2_pow_17_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 0 ] <: i32) + in + let coefficient1:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 1 ] <: i32) + in + let coefficient2:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 2 ] <: i32) + in + let coefficient3:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 3 ] <: i32) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 9 *! i <: usize) + (cast (coefficient0 <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 1 <: usize) + (cast (coefficient0 >>! 8l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! 
i <: usize) +! sz 2 <: usize) + (cast (coefficient0 >>! 16l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 2 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 2 <: usize ] <: u8) |. + (cast (coefficient1 <>! 6l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 4 <: usize) + (cast (coefficient1 >>! 14l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 4 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 4 <: usize ] <: u8) |. + (cast (coefficient2 <>! 4l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 6 <: usize) + (cast (coefficient2 >>! 12l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 6 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 6 <: usize ] <: u8) |. + (cast (coefficient3 <>! 2l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 8 <: usize) + (cast (coefficient3 >>! 
10l <: i32) <: u8) + in + serialized) + in + serialized + +let serialize_when_gamma1_is_2_pow_19_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:i32 = + serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 0 ] <: i32) + in + let coefficient1:i32 = + serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 1 ] <: i32) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 5 *! i <: usize) + (cast (coefficient0 <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 1 <: usize) + (cast (coefficient0 >>! 8l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + (cast (coefficient0 >>! 16l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + ((serialized.[ (sz 5 *! i <: usize) +! sz 2 <: usize ] <: u8) |. + (cast (coefficient1 <>! 4l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! 
sz 4 <: usize) + (cast (coefficient1 >>! 12l <: i32) <: u8) + in + serialized) + in + serialized + +let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 18uy -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit + | 20uy -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 18 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 9) + serialized + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 4 *! 
i <: usize) + (cast (bytes.[ sz 0 ] <: u8) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 4 *! i <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 4 *! i <: usize ] + <: + i32) |. + ((cast (bytes.[ sz 1 ] <: u8) <: i32) <>! 2l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + ((sz 4 *! i <: usize) +! sz 1 <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (sz 4 *! i <: usize) +! + sz 1 + <: + usize ] + <: + i32) |. + ((cast (bytes.[ sz 3 ] <: u8) <: i32) <>! 4l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + ((sz 4 *! i <: usize) +! sz 2 <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (sz 4 *! i <: usize) +! + sz 2 + <: + usize ] + <: + i32) |. + ((cast (bytes.[ sz 5 ] <: u8) <: i32) <>! 6l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + ((sz 4 *! i <: usize) +! 
sz 3 <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (sz 4 *! i <: usize) +! + sz 3 + <: + usize ] + <: + i32) |. + ((cast (bytes.[ sz 7 ] <: u8) <: i32) < + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 2 *! i <: usize) + (cast (bytes.[ sz 0 ] <: u8) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 2 *! i <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 2 *! i <: usize ] + <: + i32) |. + ((cast (bytes.[ sz 1 ] <: u8) <: i32) <>! 4l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + ((sz 2 *! i <: usize) +! sz 1 <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (sz 2 *! i <: usize) +! + sz 1 + <: + usize ] + <: + i32) |. 
+ ((cast (bytes.[ sz 3 ] <: u8) <: i32) < deserialize_when_gamma1_is_2_pow_17_ serialized + | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti new file mode 100644 index 000000000..65011b702 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti @@ -0,0 +1,52 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable in + () + +let deserialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True) + +val serialize_when_gamma1_is_2_pow_19_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst new file mode 100644 index 000000000..76175527e --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst 
@@ -0,0 +1,714 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.T0 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable in + () + +let change_t0_interval (t0: i32) = + (1l <>! 8l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 1) + ((serialized.[ sz 1 ] <: u8) |. (cast (coefficient1 <>! 3l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 3) + (cast (coefficient1 >>! 11l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 3) + ((serialized.[ sz 3 ] <: u8) |. (cast (coefficient2 <>! 6l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 4) + ((serialized.[ sz 4 ] <: u8) |. (cast (coefficient3 <>! 1l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 6) + (cast (coefficient3 >>! 9l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 6) + ((serialized.[ sz 6 ] <: u8) |. (cast (coefficient4 <>! 4l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 8) + (cast (coefficient4 >>! 12l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 8) + ((serialized.[ sz 8 ] <: u8) |. (cast (coefficient5 <>! 
7l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 9) + ((serialized.[ sz 9 ] <: u8) |. (cast (coefficient6 <>! 2l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 11) + (cast (coefficient6 >>! 10l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 11) + ((serialized.[ sz 11 ] <: u8) |. (cast (coefficient7 <>! 5l <: i32) <: u8) + in + serialized + +let deserialize (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 13 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in + let byte3:i32 = cast (serialized.[ sz 3 ] <: u8) <: i32 in + let byte4:i32 = cast (serialized.[ sz 4 ] <: u8) <: i32 in + let byte5:i32 = cast (serialized.[ sz 5 ] <: u8) <: i32 in + let byte6:i32 = cast (serialized.[ sz 6 ] <: u8) <: i32 in + let byte7:i32 = cast (serialized.[ sz 7 ] <: u8) <: i32 in + let byte8:i32 = cast (serialized.[ sz 8 ] <: u8) <: i32 in + let byte9:i32 = cast (serialized.[ sz 9 ] <: u8) <: i32 in + let byte10:i32 = cast (serialized.[ sz 10 ] <: u8) <: i32 in + let byte11:i32 = cast (serialized.[ sz 11 ] <: u8) <: i32 in + let byte12:i32 = cast (serialized.[ sz 12 ] <: u8) <: i32 in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 0) + byte0 + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 0 ] <: i32) |. + (byte1 <>! 5l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 1 ] <: i32) |. + (byte2 <>! 2l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 2 ] <: i32) |. + (byte4 <>! 7l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 3 ] <: i32) |. + (byte5 <>! 
4l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 4 ] <: i32) |. + (byte7 <>! 1l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 5 ] <: i32) |. + (byte9 <>! 6l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 6 ] <: i32) |. + (byte10 <>! 3l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 7 ] <: i32) |. + (byte12 < Prims.l_True) + +let deserialize__BITS_IN_LOWER_PART_OF_T_MASK: i32 = + (1l < Prims.l_True) + +val deserialize (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst new file mode 100644 index 000000000..8b5aff04a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst 
@@ -0,0 +1,148 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable in + () + +let serialize (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + let serialized:t_Array u8 (sz 10) = Rust_primitives.Hax.repeat 0uy (sz 10) in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 10) = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 10) = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 5 *! i <: usize) + (cast ((coefficients.[ sz 0 ] <: i32) &. 255l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 1 <: usize) + (((cast ((coefficients.[ sz 1 ] <: i32) &. 63l <: i32) <: u8) <>! 8l <: i32) &. 3l <: i32) <: u8) + <: + u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + (((cast ((coefficients.[ sz 2 ] <: i32) &. 15l <: i32) <: u8) <>! 6l <: i32) &. 15l <: i32) <: u8) + <: + u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 3 <: usize) + (((cast ((coefficients.[ sz 3 ] <: i32) &. 3l <: i32) <: u8) <>! 4l <: i32) &. 
63l <: i32) <: u8) + <: + u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 4 <: usize) + (cast (((coefficients.[ sz 3 ] <: i32) >>! 2l <: i32) &. 255l <: i32) <: u8) + in + serialized) + in + serialized + +let deserialize (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 10 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let mask:i32 = (1l < + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let byte0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in + let byte3:i32 = cast (bytes.[ sz 3 ] <: u8) <: i32 in + let byte4:i32 = cast (bytes.[ sz 4 ] <: u8) <: i32 in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 4 *! i <: usize) + ((byte0 |. (byte1 <>! 2l <: i32) |. (byte2 <>! 4l <: i32) |. (byte3 <>! 6l <: i32) |. (byte4 < Prims.l_True) + +val deserialize (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst new file mode 100644 index 000000000..d53cf3147 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst 
@@ -0,0 +1,843 @@ +module Libcrux_ml_dsa.Simd.Portable.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let invert_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 1 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 0 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 1 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 1) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 3 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 2 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 2 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 3 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 3) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 5 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 4 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 4 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 5 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 5) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta2 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 7 ] <: i32) -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 6 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 6 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta3 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + simd_unit + +let invert_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (zeta0 zeta1: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 2 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 0 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 2 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 2) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 3 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 1 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 1 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 3 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 3) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 6 ] <: i32) -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 4 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 4 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 6 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 6) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 5 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 5 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + simd_unit + +let invert_ntt_at_layer_2_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) (zeta: i32) = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 4 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 0 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 4 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 4) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 5 ] <: i32) -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 1 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 1 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 5 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 5) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 6 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 2 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 2 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 6 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 6) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 3 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 3 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + simd_unit + +let ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + = + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 1 ] + <: + i32) + zeta0 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 0 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 0 ] <: i32) +! 
t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 3 ] + <: + i32) + zeta1 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 2 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 2 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 5 ] + <: + i32) + zeta2 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 4 ] <: i32) -! 
t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 4 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 7 ] + <: + i32) + zeta3 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 6 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 6 ] <: i32) +! 
t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + simd_unit + +let ntt_at_layer_1_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) (zeta1 zeta2: i32) = + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 2 ] + <: + i32) + zeta1 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 0 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 0 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 3 ] + <: + i32) + zeta1 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 1 ] <: i32) -! 
t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 1 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 6 ] + <: + i32) + zeta2 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 4 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 4 ] <: i32) +! 
t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 7 ] + <: + i32) + zeta2 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 5 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 5 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + simd_unit + +let ntt_at_layer_2_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) (zeta: i32) = + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 4 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 0 ] <: i32) -! 
t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 0 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 5 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 1 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 1 ] <: i32) +! 
t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 6 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 2 ] <: i32) -! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 2 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 7 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 3 ] <: i32) -! 
t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ sz 3 ] <: i32) +! t <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + in + simd_unit diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti new file mode 100644 index 000000000..aa19ed193 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti 
@@ -0,0 +1,40 @@ +module Libcrux_ml_dsa.Simd.Portable.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val invert_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (zeta0 zeta1: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_2_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_1_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) (zeta1 zeta2: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_2_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst new file mode 100644 index 000000000..25f533de9 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst 
@@ -0,0 +1,123 @@ +module Libcrux_ml_dsa.Simd.Portable.Sample +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (out: t_Slice i32) = + let sampled:usize = sz 0 in + let out, sampled:(t_Slice i32 & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) + #FStar.Tactics.Typeclasses.solve + randomness + <: + Core.Slice.Iter.t_Iter u8) + (out, sampled <: (t_Slice i32 & usize)) + (fun temp_0_ byte -> + let out, sampled:(t_Slice i32 & usize) = temp_0_ in + let byte:u8 = byte in + let try_0_:u8 = byte &. 15uy in + let try_1_:u8 = byte >>! 4l in + let out, sampled:(t_Slice i32 & usize) = + if try_0_ <. 15uy + then + let try_0_:i32 = cast (try_0_ <: u8) <: i32 in + let try_0_mod_5_:i32 = + try_0_ -! (((try_0_ *! 26l <: i32) >>! 7l <: i32) *! 5l <: i32) + in + let out:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + sampled + (2l -! try_0_mod_5_ <: i32) + in + let sampled:usize = sampled +! sz 1 in + out, sampled <: (t_Slice i32 & usize) + else out, sampled <: (t_Slice i32 & usize) + in + if try_1_ <. 15uy + then + let try_1_:i32 = cast (try_1_ <: u8) <: i32 in + let try_1_mod_5_:i32 = + try_1_ -! (((try_1_ *! 26l <: i32) >>! 7l <: i32) *! 5l <: i32) + in + let out:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + sampled + (2l -! try_1_mod_5_ <: i32) + in + let sampled:usize = sampled +! 
sz 1 in + out, sampled <: (t_Slice i32 & usize) + else out, sampled <: (t_Slice i32 & usize)) + in + let hax_temp_output:usize = sampled in + out, hax_temp_output <: (t_Slice i32 & usize) + +let rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Slice i32) = + let sampled:usize = sz 0 in + let out, sampled:(t_Slice i32 & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) + #FStar.Tactics.Typeclasses.solve + randomness + <: + Core.Slice.Iter.t_Iter u8) + (out, sampled <: (t_Slice i32 & usize)) + (fun temp_0_ byte -> + let out, sampled:(t_Slice i32 & usize) = temp_0_ in + let byte:u8 = byte in + let try_0_:u8 = byte &. 15uy in + let try_1_:u8 = byte >>! 4l in + let out, sampled:(t_Slice i32 & usize) = + if try_0_ <. 9uy + then + let out:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + sampled + (4l -! (cast (try_0_ <: u8) <: i32) <: i32) + in + let sampled:usize = sampled +! sz 1 in + out, sampled <: (t_Slice i32 & usize) + else out, sampled <: (t_Slice i32 & usize) + in + if try_1_ <. 9uy + then + let out:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + sampled + (4l -! (cast (try_1_ <: u8) <: i32) <: i32) + in + let sampled:usize = sampled +! 
sz 1 in + out, sampled <: (t_Slice i32 & usize) + else out, sampled <: (t_Slice i32 & usize)) + in + let hax_temp_output:usize = sampled in + out, hax_temp_output <: (t_Slice i32 & usize) + +let rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (out: t_Slice i32) = + let sampled:usize = sz 0 in + let out, sampled:(t_Slice i32 & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 randomness (sz 3) <: Core.Slice.Iter.t_Chunks u8) + <: + Core.Slice.Iter.t_Chunks u8) + (out, sampled <: (t_Slice i32 & usize)) + (fun temp_0_ bytes -> + let out, sampled:(t_Slice i32 & usize) = temp_0_ in + let bytes:t_Slice u8 = bytes in + let b0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let b1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in + let b2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in + let coefficient:i32 = + (((b2 < Prims.l_True) + +val rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Slice i32) + : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (out: t_Slice i32) + : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti new file mode 100644 index 000000000..84eccd2c7 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti 
@@ -0,0 +1,347 @@ +module Libcrux_ml_dsa.Simd.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +type t_PortableSIMDUnit = { f_coefficients:t_Array i32 (sz 8) } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations t_PortableSIMDUnit = + { + _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; + _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; + f_ZERO_pre = (fun (_: Prims.unit) -> true); + f_ZERO_post = (fun (_: Prims.unit) (out: t_PortableSIMDUnit) -> true); + f_ZERO + = + (fun (_: Prims.unit) -> + { f_coefficients = Rust_primitives.Hax.repeat 0l (sz 8) } <: t_PortableSIMDUnit); + f_from_coefficient_array_pre = (fun (array: t_Slice i32) -> true); + f_from_coefficient_array_post = (fun (array: t_Slice i32) (out: t_PortableSIMDUnit) -> true); + f_from_coefficient_array + = + (fun (array: t_Slice i32) -> + { + f_coefficients + = + Core.Result.impl__unwrap #(t_Array i32 (sz 8)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice i32) + #(t_Array i32 (sz 8)) + #FStar.Tactics.Typeclasses.solve + (array.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + <: + Core.Result.t_Result (t_Array i32 (sz 8)) Core.Array.t_TryFromSliceError) + } + <: + t_PortableSIMDUnit); + f_to_coefficient_array_pre = (fun (self: t_PortableSIMDUnit) -> true); + f_to_coefficient_array_post = (fun (self: t_PortableSIMDUnit) (out: t_Array i32 (sz 8)) -> true); + f_to_coefficient_array + = + (fun (self: t_PortableSIMDUnit) -> + Core.Result.impl__unwrap #(t_Array i32 (sz 8)) + #Core.Convert.t_Infallible + (Core.Convert.f_try_into #(t_Array i32 (sz 8)) + #(t_Array i32 (sz 8)) + #FStar.Tactics.Typeclasses.solve + self.f_coefficients + <: + Core.Result.t_Result (t_Array i32 (sz 8)) Core.Convert.t_Infallible)); + f_add_pre = (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> true); + f_add_post + = + 
(fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) (out: t_PortableSIMDUnit) -> true); + f_add + = + (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.add lhs rhs); + f_subtract_pre = (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> true); + f_subtract_post + = + (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) (out: t_PortableSIMDUnit) -> true); + f_subtract + = + (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract lhs rhs); + f_montgomery_multiply_by_constant_pre = (fun (simd_unit: t_PortableSIMDUnit) (c: i32) -> true); + f_montgomery_multiply_by_constant_post + = + (fun (simd_unit: t_PortableSIMDUnit) (c: i32) (out: t_PortableSIMDUnit) -> true); + f_montgomery_multiply_by_constant + = + (fun (simd_unit: t_PortableSIMDUnit) (c: i32) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant simd_unit c); + f_montgomery_multiply_pre = (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> true); + f_montgomery_multiply_post + = + (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) (out: t_PortableSIMDUnit) -> true); + f_montgomery_multiply + = + (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply lhs rhs); + f_shift_left_then_reduce_pre = (fun (v_SHIFT_BY: i32) (simd_unit: t_PortableSIMDUnit) -> true); + f_shift_left_then_reduce_post + = + (fun (v_SHIFT_BY: i32) (simd_unit: t_PortableSIMDUnit) (out: t_PortableSIMDUnit) -> true); + f_shift_left_then_reduce + = + (fun (v_SHIFT_BY: i32) (simd_unit: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.shift_left_then_reduce v_SHIFT_BY simd_unit); + f_power2round_pre = (fun (simd_unit: t_PortableSIMDUnit) -> true); + f_power2round_post + = + (fun (simd_unit: t_PortableSIMDUnit) (out: (t_PortableSIMDUnit & t_PortableSIMDUnit)) -> true); + f_power2round + = + (fun (simd_unit: 
t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.power2round simd_unit); + f_infinity_norm_exceeds_pre = (fun (simd_unit: t_PortableSIMDUnit) (bound: i32) -> true); + f_infinity_norm_exceeds_post + = + (fun (simd_unit: t_PortableSIMDUnit) (bound: i32) (out: bool) -> true); + f_infinity_norm_exceeds + = + (fun (simd_unit: t_PortableSIMDUnit) (bound: i32) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.infinity_norm_exceeds simd_unit bound); + f_decompose_pre = (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) -> true); + f_decompose_post + = + (fun + (v_GAMMA2: i32) + (simd_unit: t_PortableSIMDUnit) + (out: (t_PortableSIMDUnit & t_PortableSIMDUnit)) + -> + true); + f_decompose + = + (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.decompose v_GAMMA2 simd_unit); + f_compute_hint_pre + = + (fun (v_GAMMA2: i32) (low: t_PortableSIMDUnit) (high: t_PortableSIMDUnit) -> true); + f_compute_hint_post + = + (fun + (v_GAMMA2: i32) + (low: t_PortableSIMDUnit) + (high: t_PortableSIMDUnit) + (out: (usize & t_PortableSIMDUnit)) + -> + true); + f_compute_hint + = + (fun (v_GAMMA2: i32) (low: t_PortableSIMDUnit) (high: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.compute_hint v_GAMMA2 low high); + f_use_hint_pre + = + (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) (hint: t_PortableSIMDUnit) -> true); + f_use_hint_post + = + (fun + (v_GAMMA2: i32) + (simd_unit: t_PortableSIMDUnit) + (hint: t_PortableSIMDUnit) + (out: t_PortableSIMDUnit) + -> + true); + f_use_hint + = + (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) (hint: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.use_hint v_GAMMA2 simd_unit hint); + f_rejection_sample_less_than_field_modulus_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_field_modulus_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + 
f_rejection_sample_less_than_field_modulus + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_field_modulus randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_2_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_2_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_2_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_2_ randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_4_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_4_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_4_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_4_ randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_gamma1_serialize_pre = (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> true); + f_gamma1_serialize_post + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> + true); + f_gamma1_serialize + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize 
v_OUTPUT_SIZE simd_unit); + f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); + f_gamma1_deserialize_post + = + (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); + f_gamma1_deserialize + = + (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized); + f_commitment_serialize_pre + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> true); + f_commitment_serialize_post + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> + true); + f_commitment_serialize + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.serialize v_OUTPUT_SIZE simd_unit); + f_error_serialize_pre = (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> true); + f_error_serialize_post + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> + true); + f_error_serialize + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize v_OUTPUT_SIZE simd_unit); + f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); + f_error_deserialize_post + = + (fun (v_ETA: usize) (serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); + f_error_deserialize + = + (fun (v_ETA: usize) (serialized: t_Slice u8) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Error.deserialize v_ETA serialized); + f_t0_serialize_pre = (fun (simd_unit: t_PortableSIMDUnit) -> true); + f_t0_serialize_post = (fun (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 (sz 13)) -> true); + f_t0_serialize + = + (fun (simd_unit: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.T0.serialize simd_unit); + f_t0_deserialize_pre = (fun (serialized: t_Slice u8) -> true); + f_t0_deserialize_post = (fun 
(serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); + f_t0_deserialize + = + (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T0.deserialize serialized + ); + f_t1_serialize_pre = (fun (simd_unit: t_PortableSIMDUnit) -> true); + f_t1_serialize_post = (fun (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 (sz 10)) -> true); + f_t1_serialize + = + (fun (simd_unit: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.T1.serialize simd_unit); + f_t1_deserialize_pre = (fun (serialized: t_Slice u8) -> true); + f_t1_deserialize_post = (fun (serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); + f_t1_deserialize + = + (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T1.deserialize serialized + ); + f_ntt_at_layer_0_pre + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> true + ); + f_ntt_at_layer_0_post + = + (fun + (simd_unit: t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + (out: t_PortableSIMDUnit) + -> + true); + f_ntt_at_layer_0_ + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> + Libcrux_ml_dsa.Simd.Portable.Ntt.ntt_at_layer_0_ simd_unit zeta0 zeta1 zeta2 zeta3); + f_ntt_at_layer_1_pre = (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) -> true); + f_ntt_at_layer_1_post + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (out: t_PortableSIMDUnit) -> true + ); + f_ntt_at_layer_1_ + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) -> + Libcrux_ml_dsa.Simd.Portable.Ntt.ntt_at_layer_1_ simd_unit zeta0 zeta1); + f_ntt_at_layer_2_pre = (fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) -> true); + f_ntt_at_layer_2_post + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) (out: t_PortableSIMDUnit) -> true); + f_ntt_at_layer_2_ + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) -> + Libcrux_ml_dsa.Simd.Portable.Ntt.ntt_at_layer_2_ 
simd_unit zeta); + f_invert_ntt_at_layer_0_pre + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> true + ); + f_invert_ntt_at_layer_0_post + = + (fun + (simd_unit: t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + (out: t_PortableSIMDUnit) + -> + true); + f_invert_ntt_at_layer_0_ + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> + Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_0_ simd_unit zeta0 zeta1 zeta2 zeta3); + f_invert_ntt_at_layer_1_pre + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) -> true); + f_invert_ntt_at_layer_1_post + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (out: t_PortableSIMDUnit) -> true + ); + f_invert_ntt_at_layer_1_ + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) -> + Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_1_ simd_unit zeta0 zeta1); + f_invert_ntt_at_layer_2_pre = (fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) -> true); + f_invert_ntt_at_layer_2_post + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) (out: t_PortableSIMDUnit) -> true); + f_invert_ntt_at_layer_2_ + = + fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) -> + Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_2_ simd_unit zeta + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fst new file mode 100644 index 000000000..5bf547714 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fst 
@@ -0,0 +1,11 @@ +module Libcrux_ml_dsa.Simd.Traits +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let montgomery_multiply_by_fer + (#v_S: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_S) + (simd_unit: v_S) + (fer: i32) + = f_montgomery_multiply_by_constant #v_S #FStar.Tactics.Typeclasses.solve simd_unit fer diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti new file mode 100644 index 000000000..4a600bef4 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti 
@@ -0,0 +1,196 @@ +module Libcrux_ml_dsa.Simd.Traits +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +class t_Operations (v_Self: Type0) = { + [@@@ FStar.Tactics.Typeclasses.no_method]_super_11581440318597584651:Core.Marker.t_Copy v_Self; + [@@@ FStar.Tactics.Typeclasses.no_method]_super_9442900250278684536:Core.Clone.t_Clone v_Self; + f_ZERO_pre:Prims.unit -> Type0; + f_ZERO_post:Prims.unit -> v_Self -> Type0; + f_ZERO:x0: Prims.unit -> Prims.Pure v_Self (f_ZERO_pre x0) (fun result -> f_ZERO_post x0 result); + f_from_coefficient_array_pre:t_Slice i32 -> Type0; + f_from_coefficient_array_post:t_Slice i32 -> v_Self -> Type0; + f_from_coefficient_array:x0: t_Slice i32 + -> Prims.Pure v_Self + (f_from_coefficient_array_pre x0) + (fun result -> f_from_coefficient_array_post x0 result); + f_to_coefficient_array_pre:v_Self -> Type0; + f_to_coefficient_array_post:v_Self -> t_Array i32 (sz 8) -> Type0; + f_to_coefficient_array:x0: v_Self + -> Prims.Pure (t_Array i32 (sz 8)) + (f_to_coefficient_array_pre x0) + (fun result -> f_to_coefficient_array_post x0 result); + f_add_pre:v_Self -> v_Self -> Type0; + f_add_post:v_Self -> v_Self -> v_Self -> Type0; + f_add:x0: v_Self -> x1: v_Self + -> Prims.Pure v_Self (f_add_pre x0 x1) (fun result -> f_add_post x0 x1 result); + f_subtract_pre:v_Self -> v_Self -> Type0; + f_subtract_post:v_Self -> v_Self -> v_Self -> Type0; + f_subtract:x0: v_Self -> x1: v_Self + -> Prims.Pure v_Self (f_subtract_pre x0 x1) (fun result -> f_subtract_post x0 x1 result); + f_infinity_norm_exceeds_pre:v_Self -> i32 -> Type0; + f_infinity_norm_exceeds_post:v_Self -> i32 -> bool -> Type0; + f_infinity_norm_exceeds:x0: v_Self -> x1: i32 + -> Prims.Pure bool + (f_infinity_norm_exceeds_pre x0 x1) + (fun result -> f_infinity_norm_exceeds_post x0 x1 result); + f_decompose_pre:v_GAMMA2: i32 -> v_Self -> Type0; + f_decompose_post:v_GAMMA2: i32 -> v_Self -> (v_Self & v_Self) -> Type0; + f_decompose:v_GAMMA2: i32 -> x0: v_Self + -> 
Prims.Pure (v_Self & v_Self) + (f_decompose_pre v_GAMMA2 x0) + (fun result -> f_decompose_post v_GAMMA2 x0 result); + f_compute_hint_pre:v_GAMMA2: i32 -> v_Self -> v_Self -> Type0; + f_compute_hint_post:v_GAMMA2: i32 -> v_Self -> v_Self -> (usize & v_Self) -> Type0; + f_compute_hint:v_GAMMA2: i32 -> x0: v_Self -> x1: v_Self + -> Prims.Pure (usize & v_Self) + (f_compute_hint_pre v_GAMMA2 x0 x1) + (fun result -> f_compute_hint_post v_GAMMA2 x0 x1 result); + f_use_hint_pre:v_GAMMA2: i32 -> v_Self -> v_Self -> Type0; + f_use_hint_post:v_GAMMA2: i32 -> v_Self -> v_Self -> v_Self -> Type0; + f_use_hint:v_GAMMA2: i32 -> x0: v_Self -> x1: v_Self + -> Prims.Pure v_Self + (f_use_hint_pre v_GAMMA2 x0 x1) + (fun result -> f_use_hint_post v_GAMMA2 x0 x1 result); + f_montgomery_multiply_pre:v_Self -> v_Self -> Type0; + f_montgomery_multiply_post:v_Self -> v_Self -> v_Self -> Type0; + f_montgomery_multiply:x0: v_Self -> x1: v_Self + -> Prims.Pure v_Self + (f_montgomery_multiply_pre x0 x1) + (fun result -> f_montgomery_multiply_post x0 x1 result); + f_montgomery_multiply_by_constant_pre:v_Self -> i32 -> Type0; + f_montgomery_multiply_by_constant_post:v_Self -> i32 -> v_Self -> Type0; + f_montgomery_multiply_by_constant:x0: v_Self -> x1: i32 + -> Prims.Pure v_Self + (f_montgomery_multiply_by_constant_pre x0 x1) + (fun result -> f_montgomery_multiply_by_constant_post x0 x1 result); + f_shift_left_then_reduce_pre:v_SHIFT_BY: i32 -> v_Self -> Type0; + f_shift_left_then_reduce_post:v_SHIFT_BY: i32 -> v_Self -> v_Self -> Type0; + f_shift_left_then_reduce:v_SHIFT_BY: i32 -> x0: v_Self + -> Prims.Pure v_Self + (f_shift_left_then_reduce_pre v_SHIFT_BY x0) + (fun result -> f_shift_left_then_reduce_post v_SHIFT_BY x0 result); + f_power2round_pre:v_Self -> Type0; + f_power2round_post:v_Self -> (v_Self & v_Self) -> Type0; + f_power2round:x0: v_Self + -> Prims.Pure (v_Self & v_Self) + (f_power2round_pre x0) + (fun result -> f_power2round_post x0 result); + 
f_rejection_sample_less_than_field_modulus_pre:t_Slice u8 -> t_Slice i32 -> Type0; + f_rejection_sample_less_than_field_modulus_post:t_Slice u8 -> t_Slice i32 -> (t_Slice i32 & usize) + -> Type0; + f_rejection_sample_less_than_field_modulus:x0: t_Slice u8 -> x1: t_Slice i32 + -> Prims.Pure (t_Slice i32 & usize) + (f_rejection_sample_less_than_field_modulus_pre x0 x1) + (fun result -> f_rejection_sample_less_than_field_modulus_post x0 x1 result); + f_rejection_sample_less_than_eta_equals_2_pre:t_Slice u8 -> t_Slice i32 -> Type0; + f_rejection_sample_less_than_eta_equals_2_post:t_Slice u8 -> t_Slice i32 -> (t_Slice i32 & usize) + -> Type0; + f_rejection_sample_less_than_eta_equals_2_:x0: t_Slice u8 -> x1: t_Slice i32 + -> Prims.Pure (t_Slice i32 & usize) + (f_rejection_sample_less_than_eta_equals_2_pre x0 x1) + (fun result -> f_rejection_sample_less_than_eta_equals_2_post x0 x1 result); + f_rejection_sample_less_than_eta_equals_4_pre:t_Slice u8 -> t_Slice i32 -> Type0; + f_rejection_sample_less_than_eta_equals_4_post:t_Slice u8 -> t_Slice i32 -> (t_Slice i32 & usize) + -> Type0; + f_rejection_sample_less_than_eta_equals_4_:x0: t_Slice u8 -> x1: t_Slice i32 + -> Prims.Pure (t_Slice i32 & usize) + (f_rejection_sample_less_than_eta_equals_4_pre x0 x1) + (fun result -> f_rejection_sample_less_than_eta_equals_4_post x0 x1 result); + f_gamma1_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0; + f_gamma1_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0; + f_gamma1_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self + -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE) + (f_gamma1_serialize_pre v_OUTPUT_SIZE x0) + (fun result -> f_gamma1_serialize_post v_OUTPUT_SIZE x0 result); + f_gamma1_deserialize_pre:v_GAMMA1_EXPONENT: usize -> t_Slice u8 -> Type0; + f_gamma1_deserialize_post:v_GAMMA1_EXPONENT: usize -> t_Slice u8 -> v_Self -> Type0; + f_gamma1_deserialize:v_GAMMA1_EXPONENT: usize -> x0: t_Slice u8 + -> Prims.Pure v_Self + (f_gamma1_deserialize_pre 
v_GAMMA1_EXPONENT x0) + (fun result -> f_gamma1_deserialize_post v_GAMMA1_EXPONENT x0 result); + f_commitment_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0; + f_commitment_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0; + f_commitment_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self + -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE) + (f_commitment_serialize_pre v_OUTPUT_SIZE x0) + (fun result -> f_commitment_serialize_post v_OUTPUT_SIZE x0 result); + f_error_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0; + f_error_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0; + f_error_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self + -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE) + (f_error_serialize_pre v_OUTPUT_SIZE x0) + (fun result -> f_error_serialize_post v_OUTPUT_SIZE x0 result); + f_error_deserialize_pre:v_ETA: usize -> t_Slice u8 -> Type0; + f_error_deserialize_post:v_ETA: usize -> t_Slice u8 -> v_Self -> Type0; + f_error_deserialize:v_ETA: usize -> x0: t_Slice u8 + -> Prims.Pure v_Self + (f_error_deserialize_pre v_ETA x0) + (fun result -> f_error_deserialize_post v_ETA x0 result); + f_t0_serialize_pre:v_Self -> Type0; + f_t0_serialize_post:v_Self -> t_Array u8 (sz 13) -> Type0; + f_t0_serialize:x0: v_Self + -> Prims.Pure (t_Array u8 (sz 13)) + (f_t0_serialize_pre x0) + (fun result -> f_t0_serialize_post x0 result); + f_t0_deserialize_pre:t_Slice u8 -> Type0; + f_t0_deserialize_post:t_Slice u8 -> v_Self -> Type0; + f_t0_deserialize:x0: t_Slice u8 + -> Prims.Pure v_Self (f_t0_deserialize_pre x0) (fun result -> f_t0_deserialize_post x0 result); + f_t1_serialize_pre:v_Self -> Type0; + f_t1_serialize_post:v_Self -> t_Array u8 (sz 10) -> Type0; + f_t1_serialize:x0: v_Self + -> Prims.Pure (t_Array u8 (sz 10)) + (f_t1_serialize_pre x0) + (fun result -> f_t1_serialize_post x0 result); + f_t1_deserialize_pre:t_Slice u8 -> Type0; + f_t1_deserialize_post:t_Slice u8 -> v_Self -> Type0; + f_t1_deserialize:x0: 
t_Slice u8
+ -> Prims.Pure v_Self (f_t1_deserialize_pre x0) (fun result -> f_t1_deserialize_post x0 result);
+ f_ntt_at_layer_0_pre:v_Self -> i32 -> i32 -> i32 -> i32 -> Type0;
+ f_ntt_at_layer_0_post:v_Self -> i32 -> i32 -> i32 -> i32 -> v_Self -> Type0;
+ f_ntt_at_layer_0_:x0: v_Self -> x1: i32 -> x2: i32 -> x3: i32 -> x4: i32
+ -> Prims.Pure v_Self
+ (f_ntt_at_layer_0_pre x0 x1 x2 x3 x4)
+ (fun result -> f_ntt_at_layer_0_post x0 x1 x2 x3 x4 result);
+ f_ntt_at_layer_1_pre:v_Self -> i32 -> i32 -> Type0;
+ f_ntt_at_layer_1_post:v_Self -> i32 -> i32 -> v_Self -> Type0;
+ f_ntt_at_layer_1_:x0: v_Self -> x1: i32 -> x2: i32
+ -> Prims.Pure v_Self
+ (f_ntt_at_layer_1_pre x0 x1 x2)
+ (fun result -> f_ntt_at_layer_1_post x0 x1 x2 result);
+ f_ntt_at_layer_2_pre:v_Self -> i32 -> Type0;
+ f_ntt_at_layer_2_post:v_Self -> i32 -> v_Self -> Type0;
+ f_ntt_at_layer_2_:x0: v_Self -> x1: i32
+ -> Prims.Pure v_Self
+ (f_ntt_at_layer_2_pre x0 x1)
+ (fun result -> f_ntt_at_layer_2_post x0 x1 result);
+ f_invert_ntt_at_layer_0_pre:v_Self -> i32 -> i32 -> i32 -> i32 -> Type0;
+ f_invert_ntt_at_layer_0_post:v_Self -> i32 -> i32 -> i32 -> i32 -> v_Self -> Type0;
+ f_invert_ntt_at_layer_0_:x0: v_Self -> x1: i32 -> x2: i32 -> x3: i32 -> x4: i32
+ -> Prims.Pure v_Self
+ (f_invert_ntt_at_layer_0_pre x0 x1 x2 x3 x4)
+ (fun result -> f_invert_ntt_at_layer_0_post x0 x1 x2 x3 x4 result);
+ f_invert_ntt_at_layer_1_pre:v_Self -> i32 -> i32 -> Type0;
+ f_invert_ntt_at_layer_1_post:v_Self -> i32 -> i32 -> v_Self -> Type0;
+ f_invert_ntt_at_layer_1_:x0: v_Self -> x1: i32 -> x2: i32
+ -> Prims.Pure v_Self
+ (f_invert_ntt_at_layer_1_pre x0 x1 x2)
+ (fun result -> f_invert_ntt_at_layer_1_post x0 x1 x2 result);
+ f_invert_ntt_at_layer_2_pre:v_Self -> i32 -> Type0;
+ f_invert_ntt_at_layer_2_post:v_Self -> i32 -> v_Self -> Type0;
+ f_invert_ntt_at_layer_2_:x0: v_Self -> x1: i32
+ -> Prims.Pure v_Self
+ (f_invert_ntt_at_layer_2_pre x0 x1)
+ (fun result -> f_invert_ntt_at_layer_2_post x0 x1 result)
+}
+
+let v_COEFFICIENTS_IN_SIMD_UNIT: usize = sz 8
+
+let v_FIELD_MODULUS: i32 = 8380417l
+
+let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL
+
+val montgomery_multiply_by_fer (#v_S: Type0) {| i1: t_Operations v_S |} (simd_unit: v_S) (fer: i32)
+ : Prims.Pure v_S Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst
new file mode 100644
index 000000000..26d5eefaf
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst
@@ -0,0 +1,16 @@
+module Libcrux_ml_dsa.Types
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let impl__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+
+let impl_2__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+
+let impl_4__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE
+
+let impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self._0 <: t_Slice u8
+
+let impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self._0 <: t_Slice u8
+
+let impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = self._0 <: t_Slice u8
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti
new file mode 100644
index 000000000..9ad1e315d
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti
@@ -0,0 +1,45 @@
+module Libcrux_ml_dsa.Types
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+/// The number of bytes
+val impl__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
+
+/// The number of bytes
+val impl_2__len: v_SIZE: usize -> Prims.unit
+ -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
+
+/// The number of bytes
+val impl_4__len: v_SIZE: usize -> Prims.unit
+ -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
+
+///An ML-DSA signature.
+type t_MLDSASignature (v_SIZE: usize) =
+ | MLDSASignature : t_Array u8 v_SIZE -> t_MLDSASignature v_SIZE
+
+/// A reference to the raw byte slice.
+val impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+///An ML-DSA signature key.
+type t_MLDSASigningKey (v_SIZE: usize) =
+ | MLDSASigningKey : t_Array u8 v_SIZE -> t_MLDSASigningKey v_SIZE
+
+/// A reference to the raw byte slice.
+val impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+///An ML-DSA verification key.
+type t_MLDSAVerificationKey (v_SIZE: usize) =
+ | MLDSAVerificationKey : t_Array u8 v_SIZE -> t_MLDSAVerificationKey v_SIZE
+
+/// A reference to the raw byte slice.
+val impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
+
+/// An ML-DSA key pair.
+type t_MLDSAKeyPair (v_VERIFICATION_KEY_SIZE: usize) (v_SIGNING_KEY_SIZE: usize) = {
+ f_signing_key:t_MLDSASigningKey v_SIGNING_KEY_SIZE;
+ f_verification_key:t_MLDSAVerificationKey v_VERIFICATION_KEY_SIZE
+}
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst
new file mode 100644
index 000000000..82aa84965
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst
@@ -0,0 +1,37 @@
+module Libcrux_ml_dsa.Utils
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+let into_padded_array (v_LEN: usize) (slice: t_Slice u8) =
+ let _:Prims.unit =
+ if true
+ then
+ let _:Prims.unit =
+ Hax_lib.v_assert ((Core.Slice.impl__len #u8 slice <: usize) <=. v_LEN <: bool)
+ in
+ ()
+ in
+ let out:t_Array u8 v_LEN = Rust_primitives.Hax.repeat 0uy v_LEN in
+ let out:t_Array u8 v_LEN =
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_range out
+ ({
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize)
+ (Core.Slice.impl__copy_from_slice #u8
+ (out.[ {
+ Core.Ops.Range.f_start = sz 0;
+ Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize
+ }
+ <:
+ Core.Ops.Range.t_Range usize ]
+ <:
+ t_Slice u8)
+ slice
+ <:
+ t_Slice u8)
+ in
+ out
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fsti
new file mode 100644
index 000000000..112de368e
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fsti
@@ -0,0 +1,8 @@
+module Libcrux_ml_dsa.Utils
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+open Core
+open FStar.Mul
+
+/// Pad the `slice` with `0`s at the end.
+val into_padded_array (v_LEN: usize) (slice: t_Slice u8)
+ : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Makefile b/libcrux-ml-dsa/proofs/fstar/extraction/Makefile
new file mode 100644
index 000000000..4f7a001a8
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Makefile
@@ -0,0 +1,3 @@
+SLOW_MODULES +=
+ADMIT_MODULES =
+include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph b/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph
new file mode 100644
index 000000000..4f0f1efe3
--- /dev/null
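Review bot: The `include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base` line in the new Makefile silently degrades when `git` is absent or the tree is not a checkout (a source tarball or a shallow CI export): the shell call expands to the empty string, so make looks for `/fstar-helpers/Makefile.base` and fails with a misleading missing-file error rather than saying what is actually wrong. If this mirrors the other crates' proof Makefiles, keeping it for consistency is reasonable, but a path anchored to the Makefile itself would work in both situations, e.g. `include $(dir $(lastword $(MAKEFILE_LIST)))../../../../fstar-helpers/Makefile.base` (assuming `fstar-helpers/` lives at the repository root, which the current line implies). Worth noting as well that `ADMIT_MODULES =` being left empty is the right default for a proof tree; a comment such as `# Keep empty: every extracted module must verify, nothing is admitted.` would stop a later "temporary" addition from going unnoticed.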
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph 
@@ -0,0 +1,3894 @@ +digraph { + "fstar_reflection_const" -> "fstar_pervasives" + "fstar_reflection_const" -> "fstar_pervasives" + "fstar_reflection_const" -> "prims" + "fstar_reflection_const" -> "prims" + "rust_primitives_hax_folds" -> "fstar_math_lemmas" + "rust_primitives_hax_folds" -> "fstar_math_lemmas" + "rust_primitives_hax_folds" -> "lib_inttypes" + "rust_primitives_hax_folds" -> "lib_inttypes" + "rust_primitives_hax_folds" -> "fstar_seq" + "rust_primitives_hax_folds" -> "fstar_seq" + "rust_primitives_hax_folds" -> "fstar_mul" + "rust_primitives_hax_folds" -> "fstar_mul" + "rust_primitives_hax_folds" -> "core_ops_range" + "rust_primitives_hax_folds" -> "rust_primitives" + "rust_primitives_hax_folds" -> "rust_primitives" + "rust_primitives_hax_folds" -> "fstar_pervasives" + "rust_primitives_hax_folds" -> "fstar_pervasives" + "rust_primitives_hax_folds" -> "prims" + "rust_primitives_hax_folds" -> "prims" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "core_result" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "prims" + "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ntt" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_ntt" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives_native" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives_native" + "libcrux_ml_dsa_ntt" -> "core_slice" + "libcrux_ml_dsa_ntt" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ntt" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ntt" -> 
"fstar_tactics_typeclasses" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ntt" -> "fstar_mul" + "libcrux_ml_dsa_ntt" -> "fstar_mul" + "libcrux_ml_dsa_ntt" -> "core" + "libcrux_ml_dsa_ntt" -> "core" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_ntt" -> "prims" + "libcrux_ml_dsa_ntt" -> "prims" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_ntt" + "libcrux_sha3_portable" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_portable" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "prims" + "libcrux_sha3_portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44_" -> "core" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44_" -> "prims" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_ml_dsa_44_" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "prims" + "fstar_functionalextensionality" -> "prims" + "fstar_bitvector" -> "fstar_seq" + "fstar_bitvector" -> "fstar_seq" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "prims" + "fstar_bitvector" -> "prims" + "fstar_bitvector" -> "fstar_bitvector" + "fstar_sealed_inhabited" -> "fstar_sealed" + "fstar_sealed_inhabited" -> "fstar_pervasives" + 
"fstar_sealed_inhabited" -> "fstar_pervasives" + "fstar_sealed_inhabited" -> "prims" + "fstar_sealed_inhabited" -> "prims" + "core" -> "core_ops" + "core" -> "core_ops" + "core" -> "core_iter" + "core" -> "core_num" + "core" -> "rust_primitives" + "core" -> "rust_primitives" + "core" -> "fstar_pervasives" + "core" -> "fstar_pervasives" + "core" -> "prims" + "core" -> "prims" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_generic_keccak" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" + "fstar_reflection_v1_derived" -> "fstar_list_tot_base" + "fstar_reflection_v1_derived" -> "fstar_list_tot_base" + "fstar_reflection_v1_derived" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived" -> "fstar_vconfig" + "fstar_reflection_v1_derived" -> "fstar_order" + "fstar_reflection_v1_derived" -> "fstar_order" + "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_builtins" + 
"fstar_reflection_v1_derived" -> "fstar_reflection_const" + "fstar_reflection_v1_derived" -> "fstar_reflection_const" + "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1_derived" -> "fstar_pervasives" + "fstar_reflection_v1_derived" -> "fstar_pervasives" + "fstar_reflection_v1_derived" -> "prims" + "fstar_reflection_v1_derived" -> "prims" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_logic" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1" + "fstar_tactics_v1_logic" -> "fstar_tactics_effect" + "fstar_tactics_v1_logic" -> "fstar_tactics_effect" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "prims" + "fstar_tactics_v1_logic" -> "prims" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "prims" + "fstar_uint8" -> "prims" + "fstar_tactics_bv" -> "fstar_pervasives_native" + "fstar_tactics_bv" -> "fstar_pervasives_native" + "fstar_tactics_bv" -> "fstar_tactics_bv_lemmas" + "fstar_tactics_bv" -> "fstar_tactics_bv_lemmas" + "fstar_tactics_bv" -> "fstar_uint" + "fstar_tactics_bv" -> "fstar_uint" + "fstar_tactics_bv" -> "fstar_bv" + "fstar_tactics_bv" -> "fstar_bv" + "fstar_tactics_bv" -> "fstar_reflection_v2_arith" + "fstar_tactics_bv" -> 
"fstar_reflection_v2_arith" + "fstar_tactics_bv" -> "fstar_reflection_v2_formula" + "fstar_tactics_bv" -> "fstar_reflection_v2_formula" + "fstar_tactics_bv" -> "fstar_tactics_v2" + "fstar_tactics_bv" -> "fstar_tactics_v2" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "prims" + "fstar_tactics_bv" -> "prims" + "fstar_tactics_bv" -> "fstar_tactics_bv" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int64" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_ml_dsa_simd_avx2_encoding_t0" + "core_iter" -> "rust_primitives_arrays" + "core_iter" -> "rust_primitives_arrays" + "core_iter" -> "core_ops_range" + "core_iter" -> "core_iter_adapters_step_by" + "core_iter" -> "core_iter_adapters_step_by" + "core_iter" -> "fstar_pervasives_native" + 
"core_iter" -> "fstar_pervasives_native" + "core_iter" -> "core_ops" + "core_iter" -> "core_ops" + "core_iter" -> "fstar_tactics_typeclasses" + "core_iter" -> "fstar_tactics_typeclasses" + "core_iter" -> "core_iter_adapters_enumerate" + "core_iter" -> "core_iter_adapters_enumerate" + "core_iter" -> "core_iter_traits_iterator" + "core_iter" -> "core_iter_traits_iterator" + "core_iter" -> "rust_primitives" + "core_iter" -> "rust_primitives" + "core_iter" -> "fstar_pervasives" + "core_iter" -> "fstar_pervasives" + "core_iter" -> "prims" + "core_iter" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_num" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_ml_dsa_generic" + 
"libcrux_ml_dsa_ml_dsa_87__avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "prims" + "fstar_seq" -> "fstar_seq_properties" + "fstar_seq" -> "fstar_seq_properties" + "fstar_seq" -> "fstar_seq_base" + "fstar_seq" -> "fstar_seq_base" + "fstar_seq" -> "fstar_pervasives" + "fstar_seq" -> "fstar_pervasives" + "fstar_seq" -> "prims" + "fstar_seq" -> "prims" + "fstar_int64" -> "fstar_uint" + "fstar_int64" -> "fstar_uint" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "prims" + "fstar_int64" -> "prims" + "fstar_tactics_bv_lemmas" -> "fstar_uint" + "fstar_tactics_bv_lemmas" -> "fstar_uint" + "fstar_tactics_bv_lemmas" -> "fstar_bv" + "fstar_tactics_bv_lemmas" -> "fstar_bv" + "fstar_tactics_bv_lemmas" -> "fstar_pervasives" + "fstar_tactics_bv_lemmas" -> "fstar_pervasives" + "fstar_tactics_bv_lemmas" -> "prims" + "fstar_tactics_bv_lemmas" -> "prims" + "libcrux_sha3_generic_keccak" -> "fstar_tactics_typeclasses" + "libcrux_sha3_generic_keccak" -> "fstar_tactics_typeclasses" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_generic_keccak" -> "prims" + "fstar_uint" -> "fstar_seq_base" + "fstar_uint" -> "fstar_seq_base" + 
"fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "prims" + "fstar_uint" -> "prims" + "fstar_math_lib" -> "fstar_mul" + "fstar_math_lib" -> "fstar_mul" + "fstar_math_lib" -> "fstar_pervasives" + "fstar_math_lib" -> "fstar_pervasives" + "fstar_math_lib" -> "prims" + "fstar_math_lib" -> "prims" + "fstar_reflection_v2_arith" -> "fstar_classical" + "fstar_reflection_v2_arith" -> "fstar_classical" + "fstar_reflection_v2_arith" -> "fstar_list_tot" + "fstar_reflection_v2_arith" -> "fstar_list_tot" + "fstar_reflection_v2_arith" -> "fstar_pervasives_native" + "fstar_reflection_v2_arith" -> "fstar_pervasives_native" + "fstar_reflection_v2_arith" -> "fstar_list_tot_base" + "fstar_reflection_v2_arith" -> "fstar_list_tot_base" + "fstar_reflection_v2_arith" -> "fstar_order" + "fstar_reflection_v2_arith" -> "fstar_order" + "fstar_reflection_v2_arith" -> "fstar_reflection_v2" + "fstar_reflection_v2_arith" -> "fstar_reflection_v2" + "fstar_reflection_v2_arith" -> "fstar_tactics_v2" + "fstar_reflection_v2_arith" -> "fstar_tactics_v2" + "fstar_reflection_v2_arith" -> "fstar_pervasives" + "fstar_reflection_v2_arith" -> "fstar_pervasives" + "fstar_reflection_v2_arith" -> "prims" + "fstar_reflection_v2_arith" -> "prims" + "lib_sequence" -> "fstar_pervasives_native" + "lib_sequence" -> "fstar_math_lemmas" + "lib_sequence" -> "lib_loopcombinators" + "lib_sequence" -> "fstar_list_tot" + "lib_sequence" -> "fstar_seq" + "lib_sequence" -> "lib_inttypes" + "lib_sequence" -> "fstar_mul" + "lib_sequence" -> "fstar_pervasives" + "lib_sequence" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "prims" 
+ "libcrux_intrinsics_avx2_extract" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_65_" -> "core_result" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65_" -> "core" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65_" -> "prims" + "core_ops_arith" -> "fstar_tactics_typeclasses" + "core_ops_arith" -> "fstar_tactics_typeclasses" + "core_ops_arith" -> "rust_primitives" + "core_ops_arith" -> "rust_primitives" + "core_ops_arith" -> "fstar_pervasives" + "core_ops_arith" -> "fstar_pervasives" + "core_ops_arith" -> "prims" + "core_ops_arith" -> "prims" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87_" -> "core" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87_" -> "prims" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_ml_dsa_87_" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_gamma1" -> "core" + "libcrux_ml_dsa_encoding_gamma1" -> "core" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives" + 
"libcrux_ml_dsa_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_encoding_gamma1" -> "prims" + "libcrux_platform_platform" -> "fstar_mul" + "libcrux_platform_platform" -> "core" + "libcrux_platform_platform" -> "fstar_pervasives" + "libcrux_platform_platform" -> "prims" + "core_result" -> "fstar_pervasives" + "core_result" -> "fstar_pervasives" + "core_result" -> "prims" + "core_result" -> "prims" + "fstar_pervasives" -> "prims" + "fstar_pervasives" -> "prims" + "fstar_pervasives" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake256" -> "core" + "libcrux_ml_dsa_hash_functions_shake256" -> "core" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake256" -> "prims" + "libcrux_ml_dsa_hash_functions_shake256" -> "prims" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "prims" + "fstar_set" -> "prims" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "prims" + "fstar_squash" -> "prims" + "libcrux_ml_dsa_simd_traits" -> "fstar_uint64" + "libcrux_ml_dsa_simd_traits" -> "fstar_uint64" + "libcrux_ml_dsa_simd_traits" -> "fstar_int32" + "libcrux_ml_dsa_simd_traits" -> "fstar_int32" + "libcrux_ml_dsa_simd_traits" -> "core_clone" + "libcrux_ml_dsa_simd_traits" -> "core_clone" + "libcrux_ml_dsa_simd_traits" -> "core_marker" + "libcrux_ml_dsa_simd_traits" -> "core_marker" + "libcrux_ml_dsa_simd_traits" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_traits" -> 
"fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_traits" -> "fstar_mul" + "libcrux_ml_dsa_simd_traits" -> "fstar_mul" + "libcrux_ml_dsa_simd_traits" -> "core" + "libcrux_ml_dsa_simd_traits" -> "core" + "libcrux_ml_dsa_simd_traits" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_traits" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_traits" -> "prims" + "libcrux_ml_dsa_simd_traits" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_ml_dsa_65__neon" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_adapters_enumerate" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_t0" -> "core_option" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_t0" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_t0" -> "core_slice" + "libcrux_ml_dsa_encoding_t0" -> "core_ops_range" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_t0" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t0" -> "core" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives" 
+ "libcrux_ml_dsa_encoding_t0" -> "prims" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_encoding_t0" + "fstar_heap" -> "fstar_preorder" + "fstar_heap" -> "fstar_preorder" + "fstar_heap" -> "fstar_monotonic_heap" + "fstar_heap" -> "fstar_monotonic_heap" + "fstar_heap" -> "fstar_pervasives" + "fstar_heap" -> "fstar_pervasives" + "fstar_heap" -> "prims" + "fstar_heap" -> "prims" + "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" + "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" + "fstar_reflection_v1_compare" -> "fstar_pervasives" + "fstar_reflection_v1_compare" -> "fstar_pervasives" + "fstar_reflection_v1_compare" -> "prims" + "fstar_reflection_v1_compare" -> "prims" + "fstar_issue" -> "fstar_stubs_pprint" + "fstar_issue" -> "fstar_range" + "fstar_issue" -> "fstar_pervasives" + "fstar_issue" -> "fstar_pervasives" + "fstar_issue" -> "prims" + "fstar_issue" -> "prims" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "prims" + "fstar_monotonic_witnessed" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_platform_platform" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> 
"fstar_pervasives" + "fstar_ghost" -> "prims" + "fstar_ghost" -> "prims" + "fstar_ghost" -> "fstar_ghost" + "rust_primitives_bitvectors" -> "fstar_uint8" + "rust_primitives_bitvectors" -> "fstar_uint8" + "rust_primitives_bitvectors" -> "fstar_uint16" + "rust_primitives_bitvectors" -> "fstar_uint16" + "rust_primitives_bitvectors" -> "fstar_uint32" + "rust_primitives_bitvectors" -> "fstar_uint32" + "rust_primitives_bitvectors" -> "fstar_int16" + "rust_primitives_bitvectors" -> "fstar_int16" + "rust_primitives_bitvectors" -> "fstar_int32" + "rust_primitives_bitvectors" -> "fstar_int32" + "rust_primitives_bitvectors" -> "fstar_seq" + "rust_primitives_bitvectors" -> "fstar_seq" + "rust_primitives_bitvectors" -> "fstar_functionalextensionality" + "rust_primitives_bitvectors" -> "fstar_functionalextensionality" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "prims" + "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1_derived_lemmas" -> 
"fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v1_derived_lemmas" -> "prims" + "fstar_reflection_v1_derived_lemmas" -> "prims" + "core_num" -> "fstar_tactics_typeclasses" + "core_num" -> "fstar_tactics_typeclasses" + "core_num" -> "core_ops_arith" + "core_num" -> "core_num_error" + "core_num" -> "core_result" + "core_num" -> "core_result" + "core_num" -> "fstar_math_lemmas" + "core_num" -> "fstar_math_lemmas" + "core_num" -> "lib_inttypes" + "core_num" -> "lib_inttypes" + "core_num" -> "fstar_uint128" + "core_num" -> "fstar_uint128" + "core_num" -> "fstar_uint32" + "core_num" -> "fstar_uint32" + "core_num" -> "rust_primitives" + "core_num" -> "rust_primitives" + "core_num" -> "fstar_pervasives" + "core_num" -> "fstar_pervasives" + "core_num" -> "prims" + "core_num" -> "prims" + "fstar_stubs_errors_msg" -> "fstar_stubs_pprint" + "fstar_stubs_errors_msg" -> "fstar_pervasives" + "fstar_stubs_errors_msg" -> "fstar_pervasives" + "fstar_stubs_errors_msg" -> "prims" + "fstar_stubs_errors_msg" -> "prims" + "core_option" -> "fstar_pervasives" + "core_option" -> "fstar_pervasives" + "core_option" -> "prims" + "core_option" -> "prims" + "fstar_string" -> "fstar_all" + "fstar_string" -> "fstar_list" + "fstar_string" -> "fstar_char" + "fstar_string" -> "fstar_list_tot" + "fstar_string" -> "fstar_pervasives" + "fstar_string" -> "prims" + "spec_sha3" -> "fstar_pervasives_native" + "spec_sha3" -> "spec_sha3_constants" + "spec_sha3" -> "lib_loopcombinators" + "spec_sha3" -> "fstar_mul" + "spec_sha3" -> "lib_bytesequence" + "spec_sha3" -> "lib_sequence" + "spec_sha3" -> "lib_inttypes" + "spec_sha3" -> "fstar_pervasives" + "spec_sha3" -> "prims" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_avx2_x4" + "libcrux_ml_dsa_hash_functions_simd256" -> 
"libcrux_sha3_portable_incremental" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_simd256" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_avx2_x4_incremental" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_simd256" -> "core" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_simd256" -> "prims" + "fstar_calc" -> "fstar_classical" + "fstar_calc" -> "fstar_classical" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_squash" + "fstar_calc" -> "fstar_squash" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "prims" + "fstar_calc" -> "prims" + "fstar_calc" -> "fstar_calc" + "spec_utils" -> "rust_primitives_integers" + "spec_utils" -> "fstar_calc" + "spec_utils" -> "fstar_int32" + "spec_utils" -> "fstar_int16" + "spec_utils" -> "fstar_math_lemmas" + "spec_utils" -> "fstar_classical_sugar" + "spec_utils" -> "rust_primitives_hax_monomorphized_update_at" + "spec_utils" -> "core_ops_range" + "spec_utils" -> "lib_inttypes" + "spec_utils" -> "lib_rawinttypes" + "spec_utils" -> "spec_sha3" + "spec_utils" -> "fstar_list_tot" + "spec_utils" -> "rust_primitives_hax" + "spec_utils" -> "lib_loopcombinators" + "spec_utils" -> "fstar_seq" + "spec_utils" -> "core" + "spec_utils" -> "fstar_mul" + "spec_utils" -> "fstar_pervasives" + "spec_utils" -> "prims" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_arithmetic" 
-> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_num" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_ops_arith_neg" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "prims" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_simd_avx2_arithmetic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_simd256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "prims" + "fstar_stubs_reflection_types" -> "fstar_sealed" + "fstar_stubs_reflection_types" -> "fstar_range" + "fstar_stubs_reflection_types" -> "fstar_pervasives" + "fstar_stubs_reflection_types" -> "fstar_pervasives" + "fstar_stubs_reflection_types" -> "prims" + "fstar_stubs_reflection_types" -> "prims" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" 
-> "fstar_int64" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_mul" + "lib_inttypes" -> "fstar_mul" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "prims" + "lib_inttypes" -> "prims" + "hax_lib" -> "fstar_tactics" + "hax_lib" -> "fstar_tactics" + "hax_lib" -> "fstar_pervasives" + "hax_lib" -> "fstar_pervasives" + "hax_lib" -> "prims" + "hax_lib" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "prims" + "core_fmt_rt" -> "fstar_pervasives" + "core_fmt_rt" -> "fstar_pervasives" + "core_fmt_rt" -> "prims" + "core_fmt_rt" -> "prims" + "libcrux_ml_dsa_encoding_signature" -> "core_convert" + "libcrux_ml_dsa_encoding_signature" -> "core_convert" + "libcrux_ml_dsa_encoding_signature" -> "core_array" + "libcrux_ml_dsa_encoding_signature" -> "core_array" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_encoding_signature" -> "core_result" + "libcrux_ml_dsa_encoding_signature" -> "core_result" + "libcrux_ml_dsa_encoding_signature" -> "fstar_uint8" + 
"libcrux_ml_dsa_encoding_signature" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives" + "libcrux_ml_dsa_encoding_signature" -> "fstar_int32" + "libcrux_ml_dsa_encoding_signature" -> "fstar_int32" + "libcrux_ml_dsa_encoding_signature" -> "core_ops_range" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signature" -> "core_slice" + "libcrux_ml_dsa_encoding_signature" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signature" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signature" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signature" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signature" -> "core" + "libcrux_ml_dsa_encoding_signature" -> "core" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signature" -> "prims" + "libcrux_ml_dsa_encoding_signature" -> "prims" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_encoding_signature" + "libcrux_ml_dsa_utils" -> 
"core_ops_range" + "libcrux_ml_dsa_utils" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_utils" -> "fstar_uint8" + "libcrux_ml_dsa_utils" -> "rust_primitives_hax" + "libcrux_ml_dsa_utils" -> "core_slice" + "libcrux_ml_dsa_utils" -> "hax_lib" + "libcrux_ml_dsa_utils" -> "fstar_mul" + "libcrux_ml_dsa_utils" -> "core" + "libcrux_ml_dsa_utils" -> "fstar_pervasives" + "libcrux_ml_dsa_utils" -> "prims" + "libcrux_ml_dsa_utils" -> "libcrux_ml_dsa_utils" + "fstar_math_lemmas" -> "fstar_calc" + "fstar_math_lemmas" -> "fstar_calc" + "fstar_math_lemmas" -> "fstar_math_lib" + "fstar_math_lemmas" -> "fstar_math_lib" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "prims" + "fstar_math_lemmas" -> "prims" + "fstar_math_lemmas" -> "fstar_math_lemmas" + "fstar_calc" -> "fstar_range" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "prims" + "fstar_calc" -> "prims" + "fstar_bitvector" -> "fstar_seq_base" + "fstar_bitvector" -> "fstar_seq_base" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "prims" + "fstar_bitvector" -> "prims" + "fstar_tactics_util" -> "fstar_pervasives_native" + "fstar_tactics_util" -> "fstar_pervasives_native" + "fstar_tactics_util" -> "fstar_list_tot_base" + "fstar_tactics_util" -> "fstar_list_tot_base" + "fstar_tactics_util" -> "fstar_tactics_effect" + "fstar_tactics_util" -> "fstar_tactics_effect" + "fstar_tactics_util" -> "fstar_pervasives" + "fstar_tactics_util" -> "fstar_pervasives" + "fstar_tactics_util" -> "prims" + "fstar_tactics_util" -> "prims" + "core_ops_arith_neg" -> "rust_primitives" + "core_ops_arith_neg" -> "fstar_pervasives" + "core_ops_arith_neg" -> 
"prims" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "prims" + "fstar_order" -> "fstar_pervasives_native" + "fstar_order" -> "fstar_pervasives_native" + "fstar_order" -> "fstar_pervasives" + "fstar_order" -> "fstar_pervasives" + "fstar_order" -> "prims" + "fstar_order" -> "prims" + "fstar_tactics_smt" -> "fstar_vconfig" + "fstar_tactics_smt" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "prims" + "fstar_tactics_smt" -> "prims" + "fstar_tactics_smt" -> "fstar_tactics_smt" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "prims" + "fstar_tactics_smt" -> "prims" + "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_v2_data" + "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v2_builtins" -> "fstar_vconfig" + "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_syntax_syntax" + "fstar_stubs_reflection_v2_builtins" -> "fstar_order" + "fstar_stubs_reflection_v2_builtins" -> "fstar_order" + "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_builtins" -> "prims" + "fstar_stubs_reflection_v2_builtins" -> "prims" + "fstar_tactics_names" -> "fstar_tactics_effect" + "fstar_tactics_names" -> "fstar_tactics_effect" + "fstar_tactics_names" -> "fstar_stubs_reflection_types" + "fstar_tactics_names" -> 
"fstar_pervasives" + "fstar_tactics_names" -> "fstar_pervasives" + "fstar_tactics_names" -> "prims" + "fstar_tactics_names" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int16" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" + "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "prims" + "fstar_list_tot_properties" -> "prims" + 
"libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" + "libcrux_sha3_avx2_x4" -> "fstar_mul" + "libcrux_sha3_avx2_x4" -> "core" + "libcrux_sha3_avx2_x4" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4" -> "prims" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "prims" + "libcrux_sha3_portable" -> "prims" + "libcrux_sha3_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake128" -> "core" + "libcrux_ml_dsa_hash_functions_shake128" -> "core" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake128" -> "prims" + "libcrux_ml_dsa_hash_functions_shake128" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "prims" + "fstar_reflection_termeq" -> "fstar_classical_sugar" + 
"fstar_reflection_termeq" -> "fstar_classical_sugar" + "fstar_reflection_termeq" -> "fstar_sealed" + "fstar_reflection_termeq" -> "fstar_pervasives_native" + "fstar_reflection_termeq" -> "fstar_pervasives_native" + "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" + "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "prims" + "fstar_reflection_termeq" -> "prims" + "fstar_reflection_termeq" -> "fstar_reflection_termeq" + "libcrux_ml_dsa_encoding_signing_key" -> "core_convert" + "libcrux_ml_dsa_encoding_signing_key" -> "core_array" + "libcrux_ml_dsa_encoding_signing_key" -> "core_result" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_t0" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_error" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signing_key" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_signing_key" -> "core_slice" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_signing_key" -> "core_ops_range" + "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" + 
"libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signing_key" -> "core" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signing_key" -> "prims" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_signing_key" + "core_ops_index" -> "fstar_tactics_typeclasses" + "core_ops_index" -> "fstar_tactics_typeclasses" + "core_ops_index" -> "fstar_pervasives" + "core_ops_index" -> "fstar_pervasives" + "core_ops_index" -> "prims" + "core_ops_index" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "core_slice" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "hax_lib" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable_encoding_t0" + "libcrux_ml_dsa_simd_portable_sample" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_portable_sample" -> "core_slice" + "libcrux_ml_dsa_simd_portable_sample" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_sample" -> 
"fstar_int32" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable_sample" -> "core_slice_iter" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_sample" -> "core_iter_traits_collect" + "libcrux_ml_dsa_simd_portable_sample" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_sample" -> "core" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_sample" -> "prims" + "libcrux_ml_dsa_simd_portable_sample" -> "libcrux_ml_dsa_simd_portable_sample" + "fstar_stubs_tactics_types" -> "fstar_issue" + "fstar_stubs_tactics_types" -> "fstar_range" + "fstar_stubs_tactics_types" -> "fstar_stubs_typechecker_core" + "fstar_stubs_tactics_types" -> "fstar_stubs_tactics_common" + "fstar_stubs_tactics_types" -> "fstar_stubs_reflection_types" + "fstar_stubs_tactics_types" -> "fstar_pervasives" + "fstar_stubs_tactics_types" -> "fstar_pervasives" + "fstar_stubs_tactics_types" -> "prims" + "fstar_stubs_tactics_types" -> "prims" + "libcrux_ml_dsa_samplex4" -> "fstar_uint16" + "libcrux_ml_dsa_samplex4" -> "core_panicking" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives_native" + "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_samplex4" -> "fstar_uint8" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_samplex4" -> "fstar_int32" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_samplex4" -> "fstar_mul" + 
"libcrux_ml_dsa_samplex4" -> "core" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives" + "libcrux_ml_dsa_samplex4" -> "prims" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_samplex4" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" + "fstar_stubs_tactics_result" -> "fstar_stubs_tactics_types" + "fstar_stubs_tactics_result" -> "fstar_pervasives" + "fstar_stubs_tactics_result" -> "fstar_pervasives" + "fstar_stubs_tactics_result" -> "prims" + "fstar_stubs_tactics_result" -> "prims" + "core_array" -> "rust_primitives" + "core_array" -> "rust_primitives" + "core_array" -> "fstar_pervasives" + "core_array" -> "fstar_pervasives" + "core_array" -> "prims" + "core_array" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "core" + 
"libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_seq" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_seq" + "rust_primitives_hax_monomorphized_update_at" -> "core_ops_range" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "libcrux_ml_dsa_constants" -> "fstar_int32" + "libcrux_ml_dsa_constants" -> "fstar_int32" + "libcrux_ml_dsa_constants" -> "fstar_mul" + "libcrux_ml_dsa_constants" -> "fstar_mul" + "libcrux_ml_dsa_constants" -> "core" + "libcrux_ml_dsa_constants" -> "core" + "libcrux_ml_dsa_constants" -> "fstar_pervasives" + "libcrux_ml_dsa_constants" -> "fstar_pervasives" + "libcrux_ml_dsa_constants" -> "prims" + "libcrux_ml_dsa_constants" -> "prims" + "core_fmt" -> "core_fmt_rt" + "core_fmt" -> "fstar_tactics_typeclasses" + "core_fmt" -> "fstar_tactics_typeclasses" + "core_fmt" -> "core_result" + "core_fmt" -> "core_result" + "core_fmt" -> "rust_primitives" + "core_fmt" -> "rust_primitives" + "core_fmt" -> "fstar_pervasives" + "core_fmt" -> "fstar_pervasives" + "core_fmt" -> "prims" + "core_fmt" -> "prims" + "fstar_int32" -> "fstar_uint" + "fstar_int32" -> "fstar_uint" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "prims" 
+ "fstar_int32" -> "prims" + "core_slice" -> "fstar_tactics_typeclasses" + "core_slice" -> "fstar_tactics_typeclasses" + "core_slice" -> "core_ops_index" + "core_slice" -> "core_ops_index" + "core_slice" -> "core_slice_iter" + "core_slice" -> "core_slice_iter" + "core_slice" -> "fstar_seq" + "core_slice" -> "fstar_seq" + "core_slice" -> "rust_primitives_integers" + "core_slice" -> "rust_primitives_integers" + "core_slice" -> "rust_primitives_arrays" + "core_slice" -> "rust_primitives_arrays" + "core_slice" -> "fstar_pervasives" + "core_slice" -> "fstar_pervasives" + "core_slice" -> "prims" + "core_slice" -> "prims" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "prims" + "fstar_int" -> "prims" + "libcrux_ml_dsa_matrix" -> "fstar_int32" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_matrix" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_matrix" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_matrix" -> "rust_primitives_hax" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_matrix" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_matrix" -> "fstar_mul" + "libcrux_ml_dsa_matrix" -> "core" + "libcrux_ml_dsa_matrix" -> "fstar_pervasives" + "libcrux_ml_dsa_matrix" -> "prims" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_matrix" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_types" + 
"libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_44__neon" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "prims" + "fstar_uint16" -> "prims" + "fstar_tactics_print" -> "fstar_tactics_namedview" + "fstar_tactics_print" -> "fstar_tactics_namedview" + "fstar_tactics_print" -> "fstar_tactics_v2_derived" + "fstar_tactics_print" -> "fstar_tactics_v2_derived" + "fstar_tactics_print" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_print" -> "fstar_tactics_effect" + "fstar_tactics_print" -> "fstar_tactics_effect" + "fstar_tactics_print" -> "fstar_reflection_v2" + "fstar_tactics_print" -> "fstar_reflection_v2" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "prims" + "fstar_tactics_print" -> "prims" + "fstar_tactics_print" -> "fstar_tactics_print" + "lib_inttypes" -> "fstar_bitvector" + "lib_inttypes" -> "fstar_bitvector" + "lib_inttypes" -> "fstar_seq" + "lib_inttypes" -> "fstar_seq" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_pervasives_native" + "lib_inttypes" -> "fstar_pervasives_native" + "lib_inttypes" -> "fstar_int_cast_full" + "lib_inttypes" -> "fstar_int_cast_full" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int_cast" + "lib_inttypes" -> "fstar_int_cast" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> 
"fstar_int32" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_math_lemmas" + "lib_inttypes" -> "fstar_math_lemmas" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "prims" + "lib_inttypes" -> "prims" + "lib_inttypes" -> "lib_inttypes" + "fstar_monotonic_witnessed" -> "fstar_classical" + "fstar_monotonic_witnessed" -> "fstar_classical" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "prims" + "fstar_monotonic_witnessed" -> "prims" + "fstar_monotonic_witnessed" -> "fstar_monotonic_witnessed" + "core_iter_traits_collect" -> "core_iter_traits_iterator" + "core_iter_traits_collect" -> "core_iter_traits_iterator" + "core_iter_traits_collect" -> "fstar_tactics_typeclasses" + "core_iter_traits_collect" -> "fstar_tactics_typeclasses" + "core_iter_traits_collect" -> "fstar_pervasives" + "core_iter_traits_collect" -> "fstar_pervasives" + "core_iter_traits_collect" -> "prims" + "core_iter_traits_collect" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "prims" 
+ "fstar_classical" -> "fstar_squash" + "fstar_classical" -> "fstar_squash" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "prims" + "fstar_classical" -> "prims" + "fstar_classical" -> "fstar_classical" + "fstar_stubs_typechecker_core" -> "fstar_pervasives" + "fstar_stubs_typechecker_core" -> "fstar_pervasives" + "fstar_stubs_typechecker_core" -> "prims" + "fstar_stubs_typechecker_core" -> "prims" + "fstar_reflection_v1_formula" -> "fstar_pervasives_native" + "fstar_reflection_v1_formula" -> "fstar_pervasives_native" + "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1_formula" -> "fstar_reflection_const" + "fstar_reflection_v1_formula" -> "fstar_reflection_const" + "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1_formula" -> "fstar_stubs_tactics_v1_builtins" + "fstar_reflection_v1_formula" -> "fstar_tactics_effect" + "fstar_reflection_v1_formula" -> "fstar_tactics_effect" + "fstar_reflection_v1_formula" -> "fstar_list_tot_base" + "fstar_reflection_v1_formula" -> "fstar_list_tot_base" + "fstar_reflection_v1_formula" -> "fstar_pervasives" + "fstar_reflection_v1_formula" -> "fstar_pervasives" + "fstar_reflection_v1_formula" -> "prims" + "fstar_reflection_v1_formula" -> "prims" + "fstar_strongexcludedmiddle" -> "fstar_pervasives" + "fstar_strongexcludedmiddle" -> "fstar_pervasives" + "fstar_strongexcludedmiddle" -> "prims" + "fstar_strongexcludedmiddle" -> "prims" + "fstar_tactics_effect" -> "fstar_range" + "fstar_tactics_effect" -> "fstar_stubs_tactics_result" + "fstar_tactics_effect" -> "fstar_stubs_tactics_types" + "fstar_tactics_effect" -> "fstar_stubs_reflection_types" + "fstar_tactics_effect" -> "fstar_monotonic_pure" + 
"fstar_tactics_effect" -> "fstar_monotonic_pure" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "prims" + "fstar_tactics_effect" -> "prims" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "rust_primitives_arrays" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signing_key" -> "core" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signing_key" -> "prims" + "fstar_tactics_print" -> "fstar_tactics_effect" + "fstar_tactics_print" -> "fstar_tactics_effect" + "fstar_tactics_print" -> "fstar_stubs_reflection_v2_data" + "fstar_tactics_print" -> "fstar_stubs_reflection_types" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "prims" + "fstar_tactics_print" -> "prims" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core_ops_arith_neg" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_avx2_arithmetic" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" + 
"libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_avx2_ntt" + "fstar_tactics_bv" -> "fstar_tactics_bv_lemmas" + "fstar_tactics_bv" -> "fstar_tactics_bv_lemmas" + "fstar_tactics_bv" -> "fstar_tactics_effect" + "fstar_tactics_bv" -> "fstar_tactics_effect" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "prims" + "fstar_tactics_bv" -> "prims" + "fstar_stubs_syntax_syntax" -> "fstar_stubs_reflection_types" + "fstar_stubs_syntax_syntax" -> "fstar_pervasives" + "fstar_stubs_syntax_syntax" -> "fstar_pervasives" + "fstar_stubs_syntax_syntax" -> "prims" + "fstar_stubs_syntax_syntax" -> "prims" + "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_polynomial" -> "fstar_mul" + "libcrux_ml_dsa_polynomial" -> "fstar_mul" + "libcrux_ml_dsa_polynomial" -> "core" + "libcrux_ml_dsa_polynomial" -> "core" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives" + "libcrux_ml_dsa_polynomial" -> "prims" + "libcrux_ml_dsa_polynomial" -> "prims" + "libcrux_ml_dsa_types" -> "fstar_mul" + "libcrux_ml_dsa_types" -> "fstar_mul" + "libcrux_ml_dsa_types" -> "core" + "libcrux_ml_dsa_types" -> "core" + "libcrux_ml_dsa_types" -> "fstar_pervasives" + "libcrux_ml_dsa_types" -> "fstar_pervasives" + "libcrux_ml_dsa_types" -> "prims" + "libcrux_ml_dsa_types" -> "prims" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_types" + "lib_bytesequence" -> "fstar_pervasives_native" + "lib_bytesequence" -> "fstar_calc" + "lib_bytesequence" -> 
"fstar_math_lemmas" + "lib_bytesequence" -> "fstar_classical" + "lib_bytesequence" -> "fstar_uint8" + "lib_bytesequence" -> "fstar_seq" + "lib_bytesequence" -> "lib_loopcombinators" + "lib_bytesequence" -> "lib_rawinttypes" + "lib_bytesequence" -> "lib_sequence" + "lib_bytesequence" -> "lib_inttypes" + "lib_bytesequence" -> "fstar_mul" + "lib_bytesequence" -> "fstar_pervasives" + "lib_bytesequence" -> "prims" + "lib_bytesequence" -> "lib_bytesequence" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "prims" + "fstar_uint64" -> "prims" + "fstar_uint64" -> "fstar_uint64" + "spec_sha3_constants" -> "fstar_uint64" + "spec_sha3_constants" -> "fstar_list_tot" + "spec_sha3_constants" -> "fstar_uint32" + "spec_sha3_constants" -> "lib_sequence" + "spec_sha3_constants" -> "lib_inttypes" + "spec_sha3_constants" -> "fstar_pervasives" + "spec_sha3_constants" -> "prims" + "fstar_tactics_v1" -> "fstar_tactics_smt" + "fstar_tactics_v1" -> "fstar_tactics_smt" + "fstar_tactics_v1" -> "fstar_tactics_visit" + "fstar_tactics_v1" -> "fstar_tactics_visit" + "fstar_tactics_v1" -> "fstar_tactics_print" + "fstar_tactics_v1" -> "fstar_tactics_print" + "fstar_tactics_v1" -> "fstar_tactics_util" + "fstar_tactics_v1" -> "fstar_tactics_util" + "fstar_tactics_v1" -> "fstar_tactics_v1_logic" + "fstar_tactics_v1" -> "fstar_tactics_v1_logic" + "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1" -> "fstar_tactics_effect" + "fstar_tactics_v1" -> "fstar_tactics_effect" + "fstar_tactics_v1" -> "fstar_stubs_tactics_types" + 
"fstar_tactics_v1" -> "fstar_reflection_v1_compare" + "fstar_tactics_v1" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1" -> "fstar_reflection_v1_derived" + "fstar_tactics_v1" -> "fstar_reflection_v1_derived" + "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_builtins" + "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_data" + "fstar_tactics_v1" -> "fstar_reflection_const" + "fstar_tactics_v1" -> "fstar_reflection_const" + "fstar_tactics_v1" -> "fstar_stubs_reflection_types" + "fstar_tactics_v1" -> "fstar_pervasives" + "fstar_tactics_v1" -> "fstar_pervasives" + "fstar_tactics_v1" -> "prims" + "fstar_tactics_v1" -> "prims" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_ntt" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t1" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t0" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_error" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_gamma1" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_sample" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_arithmetic" + "libcrux_ml_dsa_simd_portable" -> "core_ops_range" + "libcrux_ml_dsa_simd_portable" -> "core_convert" + "libcrux_ml_dsa_simd_portable" -> "core_array" + "libcrux_ml_dsa_simd_portable" -> "core_result" + "libcrux_ml_dsa_simd_portable" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable" -> "core" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives" + 
"libcrux_ml_dsa_simd_portable" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "prims" + "fstar_seq_base" -> "prims" + "fstar_seq_base" -> "fstar_seq_base" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_math_lemmas" + "fstar_int8" -> "fstar_math_lemmas" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "prims" + "fstar_int8" -> "prims" + "fstar_int8" -> "fstar_int8" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable_incremental" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_portable" -> "core" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_portable" -> "prims" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_arithmetic" + "libcrux_ml_dsa_simd_portable_ntt" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_ntt" -> "core" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_ntt" 
-> "prims" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_ntt" + "fstar_bv" -> "fstar_list" + "fstar_bv" -> "fstar_list" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "prims" + "fstar_bv" -> "prims" + "libcrux_ml_dsa_polynomial" -> "core_ops_range" + "libcrux_ml_dsa_polynomial" -> "fstar_int32" + "libcrux_ml_dsa_polynomial" -> "fstar_int32" + "libcrux_ml_dsa_polynomial" -> "core_array_iter" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_collect" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_collect" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_polynomial" -> "core_option" + "libcrux_ml_dsa_polynomial" -> "core_option" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives_native" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives_native" + "libcrux_ml_dsa_polynomial" -> "core_slice_iter" + "libcrux_ml_dsa_polynomial" -> "core_slice_iter" + "libcrux_ml_dsa_polynomial" -> "hax_lib" + "libcrux_ml_dsa_polynomial" -> "hax_lib" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_polynomial" -> "core_slice" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax" + "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_polynomial" -> "fstar_mul" + "libcrux_ml_dsa_polynomial" -> "fstar_mul" + "libcrux_ml_dsa_polynomial" -> "core" + "libcrux_ml_dsa_polynomial" -> "core" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives" 
+ "libcrux_ml_dsa_polynomial" -> "fstar_pervasives" + "libcrux_ml_dsa_polynomial" -> "prims" + "libcrux_ml_dsa_polynomial" -> "prims" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_polynomial" + "core_array_iter" -> "core_iter" + "core_array_iter" -> "rust_primitives" + "core_array_iter" -> "rust_primitives" + "core_array_iter" -> "fstar_pervasives" + "core_array_iter" -> "fstar_pervasives" + "core_array_iter" -> "prims" + "core_array_iter" -> "prims" + "libcrux_ml_dsa_types" -> "fstar_mul" + "libcrux_ml_dsa_types" -> "fstar_mul" + "libcrux_ml_dsa_types" -> "core" + "libcrux_ml_dsa_types" -> "core" + "libcrux_ml_dsa_types" -> "fstar_pervasives" + "libcrux_ml_dsa_types" -> "fstar_pervasives" + "libcrux_ml_dsa_types" -> "prims" + "libcrux_ml_dsa_types" -> "prims" + "core_iter_adapters_enumerate" -> "rust_primitives" + "core_iter_adapters_enumerate" -> "rust_primitives" + "core_iter_adapters_enumerate" -> "fstar_pervasives" + "core_iter_adapters_enumerate" -> "fstar_pervasives" + "core_iter_adapters_enumerate" -> "prims" + "core_iter_adapters_enumerate" -> "prims" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "core" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "prims" + "fstar_erasedlogic" -> "fstar_ghost" + "fstar_erasedlogic" -> "fstar_ghost" + "fstar_erasedlogic" -> "fstar_pervasives" + "fstar_erasedlogic" -> "fstar_pervasives" + "fstar_erasedlogic" -> "prims" + "fstar_erasedlogic" -> "prims" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "prims" + "fstar_math_lemmas" -> "prims" + "fstar_tactics_names" -> "fstar_tactics_visit" + "fstar_tactics_names" -> 
"fstar_tactics_visit" + "fstar_tactics_names" -> "fstar_stubs_reflection_v2_builtins" + "fstar_tactics_names" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_names" -> "fstar_tactics_effect" + "fstar_tactics_names" -> "fstar_tactics_effect" + "fstar_tactics_names" -> "fstar_tactics_namedview" + "fstar_tactics_names" -> "fstar_tactics_namedview" + "fstar_tactics_names" -> "fstar_pervasives" + "fstar_tactics_names" -> "fstar_pervasives" + "fstar_tactics_names" -> "prims" + "fstar_tactics_names" -> "prims" + "fstar_tactics_names" -> "fstar_tactics_names" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "prims" + "core_slice_iter" -> "rust_primitives" + "core_slice_iter" -> "rust_primitives" + "core_slice_iter" -> "fstar_pervasives" + "core_slice_iter" -> "fstar_pervasives" + "core_slice_iter" -> "prims" + "core_slice_iter" -> "prims" + "rust_primitives_arrays" -> "fstar_pervasives_native" + "rust_primitives_arrays" -> "fstar_pervasives_native" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> 
"fstar_list_tot" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_mul" + "rust_primitives_arrays" -> "fstar_mul" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "prims" + "core_ops_range" -> "rust_primitives_hax" + "core_ops_range" -> "rust_primitives_hax" + "core_ops_range" -> "fstar_seq" + "core_ops_range" -> "fstar_seq" + "core_ops_range" -> "core_ops_index" + "core_ops_range" -> "core_ops_index" + "core_ops_range" -> "fstar_tactics_typeclasses" + "core_ops_range" -> "fstar_tactics_typeclasses" + "core_ops_range" -> "fstar_pervasives_native" + "core_ops_range" -> "fstar_pervasives_native" + "core_ops_range" -> "core_iter_traits_iterator" + "core_ops_range" -> "core_iter_traits_iterator" + "core_ops_range" -> "rust_primitives" + "core_ops_range" -> "rust_primitives" + "core_ops_range" -> "fstar_pervasives" + "core_ops_range" -> "fstar_pervasives" + "core_ops_range" -> "prims" + "core_ops_range" -> "prims" + "libcrux_ml_dsa_encoding_verification_key" -> "core_convert" + "libcrux_ml_dsa_encoding_verification_key" -> "core_array" + "libcrux_ml_dsa_encoding_verification_key" -> "core_result" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_encoding_t1" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_verification_key" -> "core_slice" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_verification_key" -> "core_ops_range" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_monomorphized_update_at" + 
"libcrux_ml_dsa_encoding_verification_key" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_verification_key" -> "core" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_verification_key" -> "prims" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_encoding_verification_key" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "prims" + "fstar_uint32" -> "prims" + "fstar_uint32" -> "fstar_uint32" + "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v2_derived" -> "fstar_squash" + "fstar_tactics_v2_derived" -> "fstar_squash" + "fstar_tactics_v2_derived" -> "fstar_range" + "fstar_tactics_v2_derived" -> "fstar_pervasives_native" + "fstar_tactics_v2_derived" -> "fstar_pervasives_native" + "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_derived" -> "fstar_tactics_visit" + "fstar_tactics_v2_derived" -> "fstar_tactics_visit" + "fstar_tactics_v2_derived" -> "fstar_list_tot_base" + "fstar_tactics_v2_derived" -> "fstar_list_tot_base" + "fstar_tactics_v2_derived" -> "fstar_tactics_names" + "fstar_tactics_v2_derived" -> "fstar_tactics_names" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_derived" -> 
"fstar_tactics_namedview" + "fstar_tactics_v2_derived" -> "fstar_tactics_namedview" + "fstar_tactics_v2_derived" -> "fstar_vconfig" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2_derived" -> "fstar_tactics_util" + "fstar_tactics_v2_derived" -> "fstar_tactics_util" + "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_result" + "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2_derived" -> "fstar_tactics_effect" + "fstar_tactics_v2_derived" -> "fstar_tactics_effect" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2" + "fstar_tactics_v2_derived" -> "fstar_pervasives" + "fstar_tactics_v2_derived" -> "fstar_pervasives" + "fstar_tactics_v2_derived" -> "prims" + "fstar_tactics_v2_derived" -> "prims" + "core_convert" -> "rust_primitives_integers" + "core_convert" -> "rust_primitives_integers" + "core_convert" -> "core_slice" + "core_convert" -> "core_array" + "core_convert" -> "core_array" + "core_convert" -> "core_result" + "core_convert" -> "core_result" + "core_convert" -> "fstar_tactics_typeclasses" + "core_convert" -> "fstar_tactics_typeclasses" + "core_convert" -> "rust_primitives" + "core_convert" -> "rust_primitives" + "core_convert" -> "fstar_pervasives" + "core_convert" -> "fstar_pervasives" + "core_convert" -> "prims" + "core_convert" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_pervasives" + 
"libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "prims" + "fstar_stubs_pprint" -> "fstar_float" + "fstar_stubs_pprint" -> "fstar_char" + "fstar_stubs_pprint" -> "fstar_pervasives" + "fstar_stubs_pprint" -> "fstar_pervasives" + "fstar_stubs_pprint" -> "prims" + "fstar_stubs_pprint" -> "prims" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "prims" + "fstar_reflection_termeq" -> "prims" + "fstar_st" -> "fstar_set" + "fstar_st" -> "fstar_set" + "fstar_st" -> "fstar_monotonic_witnessed" + "fstar_st" -> "fstar_monotonic_witnessed" + "fstar_st" -> "fstar_preorder" + "fstar_st" -> "fstar_preorder" + "fstar_st" -> "fstar_heap" + "fstar_st" -> "fstar_heap" + "fstar_st" -> "fstar_tset" + "fstar_st" -> "fstar_tset" + "fstar_st" -> "fstar_pervasives" + "fstar_st" -> "fstar_pervasives" + "fstar_st" -> "prims" + "fstar_st" -> "prims" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v1_syntaxhelpers" -> "prims" + 
"fstar_tactics_v1_syntaxhelpers" -> "prims" + "lib_rawinttypes" -> "fstar_uint128" + "lib_rawinttypes" -> "fstar_uint64" + "lib_rawinttypes" -> "fstar_uint32" + "lib_rawinttypes" -> "fstar_uint16" + "lib_rawinttypes" -> "fstar_uint8" + "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "fstar_pervasives" + "lib_rawinttypes" -> "prims" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "prims" + "fstar_uint8" -> "prims" + "fstar_uint8" -> "fstar_uint8" + "libcrux_sha3_traits" -> "fstar_tactics_typeclasses" + "libcrux_sha3_traits" -> "fstar_tactics_typeclasses" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "prims" + "libcrux_sha3_traits" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_neon" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "prims" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" 
-> "fstar_math_lemmas" + "fstar_int16" -> "fstar_math_lemmas" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "prims" + "fstar_int16" -> "prims" + "fstar_int16" -> "fstar_int16" + "fstar_reflection_v1" -> "fstar_reflection_v1_compare" + "fstar_reflection_v1" -> "fstar_reflection_const" + "fstar_reflection_v1" -> "fstar_reflection_const" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1" -> "fstar_pervasives" + "fstar_reflection_v1" -> "fstar_pervasives" + "fstar_reflection_v1" -> "prims" + "fstar_reflection_v1" -> "prims" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v2_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_tactics_effect" + "fstar_tactics_v2_logic" -> "fstar_tactics_effect" + "fstar_tactics_v2_logic" -> "fstar_pervasives" + "fstar_tactics_v2_logic" -> "fstar_pervasives" + 
"fstar_tactics_v2_logic" -> "prims" + "fstar_tactics_v2_logic" -> "prims" + "rust_primitives_hax" -> "fstar_list_tot" + "rust_primitives_hax" -> "fstar_list_tot" + "rust_primitives_hax" -> "lib_inttypes" + "rust_primitives_hax" -> "lib_inttypes" + "rust_primitives_hax" -> "core_slice" + "rust_primitives_hax" -> "fstar_tactics_typeclasses" + "rust_primitives_hax" -> "fstar_tactics_typeclasses" + "rust_primitives_hax" -> "core_ops_index" + "rust_primitives_hax" -> "core_ops_index" + "rust_primitives_hax" -> "fstar_seq" + "rust_primitives_hax" -> "fstar_seq" + "rust_primitives_hax" -> "rust_primitives_arrays" + "rust_primitives_hax" -> "rust_primitives_arrays" + "rust_primitives_hax" -> "rust_primitives_integers" + "rust_primitives_hax" -> "rust_primitives_integers" + "rust_primitives_hax" -> "fstar_pervasives" + "rust_primitives_hax" -> "fstar_pervasives" + "rust_primitives_hax" -> "prims" + "rust_primitives_hax" -> "prims" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_samplex4" -> "fstar_mul" + "libcrux_ml_dsa_samplex4" -> "core" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives" + "libcrux_ml_dsa_samplex4" -> "prims" + "fstar_functionalextensionality" -> "fstar_pervasives_native" + "fstar_functionalextensionality" -> "fstar_pervasives_native" + "fstar_functionalextensionality" -> "fstar_tactics_effect" + "fstar_functionalextensionality" -> "fstar_tactics_effect" + "fstar_functionalextensionality" -> "fstar_stubs_tactics_types" + "fstar_functionalextensionality" -> "fstar_stubs_reflection_types" + "fstar_functionalextensionality" -> "fstar_stubs_tactics_v2_builtins" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "fstar_pervasives" 
+ "fstar_functionalextensionality" -> "prims" + "fstar_functionalextensionality" -> "prims" + "fstar_functionalextensionality" -> "fstar_functionalextensionality" + "fstar_set" -> "fstar_classical" + "fstar_set" -> "fstar_classical" + "fstar_set" -> "fstar_functionalextensionality" + "fstar_set" -> "fstar_functionalextensionality" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "prims" + "fstar_set" -> "prims" + "fstar_set" -> "fstar_set" + "fstar_tactics" -> "fstar_tactics_v1" + "fstar_tactics" -> "fstar_tactics_v1" + "fstar_tactics" -> "fstar_pervasives" + "fstar_tactics" -> "fstar_pervasives" + "fstar_tactics" -> "prims" + "fstar_tactics" -> "prims" + "lib_bytesequence" -> "fstar_seq" + "lib_bytesequence" -> "fstar_seq_base" + "lib_bytesequence" -> "lib_sequence" + "lib_bytesequence" -> "lib_inttypes" + "lib_bytesequence" -> "fstar_mul" + "lib_bytesequence" -> "fstar_pervasives" + "lib_bytesequence" -> "prims" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ntt" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ntt" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ntt" -> "rust_primitives_hax" + "libcrux_ml_dsa_ntt" -> "rust_primitives_hax" + "libcrux_ml_dsa_ntt" -> "fstar_list_tot" + "libcrux_ml_dsa_ntt" -> "fstar_list_tot" + "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ntt" -> "fstar_mul" + "libcrux_ml_dsa_ntt" -> "fstar_mul" + "libcrux_ml_dsa_ntt" -> "core" + "libcrux_ml_dsa_ntt" -> "core" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_ntt" -> "prims" + "libcrux_ml_dsa_ntt" -> "prims" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "prims" + 
"fstar_classical_sugar" -> "prims" + "core_marker" -> "fstar_tactics_typeclasses" + "core_marker" -> "fstar_tactics_typeclasses" + "core_marker" -> "fstar_pervasives" + "core_marker" -> "fstar_pervasives" + "core_marker" -> "prims" + "core_marker" -> "prims" + "fstar_tactics_bv_lemmas" -> "fstar_uint" + "fstar_tactics_bv_lemmas" -> "fstar_uint" + "fstar_tactics_bv_lemmas" -> "fstar_bv" + "fstar_tactics_bv_lemmas" -> "fstar_bv" + "fstar_tactics_bv_lemmas" -> "fstar_pervasives" + "fstar_tactics_bv_lemmas" -> "fstar_pervasives" + "fstar_tactics_bv_lemmas" -> "prims" + "fstar_tactics_bv_lemmas" -> "prims" + "fstar_tactics_bv_lemmas" -> "fstar_tactics_bv_lemmas" + "core_ops_control_flow" -> "fstar_pervasives" + "core_ops_control_flow" -> "fstar_pervasives" + "core_ops_control_flow" -> "prims" + "core_ops_control_flow" -> "prims" + "fstar_int8" -> "fstar_uint" + "fstar_int8" -> "fstar_uint" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "prims" + "fstar_int8" -> "prims" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_44_" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44_" -> "core" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44_" -> "prims" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_87_" -> "core_result" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_mul" + 
"libcrux_ml_dsa_ml_dsa_87_" -> "core" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87_" -> "prims" + "fstar_tactics_unseal" -> "fstar_tactics_effect" + "fstar_tactics_unseal" -> "fstar_tactics_effect" + "fstar_tactics_unseal" -> "fstar_sealed" + "fstar_tactics_unseal" -> "fstar_pervasives" + "fstar_tactics_unseal" -> "fstar_pervasives" + "fstar_tactics_unseal" -> "prims" + "fstar_tactics_unseal" -> "prims" + "rust_primitives_hax_control_flow_monad_mexception" -> "core_ops_control_flow" + "rust_primitives_hax_control_flow_monad_mexception" -> "fstar_pervasives" + "rust_primitives_hax_control_flow_monad_mexception" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "prims" + "fstar_bv" -> "fstar_math_lemmas" + "fstar_bv" -> "fstar_math_lemmas" + "fstar_bv" -> "fstar_seq" + "fstar_bv" -> "fstar_seq" + "fstar_bv" -> "fstar_bitvector" + "fstar_bv" -> "fstar_bitvector" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "prims" + "fstar_bv" -> "prims" + "fstar_bv" -> "fstar_bv" + "fstar_pervasives_native" -> "prims" + "fstar_pervasives_native" -> "prims" + "libcrux_ml_dsa_encoding_gamma1" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_gamma1" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_gamma1" -> "core_option" + "libcrux_ml_dsa_encoding_gamma1" -> "core_option" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_gamma1" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_gamma1" -> 
"core_slice_iter" + "libcrux_ml_dsa_encoding_gamma1" -> "core_panicking" + "libcrux_ml_dsa_encoding_gamma1" -> "core_panicking" + "libcrux_ml_dsa_encoding_gamma1" -> "core_slice" + "libcrux_ml_dsa_encoding_gamma1" -> "core_ops_range" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_gamma1" -> "core" + "libcrux_ml_dsa_encoding_gamma1" -> "core" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> 
"libcrux_ml_dsa_ml_dsa_87__avx2" + "fstar_list_tot_base" -> "fstar_classical_sugar" + "fstar_list_tot_base" -> "fstar_classical_sugar" + "fstar_list_tot_base" -> "fstar_pervasives_native" + "fstar_list_tot_base" -> "fstar_pervasives_native" + "fstar_list_tot_base" -> "fstar_pervasives" + "fstar_list_tot_base" -> "fstar_pervasives" + "fstar_list_tot_base" -> "prims" + "fstar_list_tot_base" -> "prims" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_sample" -> "core" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_sample" -> "prims" + "fstar_reflection_v2_formula" -> "fstar_pervasives_native" + "fstar_reflection_v2_formula" -> "fstar_pervasives_native" + "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" + "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" + "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" + "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" + "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_v2_builtins" + "fstar_reflection_v2_formula" -> "fstar_tactics_effect" + "fstar_reflection_v2_formula" -> "fstar_tactics_effect" + "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_common" + "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_formula" -> "fstar_reflection_const" + "fstar_reflection_v2_formula" -> "fstar_reflection_const" + "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_formula" -> "fstar_list_tot_base" + "fstar_reflection_v2_formula" -> "fstar_list_tot_base" + "fstar_reflection_v2_formula" -> "fstar_pervasives" + "fstar_reflection_v2_formula" -> "fstar_pervasives" + "fstar_reflection_v2_formula" -> "prims" + 
"fstar_reflection_v2_formula" -> "prims" + "fstar_char" -> "fstar_uint32" + "fstar_char" -> "fstar_uint32" + "fstar_char" -> "fstar_pervasives" + "fstar_char" -> "fstar_pervasives" + "fstar_char" -> "prims" + "fstar_char" -> "prims" + "fstar_tactics_mapply" -> "fstar_squash" + "fstar_tactics_mapply" -> "fstar_squash" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" + "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_mapply" -> "fstar_tactics_namedview" + "fstar_tactics_mapply" -> "fstar_tactics_namedview" + "fstar_tactics_mapply" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" + "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "prims" + "fstar_tactics_mapply" -> "prims" + "fstar_tactics_mapply" -> "fstar_tactics_mapply" + "core_iter_adapters_step_by" -> "rust_primitives" + "core_iter_adapters_step_by" -> "rust_primitives" + "core_iter_adapters_step_by" -> "fstar_pervasives" + "core_iter_adapters_step_by" -> "fstar_pervasives" + "core_iter_adapters_step_by" -> "prims" + "core_iter_adapters_step_by" -> "prims" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" + 
"libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_encoding_error" -> "core" + "libcrux_ml_dsa_encoding_error" -> "core" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_error" -> "prims" + "libcrux_ml_dsa_encoding_error" -> "prims" + "lib_loopcombinators" -> "fstar_tactics_effect" + "lib_loopcombinators" -> "fstar_propositionalextensionality" + "lib_loopcombinators" -> "fstar_tactics" + "lib_loopcombinators" -> "fstar_pervasives" + "lib_loopcombinators" -> "prims" + "lib_loopcombinators" -> "lib_loopcombinators" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "prims" + "fstar_seq_base" -> "prims" + "core_ops" -> "core_ops_index" + "core_ops" -> "core_ops_index" + "core_ops" -> "fstar_tactics_typeclasses" + "core_ops" -> "fstar_tactics_typeclasses" + "core_ops" -> "rust_primitives" + "core_ops" -> "rust_primitives" + "core_ops" -> "fstar_pervasives" + "core_ops" -> "fstar_pervasives" + "core_ops" -> "prims" + "core_ops" -> "prims" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "prims" + "fstar_uint64" -> "prims" + "fstar_classical_sugar" -> "fstar_squash" + "fstar_classical_sugar" -> "fstar_squash" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "prims" + 
"fstar_classical_sugar" -> "prims" + "fstar_classical_sugar" -> "fstar_classical_sugar" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "prims" + "fstar_exn" -> "fstar_pervasives" + "fstar_exn" -> "fstar_pervasives" + "fstar_exn" -> "prims" + "fstar_exn" -> "prims" + "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_types" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "prims" + "fstar_tactics_typeclasses" -> "prims" + "fstar_pervasives" -> "fstar_pervasives_native" + "fstar_pervasives" -> "fstar_pervasives_native" + "fstar_pervasives" -> "prims" + "fstar_pervasives" -> "prims" + "libcrux_ml_dsa_utils" -> "fstar_mul" + "libcrux_ml_dsa_utils" -> "core" + "libcrux_ml_dsa_utils" -> "fstar_pervasives" + "libcrux_ml_dsa_utils" -> "prims" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "prims" + "libcrux_sha3_traits" -> "prims" + "libcrux_sha3_traits" -> "libcrux_sha3_traits" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "prims" + 
"fstar_ghost" -> "prims" + "fstar_list_tot_properties" -> "fstar_classical" + "fstar_list_tot_properties" -> "fstar_classical" + "fstar_list_tot_properties" -> "fstar_classical_sugar" + "fstar_list_tot_properties" -> "fstar_classical_sugar" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "prims" + "fstar_list_tot_properties" -> "prims" + "fstar_list_tot_properties" -> "fstar_list_tot_properties" + "fstar_preorder" -> "fstar_pervasives" + "fstar_preorder" -> "fstar_pervasives" + "fstar_preorder" -> "prims" + "fstar_preorder" -> "prims" + "fstar_monotonic_pure" -> "fstar_pervasives" + "fstar_monotonic_pure" -> "fstar_pervasives" + "fstar_monotonic_pure" -> "prims" + "fstar_monotonic_pure" -> "prims" + "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v2_data" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v2_data" -> "fstar_stubs_syntax_syntax" + "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_data" -> "prims" + "fstar_stubs_reflection_v2_data" -> "prims" + "fstar_stubs_tactics_v2_builtins" -> "fstar_issue" + "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" + "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" + "fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" + "fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_pprint" + "fstar_stubs_tactics_v2_builtins" -> 
"fstar_tactics_unseal" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_tactics_types" + "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_builtins" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_data" + "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_tactics_v2_builtins" -> "fstar_vconfig" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v2_builtins" -> "prims" + "fstar_stubs_tactics_v2_builtins" -> "prims" + "rust_primitives" -> "fstar_seq" + "rust_primitives" -> "fstar_seq" + "rust_primitives" -> "fstar_tactics_typeclasses" + "rust_primitives" -> "fstar_tactics_typeclasses" + "rust_primitives" -> "core_ops_control_flow" + "rust_primitives" -> "core_ops_control_flow" + "rust_primitives" -> "core_result" + "rust_primitives" -> "core_result" + "rust_primitives" -> "core_option" + "rust_primitives" -> "core_option" + "rust_primitives" -> "rust_primitives_bitvectors" + "rust_primitives" -> "rust_primitives_bitvectors" + "rust_primitives" -> "rust_primitives_arrays" + "rust_primitives" -> "rust_primitives_arrays" + "rust_primitives" -> "rust_primitives_integers" + "rust_primitives" -> "rust_primitives_integers" + "rust_primitives" -> "fstar_pervasives" + "rust_primitives" -> "fstar_pervasives" + "rust_primitives" -> "prims" + "rust_primitives" -> "prims" + "fstar_int_cast_full" -> "fstar_uint128" + "fstar_int_cast_full" -> "fstar_uint128" + "fstar_int_cast_full" -> "fstar_uint64" + "fstar_int_cast_full" -> "fstar_uint64" + "fstar_int_cast_full" -> "fstar_int_cast" + "fstar_int_cast_full" -> "fstar_int_cast" + "fstar_int_cast_full" -> "fstar_pervasives" + 
"fstar_int_cast_full" -> "fstar_pervasives" + "fstar_int_cast_full" -> "prims" + "fstar_int_cast_full" -> "prims" + "fstar_all" -> "fstar_exn" + "fstar_all" -> "fstar_exn" + "fstar_all" -> "fstar_st" + "fstar_all" -> "fstar_st" + "fstar_all" -> "fstar_heap" + "fstar_all" -> "fstar_heap" + "fstar_all" -> "fstar_pervasives" + "fstar_all" -> "fstar_pervasives" + "fstar_all" -> "prims" + "fstar_all" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "core_result" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "prims" + "rust_primitives_integers" -> "fstar_pervasives_native" + "rust_primitives_integers" -> "fstar_pervasives_native" + "rust_primitives_integers" -> "fstar_int" + "rust_primitives_integers" -> "fstar_int" + "rust_primitives_integers" -> "fstar_int128" + "rust_primitives_integers" -> "fstar_int128" + "rust_primitives_integers" -> "fstar_uint128" + "rust_primitives_integers" -> "fstar_uint128" + "rust_primitives_integers" -> "fstar_int64" + "rust_primitives_integers" -> "fstar_int64" + "rust_primitives_integers" -> "fstar_uint64" + "rust_primitives_integers" -> "fstar_uint64" + "rust_primitives_integers" -> "fstar_int32" + "rust_primitives_integers" -> "fstar_int32" + "rust_primitives_integers" -> "fstar_uint32" + "rust_primitives_integers" -> "fstar_uint32" + "rust_primitives_integers" -> "fstar_int16" + "rust_primitives_integers" -> "fstar_int16" + "rust_primitives_integers" -> "fstar_uint16" + "rust_primitives_integers" -> "fstar_uint16" + "rust_primitives_integers" -> "fstar_int8" + "rust_primitives_integers" -> "fstar_int8" + "rust_primitives_integers" -> "fstar_uint8" + "rust_primitives_integers" -> "fstar_uint8" + "rust_primitives_integers" -> "lib_inttypes" 
+ "rust_primitives_integers" -> "lib_inttypes" + "rust_primitives_integers" -> "fstar_mul" + "rust_primitives_integers" -> "fstar_mul" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "prims" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_encoding_commitment" -> "core" + "libcrux_ml_dsa_encoding_commitment" -> "core" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_commitment" -> "prims" + "libcrux_ml_dsa_encoding_commitment" -> "prims" + "libcrux_sha3_portable_incremental" -> "libcrux_sha3_portable" + "libcrux_sha3_portable_incremental" -> "libcrux_sha3_portable" + "libcrux_sha3_portable_incremental" -> "fstar_mul" + "libcrux_sha3_portable_incremental" -> "fstar_mul" + "libcrux_sha3_portable_incremental" -> "core" + "libcrux_sha3_portable_incremental" -> "core" + "libcrux_sha3_portable_incremental" -> "fstar_pervasives" + "libcrux_sha3_portable_incremental" -> "fstar_pervasives" + "libcrux_sha3_portable_incremental" -> "prims" + "libcrux_sha3_portable_incremental" -> "prims" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" 
-> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "prims" + "fstar_seq_properties" -> "prims" + "rust_primitives_integers" -> "fstar_int_cast" + "rust_primitives_integers" -> "fstar_int_cast" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "rust_primitives_integers" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int16" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> 
"libcrux_ml_dsa_simd_avx2_encoding_commitment" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_ml_dsa_87__portable" + "fstar_range" -> "fstar_sealed" + "fstar_range" -> "fstar_pervasives" + "fstar_range" -> "fstar_pervasives" + "fstar_range" -> "prims" + "fstar_range" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_sha3_portable_incremental" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic" -> "core" + "libcrux_ml_dsa_ml_dsa_generic" -> "core" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic" -> "prims" + "fstar_squash" -> "fstar_pervasives" + 
"fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "prims" + "fstar_squash" -> "prims" + "fstar_squash" -> "fstar_squash" + "fstar_monotonic_heap" -> "fstar_erasedlogic" + "fstar_monotonic_heap" -> "fstar_erasedlogic" + "fstar_monotonic_heap" -> "fstar_squash" + "fstar_monotonic_heap" -> "fstar_squash" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_pervasives_native" + "fstar_monotonic_heap" -> "fstar_pervasives_native" + "fstar_monotonic_heap" -> "fstar_functionalextensionality" + "fstar_monotonic_heap" -> "fstar_functionalextensionality" + "fstar_monotonic_heap" -> "fstar_classical" + "fstar_monotonic_heap" -> "fstar_classical" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "prims" + "fstar_monotonic_heap" -> "prims" + "fstar_monotonic_heap" -> "fstar_monotonic_heap" + "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_unseal" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_tactics_types" + "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_data" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_builtins" + "fstar_stubs_tactics_v1_builtins" -> "fstar_vconfig" + "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v1_builtins" -> "prims" + "fstar_stubs_tactics_v1_builtins" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_tactics_typeclasses" + 
"libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int64" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_ml_dsa_simd_avx2_encoding_gamma1" + "core_core_arch_arm_shared_neon" -> "fstar_pervasives" + "core_core_arch_arm_shared_neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> 
"libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_neon" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "bitvec_intrinsics" -> "fstar_list_tot" + "bitvec_intrinsics" -> "fstar_string" + "bitvec_intrinsics" -> "fstar_tactics_v2" + "bitvec_intrinsics" -> "fstar_tactics_v2_derived" + "bitvec_intrinsics" -> "fstar_stubs_tactics_v2_builtins" + "bitvec_intrinsics" -> "fstar_int16" + "bitvec_intrinsics" -> "fstar_int32" + "bitvec_intrinsics" -> "rust_primitives_bitvectors" + "bitvec_intrinsics" -> "bitvec_equality" + "bitvec_intrinsics" -> "fstar_functionalextensionality" + "bitvec_intrinsics" -> "fstar_mul" + "bitvec_intrinsics" -> "rust_primitives" + "bitvec_intrinsics" -> "core" + "bitvec_intrinsics" -> "fstar_pervasives" + "bitvec_intrinsics" -> "prims" + "libcrux_ml_dsa_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_arithmetic" -> "core_slice" + "libcrux_ml_dsa_arithmetic" -> "core_slice_iter" + "libcrux_ml_dsa_arithmetic" -> "core_slice_iter" + "libcrux_ml_dsa_arithmetic" -> "core_iter_traits_collect" + "libcrux_ml_dsa_arithmetic" -> "core_iter_traits_collect" + "libcrux_ml_dsa_arithmetic" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_arithmetic" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax_folds" + 
"libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_arithmetic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_arithmetic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_arithmetic" -> "core" + "libcrux_ml_dsa_arithmetic" -> "core" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_arithmetic" -> "prims" + "libcrux_ml_dsa_arithmetic" -> "prims" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" + "fstar_uint128" -> "fstar_pervasives_native" + "fstar_uint128" -> "fstar_pervasives_native" + "fstar_uint128" -> "fstar_int_cast" + "fstar_uint128" -> 
"fstar_int_cast" + "fstar_uint128" -> "fstar_calc" + "fstar_uint128" -> "fstar_calc" + "fstar_uint128" -> "fstar_classical_sugar" + "fstar_uint128" -> "fstar_classical_sugar" + "fstar_uint128" -> "fstar_tactics_bv_lemmas" + "fstar_uint128" -> "fstar_tactics_bv_lemmas" + "fstar_uint128" -> "fstar_tactics_bv" + "fstar_uint128" -> "fstar_tactics_bv" + "fstar_uint128" -> "fstar_tactics_effect" + "fstar_uint128" -> "fstar_tactics_effect" + "fstar_uint128" -> "fstar_tactics_mapply" + "fstar_uint128" -> "fstar_tactics_mapply" + "fstar_uint128" -> "fstar_tactics_v2_derived" + "fstar_uint128" -> "fstar_tactics_v2_derived" + "fstar_uint128" -> "fstar_stubs_tactics_v2_builtins" + "fstar_uint128" -> "fstar_bv" + "fstar_uint128" -> "fstar_bv" + "fstar_uint128" -> "fstar_math_lemmas" + "fstar_uint128" -> "fstar_math_lemmas" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_bitvector" + "fstar_uint128" -> "fstar_bitvector" + "fstar_uint128" -> "fstar_seq" + "fstar_uint128" -> "fstar_seq" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "prims" + "fstar_uint128" -> "prims" + "fstar_uint128" -> "fstar_uint128" + "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v1_derived" -> "fstar_squash" + "fstar_tactics_v1_derived" -> "fstar_squash" + "fstar_tactics_v1_derived" -> "fstar_range" + "fstar_tactics_v1_derived" -> "fstar_pervasives_native" + "fstar_tactics_v1_derived" -> "fstar_pervasives_native" + "fstar_tactics_v1_derived" -> "fstar_tactics_visit" + "fstar_tactics_v1_derived" -> "fstar_tactics_visit" + "fstar_tactics_v1_derived" -> "fstar_list_tot_base" + 
"fstar_tactics_v1_derived" -> "fstar_list_tot_base" + "fstar_tactics_v1_derived" -> "fstar_tactics_names" + "fstar_tactics_v1_derived" -> "fstar_tactics_names" + "fstar_tactics_v1_derived" -> "fstar_vconfig" + "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_derived" -> "fstar_tactics_util" + "fstar_tactics_v1_derived" -> "fstar_tactics_util" + "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_result" + "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1_derived" -> "fstar_tactics_effect" + "fstar_tactics_v1_derived" -> "fstar_tactics_effect" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1" + "fstar_tactics_v1_derived" -> "fstar_pervasives" + "fstar_tactics_v1_derived" -> "fstar_pervasives" + "fstar_tactics_v1_derived" -> "prims" + "fstar_tactics_v1_derived" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "core_panicking" -> "core_fmt" + "core_panicking" -> "core_option" + "core_panicking" -> "core_option" + "core_panicking" -> "rust_primitives_hax" + 
"core_panicking" -> "rust_primitives_hax" + "core_panicking" -> "rust_primitives" + "core_panicking" -> "rust_primitives" + "core_panicking" -> "fstar_pervasives" + "core_panicking" -> "fstar_pervasives" + "core_panicking" -> "prims" + "core_panicking" -> "prims" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_ml_dsa_87__neon" + "fstar_tactics_typeclasses" -> "fstar_stubs_pprint" + "fstar_tactics_typeclasses" -> "fstar_list_tot" + "fstar_tactics_typeclasses" -> "fstar_list_tot" + "fstar_tactics_typeclasses" -> "fstar_tactics_util" + "fstar_tactics_typeclasses" -> "fstar_tactics_util" + "fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" + "fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" + "fstar_tactics_typeclasses" -> "fstar_pervasives_native" + "fstar_tactics_typeclasses" -> "fstar_pervasives_native" + "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_v2_builtins" + "fstar_tactics_typeclasses" -> "fstar_list_tot_base" + "fstar_tactics_typeclasses" -> "fstar_list_tot_base" + "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" + "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_typeclasses" -> 
"fstar_stubs_tactics_v2_builtins" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_common" + "fstar_tactics_typeclasses" -> "fstar_reflection_v2" + "fstar_tactics_typeclasses" -> "fstar_reflection_v2" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "prims" + "fstar_tactics_typeclasses" -> "prims" + "fstar_tactics_typeclasses" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_list_tot" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "prims" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_squash" + "fstar_tactics_v1_logic" -> "fstar_squash" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1" + "fstar_tactics_v1_logic" -> "fstar_tactics_util" + "fstar_tactics_v1_logic" -> "fstar_tactics_util" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1_logic" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_logic" -> "fstar_tactics_effect" + 
"fstar_tactics_v1_logic" -> "fstar_tactics_effect" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "prims" + "fstar_tactics_v1_logic" -> "prims" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_logic" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "prims" + "fstar_classical" -> "prims" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_math_lemmas" + "fstar_int128" -> "fstar_math_lemmas" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "prims" + "fstar_int128" -> "prims" + "fstar_int128" -> "fstar_int128" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_portable" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable_incremental" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_portable" -> "core" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_portable" -> "prims" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_ntt" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_t1" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_t0" + 
"libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_commitment" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_gamma1" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" + "libcrux_ml_dsa_simd_avx2" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_arithmetic" + "libcrux_ml_dsa_simd_avx2" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2" -> "core_convert" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2" -> "core" + "libcrux_ml_dsa_simd_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> 
"fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_ml_dsa_simd_avx2_encoding_t1" + "fstar_tactics_v1_logic_lemmas" -> "fstar_squash" + "fstar_tactics_v1_logic_lemmas" -> "fstar_squash" + "fstar_tactics_v1_logic_lemmas" -> "fstar_indefinitedescription" + "fstar_tactics_v1_logic_lemmas" -> "fstar_indefinitedescription" + "fstar_tactics_v1_logic_lemmas" -> "fstar_classical" + "fstar_tactics_v1_logic_lemmas" -> "fstar_classical" + "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" + "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" + "fstar_tactics_v1_logic_lemmas" -> "prims" + "fstar_tactics_v1_logic_lemmas" -> "prims" + "fstar_tactics_v1_logic_lemmas" -> "fstar_tactics_v1_logic_lemmas" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_sample" -> "fstar_mul" + "libcrux_ml_dsa_sample" -> "core" + "libcrux_ml_dsa_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_sample" -> "prims" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t0" -> "core" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t0" -> "prims" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives" + 
"libcrux_ml_dsa_simd_avx2_arithmetic" -> "prims" + "core_clone" -> "fstar_tactics_typeclasses" + "core_clone" -> "fstar_tactics_typeclasses" + "core_clone" -> "fstar_pervasives" + "core_clone" -> "fstar_pervasives" + "core_clone" -> "prims" + "core_clone" -> "prims" + "fstar_sealed" -> "fstar_pervasives" + "fstar_sealed" -> "fstar_pervasives" + "fstar_sealed" -> "prims" + "fstar_sealed" -> "prims" + "fstar_vconfig" -> "fstar_pervasives" + "fstar_vconfig" -> "fstar_pervasives" + "fstar_vconfig" -> "prims" + "fstar_vconfig" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "core_slice" + "libcrux_intrinsics_avx2_extract" -> "fstar_int32" + "libcrux_intrinsics_avx2_extract" -> "bitvec_intrinsics" + "libcrux_intrinsics_avx2_extract" -> "spec_utils" + "libcrux_intrinsics_avx2_extract" -> "fstar_seq" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "prims" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_squash" + "fstar_seq_properties" -> "fstar_squash" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_classical" + "fstar_seq_properties" -> "fstar_classical" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "prims" + "fstar_seq_properties" -> "prims" + "fstar_seq_properties" -> "fstar_seq_properties" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_constants" + 
"libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_ml_dsa_44__portable" + "fstar_float" -> "fstar_pervasives" + "fstar_float" -> "fstar_pervasives" + "fstar_float" -> "prims" + "fstar_float" -> "prims" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "core" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "bitvec_equality" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "prims" + "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2" -> "fstar_tactics_smt" + "fstar_tactics_v2" -> "fstar_tactics_smt" + "fstar_tactics_v2" -> "fstar_tactics_mapply" + "fstar_tactics_v2" -> "fstar_tactics_mapply" + "fstar_tactics_v2" -> "fstar_tactics_namedview" + 
"fstar_tactics_v2" -> "fstar_tactics_namedview" + "fstar_tactics_v2" -> "fstar_tactics_visit" + "fstar_tactics_v2" -> "fstar_tactics_visit" + "fstar_tactics_v2" -> "fstar_tactics_print" + "fstar_tactics_v2" -> "fstar_tactics_print" + "fstar_tactics_v2" -> "fstar_tactics_util" + "fstar_tactics_v2" -> "fstar_tactics_util" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2" -> "fstar_tactics_v2_logic" + "fstar_tactics_v2" -> "fstar_tactics_v2_logic" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2" -> "fstar_tactics_effect" + "fstar_tactics_v2" -> "fstar_tactics_effect" + "fstar_tactics_v2" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2" -> "fstar_reflection_v2" + "fstar_tactics_v2" -> "fstar_reflection_v2" + "fstar_tactics_v2" -> "fstar_stubs_reflection_types" + "fstar_tactics_v2" -> "fstar_pervasives" + "fstar_tactics_v2" -> "fstar_pervasives" + "fstar_tactics_v2" -> "prims" + "fstar_tactics_v2" -> "prims" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_math_lemmas" + "fstar_int32" -> "fstar_math_lemmas" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "prims" + "fstar_int32" -> "prims" + "fstar_int32" -> "fstar_int32" + "fstar_reflection_v2_derived" -> "fstar_list_tot_base" + "fstar_reflection_v2_derived" -> "fstar_list_tot_base" + "fstar_reflection_v2_derived" -> "fstar_pervasives_native" + 
"fstar_reflection_v2_derived" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived" -> "fstar_list_tot" + "fstar_reflection_v2_derived" -> "fstar_list_tot" + "fstar_reflection_v2_derived" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2_derived" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2_derived" -> "fstar_vconfig" + "fstar_reflection_v2_derived" -> "fstar_order" + "fstar_reflection_v2_derived" -> "fstar_order" + "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_derived" -> "fstar_reflection_const" + "fstar_reflection_v2_derived" -> "fstar_reflection_const" + "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_derived" -> "fstar_pervasives" + "fstar_reflection_v2_derived" -> "fstar_pervasives" + "fstar_reflection_v2_derived" -> "prims" + "fstar_reflection_v2_derived" -> "prims" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t1" -> "core" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t1" -> "prims" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "prims" + "fstar_uint32" -> "prims" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_sealed" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" + 
"fstar_tactics_v2_syntaxcoercions" -> "prims" + "fstar_tactics_v2_syntaxcoercions" -> "prims" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_tset" + "fstar_monotonic_heap" -> "fstar_tset" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "prims" + "fstar_monotonic_heap" -> "prims" + "fstar_stubs_tactics_common" -> "fstar_range" + "fstar_stubs_tactics_common" -> "fstar_stubs_errors_msg" + "fstar_stubs_tactics_common" -> "fstar_pervasives" + "fstar_stubs_tactics_common" -> "fstar_pervasives" + "fstar_stubs_tactics_common" -> "prims" + "fstar_stubs_tactics_common" -> "prims" + "fstar_int_cast" -> "fstar_int" + "fstar_int_cast" -> "fstar_int" + "fstar_int_cast" -> "fstar_int64" + "fstar_int_cast" -> "fstar_int64" + "fstar_int_cast" -> "fstar_int32" + "fstar_int_cast" -> "fstar_int32" + "fstar_int_cast" -> "fstar_int16" + "fstar_int_cast" -> "fstar_int16" + "fstar_int_cast" -> "fstar_int8" + "fstar_int_cast" -> "fstar_int8" + "fstar_int_cast" -> "fstar_uint64" + "fstar_int_cast" -> "fstar_uint64" + "fstar_int_cast" -> "fstar_uint32" + "fstar_int_cast" -> "fstar_uint32" + "fstar_int_cast" -> "fstar_uint16" + "fstar_int_cast" -> "fstar_uint16" + "fstar_int_cast" -> "fstar_uint8" + "fstar_int_cast" -> "fstar_uint8" + "fstar_int_cast" -> "fstar_pervasives" + "fstar_int_cast" -> "fstar_pervasives" + "fstar_int_cast" -> "prims" + "fstar_int_cast" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "prims" + 
"libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_ntt" -> "core" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_ntt" -> "prims" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_commitment" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_commitment" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_commitment" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_commitment" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_commitment" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_commitment" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_encoding_commitment" -> "core_slice" + "libcrux_ml_dsa_encoding_commitment" -> "core_ops_range" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_commitment" -> 
"fstar_mul" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_encoding_commitment" -> "core" + "libcrux_ml_dsa_encoding_commitment" -> "core" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_commitment" -> "prims" + "libcrux_ml_dsa_encoding_commitment" -> "prims" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_encoding_commitment" + "fstar_reflection_v2" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2" -> "fstar_reflection_v2_compare" + "fstar_reflection_v2" -> "fstar_reflection_v2_compare" + "fstar_reflection_v2" -> "fstar_reflection_const" + "fstar_reflection_v2" -> "fstar_reflection_const" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2" -> "fstar_pervasives" + "fstar_reflection_v2" -> "fstar_pervasives" + "fstar_reflection_v2" -> "prims" + "fstar_reflection_v2" -> "prims" + "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "fstar_pervasives" + "lib_rawinttypes" -> "prims" + "lib_rawinttypes" -> "lib_rawinttypes" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_sha3_neon_x2" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_neon" -> 
"rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_list_tot" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_sha3_neon_x2_incremental" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_neon" -> "core" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_neon" -> "prims" + "libcrux_sha3_avx2_x4_incremental" -> "libcrux_sha3_neon_x2_incremental" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_mul" + "libcrux_sha3_avx2_x4_incremental" -> "core" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4_incremental" -> "prims" + "fstar_tactics_namedview" -> "fstar_range" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "prims" + "fstar_tactics_namedview" -> "prims" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_squash" + "fstar_indefinitedescription" -> "fstar_squash" + "fstar_indefinitedescription" -> "fstar_classical" + "fstar_indefinitedescription" -> "fstar_classical" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "prims" + "fstar_indefinitedescription" -> "prims" + "fstar_indefinitedescription" -> "fstar_indefinitedescription" + "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v1_data" -> 
"fstar_stubs_reflection_types" + "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_builtins" + "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_data" + "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_data" -> "prims" + "fstar_stubs_reflection_v1_data" -> "prims" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_matrix" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_matrix" -> "fstar_mul" + "libcrux_ml_dsa_matrix" -> "core" + "libcrux_ml_dsa_matrix" -> "fstar_pervasives" + "libcrux_ml_dsa_matrix" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_ml_dsa_65__portable" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_pervasives" 
+ "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_arithmetic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_arithmetic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_arithmetic" -> "core" + "libcrux_ml_dsa_arithmetic" -> "core" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_arithmetic" -> "prims" + "libcrux_ml_dsa_arithmetic" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_ml_dsa_65__avx2" + "fstar_tactics_namedview" -> "fstar_list_tot" + "fstar_tactics_namedview" -> "fstar_list_tot" + "fstar_tactics_namedview" -> "fstar_pervasives_native" + "fstar_tactics_namedview" -> "fstar_pervasives_native" + "fstar_tactics_namedview" -> "fstar_stubs_reflection_v2_data" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_namedview" -> "fstar_tactics_util" + "fstar_tactics_namedview" -> "fstar_tactics_util" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" 
-> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "prims" + "fstar_tactics_namedview" -> "prims" + "fstar_tactics_namedview" -> "fstar_tactics_namedview" + "rust_primitives_hax_monomorphized_update_at" -> "core_ops_range" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax_monomorphized_update_at" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "prims" + "fstar_tactics_mapply" -> "prims" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_math_lib" + "fstar_int" -> "fstar_math_lib" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_pervasives" + 
"fstar_int" -> "fstar_pervasives" + "fstar_int" -> "prims" + "fstar_int" -> "prims" + "fstar_int" -> "fstar_int" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "prims" + "fstar_uint16" -> "prims" + "fstar_uint16" -> "fstar_uint16" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_math_lemmas" + "fstar_int64" -> "fstar_math_lemmas" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "prims" + "fstar_int64" -> "prims" + "fstar_int64" -> "fstar_int64" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signature" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signature" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_ops_range" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_convert" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_convert" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_array" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_array" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_commitment" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_commitment" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_sample" + 
"libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint16" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint16" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signing_key" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signing_key" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_verification_key" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_verification_key" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_matrix" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_matrix" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_utils" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_utils" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_samplex4" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_samplex4" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_slice" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint8" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint8" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives_hax" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives_hax" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_sha3_portable_incremental" + 
"libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic" -> "core" + "libcrux_ml_dsa_ml_dsa_generic" -> "core" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "prims" + "fstar_mul" -> "fstar_pervasives" + "fstar_mul" -> "fstar_pervasives" + "fstar_mul" -> "prims" + "fstar_mul" -> "prims" + "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" + "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" + "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq_simple" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_simd256" + 
"libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "fstar_propositionalextensionality" -> "fstar_pervasives" + "fstar_propositionalextensionality" -> "fstar_pervasives" + "fstar_propositionalextensionality" -> "prims" + "fstar_propositionalextensionality" -> "prims" + "fstar_predicateextensionality" -> "fstar_propositionalextensionality" + "fstar_predicateextensionality" -> "fstar_propositionalextensionality" + "fstar_predicateextensionality" -> "fstar_functionalextensionality" + "fstar_predicateextensionality" -> "fstar_functionalextensionality" + "fstar_predicateextensionality" -> "fstar_pervasives" + "fstar_predicateextensionality" -> "fstar_pervasives" + "fstar_predicateextensionality" -> "prims" + "fstar_predicateextensionality" -> "prims" + "libcrux_ml_dsa_encoding_t1" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_t1" -> "core_option" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_t1" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_t1" -> "core_slice" + "libcrux_ml_dsa_encoding_t1" -> "core_ops_range" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_t1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t1" -> "core" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives" + 
"libcrux_ml_dsa_encoding_t1" -> "prims" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_encoding_t1" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core_num" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" + "rust_primitives_bitvectors" -> "fstar_math_lemmas" + "rust_primitives_bitvectors" -> "fstar_math_lemmas" + "rust_primitives_bitvectors" -> 
"rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "rust_primitives_bitvectors" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "core" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "prims" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65_" -> "core" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65_" -> "prims" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_ml_dsa_65_" + "fstar_int16" -> "fstar_uint" + "fstar_int16" -> "fstar_uint" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "prims" + "fstar_int16" -> "prims" + "libcrux_ml_dsa_sample" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_sample" -> "hax_lib" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_sample" -> "fstar_uint8" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_sample" -> "rust_primitives" + "libcrux_ml_dsa_sample" -> "core_convert" + "libcrux_ml_dsa_sample" -> "core_array" + 
"libcrux_ml_dsa_sample" -> "core_result" + "libcrux_ml_dsa_sample" -> "core_num" + "libcrux_ml_dsa_sample" -> "fstar_uint64" + "libcrux_ml_dsa_sample" -> "core_panicking" + "libcrux_ml_dsa_sample" -> "rust_primitives_hax" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_sample" -> "core_ops_range" + "libcrux_ml_dsa_sample" -> "core_slice" + "libcrux_ml_dsa_sample" -> "core_slice_iter" + "libcrux_ml_dsa_sample" -> "core_iter_traits_collect" + "libcrux_ml_dsa_sample" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_sample" -> "fstar_pervasives_native" + "libcrux_ml_dsa_sample" -> "fstar_uint16" + "libcrux_ml_dsa_sample" -> "fstar_int32" + "libcrux_ml_dsa_sample" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_sample" -> "fstar_mul" + "libcrux_ml_dsa_sample" -> "core" + "libcrux_ml_dsa_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_sample" -> "prims" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "core_slice" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "hax_lib" + 
"libcrux_ml_dsa_simd_portable_encoding_error" -> "core_panicking" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable_encoding_error" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_uint" + "fstar_int128" -> "fstar_uint" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "prims" + "fstar_int128" -> "prims" + "lib_loopcombinators" -> "fstar_all" + "lib_loopcombinators" -> "fstar_pervasives" + "lib_loopcombinators" -> "prims" + "lib_sequence" -> "fstar_list_tot" + "lib_sequence" -> "fstar_calc" + "lib_sequence" -> "fstar_math_lemmas" + "lib_sequence" -> "fstar_pervasives_native" + "lib_sequence" -> "fstar_seq_properties" + "lib_sequence" -> "fstar_seq" + "lib_sequence" -> "lib_loopcombinators" + "lib_sequence" -> "lib_inttypes" + "lib_sequence" -> "fstar_mul" + "lib_sequence" -> "fstar_pervasives" + "lib_sequence" -> "prims" + "lib_sequence" -> "lib_sequence" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_constants" + 
"libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "core_slice" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "hax_lib" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable_encoding_t1" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "prims" + "fstar_uint128" -> "prims" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "prims" + "fstar_tset" -> "prims" + "fstar_list_tot" -> "fstar_list_tot_properties" + "fstar_list_tot" -> "fstar_list_tot_properties" + "fstar_list_tot" -> "fstar_list_tot_base" + "fstar_list_tot" -> "fstar_list_tot_base" + "fstar_list_tot" -> "fstar_pervasives" + "fstar_list_tot" -> "fstar_pervasives" + "fstar_list_tot" -> "prims" + "fstar_list_tot" -> "prims" + 
"fstar_reflection_v2_compare" -> "fstar_ghost" + "fstar_reflection_v2_compare" -> "fstar_ghost" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2_compare" -> "fstar_pervasives_native" + "fstar_reflection_v2_compare" -> "fstar_pervasives_native" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "prims" + "fstar_reflection_v2_compare" -> "prims" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_compare" + "core_num_error" -> "rust_primitives" + "core_num_error" -> "rust_primitives" + "core_num_error" -> "fstar_pervasives" + "core_num_error" -> "fstar_pervasives" + "core_num_error" -> "prims" + "core_num_error" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "core_slice" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "hax_lib" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "core_panicking" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> 
"rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable_encoding_gamma1" + "fstar_list" -> "fstar_pervasives_native" + "fstar_list" -> "fstar_pervasives_native" + "fstar_list" -> "fstar_list_tot" + "fstar_list" -> "fstar_list_tot" + "fstar_list" -> "fstar_all" + "fstar_list" -> "fstar_all" + "fstar_list" -> "fstar_pervasives" + "fstar_list" -> "fstar_pervasives" + "fstar_list" -> "prims" + "fstar_list" -> "prims" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "prims" + "fstar_indefinitedescription" -> "prims" + "fstar_uint" -> "fstar_seq_base" + "fstar_uint" -> "fstar_seq_base" + "fstar_uint" -> "fstar_calc" + "fstar_uint" -> "fstar_calc" + "fstar_uint" -> "fstar_classical" + "fstar_uint" -> "fstar_classical" + "fstar_uint" -> "fstar_seq" + "fstar_uint" -> "fstar_seq" + "fstar_uint" -> "fstar_math_lib" + "fstar_uint" -> "fstar_math_lib" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "prims" + "fstar_uint" -> "prims" + "fstar_uint" -> "fstar_uint" + "fstar_tset" -> "fstar_squash" + "fstar_tset" -> "fstar_squash" + "fstar_tset" -> "fstar_strongexcludedmiddle" + "fstar_tset" -> "fstar_strongexcludedmiddle" + "fstar_tset" -> "fstar_set" + "fstar_tset" 
-> "fstar_set" + "fstar_tset" -> "fstar_predicateextensionality" + "fstar_tset" -> "fstar_predicateextensionality" + "fstar_tset" -> "fstar_functionalextensionality" + "fstar_tset" -> "fstar_functionalextensionality" + "fstar_tset" -> "fstar_propositionalextensionality" + "fstar_tset" -> "fstar_propositionalextensionality" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "prims" + "fstar_tset" -> "prims" + "fstar_tset" -> "fstar_tset" + "libcrux_sha3_neon_x2_incremental" -> "core_core_arch_arm_shared_neon" + "libcrux_sha3_neon_x2_incremental" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_neon_x2_incremental" -> "fstar_mul" + "libcrux_sha3_neon_x2_incremental" -> "core" + "libcrux_sha3_neon_x2_incremental" -> "fstar_pervasives" + "libcrux_sha3_neon_x2_incremental" -> "prims" + "fstar_tactics_visit" -> "fstar_pervasives_native" + "fstar_tactics_visit" -> "fstar_pervasives_native" + "fstar_tactics_visit" -> "fstar_tactics_util" + "fstar_tactics_visit" -> "fstar_tactics_util" + "fstar_tactics_visit" -> "fstar_tactics_effect" + "fstar_tactics_visit" -> "fstar_tactics_effect" + "fstar_tactics_visit" -> "fstar_stubs_reflection_v2_builtins" + "fstar_tactics_visit" -> "fstar_stubs_reflection_v2_data" + "fstar_tactics_visit" -> "fstar_stubs_reflection_types" + "fstar_tactics_visit" -> "fstar_pervasives" + "fstar_tactics_visit" -> "fstar_pervasives" + "fstar_tactics_visit" -> "prims" + "fstar_tactics_visit" -> "prims" + "libcrux_ml_dsa_simd_traits" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_traits" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_traits" -> "fstar_mul" + "libcrux_ml_dsa_simd_traits" -> "fstar_mul" + "libcrux_ml_dsa_simd_traits" -> "core" + "libcrux_ml_dsa_simd_traits" -> "core" + "libcrux_ml_dsa_simd_traits" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_traits" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_traits" -> "prims" + "libcrux_ml_dsa_simd_traits" -> "prims" + "libcrux_ml_dsa_simd_traits" -> 
"libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "prims" + "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v2_derived_lemmas" -> "prims" + "fstar_reflection_v2_derived_lemmas" -> "prims" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_encoding_error" -> "core_iter_adapters_enumerate" + "libcrux_ml_dsa_encoding_error" -> "core_iter_adapters_enumerate" + "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_error" -> "core_option" + "libcrux_ml_dsa_encoding_error" -> 
"core_option" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_error" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_error" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_error" -> "core_panicking" + "libcrux_ml_dsa_encoding_error" -> "core_panicking" + "libcrux_ml_dsa_encoding_error" -> "core_slice" + "libcrux_ml_dsa_encoding_error" -> "core_ops_range" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_encoding_error" -> "core" + "libcrux_ml_dsa_encoding_error" -> "core" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_error" -> "prims" + "libcrux_ml_dsa_encoding_error" -> "prims" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_encoding_error" + "fstar_stubs_reflection_v1_builtins" -> "fstar_vconfig" + "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_v1_data" + "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_types" + 
"fstar_stubs_reflection_v1_builtins" -> "fstar_order" + "fstar_stubs_reflection_v1_builtins" -> "fstar_order" + "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_builtins" -> "prims" + "fstar_stubs_reflection_v1_builtins" -> "prims" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_encoding_signature" -> "core_result" + "libcrux_ml_dsa_encoding_signature" -> "core_result" + "libcrux_ml_dsa_encoding_signature" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signature" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signature" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signature" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signature" -> "core" + "libcrux_ml_dsa_encoding_signature" -> "core" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signature" -> "prims" + "libcrux_ml_dsa_encoding_signature" -> "prims" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_verification_key" -> "core" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_verification_key" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__portable" -> 
"fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "prims" + "fstar_reflection_v2_collect" -> "fstar_list_tot_base" + "fstar_reflection_v2_collect" -> "fstar_list_tot_base" + "fstar_reflection_v2_collect" -> "fstar_pervasives_native" + "fstar_reflection_v2_collect" -> "fstar_pervasives_native" + "fstar_reflection_v2_collect" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_collect" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_collect" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_collect" -> "fstar_pervasives" + "fstar_reflection_v2_collect" -> "fstar_pervasives" + "fstar_reflection_v2_collect" -> "prims" + "fstar_reflection_v2_collect" -> "prims" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "prims" + "fstar_reflection_v2_compare" -> "prims" + "libcrux_sha3_neon_x2" -> "fstar_mul" + "libcrux_sha3_neon_x2" -> "core" + "libcrux_sha3_neon_x2" -> "fstar_pervasives" + "libcrux_sha3_neon_x2" -> "prims" + "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" + "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" + "fstar_tactics_v1_logic_lemmas" -> "prims" + "fstar_tactics_v1_logic_lemmas" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "prims" + 
"libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_44__avx2" + "fstar_tactics_effect" -> "fstar_stubs_tactics_result" + "fstar_tactics_effect" -> "fstar_stubs_tactics_types" + "fstar_tactics_effect" -> "fstar_stubs_reflection_types" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "prims" + "fstar_tactics_effect" -> "prims" + "fstar_tactics_effect" -> "fstar_tactics_effect" + "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" + "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" + "core_iter_traits_iterator" -> "core_iter_adapters_step_by" + "core_iter_traits_iterator" -> "core_iter_adapters_step_by" + "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" + "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" + "core_iter_traits_iterator" -> "rust_primitives" + "core_iter_traits_iterator" -> "rust_primitives" + "core_iter_traits_iterator" -> "fstar_pervasives" + "core_iter_traits_iterator" -> "fstar_pervasives" + "core_iter_traits_iterator" -> "prims" + "core_iter_traits_iterator" -> "prims" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_slice" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_array_iter" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_iter_traits_collect" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_ops_control_flow" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives_hax_control_flow_monad_mexception" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable_arithmetic" 
-> "core_fmt_rt" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_list_tot" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_fmt" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_panicking" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_uint64" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_ops_arith_neg" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "core" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "prims" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable_arithmetic" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_squash" + "fstar_tactics_v2_logic" -> "fstar_squash" + "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v2_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v2_logic" -> "fstar_tactics_util" + "fstar_tactics_v2_logic" -> "fstar_tactics_util" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_logic" -> "fstar_tactics_effect" + "fstar_tactics_v2_logic" -> 
"fstar_tactics_effect" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_pervasives" + "fstar_tactics_v2_logic" -> "fstar_pervasives" + "fstar_tactics_v2_logic" -> "prims" + "fstar_tactics_v2_logic" -> "prims" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_logic" +} From c963c44e95711a9e0b30272e04cc667ef6467086 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Mon, 23 Sep 2024 11:11:38 +0200 Subject: [PATCH 04/74] wip lax --- libcrux-ml-dsa/src/hash_functions.rs | 4 ++++ libcrux-ml-dsa/src/ml_dsa_generic.rs | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs index cac3002b3..4e747a619 100644 --- a/libcrux-ml-dsa/src/hash_functions.rs +++ b/libcrux-ml-dsa/src/hash_functions.rs @@ -150,6 +150,10 @@ pub(crate) mod portable { pub(crate) struct Shake256 { state: KeccakState, } + + // #[hax_lib::opaque] + pub(crate) type Shake256Absorb = libcrux_sha3::portable::incremental::Shake256Absorb; + impl shake256::Xof for Shake256 { fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { shake256(out, input); diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 7a35ca583..63c674b6a 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -1,4 +1,4 @@ -use libcrux_sha3::portable::incremental::{Shake256Absorb, XofAbsorb, XofSqueeze}; +//use libcrux_sha3::portable::incremental::{Shake256Absorb, XofAbsorb, XofSqueeze}; use crate::{ arithmetic::{ 
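Review bot: The new `Shake256Absorb` alias in `mod portable` carries a commented-out `// #[hax_lib::opaque]` and no doc comment, so a reader cannot tell whether the attribute is pending, rejected, or left behind by accident. Either delete that line or state why it is disabled, e.g. `// hax: #[hax_lib::opaque] left off here because <REASON>`, and document the alias itself: `/// Incremental SHAKE-256 absorb state of the portable backend, re-exported from libcrux_sha3.` The enclosing `mod portable` and the `impl shake256::Xof for Shake256` that follows both extend beyond the hunk.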
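Review bot: Commenting out `use libcrux_sha3::portable::incremental::{Shake256Absorb, XofAbsorb, XofSqueeze};` also takes the `XofAbsorb` and `XofSqueeze` traits out of scope; if the rest of this module still calls their methods on the absorb state (not visible in the hunk), those calls no longer resolve unless the traits are imported elsewhere. Either keep `use libcrux_sha3::portable::incremental::{XofAbsorb, XofSqueeze};` or re-export the two traits next to the alias in `hash_functions::portable`. The line should also be deleted rather than left as `//use ...`: the old import survives in history, and a dead commented import drifts out of sync with the real one. The `use crate::{ ... }` list continues past the hunk.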
@@ -6,7 +6,7 @@ use crate::{ }, constants::*, encoding, - hash_functions::{shake128, shake256}, + hash_functions::{shake128, shake256, portable::Shake256Absorb}, matrix::{ add_vectors, compute_A_times_mask, compute_As1_plus_s2, compute_w_approx, subtract_vectors, vector_times_ring_element, From acf0d0a72d16fb0a26223564e92161feb84aa415 Mon Sep 17 00:00:00 2001 
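Review bot: Importing `hash_functions::{shake128, shake256, portable::Shake256Absorb}` binds this generic module to the portable Keccak backend by name, while the sibling `shake128`/`shake256` modules it imports hold backend-agnostic traits (`shake256::Xof` is implemented per backend in the `hash_functions.rs` hunk). If the AVX2/NEON instantiations are expected to supply their own SHAKE-256 state, the incremental absorb type should be an associated type of the `shake256` trait or a parameter of the generic functions rather than a hard reference to `portable`. If sharing the portable state across all backends is intended, a one-line comment on the import, `// The incremental SHAKE-256 state is always the portable one; only the one-shot hash functions are backend-specific.`, would make that explicit. The `use crate::{ ... }` block continues beyond the hunk.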
From: Karthikeyan Bhargavan Date: Fri, 11 Oct 2024 17:13:39 +0200 Subject: [PATCH 05/74] got rid of some cycles, the rest need some hax help --- .../extraction/Libcrux_ml_dsa.Arithmetic.fst | 16 +- .../extraction/Libcrux_ml_dsa.Constants.fsti | 7 +- .../Libcrux_ml_dsa.Encoding.Commitment.fst | 10 +- .../Libcrux_ml_dsa.Encoding.Error.fst | 12 +- .../Libcrux_ml_dsa.Encoding.Gamma1.fst | 10 +- .../Libcrux_ml_dsa.Encoding.Signature.fst | 46 +- .../Libcrux_ml_dsa.Encoding.Signature.fsti | 6 +- .../Libcrux_ml_dsa.Encoding.Signing_key.fst | 10 +- .../extraction/Libcrux_ml_dsa.Encoding.T0.fst | 10 +- .../extraction/Libcrux_ml_dsa.Encoding.T1.fst | 8 +- ...bcrux_ml_dsa.Encoding.Verification_key.fst | 7 +- ...Libcrux_ml_dsa.Hash_functions.Portable.fst | 534 +--- ...ibcrux_ml_dsa.Hash_functions.Portable.fsti | 29 +- ...ibcrux_ml_dsa.Hash_functions.Shake128.fsti | 14 + .../extraction/Libcrux_ml_dsa.Matrix.fst | 17 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst | 76 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti | 49 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst | 85 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti | 49 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst | 87 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti | 49 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst | 166 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti | 60 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst | 76 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti | 49 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst | 85 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti | 49 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst | 87 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti | 49 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst | 166 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti | 60 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst | 76 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti | 49 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst | 85 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti | 49 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst | 87 +- 
.../Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti | 49 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst | 166 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti | 60 +- ...dsa.Ml_dsa_generic.Instantiations.Avx2.fst | 73 +- ...sa.Ml_dsa_generic.Instantiations.Avx2.fsti | 56 +- ...dsa.Ml_dsa_generic.Instantiations.Neon.fst | 29 +- ...sa.Ml_dsa_generic.Instantiations.Neon.fsti | 38 +- ...Ml_dsa_generic.Instantiations.Portable.fst | 29 +- ...l_dsa_generic.Instantiations.Portable.fsti | 38 +- ...rux_ml_dsa.Ml_dsa_generic.Multiplexing.fst | 24 +- ...ux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti | 33 +- .../Libcrux_ml_dsa.Ml_dsa_generic.fst | 169 +- .../Libcrux_ml_dsa.Ml_dsa_generic.fsti | 210 +- .../fstar/extraction/Libcrux_ml_dsa.Ntt.fst | 144 +- .../fstar/extraction/Libcrux_ml_dsa.Ntt.fsti | 37 - .../extraction/Libcrux_ml_dsa.Polynomial.fst | 18 +- .../extraction/Libcrux_ml_dsa.Polynomial.fsti | 4 - .../extraction/Libcrux_ml_dsa.Sample.fst | 31 +- .../extraction/Libcrux_ml_dsa.Sample.fsti | 4 +- .../extraction/Libcrux_ml_dsa.Samplex4.fst | 32 +- .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst | 112 +- .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti | 7 +- .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fst | 563 +++- .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti | 64 +- .../extraction/Libcrux_ml_dsa.Simd.Avx2.fsti | 570 ++-- ...ibcrux_ml_dsa.Simd.Portable.Arithmetic.fst | 345 +-- ...bcrux_ml_dsa.Simd.Portable.Arithmetic.fsti | 54 +- ..._dsa.Simd.Portable.Encoding.Commitment.fst | 12 +- ...dsa.Simd.Portable.Encoding.Commitment.fsti | 4 +- ...ux_ml_dsa.Simd.Portable.Encoding.Error.fst | 177 +- ...x_ml_dsa.Simd.Portable.Encoding.Error.fsti | 14 +- ...x_ml_dsa.Simd.Portable.Encoding.Gamma1.fst | 353 ++- ..._ml_dsa.Simd.Portable.Encoding.Gamma1.fsti | 14 +- ...bcrux_ml_dsa.Simd.Portable.Encoding.T0.fst | 400 +-- ...crux_ml_dsa.Simd.Portable.Encoding.T0.fsti | 4 +- ...bcrux_ml_dsa.Simd.Portable.Encoding.T1.fst | 51 +- ...crux_ml_dsa.Simd.Portable.Encoding.T1.fsti | 4 +- .../Libcrux_ml_dsa.Simd.Portable.Ntt.fst | 929 
+++--- .../Libcrux_ml_dsa.Simd.Portable.Ntt.fsti | 87 +- .../Libcrux_ml_dsa.Simd.Portable.Sample.fst | 11 +- .../Libcrux_ml_dsa.Simd.Portable.fsti | 462 ++- .../extraction/Libcrux_ml_dsa.Simd.Traits.fst | 315 +- .../Libcrux_ml_dsa.Simd.Traits.fsti | 158 +- .../fstar/extraction/Libcrux_ml_dsa.Types.fst | 53 +- .../extraction/Libcrux_ml_dsa.Types.fsti | 32 + .../fstar/extraction/Libcrux_ml_dsa.Utils.fst | 5 +- .../proofs/fstar/extraction/dep.graph | 2620 ++++++++++++----- libcrux-ml-dsa/src/encoding/signature.rs | 2 +- libcrux-ml-dsa/src/lib.rs | 5 +- libcrux-ml-dsa/src/ml_dsa_generic.rs | 26 +- .../src/ml_dsa_generic/instantiations.rs | 2 +- libcrux-ml-dsa/src/pre_hash.rs | 3 +- libcrux-ml-dsa/src/simd/avx2.rs | 22 +- libcrux-ml-dsa/src/simd/portable.rs | 18 +- .../src/simd/portable/arithmetic.rs | 9 +- .../src/simd/portable/encoding/commitment.rs | 2 +- .../src/simd/portable/encoding/error.rs | 3 +- .../src/simd/portable/encoding/gamma1.rs | 4 +- .../src/simd/portable/encoding/t0.rs | 4 +- .../src/simd/portable/encoding/t1.rs | 4 +- libcrux-ml-dsa/src/simd/portable/ntt.rs | 6 +- libcrux-ml-dsa/src/types.rs | 31 + 98 files changed, 6292 insertions(+), 4837 deletions(-) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst index f9d562698..3abc0037c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul 
@@ -17,8 +17,7 @@ let decompose_vector i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - : (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + = let vector_low:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () @@ -161,8 +160,7 @@ let power2round_vector i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - : (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + = let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () <: @@ -293,7 +291,7 @@ let shift_left_then_reduce i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + = let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () in @@ -340,7 +338,7 @@ let use_hint (hint: t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_DIMENSION) (re_vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - : t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + = let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () <: 
@@ -429,7 +427,7 @@ let vector_infinity_norm_exceeds Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) (bound: i32) - : bool = + = let exceeds:bool = false in let exceeds:bool = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter @@ -464,7 +462,7 @@ let make_hint i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (low high: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - : (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_DIMENSION & usize) = + = let hint:t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_DIMENSION = Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 256) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti index 547a2b8e2..f0d48b7bc 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti @@ -9,6 +9,9 @@ let v_BYTES_FOR_VERIFICATION_KEY_HASH: usize = Rust_primitives.mk_usize 64 let v_COEFFICIENTS_IN_RING_ELEMENT: usize = Rust_primitives.mk_usize 256 +/// The length of `context` is serialized to a single `u8`. +let v_CONTEXT_MAX_LEN: usize = Rust_primitives.mk_usize 255 + let v_FIELD_MODULUS: i32 = Rust_primitives.mk_i32 8380417 let v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH: usize = Rust_primitives.mk_usize 23 @@ -23,7 +26,7 @@ let v_MASK_SEED_SIZE: usize = Rust_primitives.mk_usize 64 let v_MESSAGE_REPRESENTATIVE_SIZE: usize = Rust_primitives.mk_usize 64 -let v_REJECTION_SAMPLE_BOUND: usize = Rust_primitives.mk_usize 576 +let v_REJECTION_SAMPLE_BOUND_SIGN: usize = Rust_primitives.mk_usize 814 let v_RING_ELEMENT_OF_T0S_SIZE: usize = (v_BITS_IN_LOWER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! 
@@ -41,5 +44,3 @@ let v_SEED_FOR_SIGNING_SIZE: usize = Rust_primitives.mk_usize 32 /// Number of bytes of entropy required for signing. let v_SIGNING_RANDOMNESS_SIZE: usize = Rust_primitives.mk_usize 32 - -let v_VERIFIER_CHALLENGE_SEED_SIZE: usize = Rust_primitives.mk_usize 32 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst index a88bd8edb..0474a942c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Encoding.Commitment -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul @@ -9,10 +9,6 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = Rust_primitives.mk_usize 4 - -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = Rust_primitives.mk_usize 6 - let serialize (#v_SIMDUnit: Type0) (v_OUTPUT_SIZE: usize) @@ -20,7 +16,7 @@ let serialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : t_Array u8 v_OUTPUT_SIZE = + = let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_SIZE in @@ -142,7 +138,7 @@ let serialize_vector i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - : t_Array u8 v_OUTPUT_SIZE = + = let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_SIZE in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst index 0f49c87e7..3cc36259d 100644 
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Encoding.Error -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul @@ -9,10 +9,6 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = Rust_primitives.mk_usize 3 - -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = Rust_primitives.mk_usize 4 - let serialize (#v_SIMDUnit: Type0) (v_ETA v_OUTPUT_SIZE: usize) @@ -20,7 +16,7 @@ let serialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : t_Array u8 v_OUTPUT_SIZE = + = let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_SIZE in @@ -142,7 +138,7 @@ let deserialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (serialized: t_Slice u8) - : Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + = let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = match cast (v_ETA <: usize) <: u8 with | 2 -> Core.Slice.impl__chunks #u8 serialized (Rust_primitives.mk_usize 3) @@ -218,7 +214,7 @@ let deserialize_to_vector_then_ntt i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (serialized: t_Slice u8) - : t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + = let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst index ac05e4c76..97c3946ad 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Encoding.Gamma1 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul @@ -9,10 +9,6 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = Rust_primitives.mk_usize 18 - -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = Rust_primitives.mk_usize 20 - let serialize (#v_SIMDUnit: Type0) (v_GAMMA1_EXPONENT v_OUTPUT_BYTES: usize) @@ -20,7 +16,7 @@ let serialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : t_Array u8 v_OUTPUT_BYTES = + = let serialized:t_Array u8 v_OUTPUT_BYTES = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_BYTES in @@ -142,7 +138,7 @@ let deserialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (serialized: t_Slice u8) - : Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + = let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with | 17 -> Core.Slice.impl__chunks #u8 serialized (Rust_primitives.mk_usize 18) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst index f1e726fc6..301e92d69 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Encoding.Signature -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul 
@@ -17,11 +17,7 @@ let impl__deserialize i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (serialized: t_Array u8 v_SIGNATURE_SIZE) - : Core.Result.t_Result - (Libcrux_ml_dsa.Ml_dsa_generic.t_Signature v_SIMDUnit - v_COMMITMENT_HASH_SIZE - v_COLUMNS_IN_A - v_ROWS_IN_A) Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = let commitment_hash, rest_of_serialized:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 (serialized <: t_Slice u8) v_COMMITMENT_HASH_SIZE in @@ -215,19 +211,17 @@ let impl__deserialize if malformed_hint then Core.Result.Result_Err - (Libcrux_ml_dsa.Ml_dsa_generic.VerificationError_MalformedHintError + (Libcrux_ml_dsa.Types.VerificationError_MalformedHintError <: - Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + Libcrux_ml_dsa.Types.t_VerificationError) <: Core.Result.t_Result - (Libcrux_ml_dsa.Ml_dsa_generic.t_Signature v_SIMDUnit - v_COMMITMENT_HASH_SIZE - v_COLUMNS_IN_A - v_ROWS_IN_A) Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError + (Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A + ) Libcrux_ml_dsa.Types.t_VerificationError else Core.Result.Result_Ok ({ - Libcrux_ml_dsa.Ml_dsa_generic.f_commitment_hash + Libcrux_ml_dsa.Types.f_commitment_hash = Core.Result.impl__unwrap #(t_Array u8 v_COMMITMENT_HASH_SIZE) #Core.Array.t_TryFromSliceError 
@@ -237,20 +231,15 @@ let impl__deserialize commitment_hash <: Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) Core.Array.t_TryFromSliceError); - Libcrux_ml_dsa.Ml_dsa_generic.f_signer_response = signer_response; - Libcrux_ml_dsa.Ml_dsa_generic.f_hint = hint + Libcrux_ml_dsa.Types.f_signer_response = signer_response; + Libcrux_ml_dsa.Types.f_hint = hint } <: - Libcrux_ml_dsa.Ml_dsa_generic.t_Signature v_SIMDUnit - v_COMMITMENT_HASH_SIZE - v_COLUMNS_IN_A - v_ROWS_IN_A) + Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A) <: Core.Result.t_Result - (Libcrux_ml_dsa.Ml_dsa_generic.t_Signature v_SIMDUnit - v_COMMITMENT_HASH_SIZE - v_COLUMNS_IN_A - v_ROWS_IN_A) Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError + (Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A + ) Libcrux_ml_dsa.Types.t_VerificationError let impl__serialize (#v_SIMDUnit: Type0) @@ -260,11 +249,11 @@ let impl__serialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (self: - Libcrux_ml_dsa.Ml_dsa_generic.t_Signature v_SIMDUnit + Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A) - : t_Array u8 v_SIGNATURE_SIZE = + = let signature:t_Array u8 v_SIGNATURE_SIZE = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_SIGNATURE_SIZE in @@ -286,7 +275,7 @@ let impl__serialize Core.Ops.Range.t_Range usize ] <: t_Slice u8) - (self.Libcrux_ml_dsa.Ml_dsa_generic.f_commitment_hash <: t_Slice u8) + (self.Libcrux_ml_dsa.Types.f_commitment_hash <: t_Slice u8) <: t_Slice u8) in @@ -322,7 +311,7 @@ let impl__serialize (Libcrux_ml_dsa.Encoding.Gamma1.serialize #v_SIMDUnit v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE - (self.Libcrux_ml_dsa.Ml_dsa_generic.f_signer_response.[ i ] + (self.Libcrux_ml_dsa.Types.f_signer_response.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) <: 
@@ -346,8 +335,7 @@ let impl__serialize let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in let i:usize = i in let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = - Rust_primitives.Hax.Folds.fold_enumerated_slice (self - .Libcrux_ml_dsa.Ml_dsa_generic.f_hint.[ i ] + Rust_primitives.Hax.Folds.fold_enumerated_slice (self.Libcrux_ml_dsa.Types.f_hint.[ i ] <: t_Array i32 (Rust_primitives.mk_usize 256)) (fun temp_0_ temp_1_ -> diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti index a3b5fb565..946d0fb21 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti @@ -17,10 +17,10 @@ val impl__deserialize (serialized: t_Array u8 v_SIGNATURE_SIZE) : Prims.Pure (Core.Result.t_Result - (Libcrux_ml_dsa.Ml_dsa_generic.t_Signature v_SIMDUnit + (Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A - v_ROWS_IN_A) Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + v_ROWS_IN_A) Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) @@ -30,7 +30,7 @@ val impl__serialize usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (self: - Libcrux_ml_dsa.Ml_dsa_generic.t_Signature v_SIMDUnit + Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst index 0a357f256..faed8897f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst 
@@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Encoding.Signing_key -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul @@ -22,7 +22,7 @@ let generate_serialized (seed_for_A seed_for_signing verification_key: t_Slice u8) (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) - : t_Array u8 v_SIGNING_KEY_SIZE = + = let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_SIGNING_KEY_SIZE in @@ -252,11 +252,7 @@ let deserialize_then_ntt i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (serialized: t_Array u8 v_SIGNING_KEY_SIZE) - : (t_Array u8 (Rust_primitives.mk_usize 32) & t_Array u8 (Rust_primitives.mk_usize 32) & - t_Array u8 (Rust_primitives.mk_usize 64) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + = let seed_for_A, remaining_serialized:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 (serialized <: t_Slice u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst index 2f84be7ed..69d5736a2 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Encoding.T0 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul 
@@ -9,15 +9,13 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = Rust_primitives.mk_usize 13 - let serialize (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : t_Array u8 (Rust_primitives.mk_usize 416) = + = let serialized:t_Array u8 (Rust_primitives.mk_usize 416) = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 416) in @@ -76,7 +74,7 @@ let deserialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (serialized: t_Slice u8) - : Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + = let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = Core.Slice.impl__chunks #u8 serialized (Rust_primitives.mk_usize 13) in @@ -144,7 +142,7 @@ let deserialize_to_vector_then_ntt i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (serialized: t_Slice u8) - : t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + = let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst index b53690363..801629612 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Encoding.T1 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul 
@@ -9,15 +9,13 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = Rust_primitives.mk_usize 10 - let serialize (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : t_Array u8 (Rust_primitives.mk_usize 320) = + = let serialized:t_Array u8 (Rust_primitives.mk_usize 320) = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 320) in @@ -76,7 +74,7 @@ let deserialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (serialized: t_Slice u8) - : Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + = let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = Core.Slice.impl__chunks #u8 serialized (Rust_primitives.mk_usize 10) in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst index 99a202c2a..a7171dbe8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Encoding.Verification_key -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul @@ -17,7 +17,7 @@ let generate_serialized Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (seed_for_A: t_Slice u8) (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) - : t_Array u8 v_VERIFICATION_KEY_SIZE = + = let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_VERIFICATION_KEY_SIZE in 
@@ -101,8 +101,7 @@ let deserialize i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - : (t_Array u8 (Rust_primitives.mk_usize 32) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + = let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () <: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst index a4972e06b..fd24408ba 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst @@ -1,9 +1,9 @@ module Libcrux_ml_dsa.Hash_functions.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -let init_absorb__init_absorb (input: t_Slice u8) : Libcrux_sha3.Portable.t_KeccakState = +let init_absorb__init_absorb (input: t_Slice u8) = let state:Libcrux_sha3.Portable.t_KeccakState = Libcrux_sha3.Portable.Incremental.shake128_init () in 
@@ -11,533 +11,3 @@ let init_absorb__init_absorb (input: t_Slice u8) : Libcrux_sha3.Portable.t_Kecca Libcrux_sha3.Portable.Incremental.shake128_absorb_final state input in state - -/// Portable SHAKE 128 state -type t_Shake128 = | Shake128 : t_Shake128 - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128 = - { - f_shake128_pre - = - (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); - f_shake128_post - = - (fun - (v_OUTPUT_LENGTH: usize) - (input: t_Slice u8) - (out: t_Array u8 v_OUTPUT_LENGTH) - (out1: t_Array u8 v_OUTPUT_LENGTH) - -> - true); - f_shake128 - = - fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> - let out:t_Array u8 v_OUTPUT_LENGTH = Libcrux_sha3.Portable.shake128 out input in - out - } - -/// Portable SHAKE 128 x4 state. -/// We're using a portable implementation so this is actually sequential. -type t_Shake128X4 = { - f_state0:Libcrux_sha3.Portable.t_KeccakState; - f_state1:Libcrux_sha3.Portable.t_KeccakState; - f_state2:Libcrux_sha3.Portable.t_KeccakState; - f_state3:Libcrux_sha3.Portable.t_KeccakState -} - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 = - { - f_init_absorb_pre - = - (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true - ); - f_init_absorb_post - = - (fun - (input0: t_Slice u8) - (input1: t_Slice u8) - (input2: t_Slice u8) - (input3: t_Slice u8) - (out: t_Shake128X4) - -> - true); - f_init_absorb - = - (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> - let state0:Libcrux_sha3.Portable.t_KeccakState = init_absorb__init_absorb input0 in - let state1:Libcrux_sha3.Portable.t_KeccakState = init_absorb__init_absorb input1 in - let state2:Libcrux_sha3.Portable.t_KeccakState = init_absorb__init_absorb input2 in - let 
state3:Libcrux_sha3.Portable.t_KeccakState = init_absorb__init_absorb input3 in - { f_state0 = state0; f_state1 = state1; f_state2 = state2; f_state3 = state3 } - <: - t_Shake128X4); - f_squeeze_first_five_blocks_pre - = - (fun - (self: t_Shake128X4) - (out0: t_Array u8 (Rust_primitives.mk_usize 840)) - (out1: t_Array u8 (Rust_primitives.mk_usize 840)) - (out2: t_Array u8 (Rust_primitives.mk_usize 840)) - (out3: t_Array u8 (Rust_primitives.mk_usize 840)) - -> - true); - f_squeeze_first_five_blocks_post - = - (fun - (self: t_Shake128X4) - (out0: t_Array u8 (Rust_primitives.mk_usize 840)) - (out1: t_Array u8 (Rust_primitives.mk_usize 840)) - (out2: t_Array u8 (Rust_primitives.mk_usize 840)) - (out3: t_Array u8 (Rust_primitives.mk_usize 840)) - (out4: - (t_Shake128X4 & t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840))) - -> - true); - f_squeeze_first_five_blocks - = - (fun - (self: t_Shake128X4) - (out0: t_Array u8 (Rust_primitives.mk_usize 840)) - (out1: t_Array u8 (Rust_primitives.mk_usize 840)) - (out2: t_Array u8 (Rust_primitives.mk_usize 840)) - (out3: t_Array u8 (Rust_primitives.mk_usize 840)) - -> - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 840)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state0 out0 - in - let self:t_Shake128X4 = { self with f_state0 = tmp0 } <: t_Shake128X4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 840)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state1 out1 - in - let self:t_Shake128X4 = { self with f_state1 = tmp0 } <: t_Shake128X4 in - let out1:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in - let _:Prims.unit = () in - let tmp0, 
tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 840)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state2 out2 - in - let self:t_Shake128X4 = { self with f_state2 = tmp0 } <: t_Shake128X4 in - let out2:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 840)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state3 out3 - in - let self:t_Shake128X4 = { self with f_state3 = tmp0 } <: t_Shake128X4 in - let out3:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in - let _:Prims.unit = () in - self, out0, out1, out2, out3 - <: - (t_Shake128X4 & t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840))); - f_squeeze_next_block_pre = (fun (self: t_Shake128X4) -> true); - f_squeeze_next_block_post - = - (fun - (self: t_Shake128X4) - (out4: - (t_Shake128X4 & - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)))) - -> - true); - f_squeeze_next_block - = - fun (self: t_Shake128X4) -> - let out0:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 168)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state0 out0 - in - let self:t_Shake128X4 = { self with f_state0 = tmp0 } <: t_Shake128X4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 168) = tmp1 in - let _:Prims.unit = () in - let out1:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 
168) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 168)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state1 out1 - in - let self:t_Shake128X4 = { self with f_state1 = tmp0 } <: t_Shake128X4 in - let out1:t_Array u8 (Rust_primitives.mk_usize 168) = tmp1 in - let _:Prims.unit = () in - let out2:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 168)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state2 out2 - in - let self:t_Shake128X4 = { self with f_state2 = tmp0 } <: t_Shake128X4 in - let out2:t_Array u8 (Rust_primitives.mk_usize 168) = tmp1 in - let _:Prims.unit = () in - let out3:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 168)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state3 out3 - in - let self:t_Shake128X4 = { self with f_state3 = tmp0 } <: t_Shake128X4 in - let out3:t_Array u8 (Rust_primitives.mk_usize 168) = tmp1 in - let _:Prims.unit = () in - let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) = - out0, out1, out2, out3 - <: - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) - in - self, hax_temp_output - <: - (t_Shake128X4 & - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 
(Rust_primitives.mk_usize 168))) - } - -/// Portable SHAKE 256 state -type t_Shake256 = { f_state:Libcrux_sha3.Portable.t_KeccakState } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = - { - f_shake256_pre - = - (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); - f_shake256_post - = - (fun - (v_OUTPUT_LENGTH: usize) - (input: t_Slice u8) - (out: t_Array u8 v_OUTPUT_LENGTH) - (out1: t_Array u8 v_OUTPUT_LENGTH) - -> - true); - f_shake256 - = - (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> - let out:t_Array u8 v_OUTPUT_LENGTH = Libcrux_sha3.Portable.shake256 out input in - out); - f_init_absorb_pre = (fun (input: t_Slice u8) -> true); - f_init_absorb_post = (fun (input: t_Slice u8) (out: t_Shake256) -> true); - f_init_absorb - = - (fun (input: t_Slice u8) -> - let state:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_init () - in - let state:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_absorb_final state input - in - { f_state = state } <: t_Shake256); - f_squeeze_first_block_pre = (fun (self: t_Shake256) -> true); - f_squeeze_first_block_post - = - (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (Rust_primitives.mk_usize 136))) -> true - ); - f_squeeze_first_block - = - (fun (self: t_Shake256) -> - let out:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state out - in - let self:t_Shake256 = { self with f_state = tmp0 } <: t_Shake256 in - let out:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let _:Prims.unit = () in - let hax_temp_output:t_Array u8 (Rust_primitives.mk_usize 
136) = out in - self, hax_temp_output <: (t_Shake256 & t_Array u8 (Rust_primitives.mk_usize 136))); - f_squeeze_next_block_pre = (fun (self: t_Shake256) -> true); - f_squeeze_next_block_post - = - (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (Rust_primitives.mk_usize 136))) -> true - ); - f_squeeze_next_block - = - fun (self: t_Shake256) -> - let out:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state out - in - let self:t_Shake256 = { self with f_state = tmp0 } <: t_Shake256 in - let out:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let _:Prims.unit = () in - let hax_temp_output:t_Array u8 (Rust_primitives.mk_usize 136) = out in - self, hax_temp_output <: (t_Shake256 & t_Array u8 (Rust_primitives.mk_usize 136)) - } - -/// Portable SHAKE 256 x4 state. -/// We're using a portable implementation so this is actually sequential. 
-type t_Shake256X4 = { - f_state0:Libcrux_sha3.Portable.t_KeccakState; - f_state1:Libcrux_sha3.Portable.t_KeccakState; - f_state2:Libcrux_sha3.Portable.t_KeccakState; - f_state3:Libcrux_sha3.Portable.t_KeccakState -} - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = - { - f_init_absorb_pre - = - (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true - ); - f_init_absorb_post - = - (fun - (input0: t_Slice u8) - (input1: t_Slice u8) - (input2: t_Slice u8) - (input3: t_Slice u8) - (out: t_Shake256X4) - -> - true); - f_init_absorb - = - (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> - let state0:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_init () - in - let state0:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_absorb_final state0 input0 - in - let state1:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_init () - in - let state1:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_absorb_final state1 input1 - in - let state2:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_init () - in - let state2:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_absorb_final state2 input2 - in - let state3:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_init () - in - let state3:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_absorb_final state3 input3 - in - { f_state0 = state0; f_state1 = state1; f_state2 = state2; f_state3 = state3 } - <: - t_Shake256X4); - f_squeeze_first_block_pre = (fun (self: t_Shake256X4) -> true); - f_squeeze_first_block_post - = - (fun - (self: t_Shake256X4) - (out4: - (t_Shake256X4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & 
t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))) - -> - true); - f_squeeze_first_block - = - (fun (self: t_Shake256X4) -> - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state0 out0 - in - let self:t_Shake256X4 = { self with f_state0 = tmp0 } <: t_Shake256X4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let _:Prims.unit = () in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state1 out1 - in - let self:t_Shake256X4 = { self with f_state1 = tmp0 } <: t_Shake256X4 in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let _:Prims.unit = () in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state2 out2 - in - let self:t_Shake256X4 = { self with f_state2 = tmp0 } <: t_Shake256X4 in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let _:Prims.unit = () in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = - 
Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state3 out3 - in - let self:t_Shake256X4 = { self with f_state3 = tmp0 } <: t_Shake256X4 in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let _:Prims.unit = () in - let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = - out0, out1, out2, out3 - <: - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) - in - self, hax_temp_output - <: - (t_Shake256X4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))); - f_squeeze_next_block_pre = (fun (self: t_Shake256X4) -> true); - f_squeeze_next_block_post - = - (fun - (self: t_Shake256X4) - (out4: - (t_Shake256X4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))) - -> - true); - f_squeeze_next_block - = - (fun (self: t_Shake256X4) -> - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state0 out0 - in - let self:t_Shake256X4 = { self with f_state0 = tmp0 } <: t_Shake256X4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let _:Prims.unit = () in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, 
tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state1 out1 - in - let self:t_Shake256X4 = { self with f_state1 = tmp0 } <: t_Shake256X4 in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let _:Prims.unit = () in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state2 out2 - in - let self:t_Shake256X4 = { self with f_state2 = tmp0 } <: t_Shake256X4 in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let _:Prims.unit = () in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state3 out3 - in - let self:t_Shake256X4 = { self with f_state3 = tmp0 } <: t_Shake256X4 in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let _:Prims.unit = () in - let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = - out0, out1, out2, out3 - <: - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) - in - self, hax_temp_output - <: - (t_Shake256X4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 
136)))); - f_shake256_pre - = - (fun - (v_OUT_LEN: usize) - (input0: t_Slice u8) - (input1: t_Slice u8) - (input2: t_Slice u8) - (input3: t_Slice u8) - (out0: t_Array u8 v_OUT_LEN) - (out1: t_Array u8 v_OUT_LEN) - (out2: t_Array u8 v_OUT_LEN) - (out3: t_Array u8 v_OUT_LEN) - -> - true); - f_shake256_post - = - (fun - (v_OUT_LEN: usize) - (input0: t_Slice u8) - (input1: t_Slice u8) - (input2: t_Slice u8) - (input3: t_Slice u8) - (out0: t_Array u8 v_OUT_LEN) - (out1: t_Array u8 v_OUT_LEN) - (out2: t_Array u8 v_OUT_LEN) - (out3: t_Array u8 v_OUT_LEN) - (out4: - (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN - )) - -> - true); - f_shake256 - = - fun - (v_OUT_LEN: usize) - (input0: t_Slice u8) - (input1: t_Slice u8) - (input2: t_Slice u8) - (input3: t_Slice u8) - (out0: t_Array u8 v_OUT_LEN) - (out1: t_Array u8 v_OUT_LEN) - (out2: t_Array u8 v_OUT_LEN) - (out3: t_Array u8 v_OUT_LEN) - -> - let out0:t_Array u8 v_OUT_LEN = Libcrux_sha3.Portable.shake256 out0 input0 in - let out1:t_Array u8 v_OUT_LEN = Libcrux_sha3.Portable.shake256 out1 input1 in - let out2:t_Array u8 v_OUT_LEN = Libcrux_sha3.Portable.shake256 out2 input2 in - let out3:t_Array u8 v_OUT_LEN = Libcrux_sha3.Portable.shake256 out3 input3 in - out0, out1, out2, out3 - <: - (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) - } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti index 89d1a1d2f..1f960b146 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti 
@@ -6,6 +6,31 @@ open FStar.Mul val init_absorb__init_absorb (input: t_Slice u8) : Prims.Pure Libcrux_sha3.Portable.t_KeccakState Prims.l_True (fun _ -> Prims.l_True) +/// Portable SHAKE 128 state +type t_Shake128 = | Shake128 : t_Shake128 + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128 = + { + f_shake128_pre + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); + f_shake128_post + = + (fun + (v_OUTPUT_LENGTH: usize) + (input: t_Slice u8) + (out: t_Array u8 v_OUTPUT_LENGTH) + (out1: t_Array u8 v_OUTPUT_LENGTH) + -> + true); + f_shake128 + = + fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> + let out:t_Array u8 v_OUTPUT_LENGTH = Libcrux_sha3.Portable.shake128 out input in + out + } + /// Portable SHAKE 128 x4 state. /// We're using a portable implementation so this is actually sequential. type t_Shake128X4 = { @@ -187,7 +212,7 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 = type t_Shake256 = { f_state:Libcrux_sha3.Portable.t_KeccakState } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = +let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = { f_shake256_pre = @@ -270,7 +295,7 @@ type t_Shake256X4 = { } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = +let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = { f_init_absorb_pre = diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti index 208cceefc..71bceb4a7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti 
@@ -3,6 +3,20 @@ module Libcrux_ml_dsa.Hash_functions.Shake128 open Core open FStar.Mul +class t_Xof (v_Self: Type0) = { + f_shake128_pre:v_OUTPUT_LENGTH: usize -> t_Slice u8 -> t_Array u8 v_OUTPUT_LENGTH -> Type0; + f_shake128_post: + v_OUTPUT_LENGTH: usize -> + t_Slice u8 -> + t_Array u8 v_OUTPUT_LENGTH -> + t_Array u8 v_OUTPUT_LENGTH + -> Type0; + f_shake128:v_OUTPUT_LENGTH: usize -> x0: t_Slice u8 -> x1: t_Array u8 v_OUTPUT_LENGTH + -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) + (f_shake128_pre v_OUTPUT_LENGTH x0 x1) + (fun result -> f_shake128_post v_OUTPUT_LENGTH x0 x1 result) +} + /// When sampling matrix A we always want to do 4 absorb/squeeze calls in /// parallel. class t_XofX4 (v_Self: Type0) = { diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst index 103f53586..38057f92e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Matrix -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul @@ -17,7 +17,7 @@ let vector_times_ring_element Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) (ring_element: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + = let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () <: 
@@ -67,7 +67,7 @@ let add_vectors i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - : t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + = let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () <: @@ -103,7 +103,6 @@ let add_vectors in result -/// Compute InvertNTT(Â ◦ ŷ) let compute_A_times_mask (#v_SIMDUnit: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A: usize) @@ -115,7 +114,7 @@ let compute_A_times_mask (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) v_ROWS_IN_A) (mask: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - : t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + = let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () <: @@ -203,7 +202,6 @@ let compute_A_times_mask in result -/// Compute InvertNTT(Â ◦ ŝ₁) + s₂ let compute_As1_plus_s2 (#v_SIMDUnit: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A: usize) @@ -216,7 +214,7 @@ let compute_As1_plus_s2 v_ROWS_IN_A) (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) (s2: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) - : t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + = let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () <: @@ -312,7 +310,6 @@ let compute_As1_plus_s2 in result -/// Compute InvertNTT(Â ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ)) let compute_w_approx (#v_SIMDUnit: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A: usize) 
@@ -327,7 +324,7 @@ let compute_w_approx t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) (verifier_challenge_as_ntt: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) - : t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + = let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () <: @@ -439,7 +436,7 @@ let subtract_vectors i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - : t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + = let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () <: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst index 5b0f9ae60..e371c24e0 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst 
@@ -3,31 +3,6 @@ module Libcrux_ml_dsa.Ml_dsa_44_.Avx2 open Core open FStar.Mul -let sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) - (message: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) - (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message randomness - -let verify - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) - (message: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_i32 95232) - (Rust_primitives.mk_i32 78) (Rust_primitives.mk_usize 192) (Rust_primitives.mk_usize 768) - (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) (Rust_primitives.mk_usize 80) - verification_key.Libcrux_ml_dsa.Types._0 message signature.Libcrux_ml_dsa.Types._0 - let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 2560) & t_Array u8 (Rust_primitives.mk_usize 1312)) = 
@@ -54,3 +29,54 @@ let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = <: Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) (Rust_primitives.mk_usize 2560) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (Rust_primitives.mk_usize 4) + (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) + (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192) + (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) + (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) + (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (Rust_primitives.mk_usize + 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) + (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192) + (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) + (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) + (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + = + 
Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (Rust_primitives.mk_usize 4) + (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) (Rust_primitives.mk_usize 1312) + (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_i32 95232) + (Rust_primitives.mk_i32 78) (Rust_primitives.mk_usize 192) (Rust_primitives.mk_usize 768) + (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) (Rust_primitives.mk_usize 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (Rust_primitives.mk_usize + 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) + (Rust_primitives.mk_usize 1312) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) + (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_i32 78) (Rust_primitives.mk_usize 192) + (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) + (Rust_primitives.mk_usize 80) verification_key.Libcrux_ml_dsa.Types._0 message context + signature.Libcrux_ml_dsa.Types._0
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti
index 7dc101010..9bd343dc3 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti
@@ -3,27 +3,58 @@ module Libcrux_ml_dsa.Ml_dsa_44_.Avx2 open Core open FStar.Mul +/// Generate an ML-DSA-44 Key Pair +val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) + (Rust_primitives.mk_usize 2560)) Prims.l_True (fun _ -> Prims.l_True) + /// Generate an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. val sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) - (message: t_Slice u8) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
val verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) ) - (message: t_Slice u8) + (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Generate an ML-DSA-44 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560)) Prims.l_True (fun _ -> Prims.l_True) +/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) + ) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst
index 6e9b8da2b..3c221beed 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst
@@ -1,18 +1,40 @@ module Libcrux_ml_dsa.Ml_dsa_44_.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -/// Generate an ML-DSA-44 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. +let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = + let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 2560) & + t_Array u8 (Rust_primitives.mk_usize 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (Rust_primitives.mk_usize 4) + (Rust_primitives.mk_usize 4) + (Rust_primitives.mk_usize 2) + (Rust_primitives.mk_usize 96) + (Rust_primitives.mk_usize 2560) + (Rust_primitives.mk_usize 1312) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) + (Rust_primitives.mk_usize 2560) + let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192) 
@@ -20,16 +42,11 @@ let sign (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192) 
@@ -37,16 +54,12 @@ let sign_pre_hashed_shake128 (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Verify an ML-DSA-44 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) (Rust_primitives.mk_usize 1312) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_i32 95232) 
@@ -54,16 +67,12 @@ let verify (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) (Rust_primitives.mk_usize 80) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 -/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) (Rust_primitives.mk_usize 1312) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) 
@@ -71,33 +80,3 @@ let verify_pre_hashed_shake128 (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) (Rust_primitives.mk_usize 80) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 - -/// Generate an ML-DSA-44 Key Pair -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 2560) & - t_Array u8 (Rust_primitives.mk_usize 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 2) - (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 1312) - randomness - in - { - Libcrux_ml_dsa.Types.f_signing_key - = - Libcrux_ml_dsa.Types.MLDSASigningKey signing_key - <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560); - Libcrux_ml_dsa.Types.f_verification_key - = - Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key - <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti
index 62fb323c1..198c8e600 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti
@@ -3,27 +3,58 @@ module Libcrux_ml_dsa.Ml_dsa_44_.Neon open Core open FStar.Mul +/// Generate an ML-DSA-44 Key Pair +val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) + (Rust_primitives.mk_usize 2560)) Prims.l_True (fun _ -> Prims.l_True) + /// Generate an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. val sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) - (message: t_Slice u8) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
val verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) ) - (message: t_Slice u8) + (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Generate an ML-DSA-44 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560)) Prims.l_True (fun _ -> Prims.l_True) +/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) + ) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst
index ec89d2c1a..34a714c2d 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst
@@ -1,18 +1,41 @@ module Libcrux_ml_dsa.Ml_dsa_44_.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -/// Generate an ML-DSA-44 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. +let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = + let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 2560) & + t_Array u8 (Rust_primitives.mk_usize 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (Rust_primitives.mk_usize + 4) + (Rust_primitives.mk_usize 4) + (Rust_primitives.mk_usize 2) + (Rust_primitives.mk_usize 96) + (Rust_primitives.mk_usize 2560) + (Rust_primitives.mk_usize 1312) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) + (Rust_primitives.mk_usize 2560) + let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192) 
@@ -20,16 +43,11 @@ let sign (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192) 
@@ -37,16 +55,12 @@ let sign_pre_hashed_shake128 (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Verify an ML-DSA-44 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) (Rust_primitives.mk_usize 1312) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_i32 95232) 
@@ -54,16 +68,12 @@ let verify (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) (Rust_primitives.mk_usize 80) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 -/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) (Rust_primitives.mk_usize 1312) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) 
@@ -71,34 +81,3 @@ let verify_pre_hashed_shake128 (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) (Rust_primitives.mk_usize 80) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 - -/// Generate an ML-DSA-44 Key Pair -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 2560) & - t_Array u8 (Rust_primitives.mk_usize 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (Rust_primitives.mk_usize - 4) - (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 2) - (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 1312) - randomness - in - { - Libcrux_ml_dsa.Types.f_signing_key - = - Libcrux_ml_dsa.Types.MLDSASigningKey signing_key - <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560); - Libcrux_ml_dsa.Types.f_verification_key - = - Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key - <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti
index 9f8103de3..7d700adf5 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti
@@ -3,27 +3,58 @@ module Libcrux_ml_dsa.Ml_dsa_44_.Portable open Core open FStar.Mul +/// Generate an ML-DSA-44 Key Pair +val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) + (Rust_primitives.mk_usize 2560)) Prims.l_True (fun _ -> Prims.l_True) + /// Generate an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. val sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) - (message: t_Slice u8) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
val verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) ) - (message: t_Slice u8) + (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Generate an ML-DSA-44 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560)) Prims.l_True (fun _ -> Prims.l_True) +/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) + ) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst
index 0d0d89b44..76aa01067 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst
@@ -1,95 +1,40 @@ module Libcrux_ml_dsa.Ml_dsa_44_ -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = Rust_primitives.mk_usize 6 - -let v_BITS_PER_ERROR_COEFFICIENT: usize = Rust_primitives.mk_usize 3 - -let v_BITS_PER_GAMMA1_COEFFICIENT: usize = Rust_primitives.mk_usize 18 - -let v_COLUMNS_IN_A: usize = Rust_primitives.mk_usize 4 - -let v_COMMITMENT_HASH_SIZE: usize = Rust_primitives.mk_usize 32 - -let v_COMMITMENT_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - <: - usize) /! - Rust_primitives.mk_usize 8 - -let v_ERROR_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - Rust_primitives.mk_usize 8 - -let v_ETA: usize = Rust_primitives.mk_usize 2 - -let v_GAMMA1_EXPONENT: usize = Rust_primitives.mk_usize 17 - -let v_GAMMA1_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize - ) /! - Rust_primitives.mk_usize 8 - -let v_GAMMA2: i32 = - (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! Rust_primitives.mk_i32 1 <: i32) /! - Rust_primitives.mk_i32 88 - -let v_MAX_ONES_IN_HINT: usize = Rust_primitives.mk_usize 80 - -let v_ONES_IN_VERIFIER_CHALLENGE: usize = Rust_primitives.mk_usize 39 - -let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 - -let v_ROWS_IN_A: usize = Rust_primitives.mk_usize 4 - -let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A - -let v_SIGNATURE_SIZE: usize = - ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! - v_MAX_ONES_IN_HINT - <: - usize) +! - v_ROWS_IN_A - -let v_SIGNING_KEY_SIZE: usize = - (((Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! 
Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE - <: - usize) +! - Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH - <: - usize) +! - ((v_ROWS_IN_A +! v_COLUMNS_IN_A <: usize) *! v_ERROR_RING_ELEMENT_SIZE <: usize) +let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = + let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 2560) & + t_Array u8 (Rust_primitives.mk_usize 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (Rust_primitives.mk_usize 4) + (Rust_primitives.mk_usize 4) + (Rust_primitives.mk_usize 2) + (Rust_primitives.mk_usize 96) + (Rust_primitives.mk_usize 2560) + (Rust_primitives.mk_usize 1312) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key <: - usize) +! - (v_ROWS_IN_A *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize) - -let v_VERIFICATION_KEY_SIZE: usize = - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! - (((Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_ROWS_IN_A <: usize) *! - (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! - Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T - <: - usize) - <: - usize) /! - Rust_primitives.mk_usize 8 + Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key <: - usize) + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) + (Rust_primitives.mk_usize 2560) -/// Sign with ML-DSA 44 -/// Sign a `message` with the ML-DSA `signing_key`. -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. -/// This function returns an [`MLDSA44Signature`]. 
let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192)
@@ -97,19 +42,11 @@ let sign (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Sign with HashML-DSA 44, with a SHAKE128 pre-hashing -/// Sign a digest of `message` derived using `pre_hash` with the -/// ML-DSA `signing_key`. -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. -/// This function returns an [`MLDSA44Signature`]. let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192)
@@ -117,18 +54,12 @@ let sign_pre_hashed_shake128 (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Verify an ML-DSA-44 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. -/// Returns `Ok` when the `signature` is valid for the `message` and -/// `verification_key`, and a [`VerificationError`] otherwise. let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) (Rust_primitives.mk_usize 1312) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_i32 95232) 
@@ -136,54 +67,15 @@ let verify (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) (Rust_primitives.mk_usize 80) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 -/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. -/// Returns `Ok` when the `signature` is valid for the `message` and -/// `verification_key`, and a [`VerificationError`] otherwise. let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) (Rust_primitives.mk_usize 1312) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_i32 78) (Rust_primitives.mk_usize 192) (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) (Rust_primitives.mk_usize 80) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 - -/// Generate an ML-DSA 44 Key Pair -/// Generate an ML-DSA key pair. The input is a byte array of size -/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. -/// This function returns an [`MLDSA44KeyPair`]. 
-let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 2560) & - t_Array u8 (Rust_primitives.mk_usize 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 2) - (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 1312) - randomness - in - { - Libcrux_ml_dsa.Types.f_signing_key - = - Libcrux_ml_dsa.Types.MLDSASigningKey signing_key - <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560); - Libcrux_ml_dsa.Types.f_verification_key - = - Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key - <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti index 88a9f85eb..3960090e8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti 
@@ -78,34 +78,70 @@ let v_VERIFICATION_KEY_SIZE: usize = <: usize) +/// Generate an ML-DSA 44 Key Pair +/// Generate an ML-DSA key pair. The input is a byte array of size +/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. +/// This function returns an [`MLDSA44KeyPair`]. +val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) + (Rust_primitives.mk_usize 2560)) Prims.l_True (fun _ -> Prims.l_True) + /// Sign with ML-DSA 44 /// Sign a `message` with the ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. /// This function returns an [`MLDSA44Signature`]. val sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) - (message: t_Slice u8) + (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign with HashML-DSA 44, with a SHAKE128 pre-hashing +/// Sign a digest of `message` derived using `pre_hash` with the +/// ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// This function returns an [`MLDSA44Signature`]. 
+val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. /// Returns `Ok` when the `signature` is valid for the `message` and /// `verification_key`, and a [`VerificationError`] otherwise. val verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) ) - (message: t_Slice u8) + (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Generate an ML-DSA 44 Key Pair -/// Generate an ML-DSA key pair. The input is a byte array of size -/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. -/// This function returns an [`MLDSA44KeyPair`]. -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560)) Prims.l_True (fun _ -> Prims.l_True) +/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. 
+val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) + ) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst index 4bc45d59b..8ae4f70df 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst 
@@ -3,31 +3,6 @@ module Libcrux_ml_dsa.Ml_dsa_65_.Avx2 open Core open FStar.Mul -let sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) - (message: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) - (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message randomness - -let verify - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) - (message: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) - (Rust_primitives.mk_i32 196) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 768) - (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) (Rust_primitives.mk_usize 55) - verification_key.Libcrux_ml_dsa.Types._0 message signature.Libcrux_ml_dsa.Types._0 - let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4032) & t_Array u8 (Rust_primitives.mk_usize 1952)) = 
@@ -54,3 +29,54 @@ let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = <: Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) (Rust_primitives.mk_usize 4032) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (Rust_primitives.mk_usize 6) + (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) + (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) + (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) + (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) + (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (Rust_primitives.mk_usize + 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) + (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) + (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) + (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) + (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + = + 
Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (Rust_primitives.mk_usize 6) + (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) (Rust_primitives.mk_usize 1952) + (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) + (Rust_primitives.mk_i32 196) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 768) + (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) (Rust_primitives.mk_usize 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (Rust_primitives.mk_usize + 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) + (Rust_primitives.mk_usize 1952) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) + (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_i32 196) (Rust_primitives.mk_usize 128) + (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) + (Rust_primitives.mk_usize 55) verification_key.Libcrux_ml_dsa.Types._0 message context + signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti index 01e8a455e..1ebca715f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti 
@@ -3,27 +3,58 @@ module Libcrux_ml_dsa.Ml_dsa_65_.Avx2 open Core open FStar.Mul +/// Generate an ML-DSA-65 Key Pair +val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) + (Rust_primitives.mk_usize 4032)) Prims.l_True (fun _ -> Prims.l_True) + /// Generate an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. val sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) - (message: t_Slice u8) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
val verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) ) - (message: t_Slice u8) + (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Generate an ML-DSA-65 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032)) Prims.l_True (fun _ -> Prims.l_True) +/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) + ) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst index 2182a4801..807dcf30c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst 
@@ -1,18 +1,40 @@ module Libcrux_ml_dsa.Ml_dsa_65_.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -/// Generate an ML-DSA-65 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. +let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = + let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4032) & + t_Array u8 (Rust_primitives.mk_usize 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (Rust_primitives.mk_usize 6) + (Rust_primitives.mk_usize 5) + (Rust_primitives.mk_usize 4) + (Rust_primitives.mk_usize 128) + (Rust_primitives.mk_usize 4032) + (Rust_primitives.mk_usize 1952) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) + (Rust_primitives.mk_usize 4032) + let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (Rust_primitives.mk_usize 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) 
@@ -20,16 +42,11 @@ let sign (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (Rust_primitives.mk_usize 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) 
@@ -37,16 +54,12 @@ let sign_pre_hashed_shake128 (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Verify an ML-DSA-65 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (Rust_primitives.mk_usize 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) (Rust_primitives.mk_usize 1952) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) 
@@ -54,16 +67,12 @@ let verify (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) (Rust_primitives.mk_usize 55) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 -/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (Rust_primitives.mk_usize 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) (Rust_primitives.mk_usize 1952) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) 
@@ -71,33 +80,3 @@ let verify_pre_hashed_shake128 (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) (Rust_primitives.mk_usize 55) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 - -/// Generate an ML-DSA-65 Key Pair -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4032) & - t_Array u8 (Rust_primitives.mk_usize 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) - (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 1952) - randomness - in - { - Libcrux_ml_dsa.Types.f_signing_key - = - Libcrux_ml_dsa.Types.MLDSASigningKey signing_key - <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032); - Libcrux_ml_dsa.Types.f_verification_key - = - Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key - <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti index 605059ef4..341c764be 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti 
@@ -3,27 +3,58 @@ module Libcrux_ml_dsa.Ml_dsa_65_.Neon open Core open FStar.Mul +/// Generate an ML-DSA-65 Key Pair +val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) + (Rust_primitives.mk_usize 4032)) Prims.l_True (fun _ -> Prims.l_True) + /// Generate an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. val sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) - (message: t_Slice u8) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
val verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) ) - (message: t_Slice u8) + (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Generate an ML-DSA-65 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032)) Prims.l_True (fun _ -> Prims.l_True) +/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) + ) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst index 768fda906..91cf2cd7e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst 
@@ -1,18 +1,41 @@ module Libcrux_ml_dsa.Ml_dsa_65_.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -/// Generate an ML-DSA-65 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. +let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = + let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4032) & + t_Array u8 (Rust_primitives.mk_usize 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (Rust_primitives.mk_usize + 6) + (Rust_primitives.mk_usize 5) + (Rust_primitives.mk_usize 4) + (Rust_primitives.mk_usize 128) + (Rust_primitives.mk_usize 4032) + (Rust_primitives.mk_usize 1952) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) + (Rust_primitives.mk_usize 4032) + let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (Rust_primitives.mk_usize 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) 
@@ -20,16 +43,11 @@ let sign (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (Rust_primitives.mk_usize 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) 
@@ -37,16 +55,12 @@ let sign_pre_hashed_shake128 (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Verify an ML-DSA-65 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (Rust_primitives.mk_usize 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) (Rust_primitives.mk_usize 1952) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) 
@@ -54,16 +68,12 @@ let verify (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) (Rust_primitives.mk_usize 55) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 -/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (Rust_primitives.mk_usize 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) (Rust_primitives.mk_usize 1952) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) 
@@ -71,34 +81,3 @@ let verify_pre_hashed_shake128 (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) (Rust_primitives.mk_usize 55) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 - -/// Generate an ML-DSA-65 Key Pair -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4032) & - t_Array u8 (Rust_primitives.mk_usize 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (Rust_primitives.mk_usize - 6) - (Rust_primitives.mk_usize 5) - (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 1952) - randomness - in - { - Libcrux_ml_dsa.Types.f_signing_key - = - Libcrux_ml_dsa.Types.MLDSASigningKey signing_key - <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032); - Libcrux_ml_dsa.Types.f_verification_key - = - Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key - <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti index ea7546cb2..28c5fb133 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti 
@@ -3,27 +3,58 @@ module Libcrux_ml_dsa.Ml_dsa_65_.Portable open Core open FStar.Mul +/// Generate an ML-DSA-65 Key Pair +val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) + (Rust_primitives.mk_usize 4032)) Prims.l_True (fun _ -> Prims.l_True) + /// Generate an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. val sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) - (message: t_Slice u8) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
val verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) ) - (message: t_Slice u8) + (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Generate an ML-DSA-65 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032)) Prims.l_True (fun _ -> Prims.l_True) +/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) + ) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst index b2f9588db..bc58d87b4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst 
@@ -1,95 +1,40 @@ module Libcrux_ml_dsa.Ml_dsa_65_ -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = Rust_primitives.mk_usize 4 - -let v_BITS_PER_ERROR_COEFFICIENT: usize = Rust_primitives.mk_usize 4 - -let v_BITS_PER_GAMMA1_COEFFICIENT: usize = Rust_primitives.mk_usize 20 - -let v_COLUMNS_IN_A: usize = Rust_primitives.mk_usize 5 - -let v_COMMITMENT_HASH_SIZE: usize = Rust_primitives.mk_usize 48 - -let v_COMMITMENT_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - <: - usize) /! - Rust_primitives.mk_usize 8 - -let v_ERROR_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - Rust_primitives.mk_usize 8 - -let v_ETA: usize = Rust_primitives.mk_usize 4 - -let v_GAMMA1_EXPONENT: usize = Rust_primitives.mk_usize 19 - -let v_GAMMA1_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize - ) /! - Rust_primitives.mk_usize 8 - -let v_GAMMA2: i32 = - (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! Rust_primitives.mk_i32 1 <: i32) /! - Rust_primitives.mk_i32 32 - -let v_MAX_ONES_IN_HINT: usize = Rust_primitives.mk_usize 55 - -let v_ONES_IN_VERIFIER_CHALLENGE: usize = Rust_primitives.mk_usize 49 - -let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 - -let v_ROWS_IN_A: usize = Rust_primitives.mk_usize 6 - -let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A - -let v_SIGNATURE_SIZE: usize = - ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! - v_MAX_ONES_IN_HINT - <: - usize) +! - v_ROWS_IN_A - -let v_SIGNING_KEY_SIZE: usize = - (((Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! 
Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE - <: - usize) +! - Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH - <: - usize) +! - ((v_ROWS_IN_A +! v_COLUMNS_IN_A <: usize) *! v_ERROR_RING_ELEMENT_SIZE <: usize) +let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = + let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4032) & + t_Array u8 (Rust_primitives.mk_usize 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (Rust_primitives.mk_usize 6) + (Rust_primitives.mk_usize 5) + (Rust_primitives.mk_usize 4) + (Rust_primitives.mk_usize 128) + (Rust_primitives.mk_usize 4032) + (Rust_primitives.mk_usize 1952) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key <: - usize) +! - (v_ROWS_IN_A *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize) - -let v_VERIFICATION_KEY_SIZE: usize = - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! - (((Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_ROWS_IN_A <: usize) *! - (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! - Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T - <: - usize) - <: - usize) /! - Rust_primitives.mk_usize 8 + Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key <: - usize) + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) + (Rust_primitives.mk_usize 4032) -/// Sign with ML-DSA 65 -/// Sign a `message` with the ML-DSA `signing_key`. -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. -/// This function returns an [`MLDSA65Signature`]. 
let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (Rust_primitives.mk_usize 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) @@ -97,19 +42,11 @@ let sign (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Sign with HashML-DSA 65, with a SHAKE128 pre-hashing -/// Sign a digest of `message` derived using `pre_hash` with the -/// ML-DSA `signing_key`. -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. -/// This function returns an [`MLDSA65Signature`]. let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (Rust_primitives.mk_usize 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) 
@@ -117,18 +54,12 @@ let sign_pre_hashed_shake128 (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Verify an ML-DSA-65 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. -/// Returns `Ok` when the `signature` is valid for the `message` and -/// `verification_key`, and a [`VerificationError`] otherwise. let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (Rust_primitives.mk_usize 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) (Rust_primitives.mk_usize 1952) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) 
@@ -136,54 +67,15 @@ let verify (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) (Rust_primitives.mk_usize 55) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 -/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. -/// Returns `Ok` when the `signature` is valid for the `message` and -/// `verification_key`, and a [`VerificationError`] otherwise. let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (Rust_primitives.mk_usize 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) (Rust_primitives.mk_usize 1952) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_i32 196) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) (Rust_primitives.mk_usize 55) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 - -/// Generate an ML-DSA 65 Key Pair -/// Generate an ML-DSA key pair. The input is a byte array of size -/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. -/// This function returns an [`MLDSA65KeyPair`]. 
-let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4032) & - t_Array u8 (Rust_primitives.mk_usize 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) - (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 1952) - randomness - in - { - Libcrux_ml_dsa.Types.f_signing_key - = - Libcrux_ml_dsa.Types.MLDSASigningKey signing_key - <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032); - Libcrux_ml_dsa.Types.f_verification_key - = - Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key - <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti index f4235a3c8..467b363d7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti 
@@ -78,34 +78,70 @@ let v_VERIFICATION_KEY_SIZE: usize = <: usize) +/// Generate an ML-DSA 65 Key Pair +/// Generate an ML-DSA key pair. The input is a byte array of size +/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. +/// This function returns an [`MLDSA65KeyPair`]. +val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) + (Rust_primitives.mk_usize 4032)) Prims.l_True (fun _ -> Prims.l_True) + /// Sign with ML-DSA 65 /// Sign a `message` with the ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. /// This function returns an [`MLDSA65Signature`]. val sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) - (message: t_Slice u8) + (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign with HashML-DSA 65, with a SHAKE128 pre-hashing +/// Sign a digest of `message` derived using `pre_hash` with the +/// ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// This function returns an [`MLDSA65Signature`]. 
+val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. /// Returns `Ok` when the `signature` is valid for the `message` and /// `verification_key`, and a [`VerificationError`] otherwise. val verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) ) - (message: t_Slice u8) + (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Generate an ML-DSA 65 Key Pair -/// Generate an ML-DSA key pair. The input is a byte array of size -/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. -/// This function returns an [`MLDSA65KeyPair`]. -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032)) Prims.l_True (fun _ -> Prims.l_True) +/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. 
+val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) + ) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst index 15e9e014f..913efa791 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst 
@@ -3,31 +3,6 @@ module Libcrux_ml_dsa.Ml_dsa_87_.Avx2 open Core open FStar.Mul -let sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) - (message: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) - (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message randomness - -let verify - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) - (message: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) - (Rust_primitives.mk_i32 120) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 1024) - (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) (Rust_primitives.mk_usize 75) - verification_key.Libcrux_ml_dsa.Types._0 message signature.Libcrux_ml_dsa.Types._0 - let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4896) & t_Array u8 (Rust_primitives.mk_usize 2592)) = 
@@ -54,3 +29,54 @@ let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = <: Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) (Rust_primitives.mk_usize 4896) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (Rust_primitives.mk_usize 8) + (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) + (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) + (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) + (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) + (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (Rust_primitives.mk_usize + 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) + (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) + (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) + (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) + (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + = + 
Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (Rust_primitives.mk_usize 8) + (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) (Rust_primitives.mk_usize 2592) + (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) + (Rust_primitives.mk_i32 120) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 1024) + (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) (Rust_primitives.mk_usize 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (Rust_primitives.mk_usize + 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) + (Rust_primitives.mk_usize 2592) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) + (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_i32 120) (Rust_primitives.mk_usize 128) + (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) + (Rust_primitives.mk_usize 75) verification_key.Libcrux_ml_dsa.Types._0 message context + signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti index 43e1e678a..2e6bcab3b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti 
@@ -3,27 +3,58 @@ module Libcrux_ml_dsa.Ml_dsa_87_.Avx2 open Core open FStar.Mul +/// Generate an ML-DSA-87 Key Pair +val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) + (Rust_primitives.mk_usize 4896)) Prims.l_True (fun _ -> Prims.l_True) + /// Generate an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. val sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) - (message: t_Slice u8) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
val verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) ) - (message: t_Slice u8) + (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Generate an ML-DSA-87 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896)) Prims.l_True (fun _ -> Prims.l_True) +/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) + ) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst index da7cffaf1..11749a2ed 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst 
@@ -1,18 +1,40 @@ module Libcrux_ml_dsa.Ml_dsa_87_.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -/// Generate an ML-DSA-87 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. +let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = + let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4896) & + t_Array u8 (Rust_primitives.mk_usize 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (Rust_primitives.mk_usize 8) + (Rust_primitives.mk_usize 7) + (Rust_primitives.mk_usize 2) + (Rust_primitives.mk_usize 96) + (Rust_primitives.mk_usize 4896) + (Rust_primitives.mk_usize 2592) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) + (Rust_primitives.mk_usize 4896) + let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (Rust_primitives.mk_usize 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) 
@@ -20,16 +42,11 @@ let sign (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (Rust_primitives.mk_usize 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) 
@@ -37,16 +54,12 @@ let sign_pre_hashed_shake128 (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Verify an ML-DSA-87 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (Rust_primitives.mk_usize 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) (Rust_primitives.mk_usize 2592) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) 
@@ -54,16 +67,12 @@ let verify (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) (Rust_primitives.mk_usize 75) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 -/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (Rust_primitives.mk_usize 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) (Rust_primitives.mk_usize 2592) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) 
@@ -71,33 +80,3 @@ let verify_pre_hashed_shake128 (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) (Rust_primitives.mk_usize 75) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 - -/// Generate an ML-DSA-87 Key Pair -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4896) & - t_Array u8 (Rust_primitives.mk_usize 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) - (Rust_primitives.mk_usize 2) - (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 2592) - randomness - in - { - Libcrux_ml_dsa.Types.f_signing_key - = - Libcrux_ml_dsa.Types.MLDSASigningKey signing_key - <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896); - Libcrux_ml_dsa.Types.f_verification_key - = - Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key - <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti index 64c615fcd..97b5b98ad 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti 
@@ -3,27 +3,58 @@ module Libcrux_ml_dsa.Ml_dsa_87_.Neon open Core open FStar.Mul +/// Generate an ML-DSA-87 Key Pair +val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) + (Rust_primitives.mk_usize 4896)) Prims.l_True (fun _ -> Prims.l_True) + /// Generate an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. val sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) - (message: t_Slice u8) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
val verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) ) - (message: t_Slice u8) + (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Generate an ML-DSA-87 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896)) Prims.l_True (fun _ -> Prims.l_True) +/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) + ) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst index 22c65fb6b..83db066c7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst 
@@ -1,18 +1,41 @@ module Libcrux_ml_dsa.Ml_dsa_87_.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -/// Generate an ML-DSA-87 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. +let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = + let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4896) & + t_Array u8 (Rust_primitives.mk_usize 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (Rust_primitives.mk_usize + 8) + (Rust_primitives.mk_usize 7) + (Rust_primitives.mk_usize 2) + (Rust_primitives.mk_usize 96) + (Rust_primitives.mk_usize 4896) + (Rust_primitives.mk_usize 2592) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) + (Rust_primitives.mk_usize 4896) + let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (Rust_primitives.mk_usize 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) 
@@ -20,16 +43,11 @@ let sign (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (Rust_primitives.mk_usize 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) 
@@ -37,16 +55,12 @@ let sign_pre_hashed_shake128 (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Verify an ML-DSA-87 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (Rust_primitives.mk_usize 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) (Rust_primitives.mk_usize 2592) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) 
@@ -54,16 +68,12 @@ let verify (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) (Rust_primitives.mk_usize 75) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 -/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (Rust_primitives.mk_usize 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) (Rust_primitives.mk_usize 2592) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) 
@@ -71,34 +81,3 @@ let verify_pre_hashed_shake128 (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) (Rust_primitives.mk_usize 75) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 - -/// Generate an ML-DSA-87 Key Pair -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4896) & - t_Array u8 (Rust_primitives.mk_usize 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (Rust_primitives.mk_usize - 8) - (Rust_primitives.mk_usize 7) - (Rust_primitives.mk_usize 2) - (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 2592) - randomness - in - { - Libcrux_ml_dsa.Types.f_signing_key - = - Libcrux_ml_dsa.Types.MLDSASigningKey signing_key - <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896); - Libcrux_ml_dsa.Types.f_verification_key - = - Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key - <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti index 83f396f81..dcfafcad1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti 
@@ -3,27 +3,58 @@ module Libcrux_ml_dsa.Ml_dsa_87_.Portable open Core open FStar.Mul +/// Generate an ML-DSA-87 Key Pair +val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) + (Rust_primitives.mk_usize 4896)) Prims.l_True (fun _ -> Prims.l_True) + /// Generate an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. val sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) - (message: t_Slice u8) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
val verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) ) - (message: t_Slice u8) + (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Generate an ML-DSA-87 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896)) Prims.l_True (fun _ -> Prims.l_True) +/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) + ) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst index 801550d81..6b6638c60 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst 
@@ -1,95 +1,40 @@ module Libcrux_ml_dsa.Ml_dsa_87_ -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = Rust_primitives.mk_usize 4 - -let v_BITS_PER_ERROR_COEFFICIENT: usize = Rust_primitives.mk_usize 3 - -let v_BITS_PER_GAMMA1_COEFFICIENT: usize = Rust_primitives.mk_usize 20 - -let v_COLUMNS_IN_A: usize = Rust_primitives.mk_usize 7 - -let v_COMMITMENT_HASH_SIZE: usize = Rust_primitives.mk_usize 64 - -let v_COMMITMENT_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT - <: - usize) /! - Rust_primitives.mk_usize 8 - -let v_ERROR_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - Rust_primitives.mk_usize 8 - -let v_ETA: usize = Rust_primitives.mk_usize 2 - -let v_GAMMA1_EXPONENT: usize = Rust_primitives.mk_usize 19 - -let v_GAMMA1_RING_ELEMENT_SIZE: usize = - (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize - ) /! - Rust_primitives.mk_usize 8 - -let v_GAMMA2: i32 = - (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! Rust_primitives.mk_i32 1 <: i32) /! - Rust_primitives.mk_i32 32 - -let v_MAX_ONES_IN_HINT: usize = Rust_primitives.mk_usize 75 - -let v_ONES_IN_VERIFIER_CHALLENGE: usize = Rust_primitives.mk_usize 60 - -let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 - -let v_ROWS_IN_A: usize = Rust_primitives.mk_usize 8 - -let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A - -let v_SIGNATURE_SIZE: usize = - ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! - v_MAX_ONES_IN_HINT - <: - usize) +! - v_ROWS_IN_A - -let v_SIGNING_KEY_SIZE: usize = - (((Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! 
Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE - <: - usize) +! - Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH - <: - usize) +! - ((v_ROWS_IN_A +! v_COLUMNS_IN_A <: usize) *! v_ERROR_RING_ELEMENT_SIZE <: usize) +let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = + let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4896) & + t_Array u8 (Rust_primitives.mk_usize 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (Rust_primitives.mk_usize 8) + (Rust_primitives.mk_usize 7) + (Rust_primitives.mk_usize 2) + (Rust_primitives.mk_usize 96) + (Rust_primitives.mk_usize 4896) + (Rust_primitives.mk_usize 2592) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key <: - usize) +! - (v_ROWS_IN_A *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize) - -let v_VERIFICATION_KEY_SIZE: usize = - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! - (((Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_ROWS_IN_A <: usize) *! - (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! - Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T - <: - usize) - <: - usize) /! - Rust_primitives.mk_usize 8 + Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key <: - usize) + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) + (Rust_primitives.mk_usize 4896) -/// Sign with ML-DSA 87 -/// Sign a `message` with the ML-DSA `signing_key`. -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. -/// This function returns an [`MLDSA87Signature`]. 
let sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (Rust_primitives.mk_usize 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) @@ -97,19 +42,11 @@ let sign (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Sign with HashML-DSA 87, with a SHAKE128 pre-hashing -/// Sign a digest of `message` derived using `pre_hash` with the -/// ML-DSA `signing_key`. -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. -/// This function returns an [`MLDSA87Signature`]. let sign_pre_hashed_shake128 (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (Rust_primitives.mk_usize 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) 
@@ -117,18 +54,12 @@ let sign_pre_hashed_shake128 (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness -/// Verify an ML-DSA-87 Signature -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. -/// Returns `Ok` when the `signature` is valid for the `message` and -/// `verification_key`, and a [`VerificationError`] otherwise. let verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (Rust_primitives.mk_usize 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) (Rust_primitives.mk_usize 2592) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) 
@@ -136,54 +67,15 @@ let verify (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) (Rust_primitives.mk_usize 75) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 -/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing -/// The parameter `context` is used for domain separation -/// and is a byte string of length at most 255 bytes. It -/// may also be empty. -/// Returns `Ok` when the `signature` is valid for the `message` and -/// `verification_key`, and a [`VerificationError`] otherwise. let verify_pre_hashed_shake128 (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (Rust_primitives.mk_usize 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) (Rust_primitives.mk_usize 2592) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_i32 120) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) (Rust_primitives.mk_usize 75) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 - -/// Generate an ML-DSA 87 Key Pair -/// Generate an ML-DSA key pair. The input is a byte array of size -/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. -/// This function returns an [`MLDSA87KeyPair`]. 
-let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4896) & - t_Array u8 (Rust_primitives.mk_usize 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) - (Rust_primitives.mk_usize 2) - (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 2592) - randomness - in - { - Libcrux_ml_dsa.Types.f_signing_key - = - Libcrux_ml_dsa.Types.MLDSASigningKey signing_key - <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896); - Libcrux_ml_dsa.Types.f_verification_key - = - Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key - <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) - } - <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti index fd74703f4..96f044550 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti 
@@ -78,34 +78,70 @@ let v_VERIFICATION_KEY_SIZE: usize = <: usize) +/// Generate an ML-DSA 87 Key Pair +/// Generate an ML-DSA key pair. The input is a byte array of size +/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. +/// This function returns an [`MLDSA87KeyPair`]. +val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) + (Rust_primitives.mk_usize 4896)) Prims.l_True (fun _ -> Prims.l_True) + /// Sign with ML-DSA 87 /// Sign a `message` with the ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. /// This function returns an [`MLDSA87Signature`]. val sign (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) - (message: t_Slice u8) + (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign with HashML-DSA 87, with a SHAKE128 pre-hashing +/// Sign a digest of `message` derived using `pre_hash` with the +/// ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// This function returns an [`MLDSA87Signature`]. 
+val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. /// Returns `Ok` when the `signature` is valid for the `message` and /// `verification_key`, and a [`VerificationError`] otherwise. val verify (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) ) - (message: t_Slice u8) + (message context: t_Slice u8) (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Generate an ML-DSA 87 Key Pair -/// Generate an ML-DSA key pair. The input is a byte array of size -/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. -/// This function returns an [`MLDSA87KeyPair`]. -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896)) Prims.l_True (fun _ -> Prims.l_True) +/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. 
+val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) + ) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst index 26a020f6d..b37a27bd0 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst @@ -9,6 +9,7 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in let open Libcrux_ml_dsa.Simd.Avx2 in let open Libcrux_ml_dsa.Simd.Traits in () 
@@ -18,12 +19,49 @@ let generate_key_pair usize) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context + randomness + +let sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message 
context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (Rust_primitives.mk_usize 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE + v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE + v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context + randomness + let verify (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) 
@@ -31,29 +69,30 @@ let verify (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message: t_Slice u8) + (message context: t_Slice u8) (signature: t_Array u8 v_SIGNATURE_SIZE) = - Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.t_AVX2SIMDUnit + Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message signature + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature -let sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: +let verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) = - Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.t_AVX2SIMDUnit + 
Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA - v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE - v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message randomness + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (Rust_primitives.mk_usize 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE + v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti index c5c9cb6e2..4f5b62941 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti @@ -9,6 +9,7 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in let open Libcrux_ml_dsa.Simd.Avx2 in let open Libcrux_ml_dsa.Simd.Traits in () 
@@ -22,7 +23,33 @@ val generate_key_pair Prims.l_True (fun _ -> Prims.l_True) -/// Verify +/// Sign. +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. val verify (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) 
@@ -30,21 +57,22 @@ val verify (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message: t_Slice u8) + (message context: t_Slice u8) (signature: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) -/// Sign. -val sign - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) - (v_GAMMA2: i32) - (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) - (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst index ba760a567..8ccc95911 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul @@ -15,19 +15,17 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -/// Generate key pair. let generate_key_pair (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness -/// Sign. let sign (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) (v_GAMMA2: i32) 
@@ -36,9 +34,8 @@ let sign (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = - Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + = + Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA @@ -47,7 +44,6 @@ let sign v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness -/// Sign (pre-hashed). let sign_pre_hashed_shake128 (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) (v_GAMMA2: i32) @@ -56,9 +52,8 @@ let sign_pre_hashed_shake128 (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = - Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + = + Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH @@ -68,7 +63,6 @@ let sign_pre_hashed_shake128 v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness -/// Verify. let verify (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) 
@@ -78,15 +72,14 @@ let verify (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) (signature: t_Array u8 v_SIGNATURE_SIZE) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = - Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + = + Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature -/// Verify (pre-hashed with SHAKE-128). let verify_pre_hashed_shake128 (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) @@ -96,8 +89,8 @@ let verify_pre_hashed_shake128 (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) (signature: t_Array u8 v_SIGNATURE_SIZE) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = - Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + = + Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (Rust_primitives.mk_usize 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti index 0cd20433e..44a225bcb 100644 
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti @@ -10,6 +10,7 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Portable in let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in let open Libcrux_ml_dsa.Simd.Portable in let open Libcrux_ml_dsa.Simd.Traits in () @@ -30,13 +31,26 @@ val sign (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message: t_Slice u8) + (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. val verify (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) 
@@ -44,8 +58,22 @@ val verify (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message: t_Slice u8) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) (signature: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst index 360fcd8de..200472cb5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul 
@@ -14,19 +14,17 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -/// Generate key pair. let generate_key_pair (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness -/// Sign. let sign (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) (v_GAMMA2: i32) @@ -35,9 +33,8 @@ let sign (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = - Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + = + Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA @@ -46,7 +43,6 @@ let sign v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness -/// Sign (pre-hashed). let sign_pre_hashed_shake128 (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) (v_GAMMA2: i32) 
@@ -55,9 +51,8 @@ let sign_pre_hashed_shake128 (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = - Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + = + Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH @@ -67,7 +62,6 @@ let sign_pre_hashed_shake128 v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness -/// Verify. let verify (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) 
@@ -77,15 +71,14 @@ let verify (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) (signature: t_Array u8 v_SIGNATURE_SIZE) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = - Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + = + Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature -/// Verify (pre-hashed with SHAKE-128). let verify_pre_hashed_shake128 (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) @@ -95,8 +88,8 @@ let verify_pre_hashed_shake128 (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) (signature: t_Array u8 v_SIGNATURE_SIZE) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = - Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + = + Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (Rust_primitives.mk_usize 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti index 597de0301..572a02079 100644 
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti @@ -9,6 +9,7 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Portable in let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in let open Libcrux_ml_dsa.Simd.Portable in let open Libcrux_ml_dsa.Simd.Traits in () @@ -29,13 +30,26 @@ val sign (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message: t_Slice u8) + (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) -/// Verify +/// Sign (pre-hashed). +val sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. val verify (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: usize) 
@@ -43,8 +57,22 @@ val verify (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message: t_Slice u8) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) (signature: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst index 55141af66..faaea5bc9 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul 
@@ -7,10 +7,10 @@ let generate_key_pair (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) = + = if Libcrux_platform.Platform.simd256_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair v_ROWS_IN_A + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE @@ -44,11 +44,10 @@ let sign (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = if Libcrux_platform.Platform.simd256_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key 
@@ -76,11 +75,10 @@ let sign_pre_hashed_shake128 (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError = + = if Libcrux_platform.Platform.simd256_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 v_ROWS_IN_A + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE @@ -109,10 +107,10 @@ let verify (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = if Libcrux_platform.Platform.simd256_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify v_ROWS_IN_A v_COLUMNS_IN_A + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message context 
@@ -141,10 +139,10 @@ let verify_pre_hashed_shake128 (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - : Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError = + = if Libcrux_platform.Platform.simd256_support () then - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 v_ROWS_IN_A + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti index 16f594a65..871419f5c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti 
@@ -17,11 +17,23 @@ val sign (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) - (message: t_Slice u8) + (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - Libcrux_ml_dsa.Ml_dsa_generic.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) val verify (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: 
@@ -30,8 +42,21 @@ val verify (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: usize) (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - (message: t_Slice u8) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Ml_dsa_generic.t_VerificationError) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst index d43f48161..a3a0638df 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Ml_dsa_generic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul 
@@ -13,52 +13,13 @@ let _ = let open Libcrux_sha3.Portable.Incremental in () -type t_SigningError = - | SigningError_RejectionSamplingError : t_SigningError - | SigningError_ContextTooLongError : t_SigningError - -let t_SigningError_cast_to_repr (x: t_SigningError) : isize = - match x with - | SigningError_RejectionSamplingError -> Rust_primitives.mk_isize 0 - | SigningError_ContextTooLongError -> Rust_primitives.mk_isize 1 - -type t_VerificationError = - | VerificationError_MalformedHintError : t_VerificationError - | VerificationError_SignerResponseExceedsBoundError : t_VerificationError - | VerificationError_CommitmentHashesDontMatchError : t_VerificationError - | VerificationError_ContextTooLongError : t_VerificationError - -let t_VerificationError_cast_to_repr (x: t_VerificationError) : isize = - match x with - | VerificationError_MalformedHintError -> Rust_primitives.mk_isize 0 - | VerificationError_SignerResponseExceedsBoundError -> Rust_primitives.mk_isize 1 - | VerificationError_CommitmentHashesDontMatchError -> Rust_primitives.mk_isize 3 - | VerificationError_ContextTooLongError -> Rust_primitives.mk_isize 6 - -/// This corresponds to line 6 in algorithm 7 in FIPS 204 (line 7 in algorithm -/// 8, resp.). -/// If `domain_separation_context` is supplied, applies domain -/// separation and length encoding to the context string, -/// before appending the message (in the regular variant) or the -/// pre-hash OID as well as the pre-hashed message digest. Otherwise, -/// it is assumed that `message` already contains domain separation -/// information. -/// In FIPS 204 M' is the concatenation of the domain separated context, any -/// potential pre-hash OID and the message (or the message pre-hash). We do not -/// explicitely construct the concatenation in memory since it is of statically unknown -/// length, but feed its components directly into the incremental XOF. -/// Refer to line 10 of Algorithm 2 (and line 5 of Algorithm 3, resp.) 
in [FIPS -/// 204](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#section.5) -/// for details on the domain separation for regular ML-DSA. Line -/// 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation for the HashMl-DSA -/// variant. let derive_message_representative (verification_key_hash: t_Array u8 (Rust_primitives.mk_usize 64)) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (message: t_Slice u8) (message_representative: t_Array u8 (Rust_primitives.mk_usize 64)) - : t_Array u8 (Rust_primitives.mk_usize 64) = + = let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = Libcrux_sha3.Portable.Incremental.f_new #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb #(Rust_primitives.mk_usize 136) @@ -156,7 +117,6 @@ let derive_message_representative let _:Prims.unit = () in message_representative -/// Generate a key pair. let generate_key_pair (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: @@ -174,7 +134,7 @@ let generate_key_pair i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) = + = let seed_expanded:t_Array u8 (Rust_primitives.mk_usize 128) = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 128) in 
@@ -268,19 +228,6 @@ let generate_key_pair <: (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) -type t_Signature - (v_SIMDUnit: Type0) (v_COMMITMENT_HASH_SIZE: usize) (v_COLUMNS_IN_A: usize) (v_ROWS_IN_A: usize) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - = { - f_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE; - f_signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A; - f_hint:t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A -} - -/// The internal signing API. -/// If no `domain_separation_context` is supplied, it is assumed that -/// `message` already contains the domain separation. let sign_internal (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) @@ -304,7 +251,7 @@ let sign_internal (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) t_SigningError = + = let seed_for_A, seed_for_signing, verification_key_hash, s1_as_ntt, s2_as_ntt, t0_as_ntt:(t_Array u8 (Rust_primitives.mk_usize 32) & t_Array u8 (Rust_primitives.mk_usize 32) & 
@@ -659,11 +606,14 @@ let sign_internal | Core.Option.Option_Some commitment_hash -> Core.Result.Result_Ok commitment_hash <: - Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) t_SigningError + Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) Libcrux_ml_dsa.Types.t_SigningError | Core.Option.Option_None -> - Core.Result.Result_Err (SigningError_RejectionSamplingError <: t_SigningError) + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) t_SigningError + Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) Libcrux_ml_dsa.Types.t_SigningError with | Core.Result.Result_Ok commitment_hash -> (match @@ -673,13 +623,16 @@ let sign_internal <: Core.Result.t_Result (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - t_SigningError + Libcrux_ml_dsa.Types.t_SigningError | Core.Option.Option_None -> - Core.Result.Result_Err (SigningError_RejectionSamplingError <: t_SigningError) + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) <: Core.Result.t_Result (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - t_SigningError + Libcrux_ml_dsa.Types.t_SigningError with | Core.Result.Result_Ok signer_response -> (match 
@@ -688,12 +641,17 @@ let sign_internal Core.Result.Result_Ok hint <: Core.Result.t_Result - (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A) t_SigningError + (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A) + Libcrux_ml_dsa.Types.t_SigningError | Core.Option.Option_None -> - Core.Result.Result_Err (SigningError_RejectionSamplingError <: t_SigningError) + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) <: Core.Result.t_Result - (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A) t_SigningError + (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A) + Libcrux_ml_dsa.Types.t_SigningError with | Core.Result.Result_Ok hint -> let signature:t_Array u8 v_SIGNATURE_SIZE = @@ -706,12 +664,15 @@ let sign_internal v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE ({ - f_commitment_hash = commitment_hash; - f_signer_response = signer_response; - f_hint = hint + Libcrux_ml_dsa.Types.f_commitment_hash = commitment_hash; + Libcrux_ml_dsa.Types.f_signer_response = signer_response; + Libcrux_ml_dsa.Types.f_hint = hint } <: - t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A) + Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A) in Core.Result.Result_Ok (Libcrux_ml_dsa.Types.MLDSASignature signature 
@@ -719,21 +680,22 @@ let sign_internal Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - t_SigningError + Libcrux_ml_dsa.Types.t_SigningError | Core.Result.Result_Err err -> Core.Result.Result_Err err <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) - t_SigningError) + Libcrux_ml_dsa.Types.t_SigningError) | Core.Result.Result_Err err -> Core.Result.Result_Err err <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) t_SigningError - ) + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) | Core.Result.Result_Err err -> Core.Result.Result_Err err <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) t_SigningError + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError let sign (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) @@ -756,7 +718,7 @@ let sign (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) t_SigningError = + = match Libcrux_ml_dsa.Pre_hash.impl_1__new context (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (Rust_primitives.mk_usize 11))) @@ -773,7 +735,8 @@ let sign | Core.Result.Result_Err err -> Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) t_SigningError + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError let sign_pre_hashed (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 #v_PH: Type0) 
@@ -800,12 +763,14 @@ let sign_pre_hashed (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) t_SigningError = + = if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN then - Core.Result.Result_Err (SigningError_ContextTooLongError <: t_SigningError) + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) t_SigningError + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError else let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = Libcrux_ml_dsa.Pre_hash.f_hash #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve message @@ -831,11 +796,9 @@ let sign_pre_hashed | Core.Result.Result_Err err -> Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) <: - Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) t_SigningError + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError -/// The internal verification API. -/// If no `domain_separation_context` is supplied, it is assumed that -/// `message` already contains the domain separation. let verify_internal (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: 
@@ -857,7 +820,7 @@ let verify_internal (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - : Core.Result.t_Result Prims.unit t_VerificationError = + = let seed_for_A, t1:(t_Array u8 (Rust_primitives.mk_usize 32) & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit @@ -880,7 +843,7 @@ let verify_internal if ~.(Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit v_COLUMNS_IN_A - signature.f_signer_response + signature.Libcrux_ml_dsa.Types.f_signer_response ((Rust_primitives.mk_i32 2 <. commitment_hash + if signature.Libcrux_ml_dsa.Types.f_commitment_hash <>. commitment_hash then Core.Result.Result_Err - (VerificationError_CommitmentHashesDontMatchError <: t_VerificationError) + (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError + <: + Libcrux_ml_dsa.Types.t_VerificationError) <: - Core.Result.t_Result Prims.unit t_VerificationError + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError else Core.Result.Result_Ok (() <: Prims.unit) <: - Core.Result.t_Result Prims.unit t_VerificationError + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError else Core.Result.Result_Err - (VerificationError_SignerResponseExceedsBoundError <: t_VerificationError) + (Libcrux_ml_dsa.Types.VerificationError_SignerResponseExceedsBoundError + <: + Libcrux_ml_dsa.Types.t_VerificationError) <: - Core.Result.t_Result Prims.unit t_VerificationError + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError | Core.Result.Result_Err err -> - Core.Result.Result_Err err <: Core.Result.t_Result Prims.unit t_VerificationError + Core.Result.Result_Err err + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError let verify (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) 
@@ -1023,7 +992,7 @@ let verify (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - : Core.Result.t_Result Prims.unit t_VerificationError = + = match Libcrux_ml_dsa.Pre_hash.impl_1__new context (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (Rust_primitives.mk_usize 11))) @@ -1039,7 +1008,7 @@ let verify | Core.Result.Result_Err err -> Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) <: - Core.Result.t_Result Prims.unit t_VerificationError + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError let verify_pre_hashed (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_PH: Type0) @@ -1063,7 +1032,7 @@ let verify_pre_hashed (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) (message context: t_Slice u8) (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) - : Core.Result.t_Result Prims.unit t_VerificationError = + = let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = Libcrux_ml_dsa.Pre_hash.f_hash #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve message in @@ -1088,4 +1057,4 @@ let verify_pre_hashed | Core.Result.Result_Err err -> Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) <: - Core.Result.t_Result Prims.unit t_VerificationError + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti index cd202d4de..a42a1a5c3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti 
@@ -8,70 +8,35 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in let open Libcrux_ml_dsa.Simd.Traits in + let open Libcrux_sha3.Portable.Incremental in () -type t_SigningError = | SigningError_RejectionSamplingError : t_SigningError - -val t_SigningError_cast_to_repr (x: t_SigningError) - : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) - -type t_VerificationError = - | VerificationError_MalformedHintError : t_VerificationError - | VerificationError_SignerResponseExceedsBoundError : t_VerificationError - | VerificationError_CommitmentHashesDontMatchError : t_VerificationError - -val t_VerificationError_cast_to_repr (x: t_VerificationError) - : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) - -val sign: - #v_SIMDUnit: Type0 -> - #v_Shake128X4: Type0 -> - #v_Shake256: Type0 -> - #v_Shake256X4: Type0 -> - v_ROWS_IN_A: usize -> - v_COLUMNS_IN_A: usize -> - v_ETA: usize -> - v_ERROR_RING_ELEMENT_SIZE: usize -> - v_GAMMA1_EXPONENT: usize -> - v_GAMMA2: i32 -> - v_COMMITMENT_RING_ELEMENT_SIZE: usize -> - v_COMMITMENT_VECTOR_SIZE: usize -> - v_COMMITMENT_HASH_SIZE: usize -> - v_ONES_IN_VERIFIER_CHALLENGE: usize -> - v_MAX_ONES_IN_HINT: usize -> - v_GAMMA1_RING_ELEMENT_SIZE: usize -> - v_SIGNING_KEY_SIZE: usize -> - v_SIGNATURE_SIZE: usize -> - {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> - {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} -> - {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} -> - {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} -> - Prims.unit - -> Prims.Pure Rust_primitives.Hax.t_Never Prims.l_True (fun _ -> Prims.l_True) - -val verify: - #v_SIMDUnit: Type0 -> - #v_Shake128X4: Type0 -> - #v_Shake256: Type0 -> - v_ROWS_IN_A: usize -> - v_COLUMNS_IN_A: usize -> - v_SIGNATURE_SIZE: usize -> - 
v_VERIFICATION_KEY_SIZE: usize -> - v_GAMMA1_EXPONENT: usize -> - v_GAMMA1_RING_ELEMENT_SIZE: usize -> - v_GAMMA2: i32 -> - v_BETA: i32 -> - v_COMMITMENT_RING_ELEMENT_SIZE: usize -> - v_COMMITMENT_VECTOR_SIZE: usize -> - v_COMMITMENT_HASH_SIZE: usize -> - v_ONES_IN_VERIFIER_CHALLENGE: usize -> - v_MAX_ONES_IN_HINT: usize -> - {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> - {| i4: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} -> - {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} -> - Prims.unit - -> Prims.Pure Rust_primitives.Hax.t_Never Prims.l_True (fun _ -> Prims.l_True) +/// This corresponds to line 6 in algorithm 7 in FIPS 204 (line 7 in algorithm +/// 8, resp.). +/// If `domain_separation_context` is supplied, applies domain +/// separation and length encoding to the context string, +/// before appending the message (in the regular variant) or the +/// pre-hash OID as well as the pre-hashed message digest. Otherwise, +/// it is assumed that `message` already contains domain separation +/// information. +/// In FIPS 204 M' is the concatenation of the domain separated context, any +/// potential pre-hash OID and the message (or the message pre-hash). We do not +/// explicitely construct the concatenation in memory since it is of statically unknown +/// length, but feed its components directly into the incremental XOF. +/// Refer to line 10 of Algorithm 2 (and line 5 of Algorithm 3, resp.) in [FIPS +/// 204](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#section.5) +/// for details on the domain separation for regular ML-DSA. Line +/// 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation for the HashMl-DSA +/// variant. 
+val derive_message_representative + (verification_key_hash: t_Array u8 (Rust_primitives.mk_usize 64)) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (message: t_Slice u8) + (message_representative: t_Array u8 (Rust_primitives.mk_usize 64)) + : Prims.Pure (t_Array u8 (Rust_primitives.mk_usize 64)) Prims.l_True (fun _ -> Prims.l_True) /// Generate a key pair. val generate_key_pair 
@@ -87,12 +52,117 @@ val generate_key_pair Prims.l_True (fun _ -> Prims.l_True) -type t_Signature - (v_SIMDUnit: Type0) (v_COMMITMENT_HASH_SIZE: usize) (v_COLUMNS_IN_A: usize) (v_ROWS_IN_A: usize) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - = { - f_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE; - f_signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A; - f_hint:t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A -} +/// The internal signing API. +/// If no `domain_separation_context` is supplied, it is assumed that +/// `message` already contains the domain separation. +val sign_internal + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE 
v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 #v_PH: Type0) + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i9: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// The internal verification API. +/// If no `domain_separation_context` is supplied, it is assumed that +/// `message` already contains the domain separation. 
+val verify_internal + (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i4: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify + (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i4: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_PH: Type0) + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: 
+ usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst index 4e8286acf..d4a5e3b30 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul 
@@ -9,134 +9,6 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (Rust_primitives.mk_usize 256) = - let list = - [ - Rust_primitives.mk_i32 0; Rust_primitives.mk_i32 25847; Rust_primitives.mk_i32 (-2608894); - Rust_primitives.mk_i32 (-518909); Rust_primitives.mk_i32 237124; - Rust_primitives.mk_i32 (-777960); Rust_primitives.mk_i32 (-876248); - Rust_primitives.mk_i32 466468; Rust_primitives.mk_i32 1826347; Rust_primitives.mk_i32 2353451; - Rust_primitives.mk_i32 (-359251); Rust_primitives.mk_i32 (-2091905); - Rust_primitives.mk_i32 3119733; Rust_primitives.mk_i32 (-2884855); - Rust_primitives.mk_i32 3111497; Rust_primitives.mk_i32 2680103; Rust_primitives.mk_i32 2725464; - Rust_primitives.mk_i32 1024112; Rust_primitives.mk_i32 (-1079900); - Rust_primitives.mk_i32 3585928; Rust_primitives.mk_i32 (-549488); - Rust_primitives.mk_i32 (-1119584); Rust_primitives.mk_i32 2619752; - Rust_primitives.mk_i32 (-2108549); Rust_primitives.mk_i32 (-2118186); - Rust_primitives.mk_i32 (-3859737); Rust_primitives.mk_i32 (-1399561); - Rust_primitives.mk_i32 (-3277672); Rust_primitives.mk_i32 1757237; - Rust_primitives.mk_i32 (-19422); Rust_primitives.mk_i32 4010497; Rust_primitives.mk_i32 280005; - Rust_primitives.mk_i32 2706023; Rust_primitives.mk_i32 95776; Rust_primitives.mk_i32 3077325; - Rust_primitives.mk_i32 3530437; Rust_primitives.mk_i32 (-1661693); - Rust_primitives.mk_i32 (-3592148); Rust_primitives.mk_i32 (-2537516); - Rust_primitives.mk_i32 3915439; Rust_primitives.mk_i32 (-3861115); - Rust_primitives.mk_i32 (-3043716); Rust_primitives.mk_i32 3574422; - Rust_primitives.mk_i32 (-2867647); Rust_primitives.mk_i32 3539968; - Rust_primitives.mk_i32 (-300467); Rust_primitives.mk_i32 2348700; - Rust_primitives.mk_i32 (-539299); Rust_primitives.mk_i32 (-1699267); - Rust_primitives.mk_i32 (-1643818); Rust_primitives.mk_i32 3505694; - Rust_primitives.mk_i32 (-3821735); Rust_primitives.mk_i32 3507263; - Rust_primitives.mk_i32 
(-2140649); Rust_primitives.mk_i32 (-1600420); - Rust_primitives.mk_i32 3699596; Rust_primitives.mk_i32 811944; Rust_primitives.mk_i32 531354; - Rust_primitives.mk_i32 954230; Rust_primitives.mk_i32 3881043; Rust_primitives.mk_i32 3900724; - Rust_primitives.mk_i32 (-2556880); Rust_primitives.mk_i32 2071892; - Rust_primitives.mk_i32 (-2797779); Rust_primitives.mk_i32 (-3930395); - Rust_primitives.mk_i32 (-1528703); Rust_primitives.mk_i32 (-3677745); - Rust_primitives.mk_i32 (-3041255); Rust_primitives.mk_i32 (-1452451); - Rust_primitives.mk_i32 3475950; Rust_primitives.mk_i32 2176455; - Rust_primitives.mk_i32 (-1585221); Rust_primitives.mk_i32 (-1257611); - Rust_primitives.mk_i32 1939314; Rust_primitives.mk_i32 (-4083598); - Rust_primitives.mk_i32 (-1000202); Rust_primitives.mk_i32 (-3190144); - Rust_primitives.mk_i32 (-3157330); Rust_primitives.mk_i32 (-3632928); - Rust_primitives.mk_i32 126922; Rust_primitives.mk_i32 3412210; - Rust_primitives.mk_i32 (-983419); Rust_primitives.mk_i32 2147896; - Rust_primitives.mk_i32 2715295; Rust_primitives.mk_i32 (-2967645); - Rust_primitives.mk_i32 (-3693493); Rust_primitives.mk_i32 (-411027); - Rust_primitives.mk_i32 (-2477047); Rust_primitives.mk_i32 (-671102); - Rust_primitives.mk_i32 (-1228525); Rust_primitives.mk_i32 (-22981); - Rust_primitives.mk_i32 (-1308169); Rust_primitives.mk_i32 (-381987); - Rust_primitives.mk_i32 1349076; Rust_primitives.mk_i32 1852771; - Rust_primitives.mk_i32 (-1430430); Rust_primitives.mk_i32 (-3343383); - Rust_primitives.mk_i32 264944; Rust_primitives.mk_i32 508951; Rust_primitives.mk_i32 3097992; - Rust_primitives.mk_i32 44288; Rust_primitives.mk_i32 (-1100098); Rust_primitives.mk_i32 904516; - Rust_primitives.mk_i32 3958618; Rust_primitives.mk_i32 (-3724342); - Rust_primitives.mk_i32 (-8578); Rust_primitives.mk_i32 1653064; - Rust_primitives.mk_i32 (-3249728); Rust_primitives.mk_i32 2389356; - Rust_primitives.mk_i32 (-210977); Rust_primitives.mk_i32 759969; - Rust_primitives.mk_i32 
(-1316856); Rust_primitives.mk_i32 189548; - Rust_primitives.mk_i32 (-3553272); Rust_primitives.mk_i32 3159746; - Rust_primitives.mk_i32 (-1851402); Rust_primitives.mk_i32 (-2409325); - Rust_primitives.mk_i32 (-177440); Rust_primitives.mk_i32 1315589; - Rust_primitives.mk_i32 1341330; Rust_primitives.mk_i32 1285669; - Rust_primitives.mk_i32 (-1584928); Rust_primitives.mk_i32 (-812732); - Rust_primitives.mk_i32 (-1439742); Rust_primitives.mk_i32 (-3019102); - Rust_primitives.mk_i32 (-3881060); Rust_primitives.mk_i32 (-3628969); - Rust_primitives.mk_i32 3839961; Rust_primitives.mk_i32 2091667; Rust_primitives.mk_i32 3407706; - Rust_primitives.mk_i32 2316500; Rust_primitives.mk_i32 3817976; - Rust_primitives.mk_i32 (-3342478); Rust_primitives.mk_i32 2244091; - Rust_primitives.mk_i32 (-2446433); Rust_primitives.mk_i32 (-3562462); - Rust_primitives.mk_i32 266997; Rust_primitives.mk_i32 2434439; - Rust_primitives.mk_i32 (-1235728); Rust_primitives.mk_i32 3513181; - Rust_primitives.mk_i32 (-3520352); Rust_primitives.mk_i32 (-3759364); - Rust_primitives.mk_i32 (-1197226); Rust_primitives.mk_i32 (-3193378); - Rust_primitives.mk_i32 900702; Rust_primitives.mk_i32 1859098; Rust_primitives.mk_i32 909542; - Rust_primitives.mk_i32 819034; Rust_primitives.mk_i32 495491; - Rust_primitives.mk_i32 (-1613174); Rust_primitives.mk_i32 (-43260); - Rust_primitives.mk_i32 (-522500); Rust_primitives.mk_i32 (-655327); - Rust_primitives.mk_i32 (-3122442); Rust_primitives.mk_i32 2031748; - Rust_primitives.mk_i32 3207046; Rust_primitives.mk_i32 (-3556995); - Rust_primitives.mk_i32 (-525098); Rust_primitives.mk_i32 (-768622); - Rust_primitives.mk_i32 (-3595838); Rust_primitives.mk_i32 342297; - Rust_primitives.mk_i32 286988; Rust_primitives.mk_i32 (-2437823); - Rust_primitives.mk_i32 4108315; Rust_primitives.mk_i32 3437287; - Rust_primitives.mk_i32 (-3342277); Rust_primitives.mk_i32 1735879; - Rust_primitives.mk_i32 203044; Rust_primitives.mk_i32 2842341; Rust_primitives.mk_i32 2691481; - 
Rust_primitives.mk_i32 (-2590150); Rust_primitives.mk_i32 1265009; - Rust_primitives.mk_i32 4055324; Rust_primitives.mk_i32 1247620; Rust_primitives.mk_i32 2486353; - Rust_primitives.mk_i32 1595974; Rust_primitives.mk_i32 (-3767016); - Rust_primitives.mk_i32 1250494; Rust_primitives.mk_i32 2635921; - Rust_primitives.mk_i32 (-3548272); Rust_primitives.mk_i32 (-2994039); - Rust_primitives.mk_i32 1869119; Rust_primitives.mk_i32 1903435; - Rust_primitives.mk_i32 (-1050970); Rust_primitives.mk_i32 (-1333058); - Rust_primitives.mk_i32 1237275; Rust_primitives.mk_i32 (-3318210); - Rust_primitives.mk_i32 (-1430225); Rust_primitives.mk_i32 (-451100); - Rust_primitives.mk_i32 1312455; Rust_primitives.mk_i32 3306115; - Rust_primitives.mk_i32 (-1962642); Rust_primitives.mk_i32 (-1279661); - Rust_primitives.mk_i32 1917081; Rust_primitives.mk_i32 (-2546312); - Rust_primitives.mk_i32 (-1374803); Rust_primitives.mk_i32 1500165; - Rust_primitives.mk_i32 777191; Rust_primitives.mk_i32 2235880; Rust_primitives.mk_i32 3406031; - Rust_primitives.mk_i32 (-542412); Rust_primitives.mk_i32 (-2831860); - Rust_primitives.mk_i32 (-1671176); Rust_primitives.mk_i32 (-1846953); - Rust_primitives.mk_i32 (-2584293); Rust_primitives.mk_i32 (-3724270); - Rust_primitives.mk_i32 594136; Rust_primitives.mk_i32 (-3776993); - Rust_primitives.mk_i32 (-2013608); Rust_primitives.mk_i32 2432395; - Rust_primitives.mk_i32 2454455; Rust_primitives.mk_i32 (-164721); - Rust_primitives.mk_i32 1957272; Rust_primitives.mk_i32 3369112; Rust_primitives.mk_i32 185531; - Rust_primitives.mk_i32 (-1207385); Rust_primitives.mk_i32 (-3183426); - Rust_primitives.mk_i32 162844; Rust_primitives.mk_i32 1616392; Rust_primitives.mk_i32 3014001; - Rust_primitives.mk_i32 810149; Rust_primitives.mk_i32 1652634; - Rust_primitives.mk_i32 (-3694233); Rust_primitives.mk_i32 (-1799107); - Rust_primitives.mk_i32 (-3038916); Rust_primitives.mk_i32 3523897; - Rust_primitives.mk_i32 3866901; Rust_primitives.mk_i32 269760; 
Rust_primitives.mk_i32 2213111; - Rust_primitives.mk_i32 (-975884); Rust_primitives.mk_i32 1717735; - Rust_primitives.mk_i32 472078; Rust_primitives.mk_i32 (-426683); - Rust_primitives.mk_i32 1723600; Rust_primitives.mk_i32 (-1803090); - Rust_primitives.mk_i32 1910376; Rust_primitives.mk_i32 (-1667432); - Rust_primitives.mk_i32 (-1104333); Rust_primitives.mk_i32 (-260646); - Rust_primitives.mk_i32 (-3833893); Rust_primitives.mk_i32 (-2939036); - Rust_primitives.mk_i32 (-2235985); Rust_primitives.mk_i32 (-420899); - Rust_primitives.mk_i32 (-2286327); Rust_primitives.mk_i32 183443; - Rust_primitives.mk_i32 (-976891); Rust_primitives.mk_i32 1612842; - Rust_primitives.mk_i32 (-3545687); Rust_primitives.mk_i32 (-554416); - Rust_primitives.mk_i32 3919660; Rust_primitives.mk_i32 (-48306); - Rust_primitives.mk_i32 (-1362209); Rust_primitives.mk_i32 3937738; - Rust_primitives.mk_i32 1400424; Rust_primitives.mk_i32 (-846154); - Rust_primitives.mk_i32 1976782 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256); - Rust_primitives.Hax.array_of_list 256 list - let invert_ntt_at_layer_0_ (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -144,7 +16,7 @@ let invert_ntt_at_layer_0_ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + = let zeta_i:usize = zeta_i -! Rust_primitives.mk_usize 1 in let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) 
@@ -204,7 +76,7 @@ let invert_ntt_at_layer_1_ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + = let zeta_i:usize = zeta_i -! Rust_primitives.mk_usize 1 in let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) @@ -257,7 +129,7 @@ let invert_ntt_at_layer_2_ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + = let (re, zeta_i), hax_temp_output:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) 
@@ -307,7 +179,7 @@ let invert_ntt_at_layer_3_plus Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + = let step:usize = Rust_primitives.mk_usize 1 < Prims.l_True) -val ntt_at_layer_0_ - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (zeta_i: usize) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_1_ - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (zeta_i: usize) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_2_ - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (zeta_i: usize) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_3_plus - (#v_SIMDUnit: Type0) - (v_LAYER: usize) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (zeta_i: usize) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - Prims.l_True - (fun _ -> Prims.l_True) - val ntt (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst index ea797a6e2..48a4df562 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Polynomial -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul @@ -9,17 +9,13 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -type t_PolynomialRingElement - (v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - = { f_simd_units:t_Array v_SIMDUnit (Rust_primitives.mk_usize 32) } - let impl__ZERO (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (_: Prims.unit) - : t_PolynomialRingElement v_SIMDUnit = + = { f_simd_units = @@ -39,7 +35,7 @@ let impl__add i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (self rhs: t_PolynomialRingElement v_SIMDUnit) - : t_PolynomialRingElement v_SIMDUnit = + = let sum:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in let sum:t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) @@ -78,7 +74,7 @@ let impl__from_i32_array i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (array: t_Slice i32) - : t_PolynomialRingElement v_SIMDUnit = + = let _:Prims.unit = if true then @@ -144,7 +140,7 @@ let impl__infinity_norm_exceeds Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (self: t_PolynomialRingElement v_SIMDUnit) (bound: i32) - : bool = + = let exceeds:bool = false in let exceeds:bool = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Array v_SIMDUnit @@ -175,7 +171,7 @@ let impl__subtract i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (self rhs: t_PolynomialRingElement v_SIMDUnit) - : t_PolynomialRingElement v_SIMDUnit = + = let difference:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in let difference:t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) 
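Review bot: The module-wide `#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"` at the top of Polynomial.fst raises the Z3 budget for every query in the file rather than for the definitions that actually need it, and the same 15→100 bump appears in the Sample.fst and Samplex4.fst hunks further down. A failing query now burns the full budget before it fails, and the limit no longer tells a reader which proof got harder; scoping it with `#push-options "--z3rlimit 100"` / `#pop-options` around the specific definition keeps the rest of the module at the default. These `.fst` files look hax-extracted (paths under `proofs/fstar/extraction`, `Rust_primitives.Hax.*` helpers), so the value presumably comes from the extraction configuration; if it was edited by hand here, the next regeneration will revert it.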
@@ -214,7 +210,7 @@ let impl__to_i32_array i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (self: t_PolynomialRingElement v_SIMDUnit) - : t_Array i32 (Rust_primitives.mk_usize 256) = + = let result:t_Array i32 (Rust_primitives.mk_usize 256) = Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 256) in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti index 8ed54a1d8..dbc9a476d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti @@ -9,10 +9,6 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let v_SIMD_UNITS_IN_RING_ELEMENT: usize = - Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - type t_PolynomialRingElement (v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} = { f_simd_units:t_Array v_SIMDUnit (Rust_primitives.mk_usize 32) } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst index 44b968088..ef691b0e2 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Sample -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul 
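Review bot: Dropping `v_SIMD_UNITS_IN_RING_ELEMENT` from Polynomial.fsti leaves the literal `Rust_primitives.mk_usize 32` in `f_simd_units:t_Array v_SIMDUnit (Rust_primitives.mk_usize 32)` as the only statement of how many SIMD units a ring element holds; the removed definition was the one place that derived that count from `v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT`. The same untied `32` is repeated in every `t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)` of the Avx2 Ntt hunks below. This presumably mirrors a removal in the Rust source; if so, a comment on the Rust record type such as `// 32 = COEFFICIENTS_IN_RING_ELEMENT / COEFFICIENTS_IN_SIMD_UNIT` (or a const assertion relating the two) would keep the relationship visible in the extracted interface.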
@@ -11,8 +11,7 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let update_seed (seed: t_Array u8 (Rust_primitives.mk_usize 66)) (domain_separator: u16) - : (u16 & t_Array u8 (Rust_primitives.mk_usize 66)) = +let update_seed (seed: t_Array u8 (Rust_primitives.mk_usize 66)) (domain_separator: u16) = let seed:t_Array u8 (Rust_primitives.mk_usize 66) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed (Rust_primitives.mk_usize 64) @@ -35,7 +34,7 @@ let rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (sampled_coefficients: usize) (out: t_Array i32 (Rust_primitives.mk_usize 263)) - : (usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + = let done:bool = false in let done, out, sampled_coefficients:(bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks @@ -104,7 +103,7 @@ let rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (sampled_coefficients: usize) (out: t_Array i32 (Rust_primitives.mk_usize 263)) - : (usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + = let done:bool = false in let done, out, sampled_coefficients:(bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks @@ -174,7 +173,7 @@ let rejection_sample_less_than_eta (randomness: t_Slice u8) (sampled: usize) (out: t_Array i32 (Rust_primitives.mk_usize 263)) - : (usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + = let (out, sampled), hax_temp_output:((t_Array i32 (Rust_primitives.mk_usize 263) & usize) & bool) = match cast (v_ETA <: usize) <: u8 with 
@@ -215,7 +214,7 @@ let rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (sampled_coefficients: usize) (out: t_Array i32 (Rust_primitives.mk_usize 263)) - : (usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + = let done:bool = false in let done, out, sampled_coefficients:(bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks @@ -281,7 +280,7 @@ let inside_out_shuffle (out_index: usize) (signs: u64) (result: t_Array i32 (Rust_primitives.mk_usize 256)) - : (usize & u64 & t_Array i32 (Rust_primitives.mk_usize 256) & bool) = + = let done:bool = false in let done, out_index, result, signs:(bool & usize & t_Array i32 (Rust_primitives.mk_usize 256) & u64) = @@ -359,7 +358,7 @@ let sample_challenge_ring_element i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) (seed: t_Array u8 v_SEED_SIZE) - : Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + = let state:v_Shake256 = Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb #v_Shake256 #FStar.Tactics.Typeclasses.solve @@ -467,10 +466,7 @@ let sample_four_error_ring_elements Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256) (seed_base: t_Array u8 (Rust_primitives.mk_usize 66)) (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) - : (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + = let seed0:t_Array u8 (Rust_primitives.mk_usize 66) = seed_base in let seed0:t_Array u8 (Rust_primitives.mk_usize 66) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 
@@ -809,10 +805,7 @@ let sample_four_ring_elements Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128) (seed0: t_Array u8 (Rust_primitives.mk_usize 34)) (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) - : (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + = let seed0:t_Array u8 (Rust_primitives.mk_usize 34) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 (Rust_primitives.mk_usize 32) @@ -1219,7 +1212,7 @@ let sample_mask_ring_element i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) (seed: t_Array u8 (Rust_primitives.mk_usize 66)) - : Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + = match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with | 17 -> let out:t_Array u8 (Rust_primitives.mk_usize 576) = @@ -1265,7 +1258,7 @@ let sample_mask_vector Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) (seed: t_Array u8 (Rust_primitives.mk_usize 66)) (domain_separator: u16) - : (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + = let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () <: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti index 36c0bb2d7..2b9b97952 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti 
@@ -68,10 +68,10 @@ val inside_out_shuffle val sample_challenge_ring_element (#v_SIMDUnit #v_Shake256: Type0) - (v_NUMBER_OF_ONES: usize) + (v_NUMBER_OF_ONES v_SEED_SIZE: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} - (seed: t_Array u8 (Rust_primitives.mk_usize 32)) + (seed: t_Array u8 v_SEED_SIZE) : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst index da7158a27..f70701b34 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Samplex4 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul @@ -11,7 +11,7 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let generate_domain_separator (row column: u8) : u16 = +let generate_domain_separator (row column: u8) = (cast (column <: u8) <: u16) |. ((cast (row <: u8) <: u16) < Prims.l_True) -val simd_multiply_i32_and_return_high (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - val subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) 
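Review bot: The new `v_SEED_SIZE` parameter on `sample_challenge_ring_element` is unconstrained at the interface: the `Prims.Pure` spec keeps `Prims.l_True` as both pre- and postcondition, so the `.fsti` no longer pins the challenge seed to 32 bytes and admits any length, while the matching `.fst` hunk (`@@ -359,7 +358,7`) absorbs `seed: t_Array u8 v_SEED_SIZE` as-is. Presumably this covers the parameter-set-dependent challenge length of ML-DSA, in which case the admissible sizes are a small fixed set; if the Rust source carries a `hax_lib::requires` restricting `SEED_SIZE` to those values, the condition will appear here as a real precondition instead of `Prims.l_True` and the call sites will be checked against it. Failing that, a comment on the Rust function naming the expected sizes would help a reader of the extracted interface.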
@@ -35,9 +32,7 @@ val power2round (r: Libcrux_intrinsics.Avx2_extract.t_Vec256) val montgomery_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply_by_constant - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (constant: i32) +val montgomery_multiply_by_constant (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i32) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) val decompose (v_GAMMA2: i32) (r: Libcrux_intrinsics.Avx2_extract.t_Vec256) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst index 26922de15..b5d19c6d7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst 
@@ -3,6 +3,141 @@ module Libcrux_ml_dsa.Simd.Avx2.Ntt open Core open FStar.Mul +let butterfly_2_ + (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) + = + let a_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 (Rust_primitives.mk_i32 216) a + in + let b_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 (Rust_primitives.mk_i32 216) b + in + let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a_shuffled b_shuffled + in + let zeta_multiplicands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a_shuffled b_shuffled + in + let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta_b3 + zeta_b2 + zeta_a3 + zeta_a2 + zeta_b1 + zeta_b0 + zeta_a1 + zeta_a0 + in + let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas + in + let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products + in + let sub_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products + in + let a_terms_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms + in + let b_terms_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms + in + let a_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 (Rust_primitives.mk_i32 216) + a_terms_shuffled + in + let b_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 
(Rust_primitives.mk_i32 216) + b_terms_shuffled + in + a_out, b_out + <: + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + +let butterfly_4_ + (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) + = + let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a b + in + let zeta_multiplicands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a b + in + let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta_b1 + zeta_b1 + zeta_a1 + zeta_a1 + zeta_b0 + zeta_b0 + zeta_a0 + zeta_a0 + in + let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas + in + let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products + in + let sub_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products + in + let a_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms + in + let b_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms + in + a_out, b_out + <: + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + +let butterfly_8_ (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) = + let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 + b + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) + (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 a + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) + in + let zeta_multiplicands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + 
Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 (Rust_primitives.mk_i32 19) b a + in + let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 zeta1 zeta1 zeta0 zeta0 zeta0 zeta0 + in + let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas + in + let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products + in + let sub_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products + in + let a_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 + sub_terms + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) + (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 add_terms + <: + Libcrux_intrinsics.Avx2_extract.t_Vec128) + in + let b_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 (Rust_primitives.mk_i32 19) + sub_terms + add_terms + in + a_out, b_out + <: + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + let invert_ntt_at_layer_0_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i32) 
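Review bot: The lane-permutation immediates in the three new butterflies are bare magic numbers: `mm256_shuffle_epi32 (Rust_primitives.mk_i32 216)` four times in `butterfly_2_` and `mm256_permute2x128_si256 (Rust_primitives.mk_i32 19)` twice in `butterfly_8_`, with nothing saying which lane order they select (216 = 0b11_01_10_00 appears to be the (0,2,1,3) order that swaps the middle two i32 lanes of each 128-bit half — confirm against the wrapper's argument order). Because this file is hax-extracted, the explanation belongs in the Rust source it is generated from, as a comment on each shuffle/permute call or as a named constant, so the next extraction carries it. The same applies to the `mm256_set_epi32` zeta orderings, which encode the lane layout the `mm256_unpacklo_epi64`/`mm256_unpackhi_epi64` pairs rely on.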
@@ -111,71 +246,391 @@ let invert_ntt_at_layer_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 (Rust_primitives.mk_i32 240) sums products -let ntt_at_layer_0_ - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i32) +let ntt_at_layer_3_plus + (v_LAYER zeta_i: usize) + (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Core.Ops.Arith.Neg.neg zeta3 <: i32) - zeta3 - (Core.Ops.Arith.Neg.neg zeta2 <: i32) - zeta2 - (Core.Ops.Arith.Neg.neg zeta1 <: i32) - zeta1 - (Core.Ops.Arith.Neg.neg zeta0 <: i32) - zeta0 + let step:usize = Rust_primitives.mk_usize 1 <>! v_LAYER <: usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 + (Rust_primitives.mk_usize 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 + (Rust_primitives.mk_usize 32) & + usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 1 in + let offset:usize = + ((round *! step <: usize) *! Rust_primitives.mk_usize 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
step_by <: usize) + (fun re temp_1_ -> + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 + (Rust_primitives.mk_usize 32) = + re + in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 + (Rust_primitives.mk_usize 32) = + re + in + let j:usize = j in + let t:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant (re.[ j +! + step_by + <: + usize ] + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 + (Rust_primitives.mk_usize 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! step_by <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + t + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 + (Rust_primitives.mk_usize 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + t + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + in + re) + in + re, zeta_i + <: + (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) in - let zeta_multipliers:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 (Rust_primitives.mk_i32 245) simd_unit + zeta_i, re + <: + (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + +let ntt_at_layer_0_ + (zeta_i: usize) + (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + = + let zeta_i:usize = zeta_i +! 
Rust_primitives.mk_usize 1 in + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & + usize) = + Rust_primitives.Hax.Folds.fold_range_step_by (Rust_primitives.mk_usize 0) + (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256 + (re <: t_Slice Libcrux_intrinsics.Avx2_extract.t_Vec256) + <: + usize) + (Rust_primitives.mk_usize 2) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 + (Rust_primitives.mk_usize 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 + (Rust_primitives.mk_usize 32) & + usize) = + temp_0_ + in + let round:usize = round in + let a, b:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & + Libcrux_intrinsics.Avx2_extract.t_Vec256) = + butterfly_2_ (re.[ round ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ round +! Rust_primitives.mk_usize 1 <: usize ] + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! + Rust_primitives.mk_usize 1 + <: + usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! + Rust_primitives.mk_usize 2 + <: + usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! + Rust_primitives.mk_usize 3 + <: + usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! + Rust_primitives.mk_usize 4 + <: + usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! + Rust_primitives.mk_usize 5 + <: + usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! 
+ Rust_primitives.mk_usize 6 + <: + usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! + Rust_primitives.mk_usize 7 + <: + usize ] + <: + i32) + in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a + in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (round +! Rust_primitives.mk_usize 1 <: usize) + b + in + let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 8 in + re, zeta_i + <: + (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multipliers zetas + let zeta_i:usize = zeta_i -! Rust_primitives.mk_usize 1 in + zeta_i, re + <: + (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + +let ntt_at_layer_1_ + (zeta_i: usize) + (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + = + let zeta_i:usize = zeta_i +! 
Rust_primitives.mk_usize 1 in + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & + usize) = + Rust_primitives.Hax.Folds.fold_range_step_by (Rust_primitives.mk_usize 0) + (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256 + (re <: t_Slice Libcrux_intrinsics.Avx2_extract.t_Vec256) + <: + usize) + (Rust_primitives.mk_usize 2) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 + (Rust_primitives.mk_usize 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 + (Rust_primitives.mk_usize 32) & + usize) = + temp_0_ + in + let round:usize = round in + let a, b:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & + Libcrux_intrinsics.Avx2_extract.t_Vec256) = + butterfly_4_ (re.[ round ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ round +! Rust_primitives.mk_usize 1 <: usize ] + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! + Rust_primitives.mk_usize 1 + <: + usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! + Rust_primitives.mk_usize 2 + <: + usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! + Rust_primitives.mk_usize 3 + <: + usize ] + <: + i32) + in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a + in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (round +! 
Rust_primitives.mk_usize 1 <: usize) + b + in + let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 4 in + re, zeta_i + <: + (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 (Rust_primitives.mk_i32 160) simd_unit + let zeta_i:usize = zeta_i -! Rust_primitives.mk_usize 1 in + zeta_i, re + <: + (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + +let ntt_at_layer_2_ + (zeta_i: usize) + (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + = + let (re, zeta_i), hax_temp_output:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 + (Rust_primitives.mk_usize 32) & + usize) = + Rust_primitives.Hax.Folds.fold_range_step_by (Rust_primitives.mk_usize 0) + (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256 + (re <: t_Slice Libcrux_intrinsics.Avx2_extract.t_Vec256) + <: + usize) + (Rust_primitives.mk_usize 2) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 + (Rust_primitives.mk_usize 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 + (Rust_primitives.mk_usize 32) & + usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 1 in + let a, b:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & + Libcrux_intrinsics.Avx2_extract.t_Vec256) = + butterfly_8_ (re.[ round ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ round +! 
Rust_primitives.mk_usize 1 <: usize ] + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! + Rust_primitives.mk_usize 1 + <: + usize ] + <: + i32) + in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a + in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (round +! Rust_primitives.mk_usize 1 <: usize) + b + in + let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 1 in + re, zeta_i + <: + (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) in - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 rhs lhs + zeta_i, re + <: + (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) -let ntt_at_layer_1_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) = - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Core.Ops.Arith.Neg.neg zeta1 <: i32) - (Core.Ops.Arith.Neg.neg zeta1 <: i32) - zeta1 - zeta1 - (Core.Ops.Arith.Neg.neg zeta0 <: i32) - (Core.Ops.Arith.Neg.neg zeta0 <: i32) - zeta0 - zeta0 +let ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = + let zeta_i:usize = Rust_primitives.mk_usize 0 in + let tmp0, tmp1:(usize & + t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = + ntt_at_layer_3_plus (Rust_primitives.mk_usize 7) zeta_i re in - let zeta_multipliers:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 (Rust_primitives.mk_i32 238) simd_unit + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 
32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = + ntt_at_layer_3_plus (Rust_primitives.mk_usize 6) zeta_i re in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multipliers zetas + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = + ntt_at_layer_3_plus (Rust_primitives.mk_usize 5) zeta_i re in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 (Rust_primitives.mk_i32 68) simd_unit + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = + ntt_at_layer_3_plus (Rust_primitives.mk_usize 4) zeta_i re in - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 rhs lhs - -let ntt_at_layer_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i32) = - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Core.Ops.Arith.Neg.neg zeta <: i32) - (Core.Ops.Arith.Neg.neg zeta <: i32) - (Core.Ops.Arith.Neg.neg zeta <: i32) - (Core.Ops.Arith.Neg.neg zeta <: i32) - zeta - zeta - zeta - zeta + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = + ntt_at_layer_3_plus (Rust_primitives.mk_usize 3) zeta_i re in - let zeta_multipliers:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - 
Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 (Rust_primitives.mk_i32 238) simd_unit + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = + ntt_at_layer_2_ zeta_i re in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multipliers zetas + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = + ntt_at_layer_1_ zeta_i re in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 (Rust_primitives.mk_i32 68) simd_unit + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = + ntt_at_layer_0_ zeta_i re in - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 rhs lhs + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = tmp1 in + let _:Prims.unit = () in + re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti index 4a6421e31..df72e60c3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti 
@@ -3,6 +3,30 @@ module Libcrux_ml_dsa.Simd.Avx2.Ntt open Core open FStar.Mul +let butterfly_2___SHUFFLE: i32 = Rust_primitives.mk_i32 216 + +val butterfly_2_ + (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) + : Prims.Pure + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + Prims.l_True + (fun _ -> Prims.l_True) + +val butterfly_4_ + (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) + (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) + : Prims.Pure + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + Prims.l_True + (fun _ -> Prims.l_True) + +val butterfly_8_ (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) + : Prims.Pure + (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + Prims.l_True + (fun _ -> Prims.l_True) + val invert_ntt_at_layer_0_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i32) 
@@ -14,13 +38,39 @@ val invert_ntt_at_layer_1_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) val invert_ntt_at_layer_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i32) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_3_plus + (v_LAYER zeta_i: usize) + (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + Prims.l_True + (fun _ -> Prims.l_True) + val ntt_at_layer_0_ - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i32) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + (zeta_i: usize) + (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + Prims.l_True + (fun _ -> Prims.l_True) -val ntt_at_layer_1_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_1_ + (zeta_i: usize) + (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + Prims.l_True + (fun _ -> Prims.l_True) -val ntt_at_layer_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i32) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_2_ + (zeta_i: usize) + (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + : Prims.Pure + (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt (re: t_Array 
Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti index ea0039789..35b953c61 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti 
@@ -3,226 +3,325 @@ module Libcrux_ml_dsa.Simd.Avx2 open Core open FStar.Mul -type t_AVX2SIMDUnit = { f_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 } +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Avx2.Vector_type in + () [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Core.Convert.t_From t_AVX2SIMDUnit Libcrux_intrinsics.Avx2_extract.t_Vec256 = - { - f_from_pre = (fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); - f_from_post - = - (fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_AVX2SIMDUnit) -> true); - f_from - = - fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> - { f_coefficients = coefficients } <: t_AVX2SIMDUnit - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Libcrux_ml_dsa.Simd.Traits.t_Operations t_AVX2SIMDUnit = +let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations +Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = { _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; f_ZERO_pre = (fun (_: Prims.unit) -> true); - f_ZERO_post = (fun (_: Prims.unit) (out: t_AVX2SIMDUnit) -> true); - f_ZERO + f_ZERO_post = - (fun (_: Prims.unit) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); + (fun (_: Prims.unit) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); + f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Avx2.Vector_type.v_ZERO ()); f_from_coefficient_array_pre = (fun (coefficient_array: t_Slice i32) -> true); f_from_coefficient_array_post = - (fun (coefficient_array: t_Slice i32) (out: t_AVX2SIMDUnit) -> true); + (fun + (coefficient_array: t_Slice i32) + (out: 
Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); f_from_coefficient_array = (fun (coefficient_array: t_Slice i32) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_to_coefficient_array_pre = (fun (self: t_AVX2SIMDUnit) -> true); + Libcrux_ml_dsa.Simd.Avx2.Vector_type.from_coefficient_array coefficient_array); + f_to_coefficient_array_pre + = + (fun (self: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); f_to_coefficient_array_post = - (fun (self: t_AVX2SIMDUnit) (out: t_Array i32 (Rust_primitives.mk_usize 8)) -> true); + (fun + (self: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array i32 (Rust_primitives.mk_usize 8)) + -> + true); f_to_coefficient_array = - (fun (self: t_AVX2SIMDUnit) -> - let coefficient_array:t_Array i32 (Rust_primitives.mk_usize 8) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 8) - in - let coefficient_array:t_Array i32 (Rust_primitives.mk_usize 8) = - Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i32 coefficient_array - self.f_coefficients - in - coefficient_array); - f_add_pre = (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) -> true); - f_add_post = (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) (out: t_AVX2SIMDUnit) -> true); + (fun (self: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Vector_type.to_coefficient_array self); + f_add_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_add_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); f_add = - (fun 
(lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) -> + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lhs.f_coefficients rhs.f_coefficients + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lhs + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients <: Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_subtract_pre = (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) -> true); + f_subtract_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); f_subtract_post = - (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) (out: t_AVX2SIMDUnit) -> true); + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); f_subtract = - (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) -> + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract lhs.f_coefficients rhs.f_coefficients + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract lhs + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients <: Libcrux_intrinsics.Avx2_extract.t_Vec256)); f_montgomery_multiply_by_constant_pre = - (fun (simd_unit: t_AVX2SIMDUnit) (constant: i32) -> true); + (fun (simd_unit: 
Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (constant: i32) -> true); f_montgomery_multiply_by_constant_post = - (fun (simd_unit: t_AVX2SIMDUnit) (constant: i32) (out: t_AVX2SIMDUnit) -> true); + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (constant: i32) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); f_montgomery_multiply_by_constant = - (fun (simd_unit: t_AVX2SIMDUnit) (constant: i32) -> + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (constant: i32) -> Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant simd_unit - .f_coefficients + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients constant <: Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_montgomery_multiply_pre = (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) -> true); + f_montgomery_multiply_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); f_montgomery_multiply_post = - (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) (out: t_AVX2SIMDUnit) -> true); + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); f_montgomery_multiply = - (fun (lhs: t_AVX2SIMDUnit) (rhs: t_AVX2SIMDUnit) -> + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply lhs.f_coefficients - rhs.f_coefficients + 
(Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply lhs + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients <: Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_shift_left_then_reduce_pre = (fun (v_SHIFT_BY: i32) (simd_unit: t_AVX2SIMDUnit) -> true); + f_shift_left_then_reduce_pre + = + (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); f_shift_left_then_reduce_post = - (fun (v_SHIFT_BY: i32) (simd_unit: t_AVX2SIMDUnit) (out: t_AVX2SIMDUnit) -> true); + (fun + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); f_shift_left_then_reduce = - (fun (v_SHIFT_BY: i32) (simd_unit: t_AVX2SIMDUnit) -> + (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.shift_left_then_reduce v_SHIFT_BY - simd_unit.f_coefficients + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients <: Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_power2round_pre = (fun (simd_unit: t_AVX2SIMDUnit) -> true); + f_power2round_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); f_power2round_post = - (fun (simd_unit: t_AVX2SIMDUnit) (out: (t_AVX2SIMDUnit & t_AVX2SIMDUnit)) -> true); + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)) + -> + true); f_power2round = - (fun (simd_unit: t_AVX2SIMDUnit) -> + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> let lower, upper:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & 
Libcrux_intrinsics.Avx2_extract.t_Vec256) = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.power2round simd_unit.f_coefficients + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.power2round simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients in Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve lower, Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve upper <: - (t_AVX2SIMDUnit & t_AVX2SIMDUnit)); - f_infinity_norm_exceeds_pre = (fun (simd_unit: t_AVX2SIMDUnit) (bound: i32) -> true); + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)); + f_infinity_norm_exceeds_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (bound: i32) -> true); f_infinity_norm_exceeds_post = - (fun (simd_unit: t_AVX2SIMDUnit) (bound: i32) (out: bool) -> true); + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (bound: i32) + (out: bool) + -> + true); f_infinity_norm_exceeds = - (fun (simd_unit: t_AVX2SIMDUnit) (bound: i32) -> - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.infinity_norm_exceeds simd_unit.f_coefficients bound); - f_decompose_pre = (fun (v_GAMMA2: i32) (simd_unit: t_AVX2SIMDUnit) -> true); + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (bound: i32) -> + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.infinity_norm_exceeds simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + bound); + f_decompose_pre + = + (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); f_decompose_post = - (fun (v_GAMMA2: i32) (simd_unit: t_AVX2SIMDUnit) (out: (t_AVX2SIMDUnit & t_AVX2SIMDUnit)) -> + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: + 
(Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)) + -> true); f_decompose = - (fun (v_GAMMA2: i32) (simd_unit: t_AVX2SIMDUnit) -> + (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> let lower, upper:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.decompose v_GAMMA2 simd_unit.f_coefficients + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.decompose v_GAMMA2 + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients in Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve lower, Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve upper <: - (t_AVX2SIMDUnit & t_AVX2SIMDUnit)); - f_compute_hint_pre = (fun (v_GAMMA2: i32) (low: t_AVX2SIMDUnit) (high: t_AVX2SIMDUnit) -> true); + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)); + f_compute_hint_pre + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); f_compute_hint_post = (fun (v_GAMMA2: i32) - (low: t_AVX2SIMDUnit) - (high: t_AVX2SIMDUnit) - (out: (usize & t_AVX2SIMDUnit)) + (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: (usize & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)) -> true); f_compute_hint = - (fun (v_GAMMA2: i32) (low: t_AVX2SIMDUnit) (high: t_AVX2SIMDUnit) -> + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> let count, hint:(usize & 
Libcrux_intrinsics.Avx2_extract.t_Vec256) = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.compute_hint v_GAMMA2 - low.f_coefficients - high.f_coefficients + low.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + high.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients in count, Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve hint <: - (usize & t_AVX2SIMDUnit)); + (usize & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)); f_use_hint_pre = - (fun (v_GAMMA2: i32) (simd_unit: t_AVX2SIMDUnit) (hint: t_AVX2SIMDUnit) -> true); + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); f_use_hint_post = - (fun (v_GAMMA2: i32) (simd_unit: t_AVX2SIMDUnit) (hint: t_AVX2SIMDUnit) (out: t_AVX2SIMDUnit) -> + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> true); f_use_hint = - (fun (v_GAMMA2: i32) (simd_unit: t_AVX2SIMDUnit) (hint: t_AVX2SIMDUnit) -> + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.use_hint v_GAMMA2 - simd_unit.f_coefficients - hint.f_coefficients + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + hint.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients <: Libcrux_intrinsics.Avx2_extract.t_Vec256)); f_rejection_sample_less_than_field_modulus_pre 
@@ -276,169 +375,231 @@ let impl_1: Libcrux_ml_dsa.Simd.Traits.t_Operations t_AVX2SIMDUnit = let out:t_Slice i32 = tmp0 in let hax_temp_output:usize = out1 in out, hax_temp_output <: (t_Slice i32 & usize)); - f_gamma1_serialize_pre = (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) -> true); + f_gamma1_serialize_pre + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + true); f_gamma1_serialize_post = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> true); + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> + true); f_gamma1_serialize = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) -> - Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.serialize v_OUTPUT_SIZE simd_unit.f_coefficients); + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.serialize v_OUTPUT_SIZE + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); f_gamma1_deserialize_post = - (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) (out: t_AVX2SIMDUnit) -> true); + (fun + (v_GAMMA1_EXPONENT: usize) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); f_gamma1_deserialize = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized <: Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_commitment_serialize_pre = (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) -> true); + f_commitment_serialize_pre + = + (fun 
(v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + true); f_commitment_serialize_post = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> true); + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> + true); f_commitment_serialize = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) -> + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.serialize v_OUTPUT_SIZE - simd_unit.f_coefficients); - f_error_serialize_pre = (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) -> true); + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); + f_error_serialize_pre + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + true); f_error_serialize_post = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> true); + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> + true); f_error_serialize = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_AVX2SIMDUnit) -> - Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.serialize v_OUTPUT_SIZE simd_unit.f_coefficients); + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.serialize v_OUTPUT_SIZE + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); f_error_deserialize_post = - (fun (v_ETA: usize) (serialized: t_Slice u8) (out: t_AVX2SIMDUnit) -> true); + (fun + (v_ETA: usize) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); f_error_deserialize = (fun (v_ETA: usize) (serialized: 
t_Slice u8) -> Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize v_ETA serialized <: Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_t0_serialize_pre = (fun (simd_unit: t_AVX2SIMDUnit) -> true); + f_t0_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); f_t0_serialize_post = - (fun (simd_unit: t_AVX2SIMDUnit) (out: t_Array u8 (Rust_primitives.mk_usize 13)) -> true); + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array u8 (Rust_primitives.mk_usize 13)) + -> + true); f_t0_serialize = - (fun (simd_unit: t_AVX2SIMDUnit) -> - Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.serialize simd_unit.f_coefficients); + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.serialize simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); f_t0_deserialize_pre = (fun (serialized: t_Slice u8) -> true); - f_t0_deserialize_post = (fun (serialized: t_Slice u8) (out: t_AVX2SIMDUnit) -> true); + f_t0_deserialize_post + = + (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true + ); f_t0_deserialize = (fun (serialized: t_Slice u8) -> Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.deserialize serialized <: Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_t1_serialize_pre = (fun (simd_unit: t_AVX2SIMDUnit) -> true); + f_t1_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); f_t1_serialize_post = - (fun (simd_unit: t_AVX2SIMDUnit) (out: t_Array u8 (Rust_primitives.mk_usize 10)) -> true); + (fun + (simd_unit: 
Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array u8 (Rust_primitives.mk_usize 10)) + -> + true); f_t1_serialize = - (fun (simd_unit: t_AVX2SIMDUnit) -> - Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.serialize simd_unit.f_coefficients); + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.serialize simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); f_t1_deserialize_pre = (fun (serialized: t_Slice u8) -> true); - f_t1_deserialize_post = (fun (serialized: t_Slice u8) (out: t_AVX2SIMDUnit) -> true); + f_t1_deserialize_post + = + (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true + ); f_t1_deserialize = (fun (serialized: t_Slice u8) -> Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.deserialize serialized <: Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_ntt_at_layer_0_pre + f_ntt_pre + = + (fun + (simd_units: + t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (Rust_primitives.mk_usize 32)) + -> + true); + f_ntt_post + = + (fun + (simd_units: + t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (Rust_primitives.mk_usize 32)) + (out: + t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (Rust_primitives.mk_usize 32)) + -> + true); + f_ntt = - (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> true); - f_ntt_at_layer_0_post + (fun + (simd_units: + t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (Rust_primitives.mk_usize 32)) + -> + let result:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt (Core.Array.impl_23__map #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + (Rust_primitives.mk_usize 32) + #Libcrux_intrinsics.Avx2_extract.t_Vec256 
+ simd_units + (fun x -> + let x:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = x in + x.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients) + <: + t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + in + Core.Array.impl_23__map #Libcrux_intrinsics.Avx2_extract.t_Vec256 + (Rust_primitives.mk_usize 32) + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + result + (fun x -> + let x:Libcrux_intrinsics.Avx2_extract.t_Vec256 = x in + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + x + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)); + f_invert_ntt_at_layer_0_pre = (fun - (simd_unit: t_AVX2SIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) - (out: t_AVX2SIMDUnit) -> true); - f_ntt_at_layer_0_ - = - (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt_at_layer_0_ simd_unit.f_coefficients - zeta0 - zeta1 - zeta2 - zeta3 - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_ntt_at_layer_1_pre = (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) -> true); - f_ntt_at_layer_1_post - = - (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) (out: t_AVX2SIMDUnit) -> true); - f_ntt_at_layer_1_ - = - (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt_at_layer_1_ simd_unit.f_coefficients zeta0 zeta1 - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_ntt_at_layer_2_pre = (fun (simd_unit: t_AVX2SIMDUnit) (zeta: i32) -> true); - f_ntt_at_layer_2_post - = - (fun (simd_unit: t_AVX2SIMDUnit) 
(zeta: i32) (out: t_AVX2SIMDUnit) -> true); - f_ntt_at_layer_2_ - = - (fun (simd_unit: t_AVX2SIMDUnit) (zeta: i32) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt_at_layer_2_ simd_unit.f_coefficients zeta - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_invert_ntt_at_layer_0_pre - = - (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> true); f_invert_ntt_at_layer_0_post = (fun - (simd_unit: t_AVX2SIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) - (out: t_AVX2SIMDUnit) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); f_invert_ntt_at_layer_0_ = - (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + -> Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_0_ simd_unit.f_coefficients + (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_0_ simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients zeta0 zeta1 zeta2 
@@ -447,30 +608,57 @@ let impl_1: Libcrux_ml_dsa.Simd.Traits.t_Operations t_AVX2SIMDUnit = Libcrux_intrinsics.Avx2_extract.t_Vec256)); f_invert_ntt_at_layer_1_pre = - (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) -> true); + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + -> + true); f_invert_ntt_at_layer_1_post = - (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) (out: t_AVX2SIMDUnit) -> true); + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); f_invert_ntt_at_layer_1_ = - (fun (simd_unit: t_AVX2SIMDUnit) (zeta0: i32) (zeta1: i32) -> + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + -> Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_1_ simd_unit.f_coefficients zeta0 zeta1 + (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_1_ simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + zeta0 + zeta1 <: Libcrux_intrinsics.Avx2_extract.t_Vec256)); - f_invert_ntt_at_layer_2_pre = (fun (simd_unit: t_AVX2SIMDUnit) (zeta: i32) -> true); + f_invert_ntt_at_layer_2_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (zeta: i32) -> true); f_invert_ntt_at_layer_2_post = - (fun (simd_unit: t_AVX2SIMDUnit) (zeta: i32) (out: t_AVX2SIMDUnit) -> true); + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta: i32) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); f_invert_ntt_at_layer_2_ = - fun (simd_unit: t_AVX2SIMDUnit) (zeta: i32) -> + fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (zeta: i32) -> Core.Convert.f_into 
#Libcrux_intrinsics.Avx2_extract.t_Vec256 - #t_AVX2SIMDUnit + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_2_ simd_unit.f_coefficients zeta + (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_2_ simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + zeta <: Libcrux_intrinsics.Avx2_extract.t_Vec256) } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst index 30697b7e1..48c1c060a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Simd.Portable.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul @@ -10,26 +10,24 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let v_MONTGOMERY_SHIFT: u8 = Rust_primitives.mk_u8 32 - -let compute_one_hint (v_GAMMA2 low high: i32) : i32 = +let compute_one_hint (v_GAMMA2 low high: i32) = if low >. v_GAMMA2 || low <. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) || low =. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) && high <>. Rust_primitives.mk_i32 0 then Rust_primitives.mk_i32 1 else Rust_primitives.mk_i32 0 -let get_n_least_significant_bits (n: u8) (value: u64) : u64 = +let get_n_least_significant_bits (n: u8) (value: u64) = value &. ((Rust_primitives.mk_u64 1 <>! Rust_primitives.mk_i32 23 in fe -! (quotient *! Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) -let montgomery_reduce_element (value: i64) : i32 = +let montgomery_reduce_element (value: i64) = let t:u64 = (get_n_least_significant_bits v_MONTGOMERY_SHIFT (cast (value <: i64) <: u64) <: u64) *! Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R 
@@ -42,10 +40,10 @@ let montgomery_reduce_element (value: i64) : i32 = let value_high:i32 = cast (value >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in value_high -! c -let montgomery_multiply_fe_by_fer (fe fer: i32) : i32 = +let montgomery_multiply_fe_by_fer (fe fer: i32) = montgomery_reduce_element ((cast (fe <: i32) <: i64) *! (cast (fer <: i32) <: i64) <: i64) -let decompose_element (v_GAMMA2 r: i32) : (i32 & i32) = +let decompose_element (v_GAMMA2 r: i32) = let _:Prims.unit = if true then @@ -130,7 +128,7 @@ let decompose_element (v_GAMMA2 r: i32) : (i32 & i32) = in r0, r1 <: (i32 & i32) -let power2round_element (t: i32) : (i32 & i32) = +let power2round_element (t: i32) = let _:Prims.unit = if true then @@ -176,7 +174,7 @@ let power2round_element (t: i32) : (i32 & i32) = let t0:i32 = t -! (t1 < - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in let _:usize = temp_1_ in true) simd_unit (fun simd_unit i -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in let i:usize = i in { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients i (montgomery_reduce_element ((cast (simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) <: 
@@ -296,210 +296,224 @@ let montgomery_multiply_by_constant t_Array i32 (Rust_primitives.mk_usize 8) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in simd_unit -let add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - let sum:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit +let add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #FStar.Tactics.Typeclasses.solve () in - let sum:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #i32 (sum.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (Core.Slice.impl__len #i32 + (sum.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) <: usize) (fun sum temp_1_ -> - let sum:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = sum in + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in let _:usize = temp_1_ in true) sum (fun sum i -> - let sum:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = sum in + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in let i:usize = i in { sum with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sum - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients i - ((lhs.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) +! 
- (rhs.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) + ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) +! + (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) <: i32) <: t_Array i32 (Rust_primitives.mk_usize 8) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in sum -let compute_hint (v_GAMMA2: i32) (low high: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : (usize & Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = - let hint:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit +let compute_hint + (v_GAMMA2: i32) + (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #FStar.Tactics.Typeclasses.solve () in let one_hints_count:usize = Rust_primitives.mk_usize 0 in - let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & usize) = + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize) = Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #i32 (hint.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (Core.Slice.impl__len #i32 + (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) <: usize) (fun temp_0_ temp_1_ -> - let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & usize) = + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + usize) = temp_0_ in let _:usize = temp_1_ in true) - (hint, one_hints_count <: (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & usize)) + (hint, one_hints_count + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) 
(fun temp_0_ i -> - let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & usize) = + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + usize) = temp_0_ in let i:usize = i in - let hint:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { hint with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients i (compute_one_hint v_GAMMA2 - (low.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) - (high.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) + (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + (high.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let one_hints_count:usize = one_hints_count +! 
- (cast (hint.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) <: usize) + (cast (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + usize) in - hint, one_hints_count <: (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & usize)) + hint, one_hints_count + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) in - one_hints_count, hint <: (usize & Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + one_hints_count, hint <: (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -let decompose (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = - let low:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit +let decompose + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #FStar.Tactics.Typeclasses.solve () in - let high:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #FStar.Tactics.Typeclasses.solve () in - let high, low:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #i32 (low.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) 
+ (Core.Slice.impl__len #i32 + (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) <: usize) (fun temp_0_ temp_1_ -> - let high, low:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = temp_0_ in let _:usize = temp_1_ in true) (high, low <: - (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit)) + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) (fun temp_0_ i -> - let high, low:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = temp_0_ in let i:usize = i in let low_part, high_part:(i32 & i32) = decompose_element v_GAMMA2 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) in - let low:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { low with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients i low_part } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let high:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { high with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients i high_part } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in high, low <: - (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit)) + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) in low, high <: - (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit - ) + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -let montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - let product:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit +let montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #FStar.Tactics.Typeclasses.solve () in - let product:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) (Core.Slice.impl__len #i32 - (product.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (product.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) <: usize) (fun product temp_1_ -> - let product:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = product in + let 
product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in let _:usize = temp_1_ in true) product (fun product i -> - let product:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = product in + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in let i:usize = i in { product with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize product - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients i - (montgomery_reduce_element ((cast (lhs.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i - ] + (montgomery_reduce_element ((cast (lhs + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) <: i64) *! - (cast (rhs.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) <: i64) + (cast (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i64) <: i64) <: 
@@ -508,112 +522,113 @@ let montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUni t_Array i32 (Rust_primitives.mk_usize 8) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in product -let power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = - let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit +let power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #FStar.Tactics.Typeclasses.solve () in - let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #FStar.Tactics.Typeclasses.solve () in - let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = Rust_primitives.Hax.Folds.fold_enumerated_slice simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (fun temp_0_ temp_1_ -> - let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + let t0_simd_unit, 
t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = temp_0_ in let _:usize = temp_1_ in true) (t0_simd_unit, t1_simd_unit <: - (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit)) + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) (fun temp_0_ temp_1_ -> - let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) = + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = temp_0_ in let i, t:(usize & i32) = temp_1_ in let t0, t1:(i32 & i32) = power2round_element t in - let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { t0_simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0_simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients i t0 } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { t1_simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1_simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients i t1 } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in t0_simd_unit, t1_simd_unit <: - (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit)) + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) in t0_simd_unit, t1_simd_unit <: - (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit - ) + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) let shift_left_then_reduce (v_SHIFT_BY: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - let out:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #FStar.Tactics.Typeclasses.solve () in - let out:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) (Core.Slice.impl__len #i32 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) <: usize) (fun out temp_1_ -> - let out:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = out in + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in let _:usize = temp_1_ in true) out (fun out i -> - let out:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = out in + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in let i:usize = i in { out with - 
Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients i - (reduce_element ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) < - let difference:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = difference in + let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in let _:usize = temp_1_ in true) difference (fun difference i -> - let difference:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = difference in + let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in let i:usize = i in { difference with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize difference - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients i - ((lhs.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) -! - (rhs.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) + ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) -! 
+ (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) <: i32) <: t_Array i32 (Rust_primitives.mk_usize 8) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in difference -let use_hint (v_GAMMA2: i32) (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - let result:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit +let use_hint + (v_GAMMA2: i32) + (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #FStar.Tactics.Typeclasses.solve () in - let result:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #i32 (result.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (Core.Slice.impl__len #i32 + (result.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) <: usize) (fun result temp_1_ -> - let result:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = result in + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in let _:usize = temp_1_ in true) result (fun result i -> - let result:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = result in + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in let i:usize = i in { result with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + 
.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients i (use_one_hint v_GAMMA2 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) - (hint.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ i ] <: i32) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) <: i32) <: t_Array i32 (Rust_primitives.mk_usize 8) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti index 622a44121..e987f5016 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti 
@@ -31,54 +31,66 @@ val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> val use_one_hint (v_GAMMA2 r hint: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -val infinity_norm_exceeds (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) (bound: i32) +val infinity_norm_exceeds + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (bound: i32) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) val montgomery_multiply_by_constant - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (c: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) -val add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit +val add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) -val compute_hint (v_GAMMA2: i32) (low high: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : Prims.Pure (usize & Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) +val compute_hint + (v_GAMMA2: i32) + (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) Prims.l_True (fun _ -> Prims.l_True) -val decompose (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) +val decompose + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) : Prims.Pure - (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) -val montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit +val montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) -val power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) +val power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) : Prims.Pure - (Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) val shift_left_then_reduce (v_SHIFT_BY: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) -val subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit +val subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) -val use_hint (v_GAMMA2: i32) (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit +val use_hint + (v_GAMMA2: i32) + (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True 
(fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst index 0c3108c04..59e3e305f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst @@ -1,10 +1,12 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : t_Array u8 v_OUTPUT_SIZE = +let serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_SIZE in @@ -12,7 +14,7 @@ let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_ | 4 -> let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (Rust_primitives.mk_usize 2) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in let _:usize = temp_1_ in 
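Review bot: The `#set-options` line in this hunk raises `--z3rlimit` from 15 to 100 with nothing in the change explaining why, and the same bump appears in the Error and Gamma1 modules further down. These files sit under `proofs/fstar/extraction/` and read as hax output, so if the new limit was hand-edited it will be lost on the next extraction; it should come from the Rust-side hax options or the extraction config, and that origin is worth naming in the commit so a re-extraction can be checked against it. A roughly 7x budget increase on modules whose `.fsti` signatures still carry only `Prims.l_True` pre/postconditions also hints that the remaining SMT obligations (presumably the overflow side-conditions on checked operators such as `-!` — to confirm) are getting fragile, which makes proofs flaky rather than wrong; if only one definition needs it, `#push-options "--z3rlimit 100"` / `#pop-options` around that definition would keep the default elsewhere. The `serialize` definition that starts in this hunk continues outside it.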
@@ -34,7 +36,7 @@ let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_ | 6 -> let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (Rust_primitives.mk_usize 4) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in let _:usize = temp_1_ in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti index e69035f8d..cc50ef52c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti @@ -3,5 +3,7 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment open Core open FStar.Mul -val serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) +val serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst index 59989eaff..1101e8bd4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Error -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul 
@@ -10,25 +10,19 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let deserialize_when_eta_is_2___ETA: i32 = Rust_primitives.mk_i32 2 - -let deserialize_when_eta_is_4___ETA: i32 = Rust_primitives.mk_i32 4 - -let serialize_when_eta_is_2___ETA: i32 = Rust_primitives.mk_i32 2 - -let serialize_when_eta_is_4___ETA: i32 = Rust_primitives.mk_i32 4 - let serialize_when_eta_is_2_ (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : t_Array u8 v_OUTPUT_SIZE = + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_SIZE in let coefficient0:u8 = cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 0 ] <: i32 - ) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 0 ] + <: + i32) <: i32) <: @@ -36,8 +30,10 @@ let serialize_when_eta_is_2_ in let coefficient1:u8 = cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 1 ] <: i32 - ) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 1 ] + <: + i32) <: i32) <: @@ -45,8 +41,10 @@ let serialize_when_eta_is_2_ in let coefficient2:u8 = cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 ] <: i32 - ) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 2 ] + <: + i32) <: i32) <: @@ -54,8 +52,10 @@ let serialize_when_eta_is_2_ in let coefficient3:u8 = cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 3 ] <: i32 - ) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 3 ] + <: + i32) <: i32) <: 
@@ -63,8 +63,10 @@ let serialize_when_eta_is_2_ in let coefficient4:u8 = cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 ] <: i32 - ) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 4 ] + <: + i32) <: i32) <: @@ -72,8 +74,10 @@ let serialize_when_eta_is_2_ in let coefficient5:u8 = cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 5 ] <: i32 - ) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 5 ] + <: + i32) <: i32) <: @@ -81,8 +85,10 @@ let serialize_when_eta_is_2_ in let coefficient6:u8 = cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 6 ] <: i32 - ) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 6 ] + <: + i32) <: i32) <: @@ -90,8 +96,10 @@ let serialize_when_eta_is_2_ in let coefficient7:u8 = cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 7 ] <: i32 - ) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 7 ] + <: + i32) <: i32) <: 
@@ -137,14 +145,14 @@ let serialize_when_eta_is_2_ let serialize_when_eta_is_4_ (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : t_Array u8 v_OUTPUT_SIZE = + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_SIZE in let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (Rust_primitives.mk_usize 2) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in let _:usize = temp_1_ in @@ -178,8 +186,10 @@ let serialize_when_eta_is_4_ in serialized -let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : t_Array u8 v_OUTPUT_SIZE = +let serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = match cast (v_OUTPUT_SIZE <: usize) <: u8 with | 3 -> serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit | 4 -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit @@ -189,8 +199,7 @@ let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_ <: Rust_primitives.Hax.t_Never) -let deserialize_when_eta_is_2_ (serialized: t_Slice u8) - : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = +let deserialize_when_eta_is_2_ (serialized: t_Slice u8) = let _:Prims.unit = if true then 
@@ -202,34 +211,34 @@ let deserialize_when_eta_is_2_ (serialized: t_Slice u8) in () in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #FStar.Tactics.Typeclasses.solve () in let byte0:i32 = cast (serialized.[ Rust_primitives.mk_usize 0 ] <: u8) <: i32 in let byte1:i32 = cast (serialized.[ Rust_primitives.mk_usize 1 ] <: u8) <: i32 in let byte2:i32 = cast (serialized.[ Rust_primitives.mk_usize 2 ] <: u8) <: i32 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 0) (deserialize_when_eta_is_2___ETA -! (byte0 &. Rust_primitives.mk_i32 7 <: i32) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 1) (deserialize_when_eta_is_2___ETA -! ((byte0 >>! Rust_primitives.mk_i32 3 <: i32) &. Rust_primitives.mk_i32 7 <: i32) 
@@ -237,15 +246,15 @@ let deserialize_when_eta_is_2_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 2) (deserialize_when_eta_is_2___ETA -! (((byte0 >>! Rust_primitives.mk_i32 6 <: i32) |. @@ -259,15 +268,15 @@ let deserialize_when_eta_is_2_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 3) (deserialize_when_eta_is_2___ETA -! ((byte1 >>! Rust_primitives.mk_i32 1 <: i32) &. Rust_primitives.mk_i32 7 <: i32) 
@@ -275,15 +284,15 @@ let deserialize_when_eta_is_2_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 4) (deserialize_when_eta_is_2___ETA -! ((byte1 >>! Rust_primitives.mk_i32 4 <: i32) &. Rust_primitives.mk_i32 7 <: i32) @@ -291,15 +300,15 @@ let deserialize_when_eta_is_2_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 5) (deserialize_when_eta_is_2___ETA -! (((byte1 >>! Rust_primitives.mk_i32 7 <: i32) |. 
@@ -313,15 +322,15 @@ let deserialize_when_eta_is_2_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 6) (deserialize_when_eta_is_2___ETA -! ((byte2 >>! Rust_primitives.mk_i32 2 <: i32) &. Rust_primitives.mk_i32 7 <: i32) @@ -329,15 +338,15 @@ let deserialize_when_eta_is_2_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 7) (deserialize_when_eta_is_2___ETA -! ((byte2 >>! Rust_primitives.mk_i32 5 <: i32) &. Rust_primitives.mk_i32 7 <: i32) @@ -345,12 +354,11 @@ let deserialize_when_eta_is_2_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in simd_unit -let deserialize_when_eta_is_4_ (serialized: t_Slice u8) - : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = +let deserialize_when_eta_is_4_ (serialized: t_Slice u8) = let _:Prims.unit = if true then 
@@ -362,28 +370,28 @@ let deserialize_when_eta_is_4_ (serialized: t_Slice u8) in () in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #FStar.Tactics.Typeclasses.solve () in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = Rust_primitives.Hax.Folds.fold_enumerated_slice serialized (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in let _:usize = temp_1_ in true) simd_unit (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in let i, byte:(usize & u8) = temp_1_ in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 2 *! i <: usize) (deserialize_when_eta_is_4___ETA -! (cast (byte &. Rust_primitives.mk_u8 15 <: u8) <: i32) 
@@ -391,15 +399,15 @@ let deserialize_when_eta_is_4_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 2 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) (deserialize_when_eta_is_4___ETA -! (cast (byte >>! Rust_primitives.mk_i32 4 <: u8) <: i32) @@ -407,14 +415,13 @@ let deserialize_when_eta_is_4_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in simd_unit) in simd_unit -let deserialize (v_ETA: usize) (serialized: t_Slice u8) - : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = +let deserialize (v_ETA: usize) (serialized: t_Slice u8) = match cast (v_ETA <: usize) <: u8 with | 2 -> deserialize_when_eta_is_2_ serialized | 4 -> deserialize_when_eta_is_4_ serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti index dd1e3aec0..7164821d8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti 
@@ -20,28 +20,30 @@ let serialize_when_eta_is_4___ETA: i32 = Rust_primitives.mk_i32 4 val serialize_when_eta_is_2_ (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) val serialize_when_eta_is_4_ (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) -val serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) +val serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) val deserialize_when_eta_is_2_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) val deserialize_when_eta_is_4_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) val deserialize (v_ETA: usize) (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst index 5b881ef9d..d1d4b15fc 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul @@ -10,36 +10,16 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let deserialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = - Rust_primitives.mk_i32 1 < let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in let _:usize = temp_1_ in @@ -154,14 +134,14 @@ let serialize_when_gamma1_is_2_pow_17_ let serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : t_Array u8 v_OUTPUT_SIZE = + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_SIZE in let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (Rust_primitives.mk_usize 2) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in let _:usize = temp_1_ in @@ -220,8 +200,10 @@ let serialize_when_gamma1_is_2_pow_19_ in serialized -let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : t_Array u8 v_OUTPUT_SIZE = +let serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = match cast (v_OUTPUT_SIZE <: usize) <: u8 with | 18 -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit | 20 -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit 
@@ -231,8 +213,7 @@ let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_ <: Rust_primitives.Hax.t_Never) -let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) - : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = +let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = let _:Prims.unit = if true then 
@@ -244,44 +225,45 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) in () in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #FStar.Tactics.Typeclasses.solve () in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (Rust_primitives.mk_usize 9) serialized (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in let _:usize = temp_1_ in true) simd_unit (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in let i, bytes:(usize & t_Slice u8) = temp_1_ in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 4 *! 
i <: usize) (cast (bytes.[ Rust_primitives.mk_usize 0 ] <: u8) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 4 *! i <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 *! + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 4 *! i <: usize ] @@ -295,17 +277,18 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 4 *! i <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 *! + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 4 *! i <: usize ] 
@@ -319,17 +302,18 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 4 *! i <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 *! + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 4 *! i <: usize ] @@ -340,15 +324,15 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) ((cast (bytes.[ Rust_primitives.mk_usize 2 ] <: u8) <: i32) >>! Rust_primitives.mk_i32 2 
@@ -356,17 +340,17 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (Rust_primitives.mk_usize + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize 4 *! i <: @@ -384,17 +368,17 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (Rust_primitives.mk_usize + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize 4 *! i <: 
@@ -412,17 +396,17 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (Rust_primitives.mk_usize + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize 4 *! i <: @@ -437,15 +421,15 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 2 <: usize) ((cast (bytes.[ Rust_primitives.mk_usize 4 ] <: u8) <: i32) >>! Rust_primitives.mk_i32 4 
@@ -453,17 +437,17 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 2 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (Rust_primitives.mk_usize + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize 4 *! i <: @@ -481,17 +465,17 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 2 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (Rust_primitives.mk_usize + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize 4 *! i <: 
@@ -509,17 +493,17 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 2 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (Rust_primitives.mk_usize + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize 4 *! i <: @@ -534,15 +518,15 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 3 <: usize) ((cast (bytes.[ Rust_primitives.mk_usize 6 ] <: u8) <: i32) >>! Rust_primitives.mk_i32 6 
@@ -550,17 +534,17 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 3 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (Rust_primitives.mk_usize + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize 4 *! i <: @@ -578,17 +562,17 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 3 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (Rust_primitives.mk_usize + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize 4 *! i <: 
@@ -606,17 +590,17 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 3 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (Rust_primitives.mk_usize + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize 4 *! i <: @@ -631,18 +615,18 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 4 *! i <: usize) (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 4 *! i <: 
@@ -653,18 +637,18 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (Rust_primitives.mk_usize + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize 4 *! i <: @@ -678,18 +662,18 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 2 <: usize) (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (Rust_primitives.mk_usize + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize 4 *! i <: 
@@ -703,18 +687,18 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 3 <: usize) (deserialize_when_gamma1_is_2_pow_17___GAMMA1 -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (Rust_primitives.mk_usize + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize 4 *! i <: @@ -728,14 +712,13 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in simd_unit) in simd_unit -let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) - : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = +let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = let _:Prims.unit = if true then 
@@ -747,44 +730,45 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) in () in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #FStar.Tactics.Typeclasses.solve () in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (Rust_primitives.mk_usize 5) serialized (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in let _:usize = temp_1_ in true) simd_unit (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in let i, bytes:(usize & t_Slice u8) = temp_1_ in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 2 *! 
i <: usize) (cast (bytes.[ Rust_primitives.mk_usize 0 ] <: u8) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 2 *! i <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 *! + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 2 *! i <: usize ] @@ -798,17 +782,18 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 2 *! i <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 *! + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 2 *! i <: usize ] 
@@ -822,17 +807,18 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 2 *! i <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 *! + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 2 *! i <: usize ] @@ -843,15 +829,15 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 2 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) ((cast (bytes.[ Rust_primitives.mk_usize 2 ] <: u8) <: i32) >>! Rust_primitives.mk_i32 4 
@@ -859,17 +845,17 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 2 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (Rust_primitives.mk_usize + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize 2 *! i <: @@ -887,17 +873,17 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 2 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (Rust_primitives.mk_usize + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize 2 *! i <: 
@@ -915,18 +901,18 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 2 *! i <: usize) (deserialize_when_gamma1_is_2_pow_19___GAMMA1 -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 2 *! i <: @@ -937,18 +923,18 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients ((Rust_primitives.mk_usize 2 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) (deserialize_when_gamma1_is_2_pow_19___GAMMA1 -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ (Rust_primitives.mk_usize + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize 2 *! i <: 
@@ -962,14 +948,13 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in simd_unit) in simd_unit -let deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) - : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = +let deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) = match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with | 17 -> deserialize_when_gamma1_is_2_pow_17_ serialized | 19 -> deserialize_when_gamma1_is_2_pow_19_ serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti index ba795ee16..0c47ebcf4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti 
@@ -32,28 +32,30 @@ let serialize_when_gamma1_is_2_pow_19___GAMMA1: i32 = val serialize_when_gamma1_is_2_pow_17_ (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) val serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) -val serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) +val serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) val deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst index 8281c554e..ae51fdbc1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.T0 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul 
@@ -10,69 +10,61 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let change_t0_interval (t0: i32) : i32 = +let change_t0_interval (t0: i32) = (Rust_primitives.mk_i32 1 <>! Rust_primitives.mk_i32 5 <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 1 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 1 ] <: i32) |. (byte2 <>! Rust_primitives.mk_i32 2 <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 2 ] <: i32) |. (byte4 <>! 
Rust_primitives.mk_i32 7 <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 3 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 3 ] <: i32) |. (byte5 <>! Rust_primitives.mk_i32 4 <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 4 ] <: i32) |. (byte7 <>! 
Rust_primitives.mk_i32 1 <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 5 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 5 ] <: i32) |. (byte9 <>! Rust_primitives.mk_i32 6 <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 6 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 6 ] <: i32) |. (byte10 <>! 
Rust_primitives.mk_i32 3 <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 7 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 7 ] <: i32) |. (byte12 < Prims.l_True) val deserialize (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst index 6d928a50d..92eb0bd96 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.T1 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul 
@@ -10,14 +10,13 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) - : t_Array u8 (Rust_primitives.mk_usize 10) = +let serialize (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = let serialized:t_Array u8 (Rust_primitives.mk_usize 10) = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 10) in let serialized:t_Array u8 (Rust_primitives.mk_usize 10) = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (Rust_primitives.mk_usize 4) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients <: t_Slice i32) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Array u8 (Rust_primitives.mk_usize 10) = serialized in let _:usize = temp_1_ in @@ -125,7 +124,7 @@ let serialize (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) in serialized -let deserialize (serialized: t_Slice u8) : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = +let deserialize (serialized: t_Slice u8) = let _:Prims.unit = if true then @@ -137,8 +136,8 @@ let deserialize (serialized: t_Slice u8) : Libcrux_ml_dsa.Simd.Portable.t_Portab in () in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #FStar.Tactics.Typeclasses.solve () in 
@@ -146,42 +145,42 @@ let deserialize (serialized: t_Slice u8) : Libcrux_ml_dsa.Simd.Portable.t_Portab (Rust_primitives.mk_i32 1 < - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in let _:usize = temp_1_ in true) simd_unit (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = simd_unit in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in let i, bytes:(usize & t_Slice u8) = temp_1_ in let byte0:i32 = cast (bytes.[ Rust_primitives.mk_usize 0 ] <: u8) <: i32 in let byte1:i32 = cast (bytes.[ Rust_primitives.mk_usize 1 ] <: u8) <: i32 in let byte2:i32 = cast (bytes.[ Rust_primitives.mk_usize 2 ] <: u8) <: i32 in let byte3:i32 = cast (bytes.[ Rust_primitives.mk_usize 3 ] <: u8) <: i32 in let byte4:i32 = cast (bytes.[ Rust_primitives.mk_usize 4 ] <: u8) <: i32 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 4 *! i <: usize) ((byte0 |. (byte1 <>! Rust_primitives.mk_i32 2 <: i32) |. (byte2 <>! Rust_primitives.mk_i32 4 <: i32) |. (byte3 <>! Rust_primitives.mk_i32 6 <: i32) |. (byte4 < Prims.l_True) val deserialize (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst index a29af2f59..b93407247 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst @@ -1,5 +1,5 @@ module Libcrux_ml_dsa.Simd.Portable.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul 
@@ -11,505 +11,604 @@ let _ = () let invert_ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta0 zeta1 zeta2 zeta3: i32) - : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + = let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 1 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 0 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 1 + ] + <: + i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 0 + ] + <: + i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 0 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 0 ] <: i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 1 ] + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 1 ] <: i32) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 1) (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 3 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 3 + ] + <: + i32) -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 2 + ] + <: + i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 2 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 3 ] + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 3 ] <: i32) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 3) (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 5 ] <: i32) -! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 5 + ] + <: + i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 4 + ] + <: + i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 4 ] <: i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 5 ] + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 5 ] <: i32) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 5) (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta2 <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 7 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 6 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 7 + ] + <: + i32) -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 6 + ] + <: + i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 6 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 6 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 7 ] + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 7 ] <: i32) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 7) (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta3 <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in simd_unit let invert_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta0 zeta1: i32) - : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + = let 
a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 0 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 2 + ] + <: + i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 0 + ] + <: + i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 0 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 0 ] <: i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 ] + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 2 ] <: i32) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 2) (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 3 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 1 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 3 + ] + <: + i32) -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 1 + ] + <: + i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 1 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 1 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 3 ] + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 3 ] <: i32) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 3) (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 6 ] <: i32) -! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 6 + ] + <: + i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 4 + ] + <: + i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 4 ] <: i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 6 ] + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 6 ] <: i32) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 6) (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 7 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 5 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 7 + ] + <: + i32) -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 5 + ] + <: + i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 5 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 5 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 7 ] + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 7 ] <: i32) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 7) (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in simd_unit -let invert_ntt_at_layer_2_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) (zeta: i32) - : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = +let invert_ntt_at_layer_2_ + (simd_unit: 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + = let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 0 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 4 + ] + <: + i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 0 + ] + <: + i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 0 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 0 ] <: i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 ] + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 4 ] <: i32) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 4) (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 ) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 5 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 1 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 5 + ] + <: + i32) -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 1 + ] + <: + i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 1 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 1 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 5 ] + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 5 ] <: i32) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 5) (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 ) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 6 ] <: i32) -! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 6 + ] + <: + i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 2 + ] + <: + i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 2 ] <: i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 6 ] + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 6 ] <: i32) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 6) (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 ) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 7 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 3 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 7 + ] + <: + i32) -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 3 + ] + <: + i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 3 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 3 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 7 ] + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 7 ] <: i32) <: i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 7) (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 ) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in simd_unit let simd_unit_ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta0 zeta1 zeta2 zeta3: i32) - : 
Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + = let t:i32 = Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 1 ] + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 1 ] <: i32) zeta0 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 0 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 0 ] <: i32) -! t @@ -517,17 +616,18 @@ let simd_unit_ntt_at_layer_0_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 0 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 0 ] <: i32) +! t 
@@ -535,24 +635,25 @@ let simd_unit_ntt_at_layer_0_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let t:i32 = Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 3 ] + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 3 ] <: i32) zeta1 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 2 ] <: i32) -! t @@ -560,17 +661,18 @@ let simd_unit_ntt_at_layer_0_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 2 ] <: i32) +! t 
@@ -578,24 +680,25 @@ let simd_unit_ntt_at_layer_0_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let t:i32 = Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 5 ] + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 5 ] <: i32) zeta2 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 4 ] <: i32) -! t @@ -603,17 +706,18 @@ let simd_unit_ntt_at_layer_0_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 4 ] <: i32) +! t 
@@ -621,24 +725,25 @@ let simd_unit_ntt_at_layer_0_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let t:i32 = Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 7 ] + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 7 ] <: i32) zeta3 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 6 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 6 ] <: i32) -! t @@ -646,17 +751,18 @@ let simd_unit_ntt_at_layer_0_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 6 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 6 ] <: i32) +! t 
@@ -664,26 +770,27 @@ let simd_unit_ntt_at_layer_0_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in simd_unit let ntt_at_layer_0_ (zeta_i: usize) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) - : (usize & t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) - ) = + (re: + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) + = let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 1 in - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & usize) = Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) <: usize) (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & usize) = temp_0_ 
@@ -692,22 +799,23 @@ let ntt_at_layer_0_ true) (re, zeta_i <: - (t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) & usize)) (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & usize) = temp_0_ in let round:usize = round in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round (simd_unit_ntt_at_layer_0_ (re.[ round ] <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! Rust_primitives.mk_usize 1 
@@ -728,39 +836,43 @@ let ntt_at_layer_0_ <: i32) <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 4 in re, zeta_i <: - (t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) & usize)) in let zeta_i:usize = zeta_i -! Rust_primitives.mk_usize 1 in zeta_i, re <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) + (usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) let simd_unit_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta1 zeta2: i32) - : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + = let t:i32 = Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 ] + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 2 ] <: i32) zeta1 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 0 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 0 ] <: i32) -! t 
@@ -768,17 +880,18 @@ let simd_unit_ntt_at_layer_1_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 0 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 0 ] <: i32) +! t @@ -786,24 +899,25 @@ let simd_unit_ntt_at_layer_1_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let t:i32 = Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 3 ] + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 3 ] <: i32) zeta1 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 1 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 1 ] <: i32) -! t 
@@ -811,17 +925,18 @@ let simd_unit_ntt_at_layer_1_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 1 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 1 ] <: i32) +! t @@ -829,24 +944,25 @@ let simd_unit_ntt_at_layer_1_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let t:i32 = Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 6 ] + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 6 ] <: i32) zeta2 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 4 ] <: i32) -! t 
@@ -854,17 +970,18 @@ let simd_unit_ntt_at_layer_1_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 4 ] <: i32) +! t @@ -872,24 +989,25 @@ let simd_unit_ntt_at_layer_1_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let t:i32 = Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 7 ] + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 7 ] <: i32) zeta2 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 5 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 5 ] <: i32) -! t 
@@ -897,17 +1015,18 @@ let simd_unit_ntt_at_layer_1_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 5 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 5 ] <: i32) +! t 
@@ -915,26 +1034,27 @@ let simd_unit_ntt_at_layer_1_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in simd_unit let ntt_at_layer_1_ (zeta_i: usize) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) - : (usize & t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) - ) = + (re: + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) + = let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 1 in - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & usize) = Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) <: usize) (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & usize) = temp_0_ 
@@ -943,22 +1063,23 @@ let ntt_at_layer_1_ true) (re, zeta_i <: - (t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) & usize)) (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & usize) = temp_0_ in let round:usize = round in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round (simd_unit_ntt_at_layer_1_ (re.[ round ] <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! Rust_primitives.mk_usize 1 
@@ -967,39 +1088,43 @@ let ntt_at_layer_1_ <: i32) <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 2 in re, zeta_i <: - (t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) & usize)) in let zeta_i:usize = zeta_i -! Rust_primitives.mk_usize 1 in zeta_i, re <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) + (usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) let simd_unit_ntt_at_layer_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta: i32) - : Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + = let t:i32 = Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 4 ] + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 4 ] <: i32) zeta in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 0 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 0 ] <: i32) -! t 
@@ -1007,17 +1132,18 @@ let simd_unit_ntt_at_layer_2_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 0 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 0 ] <: i32) +! t @@ -1025,24 +1151,25 @@ let simd_unit_ntt_at_layer_2_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let t:i32 = Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 5 ] + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 5 ] <: i32) zeta in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 1 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 1 ] <: i32) -! t 
@@ -1050,17 +1177,18 @@ let simd_unit_ntt_at_layer_2_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 1 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 1 ] <: i32) +! t @@ -1068,24 +1196,25 @@ let simd_unit_ntt_at_layer_2_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let t:i32 = Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 6 ] + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 6 ] <: i32) zeta in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 2 ] <: i32) -! t 
@@ -1093,17 +1222,18 @@ let simd_unit_ntt_at_layer_2_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 2 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 2 ] <: i32) +! t @@ -1111,24 +1241,25 @@ let simd_unit_ntt_at_layer_2_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in let t:i32 = Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 7 ] + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 7 ] <: i32) zeta in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 3 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 3 ] <: i32) -! t 
@@ -1136,17 +1267,18 @@ let simd_unit_ntt_at_layer_2_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { simd_unit with - Libcrux_ml_dsa.Simd.Portable.f_coefficients + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.f_coefficients + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients (Rust_primitives.mk_usize 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.f_coefficients.[ Rust_primitives.mk_usize 3 ] + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize + 3 ] <: i32) +! t 
@@ -1154,25 +1286,26 @@ let simd_unit_ntt_at_layer_2_ i32) } <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit in simd_unit let ntt_at_layer_2_ (zeta_i: usize) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) - : (usize & t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) - ) = - let (re, zeta_i), hax_temp_output:(t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & + (re: + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) + = + let (re, zeta_i), hax_temp_output:(t_Array + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & usize) = Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) <: usize) (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & usize) = temp_0_ 
@@ -1181,108 +1314,131 @@ let ntt_at_layer_2_ true) (re, zeta_i <: - (t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) & usize)) (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & usize) = temp_0_ in let round:usize = round in let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 1 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round (simd_unit_ntt_at_layer_2_ (re.[ round ] <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in re, zeta_i <: - (t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) & usize)) in zeta_i, re <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) + (usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) -let ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) - : t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = +let ntt + (re: + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) + = let zeta_i:usize = Rust_primitives.mk_usize 0 in 
let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) = + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) = ntt_at_layer_3_plus (Rust_primitives.mk_usize 7) zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) = + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) = ntt_at_layer_3_plus (Rust_primitives.mk_usize 6) zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) = + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) = ntt_at_layer_3_plus (Rust_primitives.mk_usize 5) zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) = + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) = ntt_at_layer_3_plus (Rust_primitives.mk_usize 4) zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array 
Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) = + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) = ntt_at_layer_3_plus (Rust_primitives.mk_usize 3) zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) = + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) = ntt_at_layer_2_ zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) = + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) = ntt_at_layer_1_ zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) = + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + 
(Rust_primitives.mk_usize 32)) = ntt_at_layer_0_ zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) = tmp1 in let _:Prims.unit = () in @@ -1290,17 +1446,18 @@ let ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primi let ntt_at_layer_3_plus (v_LAYER zeta_i: usize) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) - : (usize & t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) - ) = + (re: + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) + = let step:usize = Rust_primitives.mk_usize 1 <>! v_LAYER <: usize) (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & usize) = temp_0_ @@ -1309,10 +1466,11 @@ let ntt_at_layer_3_plus true) (re, zeta_i <: - (t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) & usize)) (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & usize) = temp_0_ 
@@ -1324,12 +1482,12 @@ let ntt_at_layer_3_plus Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = Rust_primitives.Hax.Folds.fold_range offset (offset +! step_by <: usize) (fun re temp_1_ -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = re in 
@@ -1337,47 +1495,50 @@ let ntt_at_layer_3_plus true) re (fun re j -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = re in let j:usize = j in - let t:Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.montgomery_multiply_by_fer #Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let t:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.montgomery_multiply_by_fer #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (re.[ j +! step_by <: usize ] <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (j +! 
step_by <: usize) (Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract (re.[ j ] <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) t <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re j (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) t <: - Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in re) in re, zeta_i <: - (t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32) & usize)) in zeta_i, re <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) + (usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti index aa19ed193..66de4b801 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti 
@@ -3,38 +3,99 @@ module Libcrux_ml_dsa.Simd.Portable.Ntt open Core open FStar.Mul +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + val invert_ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta0 zeta1 zeta2 zeta3: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) val invert_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta0 zeta1: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_2_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) (zeta: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit +val invert_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) +val simd_unit_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta0 zeta1 zeta2 zeta3: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_1_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) (zeta1 zeta2: i32) - : Prims.Pure 
Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit +val ntt_at_layer_0_ + (zeta_i: usize) + (re: + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) + : Prims.Pure + (usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) Prims.l_True (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta1 zeta2: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_2_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit) (zeta: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.t_PortableSIMDUnit +val ntt_at_layer_1_ + (zeta_i: usize) + (re: + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) + : Prims.Pure + (usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) Prims.l_True (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_2_ + (zeta_i: usize) + (re: + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) + : Prims.Pure + (usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt + (re: + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) + : Prims.Pure + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_3_plus + (v_LAYER zeta_i: usize) + (re: + t_Array 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) + : Prims.Pure + (usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst index fbba1b226..570bccd7b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst @@ -1,10 +1,9 @@ module Libcrux_ml_dsa.Simd.Portable.Sample -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -let rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (out: t_Slice i32) - : (t_Slice i32 & usize) = +let rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (out: t_Slice i32) = let sampled:usize = Rust_primitives.mk_usize 0 in let out, sampled:(t_Slice i32 & usize) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) @@ -60,8 +59,7 @@ let rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (out: t_Sl let hax_temp_output:usize = sampled in out, hax_temp_output <: (t_Slice i32 & usize) -let rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Slice i32) - : (t_Slice i32 & usize) = +let rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Slice i32) = let sampled:usize = Rust_primitives.mk_usize 0 in let out, sampled:(t_Slice i32 & usize) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) 
@@ -101,8 +99,7 @@ let rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Sl let hax_temp_output:usize = sampled in out, hax_temp_output <: (t_Slice i32 & usize) -let rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (out: t_Slice i32) - : (t_Slice i32 & usize) = +let rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (out: t_Slice i32) = let sampled:usize = Rust_primitives.mk_usize 0 in let out, sampled:(t_Slice i32 & usize) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti index c033e2355..f6a95bc61 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti 
@@ -3,168 +3,248 @@ module Libcrux_ml_dsa.Simd.Portable open Core open FStar.Mul -type t_PortableSIMDUnit = { f_coefficients:t_Array i32 (Rust_primitives.mk_usize 8) } +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable.Vector_type in + () [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations t_PortableSIMDUnit = +let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations +Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = { _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; f_ZERO_pre = (fun (_: Prims.unit) -> true); - f_ZERO_post = (fun (_: Prims.unit) (out: t_PortableSIMDUnit) -> true); - f_ZERO - = - (fun (_: Prims.unit) -> - { - f_coefficients - = - Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 8) - } - <: - t_PortableSIMDUnit); + f_ZERO_post + = + (fun (_: Prims.unit) (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); + f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO ()); f_from_coefficient_array_pre = (fun (array: t_Slice i32) -> true); - f_from_coefficient_array_post = (fun (array: t_Slice i32) (out: t_PortableSIMDUnit) -> true); + f_from_coefficient_array_post + = + (fun (array: t_Slice i32) (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + true); f_from_coefficient_array = (fun (array: t_Slice i32) -> - { - f_coefficients - = - Core.Result.impl__unwrap #(t_Array i32 (Rust_primitives.mk_usize 8)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice i32) - #(t_Array i32 (Rust_primitives.mk_usize 8)) - #FStar.Tactics.Typeclasses.solve - (array.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 8 - } - <: - 
Core.Ops.Range.t_Range usize ] - <: - t_Slice i32) - <: - Core.Result.t_Result (t_Array i32 (Rust_primitives.mk_usize 8)) - Core.Array.t_TryFromSliceError) - } - <: - t_PortableSIMDUnit); - f_to_coefficient_array_pre = (fun (self: t_PortableSIMDUnit) -> true); + Libcrux_ml_dsa.Simd.Portable.Vector_type.from_coefficient_array array); + f_to_coefficient_array_pre + = + (fun (self: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); f_to_coefficient_array_post = - (fun (self: t_PortableSIMDUnit) (out: t_Array i32 (Rust_primitives.mk_usize 8)) -> true); + (fun + (self: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array i32 (Rust_primitives.mk_usize 8)) + -> + true); f_to_coefficient_array = - (fun (self: t_PortableSIMDUnit) -> - Core.Result.impl__unwrap #(t_Array i32 (Rust_primitives.mk_usize 8)) - #Core.Convert.t_Infallible - (Core.Convert.f_try_into #(t_Array i32 (Rust_primitives.mk_usize 8)) - #(t_Array i32 (Rust_primitives.mk_usize 8)) - #FStar.Tactics.Typeclasses.solve - self.f_coefficients - <: - Core.Result.t_Result (t_Array i32 (Rust_primitives.mk_usize 8)) - Core.Convert.t_Infallible)); - f_add_pre = (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> true); + (fun (self: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Vector_type.to_coefficient_array self); + f_add_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_add_post = - (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) (out: t_PortableSIMDUnit) -> true); + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_add = - (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> + (fun + (lhs: 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> Libcrux_ml_dsa.Simd.Portable.Arithmetic.add lhs rhs); - f_subtract_pre = (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> true); + f_subtract_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_subtract_post = - (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) (out: t_PortableSIMDUnit) -> true); + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_subtract = - (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract lhs rhs); - f_montgomery_multiply_by_constant_pre = (fun (simd_unit: t_PortableSIMDUnit) (c: i32) -> true); + f_montgomery_multiply_by_constant_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (c: i32) -> true); f_montgomery_multiply_by_constant_post = - (fun (simd_unit: t_PortableSIMDUnit) (c: i32) (out: t_PortableSIMDUnit) -> true); + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (c: i32) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_montgomery_multiply_by_constant = - (fun (simd_unit: t_PortableSIMDUnit) (c: i32) -> + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (c: i32) -> Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant simd_unit c); - f_montgomery_multiply_pre = (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> true); + 
f_montgomery_multiply_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_montgomery_multiply_post = - (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) (out: t_PortableSIMDUnit) -> true); + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_montgomery_multiply = - (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply lhs rhs); - f_shift_left_then_reduce_pre = (fun (v_SHIFT_BY: i32) (simd_unit: t_PortableSIMDUnit) -> true); + f_shift_left_then_reduce_pre + = + (fun + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_shift_left_then_reduce_post = - (fun (v_SHIFT_BY: i32) (simd_unit: t_PortableSIMDUnit) (out: t_PortableSIMDUnit) -> true); + (fun + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_shift_left_then_reduce = - (fun (v_SHIFT_BY: i32) (simd_unit: t_PortableSIMDUnit) -> + (fun + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> Libcrux_ml_dsa.Simd.Portable.Arithmetic.shift_left_then_reduce v_SHIFT_BY simd_unit); - f_power2round_pre = (fun (simd_unit: t_PortableSIMDUnit) -> true); + f_power2round_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); f_power2round_post = - (fun (simd_unit: t_PortableSIMDUnit) (out: (t_PortableSIMDUnit & t_PortableSIMDUnit)) -> true); + (fun + 
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + -> + true); f_power2round = - (fun (simd_unit: t_PortableSIMDUnit) -> + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> Libcrux_ml_dsa.Simd.Portable.Arithmetic.power2round simd_unit); - f_infinity_norm_exceeds_pre = (fun (simd_unit: t_PortableSIMDUnit) (bound: i32) -> true); + f_infinity_norm_exceeds_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (bound: i32) -> + true); f_infinity_norm_exceeds_post = - (fun (simd_unit: t_PortableSIMDUnit) (bound: i32) (out: bool) -> true); + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (bound: i32) + (out: bool) + -> + true); f_infinity_norm_exceeds = - (fun (simd_unit: t_PortableSIMDUnit) (bound: i32) -> + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (bound: i32) -> Libcrux_ml_dsa.Simd.Portable.Arithmetic.infinity_norm_exceeds simd_unit bound); - f_decompose_pre = (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) -> true); + f_decompose_pre + = + (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + true); f_decompose_post = (fun (v_GAMMA2: i32) - (simd_unit: t_PortableSIMDUnit) - (out: (t_PortableSIMDUnit & t_PortableSIMDUnit)) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) -> true); f_decompose = - (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) -> + (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> Libcrux_ml_dsa.Simd.Portable.Arithmetic.decompose v_GAMMA2 simd_unit); f_compute_hint_pre = - (fun (v_GAMMA2: i32) (low: 
t_PortableSIMDUnit) (high: t_PortableSIMDUnit) -> true); + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_compute_hint_post = (fun (v_GAMMA2: i32) - (low: t_PortableSIMDUnit) - (high: t_PortableSIMDUnit) - (out: (usize & t_PortableSIMDUnit)) + (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) -> true); f_compute_hint = - (fun (v_GAMMA2: i32) (low: t_PortableSIMDUnit) (high: t_PortableSIMDUnit) -> + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> Libcrux_ml_dsa.Simd.Portable.Arithmetic.compute_hint v_GAMMA2 low high); f_use_hint_pre = - (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) (hint: t_PortableSIMDUnit) -> true); + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_use_hint_post = (fun (v_GAMMA2: i32) - (simd_unit: t_PortableSIMDUnit) - (hint: t_PortableSIMDUnit) - (out: t_PortableSIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); f_use_hint = - (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) (hint: t_PortableSIMDUnit) -> + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> Libcrux_ml_dsa.Simd.Portable.Arithmetic.use_hint v_GAMMA2 simd_unit hint); f_rejection_sample_less_than_field_modulus_pre = 
@@ -214,151 +294,247 @@ let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations t_PortableSIMDUnit = let out:t_Slice i32 = tmp0 in let hax_temp_output:usize = out1 in out, hax_temp_output <: (t_Slice i32 & usize)); - f_gamma1_serialize_pre = (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> true); + f_gamma1_serialize_pre + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_gamma1_serialize_post = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> true); f_gamma1_serialize = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize v_OUTPUT_SIZE simd_unit); f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); f_gamma1_deserialize_post = - (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); + (fun + (v_GAMMA1_EXPONENT: usize) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_gamma1_deserialize = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized); f_commitment_serialize_pre = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> true); + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_commitment_serialize_post = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> true); f_commitment_serialize = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.serialize v_OUTPUT_SIZE simd_unit); - f_error_serialize_pre = (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> true); + f_error_serialize_pre + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_error_serialize_post = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> true); f_error_serialize = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize v_OUTPUT_SIZE simd_unit); f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); f_error_deserialize_post = - (fun (v_ETA: usize) (serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); + (fun + (v_ETA: usize) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_error_deserialize = (fun (v_ETA: usize) (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.Error.deserialize v_ETA serialized); - f_t0_serialize_pre = (fun (simd_unit: t_PortableSIMDUnit) -> true); + f_t0_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); f_t0_serialize_post = - (fun (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 (Rust_primitives.mk_usize 13)) -> true); + (fun + (simd_unit: 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array u8 (Rust_primitives.mk_usize 13)) + -> + true); f_t0_serialize = - (fun (simd_unit: t_PortableSIMDUnit) -> + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T0.serialize simd_unit); f_t0_deserialize_pre = (fun (serialized: t_Slice u8) -> true); - f_t0_deserialize_post = (fun (serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); + f_t0_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_t0_deserialize = (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T0.deserialize serialized ); - f_t1_serialize_pre = (fun (simd_unit: t_PortableSIMDUnit) -> true); + f_t1_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); f_t1_serialize_post = - (fun (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 (Rust_primitives.mk_usize 10)) -> true); + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array u8 (Rust_primitives.mk_usize 10)) + -> + true); f_t1_serialize = - (fun (simd_unit: t_PortableSIMDUnit) -> + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T1.serialize simd_unit); f_t1_deserialize_pre = (fun (serialized: t_Slice u8) -> true); - f_t1_deserialize_post = (fun (serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); + f_t1_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_t1_deserialize = (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T1.deserialize serialized ); - f_ntt_at_layer_0_pre + f_ntt_pre = - (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> true - ); - f_ntt_at_layer_0_post + (fun + 
(simd_units: + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) + -> + true); + f_ntt_post + = + (fun + (simd_units: + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) + (out: + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) + -> + true); + f_ntt + = + (fun + (simd_units: + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (Rust_primitives.mk_usize 32)) + -> + Libcrux_ml_dsa.Simd.Portable.Ntt.ntt simd_units); + f_invert_ntt_at_layer_0_pre = (fun - (simd_unit: t_PortableSIMDUnit) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) - (out: t_PortableSIMDUnit) -> true); - f_ntt_at_layer_0_ - = - (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> - Libcrux_ml_dsa.Simd.Portable.Ntt.ntt_at_layer_0_ simd_unit zeta0 zeta1 zeta2 zeta3); - f_ntt_at_layer_1_pre = (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) -> true); - f_ntt_at_layer_1_post - = - (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (out: t_PortableSIMDUnit) -> true - ); - f_ntt_at_layer_1_ - = - (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) -> - Libcrux_ml_dsa.Simd.Portable.Ntt.ntt_at_layer_1_ simd_unit zeta0 zeta1); - f_ntt_at_layer_2_pre = (fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) -> true); - f_ntt_at_layer_2_post - = - (fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) (out: t_PortableSIMDUnit) -> true); - f_ntt_at_layer_2_ - = - (fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) -> - Libcrux_ml_dsa.Simd.Portable.Ntt.ntt_at_layer_2_ simd_unit zeta); - f_invert_ntt_at_layer_0_pre - = - (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> true - ); f_invert_ntt_at_layer_0_post = (fun - (simd_unit: t_PortableSIMDUnit) + (simd_unit: 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) - (out: t_PortableSIMDUnit) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); f_invert_ntt_at_layer_0_ = - (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + -> Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_0_ simd_unit zeta0 zeta1 zeta2 zeta3); f_invert_ntt_at_layer_1_pre = - (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) -> true); + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + -> + true); f_invert_ntt_at_layer_1_post = - (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (out: t_PortableSIMDUnit) -> true - ); + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_invert_ntt_at_layer_1_ = - (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) -> + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + -> Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_1_ simd_unit zeta0 zeta1); - f_invert_ntt_at_layer_2_pre = (fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) -> true); + f_invert_ntt_at_layer_2_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta: i32) -> + true); f_invert_ntt_at_layer_2_post = - (fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) (out: t_PortableSIMDUnit) -> true); + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); f_invert_ntt_at_layer_2_ = - fun 
(simd_unit: t_PortableSIMDUnit) (zeta: i32) -> + fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta: i32) -> Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_2_ simd_unit zeta } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fst index 471cc2b55..5bf547714 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fst 
@@ -1,322 +1,11 @@ module Libcrux_ml_dsa.Simd.Traits -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -class t_Operations (v_Self: Type0) = { - [@@@ FStar.Tactics.Typeclasses.no_method]_super_11581440318597584651:Core.Marker.t_Copy v_Self; - [@@@ FStar.Tactics.Typeclasses.no_method]_super_9442900250278684536:Core.Clone.t_Clone v_Self; - f_ZERO_pre:Prims.unit -> Type0; - f_ZERO_post:Prims.unit -> v_Self -> Type0; - f_ZERO:x0: Prims.unit -> Prims.Pure v_Self (f_ZERO_pre x0) (fun result -> f_ZERO_post x0 result); - f_from_coefficient_array_pre:t_Slice i32 -> Type0; - f_from_coefficient_array_post:t_Slice i32 -> v_Self -> Type0; - f_from_coefficient_array:x0: t_Slice i32 - -> Prims.Pure v_Self - (f_from_coefficient_array_pre x0) - (fun result -> f_from_coefficient_array_post x0 result); - f_to_coefficient_array_pre:v_Self -> Type0; - f_to_coefficient_array_post:v_Self -> t_Array i32 (Rust_primitives.mk_usize 8) -> Type0; - f_to_coefficient_array:x0: v_Self - -> Prims.Pure (t_Array i32 (Rust_primitives.mk_usize 8)) - (f_to_coefficient_array_pre x0) - (fun result -> f_to_coefficient_array_post x0 result); - f_add_pre:v_Self -> v_Self -> Type0; - f_add_post:v_Self -> v_Self -> v_Self -> Type0; - f_add:x0: v_Self -> x1: v_Self - -> Prims.Pure v_Self (f_add_pre x0 x1) (fun result -> f_add_post x0 x1 result); - f_subtract_pre:v_Self -> v_Self -> Type0; - f_subtract_post:v_Self -> v_Self -> v_Self -> Type0; - f_subtract:x0: v_Self -> x1: v_Self - -> Prims.Pure v_Self (f_subtract_pre x0 x1) (fun result -> f_subtract_post x0 x1 result); - f_infinity_norm_exceeds_pre:v_Self -> i32 -> Type0; - f_infinity_norm_exceeds_post:v_Self -> i32 -> bool -> Type0; - f_infinity_norm_exceeds:x0: v_Self -> x1: i32 - -> Prims.Pure bool - (f_infinity_norm_exceeds_pre x0 x1) - (fun result -> f_infinity_norm_exceeds_post x0 x1 result); - f_decompose_pre:v_GAMMA2: i32 -> v_Self -> Type0; - f_decompose_post:v_GAMMA2: i32 -> 
v_Self -> (v_Self & v_Self) -> Type0; - f_decompose:v_GAMMA2: i32 -> x0: v_Self - -> Prims.Pure (v_Self & v_Self) - (f_decompose_pre v_GAMMA2 x0) - (fun result -> f_decompose_post v_GAMMA2 x0 result); - f_compute_hint_pre:v_GAMMA2: i32 -> v_Self -> v_Self -> Type0; - f_compute_hint_post:v_GAMMA2: i32 -> v_Self -> v_Self -> (usize & v_Self) -> Type0; - f_compute_hint:v_GAMMA2: i32 -> x0: v_Self -> x1: v_Self - -> Prims.Pure (usize & v_Self) - (f_compute_hint_pre v_GAMMA2 x0 x1) - (fun result -> f_compute_hint_post v_GAMMA2 x0 x1 result); - f_use_hint_pre:v_GAMMA2: i32 -> v_Self -> v_Self -> Type0; - f_use_hint_post:v_GAMMA2: i32 -> v_Self -> v_Self -> v_Self -> Type0; - f_use_hint:v_GAMMA2: i32 -> x0: v_Self -> x1: v_Self - -> Prims.Pure v_Self - (f_use_hint_pre v_GAMMA2 x0 x1) - (fun result -> f_use_hint_post v_GAMMA2 x0 x1 result); - f_montgomery_multiply_pre:v_Self -> v_Self -> Type0; - f_montgomery_multiply_post:v_Self -> v_Self -> v_Self -> Type0; - f_montgomery_multiply:x0: v_Self -> x1: v_Self - -> Prims.Pure v_Self - (f_montgomery_multiply_pre x0 x1) - (fun result -> f_montgomery_multiply_post x0 x1 result); - f_montgomery_multiply_by_constant_pre:v_Self -> i32 -> Type0; - f_montgomery_multiply_by_constant_post:v_Self -> i32 -> v_Self -> Type0; - f_montgomery_multiply_by_constant:x0: v_Self -> x1: i32 - -> Prims.Pure v_Self - (f_montgomery_multiply_by_constant_pre x0 x1) - (fun result -> f_montgomery_multiply_by_constant_post x0 x1 result); - f_shift_left_then_reduce_pre:v_SHIFT_BY: i32 -> v_Self -> Type0; - f_shift_left_then_reduce_post:v_SHIFT_BY: i32 -> v_Self -> v_Self -> Type0; - f_shift_left_then_reduce:v_SHIFT_BY: i32 -> x0: v_Self - -> Prims.Pure v_Self - (f_shift_left_then_reduce_pre v_SHIFT_BY x0) - (fun result -> f_shift_left_then_reduce_post v_SHIFT_BY x0 result); - f_power2round_pre:v_Self -> Type0; - f_power2round_post:v_Self -> (v_Self & v_Self) -> Type0; - f_power2round:x0: v_Self - -> Prims.Pure (v_Self & v_Self) - (f_power2round_pre x0) - 
(fun result -> f_power2round_post x0 result); - f_rejection_sample_less_than_field_modulus_pre:t_Slice u8 -> t_Slice i32 -> Type0; - f_rejection_sample_less_than_field_modulus_post:t_Slice u8 -> t_Slice i32 -> (t_Slice i32 & usize) - -> Type0; - f_rejection_sample_less_than_field_modulus:x0: t_Slice u8 -> x1: t_Slice i32 - -> Prims.Pure (t_Slice i32 & usize) - (f_rejection_sample_less_than_field_modulus_pre x0 x1) - (fun result -> f_rejection_sample_less_than_field_modulus_post x0 x1 result); - f_rejection_sample_less_than_eta_equals_2_pre:t_Slice u8 -> t_Slice i32 -> Type0; - f_rejection_sample_less_than_eta_equals_2_post:t_Slice u8 -> t_Slice i32 -> (t_Slice i32 & usize) - -> Type0; - f_rejection_sample_less_than_eta_equals_2_:x0: t_Slice u8 -> x1: t_Slice i32 - -> Prims.Pure (t_Slice i32 & usize) - (f_rejection_sample_less_than_eta_equals_2_pre x0 x1) - (fun result -> f_rejection_sample_less_than_eta_equals_2_post x0 x1 result); - f_rejection_sample_less_than_eta_equals_4_pre:t_Slice u8 -> t_Slice i32 -> Type0; - f_rejection_sample_less_than_eta_equals_4_post:t_Slice u8 -> t_Slice i32 -> (t_Slice i32 & usize) - -> Type0; - f_rejection_sample_less_than_eta_equals_4_:x0: t_Slice u8 -> x1: t_Slice i32 - -> Prims.Pure (t_Slice i32 & usize) - (f_rejection_sample_less_than_eta_equals_4_pre x0 x1) - (fun result -> f_rejection_sample_less_than_eta_equals_4_post x0 x1 result); - f_gamma1_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0; - f_gamma1_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0; - f_gamma1_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self - -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE) - (f_gamma1_serialize_pre v_OUTPUT_SIZE x0) - (fun result -> f_gamma1_serialize_post v_OUTPUT_SIZE x0 result); - f_gamma1_deserialize_pre:v_GAMMA1_EXPONENT: usize -> t_Slice u8 -> Type0; - f_gamma1_deserialize_post:v_GAMMA1_EXPONENT: usize -> t_Slice u8 -> v_Self -> Type0; - f_gamma1_deserialize:v_GAMMA1_EXPONENT: usize -> x0: t_Slice u8 - -> 
Prims.Pure v_Self - (f_gamma1_deserialize_pre v_GAMMA1_EXPONENT x0) - (fun result -> f_gamma1_deserialize_post v_GAMMA1_EXPONENT x0 result); - f_commitment_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0; - f_commitment_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0; - f_commitment_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self - -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE) - (f_commitment_serialize_pre v_OUTPUT_SIZE x0) - (fun result -> f_commitment_serialize_post v_OUTPUT_SIZE x0 result); - f_error_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0; - f_error_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0; - f_error_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self - -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE) - (f_error_serialize_pre v_OUTPUT_SIZE x0) - (fun result -> f_error_serialize_post v_OUTPUT_SIZE x0 result); - f_error_deserialize_pre:v_ETA: usize -> t_Slice u8 -> Type0; - f_error_deserialize_post:v_ETA: usize -> t_Slice u8 -> v_Self -> Type0; - f_error_deserialize:v_ETA: usize -> x0: t_Slice u8 - -> Prims.Pure v_Self - (f_error_deserialize_pre v_ETA x0) - (fun result -> f_error_deserialize_post v_ETA x0 result); - f_t0_serialize_pre:v_Self -> Type0; - f_t0_serialize_post:v_Self -> t_Array u8 (Rust_primitives.mk_usize 13) -> Type0; - f_t0_serialize:x0: v_Self - -> Prims.Pure (t_Array u8 (Rust_primitives.mk_usize 13)) - (f_t0_serialize_pre x0) - (fun result -> f_t0_serialize_post x0 result); - f_t0_deserialize_pre:t_Slice u8 -> Type0; - f_t0_deserialize_post:t_Slice u8 -> v_Self -> Type0; - f_t0_deserialize:x0: t_Slice u8 - -> Prims.Pure v_Self (f_t0_deserialize_pre x0) (fun result -> f_t0_deserialize_post x0 result); - f_t1_serialize_pre:v_Self -> Type0; - f_t1_serialize_post:v_Self -> t_Array u8 (Rust_primitives.mk_usize 10) -> Type0; - f_t1_serialize:x0: v_Self - -> Prims.Pure (t_Array u8 (Rust_primitives.mk_usize 10)) - (f_t1_serialize_pre x0) - (fun result -> f_t1_serialize_post x0 
result); - f_t1_deserialize_pre:t_Slice u8 -> Type0; - f_t1_deserialize_post:t_Slice u8 -> v_Self -> Type0; - f_t1_deserialize:x0: t_Slice u8 - -> Prims.Pure v_Self (f_t1_deserialize_pre x0) (fun result -> f_t1_deserialize_post x0 result); - f_ntt_pre:t_Array v_Self (Rust_primitives.mk_usize 32) -> Type0; - f_ntt_post: - t_Array v_Self (Rust_primitives.mk_usize 32) -> - t_Array v_Self (Rust_primitives.mk_usize 32) - -> Type0; - f_ntt:x0: t_Array v_Self (Rust_primitives.mk_usize 32) - -> Prims.Pure (t_Array v_Self (Rust_primitives.mk_usize 32)) - (f_ntt_pre x0) - (fun result -> f_ntt_post x0 result); - f_invert_ntt_at_layer_0_pre:v_Self -> i32 -> i32 -> i32 -> i32 -> Type0; - f_invert_ntt_at_layer_0_post:v_Self -> i32 -> i32 -> i32 -> i32 -> v_Self -> Type0; - f_invert_ntt_at_layer_0_:x0: v_Self -> x1: i32 -> x2: i32 -> x3: i32 -> x4: i32 - -> Prims.Pure v_Self - (f_invert_ntt_at_layer_0_pre x0 x1 x2 x3 x4) - (fun result -> f_invert_ntt_at_layer_0_post x0 x1 x2 x3 x4 result); - f_invert_ntt_at_layer_1_pre:v_Self -> i32 -> i32 -> Type0; - f_invert_ntt_at_layer_1_post:v_Self -> i32 -> i32 -> v_Self -> Type0; - f_invert_ntt_at_layer_1_:x0: v_Self -> x1: i32 -> x2: i32 - -> Prims.Pure v_Self - (f_invert_ntt_at_layer_1_pre x0 x1 x2) - (fun result -> f_invert_ntt_at_layer_1_post x0 x1 x2 result); - f_invert_ntt_at_layer_2_pre:v_Self -> i32 -> Type0; - f_invert_ntt_at_layer_2_post:v_Self -> i32 -> v_Self -> Type0; - f_invert_ntt_at_layer_2_:x0: v_Self -> x1: i32 - -> Prims.Pure v_Self - (f_invert_ntt_at_layer_2_pre x0 x1) - (fun result -> f_invert_ntt_at_layer_2_post x0 x1 result) -} - -let v_COEFFICIENTS_IN_SIMD_UNIT: usize = Rust_primitives.mk_usize 8 - -let v_FIELD_MODULUS: i32 = Rust_primitives.mk_i32 8380417 - -let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = Rust_primitives.mk_u64 58728449 - -let v_SIMD_UNITS_IN_RING_ELEMENT: usize = - Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! 
v_COEFFICIENTS_IN_SIMD_UNIT - -let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (Rust_primitives.mk_usize 256) = - let list = - [ - Rust_primitives.mk_i32 0; Rust_primitives.mk_i32 25847; Rust_primitives.mk_i32 (-2608894); - Rust_primitives.mk_i32 (-518909); Rust_primitives.mk_i32 237124; - Rust_primitives.mk_i32 (-777960); Rust_primitives.mk_i32 (-876248); - Rust_primitives.mk_i32 466468; Rust_primitives.mk_i32 1826347; Rust_primitives.mk_i32 2353451; - Rust_primitives.mk_i32 (-359251); Rust_primitives.mk_i32 (-2091905); - Rust_primitives.mk_i32 3119733; Rust_primitives.mk_i32 (-2884855); - Rust_primitives.mk_i32 3111497; Rust_primitives.mk_i32 2680103; Rust_primitives.mk_i32 2725464; - Rust_primitives.mk_i32 1024112; Rust_primitives.mk_i32 (-1079900); - Rust_primitives.mk_i32 3585928; Rust_primitives.mk_i32 (-549488); - Rust_primitives.mk_i32 (-1119584); Rust_primitives.mk_i32 2619752; - Rust_primitives.mk_i32 (-2108549); Rust_primitives.mk_i32 (-2118186); - Rust_primitives.mk_i32 (-3859737); Rust_primitives.mk_i32 (-1399561); - Rust_primitives.mk_i32 (-3277672); Rust_primitives.mk_i32 1757237; - Rust_primitives.mk_i32 (-19422); Rust_primitives.mk_i32 4010497; Rust_primitives.mk_i32 280005; - Rust_primitives.mk_i32 2706023; Rust_primitives.mk_i32 95776; Rust_primitives.mk_i32 3077325; - Rust_primitives.mk_i32 3530437; Rust_primitives.mk_i32 (-1661693); - Rust_primitives.mk_i32 (-3592148); Rust_primitives.mk_i32 (-2537516); - Rust_primitives.mk_i32 3915439; Rust_primitives.mk_i32 (-3861115); - Rust_primitives.mk_i32 (-3043716); Rust_primitives.mk_i32 3574422; - Rust_primitives.mk_i32 (-2867647); Rust_primitives.mk_i32 3539968; - Rust_primitives.mk_i32 (-300467); Rust_primitives.mk_i32 2348700; - Rust_primitives.mk_i32 (-539299); Rust_primitives.mk_i32 (-1699267); - Rust_primitives.mk_i32 (-1643818); Rust_primitives.mk_i32 3505694; - Rust_primitives.mk_i32 (-3821735); Rust_primitives.mk_i32 3507263; - Rust_primitives.mk_i32 (-2140649); Rust_primitives.mk_i32 (-1600420); 
- Rust_primitives.mk_i32 3699596; Rust_primitives.mk_i32 811944; Rust_primitives.mk_i32 531354; - Rust_primitives.mk_i32 954230; Rust_primitives.mk_i32 3881043; Rust_primitives.mk_i32 3900724; - Rust_primitives.mk_i32 (-2556880); Rust_primitives.mk_i32 2071892; - Rust_primitives.mk_i32 (-2797779); Rust_primitives.mk_i32 (-3930395); - Rust_primitives.mk_i32 (-1528703); Rust_primitives.mk_i32 (-3677745); - Rust_primitives.mk_i32 (-3041255); Rust_primitives.mk_i32 (-1452451); - Rust_primitives.mk_i32 3475950; Rust_primitives.mk_i32 2176455; - Rust_primitives.mk_i32 (-1585221); Rust_primitives.mk_i32 (-1257611); - Rust_primitives.mk_i32 1939314; Rust_primitives.mk_i32 (-4083598); - Rust_primitives.mk_i32 (-1000202); Rust_primitives.mk_i32 (-3190144); - Rust_primitives.mk_i32 (-3157330); Rust_primitives.mk_i32 (-3632928); - Rust_primitives.mk_i32 126922; Rust_primitives.mk_i32 3412210; - Rust_primitives.mk_i32 (-983419); Rust_primitives.mk_i32 2147896; - Rust_primitives.mk_i32 2715295; Rust_primitives.mk_i32 (-2967645); - Rust_primitives.mk_i32 (-3693493); Rust_primitives.mk_i32 (-411027); - Rust_primitives.mk_i32 (-2477047); Rust_primitives.mk_i32 (-671102); - Rust_primitives.mk_i32 (-1228525); Rust_primitives.mk_i32 (-22981); - Rust_primitives.mk_i32 (-1308169); Rust_primitives.mk_i32 (-381987); - Rust_primitives.mk_i32 1349076; Rust_primitives.mk_i32 1852771; - Rust_primitives.mk_i32 (-1430430); Rust_primitives.mk_i32 (-3343383); - Rust_primitives.mk_i32 264944; Rust_primitives.mk_i32 508951; Rust_primitives.mk_i32 3097992; - Rust_primitives.mk_i32 44288; Rust_primitives.mk_i32 (-1100098); Rust_primitives.mk_i32 904516; - Rust_primitives.mk_i32 3958618; Rust_primitives.mk_i32 (-3724342); - Rust_primitives.mk_i32 (-8578); Rust_primitives.mk_i32 1653064; - Rust_primitives.mk_i32 (-3249728); Rust_primitives.mk_i32 2389356; - Rust_primitives.mk_i32 (-210977); Rust_primitives.mk_i32 759969; - Rust_primitives.mk_i32 (-1316856); Rust_primitives.mk_i32 189548; - 
Rust_primitives.mk_i32 (-3553272); Rust_primitives.mk_i32 3159746; - Rust_primitives.mk_i32 (-1851402); Rust_primitives.mk_i32 (-2409325); - Rust_primitives.mk_i32 (-177440); Rust_primitives.mk_i32 1315589; - Rust_primitives.mk_i32 1341330; Rust_primitives.mk_i32 1285669; - Rust_primitives.mk_i32 (-1584928); Rust_primitives.mk_i32 (-812732); - Rust_primitives.mk_i32 (-1439742); Rust_primitives.mk_i32 (-3019102); - Rust_primitives.mk_i32 (-3881060); Rust_primitives.mk_i32 (-3628969); - Rust_primitives.mk_i32 3839961; Rust_primitives.mk_i32 2091667; Rust_primitives.mk_i32 3407706; - Rust_primitives.mk_i32 2316500; Rust_primitives.mk_i32 3817976; - Rust_primitives.mk_i32 (-3342478); Rust_primitives.mk_i32 2244091; - Rust_primitives.mk_i32 (-2446433); Rust_primitives.mk_i32 (-3562462); - Rust_primitives.mk_i32 266997; Rust_primitives.mk_i32 2434439; - Rust_primitives.mk_i32 (-1235728); Rust_primitives.mk_i32 3513181; - Rust_primitives.mk_i32 (-3520352); Rust_primitives.mk_i32 (-3759364); - Rust_primitives.mk_i32 (-1197226); Rust_primitives.mk_i32 (-3193378); - Rust_primitives.mk_i32 900702; Rust_primitives.mk_i32 1859098; Rust_primitives.mk_i32 909542; - Rust_primitives.mk_i32 819034; Rust_primitives.mk_i32 495491; - Rust_primitives.mk_i32 (-1613174); Rust_primitives.mk_i32 (-43260); - Rust_primitives.mk_i32 (-522500); Rust_primitives.mk_i32 (-655327); - Rust_primitives.mk_i32 (-3122442); Rust_primitives.mk_i32 2031748; - Rust_primitives.mk_i32 3207046; Rust_primitives.mk_i32 (-3556995); - Rust_primitives.mk_i32 (-525098); Rust_primitives.mk_i32 (-768622); - Rust_primitives.mk_i32 (-3595838); Rust_primitives.mk_i32 342297; - Rust_primitives.mk_i32 286988; Rust_primitives.mk_i32 (-2437823); - Rust_primitives.mk_i32 4108315; Rust_primitives.mk_i32 3437287; - Rust_primitives.mk_i32 (-3342277); Rust_primitives.mk_i32 1735879; - Rust_primitives.mk_i32 203044; Rust_primitives.mk_i32 2842341; Rust_primitives.mk_i32 2691481; - Rust_primitives.mk_i32 (-2590150); 
Rust_primitives.mk_i32 1265009; - Rust_primitives.mk_i32 4055324; Rust_primitives.mk_i32 1247620; Rust_primitives.mk_i32 2486353; - Rust_primitives.mk_i32 1595974; Rust_primitives.mk_i32 (-3767016); - Rust_primitives.mk_i32 1250494; Rust_primitives.mk_i32 2635921; - Rust_primitives.mk_i32 (-3548272); Rust_primitives.mk_i32 (-2994039); - Rust_primitives.mk_i32 1869119; Rust_primitives.mk_i32 1903435; - Rust_primitives.mk_i32 (-1050970); Rust_primitives.mk_i32 (-1333058); - Rust_primitives.mk_i32 1237275; Rust_primitives.mk_i32 (-3318210); - Rust_primitives.mk_i32 (-1430225); Rust_primitives.mk_i32 (-451100); - Rust_primitives.mk_i32 1312455; Rust_primitives.mk_i32 3306115; - Rust_primitives.mk_i32 (-1962642); Rust_primitives.mk_i32 (-1279661); - Rust_primitives.mk_i32 1917081; Rust_primitives.mk_i32 (-2546312); - Rust_primitives.mk_i32 (-1374803); Rust_primitives.mk_i32 1500165; - Rust_primitives.mk_i32 777191; Rust_primitives.mk_i32 2235880; Rust_primitives.mk_i32 3406031; - Rust_primitives.mk_i32 (-542412); Rust_primitives.mk_i32 (-2831860); - Rust_primitives.mk_i32 (-1671176); Rust_primitives.mk_i32 (-1846953); - Rust_primitives.mk_i32 (-2584293); Rust_primitives.mk_i32 (-3724270); - Rust_primitives.mk_i32 594136; Rust_primitives.mk_i32 (-3776993); - Rust_primitives.mk_i32 (-2013608); Rust_primitives.mk_i32 2432395; - Rust_primitives.mk_i32 2454455; Rust_primitives.mk_i32 (-164721); - Rust_primitives.mk_i32 1957272; Rust_primitives.mk_i32 3369112; Rust_primitives.mk_i32 185531; - Rust_primitives.mk_i32 (-1207385); Rust_primitives.mk_i32 (-3183426); - Rust_primitives.mk_i32 162844; Rust_primitives.mk_i32 1616392; Rust_primitives.mk_i32 3014001; - Rust_primitives.mk_i32 810149; Rust_primitives.mk_i32 1652634; - Rust_primitives.mk_i32 (-3694233); Rust_primitives.mk_i32 (-1799107); - Rust_primitives.mk_i32 (-3038916); Rust_primitives.mk_i32 3523897; - Rust_primitives.mk_i32 3866901; Rust_primitives.mk_i32 269760; Rust_primitives.mk_i32 2213111; - 
Rust_primitives.mk_i32 (-975884); Rust_primitives.mk_i32 1717735; - Rust_primitives.mk_i32 472078; Rust_primitives.mk_i32 (-426683); - Rust_primitives.mk_i32 1723600; Rust_primitives.mk_i32 (-1803090); - Rust_primitives.mk_i32 1910376; Rust_primitives.mk_i32 (-1667432); - Rust_primitives.mk_i32 (-1104333); Rust_primitives.mk_i32 (-260646); - Rust_primitives.mk_i32 (-3833893); Rust_primitives.mk_i32 (-2939036); - Rust_primitives.mk_i32 (-2235985); Rust_primitives.mk_i32 (-420899); - Rust_primitives.mk_i32 (-2286327); Rust_primitives.mk_i32 183443; - Rust_primitives.mk_i32 (-976891); Rust_primitives.mk_i32 1612842; - Rust_primitives.mk_i32 (-3545687); Rust_primitives.mk_i32 (-554416); - Rust_primitives.mk_i32 3919660; Rust_primitives.mk_i32 (-48306); - Rust_primitives.mk_i32 (-1362209); Rust_primitives.mk_i32 3937738; - Rust_primitives.mk_i32 1400424; Rust_primitives.mk_i32 (-846154); - Rust_primitives.mk_i32 1976782 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256); - Rust_primitives.Hax.array_of_list 256 list - let montgomery_multiply_by_fer (#v_S: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_S) (simd_unit: v_S) (fer: i32) - : v_S = f_montgomery_multiply_by_constant #v_S #FStar.Tactics.Typeclasses.solve simd_unit fer + = f_montgomery_multiply_by_constant #v_S #FStar.Tactics.Typeclasses.solve simd_unit fer diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti index 629c4fa90..b18bea023 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti 
@@ -148,24 +148,15 @@ class t_Operations (v_Self: Type0) = { f_t1_deserialize_post:t_Slice u8 -> v_Self -> Type0; f_t1_deserialize:x0: t_Slice u8 -> Prims.Pure v_Self (f_t1_deserialize_pre x0) (fun result -> f_t1_deserialize_post x0 result); - f_ntt_at_layer_0_pre:v_Self -> i32 -> i32 -> i32 -> i32 -> Type0; - f_ntt_at_layer_0_post:v_Self -> i32 -> i32 -> i32 -> i32 -> v_Self -> Type0; - f_ntt_at_layer_0_:x0: v_Self -> x1: i32 -> x2: i32 -> x3: i32 -> x4: i32 - -> Prims.Pure v_Self - (f_ntt_at_layer_0_pre x0 x1 x2 x3 x4) - (fun result -> f_ntt_at_layer_0_post x0 x1 x2 x3 x4 result); - f_ntt_at_layer_1_pre:v_Self -> i32 -> i32 -> Type0; - f_ntt_at_layer_1_post:v_Self -> i32 -> i32 -> v_Self -> Type0; - f_ntt_at_layer_1_:x0: v_Self -> x1: i32 -> x2: i32 - -> Prims.Pure v_Self - (f_ntt_at_layer_1_pre x0 x1 x2) - (fun result -> f_ntt_at_layer_1_post x0 x1 x2 result); - f_ntt_at_layer_2_pre:v_Self -> i32 -> Type0; - f_ntt_at_layer_2_post:v_Self -> i32 -> v_Self -> Type0; - f_ntt_at_layer_2_:x0: v_Self -> x1: i32 - -> Prims.Pure v_Self - (f_ntt_at_layer_2_pre x0 x1) - (fun result -> f_ntt_at_layer_2_post x0 x1 result); + f_ntt_pre:t_Array v_Self (Rust_primitives.mk_usize 32) -> Type0; + f_ntt_post: + t_Array v_Self (Rust_primitives.mk_usize 32) -> + t_Array v_Self (Rust_primitives.mk_usize 32) + -> Type0; + f_ntt:x0: t_Array v_Self (Rust_primitives.mk_usize 32) + -> Prims.Pure (t_Array v_Self (Rust_primitives.mk_usize 32)) + (f_ntt_pre x0) + (fun result -> f_ntt_post x0 result); f_invert_ntt_at_layer_0_pre:v_Self -> i32 -> i32 -> i32 -> i32 -> Type0; f_invert_ntt_at_layer_0_post:v_Self -> i32 -> i32 -> i32 -> i32 -> v_Self -> Type0; f_invert_ntt_at_layer_0_:x0: v_Self -> x1: i32 -> x2: i32 -> x3: i32 -> x4: i32 
@@ -192,5 +183,136 @@ let v_FIELD_MODULUS: i32 = Rust_primitives.mk_i32 8380417 let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = Rust_primitives.mk_u64 58728449 +let v_SIMD_UNITS_IN_RING_ELEMENT: usize = + Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT + +let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (Rust_primitives.mk_usize 256) = + let list = + [ + Rust_primitives.mk_i32 0; Rust_primitives.mk_i32 25847; Rust_primitives.mk_i32 (-2608894); + Rust_primitives.mk_i32 (-518909); Rust_primitives.mk_i32 237124; + Rust_primitives.mk_i32 (-777960); Rust_primitives.mk_i32 (-876248); + Rust_primitives.mk_i32 466468; Rust_primitives.mk_i32 1826347; Rust_primitives.mk_i32 2353451; + Rust_primitives.mk_i32 (-359251); Rust_primitives.mk_i32 (-2091905); + Rust_primitives.mk_i32 3119733; Rust_primitives.mk_i32 (-2884855); + Rust_primitives.mk_i32 3111497; Rust_primitives.mk_i32 2680103; Rust_primitives.mk_i32 2725464; + Rust_primitives.mk_i32 1024112; Rust_primitives.mk_i32 (-1079900); + Rust_primitives.mk_i32 3585928; Rust_primitives.mk_i32 (-549488); + Rust_primitives.mk_i32 (-1119584); Rust_primitives.mk_i32 2619752; + Rust_primitives.mk_i32 (-2108549); Rust_primitives.mk_i32 (-2118186); + Rust_primitives.mk_i32 (-3859737); Rust_primitives.mk_i32 (-1399561); + Rust_primitives.mk_i32 (-3277672); Rust_primitives.mk_i32 1757237; + Rust_primitives.mk_i32 (-19422); Rust_primitives.mk_i32 4010497; Rust_primitives.mk_i32 280005; + Rust_primitives.mk_i32 2706023; Rust_primitives.mk_i32 95776; Rust_primitives.mk_i32 3077325; + Rust_primitives.mk_i32 3530437; Rust_primitives.mk_i32 (-1661693); + Rust_primitives.mk_i32 (-3592148); Rust_primitives.mk_i32 (-2537516); + Rust_primitives.mk_i32 3915439; Rust_primitives.mk_i32 (-3861115); + Rust_primitives.mk_i32 (-3043716); Rust_primitives.mk_i32 3574422; + Rust_primitives.mk_i32 (-2867647); Rust_primitives.mk_i32 3539968; + Rust_primitives.mk_i32 (-300467); Rust_primitives.mk_i32 2348700; + 
Rust_primitives.mk_i32 (-539299); Rust_primitives.mk_i32 (-1699267); + Rust_primitives.mk_i32 (-1643818); Rust_primitives.mk_i32 3505694; + Rust_primitives.mk_i32 (-3821735); Rust_primitives.mk_i32 3507263; + Rust_primitives.mk_i32 (-2140649); Rust_primitives.mk_i32 (-1600420); + Rust_primitives.mk_i32 3699596; Rust_primitives.mk_i32 811944; Rust_primitives.mk_i32 531354; + Rust_primitives.mk_i32 954230; Rust_primitives.mk_i32 3881043; Rust_primitives.mk_i32 3900724; + Rust_primitives.mk_i32 (-2556880); Rust_primitives.mk_i32 2071892; + Rust_primitives.mk_i32 (-2797779); Rust_primitives.mk_i32 (-3930395); + Rust_primitives.mk_i32 (-1528703); Rust_primitives.mk_i32 (-3677745); + Rust_primitives.mk_i32 (-3041255); Rust_primitives.mk_i32 (-1452451); + Rust_primitives.mk_i32 3475950; Rust_primitives.mk_i32 2176455; + Rust_primitives.mk_i32 (-1585221); Rust_primitives.mk_i32 (-1257611); + Rust_primitives.mk_i32 1939314; Rust_primitives.mk_i32 (-4083598); + Rust_primitives.mk_i32 (-1000202); Rust_primitives.mk_i32 (-3190144); + Rust_primitives.mk_i32 (-3157330); Rust_primitives.mk_i32 (-3632928); + Rust_primitives.mk_i32 126922; Rust_primitives.mk_i32 3412210; + Rust_primitives.mk_i32 (-983419); Rust_primitives.mk_i32 2147896; + Rust_primitives.mk_i32 2715295; Rust_primitives.mk_i32 (-2967645); + Rust_primitives.mk_i32 (-3693493); Rust_primitives.mk_i32 (-411027); + Rust_primitives.mk_i32 (-2477047); Rust_primitives.mk_i32 (-671102); + Rust_primitives.mk_i32 (-1228525); Rust_primitives.mk_i32 (-22981); + Rust_primitives.mk_i32 (-1308169); Rust_primitives.mk_i32 (-381987); + Rust_primitives.mk_i32 1349076; Rust_primitives.mk_i32 1852771; + Rust_primitives.mk_i32 (-1430430); Rust_primitives.mk_i32 (-3343383); + Rust_primitives.mk_i32 264944; Rust_primitives.mk_i32 508951; Rust_primitives.mk_i32 3097992; + Rust_primitives.mk_i32 44288; Rust_primitives.mk_i32 (-1100098); Rust_primitives.mk_i32 904516; + Rust_primitives.mk_i32 3958618; Rust_primitives.mk_i32 (-3724342); + 
Rust_primitives.mk_i32 (-8578); Rust_primitives.mk_i32 1653064; + Rust_primitives.mk_i32 (-3249728); Rust_primitives.mk_i32 2389356; + Rust_primitives.mk_i32 (-210977); Rust_primitives.mk_i32 759969; + Rust_primitives.mk_i32 (-1316856); Rust_primitives.mk_i32 189548; + Rust_primitives.mk_i32 (-3553272); Rust_primitives.mk_i32 3159746; + Rust_primitives.mk_i32 (-1851402); Rust_primitives.mk_i32 (-2409325); + Rust_primitives.mk_i32 (-177440); Rust_primitives.mk_i32 1315589; + Rust_primitives.mk_i32 1341330; Rust_primitives.mk_i32 1285669; + Rust_primitives.mk_i32 (-1584928); Rust_primitives.mk_i32 (-812732); + Rust_primitives.mk_i32 (-1439742); Rust_primitives.mk_i32 (-3019102); + Rust_primitives.mk_i32 (-3881060); Rust_primitives.mk_i32 (-3628969); + Rust_primitives.mk_i32 3839961; Rust_primitives.mk_i32 2091667; Rust_primitives.mk_i32 3407706; + Rust_primitives.mk_i32 2316500; Rust_primitives.mk_i32 3817976; + Rust_primitives.mk_i32 (-3342478); Rust_primitives.mk_i32 2244091; + Rust_primitives.mk_i32 (-2446433); Rust_primitives.mk_i32 (-3562462); + Rust_primitives.mk_i32 266997; Rust_primitives.mk_i32 2434439; + Rust_primitives.mk_i32 (-1235728); Rust_primitives.mk_i32 3513181; + Rust_primitives.mk_i32 (-3520352); Rust_primitives.mk_i32 (-3759364); + Rust_primitives.mk_i32 (-1197226); Rust_primitives.mk_i32 (-3193378); + Rust_primitives.mk_i32 900702; Rust_primitives.mk_i32 1859098; Rust_primitives.mk_i32 909542; + Rust_primitives.mk_i32 819034; Rust_primitives.mk_i32 495491; + Rust_primitives.mk_i32 (-1613174); Rust_primitives.mk_i32 (-43260); + Rust_primitives.mk_i32 (-522500); Rust_primitives.mk_i32 (-655327); + Rust_primitives.mk_i32 (-3122442); Rust_primitives.mk_i32 2031748; + Rust_primitives.mk_i32 3207046; Rust_primitives.mk_i32 (-3556995); + Rust_primitives.mk_i32 (-525098); Rust_primitives.mk_i32 (-768622); + Rust_primitives.mk_i32 (-3595838); Rust_primitives.mk_i32 342297; + Rust_primitives.mk_i32 286988; Rust_primitives.mk_i32 (-2437823); + 
Rust_primitives.mk_i32 4108315; Rust_primitives.mk_i32 3437287; + Rust_primitives.mk_i32 (-3342277); Rust_primitives.mk_i32 1735879; + Rust_primitives.mk_i32 203044; Rust_primitives.mk_i32 2842341; Rust_primitives.mk_i32 2691481; + Rust_primitives.mk_i32 (-2590150); Rust_primitives.mk_i32 1265009; + Rust_primitives.mk_i32 4055324; Rust_primitives.mk_i32 1247620; Rust_primitives.mk_i32 2486353; + Rust_primitives.mk_i32 1595974; Rust_primitives.mk_i32 (-3767016); + Rust_primitives.mk_i32 1250494; Rust_primitives.mk_i32 2635921; + Rust_primitives.mk_i32 (-3548272); Rust_primitives.mk_i32 (-2994039); + Rust_primitives.mk_i32 1869119; Rust_primitives.mk_i32 1903435; + Rust_primitives.mk_i32 (-1050970); Rust_primitives.mk_i32 (-1333058); + Rust_primitives.mk_i32 1237275; Rust_primitives.mk_i32 (-3318210); + Rust_primitives.mk_i32 (-1430225); Rust_primitives.mk_i32 (-451100); + Rust_primitives.mk_i32 1312455; Rust_primitives.mk_i32 3306115; + Rust_primitives.mk_i32 (-1962642); Rust_primitives.mk_i32 (-1279661); + Rust_primitives.mk_i32 1917081; Rust_primitives.mk_i32 (-2546312); + Rust_primitives.mk_i32 (-1374803); Rust_primitives.mk_i32 1500165; + Rust_primitives.mk_i32 777191; Rust_primitives.mk_i32 2235880; Rust_primitives.mk_i32 3406031; + Rust_primitives.mk_i32 (-542412); Rust_primitives.mk_i32 (-2831860); + Rust_primitives.mk_i32 (-1671176); Rust_primitives.mk_i32 (-1846953); + Rust_primitives.mk_i32 (-2584293); Rust_primitives.mk_i32 (-3724270); + Rust_primitives.mk_i32 594136; Rust_primitives.mk_i32 (-3776993); + Rust_primitives.mk_i32 (-2013608); Rust_primitives.mk_i32 2432395; + Rust_primitives.mk_i32 2454455; Rust_primitives.mk_i32 (-164721); + Rust_primitives.mk_i32 1957272; Rust_primitives.mk_i32 3369112; Rust_primitives.mk_i32 185531; + Rust_primitives.mk_i32 (-1207385); Rust_primitives.mk_i32 (-3183426); + Rust_primitives.mk_i32 162844; Rust_primitives.mk_i32 1616392; Rust_primitives.mk_i32 3014001; + Rust_primitives.mk_i32 810149; Rust_primitives.mk_i32 
1652634; + Rust_primitives.mk_i32 (-3694233); Rust_primitives.mk_i32 (-1799107); + Rust_primitives.mk_i32 (-3038916); Rust_primitives.mk_i32 3523897; + Rust_primitives.mk_i32 3866901; Rust_primitives.mk_i32 269760; Rust_primitives.mk_i32 2213111; + Rust_primitives.mk_i32 (-975884); Rust_primitives.mk_i32 1717735; + Rust_primitives.mk_i32 472078; Rust_primitives.mk_i32 (-426683); + Rust_primitives.mk_i32 1723600; Rust_primitives.mk_i32 (-1803090); + Rust_primitives.mk_i32 1910376; Rust_primitives.mk_i32 (-1667432); + Rust_primitives.mk_i32 (-1104333); Rust_primitives.mk_i32 (-260646); + Rust_primitives.mk_i32 (-3833893); Rust_primitives.mk_i32 (-2939036); + Rust_primitives.mk_i32 (-2235985); Rust_primitives.mk_i32 (-420899); + Rust_primitives.mk_i32 (-2286327); Rust_primitives.mk_i32 183443; + Rust_primitives.mk_i32 (-976891); Rust_primitives.mk_i32 1612842; + Rust_primitives.mk_i32 (-3545687); Rust_primitives.mk_i32 (-554416); + Rust_primitives.mk_i32 3919660; Rust_primitives.mk_i32 (-48306); + Rust_primitives.mk_i32 (-1362209); Rust_primitives.mk_i32 3937738; + Rust_primitives.mk_i32 1400424; Rust_primitives.mk_i32 (-846154); + Rust_primitives.mk_i32 1976782 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256); + Rust_primitives.Hax.array_of_list 256 list + val montgomery_multiply_by_fer (#v_S: Type0) {| i1: t_Operations v_S |} (simd_unit: v_S) (fer: i32) : Prims.Pure v_S Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst index 0493ef835..ec1147591 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst 
@@ -1,43 +1,34 @@ module Libcrux_ml_dsa.Types -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -/// The number of bytes -let impl__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () -/// The number of bytes -let impl_2__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE +let impl__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -/// The number of bytes -let impl_4__len (v_SIZE: usize) (_: Prims.unit) : usize = v_SIZE +let impl_2__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -///An ML-DSA signature. -type t_MLDSASignature (v_SIZE: usize) = - | MLDSASignature : t_Array u8 v_SIZE -> t_MLDSASignature v_SIZE +let impl_4__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -/// A reference to the raw byte slice. -let impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) : t_Slice u8 = - self._0 <: t_Slice u8 +let t_SigningError_cast_to_repr (x: t_SigningError) = + match x with + | SigningError_RejectionSamplingError -> Rust_primitives.mk_isize 0 + | SigningError_ContextTooLongError -> Rust_primitives.mk_isize 1 -///An ML-DSA signature key. -type t_MLDSASigningKey (v_SIZE: usize) = - | MLDSASigningKey : t_Array u8 v_SIZE -> t_MLDSASigningKey v_SIZE +let t_VerificationError_cast_to_repr (x: t_VerificationError) = + match x with + | VerificationError_MalformedHintError -> Rust_primitives.mk_isize 0 + | VerificationError_SignerResponseExceedsBoundError -> Rust_primitives.mk_isize 1 + | VerificationError_CommitmentHashesDontMatchError -> Rust_primitives.mk_isize 3 + | VerificationError_ContextTooLongError -> Rust_primitives.mk_isize 6 -/// A reference to the raw byte slice. 
-let impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) : t_Slice u8 = - self._0 <: t_Slice u8 +let impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self._0 <: t_Slice u8 -///An ML-DSA verification key. -type t_MLDSAVerificationKey (v_SIZE: usize) = - | MLDSAVerificationKey : t_Array u8 v_SIZE -> t_MLDSAVerificationKey v_SIZE +let impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self._0 <: t_Slice u8 -/// A reference to the raw byte slice. -let impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) : t_Slice u8 = - self._0 <: t_Slice u8 - -/// An ML-DSA key pair. -type t_MLDSAKeyPair (v_VERIFICATION_KEY_SIZE: usize) (v_SIGNING_KEY_SIZE: usize) = { - f_signing_key:t_MLDSASigningKey v_SIGNING_KEY_SIZE; - f_verification_key:t_MLDSAVerificationKey v_VERIFICATION_KEY_SIZE -} +let impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = self._0 <: t_Slice u8
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti
index 9ad1e315d..e1c781c13 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti
@@ -3,6 +3,12 @@ module Libcrux_ml_dsa.Types open Core open FStar.Mul +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + /// The number of bytes val impl__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True)
@@ -14,6 +20,22 @@ val impl_2__len: v_SIZE: usize -> Prims.unit val impl_4__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) +type t_SigningError = + | SigningError_RejectionSamplingError : t_SigningError + | SigningError_ContextTooLongError : t_SigningError + +val t_SigningError_cast_to_repr (x: t_SigningError) + : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) + +type t_VerificationError = + | VerificationError_MalformedHintError : t_VerificationError + | VerificationError_SignerResponseExceedsBoundError : t_VerificationError + | VerificationError_CommitmentHashesDontMatchError : t_VerificationError + | VerificationError_ContextTooLongError : t_VerificationError + +val t_VerificationError_cast_to_repr (x: t_VerificationError) + : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) + ///An ML-DSA signature. type t_MLDSASignature (v_SIZE: usize) = | MLDSASignature : t_Array u8 v_SIZE -> t_MLDSASignature v_SIZE
@@ -43,3 +65,13 @@ type t_MLDSAKeyPair (v_VERIFICATION_KEY_SIZE: usize) (v_SIGNING_KEY_SIZE: usize) f_signing_key:t_MLDSASigningKey v_SIGNING_KEY_SIZE; f_verification_key:t_MLDSAVerificationKey v_VERIFICATION_KEY_SIZE } + +type t_Signature + (v_SIMDUnit: Type0) (v_COMMITMENT_HASH_SIZE: usize) (v_COLUMNS_IN_A: usize) (v_ROWS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + = { + f_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE; + f_signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A; + f_hint:t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A +}
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst
index 13b18355d..02b37aa5a 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst
@@ -1,10 +1,9 @@ module Libcrux_ml_dsa.Utils -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -/// Pad the `slice` with `0`s at the end. -let into_padded_array (v_LEN: usize) (slice: t_Slice u8) : t_Array u8 v_LEN = +let into_padded_array (v_LEN: usize) (slice: t_Slice u8) = let _:Prims.unit = if true then
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph b/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph
index 4f0f1efe3..2c831085a 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph
@@ -3,30 +3,14 @@ digraph { "fstar_reflection_const" -> "fstar_pervasives" "fstar_reflection_const" -> "prims" "fstar_reflection_const" -> "prims" - "rust_primitives_hax_folds" -> "fstar_math_lemmas" - "rust_primitives_hax_folds" -> "fstar_math_lemmas" - "rust_primitives_hax_folds" -> "lib_inttypes" - "rust_primitives_hax_folds" -> "lib_inttypes" - "rust_primitives_hax_folds" -> "fstar_seq" - "rust_primitives_hax_folds" -> "fstar_seq" - "rust_primitives_hax_folds" -> "fstar_mul" - "rust_primitives_hax_folds" -> "fstar_mul" - "rust_primitives_hax_folds" -> "core_ops_range" - "rust_primitives_hax_folds" -> "rust_primitives" - "rust_primitives_hax_folds" -> "rust_primitives" - "rust_primitives_hax_folds" -> "fstar_pervasives" - "rust_primitives_hax_folds" -> "fstar_pervasives" - "rust_primitives_hax_folds" -> "prims" - "rust_primitives_hax_folds" -> "prims" - "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_ml_dsa_generic" "libcrux_ml_dsa_ml_dsa_87__portable" -> "core_result" "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87__portable" -> "core" "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_87__portable" -> "prims" - "libcrux_ml_dsa_ntt" -> "fstar_int32" - "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_ntt" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_ntt" -> "rust_primitives_hax_monomorphized_update_at" 
@@ -34,6 +18,8 @@ digraph { "libcrux_ml_dsa_ntt" -> "fstar_pervasives_native" "libcrux_ml_dsa_ntt" -> "core_slice" "libcrux_ml_dsa_ntt" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_ntt" -> "rust_primitives" + "libcrux_ml_dsa_ntt" -> "rust_primitives" "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_ntt" -> "fstar_tactics_typeclasses" @@ -49,19 +35,9 @@ digraph { "libcrux_ml_dsa_ntt" -> "prims" "libcrux_ml_dsa_ntt" -> "prims" "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_ntt" - "libcrux_sha3_portable" -> "libcrux_sha3_generic_keccak" - "libcrux_sha3_portable" -> "libcrux_sha3_generic_keccak" - "libcrux_sha3_portable" -> "fstar_mul" - "libcrux_sha3_portable" -> "fstar_mul" - "libcrux_sha3_portable" -> "core" - "libcrux_sha3_portable" -> "core" - "libcrux_sha3_portable" -> "fstar_pervasives" - "libcrux_sha3_portable" -> "fstar_pervasives" - "libcrux_sha3_portable" -> "prims" - "libcrux_sha3_portable" -> "prims" - "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_int32" - "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" + "libcrux_ml_dsa_ml_dsa_44_" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_44_" -> "core" "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_pervasives" 
@@ -71,6 +47,24 @@ digraph { "fstar_functionalextensionality" -> "fstar_pervasives" "fstar_functionalextensionality" -> "prims" "fstar_functionalextensionality" -> "prims" + "core_ops_range" -> "rust_primitives_hax" + "core_ops_range" -> "rust_primitives_hax" + "core_ops_range" -> "fstar_seq" + "core_ops_range" -> "fstar_seq" + "core_ops_range" -> "core_ops_index" + "core_ops_range" -> "core_ops_index" + "core_ops_range" -> "fstar_tactics_typeclasses" + "core_ops_range" -> "fstar_tactics_typeclasses" + "core_ops_range" -> "fstar_pervasives_native" + "core_ops_range" -> "fstar_pervasives_native" + "core_ops_range" -> "core_iter_traits_iterator" + "core_ops_range" -> "core_iter_traits_iterator" + "core_ops_range" -> "rust_primitives" + "core_ops_range" -> "rust_primitives" + "core_ops_range" -> "fstar_pervasives" + "core_ops_range" -> "fstar_pervasives" + "core_ops_range" -> "prims" + "core_ops_range" -> "prims" "fstar_bitvector" -> "fstar_seq" "fstar_bitvector" -> "fstar_seq" "fstar_bitvector" -> "fstar_mul" 
@@ -85,33 +79,29 @@ digraph { "fstar_sealed_inhabited" -> "fstar_pervasives" "fstar_sealed_inhabited" -> "prims" "fstar_sealed_inhabited" -> "prims" - "core" -> "core_ops" - "core" -> "core_ops" - "core" -> "core_iter" - "core" -> "core_num" - "core" -> "rust_primitives" - "core" -> "rust_primitives" - "core" -> "fstar_pervasives" - "core" -> "fstar_pervasives" - "core" -> "prims" - "core" -> "prims" - "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" - "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" - "libcrux_sha3_generic_keccak" -> "fstar_mul" - "libcrux_sha3_generic_keccak" -> "fstar_mul" - "libcrux_sha3_generic_keccak" -> "core" - "libcrux_sha3_generic_keccak" -> "core" - "libcrux_sha3_generic_keccak" -> "fstar_pervasives" - "libcrux_sha3_generic_keccak" -> "fstar_pervasives" - "libcrux_sha3_generic_keccak" -> "prims" - "libcrux_sha3_generic_keccak" -> "prims" - "libcrux_sha3_generic_keccak" -> "libcrux_sha3_generic_keccak" + "core_fmt" -> "core_fmt_rt" + "core_fmt" -> "fstar_tactics_typeclasses" + "core_fmt" -> "fstar_tactics_typeclasses" + "core_fmt" -> "core_result" + "core_fmt" -> "core_result" + "core_fmt" -> "rust_primitives" + "core_fmt" -> "rust_primitives" + "core_fmt" -> "fstar_pervasives" + "core_fmt" -> "fstar_pervasives" + "core_fmt" -> "prims" + "core_fmt" -> "prims" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" - "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" 
"libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" "fstar_reflection_v1_derived" -> "fstar_list_tot_base" "fstar_reflection_v1_derived" -> "fstar_list_tot_base" "fstar_reflection_v1_derived" -> "fstar_pervasives_native" 
@@ -144,6 +134,25 @@ digraph { "fstar_tactics_v1_logic" -> "fstar_pervasives" "fstar_tactics_v1_logic" -> "prims" "fstar_tactics_v1_logic" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_ml_dsa_simd_avx2_vector_type" "fstar_uint8" -> "fstar_uint32" "fstar_uint8" -> "fstar_uint32" "fstar_uint8" -> "fstar_mul" 
@@ -173,66 +182,89 @@ digraph { "fstar_tactics_bv" -> "prims" "fstar_tactics_bv" -> "prims" "fstar_tactics_bv" -> "fstar_tactics_bv" + "libcrux_platform_platform" -> "fstar_mul" + "libcrux_platform_platform" -> "core" + "libcrux_platform_platform" -> "fstar_pervasives" + "libcrux_platform_platform" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_convert" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_convert" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_result" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_result" - "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int64" - "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int8" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_ops_range" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "hax_lib" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "hax_lib" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_slice" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_ml_dsa_constants" - "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> 
"libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_ml_dsa_simd_avx2_encoding_t0" - "core_iter" -> "rust_primitives_arrays" - "core_iter" -> "rust_primitives_arrays" - "core_iter" -> "core_ops_range" - "core_iter" -> "core_iter_adapters_step_by" - "core_iter" -> "core_iter_adapters_step_by" - "core_iter" -> "fstar_pervasives_native" - "core_iter" -> "fstar_pervasives_native" - "core_iter" -> "core_ops" - "core_iter" -> "core_ops" - "core_iter" -> "fstar_tactics_typeclasses" - "core_iter" -> "fstar_tactics_typeclasses" - "core_iter" -> "core_iter_adapters_enumerate" - "core_iter" -> "core_iter_adapters_enumerate" - "core_iter" -> "core_iter_traits_iterator" - "core_iter" -> "core_iter_traits_iterator" - "core_iter" -> "rust_primitives" - "core_iter" -> "rust_primitives" - "core_iter" -> "fstar_pervasives" - "core_iter" -> "fstar_pervasives" - "core_iter" -> "prims" - "core_iter" -> "prims" + "rust_primitives_arrays" -> "fstar_pervasives_native" + "rust_primitives_arrays" -> "fstar_pervasives_native" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_mul" + "rust_primitives_arrays" -> "fstar_mul" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> 
"rust_primitives_integers" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_num" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_ops_range" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_encoding_error" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" + 
"libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "prims" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" - "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_ml_dsa_generic" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "core_result" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "core" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_pervasives" @@ -245,6 +277,19 @@ digraph { "fstar_seq" -> "fstar_pervasives" "fstar_seq" -> "prims" "fstar_seq" -> "prims" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "rust_primitives_arrays" "fstar_int64" -> "fstar_uint" "fstar_int64" -> "fstar_uint" "fstar_int64" -> "fstar_uint32" 
@@ -257,6 +302,28 @@ digraph { "fstar_int64" -> "fstar_pervasives" "fstar_int64" -> "prims" "fstar_int64" -> "prims" + "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" + "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" + "core_iter_traits_iterator" -> "core_iter_adapters_step_by" + "core_iter_traits_iterator" -> "core_iter_adapters_step_by" + "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" + "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" + "core_iter_traits_iterator" -> "rust_primitives" + "core_iter_traits_iterator" -> "rust_primitives" + "core_iter_traits_iterator" -> "fstar_pervasives" + "core_iter_traits_iterator" -> "fstar_pervasives" + "core_iter_traits_iterator" -> "prims" + "core_iter_traits_iterator" -> "prims" + "core_slice_iter" -> "rust_primitives" + "core_slice_iter" -> "rust_primitives" + "core_slice_iter" -> "fstar_pervasives" + "core_slice_iter" -> "fstar_pervasives" + "core_slice_iter" -> "prims" + "core_slice_iter" -> "prims" + "core_option" -> "fstar_pervasives" + "core_option" -> "fstar_pervasives" + "core_option" -> "prims" + "core_option" -> "prims" "fstar_tactics_bv_lemmas" -> "fstar_uint" "fstar_tactics_bv_lemmas" -> "fstar_uint" "fstar_tactics_bv_lemmas" -> "fstar_bv" 
@@ -265,18 +332,16 @@ digraph { "fstar_tactics_bv_lemmas" -> "fstar_pervasives" "fstar_tactics_bv_lemmas" -> "prims" "fstar_tactics_bv_lemmas" -> "prims" - "libcrux_sha3_generic_keccak" -> "fstar_tactics_typeclasses" - "libcrux_sha3_generic_keccak" -> "fstar_tactics_typeclasses" - "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" - "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" - "libcrux_sha3_generic_keccak" -> "fstar_mul" - "libcrux_sha3_generic_keccak" -> "fstar_mul" - "libcrux_sha3_generic_keccak" -> "core" - "libcrux_sha3_generic_keccak" -> "core" - "libcrux_sha3_generic_keccak" -> "fstar_pervasives" - "libcrux_sha3_generic_keccak" -> "fstar_pervasives" - "libcrux_sha3_generic_keccak" -> "prims" - "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_portable_incremental" -> "libcrux_sha3_portable" + "libcrux_sha3_portable_incremental" -> "libcrux_sha3_portable" + "libcrux_sha3_portable_incremental" -> "fstar_mul" + "libcrux_sha3_portable_incremental" -> "fstar_mul" + "libcrux_sha3_portable_incremental" -> "core" + "libcrux_sha3_portable_incremental" -> "core" + "libcrux_sha3_portable_incremental" -> "fstar_pervasives" + "libcrux_sha3_portable_incremental" -> "fstar_pervasives" + "libcrux_sha3_portable_incremental" -> "prims" + "libcrux_sha3_portable_incremental" -> "prims" "fstar_uint" -> "fstar_seq_base" "fstar_uint" -> "fstar_seq_base" "fstar_uint" -> "fstar_math_lemmas" 
@@ -314,39 +379,34 @@ digraph { "fstar_reflection_v2_arith" -> "prims" "fstar_reflection_v2_arith" -> "prims" "lib_sequence" -> "fstar_pervasives_native" + "lib_sequence" -> "fstar_pervasives_native" "lib_sequence" -> "fstar_math_lemmas" + "lib_sequence" -> "fstar_math_lemmas" + "lib_sequence" -> "lib_loopcombinators" "lib_sequence" -> "lib_loopcombinators" "lib_sequence" -> "fstar_list_tot" + "lib_sequence" -> "fstar_list_tot" + "lib_sequence" -> "fstar_seq" "lib_sequence" -> "fstar_seq" "lib_sequence" -> "lib_inttypes" + "lib_sequence" -> "lib_inttypes" "lib_sequence" -> "fstar_mul" + "lib_sequence" -> "fstar_mul" + "lib_sequence" -> "fstar_pervasives" "lib_sequence" -> "fstar_pervasives" "lib_sequence" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "fstar_mul" - "libcrux_intrinsics_avx2_extract" -> "core" - "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" - "libcrux_intrinsics_avx2_extract" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "libcrux_intrinsics_avx2_extract" - "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_ml_dsa_generic" + "lib_sequence" -> "prims" "libcrux_ml_dsa_ml_dsa_65_" -> "core_result" "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_types" - "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_65_" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65_" -> "core" "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_65_" -> "prims" - "core_ops_arith" -> "fstar_tactics_typeclasses" - "core_ops_arith" -> "fstar_tactics_typeclasses" - "core_ops_arith" -> "rust_primitives" - "core_ops_arith" -> "rust_primitives" - "core_ops_arith" -> "fstar_pervasives" - "core_ops_arith" -> "fstar_pervasives" - "core_ops_arith" -> "prims" - "core_ops_arith" -> "prims" - "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_int32" - "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" "libcrux_ml_dsa_ml_dsa_87_" -> 
"libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" + "libcrux_ml_dsa_ml_dsa_87_" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87_" -> "core" "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_pervasives" @@ -356,6 +416,8 @@ digraph { "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives" "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_gamma1" -> "fstar_mul" 
@@ -366,19 +428,32 @@ digraph { "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives" "libcrux_ml_dsa_encoding_gamma1" -> "prims" "libcrux_ml_dsa_encoding_gamma1" -> "prims" - "libcrux_platform_platform" -> "fstar_mul" - "libcrux_platform_platform" -> "core" - "libcrux_platform_platform" -> "fstar_pervasives" - "libcrux_platform_platform" -> "prims" - "core_result" -> "fstar_pervasives" - "core_result" -> "fstar_pervasives" - "core_result" -> "prims" - "core_result" -> "prims" "fstar_pervasives" -> "prims" "fstar_pervasives" -> "prims" "fstar_pervasives" -> "fstar_pervasives" + "rust_primitives_hax" -> "fstar_list_tot" + "rust_primitives_hax" -> "fstar_list_tot" + "rust_primitives_hax" -> "lib_inttypes" + "rust_primitives_hax" -> "lib_inttypes" + "rust_primitives_hax" -> "core_slice" + "rust_primitives_hax" -> "fstar_tactics_typeclasses" + "rust_primitives_hax" -> "fstar_tactics_typeclasses" + "rust_primitives_hax" -> "core_ops_index" + "rust_primitives_hax" -> "core_ops_index" + "rust_primitives_hax" -> "fstar_seq" + "rust_primitives_hax" -> "fstar_seq" + "rust_primitives_hax" -> "rust_primitives_arrays" + "rust_primitives_hax" -> "rust_primitives_arrays" + "rust_primitives_hax" -> "rust_primitives_integers" + "rust_primitives_hax" -> "rust_primitives_integers" + "rust_primitives_hax" -> "fstar_pervasives" + "rust_primitives_hax" -> "fstar_pervasives" + "rust_primitives_hax" -> "prims" + "rust_primitives_hax" -> "prims" "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives_hax" "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives" "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_mul" 
@@ -397,10 +472,14 @@ digraph { "fstar_squash" -> "fstar_pervasives" "fstar_squash" -> "prims" "fstar_squash" -> "prims" - "libcrux_ml_dsa_simd_traits" -> "fstar_uint64" - "libcrux_ml_dsa_simd_traits" -> "fstar_uint64" - "libcrux_ml_dsa_simd_traits" -> "fstar_int32" - "libcrux_ml_dsa_simd_traits" -> "fstar_int32" + "libcrux_ml_dsa_simd_traits" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_traits" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_traits" -> "fstar_list_tot" + "libcrux_ml_dsa_simd_traits" -> "fstar_list_tot" + "libcrux_ml_dsa_simd_traits" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_traits" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_traits" -> "rust_primitives" + "libcrux_ml_dsa_simd_traits" -> "rust_primitives" "libcrux_ml_dsa_simd_traits" -> "core_clone" "libcrux_ml_dsa_simd_traits" -> "core_clone" "libcrux_ml_dsa_simd_traits" -> "core_marker" 
@@ -415,35 +494,53 @@ digraph { "libcrux_ml_dsa_simd_traits" -> "fstar_pervasives" "libcrux_ml_dsa_simd_traits" -> "prims" "libcrux_ml_dsa_simd_traits" -> "prims" - "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_int32" - "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65__neon" -> "core" "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_65__neon" -> "prims" "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_ml_dsa_65__neon" "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_encoding_t0" -> "core_iter_adapters_enumerate" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_adapters_enumerate" "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_iterator" "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_iterator" "libcrux_ml_dsa_encoding_t0" -> "core_option" + "libcrux_ml_dsa_encoding_t0" -> "core_option" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives_native" "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives_native" "libcrux_ml_dsa_encoding_t0" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_t0" -> "core_slice_iter" "libcrux_ml_dsa_encoding_t0" -> "core_slice" "libcrux_ml_dsa_encoding_t0" -> "core_ops_range" "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_folds" - 
"libcrux_ml_dsa_encoding_t0" -> "fstar_uint8" "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives" "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t0" -> "fstar_mul" "libcrux_ml_dsa_encoding_t0" -> "fstar_mul" "libcrux_ml_dsa_encoding_t0" -> "core" + "libcrux_ml_dsa_encoding_t0" -> "core" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives" "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives" "libcrux_ml_dsa_encoding_t0" -> "prims" + "libcrux_ml_dsa_encoding_t0" -> "prims" "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_encoding_t0" "fstar_heap" -> "fstar_preorder" "fstar_heap" -> "fstar_preorder" @@ -475,6 +572,7 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_platform_platform" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "core" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_pervasives" 
@@ -485,30 +583,6 @@ digraph { "fstar_ghost" -> "prims" "fstar_ghost" -> "prims" "fstar_ghost" -> "fstar_ghost" - "rust_primitives_bitvectors" -> "fstar_uint8" - "rust_primitives_bitvectors" -> "fstar_uint8" - "rust_primitives_bitvectors" -> "fstar_uint16" - "rust_primitives_bitvectors" -> "fstar_uint16" - "rust_primitives_bitvectors" -> "fstar_uint32" - "rust_primitives_bitvectors" -> "fstar_uint32" - "rust_primitives_bitvectors" -> "fstar_int16" - "rust_primitives_bitvectors" -> "fstar_int16" - "rust_primitives_bitvectors" -> "fstar_int32" - "rust_primitives_bitvectors" -> "fstar_int32" - "rust_primitives_bitvectors" -> "fstar_seq" - "rust_primitives_bitvectors" -> "fstar_seq" - "rust_primitives_bitvectors" -> "fstar_functionalextensionality" - "rust_primitives_bitvectors" -> "fstar_functionalextensionality" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "prims" - "rust_primitives_bitvectors" -> "prims" "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" 
@@ -524,64 +598,78 @@ digraph { "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" "fstar_reflection_v1_derived_lemmas" -> "prims" "fstar_reflection_v1_derived_lemmas" -> "prims" - "core_num" -> "fstar_tactics_typeclasses" - "core_num" -> "fstar_tactics_typeclasses" - "core_num" -> "core_ops_arith" - "core_num" -> "core_num_error" - "core_num" -> "core_result" - "core_num" -> "core_result" - "core_num" -> "fstar_math_lemmas" - "core_num" -> "fstar_math_lemmas" - "core_num" -> "lib_inttypes" - "core_num" -> "lib_inttypes" - "core_num" -> "fstar_uint128" - "core_num" -> "fstar_uint128" - "core_num" -> "fstar_uint32" - "core_num" -> "fstar_uint32" - "core_num" -> "rust_primitives" - "core_num" -> "rust_primitives" - "core_num" -> "fstar_pervasives" - "core_num" -> "fstar_pervasives" - "core_num" -> "prims" - "core_num" -> "prims" "fstar_stubs_errors_msg" -> "fstar_stubs_pprint" "fstar_stubs_errors_msg" -> "fstar_pervasives" "fstar_stubs_errors_msg" -> "fstar_pervasives" "fstar_stubs_errors_msg" -> "prims" "fstar_stubs_errors_msg" -> "prims" - "core_option" -> "fstar_pervasives" - "core_option" -> "fstar_pervasives" - "core_option" -> "prims" - "core_option" -> "prims" + "fstar_string" -> "fstar_all" "fstar_string" -> "fstar_all" "fstar_string" -> "fstar_list" + "fstar_string" -> "fstar_list" "fstar_string" -> "fstar_char" "fstar_string" -> "fstar_list_tot" + "fstar_string" -> "fstar_list_tot" "fstar_string" -> "fstar_pervasives" + "fstar_string" -> "fstar_pervasives" + "fstar_string" -> "prims" "fstar_string" -> "prims" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "core" + "bitvec_equality" -> "core" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "prims" + 
"bitvec_equality" -> "prims" + "bitvec_equality" -> "bitvec_equality" + "spec_sha3" -> "fstar_pervasives_native" "spec_sha3" -> "fstar_pervasives_native" "spec_sha3" -> "spec_sha3_constants" + "spec_sha3" -> "spec_sha3_constants" + "spec_sha3" -> "lib_loopcombinators" "spec_sha3" -> "lib_loopcombinators" "spec_sha3" -> "fstar_mul" + "spec_sha3" -> "fstar_mul" + "spec_sha3" -> "lib_bytesequence" "spec_sha3" -> "lib_bytesequence" "spec_sha3" -> "lib_sequence" + "spec_sha3" -> "lib_sequence" + "spec_sha3" -> "lib_inttypes" "spec_sha3" -> "lib_inttypes" "spec_sha3" -> "fstar_pervasives" + "spec_sha3" -> "fstar_pervasives" + "spec_sha3" -> "prims" "spec_sha3" -> "prims" "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_avx2_x4" "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_portable_incremental" "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_portable" "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_portable" "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_hash_functions_simd256" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_simd256" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives_native" "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_simd256" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_simd256" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_avx2_x4_incremental" 
"libcrux_ml_dsa_hash_functions_simd256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_mul" "libcrux_ml_dsa_hash_functions_simd256" -> "core" + "libcrux_ml_dsa_hash_functions_simd256" -> "core" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives" "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives" "libcrux_ml_dsa_hash_functions_simd256" -> "prims" + "libcrux_ml_dsa_hash_functions_simd256" -> "prims" "fstar_calc" -> "fstar_classical" "fstar_calc" -> "fstar_classical" "fstar_calc" -> "fstar_preorder" 
@@ -593,47 +681,54 @@ digraph { "fstar_calc" -> "prims" "fstar_calc" -> "prims" "fstar_calc" -> "fstar_calc" - "spec_utils" -> "rust_primitives_integers" - "spec_utils" -> "fstar_calc" - "spec_utils" -> "fstar_int32" - "spec_utils" -> "fstar_int16" - "spec_utils" -> "fstar_math_lemmas" - "spec_utils" -> "fstar_classical_sugar" - "spec_utils" -> "rust_primitives_hax_monomorphized_update_at" - "spec_utils" -> "core_ops_range" - "spec_utils" -> "lib_inttypes" - "spec_utils" -> "lib_rawinttypes" - "spec_utils" -> "spec_sha3" - "spec_utils" -> "fstar_list_tot" - "spec_utils" -> "rust_primitives_hax" - "spec_utils" -> "lib_loopcombinators" - "spec_utils" -> "fstar_seq" - "spec_utils" -> "core" - "spec_utils" -> "fstar_mul" - "spec_utils" -> "fstar_pervasives" - "spec_utils" -> "prims" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_simd_traits" - "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_num" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_ops_arith_neg" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> 
"fstar_mul" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "prims" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "prims" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_simd_avx2_arithmetic" - "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_ml_dsa_generic" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core_result" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_pre_hash" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_simd256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_mul" + 
"libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "prims" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "prims" "fstar_stubs_reflection_types" -> "fstar_sealed" "fstar_stubs_reflection_types" -> "fstar_range" @@ -641,6 +736,16 @@ digraph { "fstar_stubs_reflection_types" -> "fstar_pervasives" "fstar_stubs_reflection_types" -> "prims" "fstar_stubs_reflection_types" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "prims" "lib_inttypes" -> "fstar_uint" "lib_inttypes" -> "fstar_uint" "lib_inttypes" -> "fstar_int" 
@@ -671,43 +776,43 @@ digraph { "lib_inttypes" -> "fstar_pervasives" "lib_inttypes" -> "prims" "lib_inttypes" -> "prims" - "hax_lib" -> "fstar_tactics" - "hax_lib" -> "fstar_tactics" - "hax_lib" -> "fstar_pervasives" - "hax_lib" -> "fstar_pervasives" - "hax_lib" -> "prims" - "hax_lib" -> "prims" - "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "prims" - "core_fmt_rt" -> "fstar_pervasives" - "core_fmt_rt" -> "fstar_pervasives" - "core_fmt_rt" -> "prims" - "core_fmt_rt" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "prims" + "core_iter_traits_collect" -> "core_iter_traits_iterator" + "core_iter_traits_collect" -> "core_iter_traits_iterator" + "core_iter_traits_collect" -> "fstar_tactics_typeclasses" + "core_iter_traits_collect" -> "fstar_tactics_typeclasses" + "core_iter_traits_collect" -> "fstar_pervasives" + "core_iter_traits_collect" -> "fstar_pervasives" + "core_iter_traits_collect" -> "prims" + "core_iter_traits_collect" -> "prims" "libcrux_ml_dsa_encoding_signature" -> "core_convert" "libcrux_ml_dsa_encoding_signature" -> "core_convert" "libcrux_ml_dsa_encoding_signature" -> "core_array" "libcrux_ml_dsa_encoding_signature" -> "core_array" - "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_ml_dsa_generic" - "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_ml_dsa_generic" + 
"libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_encoding_signature" -> "core_result" "libcrux_ml_dsa_encoding_signature" -> "core_result" - "libcrux_ml_dsa_encoding_signature" -> "fstar_uint8" - "libcrux_ml_dsa_encoding_signature" -> "fstar_uint8" "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives_native" "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives_native" - "libcrux_ml_dsa_encoding_signature" -> "rust_primitives" - "libcrux_ml_dsa_encoding_signature" -> "rust_primitives" - "libcrux_ml_dsa_encoding_signature" -> "fstar_int32" - "libcrux_ml_dsa_encoding_signature" -> "fstar_int32" "libcrux_ml_dsa_encoding_signature" -> "core_ops_range" "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_encoding_gamma1" "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_encoding_gamma1" "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives" "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax_folds" "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax" "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax" 
@@ -727,15 +832,29 @@ digraph { "libcrux_ml_dsa_encoding_signature" -> "prims" "libcrux_ml_dsa_encoding_signature" -> "prims" "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_encoding_signature" + "hax_lib" -> "fstar_tactics" + "hax_lib" -> "fstar_tactics" + "hax_lib" -> "fstar_pervasives" + "hax_lib" -> "fstar_pervasives" + "hax_lib" -> "prims" + "hax_lib" -> "prims" "libcrux_ml_dsa_utils" -> "core_ops_range" "libcrux_ml_dsa_utils" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_utils" -> "fstar_uint8" + "libcrux_ml_dsa_utils" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_utils" -> "rust_primitives" + "libcrux_ml_dsa_utils" -> "rust_primitives" + "libcrux_ml_dsa_utils" -> "rust_primitives_hax" "libcrux_ml_dsa_utils" -> "rust_primitives_hax" "libcrux_ml_dsa_utils" -> "core_slice" "libcrux_ml_dsa_utils" -> "hax_lib" + "libcrux_ml_dsa_utils" -> "hax_lib" + "libcrux_ml_dsa_utils" -> "fstar_mul" "libcrux_ml_dsa_utils" -> "fstar_mul" "libcrux_ml_dsa_utils" -> "core" + "libcrux_ml_dsa_utils" -> "core" "libcrux_ml_dsa_utils" -> "fstar_pervasives" + "libcrux_ml_dsa_utils" -> "fstar_pervasives" + "libcrux_ml_dsa_utils" -> "prims" "libcrux_ml_dsa_utils" -> "prims" "libcrux_ml_dsa_utils" -> "libcrux_ml_dsa_utils" "fstar_math_lemmas" -> "fstar_calc" 
@@ -772,11 +891,19 @@ digraph { "fstar_tactics_util" -> "fstar_tactics_effect" "fstar_tactics_util" -> "fstar_pervasives" "fstar_tactics_util" -> "fstar_pervasives" - "fstar_tactics_util" -> "prims" - "fstar_tactics_util" -> "prims" - "core_ops_arith_neg" -> "rust_primitives" - "core_ops_arith_neg" -> "fstar_pervasives" - "core_ops_arith_neg" -> "prims" + "fstar_tactics_util" -> "prims" + "fstar_tactics_util" -> "prims" + "core_ops_arith" -> "fstar_tactics_typeclasses" + "core_ops_arith" -> "fstar_tactics_typeclasses" + "core_ops_arith" -> "rust_primitives" + "core_ops_arith" -> "rust_primitives" + "core_ops_arith" -> "fstar_pervasives" + "core_ops_arith" -> "fstar_pervasives" + "core_ops_arith" -> "prims" + "core_ops_arith" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "core" 
@@ -797,6 +924,21 @@ digraph { "fstar_tactics_smt" -> "prims" "fstar_tactics_smt" -> "prims" "fstar_tactics_smt" -> "fstar_tactics_smt" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_seq" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_seq" + "rust_primitives_hax_monomorphized_update_at" -> "core_ops_range" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "core_core_arch_arm_shared_neon" -> "fstar_pervasives" + "core_core_arch_arm_shared_neon" -> "fstar_pervasives" + "core_core_arch_arm_shared_neon" -> "prims" + "core_core_arch_arm_shared_neon" -> "prims" "fstar_tactics_smt" -> "fstar_tactics_effect" "fstar_tactics_smt" -> "fstar_tactics_effect" "fstar_tactics_smt" -> "fstar_pervasives" 
@@ -821,24 +963,35 @@ digraph { "fstar_tactics_names" -> "prims" "fstar_tactics_names" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_convert" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_convert" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_result" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_result" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_ops_range" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int16" - "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int8" - "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_panicking" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_panicking" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_slice" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core" + 
"libcrux_ml_dsa_simd_avx2_encoding_error" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_ml_dsa_simd_avx2_encoding_error" "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" 
@@ -851,25 +1004,21 @@ digraph { "fstar_list_tot_properties" -> "prims" "fstar_list_tot_properties" -> "prims" "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core" "libcrux_ml_dsa_simd_avx2_ntt" -> "core" "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" - "libcrux_sha3_avx2_x4" -> "fstar_mul" - "libcrux_sha3_avx2_x4" -> "core" - "libcrux_sha3_avx2_x4" -> "fstar_pervasives" - "libcrux_sha3_avx2_x4" -> "prims" - "libcrux_sha3_portable" -> "fstar_mul" - "libcrux_sha3_portable" -> "fstar_mul" - "libcrux_sha3_portable" -> "core" - "libcrux_sha3_portable" -> "core" - "libcrux_sha3_portable" -> "fstar_pervasives" - "libcrux_sha3_portable" -> "fstar_pervasives" - "libcrux_sha3_portable" -> "prims" - "libcrux_sha3_portable" -> "prims" - "libcrux_sha3_portable" -> "libcrux_sha3_portable" "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives_hax" "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives" "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_mul" 
@@ -881,10 +1030,16 @@ digraph { "libcrux_ml_dsa_hash_functions_shake128" -> "prims" "libcrux_ml_dsa_hash_functions_shake128" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" - "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "prims" "fstar_reflection_termeq" -> "fstar_classical_sugar" "fstar_reflection_termeq" -> "fstar_classical_sugar" 
@@ -903,61 +1058,106 @@ digraph { "fstar_reflection_termeq" -> "prims" "fstar_reflection_termeq" -> "prims" "fstar_reflection_termeq" -> "fstar_reflection_termeq" + "rust_primitives_hax_folds" -> "fstar_math_lemmas" + "rust_primitives_hax_folds" -> "fstar_math_lemmas" + "rust_primitives_hax_folds" -> "lib_inttypes" + "rust_primitives_hax_folds" -> "lib_inttypes" + "rust_primitives_hax_folds" -> "fstar_seq" + "rust_primitives_hax_folds" -> "fstar_seq" + "rust_primitives_hax_folds" -> "fstar_mul" + "rust_primitives_hax_folds" -> "fstar_mul" + "rust_primitives_hax_folds" -> "core_ops_range" + "rust_primitives_hax_folds" -> "rust_primitives" + "rust_primitives_hax_folds" -> "rust_primitives" + "rust_primitives_hax_folds" -> "fstar_pervasives" + "rust_primitives_hax_folds" -> "fstar_pervasives" + "rust_primitives_hax_folds" -> "prims" + "rust_primitives_hax_folds" -> "prims" + "libcrux_ml_dsa_encoding_signing_key" -> "core_convert" "libcrux_ml_dsa_encoding_signing_key" -> "core_convert" "libcrux_ml_dsa_encoding_signing_key" -> "core_array" + "libcrux_ml_dsa_encoding_signing_key" -> "core_array" + "libcrux_ml_dsa_encoding_signing_key" -> "core_result" "libcrux_ml_dsa_encoding_signing_key" -> "core_result" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_t0" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_t0" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_error" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_error" "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signing_key" -> "core_slice_iter" "libcrux_ml_dsa_encoding_signing_key" -> "core_slice_iter" "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_iterator" 
"libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_iterator" "libcrux_ml_dsa_encoding_signing_key" -> "core_slice" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_encoding_signing_key" -> "core_ops_range" "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_encoding_signing_key" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives" + "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives" "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_mul" "libcrux_ml_dsa_encoding_signing_key" -> "fstar_mul" "libcrux_ml_dsa_encoding_signing_key" -> "core" + "libcrux_ml_dsa_encoding_signing_key" -> "core" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives" "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives" "libcrux_ml_dsa_encoding_signing_key" -> "prims" + "libcrux_ml_dsa_encoding_signing_key" -> "prims" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_signing_key" - "core_ops_index" -> "fstar_tactics_typeclasses" - "core_ops_index" -> "fstar_tactics_typeclasses" - 
"core_ops_index" -> "fstar_pervasives" - "core_ops_index" -> "fstar_pervasives" - "core_ops_index" -> "prims" - "core_ops_index" -> "prims" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "core_slice" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "hax_lib" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_uint8" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable_vector_type" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_constants" - "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "core" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_pervasives" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "prims" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable_encoding_t0" + "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "prims" + "libcrux_ml_dsa_simd_portable_vector_type" -> 
"prims" + "core_iter_adapters_step_by" -> "rust_primitives" + "core_iter_adapters_step_by" -> "rust_primitives" + "core_iter_adapters_step_by" -> "fstar_pervasives" + "core_iter_adapters_step_by" -> "fstar_pervasives" + "core_iter_adapters_step_by" -> "prims" + "core_iter_adapters_step_by" -> "prims" "libcrux_ml_dsa_simd_portable_sample" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_simd_portable_sample" -> "core_slice" "libcrux_ml_dsa_simd_portable_sample" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_simd_portable_sample" -> "fstar_int32" - "libcrux_ml_dsa_simd_portable_sample" -> "fstar_uint8" "libcrux_ml_dsa_simd_portable_sample" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_portable_sample" -> "core_slice_iter" "libcrux_ml_dsa_simd_portable_sample" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_portable_sample" -> "core_iter_traits_collect" "libcrux_ml_dsa_simd_portable_sample" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_simd_portable_sample" -> "rust_primitives" "libcrux_ml_dsa_simd_portable_sample" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_sample" -> "core" "libcrux_ml_dsa_simd_portable_sample" -> "fstar_pervasives" 
@@ -972,69 +1172,90 @@ digraph { "fstar_stubs_tactics_types" -> "fstar_pervasives" "fstar_stubs_tactics_types" -> "prims" "fstar_stubs_tactics_types" -> "prims" - "libcrux_ml_dsa_samplex4" -> "fstar_uint16" + "libcrux_ml_dsa_samplex4" -> "core_panicking" "libcrux_ml_dsa_samplex4" -> "core_panicking" "libcrux_ml_dsa_samplex4" -> "fstar_pervasives_native" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives_native" + "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_samplex4" -> "fstar_uint8" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax" "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_samplex4" -> "fstar_int32" + "libcrux_ml_dsa_samplex4" -> "rust_primitives" + "libcrux_ml_dsa_samplex4" -> "rust_primitives" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake256" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake256" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_samplex4" -> "fstar_mul" "libcrux_ml_dsa_samplex4" -> "fstar_mul" "libcrux_ml_dsa_samplex4" -> "core" + "libcrux_ml_dsa_samplex4" -> "core" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives" "libcrux_ml_dsa_samplex4" -> "fstar_pervasives" "libcrux_ml_dsa_samplex4" -> "prims" + "libcrux_ml_dsa_samplex4" -> "prims" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_samplex4" 
"libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "prims" "fstar_stubs_tactics_result" -> "fstar_stubs_tactics_types" "fstar_stubs_tactics_result" -> "fstar_pervasives" "fstar_stubs_tactics_result" -> "fstar_pervasives" "fstar_stubs_tactics_result" -> "prims" "fstar_stubs_tactics_result" -> "prims" - "core_array" -> "rust_primitives" - "core_array" -> "rust_primitives" - "core_array" -> 
"fstar_pervasives" - "core_array" -> "fstar_pervasives" - "core_array" -> "prims" - "core_array" -> "prims" - "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_ml_dsa_generic" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_portable" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "core" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "prims" - "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_ml_dsa_generic" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "core_result" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "core" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "prims" - "rust_primitives_hax_monomorphized_update_at" -> "fstar_seq" - "rust_primitives_hax_monomorphized_update_at" -> "fstar_seq" - "rust_primitives_hax_monomorphized_update_at" -> "core_ops_range" - "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" - 
"rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" - "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" - "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" - "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" - "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" - "rust_primitives_hax_monomorphized_update_at" -> "prims" - "rust_primitives_hax_monomorphized_update_at" -> "prims" - "libcrux_ml_dsa_constants" -> "fstar_int32" - "libcrux_ml_dsa_constants" -> "fstar_int32" + "libcrux_ml_dsa_constants" -> "rust_primitives" + "libcrux_ml_dsa_constants" -> "rust_primitives" "libcrux_ml_dsa_constants" -> "fstar_mul" "libcrux_ml_dsa_constants" -> "fstar_mul" "libcrux_ml_dsa_constants" -> "core" @@ -1043,17 +1264,6 @@ digraph { "libcrux_ml_dsa_constants" -> "fstar_pervasives" "libcrux_ml_dsa_constants" -> "prims" "libcrux_ml_dsa_constants" -> "prims" - "core_fmt" -> "core_fmt_rt" - "core_fmt" -> "fstar_tactics_typeclasses" - "core_fmt" -> "fstar_tactics_typeclasses" - "core_fmt" -> "core_result" - "core_fmt" -> "core_result" - "core_fmt" -> "rust_primitives" - "core_fmt" -> "rust_primitives" - "core_fmt" -> "fstar_pervasives" - "core_fmt" -> "fstar_pervasives" - "core_fmt" -> "prims" - "core_fmt" -> "prims" "fstar_int32" -> "fstar_uint" "fstar_int32" -> "fstar_uint" "fstar_int32" -> "fstar_uint32" 
@@ -1066,22 +1276,6 @@ digraph { "fstar_int32" -> "fstar_pervasives" "fstar_int32" -> "prims" "fstar_int32" -> "prims" - "core_slice" -> "fstar_tactics_typeclasses" - "core_slice" -> "fstar_tactics_typeclasses" - "core_slice" -> "core_ops_index" - "core_slice" -> "core_ops_index" - "core_slice" -> "core_slice_iter" - "core_slice" -> "core_slice_iter" - "core_slice" -> "fstar_seq" - "core_slice" -> "fstar_seq" - "core_slice" -> "rust_primitives_integers" - "core_slice" -> "rust_primitives_integers" - "core_slice" -> "rust_primitives_arrays" - "core_slice" -> "rust_primitives_arrays" - "core_slice" -> "fstar_pervasives" - "core_slice" -> "fstar_pervasives" - "core_slice" -> "prims" - "core_slice" -> "prims" "fstar_int" -> "fstar_seq" "fstar_int" -> "fstar_seq" "fstar_int" -> "fstar_uint" 
@@ -1096,26 +1290,45 @@ digraph { "fstar_int" -> "fstar_pervasives" "fstar_int" -> "prims" "fstar_int" -> "prims" - "libcrux_ml_dsa_matrix" -> "fstar_int32" "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_matrix" -> "rust_primitives" + "libcrux_ml_dsa_matrix" -> "rust_primitives" "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_matrix" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_matrix" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_matrix" -> "rust_primitives_hax_folds" "libcrux_ml_dsa_matrix" -> "rust_primitives_hax" + "libcrux_ml_dsa_matrix" -> "rust_primitives_hax" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_matrix" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_matrix" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_matrix" -> "fstar_mul" + "libcrux_ml_dsa_matrix" -> "fstar_mul" + "libcrux_ml_dsa_matrix" -> "core" "libcrux_ml_dsa_matrix" -> "core" "libcrux_ml_dsa_matrix" -> "fstar_pervasives" + "libcrux_ml_dsa_matrix" -> "fstar_pervasives" + "libcrux_ml_dsa_matrix" -> "prims" "libcrux_ml_dsa_matrix" -> "prims" "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_matrix" - "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_int32" - "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "rust_primitives" + 
"libcrux_ml_dsa_ml_dsa_44__neon" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "core" "libcrux_ml_dsa_ml_dsa_44__neon" -> "core" "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "prims" "libcrux_ml_dsa_ml_dsa_44__neon" -> "prims" "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_44__neon" "fstar_uint16" -> "fstar_uint32" 
@@ -1183,6 +1396,30 @@ digraph { "lib_inttypes" -> "prims" "lib_inttypes" -> "prims" "lib_inttypes" -> "lib_inttypes" + "rust_primitives_bitvectors" -> "fstar_uint8" + "rust_primitives_bitvectors" -> "fstar_uint8" + "rust_primitives_bitvectors" -> "fstar_uint16" + "rust_primitives_bitvectors" -> "fstar_uint16" + "rust_primitives_bitvectors" -> "fstar_uint32" + "rust_primitives_bitvectors" -> "fstar_uint32" + "rust_primitives_bitvectors" -> "fstar_int16" + "rust_primitives_bitvectors" -> "fstar_int16" + "rust_primitives_bitvectors" -> "fstar_int32" + "rust_primitives_bitvectors" -> "fstar_int32" + "rust_primitives_bitvectors" -> "fstar_seq" + "rust_primitives_bitvectors" -> "fstar_seq" + "rust_primitives_bitvectors" -> "fstar_functionalextensionality" + "rust_primitives_bitvectors" -> "fstar_functionalextensionality" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "prims" "fstar_monotonic_witnessed" -> "fstar_classical" "fstar_monotonic_witnessed" -> "fstar_classical" "fstar_monotonic_witnessed" -> "fstar_preorder" 
@@ -1192,17 +1429,9 @@ digraph { "fstar_monotonic_witnessed" -> "prims" "fstar_monotonic_witnessed" -> "prims" "fstar_monotonic_witnessed" -> "fstar_monotonic_witnessed" - "core_iter_traits_collect" -> "core_iter_traits_iterator" - "core_iter_traits_collect" -> "core_iter_traits_iterator" - "core_iter_traits_collect" -> "fstar_tactics_typeclasses" - "core_iter_traits_collect" -> "fstar_tactics_typeclasses" - "core_iter_traits_collect" -> "fstar_pervasives" - "core_iter_traits_collect" -> "fstar_pervasives" - "core_iter_traits_collect" -> "prims" - "core_iter_traits_collect" -> "prims" - "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_ml_dsa_generic" "libcrux_ml_dsa_ml_dsa_65__neon" -> "core_result" "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65__neon" -> "core" "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_pervasives" 
@@ -1250,26 +1479,32 @@ digraph { "fstar_tactics_effect" -> "fstar_pervasives" "fstar_tactics_effect" -> "prims" "fstar_tactics_effect" -> "prims" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "prims" - "rust_primitives_arrays" -> "prims" - "rust_primitives_arrays" -> "rust_primitives_arrays" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives" + "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_hash_functions_shake256" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_hash_functions_shake256" "libcrux_ml_dsa_encoding_signing_key" -> "fstar_mul" + 
"libcrux_ml_dsa_encoding_signing_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signing_key" -> "core" "libcrux_ml_dsa_encoding_signing_key" -> "core" "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signing_key" -> "prims" "libcrux_ml_dsa_encoding_signing_key" -> "prims" "fstar_tactics_print" -> "fstar_tactics_effect" "fstar_tactics_print" -> "fstar_tactics_effect" 
@@ -1279,13 +1514,27 @@ digraph { "fstar_tactics_print" -> "fstar_pervasives" "fstar_tactics_print" -> "prims" "fstar_tactics_print" -> "prims" - "libcrux_ml_dsa_simd_avx2_ntt" -> "core_ops_arith_neg" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_avx2_arithmetic" - "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_avx2_arithmetic" + "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core" "libcrux_ml_dsa_simd_avx2_ntt" -> "core" "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_avx2_ntt" "fstar_tactics_bv" -> "fstar_tactics_bv_lemmas" 
@@ -1301,9 +1550,10 @@ digraph { "fstar_stubs_syntax_syntax" -> "fstar_pervasives" "fstar_stubs_syntax_syntax" -> "prims" "fstar_stubs_syntax_syntax" -> "prims" + "libcrux_ml_dsa_polynomial" -> "rust_primitives" + "libcrux_ml_dsa_polynomial" -> "rust_primitives" "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_polynomial" -> "fstar_mul" @@ -1314,6 +1564,14 @@ digraph { "libcrux_ml_dsa_polynomial" -> "fstar_pervasives" "libcrux_ml_dsa_polynomial" -> "prims" "libcrux_ml_dsa_polynomial" -> "prims" + "core_fmt_rt" -> "fstar_pervasives" + "core_fmt_rt" -> "fstar_pervasives" + "core_fmt_rt" -> "prims" + "core_fmt_rt" -> "prims" + "libcrux_ml_dsa_types" -> "rust_primitives" + "libcrux_ml_dsa_types" -> "rust_primitives" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_types" -> "fstar_mul" "libcrux_ml_dsa_types" -> "fstar_mul" "libcrux_ml_dsa_types" -> "core" 
@@ -1323,18 +1581,40 @@ digraph { "libcrux_ml_dsa_types" -> "prims" "libcrux_ml_dsa_types" -> "prims" "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_types" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "prims" + "libcrux_sha3_portable" -> "prims" + "libcrux_sha3_portable" -> "libcrux_sha3_portable" + "lib_bytesequence" -> "fstar_pervasives_native" "lib_bytesequence" -> "fstar_pervasives_native" "lib_bytesequence" -> "fstar_calc" + "lib_bytesequence" -> "fstar_calc" + "lib_bytesequence" -> "fstar_math_lemmas" "lib_bytesequence" -> "fstar_math_lemmas" "lib_bytesequence" -> "fstar_classical" + "lib_bytesequence" -> "fstar_classical" + "lib_bytesequence" -> "fstar_uint8" "lib_bytesequence" -> "fstar_uint8" "lib_bytesequence" -> "fstar_seq" + "lib_bytesequence" -> "fstar_seq" + "lib_bytesequence" -> "lib_loopcombinators" "lib_bytesequence" -> "lib_loopcombinators" "lib_bytesequence" -> "lib_rawinttypes" + "lib_bytesequence" -> "lib_rawinttypes" + "lib_bytesequence" -> "lib_sequence" "lib_bytesequence" -> "lib_sequence" "lib_bytesequence" -> "lib_inttypes" + "lib_bytesequence" -> "lib_inttypes" + "lib_bytesequence" -> "fstar_mul" "lib_bytesequence" -> "fstar_mul" "lib_bytesequence" -> "fstar_pervasives" + "lib_bytesequence" -> "fstar_pervasives" + "lib_bytesequence" -> "prims" "lib_bytesequence" -> "prims" "lib_bytesequence" -> "lib_bytesequence" "fstar_uint64" -> "fstar_uint32" 
@@ -1349,12 +1629,47 @@ digraph { "fstar_uint64" -> "prims" "fstar_uint64" -> "fstar_uint64" "spec_sha3_constants" -> "fstar_uint64" + "spec_sha3_constants" -> "fstar_uint64" + "spec_sha3_constants" -> "fstar_list_tot" "spec_sha3_constants" -> "fstar_list_tot" "spec_sha3_constants" -> "fstar_uint32" + "spec_sha3_constants" -> "fstar_uint32" + "spec_sha3_constants" -> "lib_sequence" "spec_sha3_constants" -> "lib_sequence" "spec_sha3_constants" -> "lib_inttypes" + "spec_sha3_constants" -> "lib_inttypes" + "spec_sha3_constants" -> "fstar_pervasives" "spec_sha3_constants" -> "fstar_pervasives" "spec_sha3_constants" -> "prims" + "spec_sha3_constants" -> "prims" + "libcrux_ml_dsa_pre_hash" -> "rust_primitives_hax" + "libcrux_ml_dsa_pre_hash" -> "rust_primitives_hax" + "libcrux_ml_dsa_pre_hash" -> "fstar_list_tot" + "libcrux_ml_dsa_pre_hash" -> "fstar_list_tot" + "libcrux_ml_dsa_pre_hash" -> "core_result" + "libcrux_ml_dsa_pre_hash" -> "core_result" + "libcrux_ml_dsa_pre_hash" -> "core_option" + "libcrux_ml_dsa_pre_hash" -> "core_option" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_pre_hash" -> "core_convert" + "libcrux_ml_dsa_pre_hash" -> "core_convert" + "libcrux_ml_dsa_pre_hash" -> "rust_primitives" + "libcrux_ml_dsa_pre_hash" -> "rust_primitives" + "libcrux_ml_dsa_pre_hash" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_pre_hash" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_pre_hash" -> "fstar_mul" + "libcrux_ml_dsa_pre_hash" -> "fstar_mul" + "libcrux_ml_dsa_pre_hash" -> "core" + "libcrux_ml_dsa_pre_hash" -> "core" + "libcrux_ml_dsa_pre_hash" -> "fstar_pervasives" + "libcrux_ml_dsa_pre_hash" -> 
"fstar_pervasives" + "libcrux_ml_dsa_pre_hash" -> "prims" + "libcrux_ml_dsa_pre_hash" -> "prims" "fstar_tactics_v1" -> "fstar_tactics_smt" "fstar_tactics_v1" -> "fstar_tactics_smt" "fstar_tactics_v1" -> "fstar_tactics_visit" 
@@ -1388,32 +1703,60 @@ digraph { "fstar_tactics_v1" -> "prims" "fstar_tactics_v1" -> "prims" "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_ntt" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_ntt" "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t1" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t1" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t0" "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t0" "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_error" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_error" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_gamma1" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_gamma1" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_sample" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_sample" "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_arithmetic" - "libcrux_ml_dsa_simd_portable" -> "core_ops_range" - "libcrux_ml_dsa_simd_portable" -> "core_convert" - "libcrux_ml_dsa_simd_portable" -> "core_array" - "libcrux_ml_dsa_simd_portable" -> "core_result" - "libcrux_ml_dsa_simd_portable" -> "fstar_int32" - "libcrux_ml_dsa_simd_portable" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_arithmetic" + "libcrux_ml_dsa_simd_portable" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_portable" -> 
"fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable" -> "fstar_mul" "libcrux_ml_dsa_simd_portable" -> "fstar_mul" "libcrux_ml_dsa_simd_portable" -> "core" + "libcrux_ml_dsa_simd_portable" -> "core" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives" "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives" "libcrux_ml_dsa_simd_portable" -> "prims" + "libcrux_ml_dsa_simd_portable" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" - "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" + "libcrux_sha3_avx2_x4_incremental" -> "libcrux_sha3_neon_x2_incremental" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_mul" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_mul" + "libcrux_sha3_avx2_x4_incremental" -> "core" + "libcrux_sha3_avx2_x4_incremental" -> "core" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4_incremental" -> "prims" + "libcrux_sha3_avx2_x4_incremental" -> "prims" 
"fstar_seq_base" -> "fstar_list_tot" "fstar_seq_base" -> "fstar_list_tot" "fstar_seq_base" -> "fstar_pervasives" @@ -1436,13 +1779,30 @@ digraph { "fstar_int8" -> "fstar_int8" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable_incremental" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" "libcrux_ml_dsa_hash_functions_portable" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_portable" -> "core" "libcrux_ml_dsa_hash_functions_portable" -> "core" "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_portable" -> "prims" "libcrux_ml_dsa_hash_functions_portable" -> "prims" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_portable" + "core_clone" -> "fstar_tactics_typeclasses" + "core_clone" -> "fstar_tactics_typeclasses" + "core_clone" -> "fstar_pervasives" + "core_clone" -> "fstar_pervasives" + "core_clone" -> "prims" + "core_clone" -> "prims" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable_ntt" -> "core_slice" + "libcrux_ml_dsa_simd_portable_ntt" -> "rust_primitives_hax_folds" "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_arithmetic" "libcrux_ml_dsa_simd_portable_ntt" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_ntt" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable" "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_ntt" -> "core" 
@@ -1458,8 +1818,6 @@ digraph { "fstar_bv" -> "prims" "fstar_bv" -> "prims" "libcrux_ml_dsa_polynomial" -> "core_ops_range" - "libcrux_ml_dsa_polynomial" -> "fstar_int32" - "libcrux_ml_dsa_polynomial" -> "fstar_int32" "libcrux_ml_dsa_polynomial" -> "core_array_iter" "libcrux_ml_dsa_polynomial" -> "core_iter_traits_collect" "libcrux_ml_dsa_polynomial" -> "core_iter_traits_collect" @@ -1477,6 +1835,8 @@ digraph { "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_polynomial" -> "core_slice" "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_polynomial" -> "rust_primitives" + "libcrux_ml_dsa_polynomial" -> "rust_primitives" "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax" "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax" "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" @@ -1492,13 +1852,14 @@ digraph { "libcrux_ml_dsa_polynomial" -> "prims" "libcrux_ml_dsa_polynomial" -> "prims" "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_polynomial" - "core_array_iter" -> "core_iter" - "core_array_iter" -> "rust_primitives" - "core_array_iter" -> "rust_primitives" - "core_array_iter" -> "fstar_pervasives" - "core_array_iter" -> "fstar_pervasives" - "core_array_iter" -> "prims" - "core_array_iter" -> "prims" + "libcrux_ml_dsa_types" -> "rust_primitives" + "libcrux_ml_dsa_types" -> "rust_primitives" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_types" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_types" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_types" -> "fstar_mul" "libcrux_ml_dsa_types" -> "fstar_mul" "libcrux_ml_dsa_types" -> "core" 
@@ -1507,13 +1868,9 @@ digraph { "libcrux_ml_dsa_types" -> "fstar_pervasives" "libcrux_ml_dsa_types" -> "prims" "libcrux_ml_dsa_types" -> "prims" - "core_iter_adapters_enumerate" -> "rust_primitives" - "core_iter_adapters_enumerate" -> "rust_primitives" - "core_iter_adapters_enumerate" -> "fstar_pervasives" - "core_iter_adapters_enumerate" -> "fstar_pervasives" - "core_iter_adapters_enumerate" -> "prims" - "core_iter_adapters_enumerate" -> "prims" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable" "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_arithmetic" -> "core" @@ -1525,6 +1882,12 @@ digraph { "fstar_erasedlogic" -> "fstar_pervasives" "fstar_erasedlogic" -> "prims" "fstar_erasedlogic" -> "prims" + "core_array" -> "rust_primitives" + "core_array" -> "rust_primitives" + "core_array" -> "fstar_pervasives" + "core_array" -> "fstar_pervasives" + "core_array" -> "prims" + "core_array" -> "prims" "fstar_math_lemmas" -> "fstar_mul" "fstar_math_lemmas" -> "fstar_mul" "fstar_math_lemmas" -> "fstar_pervasives" 
@@ -1560,66 +1923,82 @@ digraph { "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" "fstar_tactics_v2_syntaxhelpers" -> "prims" "fstar_tactics_v2_syntaxhelpers" -> "prims" - "core_slice_iter" -> "rust_primitives" - "core_slice_iter" -> "rust_primitives" - "core_slice_iter" -> "fstar_pervasives" - "core_slice_iter" -> "fstar_pervasives" - "core_slice_iter" -> "prims" - "core_slice_iter" -> "prims" - "rust_primitives_arrays" -> "fstar_pervasives_native" - "rust_primitives_arrays" -> "fstar_pervasives_native" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "fstar_mul" - "rust_primitives_arrays" -> "fstar_mul" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "prims" - "rust_primitives_arrays" -> "prims" - "core_ops_range" -> "rust_primitives_hax" - "core_ops_range" -> "rust_primitives_hax" - "core_ops_range" -> "fstar_seq" - "core_ops_range" -> "fstar_seq" - "core_ops_range" -> "core_ops_index" - "core_ops_range" -> "core_ops_index" - "core_ops_range" -> "fstar_tactics_typeclasses" - "core_ops_range" -> "fstar_tactics_typeclasses" - "core_ops_range" -> "fstar_pervasives_native" - "core_ops_range" -> "fstar_pervasives_native" - "core_ops_range" -> "core_iter_traits_iterator" - "core_ops_range" -> "core_iter_traits_iterator" - "core_ops_range" -> "rust_primitives" - "core_ops_range" -> "rust_primitives" - "core_ops_range" -> "fstar_pervasives" - "core_ops_range" -> "fstar_pervasives" - "core_ops_range" -> "prims" - "core_ops_range" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_v2_syntaxhelpers" + 
"rust_primitives_integers" -> "fstar_int_cast" + "rust_primitives_integers" -> "fstar_int_cast" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "rust_primitives_integers" + "core_marker" -> "fstar_tactics_typeclasses" + "core_marker" -> "fstar_tactics_typeclasses" + "core_marker" -> "fstar_pervasives" + "core_marker" -> "fstar_pervasives" + "core_marker" -> "prims" + "core_marker" -> "prims" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_ntt" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t1" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t0" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_error" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_gamma1" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_sample" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_arithmetic" + "libcrux_ml_dsa_simd_portable" -> "core_ops_range" + "libcrux_ml_dsa_simd_portable" -> "core_convert" + "libcrux_ml_dsa_simd_portable" -> "core_array" + "libcrux_ml_dsa_simd_portable" -> "core_result" + "libcrux_ml_dsa_simd_portable" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable" -> "core" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable" -> "prims" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable" + 
"libcrux_ml_dsa_encoding_verification_key" -> "core_convert" "libcrux_ml_dsa_encoding_verification_key" -> "core_convert" "libcrux_ml_dsa_encoding_verification_key" -> "core_array" + "libcrux_ml_dsa_encoding_verification_key" -> "core_array" + "libcrux_ml_dsa_encoding_verification_key" -> "core_result" "libcrux_ml_dsa_encoding_verification_key" -> "core_result" "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_encoding_t1" "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_encoding_t1" "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_folds" "libcrux_ml_dsa_encoding_verification_key" -> "core_slice" "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_encoding_verification_key" -> "core_ops_range" "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_encoding_verification_key" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives" "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_verification_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_simd_traits" 
"libcrux_ml_dsa_encoding_verification_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_verification_key" -> "core" "libcrux_ml_dsa_encoding_verification_key" -> "core" "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_verification_key" -> "prims" "libcrux_ml_dsa_encoding_verification_key" -> "prims" "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_encoding_verification_key" + "core_ops_control_flow" -> "fstar_pervasives" + "core_ops_control_flow" -> "fstar_pervasives" + "core_ops_control_flow" -> "prims" + "core_ops_control_flow" -> "prims" "fstar_uint32" -> "fstar_mul" "fstar_uint32" -> "fstar_mul" "fstar_uint32" -> "fstar_uint" 
@@ -1666,22 +2045,9 @@ digraph { "fstar_tactics_v2_derived" -> "fstar_pervasives" "fstar_tactics_v2_derived" -> "prims" "fstar_tactics_v2_derived" -> "prims" - "core_convert" -> "rust_primitives_integers" - "core_convert" -> "rust_primitives_integers" - "core_convert" -> "core_slice" - "core_convert" -> "core_array" - "core_convert" -> "core_array" - "core_convert" -> "core_result" - "core_convert" -> "core_result" - "core_convert" -> "fstar_tactics_typeclasses" - "core_convert" -> "fstar_tactics_typeclasses" - "core_convert" -> "rust_primitives" - "core_convert" -> "rust_primitives" - "core_convert" -> "fstar_pervasives" - "core_convert" -> "fstar_pervasives" - "core_convert" -> "prims" - "core_convert" -> "prims" - "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "core" 
@@ -1731,12 +2097,20 @@ digraph { "fstar_tactics_v1_syntaxhelpers" -> "prims" "fstar_tactics_v1_syntaxhelpers" -> "prims" "lib_rawinttypes" -> "fstar_uint128" + "lib_rawinttypes" -> "fstar_uint128" + "lib_rawinttypes" -> "fstar_uint64" "lib_rawinttypes" -> "fstar_uint64" "lib_rawinttypes" -> "fstar_uint32" + "lib_rawinttypes" -> "fstar_uint32" + "lib_rawinttypes" -> "fstar_uint16" "lib_rawinttypes" -> "fstar_uint16" "lib_rawinttypes" -> "fstar_uint8" + "lib_rawinttypes" -> "fstar_uint8" + "lib_rawinttypes" -> "lib_inttypes" "lib_rawinttypes" -> "lib_inttypes" "lib_rawinttypes" -> "fstar_pervasives" + "lib_rawinttypes" -> "fstar_pervasives" + "lib_rawinttypes" -> "prims" "lib_rawinttypes" -> "prims" "fstar_uint8" -> "fstar_uint32" "fstar_uint8" -> "fstar_uint32" 
@@ -1749,25 +2123,53 @@ digraph { "fstar_uint8" -> "prims" "fstar_uint8" -> "prims" "fstar_uint8" -> "fstar_uint8" - "libcrux_sha3_traits" -> "fstar_tactics_typeclasses" - "libcrux_sha3_traits" -> "fstar_tactics_typeclasses" - "libcrux_sha3_traits" -> "fstar_mul" - "libcrux_sha3_traits" -> "fstar_mul" - "libcrux_sha3_traits" -> "core" - "libcrux_sha3_traits" -> "core" - "libcrux_sha3_traits" -> "fstar_pervasives" - "libcrux_sha3_traits" -> "fstar_pervasives" - "libcrux_sha3_traits" -> "prims" - "libcrux_sha3_traits" -> "prims" - "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_ml_dsa_generic" + "rust_primitives" -> "fstar_seq" + "rust_primitives" -> "fstar_seq" + "rust_primitives" -> "fstar_tactics_typeclasses" + "rust_primitives" -> "fstar_tactics_typeclasses" + "rust_primitives" -> "core_ops_control_flow" + "rust_primitives" -> "core_ops_control_flow" + "rust_primitives" -> "core_result" + "rust_primitives" -> "core_result" + "rust_primitives" -> "core_option" + "rust_primitives" -> "core_option" + "rust_primitives" -> "rust_primitives_bitvectors" + "rust_primitives" -> "rust_primitives_bitvectors" + "rust_primitives" -> "rust_primitives_arrays" + "rust_primitives" -> "rust_primitives_arrays" + "rust_primitives" -> "rust_primitives_integers" + "rust_primitives" -> "rust_primitives_integers" + "rust_primitives" -> "fstar_pervasives" + "rust_primitives" -> "fstar_pervasives" + "rust_primitives" -> "prims" + "rust_primitives" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> 
"libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_neon" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_neon" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "prims" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "prims" "fstar_int16" -> "fstar_uint32" "fstar_int16" -> "fstar_uint32" 
@@ -1796,6 +2198,17 @@ digraph { "fstar_reflection_v1" -> "fstar_pervasives" "fstar_reflection_v1" -> "prims" "fstar_reflection_v1" -> "prims" + "libcrux_sha3_neon_x2_incremental" -> "core_core_arch_arm_shared_neon" + "libcrux_sha3_neon_x2_incremental" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_neon_x2_incremental" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_neon_x2_incremental" -> "fstar_mul" + "libcrux_sha3_neon_x2_incremental" -> "fstar_mul" + "libcrux_sha3_neon_x2_incremental" -> "core" + "libcrux_sha3_neon_x2_incremental" -> "core" + "libcrux_sha3_neon_x2_incremental" -> "fstar_pervasives" + "libcrux_sha3_neon_x2_incremental" -> "fstar_pervasives" + "libcrux_sha3_neon_x2_incremental" -> "prims" + "libcrux_sha3_neon_x2_incremental" -> "prims" "fstar_tactics_v2_logic" -> "fstar_pervasives_native" "fstar_tactics_v2_logic" -> "fstar_pervasives_native" "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_v2_builtins" 
@@ -1814,34 +2227,34 @@ digraph { "fstar_tactics_v2_logic" -> "fstar_pervasives" "fstar_tactics_v2_logic" -> "prims" "fstar_tactics_v2_logic" -> "prims" - "rust_primitives_hax" -> "fstar_list_tot" - "rust_primitives_hax" -> "fstar_list_tot" - "rust_primitives_hax" -> "lib_inttypes" - "rust_primitives_hax" -> "lib_inttypes" - "rust_primitives_hax" -> "core_slice" - "rust_primitives_hax" -> "fstar_tactics_typeclasses" - "rust_primitives_hax" -> "fstar_tactics_typeclasses" - "rust_primitives_hax" -> "core_ops_index" - "rust_primitives_hax" -> "core_ops_index" - "rust_primitives_hax" -> "fstar_seq" - "rust_primitives_hax" -> "fstar_seq" - "rust_primitives_hax" -> "rust_primitives_arrays" - "rust_primitives_hax" -> "rust_primitives_arrays" - "rust_primitives_hax" -> "rust_primitives_integers" - "rust_primitives_hax" -> "rust_primitives_integers" - "rust_primitives_hax" -> "fstar_pervasives" - "rust_primitives_hax" -> "fstar_pervasives" - "rust_primitives_hax" -> "prims" - "rust_primitives_hax" -> "prims" + "libcrux_sha3_avx2_x4" -> "fstar_mul" + "libcrux_sha3_avx2_x4" -> "fstar_mul" + "libcrux_sha3_avx2_x4" -> "core" + "libcrux_sha3_avx2_x4" -> "core" + "libcrux_sha3_avx2_x4" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4" -> "prims" + "libcrux_sha3_avx2_x4" -> "prims" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_samplex4" -> "rust_primitives" + "libcrux_ml_dsa_samplex4" -> "rust_primitives" + "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake256" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake256" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake128" + 
"libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_samplex4" -> "fstar_mul" "libcrux_ml_dsa_samplex4" -> "fstar_mul" "libcrux_ml_dsa_samplex4" -> "core" + "libcrux_ml_dsa_samplex4" -> "core" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives" "libcrux_ml_dsa_samplex4" -> "fstar_pervasives" "libcrux_ml_dsa_samplex4" -> "prims" + "libcrux_ml_dsa_samplex4" -> "prims" "fstar_functionalextensionality" -> "fstar_pervasives_native" "fstar_functionalextensionality" -> "fstar_pervasives_native" "fstar_functionalextensionality" -> "fstar_tactics_effect" 
@@ -1854,6 +2267,38 @@ digraph { "fstar_functionalextensionality" -> "prims" "fstar_functionalextensionality" -> "prims" "fstar_functionalextensionality" -> "fstar_functionalextensionality" + "rust_primitives_integers" -> "fstar_pervasives_native" + "rust_primitives_integers" -> "fstar_pervasives_native" + "rust_primitives_integers" -> "fstar_int" + "rust_primitives_integers" -> "fstar_int" + "rust_primitives_integers" -> "fstar_int128" + "rust_primitives_integers" -> "fstar_int128" + "rust_primitives_integers" -> "fstar_uint128" + "rust_primitives_integers" -> "fstar_uint128" + "rust_primitives_integers" -> "fstar_int64" + "rust_primitives_integers" -> "fstar_int64" + "rust_primitives_integers" -> "fstar_uint64" + "rust_primitives_integers" -> "fstar_uint64" + "rust_primitives_integers" -> "fstar_int32" + "rust_primitives_integers" -> "fstar_int32" + "rust_primitives_integers" -> "fstar_uint32" + "rust_primitives_integers" -> "fstar_uint32" + "rust_primitives_integers" -> "fstar_int16" + "rust_primitives_integers" -> "fstar_int16" + "rust_primitives_integers" -> "fstar_uint16" + "rust_primitives_integers" -> "fstar_uint16" + "rust_primitives_integers" -> "fstar_int8" + "rust_primitives_integers" -> "fstar_int8" + "rust_primitives_integers" -> "fstar_uint8" + "rust_primitives_integers" -> "fstar_uint8" + "rust_primitives_integers" -> "lib_inttypes" + "rust_primitives_integers" -> "lib_inttypes" + "rust_primitives_integers" -> "fstar_mul" + "rust_primitives_integers" -> "fstar_mul" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "prims" "fstar_set" -> "fstar_classical" "fstar_set" -> "fstar_classical" "fstar_set" -> "fstar_functionalextensionality" 
@@ -1870,12 +2315,32 @@ digraph { "fstar_tactics" -> "prims" "fstar_tactics" -> "prims" "lib_bytesequence" -> "fstar_seq" + "lib_bytesequence" -> "fstar_seq" "lib_bytesequence" -> "fstar_seq_base" + "lib_bytesequence" -> "fstar_seq_base" + "lib_bytesequence" -> "lib_sequence" "lib_bytesequence" -> "lib_sequence" "lib_bytesequence" -> "lib_inttypes" + "lib_bytesequence" -> "lib_inttypes" + "lib_bytesequence" -> "fstar_mul" "lib_bytesequence" -> "fstar_mul" "lib_bytesequence" -> "fstar_pervasives" + "lib_bytesequence" -> "fstar_pervasives" + "lib_bytesequence" -> "prims" "lib_bytesequence" -> "prims" + "rust_primitives_bitvectors" -> "fstar_math_lemmas" + "rust_primitives_bitvectors" -> "fstar_math_lemmas" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "rust_primitives_bitvectors" "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_ntt" -> "fstar_tactics_typeclasses" @@ -1884,8 +2349,8 @@ digraph { "libcrux_ml_dsa_ntt" -> "rust_primitives_hax" "libcrux_ml_dsa_ntt" -> "fstar_list_tot" "libcrux_ml_dsa_ntt" -> "fstar_list_tot" - "libcrux_ml_dsa_ntt" -> "fstar_int32" - "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "rust_primitives" + "libcrux_ml_dsa_ntt" -> "rust_primitives" "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ntt" -> "fstar_mul" 
@@ -1900,12 +2365,6 @@ digraph { "fstar_classical_sugar" -> "fstar_pervasives" "fstar_classical_sugar" -> "prims" "fstar_classical_sugar" -> "prims" - "core_marker" -> "fstar_tactics_typeclasses" - "core_marker" -> "fstar_tactics_typeclasses" - "core_marker" -> "fstar_pervasives" - "core_marker" -> "fstar_pervasives" - "core_marker" -> "prims" - "core_marker" -> "prims" "fstar_tactics_bv_lemmas" -> "fstar_uint" "fstar_tactics_bv_lemmas" -> "fstar_uint" "fstar_tactics_bv_lemmas" -> "fstar_bv" @@ -1915,10 +2374,6 @@ digraph { "fstar_tactics_bv_lemmas" -> "prims" "fstar_tactics_bv_lemmas" -> "prims" "fstar_tactics_bv_lemmas" -> "fstar_tactics_bv_lemmas" - "core_ops_control_flow" -> "fstar_pervasives" - "core_ops_control_flow" -> "fstar_pervasives" - "core_ops_control_flow" -> "prims" - "core_ops_control_flow" -> "prims" "fstar_int8" -> "fstar_uint" "fstar_int8" -> "fstar_uint" "fstar_int8" -> "fstar_uint32" 
@@ -1931,24 +2386,61 @@ digraph { "fstar_int8" -> "fstar_pervasives" "fstar_int8" -> "prims" "fstar_int8" -> "prims" - "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_sha3_neon_x2" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_list_tot" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_list_tot" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_sha3_neon_x2_incremental" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_neon" -> "core" + "libcrux_ml_dsa_hash_functions_neon" -> "core" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_neon" -> "prims" + "libcrux_ml_dsa_hash_functions_neon" -> "prims" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_neon" 
"libcrux_ml_dsa_ml_dsa_44_" -> "core_result" "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_types" - "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_44_" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_44_" -> "core" "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_44_" -> "prims" - "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_ml_dsa_generic" "libcrux_ml_dsa_ml_dsa_87_" -> "core_result" "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_types" - "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_87_" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87_" -> "core" "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_87_" -> "prims" + "libcrux_sha3_generic_keccak" -> "fstar_tactics_typeclasses" + "libcrux_sha3_generic_keccak" -> "fstar_tactics_typeclasses" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_generic_keccak" -> "prims" "fstar_tactics_unseal" -> "fstar_tactics_effect" "fstar_tactics_unseal" -> "fstar_tactics_effect" "fstar_tactics_unseal" -> "fstar_sealed" 
@@ -1956,10 +2448,31 @@ digraph { "fstar_tactics_unseal" -> "fstar_pervasives" "fstar_tactics_unseal" -> "prims" "fstar_tactics_unseal" -> "prims" - "rust_primitives_hax_control_flow_monad_mexception" -> "core_ops_control_flow" - "rust_primitives_hax_control_flow_monad_mexception" -> "fstar_pervasives" - "rust_primitives_hax_control_flow_monad_mexception" -> "prims" - "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_pre_hash" -> "core_result" + "libcrux_ml_dsa_pre_hash" -> "core_result" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_pre_hash" -> "core_slice" + "libcrux_ml_dsa_pre_hash" -> "core_option" + "libcrux_ml_dsa_pre_hash" -> "core_option" + "libcrux_ml_dsa_pre_hash" -> "rust_primitives" + "libcrux_ml_dsa_pre_hash" -> "rust_primitives" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_pre_hash" -> "fstar_mul" + "libcrux_ml_dsa_pre_hash" -> "fstar_mul" + "libcrux_ml_dsa_pre_hash" -> "core" + "libcrux_ml_dsa_pre_hash" -> "core" + "libcrux_ml_dsa_pre_hash" -> "fstar_pervasives" + "libcrux_ml_dsa_pre_hash" -> "fstar_pervasives" + "libcrux_ml_dsa_pre_hash" -> "prims" + "libcrux_ml_dsa_pre_hash" -> "prims" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable" "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_encoding_error" -> "core" 
@@ -1995,8 +2508,8 @@ digraph { "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_encoding_gamma1" -> "fstar_uint8" - "libcrux_ml_dsa_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives" "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax" "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax" "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" @@ -2014,9 +2527,9 @@ digraph { "libcrux_ml_dsa_encoding_gamma1" -> "prims" "libcrux_ml_dsa_encoding_gamma1" -> "prims" "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_encoding_gamma1" - "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_int32" - "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "core" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_pervasives" @@ -2030,6 +2543,14 @@ digraph { "fstar_list_tot_base" -> "fstar_pervasives" "fstar_list_tot_base" -> "prims" "fstar_list_tot_base" -> "prims" + "fstar_option" -> "fstar_pervasives_native" + "fstar_option" -> "fstar_pervasives_native" + "fstar_option" -> "fstar_all" + "fstar_option" -> "fstar_all" + "fstar_option" -> "fstar_pervasives" + "fstar_option" -> "fstar_pervasives" + "fstar_option" -> "prims" + "fstar_option" -> "prims" "libcrux_ml_dsa_simd_portable_sample" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_sample" -> "core" "libcrux_ml_dsa_simd_portable_sample" -> "fstar_pervasives" 
@@ -2057,6 +2578,17 @@ digraph { "fstar_reflection_v2_formula" -> "fstar_pervasives" "fstar_reflection_v2_formula" -> "prims" "fstar_reflection_v2_formula" -> "prims" + "core_panicking" -> "core_fmt" + "core_panicking" -> "core_option" + "core_panicking" -> "core_option" + "core_panicking" -> "rust_primitives_hax" + "core_panicking" -> "rust_primitives_hax" + "core_panicking" -> "rust_primitives" + "core_panicking" -> "rust_primitives" + "core_panicking" -> "fstar_pervasives" + "core_panicking" -> "fstar_pervasives" + "core_panicking" -> "prims" + "core_panicking" -> "prims" "fstar_char" -> "fstar_uint32" "fstar_char" -> "fstar_uint32" "fstar_char" -> "fstar_pervasives" @@ -2087,16 +2619,12 @@ digraph { "fstar_tactics_mapply" -> "prims" "fstar_tactics_mapply" -> "prims" "fstar_tactics_mapply" -> "fstar_tactics_mapply" - "core_iter_adapters_step_by" -> "rust_primitives" - "core_iter_adapters_step_by" -> "rust_primitives" - "core_iter_adapters_step_by" -> "fstar_pervasives" - "core_iter_adapters_step_by" -> "fstar_pervasives" - "core_iter_adapters_step_by" -> "prims" - "core_iter_adapters_step_by" -> "prims" "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives" "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_error" -> "fstar_mul" 
@@ -2108,9 +2636,14 @@ digraph { "libcrux_ml_dsa_encoding_error" -> "prims" "libcrux_ml_dsa_encoding_error" -> "prims" "lib_loopcombinators" -> "fstar_tactics_effect" + "lib_loopcombinators" -> "fstar_tactics_effect" "lib_loopcombinators" -> "fstar_propositionalextensionality" + "lib_loopcombinators" -> "fstar_propositionalextensionality" + "lib_loopcombinators" -> "fstar_tactics" "lib_loopcombinators" -> "fstar_tactics" "lib_loopcombinators" -> "fstar_pervasives" + "lib_loopcombinators" -> "fstar_pervasives" + "lib_loopcombinators" -> "prims" "lib_loopcombinators" -> "prims" "lib_loopcombinators" -> "lib_loopcombinators" "fstar_seq_base" -> "fstar_list_tot" @@ -2119,16 +2652,6 @@ digraph { "fstar_seq_base" -> "fstar_pervasives" "fstar_seq_base" -> "prims" "fstar_seq_base" -> "prims" - "core_ops" -> "core_ops_index" - "core_ops" -> "core_ops_index" - "core_ops" -> "fstar_tactics_typeclasses" - "core_ops" -> "fstar_tactics_typeclasses" - "core_ops" -> "rust_primitives" - "core_ops" -> "rust_primitives" - "core_ops" -> "fstar_pervasives" - "core_ops" -> "fstar_pervasives" - "core_ops" -> "prims" - "core_ops" -> "prims" "fstar_uint64" -> "fstar_uint32" "fstar_uint64" -> "fstar_uint32" "fstar_uint64" -> "fstar_mul" 
@@ -2146,12 +2669,44 @@ digraph { "fstar_classical_sugar" -> "prims" "fstar_classical_sugar" -> "prims" "fstar_classical_sugar" -> "fstar_classical_sugar" + "core_result" -> "fstar_pervasives" + "core_result" -> "fstar_pervasives" + "core_result" -> "prims" + "core_result" -> "prims" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_ops_range" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_array" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_array" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_result" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_result" + "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "prims" + "libcrux_ml_dsa_simd_portable_vector_type" -> "prims" + "libcrux_ml_dsa_simd_portable_vector_type" -> "libcrux_ml_dsa_simd_portable_vector_type" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" - "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives" + 
"libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "prims" "fstar_exn" -> "fstar_pervasives" "fstar_exn" -> "fstar_pervasives" "fstar_exn" -> "prims" @@ -2161,6 +2716,16 @@ digraph { "fstar_reflection_termeq_simple" -> "fstar_pervasives" "fstar_reflection_termeq_simple" -> "prims" "fstar_reflection_termeq_simple" -> "prims" + "core_ops" -> "core_ops_index" + "core_ops" -> "core_ops_index" + "core_ops" -> "fstar_tactics_typeclasses" + "core_ops" -> "fstar_tactics_typeclasses" + "core_ops" -> "rust_primitives" + "core_ops" -> "rust_primitives" + "core_ops" -> "fstar_pervasives" + "core_ops" -> "fstar_pervasives" + "core_ops" -> "prims" + "core_ops" -> "prims" "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_types" "fstar_tactics_typeclasses" -> "fstar_tactics_effect" "fstar_tactics_typeclasses" -> "fstar_tactics_effect" 
@@ -2173,18 +2738,13 @@ digraph { "fstar_pervasives" -> "prims" "fstar_pervasives" -> "prims" "libcrux_ml_dsa_utils" -> "fstar_mul" + "libcrux_ml_dsa_utils" -> "fstar_mul" "libcrux_ml_dsa_utils" -> "core" + "libcrux_ml_dsa_utils" -> "core" + "libcrux_ml_dsa_utils" -> "fstar_pervasives" "libcrux_ml_dsa_utils" -> "fstar_pervasives" "libcrux_ml_dsa_utils" -> "prims" - "libcrux_sha3_traits" -> "fstar_mul" - "libcrux_sha3_traits" -> "fstar_mul" - "libcrux_sha3_traits" -> "core" - "libcrux_sha3_traits" -> "core" - "libcrux_sha3_traits" -> "fstar_pervasives" - "libcrux_sha3_traits" -> "fstar_pervasives" - "libcrux_sha3_traits" -> "prims" - "libcrux_sha3_traits" -> "prims" - "libcrux_sha3_traits" -> "libcrux_sha3_traits" + "libcrux_ml_dsa_utils" -> "prims" "fstar_ghost" -> "fstar_pervasives" "fstar_ghost" -> "fstar_pervasives" "fstar_ghost" -> "prims" 
@@ -2240,26 +2800,12 @@ digraph { "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" "fstar_stubs_tactics_v2_builtins" -> "prims" "fstar_stubs_tactics_v2_builtins" -> "prims" - "rust_primitives" -> "fstar_seq" - "rust_primitives" -> "fstar_seq" - "rust_primitives" -> "fstar_tactics_typeclasses" - "rust_primitives" -> "fstar_tactics_typeclasses" - "rust_primitives" -> "core_ops_control_flow" - "rust_primitives" -> "core_ops_control_flow" - "rust_primitives" -> "core_result" - "rust_primitives" -> "core_result" - "rust_primitives" -> "core_option" - "rust_primitives" -> "core_option" - "rust_primitives" -> "rust_primitives_bitvectors" - "rust_primitives" -> "rust_primitives_bitvectors" - "rust_primitives" -> "rust_primitives_arrays" - "rust_primitives" -> "rust_primitives_arrays" - "rust_primitives" -> "rust_primitives_integers" - "rust_primitives" -> "rust_primitives_integers" - "rust_primitives" -> "fstar_pervasives" - "rust_primitives" -> "fstar_pervasives" - "rust_primitives" -> "prims" - "rust_primitives" -> "prims" + "core_num_error" -> "rust_primitives" + "core_num_error" -> "rust_primitives" + "core_num_error" -> "fstar_pervasives" + "core_num_error" -> "fstar_pervasives" + "core_num_error" -> "prims" + "core_num_error" -> "prims" "fstar_int_cast_full" -> "fstar_uint128" "fstar_int_cast_full" -> "fstar_uint128" "fstar_int_cast_full" -> "fstar_uint64" 
@@ -2280,49 +2826,56 @@ digraph { "fstar_all" -> "fstar_pervasives" "fstar_all" -> "prims" "fstar_all" -> "prims" - "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_ml_dsa_generic" + "spec_utils" -> "rust_primitives_integers" + "spec_utils" -> "rust_primitives_integers" + "spec_utils" -> "fstar_calc" + "spec_utils" -> "fstar_calc" + "spec_utils" -> "fstar_int32" + "spec_utils" -> "fstar_int32" + "spec_utils" -> "fstar_int16" + "spec_utils" -> "fstar_int16" + "spec_utils" -> "fstar_math_lemmas" + "spec_utils" -> "fstar_math_lemmas" + "spec_utils" -> "fstar_classical_sugar" + "spec_utils" -> "fstar_classical_sugar" + "spec_utils" -> "rust_primitives_hax_monomorphized_update_at" + "spec_utils" -> "rust_primitives_hax_monomorphized_update_at" + "spec_utils" -> "core_ops_range" + "spec_utils" -> "lib_inttypes" + "spec_utils" -> "lib_inttypes" + "spec_utils" -> "lib_rawinttypes" + "spec_utils" -> "lib_rawinttypes" + "spec_utils" -> "spec_sha3" + "spec_utils" -> "spec_sha3" + "spec_utils" -> "fstar_list_tot" + "spec_utils" -> "fstar_list_tot" + "spec_utils" -> "rust_primitives_hax" + "spec_utils" -> "rust_primitives_hax" + "spec_utils" -> "lib_loopcombinators" + "spec_utils" -> "lib_loopcombinators" + "spec_utils" -> "fstar_seq" + "spec_utils" -> "fstar_seq" + "spec_utils" -> "core" + "spec_utils" -> "core" + "spec_utils" -> "fstar_mul" + "spec_utils" -> "fstar_mul" + "spec_utils" -> "fstar_pervasives" + "spec_utils" -> "fstar_pervasives" + "spec_utils" -> "prims" + "spec_utils" -> "prims" "libcrux_ml_dsa_ml_dsa_65__portable" -> "core_result" "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65__portable" -> "core" "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_65__portable" -> "prims" - "rust_primitives_integers" -> "fstar_pervasives_native" - "rust_primitives_integers" -> 
"fstar_pervasives_native" - "rust_primitives_integers" -> "fstar_int" - "rust_primitives_integers" -> "fstar_int" - "rust_primitives_integers" -> "fstar_int128" - "rust_primitives_integers" -> "fstar_int128" - "rust_primitives_integers" -> "fstar_uint128" - "rust_primitives_integers" -> "fstar_uint128" - "rust_primitives_integers" -> "fstar_int64" - "rust_primitives_integers" -> "fstar_int64" - "rust_primitives_integers" -> "fstar_uint64" - "rust_primitives_integers" -> "fstar_uint64" - "rust_primitives_integers" -> "fstar_int32" - "rust_primitives_integers" -> "fstar_int32" - "rust_primitives_integers" -> "fstar_uint32" - "rust_primitives_integers" -> "fstar_uint32" - "rust_primitives_integers" -> "fstar_int16" - "rust_primitives_integers" -> "fstar_int16" - "rust_primitives_integers" -> "fstar_uint16" - "rust_primitives_integers" -> "fstar_uint16" - "rust_primitives_integers" -> "fstar_int8" - "rust_primitives_integers" -> "fstar_int8" - "rust_primitives_integers" -> "fstar_uint8" - "rust_primitives_integers" -> "fstar_uint8" - "rust_primitives_integers" -> "lib_inttypes" - "rust_primitives_integers" -> "lib_inttypes" - "rust_primitives_integers" -> "fstar_mul" - "rust_primitives_integers" -> "fstar_mul" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "prims" - "rust_primitives_integers" -> "prims" "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives" "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_commitment" -> "fstar_mul" 
@@ -2333,16 +2886,21 @@ digraph { "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives" "libcrux_ml_dsa_encoding_commitment" -> "prims" "libcrux_ml_dsa_encoding_commitment" -> "prims" - "libcrux_sha3_portable_incremental" -> "libcrux_sha3_portable" - "libcrux_sha3_portable_incremental" -> "libcrux_sha3_portable" - "libcrux_sha3_portable_incremental" -> "fstar_mul" - "libcrux_sha3_portable_incremental" -> "fstar_mul" - "libcrux_sha3_portable_incremental" -> "core" - "libcrux_sha3_portable_incremental" -> "core" - "libcrux_sha3_portable_incremental" -> "fstar_pervasives" - "libcrux_sha3_portable_incremental" -> "fstar_pervasives" - "libcrux_sha3_portable_incremental" -> "prims" - "libcrux_sha3_portable_incremental" -> "prims" + "core_convert" -> "rust_primitives_integers" + "core_convert" -> "rust_primitives_integers" + "core_convert" -> "core_slice" + "core_convert" -> "core_array" + "core_convert" -> "core_array" + "core_convert" -> "core_result" + "core_convert" -> "core_result" + "core_convert" -> "fstar_tactics_typeclasses" + "core_convert" -> "fstar_tactics_typeclasses" + "core_convert" -> "rust_primitives" + "core_convert" -> "rust_primitives" + "core_convert" -> "fstar_pervasives" + "core_convert" -> "fstar_pervasives" + "core_convert" -> "prims" + "core_convert" -> "prims" "fstar_seq_properties" -> "fstar_list_tot_properties" "fstar_seq_properties" -> "fstar_list_tot_properties" "fstar_seq_properties" -> "fstar_list_tot_base" 
@@ -2357,34 +2915,37 @@ digraph { "fstar_seq_properties" -> "fstar_pervasives" "fstar_seq_properties" -> "prims" "fstar_seq_properties" -> "prims" - "rust_primitives_integers" -> "fstar_int_cast" - "rust_primitives_integers" -> "fstar_int_cast" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "prims" - "rust_primitives_integers" -> "prims" - "rust_primitives_integers" -> "rust_primitives_integers" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_panicking" - "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int16" - "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_panicking" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_convert" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_convert" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_result" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_result" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_ops_range" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int32" - "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives" 
"libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_ml_dsa_simd_avx2_encoding_commitment" - "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_int32" - "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87__portable" -> "core" "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_pervasives" 
@@ -2399,15 +2960,21 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" - "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_polynomial" - "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_sha3_portable_incremental" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake256" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake256" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_generic" -> "core" 
@@ -2454,37 +3021,71 @@ digraph { "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" "fstar_stubs_tactics_v1_builtins" -> "prims" "fstar_stubs_tactics_v1_builtins" -> "prims" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "core" + "bitvec_equality" -> "core" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_array" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_array" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int64" - "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_uint8" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" - "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int8" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_ops_range" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> 
"libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_slice" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "hax_lib" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_ml_dsa_simd_avx2_encoding_gamma1" - "core_core_arch_arm_shared_neon" -> "fstar_pervasives" - "core_core_arch_arm_shared_neon" -> "prims" - "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_generic" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "prims" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable_vector_type" 
"libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_portable" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_neon" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_mul" 
@@ -2492,24 +3093,12 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "prims" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" - "bitvec_intrinsics" -> "fstar_list_tot" - "bitvec_intrinsics" -> "fstar_string" - "bitvec_intrinsics" -> "fstar_tactics_v2" - "bitvec_intrinsics" -> "fstar_tactics_v2_derived" - "bitvec_intrinsics" -> "fstar_stubs_tactics_v2_builtins" - "bitvec_intrinsics" -> "fstar_int16" - "bitvec_intrinsics" -> "fstar_int32" - "bitvec_intrinsics" -> "rust_primitives_bitvectors" - "bitvec_intrinsics" -> "bitvec_equality" - "bitvec_intrinsics" -> "fstar_functionalextensionality" - "bitvec_intrinsics" -> "fstar_mul" - "bitvec_intrinsics" -> "rust_primitives" - "bitvec_intrinsics" -> "core" - "bitvec_intrinsics" -> "fstar_pervasives" - "bitvec_intrinsics" -> "prims" - "libcrux_ml_dsa_arithmetic" -> "fstar_int32" - "libcrux_ml_dsa_arithmetic" -> "fstar_int32" - "libcrux_ml_dsa_arithmetic" -> "core_slice" + "core_ops_arith_neg" -> "rust_primitives" + "core_ops_arith_neg" -> "rust_primitives" + "core_ops_arith_neg" -> "fstar_pervasives" + "core_ops_arith_neg" -> "fstar_pervasives" + "core_ops_arith_neg" -> "prims" + "core_ops_arith_neg" -> "prims" "libcrux_ml_dsa_arithmetic" -> "core_slice_iter" "libcrux_ml_dsa_arithmetic" -> "core_slice_iter" "libcrux_ml_dsa_arithmetic" -> "core_iter_traits_collect" 
@@ -2518,8 +3107,11 @@ digraph { "libcrux_ml_dsa_arithmetic" -> "core_iter_traits_iterator" "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_arithmetic" -> "core_slice" "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives_native" "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives" "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax_folds" "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax" "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax" 
@@ -2539,14 +3131,21 @@ digraph { "libcrux_ml_dsa_arithmetic" -> "prims" "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_arithmetic" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives_native" - "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_int32" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "prims" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "prims" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" "fstar_uint128" -> "fstar_pervasives_native" 
@@ -2620,33 +3219,73 @@ digraph { "fstar_tactics_v1_derived" -> "fstar_pervasives" "fstar_tactics_v1_derived" -> "prims" "fstar_tactics_v1_derived" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_portable_vector_type" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_portable" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "core" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "prims" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" - "core_panicking" -> "core_fmt" - "core_panicking" -> "core_option" - "core_panicking" -> "core_option" - "core_panicking" -> "rust_primitives_hax" - "core_panicking" -> "rust_primitives_hax" - "core_panicking" -> "rust_primitives" - "core_panicking" -> "rust_primitives" - "core_panicking" -> "fstar_pervasives" - "core_panicking" -> "fstar_pervasives" - "core_panicking" -> "prims" - "core_panicking" -> "prims" - "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_int32" - "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + 
"libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake128" -> "core" + "libcrux_ml_dsa_hash_functions_shake128" -> "core" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake128" -> "prims" + "libcrux_ml_dsa_hash_functions_shake128" -> "prims" + "libcrux_ml_dsa_hash_functions_shake128" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87__neon" -> "core" "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_87__neon" -> "prims" "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_ml_dsa_87__neon" + "tactics_utils" -> "fstar_tactics_effect" + "tactics_utils" -> "fstar_tactics_effect" + "tactics_utils" -> "fstar_char" + "tactics_utils" -> "fstar_string" + "tactics_utils" -> "fstar_reflection_v2" + "tactics_utils" -> "fstar_reflection_v2" + "tactics_utils" -> "fstar_tactics_util" + "tactics_utils" -> "fstar_tactics_util" + "tactics_utils" -> "fstar_tactics_v1" + "tactics_utils" -> "fstar_tactics_v1" + "tactics_utils" -> "fstar_tactics" + "tactics_utils" -> "fstar_tactics" + "tactics_utils" -> "fstar_pervasives_native" + "tactics_utils" -> "fstar_pervasives_native" + "tactics_utils" -> "fstar_mul" + "tactics_utils" -> "fstar_mul" + "tactics_utils" -> "fstar_class_printable" + "tactics_utils" -> 
"fstar_class_printable" + "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_utils" -> "fstar_tactics_v2" + "tactics_utils" -> "fstar_tactics_v2" + "tactics_utils" -> "fstar_list_tot" + "tactics_utils" -> "fstar_list_tot" + "tactics_utils" -> "fstar_option" + "tactics_utils" -> "fstar_option" + "tactics_utils" -> "core" + "tactics_utils" -> "core" + "tactics_utils" -> "fstar_pervasives" + "tactics_utils" -> "fstar_pervasives" + "tactics_utils" -> "prims" + "tactics_utils" -> "prims" "fstar_tactics_typeclasses" -> "fstar_stubs_pprint" "fstar_tactics_typeclasses" -> "fstar_list_tot" "fstar_tactics_typeclasses" -> "fstar_list_tot" 
@@ -2679,12 +3318,39 @@ digraph { "fstar_tactics_typeclasses" -> "prims" "fstar_tactics_typeclasses" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_list_tot" - "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_list_tot" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "prims" + "core_num" -> "fstar_tactics_typeclasses" + "core_num" -> "fstar_tactics_typeclasses" + "core_num" -> "core_ops_arith" + "core_num" -> "core_num_error" + "core_num" -> "core_result" + "core_num" -> "core_result" + "core_num" -> "fstar_math_lemmas" + "core_num" -> "fstar_math_lemmas" + "core_num" -> "lib_inttypes" + "core_num" -> "lib_inttypes" + "core_num" -> "fstar_uint128" + "core_num" -> "fstar_uint128" + "core_num" -> "fstar_uint32" + "core_num" -> "fstar_uint32" + "core_num" -> "rust_primitives" + "core_num" -> "rust_primitives" + "core_num" -> "fstar_pervasives" + "core_num" -> "fstar_pervasives" + "core_num" -> "prims" + "core_num" -> "prims" "fstar_tactics_v1_logic" -> "fstar_pervasives_native" 
"fstar_tactics_v1_logic" -> "fstar_pervasives_native" "fstar_tactics_v1_logic" -> "fstar_squash" 
@@ -2727,56 +3393,114 @@ digraph { "fstar_int128" -> "prims" "fstar_int128" -> "fstar_int128" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake256" - "libcrux_ml_dsa_hash_functions_portable" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_hash_functions_portable" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_portable" -> "rust_primitives_hax" "libcrux_ml_dsa_hash_functions_portable" -> "rust_primitives_hax" "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives_native" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable_incremental" + "libcrux_ml_dsa_hash_functions_portable" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_portable" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_mul" "libcrux_ml_dsa_hash_functions_portable" -> "fstar_mul" "libcrux_ml_dsa_hash_functions_portable" -> "core" + "libcrux_ml_dsa_hash_functions_portable" -> "core" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives" "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives" "libcrux_ml_dsa_hash_functions_portable" -> "prims" + "libcrux_ml_dsa_hash_functions_portable" -> "prims" + "libcrux_ml_dsa_simd_avx2" -> "core_array" + "libcrux_ml_dsa_simd_avx2" -> "core_array" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_ntt" "libcrux_ml_dsa_simd_avx2" -> 
"libcrux_ml_dsa_simd_avx2_ntt" "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_t1" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_t1" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_t0" "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_t0" "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_commitment" "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_commitment" "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_gamma1" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_gamma1" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" + "libcrux_ml_dsa_simd_avx2" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_avx2" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_arithmetic" - "libcrux_ml_dsa_simd_avx2" -> "fstar_int32" - "libcrux_ml_dsa_simd_avx2" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_traits" - "libcrux_ml_dsa_simd_avx2" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_simd_avx2" -> "core_convert" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_arithmetic" "libcrux_ml_dsa_simd_avx2" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2" -> "core_convert" + "libcrux_ml_dsa_simd_avx2" -> "core_convert" + "libcrux_ml_dsa_simd_avx2" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2" -> "rust_primitives" + 
"libcrux_ml_dsa_simd_avx2" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_vector_type" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_vector_type" + "libcrux_ml_dsa_simd_avx2" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2" -> "core" + "libcrux_ml_dsa_simd_avx2" -> "core" + "libcrux_ml_dsa_simd_avx2" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2" -> "prims" - "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "hax_lib" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "hax_lib" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_slice" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_array" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_array" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_result" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_ops_range" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" - "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax" + 
"libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_ml_dsa_simd_avx2_encoding_t1" + "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake256" -> "core" + "libcrux_ml_dsa_hash_functions_shake256" -> "core" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake256" -> "prims" + "libcrux_ml_dsa_hash_functions_shake256" -> "prims" + "libcrux_ml_dsa_hash_functions_shake256" -> "libcrux_ml_dsa_hash_functions_shake256" "fstar_tactics_v1_logic_lemmas" -> "fstar_squash" "fstar_tactics_v1_logic_lemmas" -> "fstar_squash" "fstar_tactics_v1_logic_lemmas" -> "fstar_indefinitedescription" 
@@ -2788,33 +3512,52 @@ digraph { "fstar_tactics_v1_logic_lemmas" -> "prims" "fstar_tactics_v1_logic_lemmas" -> "prims" "fstar_tactics_v1_logic_lemmas" -> "fstar_tactics_v1_logic_lemmas" - "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" - "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" - "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" - "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake128" - "libcrux_ml_dsa_sample" -> "fstar_mul" - "libcrux_ml_dsa_sample" -> "core" - "libcrux_ml_dsa_sample" -> "fstar_pervasives" - "libcrux_ml_dsa_sample" -> "prims" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t0" -> "core" "libcrux_ml_dsa_encoding_t0" -> "core" "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t0" -> "prims" "libcrux_ml_dsa_encoding_t0" -> "prims" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives" 
"libcrux_ml_dsa_simd_avx2_arithmetic" -> "prims" - "core_clone" -> "fstar_tactics_typeclasses" - "core_clone" -> "fstar_tactics_typeclasses" - "core_clone" -> "fstar_pervasives" - "core_clone" -> "fstar_pervasives" - "core_clone" -> "prims" - "core_clone" -> "prims" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "prims" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_sample" -> "rust_primitives" + "libcrux_ml_dsa_sample" -> "rust_primitives" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_sample" -> "fstar_mul" + "libcrux_ml_dsa_sample" -> "fstar_mul" + "libcrux_ml_dsa_sample" -> "core" + "libcrux_ml_dsa_sample" -> "core" + "libcrux_ml_dsa_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_sample" -> "prims" + "libcrux_ml_dsa_sample" -> "prims" "fstar_sealed" -> "fstar_pervasives" "fstar_sealed" -> "fstar_pervasives" "fstar_sealed" -> "prims" 
@@ -2823,15 +3566,6 @@ digraph { "fstar_vconfig" -> "fstar_pervasives" "fstar_vconfig" -> "prims" "fstar_vconfig" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "core_slice" - "libcrux_intrinsics_avx2_extract" -> "fstar_int32" - "libcrux_intrinsics_avx2_extract" -> "bitvec_intrinsics" - "libcrux_intrinsics_avx2_extract" -> "spec_utils" - "libcrux_intrinsics_avx2_extract" -> "fstar_seq" - "libcrux_intrinsics_avx2_extract" -> "fstar_mul" - "libcrux_intrinsics_avx2_extract" -> "core" - "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" - "libcrux_intrinsics_avx2_extract" -> "prims" "fstar_seq_properties" -> "fstar_list_tot_properties" "fstar_seq_properties" -> "fstar_list_tot_properties" "fstar_seq_properties" -> "fstar_list_tot_base" 
@@ -2851,16 +3585,30 @@ digraph { "fstar_seq_properties" -> "prims" "fstar_seq_properties" -> "prims" "fstar_seq_properties" -> "fstar_seq_properties" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable_vector_type" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_constants" - "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "core" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_pervasives" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "prims" - "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_int32" - "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "core_iter_adapters_enumerate" -> "rust_primitives" + "core_iter_adapters_enumerate" -> "rust_primitives" + "core_iter_adapters_enumerate" -> "fstar_pervasives" + "core_iter_adapters_enumerate" -> "fstar_pervasives" + "core_iter_adapters_enumerate" -> "prims" + "core_iter_adapters_enumerate" -> "prims" + "core_ops_index" -> "fstar_tactics_typeclasses" + "core_ops_index" -> "fstar_tactics_typeclasses" + "core_ops_index" -> "fstar_pervasives" + "core_ops_index" -> "fstar_pervasives" + "core_ops_index" -> "prims" + "core_ops_index" -> "prims" "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_44__portable" -> "core" "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_pervasives" 
@@ -2870,18 +3618,21 @@ digraph { "fstar_float" -> "fstar_pervasives" "fstar_float" -> "prims" "fstar_float" -> "prims" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "core" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "prims" - "bitvec_equality" -> "bitvec_equality" - "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable_vector_type" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "core" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_pervasives" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "core_ops_range" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax_monomorphized_update_at" "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" "fstar_tactics_v2" -> "fstar_tactics_smt" 
@@ -2917,19 +3668,6 @@ digraph { "fstar_tactics_v2" -> "fstar_pervasives" "fstar_tactics_v2" -> "prims" "fstar_tactics_v2" -> "prims" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_math_lemmas" - "fstar_int32" -> "fstar_math_lemmas" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "prims" - "fstar_int32" -> "prims" - "fstar_int32" -> "fstar_int32" "fstar_reflection_v2_derived" -> "fstar_list_tot_base" "fstar_reflection_v2_derived" -> "fstar_list_tot_base" "fstar_reflection_v2_derived" -> "fstar_pervasives_native" 
@@ -2950,12 +3688,43 @@ digraph { "fstar_reflection_v2_derived" -> "fstar_pervasives" "fstar_reflection_v2_derived" -> "prims" "fstar_reflection_v2_derived" -> "prims" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_math_lemmas" + "fstar_int32" -> "fstar_math_lemmas" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "prims" + "fstar_int32" -> "prims" + "fstar_int32" -> "fstar_int32" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "prims" + "libcrux_sha3_traits" -> "prims" + "libcrux_sha3_traits" -> "libcrux_sha3_traits" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t1" -> "core" "libcrux_ml_dsa_encoding_t1" -> "core" "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t1" -> "prims" "libcrux_ml_dsa_encoding_t1" -> "prims" "fstar_uint32" -> "fstar_mul" "fstar_uint32" -> "fstar_mul" 
@@ -3011,18 +3780,29 @@ digraph { "fstar_int_cast" -> "fstar_pervasives" "fstar_int_cast" -> "prims" "fstar_int_cast" -> "prims" - "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_generic" "libcrux_ml_dsa_ml_dsa_44__neon" -> "core_result" "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_44__neon" -> "core" "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_44__neon" -> "prims" + "libcrux_ml_dsa_simd_portable_ntt" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_ntt" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_ntt" -> "core" + "libcrux_ml_dsa_simd_portable_ntt" -> "core" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_pervasives" "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_pervasives" "libcrux_ml_dsa_simd_portable_ntt" -> "prims" + "libcrux_ml_dsa_simd_portable_ntt" -> "prims" "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives_native" "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives_native" "libcrux_ml_dsa_encoding_commitment" -> "core_slice_iter" 
@@ -3038,8 +3818,8 @@ digraph { "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_encoding_commitment" -> "fstar_uint8" - "libcrux_ml_dsa_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives" "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax" "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax" "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" 
@@ -3057,6 +3837,24 @@ digraph { "libcrux_ml_dsa_encoding_commitment" -> "prims" "libcrux_ml_dsa_encoding_commitment" -> "prims" "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_encoding_commitment" + "libcrux_intrinsics_avx2_extract" -> "core_slice" + "libcrux_intrinsics_avx2_extract" -> "rust_primitives" + "libcrux_intrinsics_avx2_extract" -> "rust_primitives" + "libcrux_intrinsics_avx2_extract" -> "bitvec_intrinsics" + "libcrux_intrinsics_avx2_extract" -> "fstar_int32" + "libcrux_intrinsics_avx2_extract" -> "fstar_int32" + "libcrux_intrinsics_avx2_extract" -> "spec_utils" + "libcrux_intrinsics_avx2_extract" -> "spec_utils" + "libcrux_intrinsics_avx2_extract" -> "fstar_seq" + "libcrux_intrinsics_avx2_extract" -> "fstar_seq" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "prims" "fstar_reflection_v2" -> "fstar_reflection_v2_collect" "fstar_reflection_v2" -> "fstar_reflection_v2_collect" "fstar_reflection_v2" -> "fstar_reflection_v2_compare" 
@@ -3074,30 +3872,40 @@ digraph { "fstar_reflection_v2" -> "fstar_pervasives" "fstar_reflection_v2" -> "prims" "fstar_reflection_v2" -> "prims" - "lib_rawinttypes" -> "lib_inttypes" - "lib_rawinttypes" -> "lib_inttypes" - "lib_rawinttypes" -> "fstar_pervasives" - "lib_rawinttypes" -> "prims" - "lib_rawinttypes" -> "lib_rawinttypes" "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_sha3_neon_x2" "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_hash_functions_neon" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_hash_functions_neon" -> "fstar_uint8" "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_list_tot" "libcrux_ml_dsa_hash_functions_neon" -> "fstar_list_tot" "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives" "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_sha3_neon_x2_incremental" "libcrux_ml_dsa_hash_functions_neon" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_mul" "libcrux_ml_dsa_hash_functions_neon" -> "core" + "libcrux_ml_dsa_hash_functions_neon" -> "core" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives" "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives" 
"libcrux_ml_dsa_hash_functions_neon" -> "prims" - "libcrux_sha3_avx2_x4_incremental" -> "libcrux_sha3_neon_x2_incremental" - "libcrux_sha3_avx2_x4_incremental" -> "fstar_mul" - "libcrux_sha3_avx2_x4_incremental" -> "core" - "libcrux_sha3_avx2_x4_incremental" -> "fstar_pervasives" - "libcrux_sha3_avx2_x4_incremental" -> "prims" + "libcrux_ml_dsa_hash_functions_neon" -> "prims" + "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "fstar_pervasives" + "lib_rawinttypes" -> "fstar_pervasives" + "lib_rawinttypes" -> "prims" + "lib_rawinttypes" -> "prims" + "lib_rawinttypes" -> "lib_rawinttypes" "fstar_tactics_namedview" -> "fstar_range" "fstar_tactics_namedview" -> "fstar_reflection_v2" "fstar_tactics_namedview" -> "fstar_reflection_v2" 
@@ -3128,32 +3936,40 @@ digraph { "fstar_stubs_reflection_v1_data" -> "prims" "fstar_stubs_reflection_v1_data" -> "prims" "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_matrix" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_matrix" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_matrix" -> "fstar_mul" "libcrux_ml_dsa_matrix" -> "fstar_mul" "libcrux_ml_dsa_matrix" -> "core" + "libcrux_ml_dsa_matrix" -> "core" + "libcrux_ml_dsa_matrix" -> "fstar_pervasives" "libcrux_ml_dsa_matrix" -> "fstar_pervasives" "libcrux_ml_dsa_matrix" -> "prims" - "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_int32" - "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_matrix" -> "prims" "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65__portable" -> "core" "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_65__portable" -> "prims" "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_ml_dsa_65__portable" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "core_panicking" - "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_int32" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives_hax" - 
"libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable_vector_type" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "core" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_pervasives" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "prims" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives" "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_arithmetic" -> "fstar_tactics_typeclasses" @@ -3168,9 +3984,9 @@ digraph { "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives" "libcrux_ml_dsa_arithmetic" -> "prims" "libcrux_ml_dsa_arithmetic" -> "prims" - "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_int32" - "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "core" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_pervasives" 
@@ -3193,16 +4009,69 @@ digraph { "fstar_tactics_namedview" -> "prims" "fstar_tactics_namedview" -> "prims" "fstar_tactics_namedview" -> "fstar_tactics_namedview" - "rust_primitives_hax_monomorphized_update_at" -> "core_ops_range" - "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" - "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" - "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" - "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" - "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" - "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" - "rust_primitives_hax_monomorphized_update_at" -> "prims" - "rust_primitives_hax_monomorphized_update_at" -> "prims" - "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax_monomorphized_update_at" + "core_slice" -> "fstar_tactics_typeclasses" + "core_slice" -> "fstar_tactics_typeclasses" + "core_slice" -> "core_ops_index" + "core_slice" -> "core_ops_index" + "core_slice" -> "core_slice_iter" + "core_slice" -> "core_slice_iter" + "core_slice" -> "fstar_seq" + "core_slice" -> "fstar_seq" + "core_slice" -> "rust_primitives_integers" + "core_slice" -> "rust_primitives_integers" + "core_slice" -> "rust_primitives_arrays" + "core_slice" -> "rust_primitives_arrays" + "core_slice" -> "fstar_pervasives" + "core_slice" -> "fstar_pervasives" + "core_slice" -> "prims" + "core_slice" -> "prims" + "libcrux_ml_dsa_constants" -> "rust_primitives" + "libcrux_ml_dsa_constants" -> "rust_primitives" + "libcrux_ml_dsa_constants" -> "fstar_mul" + "libcrux_ml_dsa_constants" -> "fstar_mul" + "libcrux_ml_dsa_constants" -> "core" + "libcrux_ml_dsa_constants" -> "core" + "libcrux_ml_dsa_constants" -> "fstar_pervasives" + "libcrux_ml_dsa_constants" -> "fstar_pervasives" + "libcrux_ml_dsa_constants" -> "prims" + "libcrux_ml_dsa_constants" -> "prims" + "libcrux_ml_dsa_constants" -> "libcrux_ml_dsa_constants" + "bitvec_intrinsics" -> 
"fstar_string" + "bitvec_intrinsics" -> "fstar_tactics_v2_derived" + "bitvec_intrinsics" -> "fstar_tactics_v2_derived" + "bitvec_intrinsics" -> "fstar_stubs_tactics_v2_builtins" + "bitvec_intrinsics" -> "fstar_int8" + "bitvec_intrinsics" -> "fstar_int8" + "bitvec_intrinsics" -> "fstar_uint8" + "bitvec_intrinsics" -> "fstar_uint8" + "bitvec_intrinsics" -> "fstar_list_tot" + "bitvec_intrinsics" -> "fstar_list_tot" + "bitvec_intrinsics" -> "fstar_tactics_v2" + "bitvec_intrinsics" -> "fstar_tactics_v2" + "bitvec_intrinsics" -> "fstar_int16" + "bitvec_intrinsics" -> "fstar_int16" + "bitvec_intrinsics" -> "fstar_tactics" + "bitvec_intrinsics" -> "fstar_tactics" + "bitvec_intrinsics" -> "fstar_seq" + "bitvec_intrinsics" -> "fstar_seq" + "bitvec_intrinsics" -> "fstar_int32" + "bitvec_intrinsics" -> "fstar_int32" + "bitvec_intrinsics" -> "tactics_utils" + "bitvec_intrinsics" -> "tactics_utils" + "bitvec_intrinsics" -> "bitvec_equality" + "bitvec_intrinsics" -> "bitvec_equality" + "bitvec_intrinsics" -> "bitvec_utils" + "bitvec_intrinsics" -> "bitvec_utils" + "bitvec_intrinsics" -> "fstar_mul" + "bitvec_intrinsics" -> "fstar_mul" + "bitvec_intrinsics" -> "rust_primitives" + "bitvec_intrinsics" -> "rust_primitives" + "bitvec_intrinsics" -> "core" + "bitvec_intrinsics" -> "core" + "bitvec_intrinsics" -> "fstar_pervasives" + "bitvec_intrinsics" -> "fstar_pervasives" + "bitvec_intrinsics" -> "prims" + "bitvec_intrinsics" -> "prims" "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" 
@@ -3256,17 +4125,12 @@ digraph { "fstar_int64" -> "prims" "fstar_int64" -> "prims" "fstar_int64" -> "fstar_int64" - "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" - "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" - "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signature" - "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signature" - "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_int32" - "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_int32" - "libcrux_ml_dsa_ml_dsa_generic" -> "core_ops_range" "libcrux_ml_dsa_ml_dsa_generic" -> "core_convert" "libcrux_ml_dsa_ml_dsa_generic" -> "core_convert" - "libcrux_ml_dsa_ml_dsa_generic" -> "core_array" - "libcrux_ml_dsa_ml_dsa_generic" -> "core_array" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signature" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signature" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_ntt" @@ -3275,12 +4139,6 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_commitment" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_sample" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_sample" - "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" - "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" - "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" - "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" - "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint16" - "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint16" "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives_native" "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives_native" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signing_key" 
@@ -3298,17 +4156,26 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_ml_dsa_generic" -> "core_slice" - "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint8" - "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint8" "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives_hax" "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives_hax" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_list_tot" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_list_tot" "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_sha3_portable_incremental" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_pre_hash" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" 
@@ -3319,9 +4186,9 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic" -> "prims" "libcrux_ml_dsa_ml_dsa_generic" -> "prims" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_ml_dsa_generic" - "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_ml_dsa_generic" "libcrux_ml_dsa_ml_dsa_87__neon" -> "core_result" "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87__neon" -> "core" "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_pervasives" 
@@ -3338,13 +4205,30 @@ digraph { "fstar_reflection_termeq_simple" -> "prims" "fstar_reflection_termeq_simple" -> "prims" "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq_simple" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2_vector_type" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2_vector_type" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_pre_hash" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_simd256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_pervasives" 
"libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "prims" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" "fstar_propositionalextensionality" -> "fstar_pervasives" "fstar_propositionalextensionality" -> "fstar_pervasives" 
@@ -3359,63 +4243,68 @@ digraph { "fstar_predicateextensionality" -> "prims" "fstar_predicateextensionality" -> "prims" "libcrux_ml_dsa_encoding_t1" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_t1" -> "core_iter_traits_iterator" "libcrux_ml_dsa_encoding_t1" -> "core_option" + "libcrux_ml_dsa_encoding_t1" -> "core_option" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives_native" "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives_native" "libcrux_ml_dsa_encoding_t1" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_t1" -> "core_slice_iter" "libcrux_ml_dsa_encoding_t1" -> "core_slice" "libcrux_ml_dsa_encoding_t1" -> "core_ops_range" "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_encoding_t1" -> "fstar_uint8" "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t1" -> "core" "libcrux_ml_dsa_encoding_t1" -> "core" "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t1" -> "prims" "libcrux_ml_dsa_encoding_t1" -> "prims" "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_encoding_t1" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core_num" 
"libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_traits" - "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int8" - "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core_ops_range" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "hax_lib" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core_slice" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives_native" + 
"libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" - "rust_primitives_bitvectors" -> "fstar_math_lemmas" - "rust_primitives_bitvectors" -> "fstar_math_lemmas" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "prims" - "rust_primitives_bitvectors" -> "prims" - "rust_primitives_bitvectors" -> "rust_primitives_bitvectors" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "core" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "prims" - "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_int32" - "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" "libcrux_ml_dsa_ml_dsa_65_" -> 
"libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" + "libcrux_ml_dsa_ml_dsa_65_" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65_" -> "core" "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_pervasives" 
@@ -3435,53 +4324,83 @@ digraph { "fstar_int16" -> "prims" "libcrux_ml_dsa_sample" -> "rust_primitives_hax_folds" "libcrux_ml_dsa_sample" -> "hax_lib" + "libcrux_ml_dsa_sample" -> "hax_lib" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_encoding_gamma1" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_encoding_gamma1" - "libcrux_ml_dsa_sample" -> "fstar_uint8" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" - "libcrux_ml_dsa_sample" -> "rust_primitives" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_sample" -> "core_convert" + "libcrux_ml_dsa_sample" -> "core_convert" + "libcrux_ml_dsa_sample" -> "core_array" "libcrux_ml_dsa_sample" -> "core_array" "libcrux_ml_dsa_sample" -> "core_result" + "libcrux_ml_dsa_sample" -> "core_result" "libcrux_ml_dsa_sample" -> "core_num" - "libcrux_ml_dsa_sample" -> "fstar_uint64" + "libcrux_ml_dsa_sample" -> "core_panicking" "libcrux_ml_dsa_sample" -> "core_panicking" "libcrux_ml_dsa_sample" -> "rust_primitives_hax" + "libcrux_ml_dsa_sample" -> "rust_primitives_hax" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_sample" -> "core_ops_range" "libcrux_ml_dsa_sample" -> "core_slice" "libcrux_ml_dsa_sample" -> "core_slice_iter" + "libcrux_ml_dsa_sample" -> "core_slice_iter" + "libcrux_ml_dsa_sample" -> "core_iter_traits_collect" "libcrux_ml_dsa_sample" -> "core_iter_traits_collect" "libcrux_ml_dsa_sample" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_sample" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_sample" -> "fstar_pervasives_native" - "libcrux_ml_dsa_sample" -> "fstar_uint16" - "libcrux_ml_dsa_sample" -> "fstar_int32" + "libcrux_ml_dsa_sample" -> "fstar_pervasives_native" + "libcrux_ml_dsa_sample" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_sample" -> 
"rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_sample" -> "rust_primitives" + "libcrux_ml_dsa_sample" -> "rust_primitives" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_sample" -> "fstar_mul" "libcrux_ml_dsa_sample" -> "fstar_mul" "libcrux_ml_dsa_sample" -> "core" + "libcrux_ml_dsa_sample" -> "core" + "libcrux_ml_dsa_sample" -> "fstar_pervasives" "libcrux_ml_dsa_sample" -> "fstar_pervasives" "libcrux_ml_dsa_sample" -> "prims" + "libcrux_ml_dsa_sample" -> "prims" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_sample" - "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "core" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "prims" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_generic_keccak" 
"libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_encoding_error" -> "core_slice" "libcrux_ml_dsa_simd_portable_encoding_error" -> "hax_lib" "libcrux_ml_dsa_simd_portable_encoding_error" -> "core_panicking" "libcrux_ml_dsa_simd_portable_encoding_error" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_int32" "libcrux_ml_dsa_simd_portable_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "rust_primitives" "libcrux_ml_dsa_simd_portable_encoding_error" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable" "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_encoding_error" -> "core" 
@@ -3503,36 +4422,90 @@ digraph { "fstar_int128" -> "prims" "fstar_int128" -> "prims" "lib_loopcombinators" -> "fstar_all" + "lib_loopcombinators" -> "fstar_all" + "lib_loopcombinators" -> "fstar_pervasives" "lib_loopcombinators" -> "fstar_pervasives" "lib_loopcombinators" -> "prims" + "lib_loopcombinators" -> "prims" + "lib_sequence" -> "fstar_list_tot" "lib_sequence" -> "fstar_list_tot" "lib_sequence" -> "fstar_calc" + "lib_sequence" -> "fstar_calc" + "lib_sequence" -> "fstar_math_lemmas" "lib_sequence" -> "fstar_math_lemmas" "lib_sequence" -> "fstar_pervasives_native" + "lib_sequence" -> "fstar_pervasives_native" + "lib_sequence" -> "fstar_seq_properties" "lib_sequence" -> "fstar_seq_properties" "lib_sequence" -> "fstar_seq" + "lib_sequence" -> "fstar_seq" + "lib_sequence" -> "lib_loopcombinators" "lib_sequence" -> "lib_loopcombinators" "lib_sequence" -> "lib_inttypes" + "lib_sequence" -> "lib_inttypes" + "lib_sequence" -> "fstar_mul" "lib_sequence" -> "fstar_mul" "lib_sequence" -> "fstar_pervasives" + "lib_sequence" -> "fstar_pervasives" + "lib_sequence" -> "prims" "lib_sequence" -> "prims" "lib_sequence" -> "lib_sequence" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "core_slice" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "hax_lib" - "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_int32" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_uint8" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable_vector_type" 
+ "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "core" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_pervasives" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "prims" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable_encoding_t1" + "core" -> "core_ops" + "core" -> "core_ops" + "core" -> "core_iter" + "core" -> "core_num" + "core" -> "rust_primitives" + "core" -> "rust_primitives" + "core" -> "fstar_pervasives" + "core" -> "fstar_pervasives" + "core" -> "prims" + "core" -> "prims" + "fstar_class_printable" -> "fstar_seq" + "fstar_class_printable" -> "fstar_seq" + "fstar_class_printable" -> "fstar_uint64" + "fstar_class_printable" -> "fstar_uint64" + "fstar_class_printable" -> "fstar_int64" + "fstar_class_printable" -> "fstar_int64" + "fstar_class_printable" -> "fstar_uint32" + "fstar_class_printable" -> "fstar_uint32" + "fstar_class_printable" -> "fstar_int32" + "fstar_class_printable" -> "fstar_int32" + "fstar_class_printable" -> "fstar_uint16" + "fstar_class_printable" -> "fstar_uint16" + "fstar_class_printable" -> "fstar_int16" + "fstar_class_printable" -> "fstar_int16" + "fstar_class_printable" -> "fstar_int8" + "fstar_class_printable" -> "fstar_int8" + "fstar_class_printable" -> "fstar_uint8" + "fstar_class_printable" -> "fstar_uint8" + "fstar_class_printable" -> "fstar_char" + "fstar_class_printable" -> "fstar_list_tot" + "fstar_class_printable" -> "fstar_list_tot" + "fstar_class_printable" -> "fstar_tactics_typeclasses" + "fstar_class_printable" -> "fstar_tactics_typeclasses" + "fstar_class_printable" -> "fstar_seq_properties" + "fstar_class_printable" -> "fstar_seq_properties" + "fstar_class_printable" -> "fstar_string" + "fstar_class_printable" -> "fstar_pervasives" + "fstar_class_printable" -> "fstar_pervasives" + 
"fstar_class_printable" -> "prims" + "fstar_class_printable" -> "prims" "fstar_uint128" -> "fstar_uint64" "fstar_uint128" -> "fstar_uint64" "fstar_uint128" -> "fstar_uint32" @@ -3545,12 +4518,34 @@ digraph { "fstar_uint128" -> "fstar_pervasives" "fstar_uint128" -> "prims" "fstar_uint128" -> "prims" + "bitvec_utils" -> "fstar_list_tot" + "bitvec_utils" -> "fstar_list_tot" + "bitvec_utils" -> "rust_primitives_bitvectors" + "bitvec_utils" -> "rust_primitives_bitvectors" + "bitvec_utils" -> "bitvec_equality" + "bitvec_utils" -> "bitvec_equality" + "bitvec_utils" -> "fstar_functionalextensionality" + "bitvec_utils" -> "fstar_functionalextensionality" + "bitvec_utils" -> "core" + "bitvec_utils" -> "core" + "bitvec_utils" -> "fstar_pervasives" + "bitvec_utils" -> "fstar_pervasives" + "bitvec_utils" -> "prims" + "bitvec_utils" -> "prims" "fstar_tset" -> "fstar_set" "fstar_tset" -> "fstar_set" "fstar_tset" -> "fstar_pervasives" "fstar_tset" -> "fstar_pervasives" "fstar_tset" -> "prims" "fstar_tset" -> "prims" + "libcrux_sha3_neon_x2" -> "fstar_mul" + "libcrux_sha3_neon_x2" -> "fstar_mul" + "libcrux_sha3_neon_x2" -> "core" + "libcrux_sha3_neon_x2" -> "core" + "libcrux_sha3_neon_x2" -> "fstar_pervasives" + "libcrux_sha3_neon_x2" -> "fstar_pervasives" + "libcrux_sha3_neon_x2" -> "prims" + "libcrux_sha3_neon_x2" -> "prims" "fstar_list_tot" -> "fstar_list_tot_properties" "fstar_list_tot" -> "fstar_list_tot_properties" "fstar_list_tot" -> "fstar_list_tot_base" 
@@ -3577,22 +4572,16 @@ digraph { "fstar_reflection_v2_compare" -> "prims" "fstar_reflection_v2_compare" -> "prims" "fstar_reflection_v2_compare" -> "fstar_reflection_v2_compare" - "core_num_error" -> "rust_primitives" - "core_num_error" -> "rust_primitives" - "core_num_error" -> "fstar_pervasives" - "core_num_error" -> "fstar_pervasives" - "core_num_error" -> "prims" - "core_num_error" -> "prims" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "core_slice" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "hax_lib" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "core_panicking" - "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_int32" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "rust_primitives" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "core" 
@@ -3653,12 +4642,6 @@ digraph { "fstar_tset" -> "prims" "fstar_tset" -> "prims" "fstar_tset" -> "fstar_tset" - "libcrux_sha3_neon_x2_incremental" -> "core_core_arch_arm_shared_neon" - "libcrux_sha3_neon_x2_incremental" -> "libcrux_sha3_generic_keccak" - "libcrux_sha3_neon_x2_incremental" -> "fstar_mul" - "libcrux_sha3_neon_x2_incremental" -> "core" - "libcrux_sha3_neon_x2_incremental" -> "fstar_pervasives" - "libcrux_sha3_neon_x2_incremental" -> "prims" "fstar_tactics_visit" -> "fstar_pervasives_native" "fstar_tactics_visit" -> "fstar_pervasives_native" "fstar_tactics_visit" -> "fstar_tactics_util" @@ -3684,10 +4667,15 @@ digraph { "libcrux_ml_dsa_simd_traits" -> "prims" "libcrux_ml_dsa_simd_traits" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "prims" "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" 
@@ -3724,8 +4712,8 @@ digraph { "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_encoding_error" -> "fstar_uint8" - "libcrux_ml_dsa_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives" "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax" "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax" "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" @@ -3752,8 +4740,8 @@ digraph { "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" "fstar_stubs_reflection_v1_builtins" -> "prims" "fstar_stubs_reflection_v1_builtins" -> "prims" - "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_ml_dsa_generic" - "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_encoding_signature" -> "core_result" "libcrux_ml_dsa_encoding_signature" -> "core_result" "libcrux_ml_dsa_encoding_signature" -> "fstar_tactics_typeclasses" 
@@ -3768,16 +4756,35 @@ digraph { "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives" "libcrux_ml_dsa_encoding_signature" -> "prims" "libcrux_ml_dsa_encoding_signature" -> "prims" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_verification_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_verification_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_verification_key" -> "core" "libcrux_ml_dsa_encoding_verification_key" -> "core" "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_verification_key" -> "prims" "libcrux_ml_dsa_encoding_verification_key" -> "prims" - "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_sha3_portable" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_portable" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "prims" + "libcrux_sha3_portable" -> "prims" "libcrux_ml_dsa_ml_dsa_44__portable" -> "core_result" "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_mul" 
"libcrux_ml_dsa_ml_dsa_44__portable" -> "core" "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_pervasives" @@ -3801,20 +4808,23 @@ digraph { "fstar_reflection_v2_compare" -> "fstar_pervasives" "fstar_reflection_v2_compare" -> "prims" "fstar_reflection_v2_compare" -> "prims" - "libcrux_sha3_neon_x2" -> "fstar_mul" - "libcrux_sha3_neon_x2" -> "core" - "libcrux_sha3_neon_x2" -> "fstar_pervasives" - "libcrux_sha3_neon_x2" -> "prims" "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" "fstar_tactics_v1_logic_lemmas" -> "prims" "fstar_tactics_v1_logic_lemmas" -> "prims" - "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_int32" - "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "prims" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "prims" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_44__avx2" "fstar_tactics_effect" -> "fstar_stubs_tactics_result" 
@@ -3825,18 +4835,13 @@ digraph { "fstar_tactics_effect" -> "prims" "fstar_tactics_effect" -> "prims" "fstar_tactics_effect" -> "fstar_tactics_effect" - "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" - "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" - "core_iter_traits_iterator" -> "core_iter_adapters_step_by" - "core_iter_traits_iterator" -> "core_iter_adapters_step_by" - "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" - "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" - "core_iter_traits_iterator" -> "rust_primitives" - "core_iter_traits_iterator" -> "rust_primitives" - "core_iter_traits_iterator" -> "fstar_pervasives" - "core_iter_traits_iterator" -> "fstar_pervasives" - "core_iter_traits_iterator" -> "prims" - "core_iter_traits_iterator" -> "prims" + "core_array_iter" -> "core_iter" + "core_array_iter" -> "rust_primitives" + "core_array_iter" -> "rust_primitives" + "core_array_iter" -> "fstar_pervasives" + "core_array_iter" -> "fstar_pervasives" + "core_array_iter" -> "prims" + "core_array_iter" -> "prims" "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_slice" "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives_hax_folds" @@ -3844,8 +4849,7 @@ digraph { "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_array_iter" "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_iter_traits_collect" "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_iter_traits_iterator" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_ops_control_flow" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives_hax_control_flow_monad_mexception" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable_vector_type" "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_fmt_rt" 
@@ -3853,10 +4857,9 @@ digraph { "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_fmt" "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_panicking" "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_traits" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_uint64" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives" "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_ops_arith_neg" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable" "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_arithmetic" -> "core" 
@@ -3891,4 +4894,35 @@ digraph { "fstar_tactics_v2_logic" -> "prims" "fstar_tactics_v2_logic" -> "prims" "fstar_tactics_v2_logic" -> "fstar_tactics_v2_logic" + "libcrux_sha3_traits" -> "fstar_tactics_typeclasses" + "libcrux_sha3_traits" -> "fstar_tactics_typeclasses" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "prims" + "libcrux_sha3_traits" -> "prims" + "core_iter" -> "rust_primitives_arrays" + "core_iter" -> "rust_primitives_arrays" + "core_iter" -> "core_ops_range" + "core_iter" -> "core_iter_adapters_step_by" + "core_iter" -> "core_iter_adapters_step_by" + "core_iter" -> "fstar_pervasives_native" + "core_iter" -> "fstar_pervasives_native" + "core_iter" -> "core_ops" + "core_iter" -> "core_ops" + "core_iter" -> "fstar_tactics_typeclasses" + "core_iter" -> "fstar_tactics_typeclasses" + "core_iter" -> "core_iter_adapters_enumerate" + "core_iter" -> "core_iter_adapters_enumerate" + "core_iter" -> "core_iter_traits_iterator" + "core_iter" -> "core_iter_traits_iterator" + "core_iter" -> "rust_primitives" + "core_iter" -> "rust_primitives" + "core_iter" -> "fstar_pervasives" + "core_iter" -> "fstar_pervasives" + "core_iter" -> "prims" + "core_iter" -> "prims" } diff --git a/libcrux-ml-dsa/src/encoding/signature.rs b/libcrux-ml-dsa/src/encoding/signature.rs index 233f3e224..867141959 100644 --- a/libcrux-ml-dsa/src/encoding/signature.rs +++ b/libcrux-ml-dsa/src/encoding/signature.rs @@ -1,5 +1,5 @@ use crate::{ - constants::COEFFICIENTS_IN_RING_ELEMENT, encoding, ml_dsa_generic::Signature, + constants::COEFFICIENTS_IN_RING_ELEMENT, encoding, types::Signature, polynomial::PolynomialRingElement, simd::traits::Operations, VerificationError, }; diff --git a/libcrux-ml-dsa/src/lib.rs b/libcrux-ml-dsa/src/lib.rs index c83f0ce20..3a9090beb 100644 
--- a/libcrux-ml-dsa/src/lib.rs +++ b/libcrux-ml-dsa/src/lib.rs @@ -16,10 +16,7 @@ mod types; mod utils; // Public interface -pub use { - ml_dsa_generic::{SigningError, VerificationError}, - types::*, -}; +pub use types::*; pub use crate::constants::KEY_GENERATION_RANDOMNESS_SIZE; pub use crate::constants::SIGNING_RANDOMNESS_SIZE; diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index d13930b0b..366f5def4 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -12,7 +12,7 @@ use crate::{ vector_times_ring_element, }, ntt::ntt, - polynomial::PolynomialRingElement, + types::{SigningError, VerificationError, Signature}, pre_hash::{DomainSeparationContext, PreHash}, sample::{sample_challenge_ring_element, sample_mask_vector}, samplex4, @@ -24,16 +24,6 @@ use crate::{ pub(crate) mod instantiations; pub(crate) mod multiplexing; -pub(crate) struct Signature< - SIMDUnit: Operations, - const COMMITMENT_HASH_SIZE: usize, - const COLUMNS_IN_A: usize, - const ROWS_IN_A: usize, -> { - pub commitment_hash: [u8; COMMITMENT_HASH_SIZE], - pub signer_response: [PolynomialRingElement; COLUMNS_IN_A], - pub hint: [[i32; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A], -} /// Generate a key pair. pub(crate) fn generate_key_pair< @@ -99,20 +89,6 @@ pub(crate) fn generate_key_pair< (signing_key_serialized, verification_key_serialized) } -#[derive(Debug)] -pub enum VerificationError { - MalformedHintError, - SignerResponseExceedsBoundError, - CommitmentHashesDontMatchError, - ContextTooLongError, -} - -#[derive(Debug)] -pub enum SigningError { - RejectionSamplingError, - ContextTooLongError, -} - #[allow(non_snake_case)] pub(crate) fn sign_pre_hashed< SIMDUnit: Operations, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index 1718f6c01..89b8fe4cb 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs 
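Review bot: The replacement import line `types::{SigningError, VerificationError, Signature},` in ml_dsa_generic.rs is not in rustfmt order; `types::{Signature, SigningError, VerificationError},` is what `cargo fmt` emits, so a formatting check in CI will flip it back. The import that brought `COEFFICIENTS_IN_RING_ELEMENT` into scope for the removed `Signature` struct lies outside this hunk; if nothing else in the file uses that constant it is now an unused import and will show up as a build warning, so a `cargo build` pass on this commit is worth doing. The two following hunks in this file are pure deletions of the struct and the two error enums, which now live in types.rs, and need no further review here.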
+++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -3,7 +3,7 @@ macro_rules! instantiate { pub mod $modp { use crate::{ constants::*, - ml_dsa_generic::{SigningError, VerificationError}, + types::{SigningError, VerificationError}, pre_hash::SHAKE128_PH, types::*, }; diff --git a/libcrux-ml-dsa/src/pre_hash.rs b/libcrux-ml-dsa/src/pre_hash.rs index e21e412c2..677e24299 100644 --- a/libcrux-ml-dsa/src/pre_hash.rs +++ b/libcrux-ml-dsa/src/pre_hash.rs @@ -5,7 +5,8 @@ //!/perform the pre-hash of the message. This module implements the //! pre-hash trait for SHAKE-128, with a digest length of 256 bytes. use crate::{ - constants::CONTEXT_MAX_LEN, hash_functions::shake128::Xof, SigningError, VerificationError, + constants::CONTEXT_MAX_LEN, hash_functions::shake128::Xof, + types::{SigningError, VerificationError}, }; pub(crate) const PRE_HASH_OID_LEN: usize = 11; diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 82192638a..ed6d52177 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs 
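Review bot: The added `types::{SigningError, VerificationError},` inside the `instantiate!` macro's `use crate::{...}` tree is redundant: the same tree already contains `types::*,` two lines below, which brings both error enums into scope now that they are defined in types.rs. Dropping the added line and leaving `types::*,` keeps the import list minimal and avoids a redundant-import lint on every expansion of the macro. The pre_hash.rs hunk on this line is a plain path move and looks fine.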
@@ -1,36 +1,24 @@ use crate::simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}; -use libcrux_intrinsics; +mod vector_type; mod arithmetic; mod encoding; mod ntt; mod rejection_sample; -#[derive(Clone, Copy)] -pub struct AVX2SIMDUnit { - pub(crate) coefficients: libcrux_intrinsics::avx2::Vec256, -} - -impl From for AVX2SIMDUnit { - fn from(coefficients: libcrux_intrinsics::avx2::Vec256) -> Self { - Self { coefficients } - } -} +pub(crate) use vector_type::AVX2SIMDUnit; impl Operations for AVX2SIMDUnit { fn ZERO() -> Self { - libcrux_intrinsics::avx2::mm256_setzero_si256().into() + vector_type::ZERO() } fn from_coefficient_array(coefficient_array: &[i32]) -> Self { - libcrux_intrinsics::avx2::mm256_loadu_si256_i32(coefficient_array).into() + vector_type::from_coefficient_array(coefficient_array) } fn to_coefficient_array(&self) -> [i32; 8] { - let mut coefficient_array = [0i32; 8]; - libcrux_intrinsics::avx2::mm256_storeu_si256_i32(&mut coefficient_array, self.coefficients); - - coefficient_array + vector_type::to_coefficient_array(&self) } fn add(lhs: &Self, rhs: &Self) -> Self { diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index 05098b5c7..375f7eca1 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs 
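Review bot: `vector_type::to_coefficient_array(&self)` in the `Operations` impl takes a reference to `self`, which is already `&Self`, so the call passes `&&AVX2SIMDUnit` and relies on deref coercion; `vector_type::to_coefficient_array(self)` is presumably what the helper's signature wants, and clippy's needless_borrow will flag the current form. The same expression appears in the portable.rs hunk that follows. Separately, this commit adds `mod vector_type;` to avx2.rs and portable.rs, but `libcrux-ml-dsa/src/simd/avx2/vector_type.rs` and `libcrux-ml-dsa/src/simd/portable/vector_type.rs` are listed as created only by patch 06/74 later in this series, so as far as the series shows the crate does not compile at this commit, which breaks bisecting; moving those two files into this commit would fix that.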
@@ -1,34 +1,26 @@ use crate::simd::traits::{Operations, COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT}; +mod vector_type; mod arithmetic; - // Some of the portable implementations are used in lieu of vectorized ones in // the AVX2 module. pub(crate) mod encoding; - mod ntt; mod sample; -#[derive(Clone, Copy)] -pub struct PortableSIMDUnit { - pub(crate) coefficients: [arithmetic::FieldElement; COEFFICIENTS_IN_SIMD_UNIT], -} +pub(crate) use vector_type::PortableSIMDUnit; impl Operations for PortableSIMDUnit { fn ZERO() -> Self { - PortableSIMDUnit { - coefficients: [0i32; COEFFICIENTS_IN_SIMD_UNIT], - } + vector_type::ZERO() } fn from_coefficient_array(array: &[i32]) -> Self { - PortableSIMDUnit { - coefficients: array[0..8].try_into().unwrap(), - } + vector_type::from_coefficient_array(array) } fn to_coefficient_array(&self) -> [i32; 8] { - self.coefficients.try_into().unwrap() + vector_type::to_coefficient_array(&self) } fn add(lhs: &Self, rhs: &Self) -> Self { diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index 1785d108e..1b194c40d 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -1,17 +1,12 @@ +use super::vector_type::{PortableSIMDUnit, FieldElement}; use crate::{ constants::BITS_IN_LOWER_PART_OF_T, - simd::{ - portable::PortableSIMDUnit, - traits::{ + simd::traits::{ FieldElementTimesMontgomeryR, Operations, FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, - }, }, }; -/// Values having this type hold a representative 'x' of the Kyber field. -/// We use 'fe' as a shorthand for this type. -pub(crate) type FieldElement = i32; /// If 'x' denotes a value of type `fe`, values having this type hold a /// representative y ≡ x·MONTGOMERY_R^(-1) (mod FIELD_MODULUS). diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs index c6886ba50..6ffafe423 100644 
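Review bot: The surviving doc comment in portable/arithmetic.rs, `/// If 'x' denotes a value of type fe, values having this type hold a`, now refers to a shorthand whose definition (`We use 'fe' as a shorthand for this type`) is removed together with the `FieldElement` alias in this hunk, so `fe` is dangling for a reader of this file. Rewording it on the new side to `/// If 'x' denotes a value of type FieldElement (see vector_type), values having this type hold a` keeps the Montgomery-form explanation self-contained, and the alias itself deserves a one-line doc at its new home in vector_type.rs. When that doc is rewritten, note that the removed text described 'the Kyber field' inside ML-DSA code; the new comment should name the ML-DSA field (modulus `FIELD_MODULUS`) instead.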
--- a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs @@ -1,4 +1,4 @@ -use crate::simd::portable::PortableSIMDUnit; +use super::super::vector_type::PortableSIMDUnit; #[inline(always)] pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; OUTPUT_SIZE] { diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs index d7878fbc8..1ad003932 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs @@ -1,4 +1,5 @@ -use crate::simd::{portable::PortableSIMDUnit, traits::Operations}; +use crate::simd::traits::Operations; +use super::super::vector_type::PortableSIMDUnit; #[inline(always)] fn serialize_when_eta_is_2( diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs index eabb2fd81..cecefafc9 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs @@ -1,5 +1,5 @@ -use crate::simd::{portable::PortableSIMDUnit, traits::Operations}; - +use crate::simd::traits::Operations; +use super::super::vector_type::PortableSIMDUnit; // This function is marked public since it is called in the corresponding AVX2 code. #[inline(always)] pub fn serialize_when_gamma1_is_2_pow_17( diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs index da66b7729..c8db3cf54 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs @@ -1,8 +1,10 @@ use crate::{ constants::BITS_IN_LOWER_PART_OF_T, - simd::{portable::PortableSIMDUnit, traits::Operations}, + simd::traits::Operations, }; +use super::super::vector_type::PortableSIMDUnit; + // If t0 is a signed representative, change it to an unsigned one and // vice versa. #[inline(always)] 
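Review bot: The new imports in commitment.rs, error.rs, gamma1.rs and t0.rs reach the moved type through `use super::super::vector_type::PortableSIMDUnit;`, a relative path that silently stops resolving if any of these modules is moved one level; the absolute `use crate::simd::portable::vector_type::PortableSIMDUnit;` says where the type lives and survives such a move (the private `mod vector_type` is visible to these descendant modules either way). The t1.rs and ntt.rs hunks on the next line use the same pattern. In gamma1.rs the replacement also drops the blank line that separated the imports from `// This function is marked public since it is called in the corresponding AVX2 code.`, so that comment now reads as attached to the use statement; restoring the blank line keeps it on `serialize_when_gamma1_is_2_pow_17`.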
diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs index 3b8c56515..52edb0914 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs @@ -1,8 +1,10 @@ use crate::{ constants::BITS_IN_UPPER_PART_OF_T, - simd::{portable::PortableSIMDUnit, traits::Operations}, + simd::traits::Operations, }; +use super::super::vector_type::PortableSIMDUnit; + #[inline(always)] pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 10] { let mut serialized = [0u8; 10]; diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs index ac40a9c1c..78aaa7aad 100644 --- a/libcrux-ml-dsa/src/simd/portable/ntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs @@ -1,10 +1,8 @@ use super::arithmetic::{self, montgomery_multiply_fe_by_fer}; -use crate::simd::{ - portable::PortableSIMDUnit, - traits::{ +use super::vector_type::PortableSIMDUnit; +use crate::simd::traits::{ montgomery_multiply_by_fer, COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT, ZETAS_TIMES_MONTGOMERY_R, - }, }; #[inline(always)] diff --git a/libcrux-ml-dsa/src/types.rs b/libcrux-ml-dsa/src/types.rs index 72c5e1479..12cc34779 100644 --- a/libcrux-ml-dsa/src/types.rs +++ b/libcrux-ml-dsa/src/types.rs 
@@ -33,3 +33,34 @@ pub struct MLDSAKeyPair, pub verification_key: MLDSAVerificationKey, } + +use crate::{ + constants::*, + simd::traits::Operations, + polynomial::PolynomialRingElement, +}; + +pub(crate) struct Signature< + SIMDUnit: Operations, + const COMMITMENT_HASH_SIZE: usize, + const COLUMNS_IN_A: usize, + const ROWS_IN_A: usize, +> { + pub commitment_hash: [u8; COMMITMENT_HASH_SIZE], + pub signer_response: [PolynomialRingElement; COLUMNS_IN_A], + pub hint: [[i32; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A], +} + +#[derive(Debug)] +pub enum VerificationError { + MalformedHintError, + SignerResponseExceedsBoundError, + CommitmentHashesDontMatchError, + ContextTooLongError, +} + +#[derive(Debug)] +pub enum SigningError { + RejectionSamplingError, + ContextTooLongError, +} \ No newline at end of file From 08ce4acfef2660b7875fcb8e12e4afc5f0d1c33a Mon Sep 17 00:00:00 2001 
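Review bot: The `use crate::{ constants::*, simd::traits::Operations, polynomial::PolynomialRingElement, };` block is inserted after the `MLDSAKeyPair` struct rather than at the top of types.rs, and `constants::*` is a glob although, as far as this hunk shows, the moved `Signature` struct only needs `COEFFICIENTS_IN_RING_ELEMENT`; `use crate::constants::COEFFICIENTS_IN_RING_ELEMENT;` at the head of the file states exactly what is used and keeps the file's imports in one place. `VerificationError` and `SigningError` are public, re-exported at the crate root through `pub use types::*` in the lib.rs hunk, and carry no doc comments; a one-line `///` per enum and per variant (what `MalformedHintError` versus `SignerResponseExceedsBoundError` tells a caller about a rejected signature, and that `ContextTooLongError` refers to the `CONTEXT_MAX_LEN` bound) would be worth adding while they are being moved. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.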
From: Karthikeyan Bhargavan Date: Fri, 11 Oct 2024 17:24:33 +0200 Subject: [PATCH 06/74] refreshed fstar --- .../extraction/Libcrux_ml_dsa.Constants.fst | 46 ++ .../Libcrux_ml_dsa.Hash_functions.Neon.fst | 555 ++++++++++++++++++ ...Libcrux_ml_dsa.Hash_functions.Shake128.fst | 80 +++ ...Libcrux_ml_dsa.Hash_functions.Shake256.fst | 114 ++++ .../extraction/Libcrux_ml_dsa.Pre_hash.fst | 33 ++ .../extraction/Libcrux_ml_dsa.Pre_hash.fsti | 130 ++++ .../Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst | 29 + .../Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti | 27 + ...bcrux_ml_dsa.Simd.Portable.Vector_type.fst | 47 ++ ...crux_ml_dsa.Simd.Portable.Vector_type.fsti | 14 + .../Libcrux_ml_dsa.Simd.Portable.fst | 340 +++++++++++ libcrux-ml-dsa/src/simd/avx2/vector_type.rs | 25 + .../src/simd/portable/vector_type.rs | 25 + 13 files changed, 1465 insertions(+) create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst create mode 100644 libcrux-ml-dsa/src/simd/avx2/vector_type.rs create mode 100644 
libcrux-ml-dsa/src/simd/portable/vector_type.rs diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst new file mode 100644 index 000000000..2837735e9 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst 
@@ -0,0 +1,46 @@ +module Libcrux_ml_dsa.Constants +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let v_BITS_IN_LOWER_PART_OF_T: usize = Rust_primitives.mk_usize 13 + +let v_BYTES_FOR_VERIFICATION_KEY_HASH: usize = Rust_primitives.mk_usize 64 + +let v_COEFFICIENTS_IN_RING_ELEMENT: usize = Rust_primitives.mk_usize 256 + +/// The length of `context` is serialized to a single `u8`. +let v_CONTEXT_MAX_LEN: usize = Rust_primitives.mk_usize 255 + +let v_FIELD_MODULUS: i32 = Rust_primitives.mk_i32 8380417 + +let v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH: usize = Rust_primitives.mk_usize 23 + +let v_BITS_IN_UPPER_PART_OF_T: usize = + v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! v_BITS_IN_LOWER_PART_OF_T + +/// Number of bytes of entropy required for key generation. +let v_KEY_GENERATION_RANDOMNESS_SIZE: usize = Rust_primitives.mk_usize 32 + +let v_MASK_SEED_SIZE: usize = Rust_primitives.mk_usize 64 + +let v_MESSAGE_REPRESENTATIVE_SIZE: usize = Rust_primitives.mk_usize 64 + +let v_REJECTION_SAMPLE_BOUND_SIGN: usize = Rust_primitives.mk_usize 814 + +let v_RING_ELEMENT_OF_T0S_SIZE: usize = + (v_BITS_IN_LOWER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! + Rust_primitives.mk_usize 8 + +let v_RING_ELEMENT_OF_T1S_SIZE: usize = + (v_BITS_IN_UPPER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! + Rust_primitives.mk_usize 8 + +let v_SEED_FOR_A_SIZE: usize = Rust_primitives.mk_usize 32 + +let v_SEED_FOR_ERROR_VECTORS_SIZE: usize = Rust_primitives.mk_usize 64 + +let v_SEED_FOR_SIGNING_SIZE: usize = Rust_primitives.mk_usize 32 + +/// Number of bytes of entropy required for signing. +let v_SIGNING_RANDOMNESS_SIZE: usize = Rust_primitives.mk_usize 32 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst new file mode 100644 index 000000000..f993463d8 --- /dev/null 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst 
@@ -0,0 +1,555 @@ +module Libcrux_ml_dsa.Hash_functions.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +type t_Shake128x4 = { + f_state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (Rust_primitives.mk_usize 2) +} + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = + { + f_init_absorb_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake128x4) + -> + true); + f_init_absorb + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState + (Rust_primitives.mk_usize 2) = + let list = + [Libcrux_sha3.Neon.X2.Incremental.init (); Libcrux_sha3.Neon.X2.Incremental.init ()] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list + in + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState + (Rust_primitives.mk_usize 2) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state + (Rust_primitives.mk_usize 0) + (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ Rust_primitives.mk_usize + 0 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + input0 + input1 + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + in + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState + (Rust_primitives.mk_usize 2) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state + (Rust_primitives.mk_usize 1) + (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ Rust_primitives.mk_usize + 1 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + input2 + input3 + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + in + { f_state = state } <: 
t_Shake128x4); + f_squeeze_first_five_blocks_pre + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (Rust_primitives.mk_usize 840)) + (out1: t_Array u8 (Rust_primitives.mk_usize 840)) + (out2: t_Array u8 (Rust_primitives.mk_usize 840)) + (out3: t_Array u8 (Rust_primitives.mk_usize 840)) + -> + true); + f_squeeze_first_five_blocks_post + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (Rust_primitives.mk_usize 840)) + (out1: t_Array u8 (Rust_primitives.mk_usize 840)) + (out2: t_Array u8 (Rust_primitives.mk_usize 840)) + (out3: t_Array u8 (Rust_primitives.mk_usize 840)) + (out4: + (t_Shake128x4 & t_Array u8 (Rust_primitives.mk_usize 840) & + t_Array u8 (Rust_primitives.mk_usize 840) & + t_Array u8 (Rust_primitives.mk_usize 840) & + t_Array u8 (Rust_primitives.mk_usize 840))) + -> + true); + f_squeeze_first_five_blocks + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (Rust_primitives.mk_usize 840)) + (out1: t_Array u8 (Rust_primitives.mk_usize 840)) + (out2: t_Array u8 (Rust_primitives.mk_usize 840)) + (out3: t_Array u8 (Rust_primitives.mk_usize 840)) + -> + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & + t_Array u8 (Rust_primitives.mk_usize 840) & + t_Array u8 (Rust_primitives.mk_usize 840)) = + Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_five_blocks (self.f_state.[ Rust_primitives.mk_usize + 0 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out0 + out1 + in + let self:t_Shake128x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state + (Rust_primitives.mk_usize 0) + tmp0 + } + <: + t_Shake128x4 + in + let out0:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in + let out1:t_Array u8 (Rust_primitives.mk_usize 840) = tmp2 in + let _:Prims.unit = () in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & + t_Array u8 (Rust_primitives.mk_usize 840) & + t_Array u8 (Rust_primitives.mk_usize 840)) = + 
Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_five_blocks (self.f_state.[ Rust_primitives.mk_usize + 1 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out2 + out3 + in + let self:t_Shake128x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state + (Rust_primitives.mk_usize 1) + tmp0 + } + <: + t_Shake128x4 + in + let out2:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in + let out3:t_Array u8 (Rust_primitives.mk_usize 840) = tmp2 in + let _:Prims.unit = () in + self, out0, out1, out2, out3 + <: + (t_Shake128x4 & t_Array u8 (Rust_primitives.mk_usize 840) & + t_Array u8 (Rust_primitives.mk_usize 840) & + t_Array u8 (Rust_primitives.mk_usize 840) & + t_Array u8 (Rust_primitives.mk_usize 840))); + f_squeeze_next_block_pre = (fun (self: t_Shake128x4) -> true); + f_squeeze_next_block_post + = + (fun + (self: t_Shake128x4) + (out4: + (t_Shake128x4 & + (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & + t_Array u8 (Rust_primitives.mk_usize 168) & + t_Array u8 (Rust_primitives.mk_usize 168)))) + -> + true); + f_squeeze_next_block + = + fun (self: t_Shake128x4) -> + let out0:t_Array u8 (Rust_primitives.mk_usize 168) = + Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) + in + let out1:t_Array u8 (Rust_primitives.mk_usize 168) = + Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) + in + let out2:t_Array u8 (Rust_primitives.mk_usize 168) = + Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) + in + let out3:t_Array u8 (Rust_primitives.mk_usize 168) = + Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) + in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & + t_Array u8 (Rust_primitives.mk_usize 168) & + t_Array u8 (Rust_primitives.mk_usize 168)) = + Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block 
(self.f_state.[ Rust_primitives.mk_usize + 0 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out0 + out1 + in + let self:t_Shake128x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state + (Rust_primitives.mk_usize 0) + tmp0 + } + <: + t_Shake128x4 + in + let out0:t_Array u8 (Rust_primitives.mk_usize 168) = tmp1 in + let out1:t_Array u8 (Rust_primitives.mk_usize 168) = tmp2 in + let _:Prims.unit = () in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & + t_Array u8 (Rust_primitives.mk_usize 168) & + t_Array u8 (Rust_primitives.mk_usize 168)) = + Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block (self.f_state.[ Rust_primitives.mk_usize + 1 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out2 + out3 + in + let self:t_Shake128x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state + (Rust_primitives.mk_usize 1) + tmp0 + } + <: + t_Shake128x4 + in + let out2:t_Array u8 (Rust_primitives.mk_usize 168) = tmp1 in + let out3:t_Array u8 (Rust_primitives.mk_usize 168) = tmp2 in + let _:Prims.unit = () in + let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 168) & + t_Array u8 (Rust_primitives.mk_usize 168) & + t_Array u8 (Rust_primitives.mk_usize 168) & + t_Array u8 (Rust_primitives.mk_usize 168)) = + out0, out1, out2, out3 + <: + (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & + t_Array u8 (Rust_primitives.mk_usize 168) & + t_Array u8 (Rust_primitives.mk_usize 168)) + in + self, hax_temp_output + <: + (t_Shake128x4 & + (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & + t_Array u8 (Rust_primitives.mk_usize 168) & + t_Array u8 (Rust_primitives.mk_usize 168))) + } + +/// Neon SHAKE 256 x4 state +type t_Shake256x4 = { + f_state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (Rust_primitives.mk_usize 2) +} + +[@@ 
FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = + { + f_init_absorb_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake256x4) + -> + true); + f_init_absorb + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState + (Rust_primitives.mk_usize 2) = + let list = + [Libcrux_sha3.Neon.X2.Incremental.init (); Libcrux_sha3.Neon.X2.Incremental.init ()] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list + in + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState + (Rust_primitives.mk_usize 2) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state + (Rust_primitives.mk_usize 0) + (Libcrux_sha3.Neon.X2.Incremental.shake256_absorb_final (state.[ Rust_primitives.mk_usize + 0 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + input0 + input1 + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + in + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState + (Rust_primitives.mk_usize 2) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state + (Rust_primitives.mk_usize 1) + (Libcrux_sha3.Neon.X2.Incremental.shake256_absorb_final (state.[ Rust_primitives.mk_usize + 1 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + input2 + input3 + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + in + { f_state = state } <: t_Shake256x4); + f_squeeze_first_block_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_first_block_post + = + (fun + (self: t_Shake256x4) + (out4: + (t_Shake256x4 & + (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array 
u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136)))) + -> + true); + f_squeeze_first_block + = + (fun (self: t_Shake256x4) -> + let out0:t_Array u8 (Rust_primitives.mk_usize 136) = + Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) + in + let out1:t_Array u8 (Rust_primitives.mk_usize 136) = + Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) + in + let out2:t_Array u8 (Rust_primitives.mk_usize 136) = + Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) + in + let out3:t_Array u8 (Rust_primitives.mk_usize 136) = + Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) + in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136)) = + Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_first_block (self.f_state.[ Rust_primitives.mk_usize + 0 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out0 + out1 + in + let self:t_Shake256x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state + (Rust_primitives.mk_usize 0) + tmp0 + } + <: + t_Shake256x4 + in + let out0:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out1:t_Array u8 (Rust_primitives.mk_usize 136) = tmp2 in + let _:Prims.unit = () in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136)) = + Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_first_block (self.f_state.[ Rust_primitives.mk_usize + 1 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out2 + out3 + in + let self:t_Shake256x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state + (Rust_primitives.mk_usize 1) + tmp0 + } + <: + t_Shake256x4 + in + let 
out2:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out3:t_Array u8 (Rust_primitives.mk_usize 136) = tmp2 in + let _:Prims.unit = () in + let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136)) = + out0, out1, out2, out3 + <: + (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136)) + in + self, hax_temp_output + <: + (t_Shake256x4 & + (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136)))); + f_squeeze_next_block_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_next_block_post + = + (fun + (self: t_Shake256x4) + (out4: + (t_Shake256x4 & + (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136)))) + -> + true); + f_squeeze_next_block + = + (fun (self: t_Shake256x4) -> + let out0:t_Array u8 (Rust_primitives.mk_usize 136) = + Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) + in + let out1:t_Array u8 (Rust_primitives.mk_usize 136) = + Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) + in + let out2:t_Array u8 (Rust_primitives.mk_usize 136) = + Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) + in + let out3:t_Array u8 (Rust_primitives.mk_usize 136) = + Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) + in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136)) = + 
Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_next_block (self.f_state.[ Rust_primitives.mk_usize + 0 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out0 + out1 + in + let self:t_Shake256x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state + (Rust_primitives.mk_usize 0) + tmp0 + } + <: + t_Shake256x4 + in + let out0:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out1:t_Array u8 (Rust_primitives.mk_usize 136) = tmp2 in + let _:Prims.unit = () in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136)) = + Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_next_block (self.f_state.[ Rust_primitives.mk_usize + 1 ] + <: + Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) + out2 + out3 + in + let self:t_Shake256x4 = + { + self with + f_state + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state + (Rust_primitives.mk_usize 1) + tmp0 + } + <: + t_Shake256x4 + in + let out2:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out3:t_Array u8 (Rust_primitives.mk_usize 136) = tmp2 in + let _:Prims.unit = () in + let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136)) = + out0, out1, out2, out3 + <: + (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136)) + in + self, hax_temp_output + <: + (t_Shake256x4 & + (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136)))); + f_shake256_pre + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: 
t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + true); + f_shake256_post + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + (out4: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN + )) + -> + true); + f_shake256 + = + fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + let tmp0, tmp1:(t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) = + Libcrux_sha3.Neon.X2.shake256 input0 input1 out0 out1 + in + let out0:t_Array u8 v_OUT_LEN = tmp0 in + let out1:t_Array u8 v_OUT_LEN = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) = + Libcrux_sha3.Neon.X2.shake256 input2 input3 out2 out3 + in + let out2:t_Array u8 v_OUT_LEN = tmp0 in + let out3:t_Array u8 v_OUT_LEN = tmp1 in + let _:Prims.unit = () in + out0, out1, out2, out3 + <: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fst new file mode 100644 index 000000000..9dd9ad636 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fst 
@@ -0,0 +1,80 @@ +module Libcrux_ml_dsa.Hash_functions.Shake128 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +class t_Xof (v_Self: Type0) = { + f_shake128_pre:v_OUTPUT_LENGTH: usize -> t_Slice u8 -> t_Array u8 v_OUTPUT_LENGTH -> Type0; + f_shake128_post: + v_OUTPUT_LENGTH: usize -> + t_Slice u8 -> + t_Array u8 v_OUTPUT_LENGTH -> + t_Array u8 v_OUTPUT_LENGTH + -> Type0; + f_shake128:v_OUTPUT_LENGTH: usize -> x0: t_Slice u8 -> x1: t_Array u8 v_OUTPUT_LENGTH + -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) + (f_shake128_pre v_OUTPUT_LENGTH x0 x1) + (fun result -> f_shake128_post v_OUTPUT_LENGTH x0 x1 result) +} + +/// When sampling matrix A we always want to do 4 absorb/squeeze calls in +/// parallel. +class t_XofX4 (v_Self: Type0) = { + f_init_absorb_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; + f_init_absorb_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0; + f_init_absorb:x0: t_Slice u8 -> x1: t_Slice u8 -> x2: t_Slice u8 -> x3: t_Slice u8 + -> Prims.Pure v_Self + (f_init_absorb_pre x0 x1 x2 x3) + (fun result -> f_init_absorb_post x0 x1 x2 x3 result); + f_squeeze_first_five_blocks_pre: + v_Self -> + t_Array u8 (Rust_primitives.mk_usize 840) -> + t_Array u8 (Rust_primitives.mk_usize 840) -> + t_Array u8 (Rust_primitives.mk_usize 840) -> + t_Array u8 (Rust_primitives.mk_usize 840) + -> Type0; + f_squeeze_first_five_blocks_post: + v_Self -> + t_Array u8 (Rust_primitives.mk_usize 840) -> + t_Array u8 (Rust_primitives.mk_usize 840) -> + t_Array u8 (Rust_primitives.mk_usize 840) -> + t_Array u8 (Rust_primitives.mk_usize 840) -> + (v_Self & t_Array u8 (Rust_primitives.mk_usize 840) & + t_Array u8 (Rust_primitives.mk_usize 840) & + t_Array u8 (Rust_primitives.mk_usize 840) & + t_Array u8 (Rust_primitives.mk_usize 840)) + -> Type0; + f_squeeze_first_five_blocks: + x0: v_Self -> + x1: t_Array u8 (Rust_primitives.mk_usize 840) -> + x2: t_Array u8 (Rust_primitives.mk_usize 840) -> + x3: t_Array u8 
(Rust_primitives.mk_usize 840) -> + x4: t_Array u8 (Rust_primitives.mk_usize 840) + -> Prims.Pure + (v_Self & t_Array u8 (Rust_primitives.mk_usize 840) & + t_Array u8 (Rust_primitives.mk_usize 840) & + t_Array u8 (Rust_primitives.mk_usize 840) & + t_Array u8 (Rust_primitives.mk_usize 840)) + (f_squeeze_first_five_blocks_pre x0 x1 x2 x3 x4) + (fun result -> f_squeeze_first_five_blocks_post x0 x1 x2 x3 x4 result); + f_squeeze_next_block_pre:v_Self -> Type0; + f_squeeze_next_block_post: + v_Self -> + (v_Self & + (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & + t_Array u8 (Rust_primitives.mk_usize 168) & + t_Array u8 (Rust_primitives.mk_usize 168))) + -> Type0; + f_squeeze_next_block:x0: v_Self + -> Prims.Pure + (v_Self & + (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & + t_Array u8 (Rust_primitives.mk_usize 168) & + t_Array u8 (Rust_primitives.mk_usize 168))) + (f_squeeze_next_block_pre x0) + (fun result -> f_squeeze_next_block_post x0 result) +} + +let v_BLOCK_SIZE: usize = Rust_primitives.mk_usize 168 + +let v_FIVE_BLOCKS_SIZE: usize = v_BLOCK_SIZE *! Rust_primitives.mk_usize 5 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fst new file mode 100644 index 000000000..a37c4e5d7 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fst 
@@ -0,0 +1,114 @@ +module Libcrux_ml_dsa.Hash_functions.Shake256 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +class t_Xof (v_Self: Type0) = { + f_shake256_pre:v_OUTPUT_LENGTH: usize -> t_Slice u8 -> t_Array u8 v_OUTPUT_LENGTH -> Type0; + f_shake256_post: + v_OUTPUT_LENGTH: usize -> + t_Slice u8 -> + t_Array u8 v_OUTPUT_LENGTH -> + t_Array u8 v_OUTPUT_LENGTH + -> Type0; + f_shake256:v_OUTPUT_LENGTH: usize -> x0: t_Slice u8 -> x1: t_Array u8 v_OUTPUT_LENGTH + -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) + (f_shake256_pre v_OUTPUT_LENGTH x0 x1) + (fun result -> f_shake256_post v_OUTPUT_LENGTH x0 x1 result); + f_init_absorb_pre:t_Slice u8 -> Type0; + f_init_absorb_post:t_Slice u8 -> v_Self -> Type0; + f_init_absorb:x0: t_Slice u8 + -> Prims.Pure v_Self (f_init_absorb_pre x0) (fun result -> f_init_absorb_post x0 result); + f_squeeze_first_block_pre:v_Self -> Type0; + f_squeeze_first_block_post:v_Self -> (v_Self & t_Array u8 (Rust_primitives.mk_usize 136)) -> Type0; + f_squeeze_first_block:x0: v_Self + -> Prims.Pure (v_Self & t_Array u8 (Rust_primitives.mk_usize 136)) + (f_squeeze_first_block_pre x0) + (fun result -> f_squeeze_first_block_post x0 result); + f_squeeze_next_block_pre:v_Self -> Type0; + f_squeeze_next_block_post:v_Self -> (v_Self & t_Array u8 (Rust_primitives.mk_usize 136)) -> Type0; + f_squeeze_next_block:x0: v_Self + -> Prims.Pure (v_Self & t_Array u8 (Rust_primitives.mk_usize 136)) + (f_squeeze_next_block_pre x0) + (fun result -> f_squeeze_next_block_post x0 result) +} + +class t_XofX4 (v_Self: Type0) = { + f_shake256_pre: + v_OUT_LEN: usize -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN + -> Type0; + f_shake256_post: + v_OUT_LEN: usize -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> 
+ (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + -> Type0; + f_shake256: + v_OUT_LEN: usize -> + x0: t_Slice u8 -> + x1: t_Slice u8 -> + x2: t_Slice u8 -> + x3: t_Slice u8 -> + x4: t_Array u8 v_OUT_LEN -> + x5: t_Array u8 v_OUT_LEN -> + x6: t_Array u8 v_OUT_LEN -> + x7: t_Array u8 v_OUT_LEN + -> Prims.Pure + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + (f_shake256_pre v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7) + (fun result -> f_shake256_post v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7 result); + f_init_absorb_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; + f_init_absorb_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0; + f_init_absorb:x0: t_Slice u8 -> x1: t_Slice u8 -> x2: t_Slice u8 -> x3: t_Slice u8 + -> Prims.Pure v_Self + (f_init_absorb_pre x0 x1 x2 x3) + (fun result -> f_init_absorb_post x0 x1 x2 x3 result); + f_squeeze_first_block_pre:v_Self -> Type0; + f_squeeze_first_block_post: + v_Self -> + (v_Self & + (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136))) + -> Type0; + f_squeeze_first_block:x0: v_Self + -> Prims.Pure + (v_Self & + (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136))) + (f_squeeze_first_block_pre x0) + (fun result -> f_squeeze_first_block_post x0 result); + f_squeeze_next_block_pre:v_Self -> Type0; + f_squeeze_next_block_post: + v_Self -> + (v_Self & + (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136))) + -> Type0; + f_squeeze_next_block:x0: v_Self + -> Prims.Pure + (v_Self & + (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 
(Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136) & + t_Array u8 (Rust_primitives.mk_usize 136))) + (f_squeeze_next_block_pre x0) + (fun result -> f_squeeze_next_block_post x0 result) +} + +let v_BLOCK_SIZE: usize = Rust_primitives.mk_usize 136 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst new file mode 100644 index 000000000..2f05fdbf1 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst @@ -0,0 +1,33 @@ +module Libcrux_ml_dsa.Pre_hash +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + () + +let t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) = + match x with | DomainSeparationError_ContextTooLongError -> Rust_primitives.mk_isize 0 + +let impl_1__context (self: t_DomainSeparationContext) = self.f_context + +let impl_1__new + (context: t_Slice u8) + (pre_hash_oid: Core.Option.t_Option (t_Array u8 (Rust_primitives.mk_usize 11))) + = + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + Core.Result.Result_Err (DomainSeparationError_ContextTooLongError <: t_DomainSeparationError) + <: + Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError + else + Core.Result.Result_Ok + ({ f_context = context; f_pre_hash_oid = pre_hash_oid } <: t_DomainSeparationContext) + <: + Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError + +let impl_1__pre_hash_oid (self: t_DomainSeparationContext) = self.f_pre_hash_oid 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti new file mode 100644 index 000000000..07397201f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti 
@@ -0,0 +1,130 @@ +module Libcrux_ml_dsa.Pre_hash +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + () + +type t_DomainSeparationError = | DomainSeparationError_ContextTooLongError : t_DomainSeparationError + +val t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) + : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) + +class t_PreHash (v_Self: Type0) (v_DIGEST_LEN: usize) = { + f_oid_pre:Prims.unit -> Type0; + f_oid_post:Prims.unit -> t_Array u8 (Rust_primitives.mk_usize 11) -> Type0; + f_oid:x0: Prims.unit + -> Prims.Pure (t_Array u8 (Rust_primitives.mk_usize 11)) + (f_oid_pre x0) + (fun result -> f_oid_post x0 result); + f_hash_pre:t_Slice u8 -> Type0; + f_hash_post:t_Slice u8 -> t_Array u8 v_DIGEST_LEN -> Type0; + f_hash:x0: t_Slice u8 + -> Prims.Pure (t_Array u8 v_DIGEST_LEN) (f_hash_pre x0) (fun result -> f_hash_post x0 result) +} + +let v_PRE_HASH_OID_LEN: usize = Rust_primitives.mk_usize 11 + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_2: Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSeparationError = + { + f_from_pre = (fun (e: t_DomainSeparationError) -> true); + f_from_post + = + (fun (e: t_DomainSeparationError) (out: Libcrux_ml_dsa.Types.t_SigningError) -> true); + f_from + = + fun (e: t_DomainSeparationError) -> + match e with + | DomainSeparationError_ContextTooLongError -> + Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_3: Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_DomainSeparationError = + { + f_from_pre = (fun (e: t_DomainSeparationError) -> true); + f_from_post + = + (fun (e: 
t_DomainSeparationError) (out: Libcrux_ml_dsa.Types.t_VerificationError) -> true); + f_from + = + fun (e: t_DomainSeparationError) -> + match e with + | DomainSeparationError_ContextTooLongError -> + Libcrux_ml_dsa.Types.VerificationError_ContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError + } + +/// Binds the context string to an optional pre-hash OID identifying +/// the hash function or XOF used for pre-hashing. +type t_DomainSeparationContext = { + f_context:t_Slice u8; + f_pre_hash_oid:Core.Option.t_Option (t_Array u8 (Rust_primitives.mk_usize 11)) +} + +/// Returns the context, guaranteed to be at most 255 bytes long. +val impl_1__context (self: t_DomainSeparationContext) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// `context` must be at most 255 bytes long. +val impl_1__new + (context: t_Slice u8) + (pre_hash_oid: Core.Option.t_Option (t_Array u8 (Rust_primitives.mk_usize 11))) + : Prims.Pure (Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Returns the pre-hash OID, if any. +val impl_1__pre_hash_oid (self: t_DomainSeparationContext) + : Prims.Pure (Core.Option.t_Option (t_Array u8 (Rust_primitives.mk_usize 11))) + Prims.l_True + (fun _ -> Prims.l_True) + +/// An implementation of the pre-hash trait for the SHAKE-128 XOF with +/// digest length 256 bytes. 
+type t_SHAKE128_PH = | SHAKE128_PH : t_SHAKE128_PH + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: t_PreHash t_SHAKE128_PH (Rust_primitives.mk_usize 256) = + { + f_oid_pre = (fun (_: Prims.unit) -> true); + f_oid_post = (fun (_: Prims.unit) (out: t_Array u8 (Rust_primitives.mk_usize 11)) -> true); + f_oid + = + (fun (_: Prims.unit) -> + let list = + [ + Rust_primitives.mk_u8 6; Rust_primitives.mk_u8 9; Rust_primitives.mk_u8 96; + Rust_primitives.mk_u8 134; Rust_primitives.mk_u8 72; Rust_primitives.mk_u8 1; + Rust_primitives.mk_u8 101; Rust_primitives.mk_u8 3; Rust_primitives.mk_u8 4; + Rust_primitives.mk_u8 2; Rust_primitives.mk_u8 11 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 11); + Rust_primitives.Hax.array_of_list 11 list); + f_hash_pre = (fun (message: t_Slice u8) -> true); + f_hash_post + = + (fun (message: t_Slice u8) (out: t_Array u8 (Rust_primitives.mk_usize 256)) -> true); + f_hash + = + fun (message: t_Slice u8) -> + let output:t_Array u8 (Rust_primitives.mk_usize 256) = + Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 256) + in + let output:t_Array u8 (Rust_primitives.mk_usize 256) = + Libcrux_ml_dsa.Hash_functions.Shake128.f_shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #FStar.Tactics.Typeclasses.solve + (Rust_primitives.mk_usize 256) + message + output + in + output + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst new file mode 100644 index 000000000..09fb347fe --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst 
@@ -0,0 +1,29 @@ +module Libcrux_ml_dsa.Simd.Avx2.Vector_type +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_ZERO (_: Prims.unit) = + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + +let from_coefficient_array (coefficient_array: t_Slice i32) = + Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array + <: + Libcrux_intrinsics.Avx2_extract.t_Vec256) + +let to_coefficient_array (x: t_AVX2SIMDUnit) = + let coefficient_array:t_Array i32 (Rust_primitives.mk_usize 8) = + Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 8) + in + let coefficient_array:t_Array i32 (Rust_primitives.mk_usize 8) = + Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i32 coefficient_array x.f_coefficients + in + coefficient_array diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti new file mode 100644 index 000000000..a35eb5b9e --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti 
@@ -0,0 +1,27 @@ +module Libcrux_ml_dsa.Simd.Avx2.Vector_type +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +type t_AVX2SIMDUnit = { f_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Core.Convert.t_From t_AVX2SIMDUnit Libcrux_intrinsics.Avx2_extract.t_Vec256 = + { + f_from_pre = (fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); + f_from_post + = + (fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_AVX2SIMDUnit) -> true); + f_from + = + fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> + { f_coefficients = coefficients } <: t_AVX2SIMDUnit + } + +val v_ZERO: Prims.unit -> Prims.Pure t_AVX2SIMDUnit Prims.l_True (fun _ -> Prims.l_True) + +val from_coefficient_array (coefficient_array: t_Slice i32) + : Prims.Pure t_AVX2SIMDUnit Prims.l_True (fun _ -> Prims.l_True) + +val to_coefficient_array (x: t_AVX2SIMDUnit) + : Prims.Pure (t_Array i32 (Rust_primitives.mk_usize 8)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst new file mode 100644 index 000000000..e2eb675b4 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst 
@@ -0,0 +1,47 @@ +module Libcrux_ml_dsa.Simd.Portable.Vector_type +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_ZERO (_: Prims.unit) = + { + f_coefficients + = + Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 8) + } + <: + t_PortableSIMDUnit + +let from_coefficient_array (array: t_Slice i32) = + { + f_coefficients + = + Core.Result.impl__unwrap #(t_Array i32 (Rust_primitives.mk_usize 8)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice i32) + #(t_Array i32 (Rust_primitives.mk_usize 8)) + #FStar.Tactics.Typeclasses.solve + (array.[ { + Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; + Core.Ops.Range.f_end = Rust_primitives.mk_usize 8 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + <: + Core.Result.t_Result (t_Array i32 (Rust_primitives.mk_usize 8)) + Core.Array.t_TryFromSliceError) + } + <: + t_PortableSIMDUnit + +let to_coefficient_array (x: t_PortableSIMDUnit) = + Core.Result.impl__unwrap #(t_Array i32 (Rust_primitives.mk_usize 8)) + #Core.Convert.t_Infallible + (Core.Convert.f_try_into #(t_Array i32 (Rust_primitives.mk_usize 8)) + #(t_Array i32 (Rust_primitives.mk_usize 8)) + #FStar.Tactics.Typeclasses.solve + x.f_coefficients + <: + Core.Result.t_Result (t_Array i32 (Rust_primitives.mk_usize 8)) Core.Convert.t_Infallible) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti new file mode 100644 index 000000000..f8e0810cc --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti 
@@ -0,0 +1,14 @@ +module Libcrux_ml_dsa.Simd.Portable.Vector_type +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +type t_PortableSIMDUnit = { f_coefficients:t_Array i32 (Rust_primitives.mk_usize 8) } + +val v_ZERO: Prims.unit -> Prims.Pure t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) + +val from_coefficient_array (array: t_Slice i32) + : Prims.Pure t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) + +val to_coefficient_array (x: t_PortableSIMDUnit) + : Prims.Pure (t_Array i32 (Rust_primitives.mk_usize 8)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst new file mode 100644 index 000000000..7c8759eec --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst 
@@ -0,0 +1,340 @@ +module Libcrux_ml_dsa.Simd.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +type t_PortableSIMDUnit = { f_coefficients:t_Array i32 (Rust_primitives.mk_usize 8) } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations t_PortableSIMDUnit = + { + _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; + _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; + f_ZERO_pre = (fun (_: Prims.unit) -> true); + f_ZERO_post = (fun (_: Prims.unit) (out: t_PortableSIMDUnit) -> true); + f_ZERO + = + (fun (_: Prims.unit) -> + { + f_coefficients + = + Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 8) + } + <: + t_PortableSIMDUnit); + f_from_coefficient_array_pre = (fun (array: t_Slice i32) -> true); + f_from_coefficient_array_post = (fun (array: t_Slice i32) (out: t_PortableSIMDUnit) -> true); + f_from_coefficient_array + = + (fun (array: t_Slice i32) -> + { + f_coefficients + = + Core.Result.impl__unwrap #(t_Array i32 (Rust_primitives.mk_usize 8)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice i32) + #(t_Array i32 (Rust_primitives.mk_usize 8)) + #FStar.Tactics.Typeclasses.solve + (array.[ { + Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; + Core.Ops.Range.f_end = Rust_primitives.mk_usize 8 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + <: + Core.Result.t_Result (t_Array i32 (Rust_primitives.mk_usize 8)) + Core.Array.t_TryFromSliceError) + } + <: + t_PortableSIMDUnit); + f_to_coefficient_array_pre = (fun (self: t_PortableSIMDUnit) -> true); + f_to_coefficient_array_post + = + (fun (self: t_PortableSIMDUnit) (out: t_Array i32 (Rust_primitives.mk_usize 8)) -> true); + f_to_coefficient_array + = + (fun (self: t_PortableSIMDUnit) -> + Core.Result.impl__unwrap #(t_Array i32 (Rust_primitives.mk_usize 8)) + #Core.Convert.t_Infallible + (Core.Convert.f_try_into #(t_Array i32 
(Rust_primitives.mk_usize 8)) + #(t_Array i32 (Rust_primitives.mk_usize 8)) + #FStar.Tactics.Typeclasses.solve + self.f_coefficients + <: + Core.Result.t_Result (t_Array i32 (Rust_primitives.mk_usize 8)) + Core.Convert.t_Infallible)); + f_add_pre = (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> true); + f_add_post + = + (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) (out: t_PortableSIMDUnit) -> true); + f_add + = + (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.add lhs rhs); + f_subtract_pre = (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> true); + f_subtract_post + = + (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) (out: t_PortableSIMDUnit) -> true); + f_subtract + = + (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract lhs rhs); + f_montgomery_multiply_by_constant_pre = (fun (simd_unit: t_PortableSIMDUnit) (c: i32) -> true); + f_montgomery_multiply_by_constant_post + = + (fun (simd_unit: t_PortableSIMDUnit) (c: i32) (out: t_PortableSIMDUnit) -> true); + f_montgomery_multiply_by_constant + = + (fun (simd_unit: t_PortableSIMDUnit) (c: i32) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant simd_unit c); + f_montgomery_multiply_pre = (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> true); + f_montgomery_multiply_post + = + (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) (out: t_PortableSIMDUnit) -> true); + f_montgomery_multiply + = + (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply lhs rhs); + f_shift_left_then_reduce_pre = (fun (v_SHIFT_BY: i32) (simd_unit: t_PortableSIMDUnit) -> true); + f_shift_left_then_reduce_post + = + (fun (v_SHIFT_BY: i32) (simd_unit: t_PortableSIMDUnit) (out: t_PortableSIMDUnit) -> true); + f_shift_left_then_reduce + = + (fun (v_SHIFT_BY: i32) (simd_unit: 
t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.shift_left_then_reduce v_SHIFT_BY simd_unit); + f_power2round_pre = (fun (simd_unit: t_PortableSIMDUnit) -> true); + f_power2round_post + = + (fun (simd_unit: t_PortableSIMDUnit) (out: (t_PortableSIMDUnit & t_PortableSIMDUnit)) -> true); + f_power2round + = + (fun (simd_unit: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.power2round simd_unit); + f_infinity_norm_exceeds_pre = (fun (simd_unit: t_PortableSIMDUnit) (bound: i32) -> true); + f_infinity_norm_exceeds_post + = + (fun (simd_unit: t_PortableSIMDUnit) (bound: i32) (out: bool) -> true); + f_infinity_norm_exceeds + = + (fun (simd_unit: t_PortableSIMDUnit) (bound: i32) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.infinity_norm_exceeds simd_unit bound); + f_decompose_pre = (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) -> true); + f_decompose_post + = + (fun + (v_GAMMA2: i32) + (simd_unit: t_PortableSIMDUnit) + (out: (t_PortableSIMDUnit & t_PortableSIMDUnit)) + -> + true); + f_decompose + = + (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.decompose v_GAMMA2 simd_unit); + f_compute_hint_pre + = + (fun (v_GAMMA2: i32) (low: t_PortableSIMDUnit) (high: t_PortableSIMDUnit) -> true); + f_compute_hint_post + = + (fun + (v_GAMMA2: i32) + (low: t_PortableSIMDUnit) + (high: t_PortableSIMDUnit) + (out: (usize & t_PortableSIMDUnit)) + -> + true); + f_compute_hint + = + (fun (v_GAMMA2: i32) (low: t_PortableSIMDUnit) (high: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.compute_hint v_GAMMA2 low high); + f_use_hint_pre + = + (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) (hint: t_PortableSIMDUnit) -> true); + f_use_hint_post + = + (fun + (v_GAMMA2: i32) + (simd_unit: t_PortableSIMDUnit) + (hint: t_PortableSIMDUnit) + (out: t_PortableSIMDUnit) + -> + true); + f_use_hint + = + (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) (hint: t_PortableSIMDUnit) -> + 
Libcrux_ml_dsa.Simd.Portable.Arithmetic.use_hint v_GAMMA2 simd_unit hint); + f_rejection_sample_less_than_field_modulus_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_field_modulus_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_field_modulus + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_field_modulus randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_2_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_2_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_2_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_2_ randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_4_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_4_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_4_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_4_ randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_gamma1_serialize_pre = (fun (v_OUTPUT_SIZE: usize) 
(simd_unit: t_PortableSIMDUnit) -> true); + f_gamma1_serialize_post + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> + true); + f_gamma1_serialize + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize v_OUTPUT_SIZE simd_unit); + f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); + f_gamma1_deserialize_post + = + (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); + f_gamma1_deserialize + = + (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized); + f_commitment_serialize_pre + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> true); + f_commitment_serialize_post + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> + true); + f_commitment_serialize + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.serialize v_OUTPUT_SIZE simd_unit); + f_error_serialize_pre = (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> true); + f_error_serialize_post + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> + true); + f_error_serialize + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize v_OUTPUT_SIZE simd_unit); + f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); + f_error_deserialize_post + = + (fun (v_ETA: usize) (serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); + f_error_deserialize + = + (fun (v_ETA: usize) (serialized: t_Slice u8) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Error.deserialize v_ETA serialized); + f_t0_serialize_pre = (fun (simd_unit: t_PortableSIMDUnit) -> 
true); + f_t0_serialize_post + = + (fun (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 (Rust_primitives.mk_usize 13)) -> true); + f_t0_serialize + = + (fun (simd_unit: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.T0.serialize simd_unit); + f_t0_deserialize_pre = (fun (serialized: t_Slice u8) -> true); + f_t0_deserialize_post = (fun (serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); + f_t0_deserialize + = + (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T0.deserialize serialized + ); + f_t1_serialize_pre = (fun (simd_unit: t_PortableSIMDUnit) -> true); + f_t1_serialize_post + = + (fun (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 (Rust_primitives.mk_usize 10)) -> true); + f_t1_serialize + = + (fun (simd_unit: t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.T1.serialize simd_unit); + f_t1_deserialize_pre = (fun (serialized: t_Slice u8) -> true); + f_t1_deserialize_post = (fun (serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); + f_t1_deserialize + = + (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T1.deserialize serialized + ); + f_ntt_pre = (fun (simd_units: t_Array t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) -> true); + f_ntt_post + = + (fun + (simd_units: t_Array t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) + (out: t_Array t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) + -> + true); + f_ntt + = + (fun (simd_units: t_Array t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) -> + Libcrux_ml_dsa.Simd.Portable.Ntt.ntt simd_units); + f_invert_ntt_at_layer_0_pre + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> true + ); + f_invert_ntt_at_layer_0_post + = + (fun + (simd_unit: t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + (out: t_PortableSIMDUnit) + -> + true); + f_invert_ntt_at_layer_0_ + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) 
(zeta3: i32) -> + Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_0_ simd_unit zeta0 zeta1 zeta2 zeta3); + f_invert_ntt_at_layer_1_pre + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) -> true); + f_invert_ntt_at_layer_1_post + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (out: t_PortableSIMDUnit) -> true + ); + f_invert_ntt_at_layer_1_ + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) -> + Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_1_ simd_unit zeta0 zeta1); + f_invert_ntt_at_layer_2_pre = (fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) -> true); + f_invert_ntt_at_layer_2_post + = + (fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) (out: t_PortableSIMDUnit) -> true); + f_invert_ntt_at_layer_2_ + = + fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) -> + Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_2_ simd_unit zeta + } diff --git a/libcrux-ml-dsa/src/simd/avx2/vector_type.rs b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs new file mode 100644 index 000000000..2fb5d62dd --- /dev/null +++ b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs @@ -0,0 +1,25 @@ +#[derive(Clone, Copy)] +pub struct AVX2SIMDUnit { + pub(crate) coefficients: libcrux_intrinsics::avx2::Vec256, +} + +impl From for AVX2SIMDUnit { + fn from(coefficients: libcrux_intrinsics::avx2::Vec256) -> Self { + Self { coefficients } + } +} + +#[allow(non_snake_case)] +pub(crate) fn ZERO() -> AVX2SIMDUnit { + libcrux_intrinsics::avx2::mm256_setzero_si256().into() +} + +pub(crate) fn from_coefficient_array(coefficient_array: &[i32]) -> AVX2SIMDUnit { + libcrux_intrinsics::avx2::mm256_loadu_si256_i32(coefficient_array).into() +} + +pub(crate) fn to_coefficient_array(x: &AVX2SIMDUnit) -> [i32; 8] { + let mut coefficient_array = [0i32; 8]; + libcrux_intrinsics::avx2::mm256_storeu_si256_i32(&mut coefficient_array, x.coefficients); + coefficient_array +} \ No newline at end of file 
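Review bot: `from_coefficient_array` in the new `avx2/vector_type.rs` hands `coefficient_array` straight to `mm256_loadu_si256_i32` without checking that the slice holds at least 8 `i32`s, whereas the portable counterpart added in the next file fails loudly on a short slice via `array[0..8].try_into().unwrap()`. Unless the intrinsics wrapper checks the length itself (and a debug-only assertion would not cover release builds), a 256-bit load from an under-length slice reads past the slice, so the two backends disagree on exactly the input that matters for memory safety. Either add `debug_assert!(coefficient_array.len() >= 8);` as the first statement and state the precondition, or at minimum document it with `/// `coefficient_array` must hold at least 8 elements; only the first 8 are loaded.` The same precondition should then be stated on the portable version so both backends carry the same contract.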
diff --git a/libcrux-ml-dsa/src/simd/portable/vector_type.rs b/libcrux-ml-dsa/src/simd/portable/vector_type.rs
new file mode 100644
index 000000000..824453132
--- /dev/null
+++ b/libcrux-ml-dsa/src/simd/portable/vector_type.rs
@@ -0,0 +1,25 @@
+/// Values having this type hold a representative 'x' of the Kyber field.
+/// We use 'fe' as a shorthand for this type.
+pub(crate) type FieldElement = i32;
+
+#[derive(Clone, Copy)]
+pub struct PortableSIMDUnit {
+ pub(crate) coefficients: [FieldElement; super::COEFFICIENTS_IN_SIMD_UNIT],
+}
+
+#[allow(non_snake_case)]
+pub(crate) fn ZERO() -> PortableSIMDUnit {
+ PortableSIMDUnit {
+ coefficients: [0i32; super::COEFFICIENTS_IN_SIMD_UNIT],
+ }
+}
+
+pub(crate) fn from_coefficient_array(array: &[i32]) -> PortableSIMDUnit {
+ PortableSIMDUnit {
+ coefficients: array[0..8].try_into().unwrap(),
+ }
+}
+
+pub(crate) fn to_coefficient_array(x:&PortableSIMDUnit) -> [i32; 8] {
+ x.coefficients.try_into().unwrap()
+}
\ No newline at end of file
From c4e0ab685ded58d61be1ac8453abc18971179e3a Mon Sep 17 00:00:00 2001
From: Karthikeyan Bhargavan
Date: Thu, 17 Oct 2024 16:27:48 +0200
Subject: [PATCH 07/74] fixes to benches
---
 benchmarks/benches/kyber768.rs | 2 +-
 libcrux-ml-dsa/src/simd.rs | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/benchmarks/benches/kyber768.rs b/benchmarks/benches/kyber768.rs
index 2fec056a9..0341a881e 100644
--- a/benchmarks/benches/kyber768.rs
+++ b/benchmarks/benches/kyber768.rs
@@ -80,7 +80,7 @@ pub fn comparisons_pk_validation(c: &mut Criterion) {
 b.iter_batched(
 || libcrux_kem::deterministic::mlkem768_generate_keypair_derand(seed),
 |key_pair| {
- let _valid = libcrux_kem::ml_kem768_validate_public_key(key_pair.into_parts().1);
+ let _valid = libcrux_kem::ml_kem768_validate_public_key(&key_pair.into_parts().1);
 },
 BatchSize::SmallInput,
 )
diff --git a/libcrux-ml-dsa/src/simd.rs b/libcrux-ml-dsa/src/simd.rs
index 7228eefe2..653246a60 100644
--- a/libcrux-ml-dsa/src/simd.rs
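Review bot: The doc comment on `FieldElement` in the new `portable/vector_type.rs` says the value represents an element of the Kyber field, but this file lives in `libcrux-ml-dsa`, so the comment is carried over from the ML-KEM crate and misdescribes the type; change it to `/// Values having this type hold a representative 'x' of the ML-DSA field.` The struct sizes `coefficients` with `super::COEFFICIENTS_IN_SIMD_UNIT`, yet `from_coefficient_array` slices `array[0..8]` and `to_coefficient_array` returns `[i32; 8]`, so the constant and the literal can silently drift apart; use the constant in all three places. `to_coefficient_array` converts `[i32; 8]` into `[i32; 8]` through `try_into().unwrap()`, which is an identity conversion on a `Copy` array and reads more clearly as `x.coefficients`. `from_coefficient_array` panics on a slice shorter than 8 elements; that precondition deserves a line in its doc comment so callers do not learn it from the panic.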
+++ b/libcrux-ml-dsa/src/simd.rs
@@ -3,3 +3,7 @@
 pub(crate) mod avx2;
 pub(crate) mod portable;
 pub(crate) mod traits;
+
+#[cfg(test)]
+pub(crate) mod tests;
+
From 7a3dff18e4c475ac1007cebd3319f60fe5d565a7 Mon Sep 17 00:00:00 2001
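Review bot: The last added line in the `simd.rs` hunk is an empty line at end of file, which `rustfmt` strips and which will reappear as churn on the next formatting pass; drop it so the file ends with `pub(crate) mod tests;` followed by a single newline. `pub(crate)` on a `#[cfg(test)]` module is only needed if tests in another module name `crate::simd::tests`; if nothing does, plain `mod tests;` is the conventional form.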
From: Karthikeyan Bhargavan Date: Tue, 22 Oct 2024 09:26:28 +0200 Subject: [PATCH 08/74] after cycle bundling fix --- .../Libcrux_intrinsics.Avx2_extract.fsti | 2 +- .../extraction/Libcrux_ml_dsa.Arithmetic.fst | 69 +- .../extraction/Libcrux_ml_dsa.Arithmetic.fsti | 4 +- .../extraction/Libcrux_ml_dsa.Constants.fst | 46 - .../extraction/Libcrux_ml_dsa.Constants.fsti | 34 +- .../Libcrux_ml_dsa.Encoding.Commitment.fst | 38 +- .../Libcrux_ml_dsa.Encoding.Commitment.fsti | 4 +- .../Libcrux_ml_dsa.Encoding.Error.fst | 236 +- .../Libcrux_ml_dsa.Encoding.Error.fsti | 18 +- .../Libcrux_ml_dsa.Encoding.Gamma1.fst | 184 +- .../Libcrux_ml_dsa.Encoding.Gamma1.fsti | 18 +- .../Libcrux_ml_dsa.Encoding.Signature.fst | 93 +- .../Libcrux_ml_dsa.Encoding.Signing_key.fst | 184 +- .../Libcrux_ml_dsa.Encoding.Signing_key.fsti | 23 +- .../extraction/Libcrux_ml_dsa.Encoding.T0.fst | 115 +- .../Libcrux_ml_dsa.Encoding.T0.fsti | 14 +- .../extraction/Libcrux_ml_dsa.Encoding.T1.fst | 115 +- .../Libcrux_ml_dsa.Encoding.T1.fsti | 14 +- ...bcrux_ml_dsa.Encoding.Verification_key.fst | 150 +- ...crux_ml_dsa.Encoding.Verification_key.fsti | 18 +- .../Libcrux_ml_dsa.Hash_functions.Neon.fst | 555 --- .../Libcrux_ml_dsa.Hash_functions.Neon.fsti | 319 +- ...ibcrux_ml_dsa.Hash_functions.Portable.fsti | 325 +- ...Libcrux_ml_dsa.Hash_functions.Shake128.fst | 80 - ...ibcrux_ml_dsa.Hash_functions.Shake128.fsti | 44 +- ...Libcrux_ml_dsa.Hash_functions.Shake256.fst | 114 - ...ibcrux_ml_dsa.Hash_functions.Shake256.fsti | 24 +- ...Libcrux_ml_dsa.Hash_functions.Simd256.fsti | 249 +- .../extraction/Libcrux_ml_dsa.Matrix.fst | 6 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst | 77 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti | 30 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst | 77 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti | 30 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst | 78 +- .../Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti | 30 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst | 74 +- 
.../extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti | 62 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst | 77 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti | 30 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst | 77 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti | 30 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst | 78 +- .../Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti | 30 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst | 74 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti | 62 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst | 77 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti | 30 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst | 77 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti | 30 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst | 78 +- .../Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti | 30 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst | 74 +- .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti | 62 +- ...dsa.Ml_dsa_generic.Instantiations.Avx2.fst | 23 +- ...sa.Ml_dsa_generic.Instantiations.Avx2.fsti | 6 +- ...dsa.Ml_dsa_generic.Instantiations.Neon.fst | 25 +- ...sa.Ml_dsa_generic.Instantiations.Neon.fsti | 6 +- ...Ml_dsa_generic.Instantiations.Portable.fst | 23 +- ...l_dsa_generic.Instantiations.Portable.fsti | 6 +- ...rux_ml_dsa.Ml_dsa_generic.Multiplexing.fst | 6 +- ...ux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti | 6 +- .../Libcrux_ml_dsa.Ml_dsa_generic.fst | 400 +- .../Libcrux_ml_dsa.Ml_dsa_generic.fsti | 40 +- .../fstar/extraction/Libcrux_ml_dsa.Ntt.fst | 188 +- .../fstar/extraction/Libcrux_ml_dsa.Ntt.fsti | 166 +- .../extraction/Libcrux_ml_dsa.Polynomial.fst | 155 +- .../extraction/Libcrux_ml_dsa.Polynomial.fsti | 24 +- .../extraction/Libcrux_ml_dsa.Pre_hash.fst | 13 +- .../extraction/Libcrux_ml_dsa.Pre_hash.fsti | 87 +- .../extraction/Libcrux_ml_dsa.Sample.fst | 836 ++-- .../extraction/Libcrux_ml_dsa.Sample.fsti | 44 +- .../extraction/Libcrux_ml_dsa.Samplex4.fst | 1160 +++-- .../extraction/Libcrux_ml_dsa.Samplex4.fsti | 16 +- .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst | 96 +- 
...x_ml_dsa.Simd.Avx2.Encoding.Commitment.fst | 129 +- ...ibcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst | 199 +- ...bcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti | 10 +- ...bcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst | 196 +- ...crux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti | 18 +- .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst | 107 +- .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti | 5 +- .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst | 114 +- .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti | 5 +- .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fst | 386 +- .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti | 32 +- ...md.Avx2.Rejection_sample.Less_than_eta.fst | 40 +- ...jection_sample.Less_than_field_modulus.fst | 64 +- ...ection_sample.Less_than_field_modulus.fsti | 3 +- ...md.Avx2.Rejection_sample.Shuffle_table.fst | 122 +- ...d.Avx2.Rejection_sample.Shuffle_table.fsti | 137 +- .../Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst | 6 +- .../Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti | 2 +- .../extraction/Libcrux_ml_dsa.Simd.Avx2.fsti | 44 +- ...ibcrux_ml_dsa.Simd.Portable.Arithmetic.fst | 737 +--- ...bcrux_ml_dsa.Simd.Portable.Arithmetic.fsti | 96 - ..._dsa.Simd.Portable.Encoding.Commitment.fst | 44 +- ...ux_ml_dsa.Simd.Portable.Encoding.Error.fst | 434 +- ...x_ml_dsa.Simd.Portable.Encoding.Error.fsti | 49 - ...x_ml_dsa.Simd.Portable.Encoding.Gamma1.fst | 971 +--- ..._ml_dsa.Simd.Portable.Encoding.Gamma1.fsti | 61 - ...bcrux_ml_dsa.Simd.Portable.Encoding.T0.fst | 857 +--- ...crux_ml_dsa.Simd.Portable.Encoding.T0.fsti | 28 - ...bcrux_ml_dsa.Simd.Portable.Encoding.T1.fst | 238 +- ...crux_ml_dsa.Simd.Portable.Encoding.T1.fsti | 19 - .../Libcrux_ml_dsa.Simd.Portable.Ntt.fst | 1556 +------ .../Libcrux_ml_dsa.Simd.Portable.Ntt.fsti | 101 - ...dsa.Simd.Portable.Rec_bundle_437004224.fst | 3895 +++++++++++++++++ ...a.Simd.Portable.Rec_bundle_437004224.fsti} | 341 +- .../Libcrux_ml_dsa.Simd.Portable.Sample.fst | 70 +- ...bcrux_ml_dsa.Simd.Portable.Vector_type.fst | 32 +- ...crux_ml_dsa.Simd.Portable.Vector_type.fsti | 8 +- 
.../Libcrux_ml_dsa.Simd.Portable.fst | 356 +- .../Libcrux_ml_dsa.Simd.Traits.fsti | 185 +- .../fstar/extraction/Libcrux_ml_dsa.Types.fst | 16 +- .../extraction/Libcrux_ml_dsa.Types.fsti | 58 +- .../fstar/extraction/Libcrux_ml_dsa.Utils.fst | 6 +- .../proofs/fstar/extraction/dep.graph | 1223 +++--- 117 files changed, 8453 insertions(+), 12342 deletions(-) delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fst delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fst delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fsti delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fst rename libcrux-ml-dsa/proofs/fstar/extraction/{Libcrux_ml_dsa.Simd.Portable.fsti => Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fsti} (57%) diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti index 85b37b740..16d93fb14 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti 
+++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti @@ -126,7 +126,7 @@ include BitVec.Intrinsics {mm256_sllv_epi32} val mm256_srai_epi16 (v_SHIFT_BY: i32) (vector: t_Vec256) : Prims.Pure t_Vec256 - (requires v_SHIFT_BY >=. Rust_primitives.mk_i32 0 && v_SHIFT_BY <. Rust_primitives.mk_i32 16) + (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l) (ensures fun result -> let result:t_Vec256 = result in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst index 3abc0037c..4899b5510 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst @@ -35,7 +35,7 @@ let decompose_vector let vector_high, vector_low:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) v_DIMENSION (fun temp_0_ temp_1_ -> let vector_high, vector_low:(t_Array @@ -56,11 +56,9 @@ let decompose_vector temp_0_ in let i:usize = i in - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit - ((vector_low.[ Rust_primitives.mk_usize 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice v_SIMDUnit) + ((vector_low.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun temp_0_ temp_1_ -> @@ -111,7 +109,7 @@ let decompose_vector j low <: - t_Array v_SIMDUnit (Rust_primitives.mk_usize 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) 
@@ -134,7 +132,7 @@ let decompose_vector j high <: - t_Array v_SIMDUnit (Rust_primitives.mk_usize 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -245,7 +243,7 @@ let power2round_vector j t0_unit <: - t_Array v_SIMDUnit (Rust_primitives.mk_usize 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -265,7 +263,7 @@ let power2round_vector j t1_unit <: - t_Array v_SIMDUnit (Rust_primitives.mk_usize 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -321,7 +319,7 @@ let shift_left_then_reduce <: v_SIMDUnit) <: - t_Array v_SIMDUnit (Rust_primitives.mk_usize 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -335,7 +333,7 @@ let use_hint (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (hint: t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_DIMENSION) + (hint: t_Array (t_Array i32 (sz 256)) v_DIMENSION) (re_vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = @@ -346,7 +344,7 @@ let use_hint v_DIMENSION in let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) v_DIMENSION (fun result temp_1_ -> let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) 
@@ -365,11 +363,9 @@ let use_hint let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (hint.[ i ] <: t_Slice i32) in - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit - ((result.[ Rust_primitives.mk_usize 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice v_SIMDUnit) + ((result.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun result temp_1_ -> @@ -410,7 +406,7 @@ let use_hint <: v_SIMDUnit) <: - t_Array v_SIMDUnit (Rust_primitives.mk_usize 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) 
@@ -463,39 +459,28 @@ let make_hint Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (low high: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = - let hint:t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_DIMENSION = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_usize 256) - <: - t_Array i32 (Rust_primitives.mk_usize 256)) + let hint:t_Array (t_Array i32 (sz 256)) v_DIMENSION = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) v_DIMENSION in - let true_hints:usize = Rust_primitives.mk_usize 0 in - let hint, true_hints:(t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_DIMENSION & usize) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + let true_hints:usize = sz 0 in + let hint, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) v_DIMENSION (fun temp_0_ temp_1_ -> - let hint, true_hints:(t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_DIMENSION & - usize) = - temp_0_ - in + let hint, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) = temp_0_ in let _:usize = temp_1_ in true) - (hint, true_hints - <: - (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_DIMENSION & usize)) + (hint, true_hints <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize)) (fun temp_0_ i -> - let hint, true_hints:(t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_DIMENSION & - usize) = - temp_0_ - in + let hint, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) = temp_0_ in let i:usize = i in let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () in let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + 
Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: @@ -549,15 +534,13 @@ let make_hint <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) in - let hint:t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_DIMENSION = + let hint:t_Array (t_Array i32 (sz 256)) v_DIMENSION = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint i (Libcrux_ml_dsa.Polynomial.impl__to_i32_array #v_SIMDUnit hint_simd <: - t_Array i32 (Rust_primitives.mk_usize 256)) + t_Array i32 (sz 256)) in - hint, true_hints - <: - (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_DIMENSION & usize)) + hint, true_hints <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize)) in - hint, true_hints <: (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_DIMENSION & usize) + hint, true_hints <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti index 17f6f2d36..aa749b797 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti @@ -46,7 +46,7 @@ val use_hint (v_DIMENSION: usize) (v_GAMMA2: i32) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (hint: t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_DIMENSION) + (hint: t_Array (t_Array i32 (sz 256)) v_DIMENSION) (re_vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION ) : Prims.Pure 
@@ -68,6 +68,6 @@ val make_hint (v_GAMMA2: i32) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (low high: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) - : Prims.Pure (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_DIMENSION & usize) + : Prims.Pure (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst deleted file mode 100644 index 2837735e9..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fst +++ /dev/null 
@@ -1,46 +0,0 @@ -module Libcrux_ml_dsa.Constants -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul - -let v_BITS_IN_LOWER_PART_OF_T: usize = Rust_primitives.mk_usize 13 - -let v_BYTES_FOR_VERIFICATION_KEY_HASH: usize = Rust_primitives.mk_usize 64 - -let v_COEFFICIENTS_IN_RING_ELEMENT: usize = Rust_primitives.mk_usize 256 - -/// The length of `context` is serialized to a single `u8`. -let v_CONTEXT_MAX_LEN: usize = Rust_primitives.mk_usize 255 - -let v_FIELD_MODULUS: i32 = Rust_primitives.mk_i32 8380417 - -let v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH: usize = Rust_primitives.mk_usize 23 - -let v_BITS_IN_UPPER_PART_OF_T: usize = - v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! v_BITS_IN_LOWER_PART_OF_T - -/// Number of bytes of entropy required for key generation. -let v_KEY_GENERATION_RANDOMNESS_SIZE: usize = Rust_primitives.mk_usize 32 - -let v_MASK_SEED_SIZE: usize = Rust_primitives.mk_usize 64 - -let v_MESSAGE_REPRESENTATIVE_SIZE: usize = Rust_primitives.mk_usize 64 - -let v_REJECTION_SAMPLE_BOUND_SIGN: usize = Rust_primitives.mk_usize 814 - -let v_RING_ELEMENT_OF_T0S_SIZE: usize = - (v_BITS_IN_LOWER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - Rust_primitives.mk_usize 8 - -let v_RING_ELEMENT_OF_T1S_SIZE: usize = - (v_BITS_IN_UPPER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - Rust_primitives.mk_usize 8 - -let v_SEED_FOR_A_SIZE: usize = Rust_primitives.mk_usize 32 - -let v_SEED_FOR_ERROR_VECTORS_SIZE: usize = Rust_primitives.mk_usize 64 - -let v_SEED_FOR_SIGNING_SIZE: usize = Rust_primitives.mk_usize 32 - -/// Number of bytes of entropy required for signing. -let v_SIGNING_RANDOMNESS_SIZE: usize = Rust_primitives.mk_usize 32 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti index f0d48b7bc..6263c2610 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti 
@@ -3,44 +3,42 @@ module Libcrux_ml_dsa.Constants open Core open FStar.Mul -let v_BITS_IN_LOWER_PART_OF_T: usize = Rust_primitives.mk_usize 13 +let v_BITS_IN_LOWER_PART_OF_T: usize = sz 13 -let v_BYTES_FOR_VERIFICATION_KEY_HASH: usize = Rust_primitives.mk_usize 64 +let v_BYTES_FOR_VERIFICATION_KEY_HASH: usize = sz 64 -let v_COEFFICIENTS_IN_RING_ELEMENT: usize = Rust_primitives.mk_usize 256 +let v_COEFFICIENTS_IN_RING_ELEMENT: usize = sz 256 /// The length of `context` is serialized to a single `u8`. -let v_CONTEXT_MAX_LEN: usize = Rust_primitives.mk_usize 255 +let v_CONTEXT_MAX_LEN: usize = sz 255 -let v_FIELD_MODULUS: i32 = Rust_primitives.mk_i32 8380417 +let v_FIELD_MODULUS: i32 = 8380417l -let v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH: usize = Rust_primitives.mk_usize 23 +let v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH: usize = sz 23 let v_BITS_IN_UPPER_PART_OF_T: usize = v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! v_BITS_IN_LOWER_PART_OF_T /// Number of bytes of entropy required for key generation. -let v_KEY_GENERATION_RANDOMNESS_SIZE: usize = Rust_primitives.mk_usize 32 +let v_KEY_GENERATION_RANDOMNESS_SIZE: usize = sz 32 -let v_MASK_SEED_SIZE: usize = Rust_primitives.mk_usize 64 +let v_MASK_SEED_SIZE: usize = sz 64 -let v_MESSAGE_REPRESENTATIVE_SIZE: usize = Rust_primitives.mk_usize 64 +let v_MESSAGE_REPRESENTATIVE_SIZE: usize = sz 64 -let v_REJECTION_SAMPLE_BOUND_SIGN: usize = Rust_primitives.mk_usize 814 +let v_REJECTION_SAMPLE_BOUND_SIGN: usize = sz 814 let v_RING_ELEMENT_OF_T0S_SIZE: usize = - (v_BITS_IN_LOWER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - Rust_primitives.mk_usize 8 + (v_BITS_IN_LOWER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 let v_RING_ELEMENT_OF_T1S_SIZE: usize = - (v_BITS_IN_UPPER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - Rust_primitives.mk_usize 8 + (v_BITS_IN_UPPER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! 
sz 8 -let v_SEED_FOR_A_SIZE: usize = Rust_primitives.mk_usize 32 +let v_SEED_FOR_A_SIZE: usize = sz 32 -let v_SEED_FOR_ERROR_VECTORS_SIZE: usize = Rust_primitives.mk_usize 64 +let v_SEED_FOR_ERROR_VECTORS_SIZE: usize = sz 64 -let v_SEED_FOR_SIGNING_SIZE: usize = Rust_primitives.mk_usize 32 +let v_SEED_FOR_SIGNING_SIZE: usize = sz 32 /// Number of bytes of entropy required for signing. -let v_SIGNING_RANDOMNESS_SIZE: usize = Rust_primitives.mk_usize 32 +let v_SIGNING_RANDOMNESS_SIZE: usize = sz 32 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst index 0474a942c..8634dfbe9 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst @@ -17,11 +17,9 @@ let serialize Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_SIZE - in + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in match cast (v_OUTPUT_SIZE <: usize) <: u8 with - | 128 -> + | 128uy -> let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: @@ -39,10 +37,7 @@ let serialize Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; Core.Ops.Range.f_end = - (i +! Rust_primitives.mk_usize 1 <: usize) *! - serialize__OUTPUT_BYTES_PER_SIMD_UNIT - <: - usize + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize } <: Core.Ops.Range.t_Range usize) 
@@ -51,10 +46,7 @@ let serialize Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; Core.Ops.Range.f_end = - (i +! Rust_primitives.mk_usize 1 <: usize) *! - serialize__OUTPUT_BYTES_PER_SIMD_UNIT - <: - usize + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize } <: Core.Ops.Range.t_Range usize ] @@ -62,7 +54,7 @@ let serialize t_Slice u8) (Libcrux_ml_dsa.Simd.Traits.f_commitment_serialize #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - (Rust_primitives.mk_usize 4) + (sz 4) simd_unit <: t_Slice u8) @@ -72,7 +64,7 @@ let serialize t_Array u8 v_OUTPUT_SIZE) in serialized - | 192 -> + | 192uy -> let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: @@ -90,10 +82,7 @@ let serialize Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; Core.Ops.Range.f_end = - (i +! Rust_primitives.mk_usize 1 <: usize) *! - serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 - <: - usize + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize } <: Core.Ops.Range.t_Range usize) @@ -104,10 +93,7 @@ let serialize i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; Core.Ops.Range.f_end = - (i +! Rust_primitives.mk_usize 1 <: usize) *! - serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 - <: - usize + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize } <: Core.Ops.Range.t_Range usize ] @@ -115,7 +101,7 @@ let serialize t_Slice u8) (Libcrux_ml_dsa.Simd.Traits.f_commitment_serialize #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - (Rust_primitives.mk_usize 6) + (sz 6) simd_unit <: t_Slice u8) 
@@ -139,10 +125,8 @@ let serialize_vector Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_SIZE - in - let (offset: usize):usize = Rust_primitives.mk_usize 0 in + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let (offset: usize):usize = sz 0 in let offset, serialized:(usize & t_Array u8 v_OUTPUT_SIZE) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti index cde34c804..0becaf037 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti @@ -9,9 +9,9 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = Rust_primitives.mk_usize 4 +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 4 -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = Rust_primitives.mk_usize 6 +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 6 val serialize (#v_SIMDUnit: Type0) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst index 3cc36259d..84a413aa5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst 
@@ -9,128 +9,6 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize - (#v_SIMDUnit: Type0) - (v_ETA v_OUTPUT_SIZE: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - = - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_SIZE - in - match cast (v_ETA <: usize) <: u8 with - | 2 -> - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice v_SIMDUnit) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! Rust_primitives.mk_usize 1 <: usize) *! - serialize__OUTPUT_BYTES_PER_SIMD_UNIT - <: - usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! Rust_primitives.mk_usize 1 <: usize) *! 
- serialize__OUTPUT_BYTES_PER_SIMD_UNIT - <: - usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Rust_primitives.mk_usize 3) - simd_unit - <: - t_Slice u8) - <: - t_Slice u8) - <: - t_Array u8 v_OUTPUT_SIZE) - in - serialized - | 4 -> - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice v_SIMDUnit) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; - Core.Ops.Range.f_end - = - (i +! Rust_primitives.mk_usize 1 <: usize) *! - serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 - <: - usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start - = - i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; - Core.Ops.Range.f_end - = - (i +! Rust_primitives.mk_usize 1 <: usize) *! - serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 - <: - usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (Rust_primitives.mk_usize 4) - simd_unit - <: - t_Slice u8) - <: - t_Slice u8) - <: - t_Array u8 v_OUTPUT_SIZE) - in - serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - let deserialize (#v_SIMDUnit: Type0) (v_ETA: usize) 
@@ -141,8 +19,8 @@ let deserialize = let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = match cast (v_ETA <: usize) <: u8 with - | 2 -> Core.Slice.impl__chunks #u8 serialized (Rust_primitives.mk_usize 3) - | 4 -> Core.Slice.impl__chunks #u8 serialized (Rust_primitives.mk_usize 4) + | 2uy -> Core.Slice.impl__chunks #u8 serialized (sz 3) + | 4uy -> Core.Slice.impl__chunks #u8 serialized (sz 4) | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" @@ -154,7 +32,7 @@ let deserialize in let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: 
@@ -255,3 +133,111 @@ let deserialize_to_vector_then_ntt t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) in ring_elements + +let serialize + (#v_SIMDUnit: Type0) + (v_ETA v_OUTPUT_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + match cast (v_ETA <: usize) <: u8 with + | 2uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 3) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_SIZE) + in + serialized + | 4uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start + = + i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 4) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_SIZE) + in + serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti index af124508e..199d62d48 100644 
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti @@ -9,16 +9,9 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = Rust_primitives.mk_usize 3 +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 3 -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = Rust_primitives.mk_usize 4 - -val serialize - (#v_SIMDUnit: Type0) - (v_ETA v_OUTPUT_SIZE: usize) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 4 val deserialize (#v_SIMDUnit: Type0) @@ -38,3 +31,10 @@ val deserialize_to_vector_then_ntt (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) Prims.l_True (fun _ -> Prims.l_True) + +val serialize + (#v_SIMDUnit: Type0) + (v_ETA v_OUTPUT_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst index 97c3946ad..470cf8ab6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst 
@@ -9,6 +9,82 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let deserialize + (#v_SIMDUnit: Type0) + (v_GAMMA1_EXPONENT: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> Core.Slice.impl__chunks #u8 serialized (sz 18) + | 19uy -> Core.Slice.impl__chunks #u8 serialized (sz 20) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (result, serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) + ) + (fun temp_0_ i -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let i:usize = i in + let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = + Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + serialized_chunks + in + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in + ({ + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_gamma1_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_GAMMA1_EXPONENT + (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), + serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8)) + in + result + let serialize (#v_SIMDUnit: Type0) (v_GAMMA1_EXPONENT v_OUTPUT_BYTES: usize) @@ -17,11 +93,9 @@ let serialize Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let serialized:t_Array u8 v_OUTPUT_BYTES = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_BYTES - in + let serialized:t_Array u8 v_OUTPUT_BYTES = Rust_primitives.Hax.repeat 0uy v_OUTPUT_BYTES in match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with - | 17 -> + | 17uy -> let serialized:t_Array u8 v_OUTPUT_BYTES = Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: @@ -39,10 +113,7 @@ let serialize Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; Core.Ops.Range.f_end = - (i +! Rust_primitives.mk_usize 1 <: usize) *! - serialize__OUTPUT_BYTES_PER_SIMD_UNIT - <: - usize + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize } <: Core.Ops.Range.t_Range usize) @@ -51,10 +122,7 @@ let serialize Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; Core.Ops.Range.f_end = - (i +! Rust_primitives.mk_usize 1 <: usize) *! - serialize__OUTPUT_BYTES_PER_SIMD_UNIT - <: - usize + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize } <: Core.Ops.Range.t_Range usize ] 
@@ -62,7 +130,7 @@ let serialize t_Slice u8) (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - (Rust_primitives.mk_usize 18) + (sz 18) simd_unit <: t_Slice u8) @@ -72,7 +140,7 @@ let serialize t_Array u8 v_OUTPUT_BYTES) in serialized - | 19 -> + | 19uy -> let serialized:t_Array u8 v_OUTPUT_BYTES = Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: @@ -90,10 +158,7 @@ let serialize Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; Core.Ops.Range.f_end = - (i +! Rust_primitives.mk_usize 1 <: usize) *! - serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 - <: - usize + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize } <: Core.Ops.Range.t_Range usize) @@ -104,10 +169,7 @@ let serialize i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; Core.Ops.Range.f_end = - (i +! Rust_primitives.mk_usize 1 <: usize) *! - serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 - <: - usize + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize } <: Core.Ops.Range.t_Range usize ] @@ -115,7 +177,7 @@ let serialize t_Slice u8) (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - (Rust_primitives.mk_usize 20) + (sz 20) simd_unit <: t_Slice u8) 
@@ -130,79 +192,3 @@ let serialize <: Rust_primitives.Hax.t_Never) - -let deserialize - (#v_SIMDUnit: Type0) - (v_GAMMA1_EXPONENT: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (serialized: t_Slice u8) - = - let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = - match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with - | 17 -> Core.Slice.impl__chunks #u8 serialized (Rust_primitives.mk_usize 18) - | 19 -> Core.Slice.impl__chunks #u8 serialized (Rust_primitives.mk_usize 20) - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - in - let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - in - let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #v_SIMDUnit - (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement - v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (result, serialized_chunks - <: - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) - ) - (fun temp_0_ i -> - let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement - v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8) = - temp_0_ - in - let i:usize = i in - let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = - Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) - #FStar.Tactics.Typeclasses.solve - serialized_chunks - in - let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in - ({ - result with - 
Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - .Libcrux_ml_dsa.Polynomial.f_simd_units - i - (Libcrux_ml_dsa.Simd.Traits.f_gamma1_deserialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - v_GAMMA1_EXPONENT - (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), - serialized_chunks - <: - (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - Core.Slice.Iter.t_Chunks u8)) - in - result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti index e29d4b782..c6b16420b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti @@ -9,16 +9,9 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = Rust_primitives.mk_usize 18 +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 18 -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = Rust_primitives.mk_usize 20 - -val serialize - (#v_SIMDUnit: Type0) - (v_GAMMA1_EXPONENT v_OUTPUT_BYTES: usize) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_BYTES) Prims.l_True (fun _ -> Prims.l_True) +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 20 val deserialize (#v_SIMDUnit: Type0) 
@@ -28,3 +21,10 @@ val deserialize : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val serialize + (#v_SIMDUnit: Type0) + (v_GAMMA1_EXPONENT v_OUTPUT_BYTES: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_BYTES) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst index 301e92d69..974a66ac7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst @@ -35,7 +35,7 @@ let impl__deserialize in let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) v_COLUMNS_IN_A (fun signer_response temp_1_ -> let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -59,9 +59,7 @@ let impl__deserialize Core.Ops.Range.f_start = i *! v_GAMMA1_RING_ELEMENT_SIZE <: usize; Core.Ops.Range.f_end = - (i +! Rust_primitives.mk_usize 1 <: usize) *! v_GAMMA1_RING_ELEMENT_SIZE - <: - usize + (i +! sz 1 <: usize) *! v_GAMMA1_RING_ELEMENT_SIZE <: usize } <: Core.Ops.Range.t_Range usize ] 
@@ -72,24 +70,20 @@ let impl__deserialize <: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) in - let hint:t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_usize 256) - <: - t_Array i32 (Rust_primitives.mk_usize 256)) + let hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) v_ROWS_IN_A in - let previous_true_hints_seen:usize = Rust_primitives.mk_usize 0 in - let i:usize = Rust_primitives.mk_usize 0 in + let previous_true_hints_seen:usize = sz 0 in + let i:usize = sz 0 in let malformed_hint:bool = false in - let hint, i, malformed_hint, previous_true_hints_seen:(t_Array - (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A & + let hint, i, malformed_hint, previous_true_hints_seen:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize) = Rust_primitives.f_while_loop (fun temp_0_ -> - let hint, i, malformed_hint, previous_true_hints_seen:(t_Array - (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A & + let hint, i, malformed_hint, previous_true_hints_seen:(t_Array (t_Array i32 (sz 256)) + v_ROWS_IN_A & usize & bool & usize) = @@ -98,10 +92,10 @@ let impl__deserialize (i <. v_ROWS_IN_A <: bool) && (~.malformed_hint <: bool)) (hint, i, malformed_hint, previous_true_hints_seen <: - (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A & usize & bool & usize)) + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize)) (fun temp_0_ -> - let hint, i, malformed_hint, previous_true_hints_seen:(t_Array - (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A & + let hint, i, malformed_hint, previous_true_hints_seen:(t_Array (t_Array i32 (sz 256)) + v_ROWS_IN_A & usize & bool & usize) = 
@@ -120,25 +114,18 @@ let impl__deserialize else malformed_hint in let j:usize = previous_true_hints_seen in - let hint, j, malformed_hint:(t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) - v_ROWS_IN_A & - usize & - bool) = + let hint, j, malformed_hint:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool) = Rust_primitives.f_while_loop (fun temp_0_ -> - let hint, j, malformed_hint:(t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) - v_ROWS_IN_A & - usize & + let hint, j, malformed_hint:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool) = temp_0_ in (~.malformed_hint <: bool) && (j <. current_true_hints_seen <: bool)) (hint, j, malformed_hint <: - (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A & usize & bool)) + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool)) (fun temp_0_ -> - let hint, j, malformed_hint:(t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) - v_ROWS_IN_A & - usize & + let hint, j, malformed_hint:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool) = temp_0_ in @@ -146,7 +133,7 @@ let impl__deserialize if j >. previous_true_hints_seen && (hint_serialized.[ j ] <: u8) <=. - (hint_serialized.[ j -! Rust_primitives.mk_usize 1 <: usize ] <: u8) + (hint_serialized.[ j -! sz 1 <: usize ] <: u8) then let malformed_hint:bool = true in malformed_hint 
@@ -154,41 +141,37 @@ let impl__deserialize in if ~.malformed_hint then - let hint:t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A = + let hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint i (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (hint.[ i ] <: - t_Array i32 (Rust_primitives.mk_usize 256)) + t_Array i32 (sz 256)) (cast (hint_serialized.[ j ] <: u8) <: usize) - (Rust_primitives.mk_i32 1) + 1l <: - t_Array i32 (Rust_primitives.mk_usize 256)) + t_Array i32 (sz 256)) in - let j:usize = j +! Rust_primitives.mk_usize 1 in + let j:usize = j +! sz 1 in hint, j, malformed_hint <: - (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A & usize & bool - ) + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool) else hint, j, malformed_hint <: - (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A & usize & bool - )) + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool)) in if ~.malformed_hint then let previous_true_hints_seen:usize = current_true_hints_seen in - let i:usize = i +! Rust_primitives.mk_usize 1 in + let i:usize = i +! sz 1 in hint, i, malformed_hint, previous_true_hints_seen <: - (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A & usize & bool & usize - ) + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize) else hint, i, malformed_hint, previous_true_hints_seen <: - (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A & usize & bool & usize - )) + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize)) in let i:usize = previous_true_hints_seen in let i, malformed_hint:(usize & bool) = 
@@ -199,13 +182,13 @@ let impl__deserialize (fun temp_0_ -> let i, malformed_hint:(usize & bool) = temp_0_ in let malformed_hint:bool = - if (hint_serialized.[ i ] <: u8) <>. Rust_primitives.mk_u8 0 + if (hint_serialized.[ i ] <: u8) <>. 0uy then let malformed_hint:bool = true in malformed_hint else malformed_hint in - let i:usize = i +! Rust_primitives.mk_usize 1 in + let i:usize = i +! sz 1 in i, malformed_hint <: (usize & bool)) in if malformed_hint @@ -254,10 +237,8 @@ let impl__serialize v_COLUMNS_IN_A v_ROWS_IN_A) = - let signature:t_Array u8 v_SIGNATURE_SIZE = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_SIGNATURE_SIZE - in - let offset:usize = Rust_primitives.mk_usize 0 in + let signature:t_Array u8 v_SIGNATURE_SIZE = Rust_primitives.Hax.repeat 0uy v_SIGNATURE_SIZE in + let offset:usize = sz 0 in let signature:t_Array u8 v_SIGNATURE_SIZE = Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature ({ @@ -281,7 +262,7 @@ let impl__serialize in let offset:usize = offset +! v_COMMITMENT_HASH_SIZE in let offset, signature:(usize & t_Array u8 v_SIGNATURE_SIZE) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) v_COLUMNS_IN_A (fun temp_0_ temp_1_ -> let offset, signature:(usize & t_Array u8 v_SIGNATURE_SIZE) = temp_0_ in @@ -322,9 +303,9 @@ let impl__serialize let offset:usize = offset +! v_GAMMA1_RING_ELEMENT_SIZE in offset, signature <: (usize & t_Array u8 v_SIGNATURE_SIZE)) in - let true_hints_seen:usize = Rust_primitives.mk_usize 0 in + let true_hints_seen:usize = sz 0 in let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) v_ROWS_IN_A (fun temp_0_ temp_1_ -> let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in 
@@ -337,7 +318,7 @@ let impl__serialize let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = Rust_primitives.Hax.Folds.fold_enumerated_slice (self.Libcrux_ml_dsa.Types.f_hint.[ i ] <: - t_Array i32 (Rust_primitives.mk_usize 256)) + t_Array i32 (sz 256)) (fun temp_0_ temp_1_ -> let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in let _:usize = temp_1_ in @@ -346,14 +327,14 @@ let impl__serialize (fun temp_0_ temp_1_ -> let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in let j, hint:(usize & i32) = temp_1_ in - if hint =. Rust_primitives.mk_i32 1 <: bool + if hint =. 1l <: bool then let signature:t_Array u8 v_SIGNATURE_SIZE = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature (offset +! true_hints_seen <: usize) (cast (j <: usize) <: u8) in - let true_hints_seen:usize = true_hints_seen +! Rust_primitives.mk_usize 1 in + let true_hints_seen:usize = true_hints_seen +! sz 1 in signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize) else signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst index faed8897f..1394c5939 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst 
@@ -10,6 +10,90 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let deserialize_then_ntt + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Array u8 v_SIGNING_KEY_SIZE) + = + let seed_for_A, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (serialized <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + in + let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + in + let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! v_COLUMNS_IN_A <: usize) + in + let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! 
v_ROWS_IN_A <: usize) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + s1_serialized + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + v_ROWS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + s2_serialized + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit v_ROWS_IN_A t0_serialized + in + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_A + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError), + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_signing + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError), + Core.Result.impl__unwrap #(t_Array u8 (sz 64)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 64)) + #FStar.Tactics.Typeclasses.solve + verification_key_hash + <: + Core.Result.t_Result (t_Array u8 (sz 64)) Core.Array.t_TryFromSliceError), + s1_as_ntt, + s2_as_ntt, + t0_as_ntt + <: + (t_Array u8 (sz 32) & t_Array u8 (sz 32) & t_Array u8 (sz 64) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + let generate_serialized (#v_SIMDUnit 
#v_Shake256: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) @@ -24,9 +108,9 @@ let generate_serialized (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_SIGNING_KEY_SIZE + Rust_primitives.Hax.repeat 0uy v_SIGNING_KEY_SIZE in - let offset:usize = Rust_primitives.mk_usize 0 in + let offset:usize = sz 0 in let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized ({ @@ -73,13 +157,11 @@ let generate_serialized t_Slice u8) in let offset:usize = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE in - let verification_key_hash:t_Array u8 (Rust_primitives.mk_usize 64) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 64) - in - let verification_key_hash:t_Array u8 (Rust_primitives.mk_usize 64) = + let verification_key_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let verification_key_hash:t_Array u8 (sz 64) = Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 #FStar.Tactics.Typeclasses.solve - (Rust_primitives.mk_usize 64) + (sz 64) verification_key verification_key_hash in 
@@ -244,91 +326,3 @@ let generate_serialized offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) in signing_key_serialized - -let deserialize_then_ntt - (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (serialized: t_Array u8 v_SIGNING_KEY_SIZE) - = - let seed_for_A, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (serialized <: t_Slice u8) - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE - in - let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE - in - let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH - in - let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - (v_ERROR_RING_ELEMENT_SIZE *! v_COLUMNS_IN_A <: usize) - in - let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - remaining_serialized - (v_ERROR_RING_ELEMENT_SIZE *! 
v_ROWS_IN_A <: usize) - in - let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_COLUMNS_IN_A = - Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit - v_COLUMNS_IN_A - v_ETA - v_ERROR_RING_ELEMENT_SIZE - s1_serialized - in - let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit - v_ROWS_IN_A - v_ETA - v_ERROR_RING_ELEMENT_SIZE - s2_serialized - in - let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit v_ROWS_IN_A t0_serialized - in - Core.Result.impl__unwrap #(t_Array u8 (Rust_primitives.mk_usize 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (Rust_primitives.mk_usize 32)) - #FStar.Tactics.Typeclasses.solve - seed_for_A - <: - Core.Result.t_Result (t_Array u8 (Rust_primitives.mk_usize 32)) Core.Array.t_TryFromSliceError - ), - Core.Result.impl__unwrap #(t_Array u8 (Rust_primitives.mk_usize 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (Rust_primitives.mk_usize 32)) - #FStar.Tactics.Typeclasses.solve - seed_for_signing - <: - Core.Result.t_Result (t_Array u8 (Rust_primitives.mk_usize 32)) Core.Array.t_TryFromSliceError - ), - Core.Result.impl__unwrap #(t_Array u8 (Rust_primitives.mk_usize 64)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (Rust_primitives.mk_usize 64)) - #FStar.Tactics.Typeclasses.solve - verification_key_hash - <: - Core.Result.t_Result (t_Array u8 (Rust_primitives.mk_usize 64)) Core.Array.t_TryFromSliceError - ), - s1_as_ntt, - s2_as_ntt, - t0_as_ntt - <: - (t_Array u8 (Rust_primitives.mk_usize 32) & t_Array u8 (Rust_primitives.mk_usize 32) & - t_Array u8 (Rust_primitives.mk_usize 64) & - t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti index 42b146b91..b8a8f2d90 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti 
@@ -10,26 +10,25 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -val generate_serialized - (#v_SIMDUnit #v_Shake256: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} - (seed_for_A seed_for_signing verification_key: t_Slice u8) - (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) - : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) - val deserialize_then_ntt (#v_SIMDUnit: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (serialized: t_Array u8 v_SIGNING_KEY_SIZE) : Prims.Pure - (t_Array u8 (Rust_primitives.mk_usize 32) & t_Array u8 (Rust_primitives.mk_usize 32) & - t_Array u8 (Rust_primitives.mk_usize 64) & + (t_Array u8 (sz 32) & t_Array u8 (sz 32) & t_Array u8 (sz 64) & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val generate_serialized + (#v_SIMDUnit #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (seed_for_A seed_for_signing verification_key: t_Slice u8) + (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + : Prims.Pure (t_Array u8 
v_SIGNING_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst index 69d5736a2..b1193d6cd 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst 
@@ -9,65 +9,6 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - = - let serialized:t_Array u8 (Rust_primitives.mk_usize 416) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 416) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 416) = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice v_SIMDUnit) - (fun serialized temp_1_ -> - let serialized:t_Array u8 (Rust_primitives.mk_usize 416) = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 (Rust_primitives.mk_usize 416) = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! Rust_primitives.mk_usize 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT - <: - usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! Rust_primitives.mk_usize 1 <: usize) *! - serialize__OUTPUT_BYTES_PER_SIMD_UNIT - <: - usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (Libcrux_ml_dsa.Simd.Traits.f_t0_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - simd_unit - <: - t_Slice u8) - <: - t_Slice u8) - <: - t_Array u8 (Rust_primitives.mk_usize 416)) - in - serialized - let deserialize (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -76,14 +17,14 @@ let deserialize (serialized: t_Slice u8) = let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = - Core.Slice.impl__chunks #u8 serialized (Rust_primitives.mk_usize 13) + Core.Slice.impl__chunks #u8 serialized (sz 13) in let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () in let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: 
@@ -185,3 +126,55 @@ let deserialize_to_vector_then_ntt t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) in ring_elements + +let serialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 (sz 416) = Rust_primitives.Hax.repeat 0uy (sz 416) in + let serialized:t_Array u8 (sz 416) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 416) = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 416) = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_t0_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 (sz 416)) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti index aeed36259..3969d9d7c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti @@ -9,13 +9,7 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = Rust_primitives.mk_usize 13 - -val serialize - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (t_Array u8 (Rust_primitives.mk_usize 416)) Prims.l_True (fun _ -> Prims.l_True) +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 13 val deserialize (#v_SIMDUnit: Type0) @@ -34,3 +28,9 @@ val deserialize_to_vector_then_ntt (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) Prims.l_True (fun _ -> Prims.l_True) + +val serialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 (sz 416)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst index 801629612..6a59315c3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst 
@@ -9,65 +9,6 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - = - let serialized:t_Array u8 (Rust_primitives.mk_usize 320) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 320) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 320) = - Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units - <: - t_Slice v_SIMDUnit) - (fun serialized temp_1_ -> - let serialized:t_Array u8 (Rust_primitives.mk_usize 320) = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 (Rust_primitives.mk_usize 320) = serialized in - let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! Rust_primitives.mk_usize 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT - <: - usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; - Core.Ops.Range.f_end - = - (i +! Rust_primitives.mk_usize 1 <: usize) *! - serialize__OUTPUT_BYTES_PER_SIMD_UNIT - <: - usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (Libcrux_ml_dsa.Simd.Traits.f_t1_serialize #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - simd_unit - <: - t_Slice u8) - <: - t_Slice u8) - <: - t_Array u8 (Rust_primitives.mk_usize 320)) - in - serialized - let deserialize (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -76,14 +17,14 @@ let deserialize (serialized: t_Slice u8) = let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = - Core.Slice.impl__chunks #u8 serialized (Rust_primitives.mk_usize 10) + Core.Slice.impl__chunks #u8 serialized (sz 10) in let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () in let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: 
@@ -134,3 +75,55 @@ let deserialize Core.Slice.Iter.t_Chunks u8)) in result + +let serialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 (sz 320) = Rust_primitives.Hax.repeat 0uy (sz 320) in + let serialized:t_Array u8 (sz 320) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 320) = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 320) = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_t1_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 (sz 320)) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti index c46b9fe4f..f05c66a13 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti 
@@ -9,13 +9,7 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = Rust_primitives.mk_usize 10 - -val serialize - (#v_SIMDUnit: Type0) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (t_Array u8 (Rust_primitives.mk_usize 320)) Prims.l_True (fun _ -> Prims.l_True) +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 10 val deserialize (#v_SIMDUnit: Type0) @@ -24,3 +18,9 @@ val deserialize : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val serialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 (sz 320)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst index a7171dbe8..94a614a45 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst 
@@ -9,6 +9,77 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let deserialize + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + = + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let seed_for_A, serialized_remaining:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (serialized <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_ROWS_IN_A + (fun t1 temp_1_ -> + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A + = + t1 + in + let _:usize = temp_1_ in + true) + t1 + (fun t1 i -> + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A + = + t1 + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 + i + (Libcrux_ml_dsa.Encoding.T1.deserialize #v_SIMDUnit + (serialized_remaining.[ { + Core.Ops.Range.f_start + = + i *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE + <: + usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + in + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_A + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError), + t1 + <: + (t_Array u8 (sz 32) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + let generate_serialized (#v_SIMDUnit: Type0) (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) @@ -19,19 +90,19 @@ let generate_serialized (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_VERIFICATION_KEY_SIZE + Rust_primitives.Hax.repeat 0uy v_VERIFICATION_KEY_SIZE in let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = Rust_primitives.Hax.Monomorphized_update_at.update_at_range verification_key_serialized ({ - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; + Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE } <: Core.Ops.Range.t_Range usize) (Core.Slice.impl__copy_from_slice #u8 (verification_key_serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; + Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE } <: 
@@ -93,76 +164,3 @@ let generate_serialized verification_key_serialized) in verification_key_serialized - -let deserialize - (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) - = - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - v_ROWS_IN_A - in - let seed_for_A, serialized_remaining:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (serialized <: t_Slice u8) - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE - in - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - v_ROWS_IN_A - (fun t1 temp_1_ -> - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A - = - t1 - in - let _:usize = temp_1_ in - true) - t1 - (fun t1 i -> - let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A - = - t1 - in - let i:usize = i in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 - i - (Libcrux_ml_dsa.Encoding.T1.deserialize #v_SIMDUnit - (serialized_remaining.[ { - Core.Ops.Range.f_start - = - i *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize; - Core.Ops.Range.f_end - = - (i +! Rust_primitives.mk_usize 1 <: usize) *! 
- Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE - <: - usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - <: - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) - in - Core.Result.impl__unwrap #(t_Array u8 (Rust_primitives.mk_usize 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (Rust_primitives.mk_usize 32)) - #FStar.Tactics.Typeclasses.solve - seed_for_A - <: - Core.Result.t_Result (t_Array u8 (Rust_primitives.mk_usize 32)) Core.Array.t_TryFromSliceError - ), - t1 - <: - (t_Array u8 (Rust_primitives.mk_usize 32) & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti index 15eee61fe..59e60a0ee 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti 
@@ -9,21 +9,21 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -val generate_serialized - (#v_SIMDUnit: Type0) - (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) - {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (seed_for_A: t_Slice u8) - (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) - : Prims.Pure (t_Array u8 v_VERIFICATION_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) - val deserialize (#v_SIMDUnit: Type0) (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) : Prims.Pure - (t_Array u8 (Rust_primitives.mk_usize 32) & + (t_Array u8 (sz 32) & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val generate_serialized + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (seed_for_A: t_Slice u8) + (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + : Prims.Pure (t_Array u8 v_VERIFICATION_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst deleted file mode 100644 index f993463d8..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fst +++ /dev/null 
@@ -1,555 +0,0 @@ -module Libcrux_ml_dsa.Hash_functions.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul - -type t_Shake128x4 = { - f_state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (Rust_primitives.mk_usize 2) -} - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = - { - f_init_absorb_pre - = - (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true - ); - f_init_absorb_post - = - (fun - (input0: t_Slice u8) - (input1: t_Slice u8) - (input2: t_Slice u8) - (input3: t_Slice u8) - (out: t_Shake128x4) - -> - true); - f_init_absorb - = - (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState - (Rust_primitives.mk_usize 2) = - let list = - [Libcrux_sha3.Neon.X2.Incremental.init (); Libcrux_sha3.Neon.X2.Incremental.init ()] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list - in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState - (Rust_primitives.mk_usize 2) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state - (Rust_primitives.mk_usize 0) - (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ Rust_primitives.mk_usize - 0 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - input0 - input1 - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState - (Rust_primitives.mk_usize 2) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state - (Rust_primitives.mk_usize 1) - (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ Rust_primitives.mk_usize - 1 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - input2 - input3 - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - in - { f_state = state } <: 
t_Shake128x4); - f_squeeze_first_five_blocks_pre - = - (fun - (self: t_Shake128x4) - (out0: t_Array u8 (Rust_primitives.mk_usize 840)) - (out1: t_Array u8 (Rust_primitives.mk_usize 840)) - (out2: t_Array u8 (Rust_primitives.mk_usize 840)) - (out3: t_Array u8 (Rust_primitives.mk_usize 840)) - -> - true); - f_squeeze_first_five_blocks_post - = - (fun - (self: t_Shake128x4) - (out0: t_Array u8 (Rust_primitives.mk_usize 840)) - (out1: t_Array u8 (Rust_primitives.mk_usize 840)) - (out2: t_Array u8 (Rust_primitives.mk_usize 840)) - (out3: t_Array u8 (Rust_primitives.mk_usize 840)) - (out4: - (t_Shake128x4 & t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840))) - -> - true); - f_squeeze_first_five_blocks - = - (fun - (self: t_Shake128x4) - (out0: t_Array u8 (Rust_primitives.mk_usize 840)) - (out1: t_Array u8 (Rust_primitives.mk_usize 840)) - (out2: t_Array u8 (Rust_primitives.mk_usize 840)) - (out3: t_Array u8 (Rust_primitives.mk_usize 840)) - -> - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840)) = - Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_five_blocks (self.f_state.[ Rust_primitives.mk_usize - 0 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out0 - out1 - in - let self:t_Shake128x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 0) - tmp0 - } - <: - t_Shake128x4 - in - let out0:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in - let out1:t_Array u8 (Rust_primitives.mk_usize 840) = tmp2 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840)) = - 
Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_five_blocks (self.f_state.[ Rust_primitives.mk_usize - 1 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out2 - out3 - in - let self:t_Shake128x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 1) - tmp0 - } - <: - t_Shake128x4 - in - let out2:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in - let out3:t_Array u8 (Rust_primitives.mk_usize 840) = tmp2 in - let _:Prims.unit = () in - self, out0, out1, out2, out3 - <: - (t_Shake128x4 & t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840))); - f_squeeze_next_block_pre = (fun (self: t_Shake128x4) -> true); - f_squeeze_next_block_post - = - (fun - (self: t_Shake128x4) - (out4: - (t_Shake128x4 & - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)))) - -> - true); - f_squeeze_next_block - = - fun (self: t_Shake128x4) -> - let out0:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let out1:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let out2:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let out3:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) = - Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block 
(self.f_state.[ Rust_primitives.mk_usize - 0 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out0 - out1 - in - let self:t_Shake128x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 0) - tmp0 - } - <: - t_Shake128x4 - in - let out0:t_Array u8 (Rust_primitives.mk_usize 168) = tmp1 in - let out1:t_Array u8 (Rust_primitives.mk_usize 168) = tmp2 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) = - Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block (self.f_state.[ Rust_primitives.mk_usize - 1 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out2 - out3 - in - let self:t_Shake128x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 1) - tmp0 - } - <: - t_Shake128x4 - in - let out2:t_Array u8 (Rust_primitives.mk_usize 168) = tmp1 in - let out3:t_Array u8 (Rust_primitives.mk_usize 168) = tmp2 in - let _:Prims.unit = () in - let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) = - out0, out1, out2, out3 - <: - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) - in - self, hax_temp_output - <: - (t_Shake128x4 & - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168))) - } - -/// Neon SHAKE 256 x4 state -type t_Shake256x4 = { - f_state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (Rust_primitives.mk_usize 2) -} - -[@@ 
FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = - { - f_init_absorb_pre - = - (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true - ); - f_init_absorb_post - = - (fun - (input0: t_Slice u8) - (input1: t_Slice u8) - (input2: t_Slice u8) - (input3: t_Slice u8) - (out: t_Shake256x4) - -> - true); - f_init_absorb - = - (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState - (Rust_primitives.mk_usize 2) = - let list = - [Libcrux_sha3.Neon.X2.Incremental.init (); Libcrux_sha3.Neon.X2.Incremental.init ()] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list - in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState - (Rust_primitives.mk_usize 2) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state - (Rust_primitives.mk_usize 0) - (Libcrux_sha3.Neon.X2.Incremental.shake256_absorb_final (state.[ Rust_primitives.mk_usize - 0 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - input0 - input1 - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState - (Rust_primitives.mk_usize 2) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state - (Rust_primitives.mk_usize 1) - (Libcrux_sha3.Neon.X2.Incremental.shake256_absorb_final (state.[ Rust_primitives.mk_usize - 1 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - input2 - input3 - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - in - { f_state = state } <: t_Shake256x4); - f_squeeze_first_block_pre = (fun (self: t_Shake256x4) -> true); - f_squeeze_first_block_post - = - (fun - (self: t_Shake256x4) - (out4: - (t_Shake256x4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array 
u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))) - -> - true); - f_squeeze_first_block - = - (fun (self: t_Shake256x4) -> - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_first_block (self.f_state.[ Rust_primitives.mk_usize - 0 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out0 - out1 - in - let self:t_Shake256x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 0) - tmp0 - } - <: - t_Shake256x4 - in - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = tmp2 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_first_block (self.f_state.[ Rust_primitives.mk_usize - 1 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out2 - out3 - in - let self:t_Shake256x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 1) - tmp0 - } - <: - t_Shake256x4 - in - let 
out2:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = tmp2 in - let _:Prims.unit = () in - let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = - out0, out1, out2, out3 - <: - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) - in - self, hax_temp_output - <: - (t_Shake256x4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))); - f_squeeze_next_block_pre = (fun (self: t_Shake256x4) -> true); - f_squeeze_next_block_post - = - (fun - (self: t_Shake256x4) - (out4: - (t_Shake256x4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))) - -> - true); - f_squeeze_next_block - = - (fun (self: t_Shake256x4) -> - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = - 
Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_next_block (self.f_state.[ Rust_primitives.mk_usize - 0 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out0 - out1 - in - let self:t_Shake256x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 0) - tmp0 - } - <: - t_Shake256x4 - in - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = tmp2 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_next_block (self.f_state.[ Rust_primitives.mk_usize - 1 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out2 - out3 - in - let self:t_Shake256x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 1) - tmp0 - } - <: - t_Shake256x4 - in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = tmp2 in - let _:Prims.unit = () in - let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = - out0, out1, out2, out3 - <: - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) - in - self, hax_temp_output - <: - (t_Shake256x4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))); - f_shake256_pre - = - (fun - (v_OUT_LEN: usize) - (input0: t_Slice u8) - (input1: t_Slice u8) - (input2: 
t_Slice u8) - (input3: t_Slice u8) - (out0: t_Array u8 v_OUT_LEN) - (out1: t_Array u8 v_OUT_LEN) - (out2: t_Array u8 v_OUT_LEN) - (out3: t_Array u8 v_OUT_LEN) - -> - true); - f_shake256_post - = - (fun - (v_OUT_LEN: usize) - (input0: t_Slice u8) - (input1: t_Slice u8) - (input2: t_Slice u8) - (input3: t_Slice u8) - (out0: t_Array u8 v_OUT_LEN) - (out1: t_Array u8 v_OUT_LEN) - (out2: t_Array u8 v_OUT_LEN) - (out3: t_Array u8 v_OUT_LEN) - (out4: - (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN - )) - -> - true); - f_shake256 - = - fun - (v_OUT_LEN: usize) - (input0: t_Slice u8) - (input1: t_Slice u8) - (input2: t_Slice u8) - (input3: t_Slice u8) - (out0: t_Array u8 v_OUT_LEN) - (out1: t_Array u8 v_OUT_LEN) - (out2: t_Array u8 v_OUT_LEN) - (out3: t_Array u8 v_OUT_LEN) - -> - let tmp0, tmp1:(t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) = - Libcrux_sha3.Neon.X2.shake256 input0 input1 out0 out1 - in - let out0:t_Array u8 v_OUT_LEN = tmp0 in - let out1:t_Array u8 v_OUT_LEN = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) = - Libcrux_sha3.Neon.X2.shake256 input2 input3 out2 out3 - in - let out2:t_Array u8 v_OUT_LEN = tmp0 in - let out3:t_Array u8 v_OUT_LEN = tmp1 in - let _:Prims.unit = () in - out0, out1, out2, out3 - <: - (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) - } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti index ddbd358c4..6f4f9d9f4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti 
@@ -3,9 +3,10 @@ module Libcrux_ml_dsa.Hash_functions.Neon open Core open FStar.Mul -type t_Shake128x4 = { - f_state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (Rust_primitives.mk_usize 2) -} +type t_Shake128x4 = { f_state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) } + +/// Neon SHAKE 256 x4 state +type t_Shake256x4 = { f_state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) } [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = @@ -27,20 +28,17 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = f_init_absorb = (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState - (Rust_primitives.mk_usize 2) = + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = let list = [Libcrux_sha3.Neon.X2.Incremental.init (); Libcrux_sha3.Neon.X2.Incremental.init ()] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); Rust_primitives.Hax.array_of_list 2 list in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState - (Rust_primitives.mk_usize 2) = + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state - (Rust_primitives.mk_usize 0) - (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ Rust_primitives.mk_usize - 0 ] + (sz 0) + (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ sz 0 ] <: Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) input0 
@@ -48,12 +46,10 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = <: Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState - (Rust_primitives.mk_usize 2) = + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state - (Rust_primitives.mk_usize 1) - (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ Rust_primitives.mk_usize - 1 ] + (sz 1) + (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ sz 1 ] <: Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) input2 
@@ -66,41 +62,37 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = = (fun (self: t_Shake128x4) - (out0: t_Array u8 (Rust_primitives.mk_usize 840)) - (out1: t_Array u8 (Rust_primitives.mk_usize 840)) - (out2: t_Array u8 (Rust_primitives.mk_usize 840)) - (out3: t_Array u8 (Rust_primitives.mk_usize 840)) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) -> true); f_squeeze_first_five_blocks_post = (fun (self: t_Shake128x4) - (out0: t_Array u8 (Rust_primitives.mk_usize 840)) - (out1: t_Array u8 (Rust_primitives.mk_usize 840)) - (out2: t_Array u8 (Rust_primitives.mk_usize 840)) - (out3: t_Array u8 (Rust_primitives.mk_usize 840)) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) (out4: - (t_Shake128x4 & t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840))) + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))) -> true); f_squeeze_first_five_blocks = (fun (self: t_Shake128x4) - (out0: t_Array u8 (Rust_primitives.mk_usize 840)) - (out1: t_Array u8 (Rust_primitives.mk_usize 840)) - (out2: t_Array u8 (Rust_primitives.mk_usize 840)) - (out3: t_Array u8 (Rust_primitives.mk_usize 840)) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) -> - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840)) = - Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_five_blocks (self.f_state.[ Rust_primitives.mk_usize - 0 ] + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + 
Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_five_blocks (self.f_state.[ sz 0 ] <: Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out0 @@ -111,21 +103,17 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = self with f_state = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 0) - tmp0 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 0) tmp0 } <: t_Shake128x4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in - let out1:t_Array u8 (Rust_primitives.mk_usize 840) = tmp2 in + let out0:t_Array u8 (sz 840) = tmp1 in + let out1:t_Array u8 (sz 840) = tmp2 in let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840)) = - Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_five_blocks (self.f_state.[ Rust_primitives.mk_usize - 1 ] + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_five_blocks (self.f_state.[ sz 1 ] <: Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out2 
@@ -136,22 +124,18 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = self with f_state = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 1) - tmp0 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 1) tmp0 } <: t_Shake128x4 in - let out2:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in - let out3:t_Array u8 (Rust_primitives.mk_usize 840) = tmp2 in + let out2:t_Array u8 (sz 840) = tmp1 in + let out3:t_Array u8 (sz 840) = tmp2 in let _:Prims.unit = () in self, out0, out1, out2, out3 <: - (t_Shake128x4 & t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840))); + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))); f_squeeze_next_block_pre = (fun (self: t_Shake128x4) -> true); f_squeeze_next_block_post = 
@@ -159,31 +143,20 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = (self: t_Shake128x4) (out4: (t_Shake128x4 & - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)))) + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + ) -> true); f_squeeze_next_block = fun (self: t_Shake128x4) -> - let out0:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let out1:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let out2:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let out3:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) = - Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block (self.f_state.[ Rust_primitives.mk_usize - 0 ] + let out0:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let out1:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let out2:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let out3:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block (self.f_state.[ sz 0 ] <: Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out0 
@@ -194,21 +167,17 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = self with f_state = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 0) - tmp0 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 0) tmp0 } <: t_Shake128x4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 168) = tmp1 in - let out1:t_Array u8 (Rust_primitives.mk_usize 168) = tmp2 in + let out0:t_Array u8 (sz 168) = tmp1 in + let out1:t_Array u8 (sz 168) = tmp2 in let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) = - Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block (self.f_state.[ Rust_primitives.mk_usize - 1 ] + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block (self.f_state.[ sz 1 ] <: Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out2 
@@ -219,39 +188,26 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = self with f_state = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 1) - tmp0 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 1) tmp0 } <: t_Shake128x4 in - let out2:t_Array u8 (Rust_primitives.mk_usize 168) = tmp1 in - let out3:t_Array u8 (Rust_primitives.mk_usize 168) = tmp2 in + let out2:t_Array u8 (sz 168) = tmp1 in + let out3:t_Array u8 (sz 168) = tmp2 in let _:Prims.unit = () in - let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) = + let hax_temp_output:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = out0, out1, out2, out3 <: - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)) in self, hax_temp_output <: (t_Shake128x4 & - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168))) + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) } -/// Neon SHAKE 256 x4 state -type t_Shake256x4 = { - f_state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (Rust_primitives.mk_usize 2) -} - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = { 
@@ -272,20 +228,17 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = f_init_absorb = (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState - (Rust_primitives.mk_usize 2) = + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = let list = [Libcrux_sha3.Neon.X2.Incremental.init (); Libcrux_sha3.Neon.X2.Incremental.init ()] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); Rust_primitives.Hax.array_of_list 2 list in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState - (Rust_primitives.mk_usize 2) = + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state - (Rust_primitives.mk_usize 0) - (Libcrux_sha3.Neon.X2.Incremental.shake256_absorb_final (state.[ Rust_primitives.mk_usize - 0 ] + (sz 0) + (Libcrux_sha3.Neon.X2.Incremental.shake256_absorb_final (state.[ sz 0 ] <: Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) input0 @@ -293,12 +246,10 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = <: Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState - (Rust_primitives.mk_usize 2) = + let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state - (Rust_primitives.mk_usize 1) - (Libcrux_sha3.Neon.X2.Incremental.shake256_absorb_final (state.[ Rust_primitives.mk_usize - 1 ] + (sz 1) + (Libcrux_sha3.Neon.X2.Incremental.shake256_absorb_final (state.[ sz 1 ] <: Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) input2 
@@ -314,31 +265,20 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = (self: t_Shake256x4) (out4: (t_Shake256x4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) -> true); f_squeeze_first_block = (fun (self: t_Shake256x4) -> - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_first_block (self.f_state.[ Rust_primitives.mk_usize - 0 ] + let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_first_block (self.f_state.[ sz 0 ] <: Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out0 
@@ -349,21 +289,17 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = self with f_state = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 0) - tmp0 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 0) tmp0 } <: t_Shake256x4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = tmp2 in + let out0:t_Array u8 (sz 136) = tmp1 in + let out1:t_Array u8 (sz 136) = tmp2 in let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_first_block (self.f_state.[ Rust_primitives.mk_usize - 1 ] + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_first_block (self.f_state.[ sz 1 ] <: Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out2 
@@ -374,32 +310,24 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = self with f_state = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 1) - tmp0 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 1) tmp0 } <: t_Shake256x4 in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = tmp2 in + let out2:t_Array u8 (sz 136) = tmp1 in + let out3:t_Array u8 (sz 136) = tmp2 in let _:Prims.unit = () in - let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = out0, out1, out2, out3 <: - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) in self, hax_temp_output <: (t_Shake256x4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))); + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); f_squeeze_next_block_pre = (fun (self: t_Shake256x4) -> true); f_squeeze_next_block_post = 
@@ -407,31 +335,20 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = (self: t_Shake256x4) (out4: (t_Shake256x4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) -> true); f_squeeze_next_block = (fun (self: t_Shake256x4) -> - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_next_block (self.f_state.[ Rust_primitives.mk_usize - 0 ] + let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_next_block (self.f_state.[ sz 0 ] <: Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out0 
@@ -442,21 +359,17 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = self with f_state = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 0) - tmp0 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 0) tmp0 } <: t_Shake256x4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = tmp2 in + let out0:t_Array u8 (sz 136) = tmp1 in + let out1:t_Array u8 (sz 136) = tmp2 in let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = - Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_next_block (self.f_state.[ Rust_primitives.mk_usize - 1 ] + let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_next_block (self.f_state.[ sz 1 ] <: Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) out2 
@@ -467,32 +380,24 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = self with f_state = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state - (Rust_primitives.mk_usize 1) - tmp0 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 1) tmp0 } <: t_Shake256x4 in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = tmp2 in + let out2:t_Array u8 (sz 136) = tmp1 in + let out3:t_Array u8 (sz 136) = tmp2 in let _:Prims.unit = () in - let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = out0, out1, out2, out3 <: - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) in self, hax_temp_output <: (t_Shake256x4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))); + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); f_shake256_pre = (fun diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti index 1f960b146..55811609f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti 
@@ -3,34 +3,9 @@ module Libcrux_ml_dsa.Hash_functions.Portable open Core open FStar.Mul -val init_absorb__init_absorb (input: t_Slice u8) - : Prims.Pure Libcrux_sha3.Portable.t_KeccakState Prims.l_True (fun _ -> Prims.l_True) - /// Portable SHAKE 128 state type t_Shake128 = | Shake128 : t_Shake128 -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128 = - { - f_shake128_pre - = - (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); - f_shake128_post - = - (fun - (v_OUTPUT_LENGTH: usize) - (input: t_Slice u8) - (out: t_Array u8 v_OUTPUT_LENGTH) - (out1: t_Array u8 v_OUTPUT_LENGTH) - -> - true); - f_shake128 - = - fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> - let out:t_Array u8 v_OUTPUT_LENGTH = Libcrux_sha3.Portable.shake128 out input in - out - } - /// Portable SHAKE 128 x4 state. /// We're using a portable implementation so this is actually sequential. type t_Shake128X4 = { @@ -40,6 +15,21 @@ type t_Shake128X4 = { f_state3:Libcrux_sha3.Portable.t_KeccakState } +/// Portable SHAKE 256 state +type t_Shake256 = { f_state:Libcrux_sha3.Portable.t_KeccakState } + +/// Portable SHAKE 256 x4 state. +/// We're using a portable implementation so this is actually sequential. +type t_Shake256X4 = { + f_state0:Libcrux_sha3.Portable.t_KeccakState; + f_state1:Libcrux_sha3.Portable.t_KeccakState; + f_state2:Libcrux_sha3.Portable.t_KeccakState; + f_state3:Libcrux_sha3.Portable.t_KeccakState +} + +val init_absorb__init_absorb (input: t_Slice u8) + : Prims.Pure Libcrux_sha3.Portable.t_KeccakState Prims.l_True (fun _ -> Prims.l_True) + [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 = { 
@@ -71,70 +61,62 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 = = (fun (self: t_Shake128X4) - (out0: t_Array u8 (Rust_primitives.mk_usize 840)) - (out1: t_Array u8 (Rust_primitives.mk_usize 840)) - (out2: t_Array u8 (Rust_primitives.mk_usize 840)) - (out3: t_Array u8 (Rust_primitives.mk_usize 840)) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) -> true); f_squeeze_first_five_blocks_post = (fun (self: t_Shake128X4) - (out0: t_Array u8 (Rust_primitives.mk_usize 840)) - (out1: t_Array u8 (Rust_primitives.mk_usize 840)) - (out2: t_Array u8 (Rust_primitives.mk_usize 840)) - (out3: t_Array u8 (Rust_primitives.mk_usize 840)) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) (out4: - (t_Shake128X4 & t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840))) + (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))) -> true); f_squeeze_first_five_blocks = (fun (self: t_Shake128X4) - (out0: t_Array u8 (Rust_primitives.mk_usize 840)) - (out1: t_Array u8 (Rust_primitives.mk_usize 840)) - (out2: t_Array u8 (Rust_primitives.mk_usize 840)) - (out3: t_Array u8 (Rust_primitives.mk_usize 840)) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) -> - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 840)) = + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 840)) = Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state0 out0 in let self:t_Shake128X4 = { self with f_state0 = tmp0 } <: t_Shake128X4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in + let out0:t_Array u8 (sz 840) 
= tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 840)) = + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 840)) = Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state1 out1 in let self:t_Shake128X4 = { self with f_state1 = tmp0 } <: t_Shake128X4 in - let out1:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in + let out1:t_Array u8 (sz 840) = tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 840)) = + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 840)) = Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state2 out2 in let self:t_Shake128X4 = { self with f_state2 = tmp0 } <: t_Shake128X4 in - let out2:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in + let out2:t_Array u8 (sz 840) = tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 840)) = + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 840)) = Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state3 out3 in let self:t_Shake128X4 = { self with f_state3 = tmp0 } <: t_Shake128X4 in - let out3:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in + let out3:t_Array u8 (sz 840) = tmp1 in let _:Prims.unit = () in self, out0, out1, out2, out3 <: - (t_Shake128X4 & t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840))); + (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))); f_squeeze_next_block_pre = (fun (self: t_Shake128X4) -> true); f_squeeze_next_block_post = 
@@ -142,74 +124,74 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 = (self: t_Shake128X4) (out4: (t_Shake128X4 & - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)))) + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + ) -> true); f_squeeze_next_block = fun (self: t_Shake128X4) -> - let out0:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 168)) = + let out0:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 168)) = Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state0 out0 in let self:t_Shake128X4 = { self with f_state0 = tmp0 } <: t_Shake128X4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 168) = tmp1 in + let out0:t_Array u8 (sz 168) = tmp1 in let _:Prims.unit = () in - let out1:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 168)) = + let out1:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 168)) = Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state1 out1 in let self:t_Shake128X4 = { self with f_state1 = tmp0 } <: t_Shake128X4 in - let out1:t_Array u8 (Rust_primitives.mk_usize 168) = tmp1 in + let out1:t_Array u8 (sz 168) = tmp1 in let _:Prims.unit = () in - let out2:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) 
- in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 168)) = + let out2:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 168)) = Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state2 out2 in let self:t_Shake128X4 = { self with f_state2 = tmp0 } <: t_Shake128X4 in - let out2:t_Array u8 (Rust_primitives.mk_usize 168) = tmp1 in + let out2:t_Array u8 (sz 168) = tmp1 in let _:Prims.unit = () in - let out3:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 168)) = + let out3:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 168)) = Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state3 out3 in let self:t_Shake128X4 = { self with f_state3 = tmp0 } <: t_Shake128X4 in - let out3:t_Array u8 (Rust_primitives.mk_usize 168) = tmp1 in + let out3:t_Array u8 (sz 168) = tmp1 in let _:Prims.unit = () in - let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) = + let hax_temp_output:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = out0, out1, out2, out3 <: - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)) in self, hax_temp_output <: (t_Shake128X4 & - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - 
t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168))) + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) } -/// Portable SHAKE 256 state -type t_Shake256 = { f_state:Libcrux_sha3.Portable.t_KeccakState } +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128 = + { + f_shake128_pre + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); + f_shake128_post + = + (fun + (v_OUTPUT_LENGTH: usize) + (input: t_Slice u8) + (out: t_Array u8 v_OUTPUT_LENGTH) + (out1: t_Array u8 v_OUTPUT_LENGTH) + -> + true); + f_shake128 + = + fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> + let out:t_Array u8 v_OUTPUT_LENGTH = Libcrux_sha3.Portable.shake128 out input in + out + } [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = 
@@ -246,54 +228,37 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = f_squeeze_first_block_pre = (fun (self: t_Shake256) -> true); f_squeeze_first_block_post = - (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (Rust_primitives.mk_usize 136))) -> true - ); + (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (sz 136))) -> true); f_squeeze_first_block = (fun (self: t_Shake256) -> - let out:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let out:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state out in let self:t_Shake256 = { self with f_state = tmp0 } <: t_Shake256 in - let out:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out:t_Array u8 (sz 136) = tmp1 in let _:Prims.unit = () in - let hax_temp_output:t_Array u8 (Rust_primitives.mk_usize 136) = out in - self, hax_temp_output <: (t_Shake256 & t_Array u8 (Rust_primitives.mk_usize 136))); + let hax_temp_output:t_Array u8 (sz 136) = out in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136))); f_squeeze_next_block_pre = (fun (self: t_Shake256) -> true); f_squeeze_next_block_post = - (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (Rust_primitives.mk_usize 136))) -> true - ); + (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (sz 136))) -> true); f_squeeze_next_block = fun (self: t_Shake256) -> - let out:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let out:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 
0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state out in let self:t_Shake256 = { self with f_state = tmp0 } <: t_Shake256 in - let out:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out:t_Array u8 (sz 136) = tmp1 in let _:Prims.unit = () in - let hax_temp_output:t_Array u8 (Rust_primitives.mk_usize 136) = out in - self, hax_temp_output <: (t_Shake256 & t_Array u8 (Rust_primitives.mk_usize 136)) + let hax_temp_output:t_Array u8 (sz 136) = out in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136)) } -/// Portable SHAKE 256 x4 state. -/// We're using a portable implementation so this is actually sequential. -type t_Shake256X4 = { - f_state0:Libcrux_sha3.Portable.t_KeccakState; - f_state1:Libcrux_sha3.Portable.t_KeccakState; - f_state2:Libcrux_sha3.Portable.t_KeccakState; - f_state3:Libcrux_sha3.Portable.t_KeccakState -} - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = { 
@@ -348,70 +313,51 @@ let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = (self: t_Shake256X4) (out4: (t_Shake256X4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) -> true); f_squeeze_first_block = (fun (self: t_Shake256X4) -> - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state0 out0 in let self:t_Shake256X4 = { self with f_state0 = tmp0 } <: t_Shake256X4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out0:t_Array u8 (sz 136) = tmp1 in let _:Prims.unit = () in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state1 out1 in let self:t_Shake256X4 = { self with f_state1 = tmp0 } <: t_Shake256X4 in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out1:t_Array u8 (sz 136) = tmp1 in let _:Prims.unit = () in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 
136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state2 out2 in let self:t_Shake256X4 = { self with f_state2 = tmp0 } <: t_Shake256X4 in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out2:t_Array u8 (sz 136) = tmp1 in let _:Prims.unit = () in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state3 out3 in let self:t_Shake256X4 = { self with f_state3 = tmp0 } <: t_Shake256X4 in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out3:t_Array u8 (sz 136) = tmp1 in let _:Prims.unit = () in - let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = out0, out1, out2, out3 <: - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) in self, hax_temp_output <: (t_Shake256X4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & 
- t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))); + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); f_squeeze_next_block_pre = (fun (self: t_Shake256X4) -> true); f_squeeze_next_block_post = 
@@ -419,70 +365,51 @@ let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = (self: t_Shake256X4) (out4: (t_Shake256X4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) -> true); f_squeeze_next_block = (fun (self: t_Shake256X4) -> - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state0 out0 in let self:t_Shake256X4 = { self with f_state0 = tmp0 } <: t_Shake256X4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out0:t_Array u8 (sz 136) = tmp1 in let _:Prims.unit = () in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state1 out1 in let self:t_Shake256X4 = { self with f_state1 = tmp0 } <: t_Shake256X4 in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out1:t_Array u8 (sz 136) = tmp1 in let _:Prims.unit = () in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 
136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state2 out2 in let self:t_Shake256X4 = { self with f_state2 = tmp0 } <: t_Shake256X4 in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out2:t_Array u8 (sz 136) = tmp1 in let _:Prims.unit = () in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state3 out3 in let self:t_Shake256X4 = { self with f_state3 = tmp0 } <: t_Shake256X4 in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out3:t_Array u8 (sz 136) = tmp1 in let _:Prims.unit = () in - let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = out0, out1, out2, out3 <: - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) in self, hax_temp_output <: (t_Shake256X4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - 
t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))); + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); f_shake256_pre = (fun diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fst deleted file mode 100644 index 9dd9ad636..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fst +++ /dev/null 
@@ -1,80 +0,0 @@ -module Libcrux_ml_dsa.Hash_functions.Shake128 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul - -class t_Xof (v_Self: Type0) = { - f_shake128_pre:v_OUTPUT_LENGTH: usize -> t_Slice u8 -> t_Array u8 v_OUTPUT_LENGTH -> Type0; - f_shake128_post: - v_OUTPUT_LENGTH: usize -> - t_Slice u8 -> - t_Array u8 v_OUTPUT_LENGTH -> - t_Array u8 v_OUTPUT_LENGTH - -> Type0; - f_shake128:v_OUTPUT_LENGTH: usize -> x0: t_Slice u8 -> x1: t_Array u8 v_OUTPUT_LENGTH - -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) - (f_shake128_pre v_OUTPUT_LENGTH x0 x1) - (fun result -> f_shake128_post v_OUTPUT_LENGTH x0 x1 result) -} - -/// When sampling matrix A we always want to do 4 absorb/squeeze calls in -/// parallel. -class t_XofX4 (v_Self: Type0) = { - f_init_absorb_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; - f_init_absorb_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0; - f_init_absorb:x0: t_Slice u8 -> x1: t_Slice u8 -> x2: t_Slice u8 -> x3: t_Slice u8 - -> Prims.Pure v_Self - (f_init_absorb_pre x0 x1 x2 x3) - (fun result -> f_init_absorb_post x0 x1 x2 x3 result); - f_squeeze_first_five_blocks_pre: - v_Self -> - t_Array u8 (Rust_primitives.mk_usize 840) -> - t_Array u8 (Rust_primitives.mk_usize 840) -> - t_Array u8 (Rust_primitives.mk_usize 840) -> - t_Array u8 (Rust_primitives.mk_usize 840) - -> Type0; - f_squeeze_first_five_blocks_post: - v_Self -> - t_Array u8 (Rust_primitives.mk_usize 840) -> - t_Array u8 (Rust_primitives.mk_usize 840) -> - t_Array u8 (Rust_primitives.mk_usize 840) -> - t_Array u8 (Rust_primitives.mk_usize 840) -> - (v_Self & t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840)) - -> Type0; - f_squeeze_first_five_blocks: - x0: v_Self -> - x1: t_Array u8 (Rust_primitives.mk_usize 840) -> - x2: t_Array u8 (Rust_primitives.mk_usize 840) -> - x3: t_Array u8 
(Rust_primitives.mk_usize 840) -> - x4: t_Array u8 (Rust_primitives.mk_usize 840) - -> Prims.Pure - (v_Self & t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840)) - (f_squeeze_first_five_blocks_pre x0 x1 x2 x3 x4) - (fun result -> f_squeeze_first_five_blocks_post x0 x1 x2 x3 x4 result); - f_squeeze_next_block_pre:v_Self -> Type0; - f_squeeze_next_block_post: - v_Self -> - (v_Self & - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168))) - -> Type0; - f_squeeze_next_block:x0: v_Self - -> Prims.Pure - (v_Self & - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168))) - (f_squeeze_next_block_pre x0) - (fun result -> f_squeeze_next_block_post x0 result) -} - -let v_BLOCK_SIZE: usize = Rust_primitives.mk_usize 168 - -let v_FIVE_BLOCKS_SIZE: usize = v_BLOCK_SIZE *! Rust_primitives.mk_usize 5 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti index 71bceb4a7..d5bc80a18 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti 
@@ -28,49 +28,41 @@ class t_XofX4 (v_Self: Type0) = { (fun result -> f_init_absorb_post x0 x1 x2 x3 result); f_squeeze_first_five_blocks_pre: v_Self -> - t_Array u8 (Rust_primitives.mk_usize 840) -> - t_Array u8 (Rust_primitives.mk_usize 840) -> - t_Array u8 (Rust_primitives.mk_usize 840) -> - t_Array u8 (Rust_primitives.mk_usize 840) + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> Type0; f_squeeze_first_five_blocks_post: v_Self -> - t_Array u8 (Rust_primitives.mk_usize 840) -> - t_Array u8 (Rust_primitives.mk_usize 840) -> - t_Array u8 (Rust_primitives.mk_usize 840) -> - t_Array u8 (Rust_primitives.mk_usize 840) -> - (v_Self & t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840)) + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + (v_Self & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) -> Type0; f_squeeze_first_five_blocks: x0: v_Self -> - x1: t_Array u8 (Rust_primitives.mk_usize 840) -> - x2: t_Array u8 (Rust_primitives.mk_usize 840) -> - x3: t_Array u8 (Rust_primitives.mk_usize 840) -> - x4: t_Array u8 (Rust_primitives.mk_usize 840) + x1: t_Array u8 (sz 840) -> + x2: t_Array u8 (sz 840) -> + x3: t_Array u8 (sz 840) -> + x4: t_Array u8 (sz 840) -> Prims.Pure - (v_Self & t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840)) + (v_Self & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) (f_squeeze_first_five_blocks_pre x0 x1 x2 x3 x4) (fun result -> f_squeeze_first_five_blocks_post x0 x1 x2 x3 x4 result); f_squeeze_next_block_pre:v_Self -> Type0; f_squeeze_next_block_post: v_Self -> (v_Self & - (t_Array u8 (Rust_primitives.mk_usize 168) 
& t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168))) + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) -> Type0; f_squeeze_next_block:x0: v_Self -> Prims.Pure (v_Self & - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168))) + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) (f_squeeze_next_block_pre x0) (fun result -> f_squeeze_next_block_post x0 result) } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fst deleted file mode 100644 index a37c4e5d7..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fst +++ /dev/null 
@@ -1,114 +0,0 @@ -module Libcrux_ml_dsa.Hash_functions.Shake256 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul - -class t_Xof (v_Self: Type0) = { - f_shake256_pre:v_OUTPUT_LENGTH: usize -> t_Slice u8 -> t_Array u8 v_OUTPUT_LENGTH -> Type0; - f_shake256_post: - v_OUTPUT_LENGTH: usize -> - t_Slice u8 -> - t_Array u8 v_OUTPUT_LENGTH -> - t_Array u8 v_OUTPUT_LENGTH - -> Type0; - f_shake256:v_OUTPUT_LENGTH: usize -> x0: t_Slice u8 -> x1: t_Array u8 v_OUTPUT_LENGTH - -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) - (f_shake256_pre v_OUTPUT_LENGTH x0 x1) - (fun result -> f_shake256_post v_OUTPUT_LENGTH x0 x1 result); - f_init_absorb_pre:t_Slice u8 -> Type0; - f_init_absorb_post:t_Slice u8 -> v_Self -> Type0; - f_init_absorb:x0: t_Slice u8 - -> Prims.Pure v_Self (f_init_absorb_pre x0) (fun result -> f_init_absorb_post x0 result); - f_squeeze_first_block_pre:v_Self -> Type0; - f_squeeze_first_block_post:v_Self -> (v_Self & t_Array u8 (Rust_primitives.mk_usize 136)) -> Type0; - f_squeeze_first_block:x0: v_Self - -> Prims.Pure (v_Self & t_Array u8 (Rust_primitives.mk_usize 136)) - (f_squeeze_first_block_pre x0) - (fun result -> f_squeeze_first_block_post x0 result); - f_squeeze_next_block_pre:v_Self -> Type0; - f_squeeze_next_block_post:v_Self -> (v_Self & t_Array u8 (Rust_primitives.mk_usize 136)) -> Type0; - f_squeeze_next_block:x0: v_Self - -> Prims.Pure (v_Self & t_Array u8 (Rust_primitives.mk_usize 136)) - (f_squeeze_next_block_pre x0) - (fun result -> f_squeeze_next_block_post x0 result) -} - -class t_XofX4 (v_Self: Type0) = { - f_shake256_pre: - v_OUT_LEN: usize -> - t_Slice u8 -> - t_Slice u8 -> - t_Slice u8 -> - t_Slice u8 -> - t_Array u8 v_OUT_LEN -> - t_Array u8 v_OUT_LEN -> - t_Array u8 v_OUT_LEN -> - t_Array u8 v_OUT_LEN - -> Type0; - f_shake256_post: - v_OUT_LEN: usize -> - t_Slice u8 -> - t_Slice u8 -> - t_Slice u8 -> - t_Slice u8 -> - t_Array u8 v_OUT_LEN -> - t_Array u8 v_OUT_LEN -> - t_Array u8 v_OUT_LEN -> - t_Array u8 v_OUT_LEN -> 
- (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) - -> Type0; - f_shake256: - v_OUT_LEN: usize -> - x0: t_Slice u8 -> - x1: t_Slice u8 -> - x2: t_Slice u8 -> - x3: t_Slice u8 -> - x4: t_Array u8 v_OUT_LEN -> - x5: t_Array u8 v_OUT_LEN -> - x6: t_Array u8 v_OUT_LEN -> - x7: t_Array u8 v_OUT_LEN - -> Prims.Pure - (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) - (f_shake256_pre v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7) - (fun result -> f_shake256_post v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7 result); - f_init_absorb_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; - f_init_absorb_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0; - f_init_absorb:x0: t_Slice u8 -> x1: t_Slice u8 -> x2: t_Slice u8 -> x3: t_Slice u8 - -> Prims.Pure v_Self - (f_init_absorb_pre x0 x1 x2 x3) - (fun result -> f_init_absorb_post x0 x1 x2 x3 result); - f_squeeze_first_block_pre:v_Self -> Type0; - f_squeeze_first_block_post: - v_Self -> - (v_Self & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136))) - -> Type0; - f_squeeze_first_block:x0: v_Self - -> Prims.Pure - (v_Self & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136))) - (f_squeeze_first_block_pre x0) - (fun result -> f_squeeze_first_block_post x0 result); - f_squeeze_next_block_pre:v_Self -> Type0; - f_squeeze_next_block_post: - v_Self -> - (v_Self & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136))) - -> Type0; - f_squeeze_next_block:x0: v_Self - -> Prims.Pure - (v_Self & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 
(Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136))) - (f_squeeze_next_block_pre x0) - (fun result -> f_squeeze_next_block_post x0 result) -} - -let v_BLOCK_SIZE: usize = Rust_primitives.mk_usize 136 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti index a62590900..6ad902487 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti @@ -20,15 +20,15 @@ class t_Xof (v_Self: Type0) = { f_init_absorb:x0: t_Slice u8 -> Prims.Pure v_Self (f_init_absorb_pre x0) (fun result -> f_init_absorb_post x0 result); f_squeeze_first_block_pre:v_Self -> Type0; - f_squeeze_first_block_post:v_Self -> (v_Self & t_Array u8 (Rust_primitives.mk_usize 136)) -> Type0; + f_squeeze_first_block_post:v_Self -> (v_Self & t_Array u8 (sz 136)) -> Type0; f_squeeze_first_block:x0: v_Self - -> Prims.Pure (v_Self & t_Array u8 (Rust_primitives.mk_usize 136)) + -> Prims.Pure (v_Self & t_Array u8 (sz 136)) (f_squeeze_first_block_pre x0) (fun result -> f_squeeze_first_block_post x0 result); f_squeeze_next_block_pre:v_Self -> Type0; - f_squeeze_next_block_post:v_Self -> (v_Self & t_Array u8 (Rust_primitives.mk_usize 136)) -> Type0; + f_squeeze_next_block_post:v_Self -> (v_Self & t_Array u8 (sz 136)) -> Type0; f_squeeze_next_block:x0: v_Self - -> Prims.Pure (v_Self & t_Array u8 (Rust_primitives.mk_usize 136)) + -> Prims.Pure (v_Self & t_Array u8 (sz 136)) (f_squeeze_next_block_pre x0) (fun result -> f_squeeze_next_block_post x0 result) } 
@@ -81,32 +81,24 @@ class t_XofX4 (v_Self: Type0) = { f_squeeze_first_block_post: v_Self -> (v_Self & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136))) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) -> Type0; f_squeeze_first_block:x0: v_Self -> Prims.Pure (v_Self & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136))) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) (f_squeeze_first_block_pre x0) (fun result -> f_squeeze_first_block_post x0 result); f_squeeze_next_block_pre:v_Self -> Type0; f_squeeze_next_block_post: v_Self -> (v_Self & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136))) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) -> Type0; f_squeeze_next_block:x0: v_Self -> Prims.Pure (v_Self & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136))) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) (f_squeeze_next_block_pre x0) (fun result -> f_squeeze_next_block_post x0 result) } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti index ce4488043..4d39cccaa 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti 
@@ -8,6 +8,12 @@ open FStar.Mul /// version is used. type t_Shake128x4 = { f_state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState } +/// AVX2 SHAKE 256 x4 state. +type t_Shake256x4 = { f_state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState } + +/// AVX2 SHAKE 256 state +type t_Shake256 = { f_state:Libcrux_sha3.Portable.t_KeccakState } + [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = { 
@@ -39,41 +45,39 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = = (fun (self: t_Shake128x4) - (out0: t_Array u8 (Rust_primitives.mk_usize 840)) - (out1: t_Array u8 (Rust_primitives.mk_usize 840)) - (out2: t_Array u8 (Rust_primitives.mk_usize 840)) - (out3: t_Array u8 (Rust_primitives.mk_usize 840)) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) -> true); f_squeeze_first_five_blocks_post = (fun (self: t_Shake128x4) - (out0: t_Array u8 (Rust_primitives.mk_usize 840)) - (out1: t_Array u8 (Rust_primitives.mk_usize 840)) - (out2: t_Array u8 (Rust_primitives.mk_usize 840)) - (out3: t_Array u8 (Rust_primitives.mk_usize 840)) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) (out4: - (t_Shake128x4 & t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840))) + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))) -> true); f_squeeze_first_five_blocks = (fun (self: t_Shake128x4) - (out0: t_Array u8 (Rust_primitives.mk_usize 840)) - (out1: t_Array u8 (Rust_primitives.mk_usize 840)) - (out2: t_Array u8 (Rust_primitives.mk_usize 840)) - (out3: t_Array u8 (Rust_primitives.mk_usize 840)) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) -> let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840)) = + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = Libcrux_sha3.Avx2.X4.Incremental.shake128_squeeze_first_five_blocks 
self.f_state out0 out1 @@ -81,17 +85,15 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = out3 in let self:t_Shake128x4 = { self with f_state = tmp0 } <: t_Shake128x4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in - let out1:t_Array u8 (Rust_primitives.mk_usize 840) = tmp2 in - let out2:t_Array u8 (Rust_primitives.mk_usize 840) = tmp3 in - let out3:t_Array u8 (Rust_primitives.mk_usize 840) = tmp4 in + let out0:t_Array u8 (sz 840) = tmp1 in + let out1:t_Array u8 (sz 840) = tmp2 in + let out2:t_Array u8 (sz 840) = tmp3 in + let out3:t_Array u8 (sz 840) = tmp4 in let _:Prims.unit = () in self, out0, out1, out2, out3 <: - (t_Shake128x4 & t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840))); + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))); f_squeeze_next_block_pre = (fun (self: t_Shake128x4) -> true); f_squeeze_next_block_post = 
@@ -99,31 +101,22 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = (self: t_Shake128x4) (out4: (t_Shake128x4 & - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)))) + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + ) -> true); f_squeeze_next_block = fun (self: t_Shake128x4) -> - let out0:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let out1:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let out2:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in - let out3:t_Array u8 (Rust_primitives.mk_usize 168) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 168) - in + let out0:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let out1:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let out2:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in + let out3:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) = + t_Array u8 (sz 168) & + t_Array u8 (sz 168) & + t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = Libcrux_sha3.Avx2.X4.Incremental.shake128_squeeze_next_block self.f_state out0 out1 
@@ -131,32 +124,23 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = out3 in let self:t_Shake128x4 = { self with f_state = tmp0 } <: t_Shake128x4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 168) = tmp1 in - let out1:t_Array u8 (Rust_primitives.mk_usize 168) = tmp2 in - let out2:t_Array u8 (Rust_primitives.mk_usize 168) = tmp3 in - let out3:t_Array u8 (Rust_primitives.mk_usize 168) = tmp4 in + let out0:t_Array u8 (sz 168) = tmp1 in + let out1:t_Array u8 (sz 168) = tmp2 in + let out2:t_Array u8 (sz 168) = tmp3 in + let out3:t_Array u8 (sz 168) = tmp4 in let _:Prims.unit = () in - let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) = + let hax_temp_output:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = out0, out1, out2, out3 <: - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)) in self, hax_temp_output <: (t_Shake128x4 & - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168))) + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) } -/// AVX2 SHAKE 256 state -type t_Shake256 = { f_state:Libcrux_sha3.Portable.t_KeccakState } - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = { 
@@ -192,48 +176,37 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = f_squeeze_first_block_pre = (fun (self: t_Shake256) -> true); f_squeeze_first_block_post = - (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (Rust_primitives.mk_usize 136))) -> true - ); + (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (sz 136))) -> true); f_squeeze_first_block = (fun (self: t_Shake256) -> - let out:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let out:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state out in let self:t_Shake256 = { self with f_state = tmp0 } <: t_Shake256 in - let out:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out:t_Array u8 (sz 136) = tmp1 in let _:Prims.unit = () in - let hax_temp_output:t_Array u8 (Rust_primitives.mk_usize 136) = out in - self, hax_temp_output <: (t_Shake256 & t_Array u8 (Rust_primitives.mk_usize 136))); + let hax_temp_output:t_Array u8 (sz 136) = out in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136))); f_squeeze_next_block_pre = (fun (self: t_Shake256) -> true); f_squeeze_next_block_post = - (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (Rust_primitives.mk_usize 136))) -> true - ); + (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (sz 136))) -> true); f_squeeze_next_block = fun (self: t_Shake256) -> - let out:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let out:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 
0uy (sz 136) in + let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state out in let self:t_Shake256 = { self with f_state = tmp0 } <: t_Shake256 in - let out:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in + let out:t_Array u8 (sz 136) = tmp1 in let _:Prims.unit = () in - let hax_temp_output:t_Array u8 (Rust_primitives.mk_usize 136) = out in - self, hax_temp_output <: (t_Shake256 & t_Array u8 (Rust_primitives.mk_usize 136)) + let hax_temp_output:t_Array u8 (sz 136) = out in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136)) } -/// AVX2 SHAKE 256 x4 state. -type t_Shake256x4 = { f_state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState } - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = { 
@@ -268,31 +241,22 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = (self: t_Shake256x4) (out4: (t_Shake256x4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) -> true); f_squeeze_first_block = (fun (self: t_Shake256x4) -> - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in + let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = + t_Array u8 (sz 136) & + t_Array u8 (sz 136) & + t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = Libcrux_sha3.Avx2.X4.Incremental.shake256_squeeze_first_block self.f_state out0 out1 
@@ -300,27 +264,21 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = out3 in let self:t_Shake256x4 = { self with f_state = tmp0 } <: t_Shake256x4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = tmp2 in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = tmp3 in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = tmp4 in + let out0:t_Array u8 (sz 136) = tmp1 in + let out1:t_Array u8 (sz 136) = tmp2 in + let out2:t_Array u8 (sz 136) = tmp3 in + let out3:t_Array u8 (sz 136) = tmp4 in let _:Prims.unit = () in - let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = out0, out1, out2, out3 <: - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) in self, hax_temp_output <: (t_Shake256x4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))); + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); f_squeeze_next_block_pre = (fun (self: t_Shake256x4) -> true); f_squeeze_next_block_post = 
@@ -328,31 +286,22 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = (self: t_Shake256x4) (out4: (t_Shake256x4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) -> true); f_squeeze_next_block = (fun (self: t_Shake256x4) -> - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 136) - in + let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in + let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = + t_Array u8 (sz 136) & + t_Array u8 (sz 136) & + t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = Libcrux_sha3.Avx2.X4.Incremental.shake256_squeeze_next_block self.f_state out0 out1 
@@ -360,27 +309,21 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = out3 in let self:t_Shake256x4 = { self with f_state = tmp0 } <: t_Shake256x4 in - let out0:t_Array u8 (Rust_primitives.mk_usize 136) = tmp1 in - let out1:t_Array u8 (Rust_primitives.mk_usize 136) = tmp2 in - let out2:t_Array u8 (Rust_primitives.mk_usize 136) = tmp3 in - let out3:t_Array u8 (Rust_primitives.mk_usize 136) = tmp4 in + let out0:t_Array u8 (sz 136) = tmp1 in + let out1:t_Array u8 (sz 136) = tmp2 in + let out2:t_Array u8 (sz 136) = tmp3 in + let out3:t_Array u8 (sz 136) = tmp4 in let _:Prims.unit = () in - let hax_temp_output:(t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = out0, out1, out2, out3 <: - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) in self, hax_temp_output <: (t_Shake256x4 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)))); + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); f_shake256_pre = (fun diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst index 38057f92e..0f4339ffb 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst 
@@ -75,7 +75,7 @@ let add_vectors v_DIMENSION in let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) v_DIMENSION (fun result temp_1_ -> let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) @@ -401,7 +401,7 @@ let compute_w_approx in let t1_shifted:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Libcrux_ml_dsa.Arithmetic.shift_left_then_reduce #v_SIMDUnit - (Rust_primitives.mk_i32 13) + 13l (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in let challenge_times_t1_shifted:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement @@ -444,7 +444,7 @@ let subtract_vectors v_DIMENSION in let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) v_DIMENSION (fun result temp_1_ -> let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst index e371c24e0..e68b8fe9b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst 
@@ -3,15 +3,14 @@ module Libcrux_ml_dsa.Ml_dsa_44_.Avx2 open Core open FStar.Mul -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 2560) & - t_Array u8 (Rust_primitives.mk_usize 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 2) - (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 1312) +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) randomness in { 
@@ -19,64 +18,48 @@ let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = = Libcrux_ml_dsa.Types.MLDSASigningKey signing_key <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560); + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) } <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560) + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) let sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) - (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l + (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - (randomness: 
t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (Rust_primitives.mk_usize - 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) - (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) + (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let verify - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_i32 95232) - (Rust_primitives.mk_i32 78) (Rust_primitives.mk_usize 192) (Rust_primitives.mk_usize 768) - (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) (Rust_primitives.mk_usize 80) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) + (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 
let verify_pre_hashed_shake128 - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (Rust_primitives.mk_usize - 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) - (Rust_primitives.mk_usize 1312) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) - (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_i32 78) (Rust_primitives.mk_usize 192) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) - (Rust_primitives.mk_usize 80) verification_key.Libcrux_ml_dsa.Types._0 message context - signature.Libcrux_ml_dsa.Types._0 + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 4) (sz 4) + (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti index 9bd343dc3..2cc5f13c7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti 
@@ -4,21 +4,21 @@ open Core open FStar.Mul /// Generate an ML-DSA-44 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560)) Prims.l_True (fun _ -> Prims.l_True) +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) /// Generate an ML-DSA-44 Signature /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing @@ -26,11 +26,11 @@ val sign /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-44 Signature 
@@ -38,10 +38,9 @@ val sign_pre_hashed_shake128 /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) @@ -51,10 +50,9 @@ val verify /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify_pre_hashed_shake128 - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst index 3c221beed..f27fbeff4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst 
@@ -3,15 +3,14 @@ module Libcrux_ml_dsa.Ml_dsa_44_.Neon open Core open FStar.Mul -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 2560) & - t_Array u8 (Rust_primitives.mk_usize 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 2) - (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 1312) +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) randomness in { 
@@ -19,64 +18,48 @@ let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = = Libcrux_ml_dsa.Types.MLDSASigningKey signing_key <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560); + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) } <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560) + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) let sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) - (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l + (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - (randomness: 
t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (Rust_primitives.mk_usize - 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) - (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) + (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let verify - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_i32 95232) - (Rust_primitives.mk_i32 78) (Rust_primitives.mk_usize 192) (Rust_primitives.mk_usize 768) - (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) (Rust_primitives.mk_usize 80) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) + (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 
let verify_pre_hashed_shake128 - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (Rust_primitives.mk_usize - 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) - (Rust_primitives.mk_usize 1312) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) - (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_i32 78) (Rust_primitives.mk_usize 192) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) - (Rust_primitives.mk_usize 80) verification_key.Libcrux_ml_dsa.Types._0 message context - signature.Libcrux_ml_dsa.Types._0 + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 4) (sz 4) + (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti index 198c8e600..58227663f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti 
@@ -4,21 +4,21 @@ open Core open FStar.Mul /// Generate an ML-DSA-44 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560)) Prims.l_True (fun _ -> Prims.l_True) +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) /// Generate an ML-DSA-44 Signature /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing @@ -26,11 +26,11 @@ val sign /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-44 Signature 
@@ -38,10 +38,9 @@ val sign_pre_hashed_shake128 /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) @@ -51,10 +50,9 @@ val verify /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify_pre_hashed_shake128 - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst index 34a714c2d..b28affb1d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst 
@@ -3,16 +3,14 @@ module Libcrux_ml_dsa.Ml_dsa_44_.Portable open Core open FStar.Mul -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 2560) & - t_Array u8 (Rust_primitives.mk_usize 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (Rust_primitives.mk_usize - 4) - (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 2) - (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 1312) +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) randomness in { 
@@ -20,64 +18,48 @@ let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = = Libcrux_ml_dsa.Types.MLDSASigningKey signing_key <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560); + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) } <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560) + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) let sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) - (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) + 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - 
(randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (Rust_primitives.mk_usize - 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) - (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 4) (sz 4) + (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) + (sz 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness let verify - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_i32 95232) - (Rust_primitives.mk_i32 78) (Rust_primitives.mk_usize 192) (Rust_primitives.mk_usize 768) - (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) (Rust_primitives.mk_usize 80) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 4) (sz 4) (sz 2420) (sz 1312) + (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) verification_key.Libcrux_ml_dsa.Types._0 message context 
signature.Libcrux_ml_dsa.Types._0 let verify_pre_hashed_shake128 - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (Rust_primitives.mk_usize - 4) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) - (Rust_primitives.mk_usize 1312) (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) - (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_i32 78) (Rust_primitives.mk_usize 192) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) - (Rust_primitives.mk_usize 80) verification_key.Libcrux_ml_dsa.Types._0 message context - signature.Libcrux_ml_dsa.Types._0 + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 4) (sz 4) + (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti index 7d700adf5..1e6653b8a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti 
@@ -4,21 +4,21 @@ open Core open FStar.Mul /// Generate an ML-DSA-44 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560)) Prims.l_True (fun _ -> Prims.l_True) +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) /// Generate an ML-DSA-44 Signature /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing @@ -26,11 +26,11 @@ val sign /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-44 Signature 
@@ -38,10 +38,9 @@ val sign_pre_hashed_shake128 /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) @@ -51,10 +50,9 @@ val verify /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify_pre_hashed_shake128 - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst index 76aa01067..4eff956f5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst 
@@ -3,15 +3,14 @@ module Libcrux_ml_dsa.Ml_dsa_44_ open Core open FStar.Mul -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 2560) & - t_Array u8 (Rust_primitives.mk_usize 1312)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 2) - (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 1312) +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) randomness in { 
@@ -19,63 +18,48 @@ let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = = Libcrux_ml_dsa.Types.MLDSASigningKey signing_key <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560); + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) } <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560) + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) let sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) - (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l + (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - (randomness: t_Array u8 
(Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 17) (Rust_primitives.mk_i32 95232) (Rust_primitives.mk_usize 192) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) - (Rust_primitives.mk_usize 80) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_usize 2560) - (Rust_primitives.mk_usize 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) (sz 96) + (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let verify - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_i32 95232) - (Rust_primitives.mk_i32 78) (Rust_primitives.mk_usize 192) (Rust_primitives.mk_usize 768) - (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) (Rust_primitives.mk_usize 80) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) + (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 let verify_pre_hashed_shake128 - 
(verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 2420) (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 17) (Rust_primitives.mk_usize 576) (Rust_primitives.mk_i32 95232) - (Rust_primitives.mk_i32 78) (Rust_primitives.mk_usize 192) (Rust_primitives.mk_usize 768) - (Rust_primitives.mk_usize 32) (Rust_primitives.mk_usize 39) (Rust_primitives.mk_usize 80) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 4) (sz 4) (sz 2420) + (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti index 3960090e8..a677e8e9a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti 
@@ -3,46 +3,44 @@ module Libcrux_ml_dsa.Ml_dsa_44_ open Core open FStar.Mul -let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = Rust_primitives.mk_usize 6 +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 6 -let v_BITS_PER_ERROR_COEFFICIENT: usize = Rust_primitives.mk_usize 3 +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 -let v_BITS_PER_GAMMA1_COEFFICIENT: usize = Rust_primitives.mk_usize 18 +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 18 -let v_COLUMNS_IN_A: usize = Rust_primitives.mk_usize 4 +let v_COLUMNS_IN_A: usize = sz 4 -let v_COMMITMENT_HASH_SIZE: usize = Rust_primitives.mk_usize 32 +let v_COMMITMENT_HASH_SIZE: usize = sz 32 let v_COMMITMENT_RING_ELEMENT_SIZE: usize = (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - Rust_primitives.mk_usize 8 + sz 8 let v_ERROR_RING_ELEMENT_SIZE: usize = (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - Rust_primitives.mk_usize 8 + sz 8 -let v_ETA: usize = Rust_primitives.mk_usize 2 +let v_ETA: usize = sz 2 -let v_GAMMA1_EXPONENT: usize = Rust_primitives.mk_usize 17 +let v_GAMMA1_EXPONENT: usize = sz 17 let v_GAMMA1_RING_ELEMENT_SIZE: usize = (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize ) /! - Rust_primitives.mk_usize 8 + sz 8 -let v_GAMMA2: i32 = - (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! Rust_primitives.mk_i32 1 <: i32) /! - Rust_primitives.mk_i32 88 +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 88l -let v_MAX_ONES_IN_HINT: usize = Rust_primitives.mk_usize 80 +let v_MAX_ONES_IN_HINT: usize = sz 80 -let v_ONES_IN_VERIFIER_CHALLENGE: usize = Rust_primitives.mk_usize 39 +let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 39 let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! 
v_ETA <: usize) <: i32 -let v_ROWS_IN_A: usize = Rust_primitives.mk_usize 4 +let v_ROWS_IN_A: usize = sz 4 let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A @@ -74,7 +72,7 @@ let v_VERIFICATION_KEY_SIZE: usize = usize) <: usize) /! - Rust_primitives.mk_usize 8 + sz 8 <: usize) @@ -82,10 +80,10 @@ let v_VERIFICATION_KEY_SIZE: usize = /// Generate an ML-DSA key pair. The input is a byte array of size /// [`KEY_GENERATION_RANDOMNESS_SIZE`]. /// This function returns an [`MLDSA44KeyPair`]. -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1312) - (Rust_primitives.mk_usize 2560)) Prims.l_True (fun _ -> Prims.l_True) +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) /// Sign with ML-DSA 44 /// Sign a `message` with the ML-DSA `signing_key`. @@ -94,11 +92,11 @@ val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) /// may also be empty. /// This function returns an [`MLDSA44Signature`]. val sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Sign with HashML-DSA 44, with a SHAKE128 pre-hashing 
@@ -109,11 +107,11 @@ val sign /// may also be empty. /// This function returns an [`MLDSA44Signature`]. val sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 2560)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-44 Signature @@ -123,10 +121,9 @@ val sign_pre_hashed_shake128 /// Returns `Ok` when the `signature` is valid for the `message` and /// `verification_key`, and a [`VerificationError`] otherwise. val verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) 
@@ -138,10 +135,9 @@ val verify /// Returns `Ok` when the `signature` is valid for the `message` and /// `verification_key`, and a [`VerificationError`] otherwise. val verify_pre_hashed_shake128 - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1312) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 2420)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst index 8ae4f70df..4dcf80489 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst @@ -3,15 +3,14 @@ module Libcrux_ml_dsa.Ml_dsa_65_.Avx2 open Core open FStar.Mul -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4032) & - t_Array u8 (Rust_primitives.mk_usize 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) - (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 1952) +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) randomness in { 
@@ -19,64 +18,48 @@ let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = = Libcrux_ml_dsa.Types.MLDSASigningKey signing_key <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032); + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) } <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032) + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) let sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) - (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) + 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - (randomness: 
t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (Rust_primitives.mk_usize - 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) - (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) + (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let verify - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) - (Rust_primitives.mk_i32 196) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 768) - (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) (Rust_primitives.mk_usize 55) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) + (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) verification_key.Libcrux_ml_dsa.Types._0 message context 
signature.Libcrux_ml_dsa.Types._0 let verify_pre_hashed_shake128 - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (Rust_primitives.mk_usize - 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) - (Rust_primitives.mk_usize 1952) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) - (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_i32 196) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) - (Rust_primitives.mk_usize 55) verification_key.Libcrux_ml_dsa.Types._0 message context - signature.Libcrux_ml_dsa.Types._0 + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 6) (sz 5) + (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti index 1ebca715f..bfcb87df8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti 
@@ -4,21 +4,21 @@ open Core open FStar.Mul /// Generate an ML-DSA-65 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032)) Prims.l_True (fun _ -> Prims.l_True) +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) /// Generate an ML-DSA-65 Signature /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing @@ -26,11 +26,11 @@ val sign /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-65 Signature 
@@ -38,10 +38,9 @@ val sign_pre_hashed_shake128 /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) @@ -51,10 +50,9 @@ val verify /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify_pre_hashed_shake128 - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst index 807dcf30c..b54a04df2 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst 
@@ -3,15 +3,14 @@ module Libcrux_ml_dsa.Ml_dsa_65_.Neon open Core open FStar.Mul -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4032) & - t_Array u8 (Rust_primitives.mk_usize 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) - (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 1952) +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) randomness in { 
@@ -19,64 +18,48 @@ let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = = Libcrux_ml_dsa.Types.MLDSASigningKey signing_key <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032); + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) } <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032) + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) let sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) - (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) + 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - (randomness: 
t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (Rust_primitives.mk_usize - 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) - (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) + (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let verify - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) - (Rust_primitives.mk_i32 196) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 768) - (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) (Rust_primitives.mk_usize 55) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) + (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) verification_key.Libcrux_ml_dsa.Types._0 message context 
signature.Libcrux_ml_dsa.Types._0 let verify_pre_hashed_shake128 - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (Rust_primitives.mk_usize - 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) - (Rust_primitives.mk_usize 1952) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) - (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_i32 196) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) - (Rust_primitives.mk_usize 55) verification_key.Libcrux_ml_dsa.Types._0 message context - signature.Libcrux_ml_dsa.Types._0 + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 6) (sz 5) + (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti index 341c764be..ff39c5e48 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti 
@@ -4,21 +4,21 @@ open Core open FStar.Mul /// Generate an ML-DSA-65 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032)) Prims.l_True (fun _ -> Prims.l_True) +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) /// Generate an ML-DSA-65 Signature /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing @@ -26,11 +26,11 @@ val sign /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-65 Signature 
@@ -38,10 +38,9 @@ val sign_pre_hashed_shake128 /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) @@ -51,10 +50,9 @@ val verify /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify_pre_hashed_shake128 - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst index 91cf2cd7e..eaf1e627f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst 
@@ -3,16 +3,14 @@ module Libcrux_ml_dsa.Ml_dsa_65_.Portable open Core open FStar.Mul -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4032) & - t_Array u8 (Rust_primitives.mk_usize 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (Rust_primitives.mk_usize - 6) - (Rust_primitives.mk_usize 5) - (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 1952) +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) randomness in { 
@@ -20,64 +18,48 @@ let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = = Libcrux_ml_dsa.Types.MLDSASigningKey signing_key <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032); + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) } <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032) + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) let sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) - (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) + 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - 
(randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (Rust_primitives.mk_usize - 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) - (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 6) (sz 5) + (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) + (sz 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness let verify - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) - (Rust_primitives.mk_i32 196) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 768) - (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) (Rust_primitives.mk_usize 55) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 6) (sz 5) (sz 3309) (sz 1952) + (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) verification_key.Libcrux_ml_dsa.Types._0 message context 
signature.Libcrux_ml_dsa.Types._0 let verify_pre_hashed_shake128 - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (Rust_primitives.mk_usize - 6) (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) - (Rust_primitives.mk_usize 1952) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) - (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_i32 196) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) - (Rust_primitives.mk_usize 55) verification_key.Libcrux_ml_dsa.Types._0 message context - signature.Libcrux_ml_dsa.Types._0 + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 6) (sz 5) + (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti index 28c5fb133..7568a9a1c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti 
@@ -4,21 +4,21 @@ open Core open FStar.Mul /// Generate an ML-DSA-65 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032)) Prims.l_True (fun _ -> Prims.l_True) +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) /// Generate an ML-DSA-65 Signature /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing @@ -26,11 +26,11 @@ val sign /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-65 Signature 
@@ -38,10 +38,9 @@ val sign_pre_hashed_shake128 /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) @@ -51,10 +50,9 @@ val verify /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify_pre_hashed_shake128 - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst index bc58d87b4..d75500055 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst 
@@ -3,15 +3,14 @@ module Libcrux_ml_dsa.Ml_dsa_65_ open Core open FStar.Mul -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4032) & - t_Array u8 (Rust_primitives.mk_usize 1952)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) - (Rust_primitives.mk_usize 4) - (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 1952) +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) randomness in { 
@@ -19,63 +18,48 @@ let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = = Libcrux_ml_dsa.Types.MLDSASigningKey signing_key <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032); + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) } <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032) + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) let sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) - (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) 261888l + (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - (randomness: t_Array u8 
(Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 4) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 768) (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) - (Rust_primitives.mk_usize 55) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4032) - (Rust_primitives.mk_usize 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) (sz 128) + (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let verify - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) - (Rust_primitives.mk_i32 196) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 768) - (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) (Rust_primitives.mk_usize 55) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) + (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 let verify_pre_hashed_shake128 - 
(verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (Rust_primitives.mk_usize 6) - (Rust_primitives.mk_usize 5) (Rust_primitives.mk_usize 3309) (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) - (Rust_primitives.mk_i32 196) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 768) - (Rust_primitives.mk_usize 48) (Rust_primitives.mk_usize 49) (Rust_primitives.mk_usize 55) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 6) (sz 5) (sz 3309) + (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti index 467b363d7..47735a500 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti 
@@ -3,46 +3,44 @@ module Libcrux_ml_dsa.Ml_dsa_65_ open Core open FStar.Mul -let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = Rust_primitives.mk_usize 4 +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 -let v_BITS_PER_ERROR_COEFFICIENT: usize = Rust_primitives.mk_usize 4 +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 4 -let v_BITS_PER_GAMMA1_COEFFICIENT: usize = Rust_primitives.mk_usize 20 +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 -let v_COLUMNS_IN_A: usize = Rust_primitives.mk_usize 5 +let v_COLUMNS_IN_A: usize = sz 5 -let v_COMMITMENT_HASH_SIZE: usize = Rust_primitives.mk_usize 48 +let v_COMMITMENT_HASH_SIZE: usize = sz 48 let v_COMMITMENT_RING_ELEMENT_SIZE: usize = (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - Rust_primitives.mk_usize 8 + sz 8 let v_ERROR_RING_ELEMENT_SIZE: usize = (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - Rust_primitives.mk_usize 8 + sz 8 -let v_ETA: usize = Rust_primitives.mk_usize 4 +let v_ETA: usize = sz 4 -let v_GAMMA1_EXPONENT: usize = Rust_primitives.mk_usize 19 +let v_GAMMA1_EXPONENT: usize = sz 19 let v_GAMMA1_RING_ELEMENT_SIZE: usize = (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize ) /! - Rust_primitives.mk_usize 8 + sz 8 -let v_GAMMA2: i32 = - (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! Rust_primitives.mk_i32 1 <: i32) /! - Rust_primitives.mk_i32 32 +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l -let v_MAX_ONES_IN_HINT: usize = Rust_primitives.mk_usize 55 +let v_MAX_ONES_IN_HINT: usize = sz 55 -let v_ONES_IN_VERIFIER_CHALLENGE: usize = Rust_primitives.mk_usize 49 +let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 49 let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! 
v_ETA <: usize) <: i32 -let v_ROWS_IN_A: usize = Rust_primitives.mk_usize 6 +let v_ROWS_IN_A: usize = sz 6 let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A @@ -74,7 +72,7 @@ let v_VERIFICATION_KEY_SIZE: usize = usize) <: usize) /! - Rust_primitives.mk_usize 8 + sz 8 <: usize) @@ -82,10 +80,10 @@ let v_VERIFICATION_KEY_SIZE: usize = /// Generate an ML-DSA key pair. The input is a byte array of size /// [`KEY_GENERATION_RANDOMNESS_SIZE`]. /// This function returns an [`MLDSA65KeyPair`]. -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 1952) - (Rust_primitives.mk_usize 4032)) Prims.l_True (fun _ -> Prims.l_True) +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) /// Sign with ML-DSA 65 /// Sign a `message` with the ML-DSA `signing_key`. @@ -94,11 +92,11 @@ val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) /// may also be empty. /// This function returns an [`MLDSA65Signature`]. val sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Sign with HashML-DSA 65, with a SHAKE128 pre-hashing 
@@ -109,11 +107,11 @@ val sign /// may also be empty. /// This function returns an [`MLDSA65Signature`]. val sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4032)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-65 Signature @@ -123,10 +121,9 @@ val sign_pre_hashed_shake128 /// Returns `Ok` when the `signature` is valid for the `message` and /// `verification_key`, and a [`VerificationError`] otherwise. val verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) 
@@ -138,10 +135,9 @@ val verify /// Returns `Ok` when the `signature` is valid for the `message` and /// `verification_key`, and a [`VerificationError`] otherwise. val verify_pre_hashed_shake128 - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 1952) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 3309)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst index 913efa791..27eb5b514 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst @@ -3,15 +3,14 @@ module Libcrux_ml_dsa.Ml_dsa_87_.Avx2 open Core open FStar.Mul -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4896) & - t_Array u8 (Rust_primitives.mk_usize 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) - (Rust_primitives.mk_usize 2) - (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 2592) +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) randomness in { 
@@ -19,64 +18,48 @@ let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = = Libcrux_ml_dsa.Types.MLDSASigningKey signing_key <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896); + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) } <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896) + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) let sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) - (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) + 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - (randomness: 
t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (Rust_primitives.mk_usize - 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) - (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) + (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let verify - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) - (Rust_primitives.mk_i32 120) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 1024) - (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) (Rust_primitives.mk_usize 75) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) + (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) verification_key.Libcrux_ml_dsa.Types._0 message context 
signature.Libcrux_ml_dsa.Types._0 let verify_pre_hashed_shake128 - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (Rust_primitives.mk_usize - 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) - (Rust_primitives.mk_usize 2592) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) - (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_i32 120) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) - (Rust_primitives.mk_usize 75) verification_key.Libcrux_ml_dsa.Types._0 message context - signature.Libcrux_ml_dsa.Types._0 + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 8) (sz 7) + (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti index 2e6bcab3b..2b2ba04ee 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti 
@@ -4,21 +4,21 @@ open Core open FStar.Mul /// Generate an ML-DSA-87 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896)) Prims.l_True (fun _ -> Prims.l_True) +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) /// Generate an ML-DSA-87 Signature /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing @@ -26,11 +26,11 @@ val sign /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-87 Signature 
@@ -38,10 +38,9 @@ val sign_pre_hashed_shake128 /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) @@ -51,10 +50,9 @@ val verify /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify_pre_hashed_shake128 - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst index 11749a2ed..e89d61679 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst 
@@ -3,15 +3,14 @@ module Libcrux_ml_dsa.Ml_dsa_87_.Neon open Core open FStar.Mul -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4896) & - t_Array u8 (Rust_primitives.mk_usize 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) - (Rust_primitives.mk_usize 2) - (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 2592) +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) randomness in { 
@@ -19,64 +18,48 @@ let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = = Libcrux_ml_dsa.Types.MLDSASigningKey signing_key <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896); + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) } <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896) + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) let sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) - (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) + 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - (randomness: 
t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (Rust_primitives.mk_usize - 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) - (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) + (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let verify - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) - (Rust_primitives.mk_i32 120) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 1024) - (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) (Rust_primitives.mk_usize 75) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) + (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) verification_key.Libcrux_ml_dsa.Types._0 message context 
signature.Libcrux_ml_dsa.Types._0 let verify_pre_hashed_shake128 - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (Rust_primitives.mk_usize - 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) - (Rust_primitives.mk_usize 2592) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) - (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_i32 120) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) - (Rust_primitives.mk_usize 75) verification_key.Libcrux_ml_dsa.Types._0 message context - signature.Libcrux_ml_dsa.Types._0 + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 8) (sz 7) + (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti index 97b5b98ad..499342491 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti 
@@ -4,21 +4,21 @@ open Core open FStar.Mul /// Generate an ML-DSA-87 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896)) Prims.l_True (fun _ -> Prims.l_True) +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) /// Generate an ML-DSA-87 Signature /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing @@ -26,11 +26,11 @@ val sign /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-87 Signature 
@@ -38,10 +38,9 @@ val sign_pre_hashed_shake128 /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) @@ -51,10 +50,9 @@ val verify /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify_pre_hashed_shake128 - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst index 83db066c7..8ff301da4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst 
@@ -3,16 +3,14 @@ module Libcrux_ml_dsa.Ml_dsa_87_.Portable open Core open FStar.Mul -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4896) & - t_Array u8 (Rust_primitives.mk_usize 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (Rust_primitives.mk_usize - 8) - (Rust_primitives.mk_usize 7) - (Rust_primitives.mk_usize 2) - (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 2592) +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) randomness in { 
@@ -20,64 +18,48 @@ let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = = Libcrux_ml_dsa.Types.MLDSASigningKey signing_key <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896); + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) } <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896) + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) let sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) - (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) + 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - 
(randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (Rust_primitives.mk_usize - 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) - (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 8) (sz 7) + (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) + (sz 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness let verify - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) - (Rust_primitives.mk_i32 120) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 1024) - (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) (Rust_primitives.mk_usize 75) + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 8) (sz 7) (sz 4627) (sz 2592) + (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) verification_key.Libcrux_ml_dsa.Types._0 message 
context signature.Libcrux_ml_dsa.Types._0 let verify_pre_hashed_shake128 - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (Rust_primitives.mk_usize - 8) (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) - (Rust_primitives.mk_usize 2592) (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) - (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_i32 120) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) - (Rust_primitives.mk_usize 75) verification_key.Libcrux_ml_dsa.Types._0 message context - signature.Libcrux_ml_dsa.Types._0 + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 8) (sz 7) + (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti index dcfafcad1..5825b758b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti 
@@ -4,21 +4,21 @@ open Core open FStar.Mul /// Generate an ML-DSA-87 Key Pair -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896)) Prims.l_True (fun _ -> Prims.l_True) +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) /// Generate an ML-DSA-87 Signature /// The parameter `context` is used for domain separation /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing @@ -26,11 +26,11 @@ val sign /// and is a byte string of length at most 255 bytes. It /// may also be empty. val sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-87 Signature 
@@ -38,10 +38,9 @@ val sign_pre_hashed_shake128 /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) @@ -51,10 +50,9 @@ val verify /// and is a byte string of length at most 255 bytes. It /// may also be empty. val verify_pre_hashed_shake128 - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst index 6b6638c60..7628dbe10 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst 
@@ -3,15 +3,14 @@ module Libcrux_ml_dsa.Ml_dsa_87_ open Core open FStar.Mul -let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = - let signing_key, verification_key:(t_Array u8 (Rust_primitives.mk_usize 4896) & - t_Array u8 (Rust_primitives.mk_usize 2592)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) - (Rust_primitives.mk_usize 2) - (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 2592) +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) randomness in { 
@@ -19,63 +18,48 @@ let generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) = = Libcrux_ml_dsa.Types.MLDSASigningKey signing_key <: - Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896); + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); Libcrux_ml_dsa.Types.f_verification_key = Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key <: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) } <: - Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896) + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) let sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) - (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) 261888l + (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - (randomness: t_Array u8 
(Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 2) (Rust_primitives.mk_usize 96) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_i32 261888) (Rust_primitives.mk_usize 128) - (Rust_primitives.mk_usize 1024) (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) - (Rust_primitives.mk_usize 75) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_usize 4896) - (Rust_primitives.mk_usize 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) (sz 96) + (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness let verify - (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) - (Rust_primitives.mk_i32 120) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 1024) - (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) (Rust_primitives.mk_usize 75) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) + (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 let verify_pre_hashed_shake128 
- (verification_key: - Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592)) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) = - Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (Rust_primitives.mk_usize 8) - (Rust_primitives.mk_usize 7) (Rust_primitives.mk_usize 4627) (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 19) (Rust_primitives.mk_usize 640) (Rust_primitives.mk_i32 261888) - (Rust_primitives.mk_i32 120) (Rust_primitives.mk_usize 128) (Rust_primitives.mk_usize 1024) - (Rust_primitives.mk_usize 64) (Rust_primitives.mk_usize 60) (Rust_primitives.mk_usize 75) + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 8) (sz 7) (sz 4627) + (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti index 96f044550..f5eb82a25 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti 
@@ -3,46 +3,44 @@ module Libcrux_ml_dsa.Ml_dsa_87_ open Core open FStar.Mul -let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = Rust_primitives.mk_usize 4 +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 -let v_BITS_PER_ERROR_COEFFICIENT: usize = Rust_primitives.mk_usize 3 +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 -let v_BITS_PER_GAMMA1_COEFFICIENT: usize = Rust_primitives.mk_usize 20 +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 -let v_COLUMNS_IN_A: usize = Rust_primitives.mk_usize 7 +let v_COLUMNS_IN_A: usize = sz 7 -let v_COMMITMENT_HASH_SIZE: usize = Rust_primitives.mk_usize 64 +let v_COMMITMENT_HASH_SIZE: usize = sz 64 let v_COMMITMENT_RING_ELEMENT_SIZE: usize = (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - Rust_primitives.mk_usize 8 + sz 8 let v_ERROR_RING_ELEMENT_SIZE: usize = (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! - Rust_primitives.mk_usize 8 + sz 8 -let v_ETA: usize = Rust_primitives.mk_usize 2 +let v_ETA: usize = sz 2 -let v_GAMMA1_EXPONENT: usize = Rust_primitives.mk_usize 19 +let v_GAMMA1_EXPONENT: usize = sz 19 let v_GAMMA1_RING_ELEMENT_SIZE: usize = (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize ) /! - Rust_primitives.mk_usize 8 + sz 8 -let v_GAMMA2: i32 = - (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! Rust_primitives.mk_i32 1 <: i32) /! - Rust_primitives.mk_i32 32 +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l -let v_MAX_ONES_IN_HINT: usize = Rust_primitives.mk_usize 75 +let v_MAX_ONES_IN_HINT: usize = sz 75 -let v_ONES_IN_VERIFIER_CHALLENGE: usize = Rust_primitives.mk_usize 60 +let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 60 let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! 
v_ETA <: usize) <: i32 -let v_ROWS_IN_A: usize = Rust_primitives.mk_usize 8 +let v_ROWS_IN_A: usize = sz 8 let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A @@ -74,7 +72,7 @@ let v_VERIFICATION_KEY_SIZE: usize = usize) <: usize) /! - Rust_primitives.mk_usize 8 + sz 8 <: usize) @@ -82,10 +80,10 @@ let v_VERIFICATION_KEY_SIZE: usize = /// Generate an ML-DSA key pair. The input is a byte array of size /// [`KEY_GENERATION_RANDOMNESS_SIZE`]. /// This function returns an [`MLDSA87KeyPair`]. -val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (Rust_primitives.mk_usize 2592) - (Rust_primitives.mk_usize 4896)) Prims.l_True (fun _ -> Prims.l_True) +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) /// Sign with ML-DSA 87 /// Sign a `message` with the ML-DSA `signing_key`. @@ -94,11 +92,11 @@ val generate_key_pair (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) /// may also be empty. /// This function returns an [`MLDSA87Signature`]. val sign - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Sign with HashML-DSA 87, with a SHAKE128 pre-hashing 
@@ -109,11 +107,11 @@ val sign /// may also be empty. /// This function returns an [`MLDSA87Signature`]. val sign_pre_hashed_shake128 - (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (Rust_primitives.mk_usize 4896)) + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure - (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) /// Verify an ML-DSA-87 Signature @@ -123,10 +121,9 @@ val sign_pre_hashed_shake128 /// Returns `Ok` when the `signature` is valid for the `message` and /// `verification_key`, and a [`VerificationError`] otherwise. val verify - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) 
@@ -138,10 +135,9 @@ val verify /// Returns `Ok` when the `signature` is valid for the `message` and /// `verification_key`, and a [`VerificationError`] otherwise. val verify_pre_hashed_shake128 - (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (Rust_primitives.mk_usize 2592) - ) + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) (message context: t_Slice u8) - (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (Rust_primitives.mk_usize 4627)) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst index b37a27bd0..6066f3058 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst @@ -17,7 +17,7 @@ let _ = let generate_key_pair (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 @@ -32,7 +32,7 @@ let sign usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 
@@ -50,17 +50,16 @@ let sign_pre_hashed_shake128 usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (Rust_primitives.mk_usize 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE - v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE - v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context - randomness + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness let verify (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: 
@@ -92,7 +91,7 @@ let verify_pre_hashed_shake128 Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (Rust_primitives.mk_usize 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE - v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti index 4f5b62941..09d4842de 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti @@ -18,7 +18,7 @@ let _ = val generate_key_pair (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) 
@@ -31,7 +31,7 @@ val sign usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) @@ -44,7 +44,7 @@ val sign_pre_hashed_shake128 usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst index 8ccc95911..9e12c192d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst @@ -18,7 +18,7 @@ let _ = let generate_key_pair (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 @@ -33,7 +33,7 @@ let sign usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 
@@ -51,17 +51,16 @@ let sign_pre_hashed_shake128 usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (Rust_primitives.mk_usize 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE - v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE - v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context - randomness + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (sz 256) + v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness let verify (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: 
@@ -93,7 +92,7 @@ let verify_pre_hashed_shake128 Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (Rust_primitives.mk_usize 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE - v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti index 44a225bcb..93c40dc34 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti @@ -19,7 +19,7 @@ let _ = val generate_key_pair (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) 
@@ -32,7 +32,7 @@ val sign usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) @@ -45,7 +45,7 @@ val sign_pre_hashed_shake128 usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst index 200472cb5..3ed0bdc8f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst @@ -17,7 +17,7 @@ let _ = let generate_key_pair (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 @@ -32,7 +32,7 @@ let sign usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 
@@ -50,17 +50,16 @@ let sign_pre_hashed_shake128 usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (Rust_primitives.mk_usize 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE - v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE - v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT - v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context - randomness + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness let verify (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: 
@@ -92,7 +91,7 @@ let verify_pre_hashed_shake128 Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (Rust_primitives.mk_usize 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE - v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE - v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti index 572a02079..1e4399d64 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti @@ -18,7 +18,7 @@ let _ = val generate_key_pair (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) 
@@ -31,7 +31,7 @@ val sign usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) @@ -44,7 +44,7 @@ val sign_pre_hashed_shake128 usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst index faaea5bc9..69d507f61 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst @@ -6,7 +6,7 @@ open FStar.Mul let generate_key_pair (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = if Libcrux_platform.Platform.simd256_support () then @@ -43,7 +43,7 @@ let sign usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = if Libcrux_platform.Platform.simd256_support () then 
@@ -74,7 +74,7 @@ let sign_pre_hashed_shake128 usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = if Libcrux_platform.Platform.simd256_support () then diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti index 871419f5c..c617ed3c3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti @@ -6,7 +6,7 @@ open FStar.Mul val generate_key_pair (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) @@ -18,7 +18,7 @@ val sign usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) @@ -30,7 +30,7 @@ val sign_pre_hashed_shake128 usize) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst index a3a0638df..df5dc6fe8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst @@ -14,21 +14,21 @@ let _ = () let derive_message_representative - (verification_key_hash: t_Array u8 (Rust_primitives.mk_usize 64)) + (verification_key_hash: t_Array u8 (sz 64)) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (message: t_Slice u8) - (message_representative: t_Array u8 (Rust_primitives.mk_usize 64)) + (message_representative: t_Array u8 (sz 64)) = let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = Libcrux_sha3.Portable.Incremental.f_new #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve () in let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve shake (verification_key_hash <: t_Slice u8) @@ -38,15 +38,15 @@ let derive_message_representative | Core.Option.Option_Some domain_separation_context -> let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve shake ((let list = [ - cast (Core.Option.impl__is_some #(t_Array u8 (Rust_primitives.mk_usize 11)) + cast (Core.Option.impl__is_some #(t_Array u8 (sz 11)) (Libcrux_ml_dsa.Pre_hash.impl_1__pre_hash_oid domain_separation_context <: - Core.Option.t_Option (t_Array u8 (Rust_primitives.mk_usize 11))) + Core.Option.t_Option (t_Array u8 (sz 11))) <: bool) <: 
@@ -60,7 +60,7 @@ let derive_message_representative in let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve shake ((let list = @@ -82,7 +82,7 @@ let derive_message_representative in let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve shake (Libcrux_ml_dsa.Pre_hash.impl_1__context domain_separation_context <: t_Slice u8) @@ -90,7 +90,7 @@ let derive_message_representative (match Libcrux_ml_dsa.Pre_hash.impl_1__pre_hash_oid domain_separation_context with | Core.Option.Option_Some pre_hash_oid -> Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve shake (pre_hash_oid <: t_Slice u8) 
@@ -99,135 +99,23 @@ let derive_message_representative in let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = Libcrux_sha3.Portable.Incremental.f_absorb_final #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve shake message in - let tmp0, tmp1:(Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze & - t_Array u8 (Rust_primitives.mk_usize 64)) = + let tmp0, tmp1:(Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze & t_Array u8 (sz 64)) = Libcrux_sha3.Portable.Incremental.f_squeeze #Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve shake message_representative in let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = tmp0 in - let message_representative:t_Array u8 (Rust_primitives.mk_usize 64) = tmp1 in + let message_representative:t_Array u8 (sz 64) = tmp1 in let _:Prims.unit = () in message_representative -let generate_key_pair - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: - usize) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i5: - Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i6: - Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i7: - Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - = - let seed_expanded:t_Array u8 (Rust_primitives.mk_usize 128) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 128) - in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_new 
#Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) - #FStar.Tactics.Typeclasses.solve - () - in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) - #FStar.Tactics.Typeclasses.solve - shake - (randomness <: t_Slice u8) - in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = - Libcrux_sha3.Portable.Incremental.f_absorb_final #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) - #FStar.Tactics.Typeclasses.solve - shake - ((let list = [cast (v_ROWS_IN_A <: usize) <: u8; cast (v_COLUMNS_IN_A <: usize) <: u8] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list) - <: - t_Slice u8) - in - let tmp0, tmp1:(Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze & - t_Array u8 (Rust_primitives.mk_usize 128)) = - Libcrux_sha3.Portable.Incremental.f_squeeze #Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze - #(Rust_primitives.mk_usize 136) - #FStar.Tactics.Typeclasses.solve - shake - seed_expanded - in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = tmp0 in - let seed_expanded:t_Array u8 (Rust_primitives.mk_usize 128) = tmp1 in - let _:Prims.unit = () in - let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (seed_expanded <: t_Slice u8) - Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE - in - let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - seed_expanded - Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE - in - let a_as_ntt:t_Array - (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) - v_ROWS_IN_A = - Libcrux_ml_dsa.Samplex4.matrix_A #v_SIMDUnit - #v_Shake128X4 - v_ROWS_IN_A - v_COLUMNS_IN_A - (Libcrux_ml_dsa.Utils.into_padded_array 
(Rust_primitives.mk_usize 34) seed_for_a - <: - t_Array u8 (Rust_primitives.mk_usize 34)) - in - let s1, s2:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = - Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit - #v_Shake256X4 - v_ETA - v_COLUMNS_IN_A - v_ROWS_IN_A - (Libcrux_ml_dsa.Utils.into_padded_array (Rust_primitives.mk_usize 66) seed_for_error_vectors - <: - t_Array u8 (Rust_primitives.mk_usize 66)) - in - let t:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = - Libcrux_ml_dsa.Matrix.compute_As1_plus_s2 #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A a_as_ntt s1 s2 - in - let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & - t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = - Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit v_ROWS_IN_A t - in - let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = - Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit - v_ROWS_IN_A - v_VERIFICATION_KEY_SIZE - seed_for_a - t1 - in - let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = - Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 v_ROWS_IN_A - v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE seed_for_a seed_for_signing - (verification_key_serialized <: t_Slice u8) s1 s2 t0 - in - signing_key_serialized, verification_key_serialized - <: - (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) - let sign_internal (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) 
@@ -250,12 +138,12 @@ let sign_internal (message: t_Slice u8) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = let seed_for_A, seed_for_signing, verification_key_hash, s1_as_ntt, s2_as_ntt, t0_as_ntt:(t_Array - u8 (Rust_primitives.mk_usize 32) & - t_Array u8 (Rust_primitives.mk_usize 32) & - t_Array u8 (Rust_primitives.mk_usize 64) & + u8 (sz 32) & + t_Array u8 (sz 32) & + t_Array u8 (sz 64) & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = 
@@ -274,65 +162,59 @@ let sign_internal #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A - (Libcrux_ml_dsa.Utils.into_padded_array (Rust_primitives.mk_usize 34) - (seed_for_A <: t_Slice u8) + (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) (seed_for_A <: t_Slice u8) <: - t_Array u8 (Rust_primitives.mk_usize 34)) - in - let message_representative:t_Array u8 (Rust_primitives.mk_usize 64) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 64) + t_Array u8 (sz 34)) in - let message_representative:t_Array u8 (Rust_primitives.mk_usize 64) = + let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let message_representative:t_Array u8 (sz 64) = derive_message_representative verification_key_hash domain_separation_context message message_representative in - let mask_seed:t_Array u8 (Rust_primitives.mk_usize 64) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 64) - in + let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = Libcrux_sha3.Portable.Incremental.f_new #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve () in let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve shake (seed_for_signing <: t_Slice u8) in let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve shake (randomness <: t_Slice u8) in let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = Libcrux_sha3.Portable.Incremental.f_absorb_final 
#Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve shake (message_representative <: t_Slice u8) in - let tmp0, tmp1:(Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze & - t_Array u8 (Rust_primitives.mk_usize 64)) = + let tmp0, tmp1:(Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze & t_Array u8 (sz 64)) = Libcrux_sha3.Portable.Incremental.f_squeeze #Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve shake mask_seed in let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = tmp0 in - let mask_seed:t_Array u8 (Rust_primitives.mk_usize 64) = tmp1 in + let mask_seed:t_Array u8 (sz 64) = tmp1 in let _:Prims.unit = () in let _:Prims.unit = () in - let (domain_separator_for_mask: u16):u16 = Rust_primitives.mk_u16 0 in + let (domain_separator_for_mask: u16):u16 = 0us in let v_BETA:i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 in - let attempt:usize = Rust_primitives.mk_usize 0 in + let attempt:usize = sz 0 in let commitment_hash:Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) = Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) in 
@@ -343,22 +225,20 @@ let sign_internal Core.Option.t_Option (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) in - let hint:Core.Option.t_Option (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A) = - Core.Option.Option_None - <: - Core.Option.t_Option (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A) + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) in let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A) & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & Core.Option.t_Option (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) = Rust_primitives.f_while_loop (fun temp_0_ -> let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A) & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & Core.Option.t_Option (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) = 
@@ -368,20 +248,20 @@ let sign_internal (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response <: (usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A) & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & Core.Option.t_Option (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A))) (fun temp_0_ -> let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & u16 & - Core.Option.t_Option (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A) & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & Core.Option.t_Option (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) = temp_0_ in - let attempt:usize = attempt +! Rust_primitives.mk_usize 1 in + let attempt:usize = attempt +! sz 1 in let tmp0, out:(u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit @@ -389,10 +269,9 @@ let sign_internal #v_Shake256X4 v_COLUMNS_IN_A v_GAMMA1_EXPONENT - (Libcrux_ml_dsa.Utils.into_padded_array (Rust_primitives.mk_usize 66) - (mask_seed <: t_Slice u8) + (Libcrux_ml_dsa.Utils.into_padded_array (sz 66) (mask_seed <: t_Slice u8) <: - t_Array u8 (Rust_primitives.mk_usize 66)) + t_Array u8 (sz 66)) domain_separator_for_mask in let domain_separator_for_mask:u16 = tmp0 in @@ -417,7 +296,7 @@ let sign_internal v_A_times_mask in let commitment_hash_candidate:t_Array u8 v_COMMITMENT_HASH_SIZE = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_COMMITMENT_HASH_SIZE + Rust_primitives.Hax.repeat 0uy v_COMMITMENT_HASH_SIZE in let commitment_serialized:t_Array u8 v_COMMITMENT_VECTOR_SIZE = Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit 
@@ -428,20 +307,20 @@ let sign_internal in let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = Libcrux_sha3.Portable.Incremental.f_new #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve () in let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve shake (message_representative <: t_Slice u8) in let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = Libcrux_sha3.Portable.Incremental.f_absorb_final #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve shake (commitment_serialized <: t_Slice u8) @@ -449,7 +328,7 @@ let sign_internal let tmp0, tmp1:(Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze & t_Array u8 v_COMMITMENT_HASH_SIZE) = Libcrux_sha3.Portable.Incremental.f_squeeze #Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze - #(Rust_primitives.mk_usize 136) + #(sz 136) #FStar.Tactics.Typeclasses.solve shake commitment_hash_candidate @@ -495,13 +374,12 @@ let sign_internal Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit v_COLUMNS_IN_A signer_response_candidate - ((Rust_primitives.mk_i32 1 < Core.Result.Result_Ok hint <: - Core.Result.t_Result - (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A) + Core.Result.t_Result (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) Libcrux_ml_dsa.Types.t_SigningError | Core.Option.Option_None -> Core.Result.Result_Err @@ -649,8 +519,7 @@ let sign_internal <: Libcrux_ml_dsa.Types.t_SigningError) <: - Core.Result.t_Result - (t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A) + Core.Result.t_Result (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) Libcrux_ml_dsa.Types.t_SigningError with | Core.Result.Result_Ok hint -> 
@@ -717,11 +586,11 @@ let sign Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = match Libcrux_ml_dsa.Pre_hash.impl_1__new context - (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (Rust_primitives.mk_usize 11))) + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) with | Core.Result.Result_Ok hoist36 -> sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A @@ -762,7 +631,7 @@ let sign_pre_hashed Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) = if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN then @@ -780,9 +649,9 @@ let sign_pre_hashed (Core.Option.Option_Some (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve () <: - t_Array u8 (Rust_primitives.mk_usize 11)) + t_Array u8 (sz 11)) <: - Core.Option.t_Option (t_Array u8 (Rust_primitives.mk_usize 11))) + Core.Option.t_Option (t_Array u8 (sz 11))) with | Core.Result.Result_Ok hoist39 -> sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A @@ -821,7 +690,7 @@ let verify_internal Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) = - let seed_for_A, t1:(t_Array u8 (Rust_primitives.mk_usize 32) & + let seed_for_A, t1:(t_Array u8 (sz 32) & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit v_ROWS_IN_A 
@@ -844,7 +713,7 @@ let verify_internal ~.(Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit v_COLUMNS_IN_A signature.Libcrux_ml_dsa.Types.f_signer_response - ((Rust_primitives.mk_i32 2 < verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A @@ -1041,9 +905,9 @@ let verify_pre_hashed (Core.Option.Option_Some (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve () <: - t_Array u8 (Rust_primitives.mk_usize 11)) + t_Array u8 (sz 11)) <: - Core.Option.t_Option (t_Array u8 (Rust_primitives.mk_usize 11))) + Core.Option.t_Option (t_Array u8 (sz 11))) with | Core.Result.Result_Ok hoist43 -> verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A 
@@ -1058,3 +922,107 @@ let verify_pre_hashed Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let generate_key_pair + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + = + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = + Libcrux_sha3.Portable.Incremental.f_new #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb + #(sz 136) + #FStar.Tactics.Typeclasses.solve + () + in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = + Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb + #(sz 136) + #FStar.Tactics.Typeclasses.solve + shake + (randomness <: t_Slice u8) + in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = + Libcrux_sha3.Portable.Incremental.f_absorb_final #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb + #(sz 136) + #FStar.Tactics.Typeclasses.solve + shake + ((let list = [cast (v_ROWS_IN_A <: usize) <: u8; cast (v_COLUMNS_IN_A <: usize) <: u8] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list) + <: + t_Slice u8) + in + let tmp0, tmp1:(Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze & t_Array u8 (sz 128)) = + 
Libcrux_sha3.Portable.Incremental.f_squeeze #Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze + #(sz 136) + #FStar.Tactics.Typeclasses.solve + shake + seed_expanded + in + let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = tmp0 in + let seed_expanded:t_Array u8 (sz 128) = tmp1 in + let _:Prims.unit = () in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A = + Libcrux_ml_dsa.Samplex4.matrix_A #v_SIMDUnit + #v_Shake128X4 + v_ROWS_IN_A + v_COLUMNS_IN_A + (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) seed_for_a <: t_Array u8 (sz 34)) + in + let s1, s2:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + v_ETA + v_COLUMNS_IN_A + v_ROWS_IN_A + (Libcrux_ml_dsa.Utils.into_padded_array (sz 66) seed_for_error_vectors <: t_Array u8 (sz 66)) + in + let t:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Matrix.compute_As1_plus_s2 #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A a_as_ntt s1 s2 + in + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit v_ROWS_IN_A t + in + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized 
#v_SIMDUnit + v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + seed_for_a + t1 + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 v_ROWS_IN_A + v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE seed_for_a seed_for_signing + (verification_key_serialized <: t_Slice u8) s1 s2 t0 + in + signing_key_serialized, verification_key_serialized + <: + (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti index a42a1a5c3..6ed00153a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti 
@@ -31,26 +31,12 @@ let _ = /// 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation for the HashMl-DSA /// variant. val derive_message_representative - (verification_key_hash: t_Array u8 (Rust_primitives.mk_usize 64)) + (verification_key_hash: t_Array u8 (sz 64)) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) (message: t_Slice u8) - (message_representative: t_Array u8 (Rust_primitives.mk_usize 64)) - : Prims.Pure (t_Array u8 (Rust_primitives.mk_usize 64)) Prims.l_True (fun _ -> Prims.l_True) - -/// Generate a key pair. -val generate_key_pair - (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) - (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: - usize) - {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} - {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) - : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) + (message_representative: t_Array u8 (sz 64)) + : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) /// The internal signing API. /// If no `domain_separation_context` is supplied, it is assumed that @@ -69,7 +55,7 @@ val sign_internal (message: t_Slice u8) (domain_separation_context: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) 
@@ -86,7 +72,7 @@ val sign {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) @@ -105,7 +91,7 @@ val sign_pre_hashed {| i9: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) (message context: t_Slice u8) - (randomness: t_Array u8 (Rust_primitives.mk_usize 32)) + (randomness: t_Array u8 (sz 32)) : Prims.Pure (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) @@ -166,3 +152,17 @@ val verify_pre_hashed : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a key pair. +val generate_key_pair + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst index d4a5e3b30..cd110c1ec 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst 
@@ -9,65 +9,22 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let invert_ntt_at_layer_0_ +let ntt (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let zeta_i:usize = zeta_i -! Rust_primitives.mk_usize 1 in - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #v_SIMDUnit - (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) - (fun temp_0_ round -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in - let round:usize = round in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - round - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! Rust_primitives.mk_usize 1 <: usize ] - <: - i32) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! Rust_primitives.mk_usize 2 <: usize ] - <: - i32) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! Rust_primitives.mk_usize 3 <: usize ] - <: - i32) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let zeta_i:usize = zeta_i -! 
Rust_primitives.mk_usize 4 in - re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) - in - let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 1 in - zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + { + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Libcrux_ml_dsa.Simd.Traits.f_ntt #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + re.Libcrux_ml_dsa.Polynomial.f_simd_units + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit let invert_ntt_at_layer_1_ (#v_SIMDUnit: Type0) @@ -77,12 +34,10 @@ let invert_ntt_at_layer_1_ (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let zeta_i:usize = zeta_i -! Rust_primitives.mk_usize 1 in + let zeta_i:usize = zeta_i -! sz 1 in let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Rust_primitives.mk_usize 256 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - <: - usize) + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 256 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize) (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = temp_0_ 
@@ -107,19 +62,17 @@ let invert_ntt_at_layer_1_ #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! Rust_primitives.mk_usize 1 <: usize ] - <: - i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize ] <: i32) <: v_SIMDUnit) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit in - let zeta_i:usize = zeta_i -! Rust_primitives.mk_usize 2 in + let zeta_i:usize = zeta_i -! sz 2 in re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) in - let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 1 in + let zeta_i:usize = zeta_i +! sz 1 in zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) let invert_ntt_at_layer_2_ @@ -132,10 +85,8 @@ let invert_ntt_at_layer_2_ = let (re, zeta_i), hax_temp_output:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Rust_primitives.mk_usize 256 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - <: - usize) + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 256 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize) (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = temp_0_ @@ -148,7 +99,7 @@ let invert_ntt_at_layer_2_ temp_0_ in let round:usize = round in - let zeta_i:usize = zeta_i -! Rust_primitives.mk_usize 1 in + let zeta_i:usize = zeta_i -! sz 1 in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = { re with 
@@ -180,11 +131,11 @@ let invert_ntt_at_layer_3_plus (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let step:usize = Rust_primitives.mk_usize 1 <>! v_LAYER <: usize) + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 128 >>! v_LAYER <: usize) (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = temp_0_ @@ -197,9 +148,9 @@ let invert_ntt_at_layer_3_plus temp_0_ in let round:usize = round in - let zeta_i:usize = zeta_i -! Rust_primitives.mk_usize 1 in + let zeta_i:usize = zeta_i -! sz 1 in let offset:usize = - ((round *! step <: usize) *! Rust_primitives.mk_usize 2 <: usize) /! + ((round *! step <: usize) *! sz 2 <: usize) /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in 
@@ -265,6 +216,60 @@ let invert_ntt_at_layer_3_plus in zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) +let invert_ntt_at_layer_0_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let zeta_i:usize = zeta_i -! sz 1 in + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let round:usize = round in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + round + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize ] <: i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 2 <: usize ] <: i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 3 <: usize ] <: i32) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let zeta_i:usize = zeta_i -! 
sz 4 in + re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + let zeta_i:usize = zeta_i +! sz 1 in + zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + let invert_ntt_montgomery (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -292,37 +297,37 @@ let invert_ntt_montgomery let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_3_plus #v_SIMDUnit (Rust_primitives.mk_usize 3) zeta_i re + invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 3) zeta_i re in let zeta_i:usize = tmp0 in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_3_plus #v_SIMDUnit (Rust_primitives.mk_usize 4) zeta_i re + invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 4) zeta_i re in let zeta_i:usize = tmp0 in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_3_plus #v_SIMDUnit (Rust_primitives.mk_usize 5) zeta_i re + invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 5) zeta_i re in let zeta_i:usize = tmp0 in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_3_plus #v_SIMDUnit (Rust_primitives.mk_usize 6) zeta_i re + invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 6) zeta_i re in let zeta_i:usize = tmp0 in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_3_plus #v_SIMDUnit (Rust_primitives.mk_usize 7) zeta_i re + invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 7) zeta_i re in let zeta_i:usize = tmp0 in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in let _:Prims.unit = () in let 
re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: @@ -345,34 +350,17 @@ let invert_ntt_montgomery (Libcrux_ml_dsa.Simd.Traits.f_montgomery_multiply_by_constant #v_SIMDUnit #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) - (Rust_primitives.mk_i32 41978) + 41978l <: v_SIMDUnit) <: - t_Array v_SIMDUnit (Rust_primitives.mk_usize 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in re -let ntt - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - = - { - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Libcrux_ml_dsa.Simd.Traits.f_ntt #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - re.Libcrux_ml_dsa.Polynomial.f_simd_units - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - let ntt_multiply_montgomery (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -384,7 +372,7 @@ let ntt_multiply_montgomery Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () in let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit (out.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) <: @@ -411,7 +399,7 @@ let ntt_multiply_montgomery <: v_SIMDUnit) <: - t_Array v_SIMDUnit (Rust_primitives.mk_usize 32) + t_Array v_SIMDUnit (sz 32) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti index bd0aa1fb8..d15c500f9 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti 
@@ -9,140 +9,51 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (Rust_primitives.mk_usize 256) = +let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (sz 256) = let list = [ - Rust_primitives.mk_i32 0; Rust_primitives.mk_i32 25847; Rust_primitives.mk_i32 (-2608894); - Rust_primitives.mk_i32 (-518909); Rust_primitives.mk_i32 237124; - Rust_primitives.mk_i32 (-777960); Rust_primitives.mk_i32 (-876248); - Rust_primitives.mk_i32 466468; Rust_primitives.mk_i32 1826347; Rust_primitives.mk_i32 2353451; - Rust_primitives.mk_i32 (-359251); Rust_primitives.mk_i32 (-2091905); - Rust_primitives.mk_i32 3119733; Rust_primitives.mk_i32 (-2884855); - Rust_primitives.mk_i32 3111497; Rust_primitives.mk_i32 2680103; Rust_primitives.mk_i32 2725464; - Rust_primitives.mk_i32 1024112; Rust_primitives.mk_i32 (-1079900); - Rust_primitives.mk_i32 3585928; Rust_primitives.mk_i32 (-549488); - Rust_primitives.mk_i32 (-1119584); Rust_primitives.mk_i32 2619752; - Rust_primitives.mk_i32 (-2108549); Rust_primitives.mk_i32 (-2118186); - Rust_primitives.mk_i32 (-3859737); Rust_primitives.mk_i32 (-1399561); - Rust_primitives.mk_i32 (-3277672); Rust_primitives.mk_i32 1757237; - Rust_primitives.mk_i32 (-19422); Rust_primitives.mk_i32 4010497; Rust_primitives.mk_i32 280005; - Rust_primitives.mk_i32 2706023; Rust_primitives.mk_i32 95776; Rust_primitives.mk_i32 3077325; - Rust_primitives.mk_i32 3530437; Rust_primitives.mk_i32 (-1661693); - Rust_primitives.mk_i32 (-3592148); Rust_primitives.mk_i32 (-2537516); - Rust_primitives.mk_i32 3915439; Rust_primitives.mk_i32 (-3861115); - Rust_primitives.mk_i32 (-3043716); Rust_primitives.mk_i32 3574422; - Rust_primitives.mk_i32 (-2867647); Rust_primitives.mk_i32 3539968; - Rust_primitives.mk_i32 (-300467); Rust_primitives.mk_i32 2348700; - Rust_primitives.mk_i32 (-539299); Rust_primitives.mk_i32 (-1699267); - Rust_primitives.mk_i32 (-1643818); Rust_primitives.mk_i32 3505694; - Rust_primitives.mk_i32 (-3821735); 
Rust_primitives.mk_i32 3507263; - Rust_primitives.mk_i32 (-2140649); Rust_primitives.mk_i32 (-1600420); - Rust_primitives.mk_i32 3699596; Rust_primitives.mk_i32 811944; Rust_primitives.mk_i32 531354; - Rust_primitives.mk_i32 954230; Rust_primitives.mk_i32 3881043; Rust_primitives.mk_i32 3900724; - Rust_primitives.mk_i32 (-2556880); Rust_primitives.mk_i32 2071892; - Rust_primitives.mk_i32 (-2797779); Rust_primitives.mk_i32 (-3930395); - Rust_primitives.mk_i32 (-1528703); Rust_primitives.mk_i32 (-3677745); - Rust_primitives.mk_i32 (-3041255); Rust_primitives.mk_i32 (-1452451); - Rust_primitives.mk_i32 3475950; Rust_primitives.mk_i32 2176455; - Rust_primitives.mk_i32 (-1585221); Rust_primitives.mk_i32 (-1257611); - Rust_primitives.mk_i32 1939314; Rust_primitives.mk_i32 (-4083598); - Rust_primitives.mk_i32 (-1000202); Rust_primitives.mk_i32 (-3190144); - Rust_primitives.mk_i32 (-3157330); Rust_primitives.mk_i32 (-3632928); - Rust_primitives.mk_i32 126922; Rust_primitives.mk_i32 3412210; - Rust_primitives.mk_i32 (-983419); Rust_primitives.mk_i32 2147896; - Rust_primitives.mk_i32 2715295; Rust_primitives.mk_i32 (-2967645); - Rust_primitives.mk_i32 (-3693493); Rust_primitives.mk_i32 (-411027); - Rust_primitives.mk_i32 (-2477047); Rust_primitives.mk_i32 (-671102); - Rust_primitives.mk_i32 (-1228525); Rust_primitives.mk_i32 (-22981); - Rust_primitives.mk_i32 (-1308169); Rust_primitives.mk_i32 (-381987); - Rust_primitives.mk_i32 1349076; Rust_primitives.mk_i32 1852771; - Rust_primitives.mk_i32 (-1430430); Rust_primitives.mk_i32 (-3343383); - Rust_primitives.mk_i32 264944; Rust_primitives.mk_i32 508951; Rust_primitives.mk_i32 3097992; - Rust_primitives.mk_i32 44288; Rust_primitives.mk_i32 (-1100098); Rust_primitives.mk_i32 904516; - Rust_primitives.mk_i32 3958618; Rust_primitives.mk_i32 (-3724342); - Rust_primitives.mk_i32 (-8578); Rust_primitives.mk_i32 1653064; - Rust_primitives.mk_i32 (-3249728); Rust_primitives.mk_i32 2389356; - Rust_primitives.mk_i32 (-210977); 
Rust_primitives.mk_i32 759969; - Rust_primitives.mk_i32 (-1316856); Rust_primitives.mk_i32 189548; - Rust_primitives.mk_i32 (-3553272); Rust_primitives.mk_i32 3159746; - Rust_primitives.mk_i32 (-1851402); Rust_primitives.mk_i32 (-2409325); - Rust_primitives.mk_i32 (-177440); Rust_primitives.mk_i32 1315589; - Rust_primitives.mk_i32 1341330; Rust_primitives.mk_i32 1285669; - Rust_primitives.mk_i32 (-1584928); Rust_primitives.mk_i32 (-812732); - Rust_primitives.mk_i32 (-1439742); Rust_primitives.mk_i32 (-3019102); - Rust_primitives.mk_i32 (-3881060); Rust_primitives.mk_i32 (-3628969); - Rust_primitives.mk_i32 3839961; Rust_primitives.mk_i32 2091667; Rust_primitives.mk_i32 3407706; - Rust_primitives.mk_i32 2316500; Rust_primitives.mk_i32 3817976; - Rust_primitives.mk_i32 (-3342478); Rust_primitives.mk_i32 2244091; - Rust_primitives.mk_i32 (-2446433); Rust_primitives.mk_i32 (-3562462); - Rust_primitives.mk_i32 266997; Rust_primitives.mk_i32 2434439; - Rust_primitives.mk_i32 (-1235728); Rust_primitives.mk_i32 3513181; - Rust_primitives.mk_i32 (-3520352); Rust_primitives.mk_i32 (-3759364); - Rust_primitives.mk_i32 (-1197226); Rust_primitives.mk_i32 (-3193378); - Rust_primitives.mk_i32 900702; Rust_primitives.mk_i32 1859098; Rust_primitives.mk_i32 909542; - Rust_primitives.mk_i32 819034; Rust_primitives.mk_i32 495491; - Rust_primitives.mk_i32 (-1613174); Rust_primitives.mk_i32 (-43260); - Rust_primitives.mk_i32 (-522500); Rust_primitives.mk_i32 (-655327); - Rust_primitives.mk_i32 (-3122442); Rust_primitives.mk_i32 2031748; - Rust_primitives.mk_i32 3207046; Rust_primitives.mk_i32 (-3556995); - Rust_primitives.mk_i32 (-525098); Rust_primitives.mk_i32 (-768622); - Rust_primitives.mk_i32 (-3595838); Rust_primitives.mk_i32 342297; - Rust_primitives.mk_i32 286988; Rust_primitives.mk_i32 (-2437823); - Rust_primitives.mk_i32 4108315; Rust_primitives.mk_i32 3437287; - Rust_primitives.mk_i32 (-3342277); Rust_primitives.mk_i32 1735879; - Rust_primitives.mk_i32 203044; 
Rust_primitives.mk_i32 2842341; Rust_primitives.mk_i32 2691481; - Rust_primitives.mk_i32 (-2590150); Rust_primitives.mk_i32 1265009; - Rust_primitives.mk_i32 4055324; Rust_primitives.mk_i32 1247620; Rust_primitives.mk_i32 2486353; - Rust_primitives.mk_i32 1595974; Rust_primitives.mk_i32 (-3767016); - Rust_primitives.mk_i32 1250494; Rust_primitives.mk_i32 2635921; - Rust_primitives.mk_i32 (-3548272); Rust_primitives.mk_i32 (-2994039); - Rust_primitives.mk_i32 1869119; Rust_primitives.mk_i32 1903435; - Rust_primitives.mk_i32 (-1050970); Rust_primitives.mk_i32 (-1333058); - Rust_primitives.mk_i32 1237275; Rust_primitives.mk_i32 (-3318210); - Rust_primitives.mk_i32 (-1430225); Rust_primitives.mk_i32 (-451100); - Rust_primitives.mk_i32 1312455; Rust_primitives.mk_i32 3306115; - Rust_primitives.mk_i32 (-1962642); Rust_primitives.mk_i32 (-1279661); - Rust_primitives.mk_i32 1917081; Rust_primitives.mk_i32 (-2546312); - Rust_primitives.mk_i32 (-1374803); Rust_primitives.mk_i32 1500165; - Rust_primitives.mk_i32 777191; Rust_primitives.mk_i32 2235880; Rust_primitives.mk_i32 3406031; - Rust_primitives.mk_i32 (-542412); Rust_primitives.mk_i32 (-2831860); - Rust_primitives.mk_i32 (-1671176); Rust_primitives.mk_i32 (-1846953); - Rust_primitives.mk_i32 (-2584293); Rust_primitives.mk_i32 (-3724270); - Rust_primitives.mk_i32 594136; Rust_primitives.mk_i32 (-3776993); - Rust_primitives.mk_i32 (-2013608); Rust_primitives.mk_i32 2432395; - Rust_primitives.mk_i32 2454455; Rust_primitives.mk_i32 (-164721); - Rust_primitives.mk_i32 1957272; Rust_primitives.mk_i32 3369112; Rust_primitives.mk_i32 185531; - Rust_primitives.mk_i32 (-1207385); Rust_primitives.mk_i32 (-3183426); - Rust_primitives.mk_i32 162844; Rust_primitives.mk_i32 1616392; Rust_primitives.mk_i32 3014001; - Rust_primitives.mk_i32 810149; Rust_primitives.mk_i32 1652634; - Rust_primitives.mk_i32 (-3694233); Rust_primitives.mk_i32 (-1799107); - Rust_primitives.mk_i32 (-3038916); Rust_primitives.mk_i32 3523897; - 
Rust_primitives.mk_i32 3866901; Rust_primitives.mk_i32 269760; Rust_primitives.mk_i32 2213111; - Rust_primitives.mk_i32 (-975884); Rust_primitives.mk_i32 1717735; - Rust_primitives.mk_i32 472078; Rust_primitives.mk_i32 (-426683); - Rust_primitives.mk_i32 1723600; Rust_primitives.mk_i32 (-1803090); - Rust_primitives.mk_i32 1910376; Rust_primitives.mk_i32 (-1667432); - Rust_primitives.mk_i32 (-1104333); Rust_primitives.mk_i32 (-260646); - Rust_primitives.mk_i32 (-3833893); Rust_primitives.mk_i32 (-2939036); - Rust_primitives.mk_i32 (-2235985); Rust_primitives.mk_i32 (-420899); - Rust_primitives.mk_i32 (-2286327); Rust_primitives.mk_i32 183443; - Rust_primitives.mk_i32 (-976891); Rust_primitives.mk_i32 1612842; - Rust_primitives.mk_i32 (-3545687); Rust_primitives.mk_i32 (-554416); - Rust_primitives.mk_i32 3919660; Rust_primitives.mk_i32 (-48306); - Rust_primitives.mk_i32 (-1362209); Rust_primitives.mk_i32 3937738; - Rust_primitives.mk_i32 1400424; Rust_primitives.mk_i32 (-846154); - Rust_primitives.mk_i32 1976782 + 0l; 25847l; (-2608894l); (-518909l); 237124l; (-777960l); (-876248l); 466468l; 1826347l; + 2353451l; (-359251l); (-2091905l); 3119733l; (-2884855l); 3111497l; 2680103l; 2725464l; + 1024112l; (-1079900l); 3585928l; (-549488l); (-1119584l); 2619752l; (-2108549l); (-2118186l); + (-3859737l); (-1399561l); (-3277672l); 1757237l; (-19422l); 4010497l; 280005l; 2706023l; + 95776l; 3077325l; 3530437l; (-1661693l); (-3592148l); (-2537516l); 3915439l; (-3861115l); + (-3043716l); 3574422l; (-2867647l); 3539968l; (-300467l); 2348700l; (-539299l); (-1699267l); + (-1643818l); 3505694l; (-3821735l); 3507263l; (-2140649l); (-1600420l); 3699596l; 811944l; + 531354l; 954230l; 3881043l; 3900724l; (-2556880l); 2071892l; (-2797779l); (-3930395l); + (-1528703l); (-3677745l); (-3041255l); (-1452451l); 3475950l; 2176455l; (-1585221l); + (-1257611l); 1939314l; (-4083598l); (-1000202l); (-3190144l); (-3157330l); (-3632928l); + 126922l; 3412210l; (-983419l); 2147896l; 2715295l; 
(-2967645l); (-3693493l); (-411027l); + (-2477047l); (-671102l); (-1228525l); (-22981l); (-1308169l); (-381987l); 1349076l; 1852771l; + (-1430430l); (-3343383l); 264944l; 508951l; 3097992l; 44288l; (-1100098l); 904516l; 3958618l; + (-3724342l); (-8578l); 1653064l; (-3249728l); 2389356l; (-210977l); 759969l; (-1316856l); + 189548l; (-3553272l); 3159746l; (-1851402l); (-2409325l); (-177440l); 1315589l; 1341330l; + 1285669l; (-1584928l); (-812732l); (-1439742l); (-3019102l); (-3881060l); (-3628969l); + 3839961l; 2091667l; 3407706l; 2316500l; 3817976l; (-3342478l); 2244091l; (-2446433l); + (-3562462l); 266997l; 2434439l; (-1235728l); 3513181l; (-3520352l); (-3759364l); (-1197226l); + (-3193378l); 900702l; 1859098l; 909542l; 819034l; 495491l; (-1613174l); (-43260l); (-522500l); + (-655327l); (-3122442l); 2031748l; 3207046l; (-3556995l); (-525098l); (-768622l); (-3595838l); + 342297l; 286988l; (-2437823l); 4108315l; 3437287l; (-3342277l); 1735879l; 203044l; 2842341l; + 2691481l; (-2590150l); 1265009l; 4055324l; 1247620l; 2486353l; 1595974l; (-3767016l); 1250494l; + 2635921l; (-3548272l); (-2994039l); 1869119l; 1903435l; (-1050970l); (-1333058l); 1237275l; + (-3318210l); (-1430225l); (-451100l); 1312455l; 3306115l; (-1962642l); (-1279661l); 1917081l; + (-2546312l); (-1374803l); 1500165l; 777191l; 2235880l; 3406031l; (-542412l); (-2831860l); + (-1671176l); (-1846953l); (-2584293l); (-3724270l); 594136l; (-3776993l); (-2013608l); + 2432395l; 2454455l; (-164721l); 1957272l; 3369112l; 185531l; (-1207385l); (-3183426l); 162844l; + 1616392l; 3014001l; 810149l; 1652634l; (-3694233l); (-1799107l); (-3038916l); 3523897l; + 3866901l; 269760l; 2213111l; (-975884l); 1717735l; 472078l; (-426683l); 1723600l; (-1803090l); + 1910376l; (-1667432l); (-1104333l); (-260646l); (-3833893l); (-2939036l); (-2235985l); + (-420899l); (-2286327l); 183443l; (-976891l); 1612842l; (-3545687l); (-554416l); 3919660l; + (-48306l); (-1362209l); 3937738l; 1400424l; (-846154l); 1976782l ] in 
FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256); Rust_primitives.Hax.array_of_list 256 list -val invert_ntt_at_layer_0_ +val ntt (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) @@ -174,15 +85,16 @@ val invert_ntt_at_layer_3_plus Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_montgomery +val invert_ntt_at_layer_0_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) -val ntt +val invert_ntt_montgomery (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst index 48a4df562..029ce893b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst 
@@ -9,6 +9,38 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let impl__infinity_norm_exceeds + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self: t_PolynomialRingElement v_SIMDUnit) + (bound: i32) + = + let exceeds:bool = false in + let exceeds:bool = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Array v_SIMDUnit + (sz 32)) + #FStar.Tactics.Typeclasses.solve + self.f_simd_units + <: + Core.Array.Iter.t_IntoIter v_SIMDUnit (sz 32)) + exceeds + (fun exceeds simd_unit -> + let exceeds:bool = exceeds in + let simd_unit:v_SIMDUnit = simd_unit in + exceeds |. + (Libcrux_ml_dsa.Simd.Traits.f_infinity_norm_exceeds #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + bound + <: + bool) + <: + bool) + in + exceeds + let impl__ZERO (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -24,50 +56,11 @@ let impl__ZERO () <: v_SIMDUnit) - (Rust_primitives.mk_usize 32) + (sz 32) } <: t_PolynomialRingElement v_SIMDUnit -let impl__add - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (self rhs: t_PolynomialRingElement v_SIMDUnit) - = - let sum:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in - let sum:t_PolynomialRingElement v_SIMDUnit = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #v_SIMDUnit (sum.f_simd_units <: t_Slice v_SIMDUnit) <: usize) - (fun sum temp_1_ -> - let sum:t_PolynomialRingElement v_SIMDUnit = sum in - let _:usize = temp_1_ in - true) - sum - (fun sum i -> - let sum:t_PolynomialRingElement v_SIMDUnit = sum in - let i:usize = i in - { - sum with - f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sum.f_simd_units - i - (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (self.f_simd_units.[ i ] <: v_SIMDUnit) - (rhs.f_simd_units.[ i ] <: v_SIMDUnit) - <: - v_SIMDUnit) - <: - t_Array v_SIMDUnit (Rust_primitives.mk_usize 32) - } - <: - t_PolynomialRingElement v_SIMDUnit) - in - sum - let impl__from_i32_array (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -79,10 +72,7 @@ let impl__from_i32_array if true then let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #i32 array <: usize) >=. - Rust_primitives.mk_usize 256 - <: - bool) + Hax_lib.v_assert ((Core.Slice.impl__len #i32 array <: usize) >=. sz 256 <: bool) in () in 
@@ -91,7 +81,7 @@ let impl__from_i32_array in let result:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_dsa.Simd.Traits.v_SIMD_UNITS_IN_RING_ELEMENT (fun temp_0_ temp_1_ -> let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 & 
@@ -133,37 +123,44 @@ let impl__from_i32_array in result -let impl__infinity_norm_exceeds +let impl__add (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (self: t_PolynomialRingElement v_SIMDUnit) - (bound: i32) + (self rhs: t_PolynomialRingElement v_SIMDUnit) = - let exceeds:bool = false in - let exceeds:bool = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Array v_SIMDUnit - (Rust_primitives.mk_usize 32)) - #FStar.Tactics.Typeclasses.solve - self.f_simd_units - <: - Core.Array.Iter.t_IntoIter v_SIMDUnit (Rust_primitives.mk_usize 32)) - exceeds - (fun exceeds simd_unit -> - let exceeds:bool = exceeds in - let simd_unit:v_SIMDUnit = simd_unit in - exceeds |. - (Libcrux_ml_dsa.Simd.Traits.f_infinity_norm_exceeds #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - simd_unit - bound + let sum:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in + let sum:t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit (sum.f_simd_units <: t_Slice v_SIMDUnit) <: usize) + (fun sum temp_1_ -> + let sum:t_PolynomialRingElement v_SIMDUnit = sum in + let _:usize = temp_1_ in + true) + sum + (fun sum i -> + let sum:t_PolynomialRingElement v_SIMDUnit = sum in + let i:usize = i in + { + sum with + f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sum.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (self.f_simd_units.[ i ] <: v_SIMDUnit) + (rhs.f_simd_units.[ i ] <: v_SIMDUnit) + <: + v_SIMDUnit) <: - bool) + t_Array v_SIMDUnit (sz 32) + } <: - bool) + t_PolynomialRingElement v_SIMDUnit) in - exceeds + sum let impl__subtract (#v_SIMDUnit: Type0) 
@@ -174,7 +171,7 @@ let impl__subtract = let difference:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in let difference:t_PolynomialRingElement v_SIMDUnit = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit (difference.f_simd_units <: t_Slice v_SIMDUnit) <: usize) (fun difference temp_1_ -> let difference:t_PolynomialRingElement v_SIMDUnit = difference in @@ -197,7 +194,7 @@ let impl__subtract <: v_SIMDUnit) <: - t_Array v_SIMDUnit (Rust_primitives.mk_usize 32) + t_Array v_SIMDUnit (sz 32) } <: t_PolynomialRingElement v_SIMDUnit) @@ -211,18 +208,16 @@ let impl__to_i32_array Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (self: t_PolynomialRingElement v_SIMDUnit) = - let result:t_Array i32 (Rust_primitives.mk_usize 256) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 256) - in - let result:t_Array i32 (Rust_primitives.mk_usize 256) = + let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in + let result:t_Array i32 (sz 256) = Rust_primitives.Hax.Folds.fold_enumerated_slice (self.f_simd_units <: t_Slice v_SIMDUnit) (fun result temp_1_ -> - let result:t_Array i32 (Rust_primitives.mk_usize 256) = result in + let result:t_Array i32 (sz 256) = result in let _:usize = temp_1_ in true) result (fun result temp_1_ -> - let result:t_Array i32 (Rust_primitives.mk_usize 256) = result in + let result:t_Array i32 (sz 256) = result in let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in Rust_primitives.Hax.Monomorphized_update_at.update_at_range result ({ @@ -231,8 +226,7 @@ let impl__to_i32_array i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize; Core.Ops.Range.f_end = - (i +! Rust_primitives.mk_usize 1 <: usize) *! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize } 
@@ -245,8 +239,7 @@ let impl__to_i32_array i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize; Core.Ops.Range.f_end = - (i +! Rust_primitives.mk_usize 1 <: usize) *! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize } @@ -262,6 +255,6 @@ let impl__to_i32_array <: t_Slice i32) <: - t_Array i32 (Rust_primitives.mk_usize 256)) + t_Array i32 (sz 256)) in result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti index dbc9a476d..918eb2620 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti @@ -11,7 +11,14 @@ let _ = type t_PolynomialRingElement (v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - = { f_simd_units:t_Array v_SIMDUnit (Rust_primitives.mk_usize 32) } + = { f_simd_units:t_Array v_SIMDUnit (sz 32) } + +val impl__infinity_norm_exceeds + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self: t_PolynomialRingElement v_SIMDUnit) + (bound: i32) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) val impl__ZERO: #v_SIMDUnit: Type0 -> 
@@ -19,24 +26,17 @@ val impl__ZERO: Prims.unit -> Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) -val impl__add - (#v_SIMDUnit: Type0) - {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (self rhs: t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) - val impl__from_i32_array (#v_SIMDUnit: Type0) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (array: t_Slice i32) : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) -val impl__infinity_norm_exceeds +val impl__add (#v_SIMDUnit: Type0) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (self: t_PolynomialRingElement v_SIMDUnit) - (bound: i32) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + (self rhs: t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) val impl__subtract (#v_SIMDUnit: Type0) @@ -48,4 +48,4 @@ val impl__to_i32_array (#v_SIMDUnit: Type0) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (self: t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (t_Array i32 (Rust_primitives.mk_usize 256)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array i32 (sz 256)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst index 2f05fdbf1..c8f3084d4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst 
@@ -10,15 +10,11 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Shake128 in () -let t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) = - match x with | DomainSeparationError_ContextTooLongError -> Rust_primitives.mk_isize 0 - let impl_1__context (self: t_DomainSeparationContext) = self.f_context -let impl_1__new - (context: t_Slice u8) - (pre_hash_oid: Core.Option.t_Option (t_Array u8 (Rust_primitives.mk_usize 11))) - = +let impl_1__pre_hash_oid (self: t_DomainSeparationContext) = self.f_pre_hash_oid + +let impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) = if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN then Core.Result.Result_Err (DomainSeparationError_ContextTooLongError <: t_DomainSeparationError) @@ -30,4 +26,5 @@ let impl_1__new <: Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError -let impl_1__pre_hash_oid (self: t_DomainSeparationContext) = self.f_pre_hash_oid +let t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) = + match x with | DomainSeparationError_ContextTooLongError -> isz 0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti index 07397201f..2e097f642 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti 
@@ -10,25 +10,48 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Shake128 in () +/// Binds the context string to an optional pre-hash OID identifying +/// the hash function or XOF used for pre-hashing. +type t_DomainSeparationContext = { + f_context:t_Slice u8; + f_pre_hash_oid:Core.Option.t_Option (t_Array u8 (sz 11)) +} + +/// Returns the context, guaranteed to be at most 255 bytes long. +val impl_1__context (self: t_DomainSeparationContext) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// Returns the pre-hash OID, if any. +val impl_1__pre_hash_oid (self: t_DomainSeparationContext) + : Prims.Pure (Core.Option.t_Option (t_Array u8 (sz 11))) Prims.l_True (fun _ -> Prims.l_True) + type t_DomainSeparationError = | DomainSeparationError_ContextTooLongError : t_DomainSeparationError +/// `context` must be at most 255 bytes long. +val impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) + : Prims.Pure (Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError) + Prims.l_True + (fun _ -> Prims.l_True) + val t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) class t_PreHash (v_Self: Type0) (v_DIGEST_LEN: usize) = { f_oid_pre:Prims.unit -> Type0; - f_oid_post:Prims.unit -> t_Array u8 (Rust_primitives.mk_usize 11) -> Type0; + f_oid_post:Prims.unit -> t_Array u8 (sz 11) -> Type0; f_oid:x0: Prims.unit - -> Prims.Pure (t_Array u8 (Rust_primitives.mk_usize 11)) - (f_oid_pre x0) - (fun result -> f_oid_post x0 result); + -> Prims.Pure (t_Array u8 (sz 11)) (f_oid_pre x0) (fun result -> f_oid_post x0 result); f_hash_pre:t_Slice u8 -> Type0; f_hash_post:t_Slice u8 -> t_Array u8 v_DIGEST_LEN -> Type0; f_hash:x0: t_Slice u8 -> Prims.Pure (t_Array u8 v_DIGEST_LEN) (f_hash_pre x0) (fun result -> f_hash_post x0 result) } -let v_PRE_HASH_OID_LEN: usize = Rust_primitives.mk_usize 11 +/// An implementation of the pre-hash trait for the SHAKE-128 
XOF with +/// digest length 256 bytes. +type t_SHAKE128_PH = | SHAKE128_PH : t_SHAKE128_PH + +let v_PRE_HASH_OID_LEN: usize = sz 11 [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_2: Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSeparationError = 
@@ -62,67 +85,27 @@ let impl_3: Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_Domai Libcrux_ml_dsa.Types.t_VerificationError } -/// Binds the context string to an optional pre-hash OID identifying -/// the hash function or XOF used for pre-hashing. -type t_DomainSeparationContext = { - f_context:t_Slice u8; - f_pre_hash_oid:Core.Option.t_Option (t_Array u8 (Rust_primitives.mk_usize 11)) -} - -/// Returns the context, guaranteed to be at most 255 bytes long. -val impl_1__context (self: t_DomainSeparationContext) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - -/// `context` must be at most 255 bytes long. -val impl_1__new - (context: t_Slice u8) - (pre_hash_oid: Core.Option.t_Option (t_Array u8 (Rust_primitives.mk_usize 11))) - : Prims.Pure (Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Returns the pre-hash OID, if any. -val impl_1__pre_hash_oid (self: t_DomainSeparationContext) - : Prims.Pure (Core.Option.t_Option (t_Array u8 (Rust_primitives.mk_usize 11))) - Prims.l_True - (fun _ -> Prims.l_True) - -/// An implementation of the pre-hash trait for the SHAKE-128 XOF with -/// digest length 256 bytes. 
-type t_SHAKE128_PH = | SHAKE128_PH : t_SHAKE128_PH - [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: t_PreHash t_SHAKE128_PH (Rust_primitives.mk_usize 256) = +let impl: t_PreHash t_SHAKE128_PH (sz 256) = { f_oid_pre = (fun (_: Prims.unit) -> true); - f_oid_post = (fun (_: Prims.unit) (out: t_Array u8 (Rust_primitives.mk_usize 11)) -> true); + f_oid_post = (fun (_: Prims.unit) (out: t_Array u8 (sz 11)) -> true); f_oid = (fun (_: Prims.unit) -> - let list = - [ - Rust_primitives.mk_u8 6; Rust_primitives.mk_u8 9; Rust_primitives.mk_u8 96; - Rust_primitives.mk_u8 134; Rust_primitives.mk_u8 72; Rust_primitives.mk_u8 1; - Rust_primitives.mk_u8 101; Rust_primitives.mk_u8 3; Rust_primitives.mk_u8 4; - Rust_primitives.mk_u8 2; Rust_primitives.mk_u8 11 - ] - in + let list = [6uy; 9uy; 96uy; 134uy; 72uy; 1uy; 101uy; 3uy; 4uy; 2uy; 11uy] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 11); Rust_primitives.Hax.array_of_list 11 list); f_hash_pre = (fun (message: t_Slice u8) -> true); - f_hash_post - = - (fun (message: t_Slice u8) (out: t_Array u8 (Rust_primitives.mk_usize 256)) -> true); + f_hash_post = (fun (message: t_Slice u8) (out: t_Array u8 (sz 256)) -> true); f_hash = fun (message: t_Slice u8) -> - let output:t_Array u8 (Rust_primitives.mk_usize 256) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 256) - in - let output:t_Array u8 (Rust_primitives.mk_usize 256) = + let output:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let output:t_Array u8 (sz 256) = Libcrux_ml_dsa.Hash_functions.Shake128.f_shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 #FStar.Tactics.Typeclasses.solve - (Rust_primitives.mk_usize 256) + (sz 256) message output in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst index ef691b0e2..bd75bc9c7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst @@ -11,20 +11,20 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let update_seed (seed: t_Array u8 (Rust_primitives.mk_usize 66)) (domain_separator: u16) = - let seed:t_Array u8 (Rust_primitives.mk_usize 66) = +let update_seed (seed: t_Array u8 (sz 66)) (domain_separator: u16) = + let seed:t_Array u8 (sz 66) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed - (Rust_primitives.mk_usize 64) + (sz 64) (cast (domain_separator <: u16) <: u8) in - let seed:t_Array u8 (Rust_primitives.mk_usize 66) = + let seed:t_Array u8 (sz 66) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed - (Rust_primitives.mk_usize 65) - (cast (domain_separator >>! Rust_primitives.mk_i32 8 <: u16) <: u8) + (sz 65) + (cast (domain_separator >>! 8l <: u16) <: u8) in - let domain_separator:u16 = domain_separator +! Rust_primitives.mk_u16 1 in - let hax_temp_output:t_Array u8 (Rust_primitives.mk_usize 66) = seed in - domain_separator, hax_temp_output <: (u16 & t_Array u8 (Rust_primitives.mk_usize 66)) + let domain_separator:u16 = domain_separator +! 1us in + let hax_temp_output:t_Array u8 (sz 66) = seed in + domain_separator, hax_temp_output <: (u16 & t_Array u8 (sz 66)) let rejection_sample_less_than_eta_equals_2_ (#v_SIMDUnit: Type0) 
@@ -33,26 +33,19 @@ let rejection_sample_less_than_eta_equals_2_ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (randomness: t_Slice u8) (sampled_coefficients: usize) - (out: t_Array i32 (Rust_primitives.mk_usize 263)) + (out: t_Array i32 (sz 263)) = let done:bool = false in - let done, out, sampled_coefficients:(bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) = + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks u8) #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__chunks #u8 randomness (Rust_primitives.mk_usize 4) - <: - Core.Slice.Iter.t_Chunks u8) + (Core.Slice.impl__chunks #u8 randomness (sz 4) <: Core.Slice.Iter.t_Chunks u8) <: Core.Slice.Iter.t_Chunks u8) - (done, out, sampled_coefficients - <: - (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize)) + (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) (fun temp_0_ random_bytes -> - let done, out, sampled_coefficients:(bool & t_Array i32 (Rust_primitives.mk_usize 263) & - usize) = - temp_0_ - in + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in let random_bytes:t_Slice u8 = random_bytes in if ~.done <: bool then @@ -66,7 +59,7 @@ let rejection_sample_less_than_eta_equals_2_ <: t_Slice i32) in - let out:t_Array i32 (Rust_primitives.mk_usize 263) = + let out:t_Array i32 (sz 263) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out ({ Core.Ops.Range.f_start = sampled_coefficients } <: 
@@ -78,22 +71,12 @@ let rejection_sample_less_than_eta_equals_2_ if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT then let done:bool = true in - done, out, sampled_coefficients - <: - (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) - else - done, out, sampled_coefficients - <: - (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) - else - done, out, sampled_coefficients - <: - (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize)) + done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) in let hax_temp_output:bool = done in - sampled_coefficients, out, hax_temp_output - <: - (usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) + sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) let rejection_sample_less_than_eta_equals_4_ (#v_SIMDUnit: Type0) 
@@ -102,26 +85,19 @@ let rejection_sample_less_than_eta_equals_4_ Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (randomness: t_Slice u8) (sampled_coefficients: usize) - (out: t_Array i32 (Rust_primitives.mk_usize 263)) + (out: t_Array i32 (sz 263)) = let done:bool = false in - let done, out, sampled_coefficients:(bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) = + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks u8) #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__chunks #u8 randomness (Rust_primitives.mk_usize 4) - <: - Core.Slice.Iter.t_Chunks u8) + (Core.Slice.impl__chunks #u8 randomness (sz 4) <: Core.Slice.Iter.t_Chunks u8) <: Core.Slice.Iter.t_Chunks u8) - (done, out, sampled_coefficients - <: - (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize)) + (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) (fun temp_0_ random_bytes -> - let done, out, sampled_coefficients:(bool & t_Array i32 (Rust_primitives.mk_usize 263) & - usize) = - temp_0_ - in + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in let random_bytes:t_Slice u8 = random_bytes in if ~.done <: bool then @@ -135,7 +111,7 @@ let rejection_sample_less_than_eta_equals_4_ <: t_Slice i32) in - let out:t_Array i32 (Rust_primitives.mk_usize 263) = + let out:t_Array i32 (sz 263) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out ({ Core.Ops.Range.f_start = sampled_coefficients } <: 
@@ -147,22 +123,12 @@ let rejection_sample_less_than_eta_equals_4_ if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT then let done:bool = true in - done, out, sampled_coefficients - <: - (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) - else - done, out, sampled_coefficients - <: - (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) - else - done, out, sampled_coefficients - <: - (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize)) + done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) in let hax_temp_output:bool = done in - sampled_coefficients, out, hax_temp_output - <: - (usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) + sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) let rejection_sample_less_than_eta (#v_SIMDUnit: Type0) 
@@ -172,39 +138,38 @@ let rejection_sample_less_than_eta Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (randomness: t_Slice u8) (sampled: usize) - (out: t_Array i32 (Rust_primitives.mk_usize 263)) + (out: t_Array i32 (sz 263)) = - let (out, sampled), hax_temp_output:((t_Array i32 (Rust_primitives.mk_usize 263) & usize) & bool) - = + let (out, sampled), hax_temp_output:((t_Array i32 (sz 263) & usize) & bool) = match cast (v_ETA <: usize) <: u8 with - | 2 -> - let tmp0, tmp1, out1:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + | 2uy -> + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit randomness sampled out in let sampled:usize = tmp0 in - let out:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in - (out, sampled <: (t_Array i32 (Rust_primitives.mk_usize 263) & usize)), out1 + let out:t_Array i32 (sz 263) = tmp1 in + (out, sampled <: (t_Array i32 (sz 263) & usize)), out1 <: - ((t_Array i32 (Rust_primitives.mk_usize 263) & usize) & bool) - | 4 -> - let tmp0, tmp1, out1:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + ((t_Array i32 (sz 263) & usize) & bool) + | 4uy -> + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit randomness sampled out in let sampled:usize = tmp0 in - let out:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in - (out, sampled <: (t_Array i32 (Rust_primitives.mk_usize 263) & usize)), out1 + let out:t_Array i32 (sz 263) = tmp1 in + (out, sampled <: (t_Array i32 (sz 263) & usize)), out1 <: - ((t_Array i32 (Rust_primitives.mk_usize 263) & usize) & bool) + ((t_Array i32 (sz 263) & usize) & bool) | _ -> - (out, sampled <: (t_Array i32 (Rust_primitives.mk_usize 263) & usize)), + (out, sampled <: (t_Array i32 (sz 263) & usize)), Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" <: Rust_primitives.Hax.t_Never) <: - ((t_Array i32 
(Rust_primitives.mk_usize 263) & usize) & bool) + ((t_Array i32 (sz 263) & usize) & bool) in - sampled, out, hax_temp_output <: (usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) + sampled, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) let rejection_sample_less_than_field_modulus (#v_SIMDUnit: Type0) @@ -213,26 +178,19 @@ let rejection_sample_less_than_field_modulus Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (randomness: t_Slice u8) (sampled_coefficients: usize) - (out: t_Array i32 (Rust_primitives.mk_usize 263)) + (out: t_Array i32 (sz 263)) = let done:bool = false in - let done, out, sampled_coefficients:(bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) = + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks u8) #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__chunks #u8 randomness (Rust_primitives.mk_usize 24) - <: - Core.Slice.Iter.t_Chunks u8) + (Core.Slice.impl__chunks #u8 randomness (sz 24) <: Core.Slice.Iter.t_Chunks u8) <: Core.Slice.Iter.t_Chunks u8) - (done, out, sampled_coefficients - <: - (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize)) + (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) (fun temp_0_ random_bytes -> - let done, out, sampled_coefficients:(bool & t_Array i32 (Rust_primitives.mk_usize 263) & - usize) = - temp_0_ - in + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in let random_bytes:t_Slice u8 = random_bytes in if ~.done <: bool then @@ -246,7 +204,7 @@ let rejection_sample_less_than_field_modulus <: t_Slice i32) in - let out:t_Array i32 (Rust_primitives.mk_usize 263) = + let out:t_Array i32 (sz 263) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out ({ Core.Ops.Range.f_start = sampled_coefficients } <: 
@@ -258,95 +216,61 @@ let rejection_sample_less_than_field_modulus if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT then let done:bool = true in - done, out, sampled_coefficients - <: - (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) - else - done, out, sampled_coefficients - <: - (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) - else - done, out, sampled_coefficients - <: - (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize)) + done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) in let hax_temp_output:bool = done in - sampled_coefficients, out, hax_temp_output - <: - (usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) + sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) let inside_out_shuffle (randomness: t_Slice u8) (out_index: usize) (signs: u64) - (result: t_Array i32 (Rust_primitives.mk_usize 256)) + (result: t_Array i32 (sz 256)) = let done:bool = false in - let done, out_index, result, signs:(bool & usize & t_Array i32 (Rust_primitives.mk_usize 256) & - u64) = + let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) #FStar.Tactics.Typeclasses.solve randomness <: Core.Slice.Iter.t_Iter u8) - (done, out_index, result, signs - <: - (bool & usize & t_Array i32 (Rust_primitives.mk_usize 256) & u64)) + (done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) (fun temp_0_ byte -> - let done, out_index, result, signs:(bool & usize & - t_Array i32 (Rust_primitives.mk_usize 256) & - u64) = + let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = temp_0_ in let byte:u8 = byte in if ~.done <: bool then let sample_at:usize = cast 
(byte <: u8) <: usize in - let out_index, result, signs:(usize & t_Array i32 (Rust_primitives.mk_usize 256) & u64) - = + let out_index, result, signs:(usize & t_Array i32 (sz 256) & u64) = if sample_at <=. out_index then - let result:t_Array i32 (Rust_primitives.mk_usize 256) = + let result:t_Array i32 (sz 256) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result out_index (result.[ sample_at ] <: i32) in - let out_index:usize = out_index +! Rust_primitives.mk_usize 1 in - let result:t_Array i32 (Rust_primitives.mk_usize 256) = + let out_index:usize = out_index +! sz 1 in + let result:t_Array i32 (sz 256) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result sample_at - (Rust_primitives.mk_i32 1 -! - (Rust_primitives.mk_i32 2 *! - (cast (signs &. Rust_primitives.mk_u64 1 <: u64) <: i32) - <: - i32) - <: - i32) + (1l -! (2l *! (cast (signs &. 1uL <: u64) <: i32) <: i32) <: i32) in - let signs:u64 = signs >>! Rust_primitives.mk_i32 1 in - out_index, result, signs - <: - (usize & t_Array i32 (Rust_primitives.mk_usize 256) & u64) - else - out_index, result, signs - <: - (usize & t_Array i32 (Rust_primitives.mk_usize 256) & u64) + let signs:u64 = signs >>! 1l in + out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) + else out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) in let done:bool = out_index =. 
(Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) in - done, out_index, result, signs - <: - (bool & usize & t_Array i32 (Rust_primitives.mk_usize 256) & u64) - else - done, out_index, result, signs - <: - (bool & usize & t_Array i32 (Rust_primitives.mk_usize 256) & u64)) + done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64) + else done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) in let hax_temp_output:bool = done in - out_index, signs, result, hax_temp_output - <: - (usize & u64 & t_Array i32 (Rust_primitives.mk_usize 256) & bool) + out_index, signs, result, hax_temp_output <: (usize & u64 & t_Array i32 (sz 256) & bool) let sample_challenge_ring_element (#v_SIMDUnit #v_Shake256: Type0) 
@@ -364,42 +288,35 @@ let sample_challenge_ring_element #FStar.Tactics.Typeclasses.solve (seed <: t_Slice u8) in - let tmp0, out:(v_Shake256 & t_Array u8 (Rust_primitives.mk_usize 136)) = + let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) = Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block #v_Shake256 #FStar.Tactics.Typeclasses.solve state in let state:v_Shake256 = tmp0 in - let randomness:t_Array u8 (Rust_primitives.mk_usize 136) = out in + let randomness:t_Array u8 (sz 136) = out in let signs:u64 = - Core.Num.impl__u64__from_le_bytes (Core.Result.impl__unwrap #(t_Array u8 - (Rust_primitives.mk_usize 8)) + Core.Num.impl__u64__from_le_bytes (Core.Result.impl__unwrap #(t_Array u8 (sz 8)) #Core.Array.t_TryFromSliceError (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (Rust_primitives.mk_usize 8)) + #(t_Array u8 (sz 8)) #FStar.Tactics.Typeclasses.solve - (randomness.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 8 - } + (randomness.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } <: Core.Ops.Range.t_Range usize ] <: t_Slice u8) <: - Core.Result.t_Result (t_Array u8 (Rust_primitives.mk_usize 8)) - Core.Array.t_TryFromSliceError) + Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError) <: - t_Array u8 (Rust_primitives.mk_usize 8)) - in - let result:t_Array i32 (Rust_primitives.mk_usize 256) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 256) + t_Array u8 (sz 8)) in + let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in let out_index:usize = (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) -! 
v_NUMBER_OF_ONES in - let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (Rust_primitives.mk_usize 256) & bool) = - inside_out_shuffle (randomness.[ { Core.Ops.Range.f_start = Rust_primitives.mk_usize 8 } + let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) = + inside_out_shuffle (randomness.[ { Core.Ops.Range.f_start = sz 8 } <: Core.Ops.Range.t_RangeFrom usize ] <: 
@@ -410,48 +327,41 @@ let sample_challenge_ring_element in let out_index:usize = tmp0 in let signs:u64 = tmp1 in - let result:t_Array i32 (Rust_primitives.mk_usize 256) = tmp2 in + let result:t_Array i32 (sz 256) = tmp2 in let done:bool = out in - let done, out_index, result, signs, state:(bool & usize & - t_Array i32 (Rust_primitives.mk_usize 256) & - u64 & - v_Shake256) = + let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256) + = Rust_primitives.f_while_loop (fun temp_0_ -> - let done, out_index, result, signs, state:(bool & usize & - t_Array i32 (Rust_primitives.mk_usize 256) & - u64 & + let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256) = temp_0_ in ~.done <: bool) (done, out_index, result, signs, state <: - (bool & usize & t_Array i32 (Rust_primitives.mk_usize 256) & u64 & v_Shake256)) + (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256)) (fun temp_0_ -> - let done, out_index, result, signs, state:(bool & usize & - t_Array i32 (Rust_primitives.mk_usize 256) & - u64 & + let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256) = temp_0_ in - let tmp0, out:(v_Shake256 & t_Array u8 (Rust_primitives.mk_usize 136)) = + let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) = Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block #v_Shake256 #FStar.Tactics.Typeclasses.solve state in let state:v_Shake256 = tmp0 in - let randomness:t_Array u8 (Rust_primitives.mk_usize 136) = out in - let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (Rust_primitives.mk_usize 256) & bool - ) = + let randomness:t_Array u8 (sz 136) = out in + let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) = inside_out_shuffle (randomness <: t_Slice u8) out_index signs result in let out_index:usize = tmp0 in let signs:u64 = tmp1 in - let result:t_Array i32 (Rust_primitives.mk_usize 256) = tmp2 in + let result:t_Array i32 (sz 256) = tmp2 in 
let done:bool = out in done, out_index, result, signs, state <: - (bool & usize & t_Array i32 (Rust_primitives.mk_usize 256) & u64 & v_Shake256)) + (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256)) in Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (result <: t_Slice i32) 
@@ -464,52 +374,52 @@ let sample_four_error_ring_elements (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256) - (seed_base: t_Array u8 (Rust_primitives.mk_usize 66)) + (seed_base: t_Array u8 (sz 66)) (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) = - let seed0:t_Array u8 (Rust_primitives.mk_usize 66) = seed_base in - let seed0:t_Array u8 (Rust_primitives.mk_usize 66) = + let seed0:t_Array u8 (sz 66) = seed_base in + let seed0:t_Array u8 (sz 66) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 - (Rust_primitives.mk_usize 64) + (sz 64) (cast (domain_separator0 <: u16) <: u8) in - let seed0:t_Array u8 (Rust_primitives.mk_usize 66) = + let seed0:t_Array u8 (sz 66) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 - (Rust_primitives.mk_usize 65) - (cast (domain_separator0 >>! Rust_primitives.mk_i32 8 <: u16) <: u8) + (sz 65) + (cast (domain_separator0 >>! 8l <: u16) <: u8) in - let seed1:t_Array u8 (Rust_primitives.mk_usize 66) = seed0 in - let seed1:t_Array u8 (Rust_primitives.mk_usize 66) = + let seed1:t_Array u8 (sz 66) = seed0 in + let seed1:t_Array u8 (sz 66) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 - (Rust_primitives.mk_usize 64) + (sz 64) (cast (domain_separator1 <: u16) <: u8) in - let seed1:t_Array u8 (Rust_primitives.mk_usize 66) = + let seed1:t_Array u8 (sz 66) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 - (Rust_primitives.mk_usize 65) - (cast (domain_separator1 >>! Rust_primitives.mk_i32 8 <: u16) <: u8) + (sz 65) + (cast (domain_separator1 >>! 
8l <: u16) <: u8) in - let seed2:t_Array u8 (Rust_primitives.mk_usize 66) = seed0 in - let seed2:t_Array u8 (Rust_primitives.mk_usize 66) = + let seed2:t_Array u8 (sz 66) = seed0 in + let seed2:t_Array u8 (sz 66) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 - (Rust_primitives.mk_usize 64) + (sz 64) (cast (domain_seperator2 <: u16) <: u8) in - let seed2:t_Array u8 (Rust_primitives.mk_usize 66) = + let seed2:t_Array u8 (sz 66) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 - (Rust_primitives.mk_usize 65) - (cast (domain_seperator2 >>! Rust_primitives.mk_i32 8 <: u16) <: u8) + (sz 65) + (cast (domain_seperator2 >>! 8l <: u16) <: u8) in - let seed3:t_Array u8 (Rust_primitives.mk_usize 66) = seed0 in - let seed3:t_Array u8 (Rust_primitives.mk_usize 66) = + let seed3:t_Array u8 (sz 66) = seed0 in + let seed3:t_Array u8 (sz 66) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 - (Rust_primitives.mk_usize 64) + (sz 64) (cast (domain_separator3 <: u16) <: u8) in - let seed3:t_Array u8 (Rust_primitives.mk_usize 66) = + let seed3:t_Array u8 (sz 66) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 - (Rust_primitives.mk_usize 65) - (cast (domain_separator3 >>! Rust_primitives.mk_i32 8 <: u16) <: u8) + (sz 65) + (cast (domain_separator3 >>! 8l <: u16) <: u8) in let state:v_Shake256 = Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb #v_Shake256 
@@ -520,66 +430,52 @@ let sample_four_error_ring_elements (seed3 <: t_Slice u8) in let tmp0, out4:(v_Shake256 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136))) = + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block #v_Shake256 #FStar.Tactics.Typeclasses.solve state in let state:v_Shake256 = tmp0 in - let randomnesses:(t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = out4 in - let out0:t_Array i32 (Rust_primitives.mk_usize 263) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 263) - in - let out1:t_Array i32 (Rust_primitives.mk_usize 263) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 263) - in - let out2:t_Array i32 (Rust_primitives.mk_usize 263) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 263) - in - let out3:t_Array i32 (Rust_primitives.mk_usize 263) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 263) - in - let sampled0:usize = Rust_primitives.mk_usize 0 in - let sampled1:usize = Rust_primitives.mk_usize 0 in - let sampled2:usize = Rust_primitives.mk_usize 0 in - let sampled3:usize = Rust_primitives.mk_usize 0 in - let tmp0, tmp1, out4:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let out0:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let out1:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let out2:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let out3:t_Array i32 
(sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let sampled0:usize = sz 0 in + let sampled1:usize = sz 0 in + let sampled2:usize = sz 0 in + let sampled3:usize = sz 0 in + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._1 <: t_Slice u8) sampled0 out0 in let sampled0:usize = tmp0 in - let out0:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let out0:t_Array i32 (sz 263) = tmp1 in let done0:bool = out4 in - let tmp0, tmp1, out4:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._2 <: t_Slice u8) sampled1 out1 in let sampled1:usize = tmp0 in - let out1:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let out1:t_Array i32 (sz 263) = tmp1 in let done1:bool = out4 in - let tmp0, tmp1, out4:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._3 <: t_Slice u8) sampled2 out2 in let sampled2:usize = tmp0 in - let out2:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let out2:t_Array i32 (sz 263) = tmp1 in let done2:bool = out4 in - let tmp0, tmp1, out4:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._4 <: t_Slice u8) sampled3 out3 in let sampled3:usize = tmp0 in - let out3:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let out3:t_Array i32 (sz 263) = tmp1 in let done3:bool = out4 in let done0, done1, done2, done3, out0, out1, out2, out3, sampled0, sampled1, sampled2, sampled3, state:( - bool & bool & bool & bool & t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array 
i32 (Rust_primitives.mk_usize 263) & + bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & usize & usize & usize & @@ -599,10 +495,9 @@ let sample_four_error_ring_elements sampled1, sampled2, sampled3, - state:(bool & bool & bool & bool & t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & + state:(bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & usize & usize & usize & @@ -625,10 +520,9 @@ let sample_four_error_ring_elements sampled3, state <: - (bool & bool & bool & bool & t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & + (bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & usize & usize & usize & @@ -648,10 +542,9 @@ let sample_four_error_ring_elements sampled1, sampled2, sampled3, - state:(bool & bool & bool & bool & t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & + state:(bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & usize & usize & usize & 
@@ -660,24 +553,21 @@ let sample_four_error_ring_elements temp_0_ in let tmp0, out4:(v_Shake256 & - (t_Array u8 (Rust_primitives.mk_usize 136) & t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136))) = + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + = Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block #v_Shake256 #FStar.Tactics.Typeclasses.solve state in let state:v_Shake256 = tmp0 in - let randomnesses:(t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136) & - t_Array u8 (Rust_primitives.mk_usize 136)) = + let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = out4 in - let done0, out0, sampled0:(bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) = + let done0, out0, sampled0:(bool & t_Array i32 (sz 263) & usize) = if ~.done0 then - let tmp0, tmp1, out4:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._1 <: t_Slice u8) 
@@ -685,16 +575,15 @@ let sample_four_error_ring_elements out0 in let sampled0:usize = tmp0 in - let out0:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let out0:t_Array i32 (sz 263) = tmp1 in let done0:bool = out4 in - done0, out0, sampled0 <: (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) - else - done0, out0, sampled0 <: (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) + done0, out0, sampled0 <: (bool & t_Array i32 (sz 263) & usize) + else done0, out0, sampled0 <: (bool & t_Array i32 (sz 263) & usize) in - let done1, out1, sampled1:(bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) = + let done1, out1, sampled1:(bool & t_Array i32 (sz 263) & usize) = if ~.done1 then - let tmp0, tmp1, out4:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._2 <: t_Slice u8) @@ -702,16 +591,15 @@ let sample_four_error_ring_elements out1 in let sampled1:usize = tmp0 in - let out1:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let out1:t_Array i32 (sz 263) = tmp1 in let done1:bool = out4 in - done1, out1, sampled1 <: (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) - else - done1, out1, sampled1 <: (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) + done1, out1, sampled1 <: (bool & t_Array i32 (sz 263) & usize) + else done1, out1, sampled1 <: (bool & t_Array i32 (sz 263) & usize) in - let done2, out2, sampled2:(bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) = + let done2, out2, sampled2:(bool & t_Array i32 (sz 263) & usize) = if ~.done2 then - let tmp0, tmp1, out4:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._3 <: t_Slice u8) 
@@ -719,15 +607,14 @@ let sample_four_error_ring_elements out2 in let sampled2:usize = tmp0 in - let out2:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let out2:t_Array i32 (sz 263) = tmp1 in let done2:bool = out4 in - done2, out2, sampled2 <: (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) - else - done2, out2, sampled2 <: (bool & t_Array i32 (Rust_primitives.mk_usize 263) & usize) + done2, out2, sampled2 <: (bool & t_Array i32 (sz 263) & usize) + else done2, out2, sampled2 <: (bool & t_Array i32 (sz 263) & usize) in if ~.done3 then - let tmp0, tmp1, out4:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._4 <: t_Slice u8) @@ -735,7 +622,7 @@ let sample_four_error_ring_elements out3 in let sampled3:usize = tmp0 in - let out3:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let out3:t_Array i32 (sz 263) = tmp1 in let done3:bool = out4 in done0, done1, @@ -751,10 +638,9 @@ let sample_four_error_ring_elements sampled3, state <: - (bool & bool & bool & bool & t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & + (bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & usize & usize & usize & @@ -775,10 +661,9 @@ let sample_four_error_ring_elements sampled3, state <: - (bool & bool & bool & bool & t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & + (bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & usize & usize & usize & 
@@ -803,51 +688,51 @@ let sample_four_ring_elements (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128) - (seed0: t_Array u8 (Rust_primitives.mk_usize 34)) + (seed0: t_Array u8 (sz 34)) (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) = - let seed0:t_Array u8 (Rust_primitives.mk_usize 34) = + let seed0:t_Array u8 (sz 34) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 - (Rust_primitives.mk_usize 32) + (sz 32) (cast (domain_separator0 <: u16) <: u8) in - let seed0:t_Array u8 (Rust_primitives.mk_usize 34) = + let seed0:t_Array u8 (sz 34) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 - (Rust_primitives.mk_usize 33) - (cast (domain_separator0 >>! Rust_primitives.mk_i32 8 <: u16) <: u8) + (sz 33) + (cast (domain_separator0 >>! 8l <: u16) <: u8) in - let seed1:t_Array u8 (Rust_primitives.mk_usize 34) = seed0 in - let seed1:t_Array u8 (Rust_primitives.mk_usize 34) = + let seed1:t_Array u8 (sz 34) = seed0 in + let seed1:t_Array u8 (sz 34) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 - (Rust_primitives.mk_usize 32) + (sz 32) (cast (domain_separator1 <: u16) <: u8) in - let seed1:t_Array u8 (Rust_primitives.mk_usize 34) = + let seed1:t_Array u8 (sz 34) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 - (Rust_primitives.mk_usize 33) - (cast (domain_separator1 >>! Rust_primitives.mk_i32 8 <: u16) <: u8) + (sz 33) + (cast (domain_separator1 >>! 
8l <: u16) <: u8) in - let seed2:t_Array u8 (Rust_primitives.mk_usize 34) = seed0 in - let seed2:t_Array u8 (Rust_primitives.mk_usize 34) = + let seed2:t_Array u8 (sz 34) = seed0 in + let seed2:t_Array u8 (sz 34) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 - (Rust_primitives.mk_usize 32) + (sz 32) (cast (domain_seperator2 <: u16) <: u8) in - let seed2:t_Array u8 (Rust_primitives.mk_usize 34) = + let seed2:t_Array u8 (sz 34) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 - (Rust_primitives.mk_usize 33) - (cast (domain_seperator2 >>! Rust_primitives.mk_i32 8 <: u16) <: u8) + (sz 33) + (cast (domain_seperator2 >>! 8l <: u16) <: u8) in - let seed3:t_Array u8 (Rust_primitives.mk_usize 34) = seed0 in - let seed3:t_Array u8 (Rust_primitives.mk_usize 34) = + let seed3:t_Array u8 (sz 34) = seed0 in + let seed3:t_Array u8 (sz 34) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 - (Rust_primitives.mk_usize 32) + (sz 32) (cast (domain_separator3 <: u16) <: u8) in - let seed3:t_Array u8 (Rust_primitives.mk_usize 34) = + let seed3:t_Array u8 (sz 34) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 - (Rust_primitives.mk_usize 33) - (cast (domain_separator3 >>! Rust_primitives.mk_i32 8 <: u16) <: u8) + (sz 33) + (cast (domain_separator3 >>! 8l <: u16) <: u8) in let state:v_Shake128 = Libcrux_ml_dsa.Hash_functions.Shake128.f_init_absorb #v_Shake128 
@@ -857,22 +742,13 @@ let sample_four_ring_elements (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) in - let randomness0:t_Array u8 (Rust_primitives.mk_usize 840) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 840) - in - let randomness1:t_Array u8 (Rust_primitives.mk_usize 840) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 840) - in - let randomness2:t_Array u8 (Rust_primitives.mk_usize 840) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 840) - in - let randomness3:t_Array u8 (Rust_primitives.mk_usize 840) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 840) - in - let tmp0, tmp1, tmp2, tmp3, tmp4:(v_Shake128 & t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840) & - t_Array u8 (Rust_primitives.mk_usize 840)) = + let randomness0:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let randomness1:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let randomness2:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let randomness3:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let tmp0, tmp1, tmp2, tmp3, tmp4:(v_Shake128 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_first_five_blocks #v_Shake128 #FStar.Tactics.Typeclasses.solve state 
@@ -882,62 +758,54 @@ let sample_four_ring_elements randomness3 in let state:v_Shake128 = tmp0 in - let randomness0:t_Array u8 (Rust_primitives.mk_usize 840) = tmp1 in - let randomness1:t_Array u8 (Rust_primitives.mk_usize 840) = tmp2 in - let randomness2:t_Array u8 (Rust_primitives.mk_usize 840) = tmp3 in - let randomness3:t_Array u8 (Rust_primitives.mk_usize 840) = tmp4 in + let randomness0:t_Array u8 (sz 840) = tmp1 in + let randomness1:t_Array u8 (sz 840) = tmp2 in + let randomness2:t_Array u8 (sz 840) = tmp3 in + let randomness3:t_Array u8 (sz 840) = tmp4 in let _:Prims.unit = () in - let coefficients0:t_Array i32 (Rust_primitives.mk_usize 263) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 263) - in - let coefficients1:t_Array i32 (Rust_primitives.mk_usize 263) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 263) - in - let coefficients2:t_Array i32 (Rust_primitives.mk_usize 263) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 263) - in - let coefficients3:t_Array i32 (Rust_primitives.mk_usize 263) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 263) - in - let sampled0:usize = Rust_primitives.mk_usize 0 in - let sampled1:usize = Rust_primitives.mk_usize 0 in - let sampled2:usize = Rust_primitives.mk_usize 0 in - let sampled3:usize = Rust_primitives.mk_usize 0 in - let tmp0, tmp1, out:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let coefficients0:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let coefficients1:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let coefficients2:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let coefficients3:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let sampled0:usize = sz 0 in + let sampled1:usize = sz 0 in + let sampled2:usize = sz 0 in + let sampled3:usize = sz 0 in + let tmp0, 
tmp1, out:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_field_modulus #v_SIMDUnit (randomness0 <: t_Slice u8) sampled0 coefficients0 in let sampled0:usize = tmp0 in - let coefficients0:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let coefficients0:t_Array i32 (sz 263) = tmp1 in let done0:bool = out in - let tmp0, tmp1, out:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_field_modulus #v_SIMDUnit (randomness1 <: t_Slice u8) sampled1 coefficients1 in let sampled1:usize = tmp0 in - let coefficients1:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let coefficients1:t_Array i32 (sz 263) = tmp1 in let done1:bool = out in - let tmp0, tmp1, out:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_field_modulus #v_SIMDUnit (randomness2 <: t_Slice u8) sampled2 coefficients2 in let sampled2:usize = tmp0 in - let coefficients2:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let coefficients2:t_Array i32 (sz 263) = tmp1 in let done2:bool = out in - let tmp0, tmp1, out:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_field_modulus #v_SIMDUnit (randomness3 <: t_Slice u8) sampled3 coefficients3 in let sampled3:usize = tmp0 in - let coefficients3:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let coefficients3:t_Array i32 (sz 263) = tmp1 in let done3:bool = out in let coefficients0, 
@@ -952,9 +820,7 @@ let sample_four_ring_elements sampled1, sampled2, sampled3, - state:(t_Array i32 (Rust_primitives.mk_usize 263) & t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & + state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & bool & bool & bool & @@ -978,10 +844,8 @@ let sample_four_ring_elements sampled1, sampled2, sampled3, - state:(t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & + state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & bool & bool & bool & @@ -1008,9 +872,7 @@ let sample_four_ring_elements sampled3, state <: - (t_Array i32 (Rust_primitives.mk_usize 263) & t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & + (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & bool & bool & bool & @@ -1034,10 +896,8 @@ let sample_four_ring_elements sampled1, sampled2, sampled3, - state:(t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & + state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & bool & bool & bool & 
@@ -1050,93 +910,72 @@ let sample_four_ring_elements temp_0_ in let tmp0, out:(v_Shake128 & - (t_Array u8 (Rust_primitives.mk_usize 168) & t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168))) = + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + = Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_next_block #v_Shake128 #FStar.Tactics.Typeclasses.solve state in let state:v_Shake128 = tmp0 in - let randomnesses:(t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168) & - t_Array u8 (Rust_primitives.mk_usize 168)) = + let randomnesses:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = out in - let coefficients0, done0, sampled0:(t_Array i32 (Rust_primitives.mk_usize 263) & bool & - usize) = + let coefficients0, done0, sampled0:(t_Array i32 (sz 263) & bool & usize) = if ~.done0 then - let tmp0, tmp1, out:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_field_modulus #v_SIMDUnit (randomnesses._1 <: t_Slice u8) sampled0 coefficients0 in let sampled0:usize = tmp0 in - let coefficients0:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let coefficients0:t_Array i32 (sz 263) = tmp1 in let done0:bool = out in - coefficients0, done0, sampled0 - <: - (t_Array i32 (Rust_primitives.mk_usize 263) & bool & usize) - else - coefficients0, done0, sampled0 - <: - (t_Array i32 (Rust_primitives.mk_usize 263) & bool & usize) + coefficients0, done0, sampled0 <: (t_Array i32 (sz 263) & bool & usize) + else coefficients0, done0, sampled0 <: (t_Array i32 (sz 263) & bool & usize) in - let coefficients1, done1, sampled1:(t_Array i32 (Rust_primitives.mk_usize 263) & bool & - usize) = + let coefficients1, done1, sampled1:(t_Array i32 (sz 263) & bool & 
usize) = if ~.done1 then - let tmp0, tmp1, out:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_field_modulus #v_SIMDUnit (randomnesses._2 <: t_Slice u8) sampled1 coefficients1 in let sampled1:usize = tmp0 in - let coefficients1:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let coefficients1:t_Array i32 (sz 263) = tmp1 in let done1:bool = out in - coefficients1, done1, sampled1 - <: - (t_Array i32 (Rust_primitives.mk_usize 263) & bool & usize) - else - coefficients1, done1, sampled1 - <: - (t_Array i32 (Rust_primitives.mk_usize 263) & bool & usize) + coefficients1, done1, sampled1 <: (t_Array i32 (sz 263) & bool & usize) + else coefficients1, done1, sampled1 <: (t_Array i32 (sz 263) & bool & usize) in - let coefficients2, done2, sampled2:(t_Array i32 (Rust_primitives.mk_usize 263) & bool & - usize) = + let coefficients2, done2, sampled2:(t_Array i32 (sz 263) & bool & usize) = if ~.done2 then - let tmp0, tmp1, out:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = rejection_sample_less_than_field_modulus #v_SIMDUnit (randomnesses._3 <: t_Slice u8) sampled2 coefficients2 in let sampled2:usize = tmp0 in - let coefficients2:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let coefficients2:t_Array i32 (sz 263) = tmp1 in let done2:bool = out in - coefficients2, done2, sampled2 - <: - (t_Array i32 (Rust_primitives.mk_usize 263) & bool & usize) - else - coefficients2, done2, sampled2 - <: - (t_Array i32 (Rust_primitives.mk_usize 263) & bool & usize) + coefficients2, done2, sampled2 <: (t_Array i32 (sz 263) & bool & usize) + else coefficients2, done2, sampled2 <: (t_Array i32 (sz 263) & bool & usize) in if ~.done3 then - let tmp0, tmp1, out:(usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) = + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = 
rejection_sample_less_than_field_modulus #v_SIMDUnit (randomnesses._4 <: t_Slice u8) sampled3 coefficients3 in let sampled3:usize = tmp0 in - let coefficients3:t_Array i32 (Rust_primitives.mk_usize 263) = tmp1 in + let coefficients3:t_Array i32 (sz 263) = tmp1 in let done3:bool = out in coefficients0, coefficients1, @@ -1152,9 +991,8 @@ let sample_four_ring_elements sampled3, state <: - (t_Array i32 (Rust_primitives.mk_usize 263) & t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & + (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & bool & bool & bool & @@ -1179,9 +1017,8 @@ let sample_four_ring_elements sampled3, state <: - (t_Array i32 (Rust_primitives.mk_usize 263) & t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & - t_Array i32 (Rust_primitives.mk_usize 263) & + (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & bool & bool & bool & 
@@ -1211,29 +1048,25 @@ let sample_mask_ring_element (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) - (seed: t_Array u8 (Rust_primitives.mk_usize 66)) + (seed: t_Array u8 (sz 66)) = match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with - | 17 -> - let out:t_Array u8 (Rust_primitives.mk_usize 576) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 576) - in - let out:t_Array u8 (Rust_primitives.mk_usize 576) = + | 17uy -> + let out:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out:t_Array u8 (sz 576) = Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 #FStar.Tactics.Typeclasses.solve - (Rust_primitives.mk_usize 576) + (sz 576) (seed <: t_Slice u8) out in Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out <: t_Slice u8) - | 19 -> - let out:t_Array u8 (Rust_primitives.mk_usize 640) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 640) - in - let out:t_Array u8 (Rust_primitives.mk_usize 640) = + | 19uy -> + let out:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out:t_Array u8 (sz 640) = Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 #FStar.Tactics.Typeclasses.solve - (Rust_primitives.mk_usize 640) + (sz 640) (seed <: t_Slice u8) out in @@ -1256,7 +1089,7 @@ let sample_mask_vector (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (seed: t_Array u8 (Rust_primitives.mk_usize 66)) + (seed: t_Array u8 (sz 66)) (domain_separator: u16) = let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = 
@@ -1269,63 +1102,44 @@ let sample_mask_vector if true then let _:Prims.unit = - Hax_lib.v_assert ((v_DIMENSION =. Rust_primitives.mk_usize 4 <: bool) || - (v_DIMENSION =. Rust_primitives.mk_usize 5 <: bool) || - (v_DIMENSION =. Rust_primitives.mk_usize 7 <: bool)) + Hax_lib.v_assert ((v_DIMENSION =. sz 4 <: bool) || (v_DIMENSION =. sz 5 <: bool) || + (v_DIMENSION =. sz 7 <: bool)) in () in - let tmp0, out4:(u16 & t_Array u8 (Rust_primitives.mk_usize 66)) = - update_seed seed domain_separator - in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in let domain_separator:u16 = tmp0 in - let seed0:t_Array u8 (Rust_primitives.mk_usize 66) = out4 in - let tmp0, out4:(u16 & t_Array u8 (Rust_primitives.mk_usize 66)) = - update_seed seed domain_separator - in + let seed0:t_Array u8 (sz 66) = out4 in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in let domain_separator:u16 = tmp0 in - let seed1:t_Array u8 (Rust_primitives.mk_usize 66) = out4 in - let tmp0, out4:(u16 & t_Array u8 (Rust_primitives.mk_usize 66)) = - update_seed seed domain_separator - in + let seed1:t_Array u8 (sz 66) = out4 in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in let domain_separator:u16 = tmp0 in - let seed2:t_Array u8 (Rust_primitives.mk_usize 66) = out4 in - let tmp0, out4:(u16 & t_Array u8 (Rust_primitives.mk_usize 66)) = - update_seed seed domain_separator - in + let seed2:t_Array u8 (sz 66) = out4 in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in let domain_separator:u16 = tmp0 in - let seed3:t_Array u8 (Rust_primitives.mk_usize 66) = out4 in + let seed3:t_Array u8 (sz 66) = out4 in let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with - | 17 -> - let out0:t_Array u8 (Rust_primitives.mk_usize 576) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) 
(Rust_primitives.mk_usize 576) - in - let out1:t_Array u8 (Rust_primitives.mk_usize 576) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 576) - in - let out2:t_Array u8 (Rust_primitives.mk_usize 576) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 576) - in - let out3:t_Array u8 (Rust_primitives.mk_usize 576) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 576) - in - let tmp0, tmp1, tmp2, tmp3:(t_Array u8 (Rust_primitives.mk_usize 576) & - t_Array u8 (Rust_primitives.mk_usize 576) & - t_Array u8 (Rust_primitives.mk_usize 576) & - t_Array u8 (Rust_primitives.mk_usize 576)) = + | 17uy -> + let out0:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out1:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out2:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out3:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let tmp0, tmp1, tmp2, tmp3:(t_Array u8 (sz 576) & t_Array u8 (sz 576) & t_Array u8 (sz 576) & + t_Array u8 (sz 576)) = Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256X4 - #FStar.Tactics.Typeclasses.solve (Rust_primitives.mk_usize 576) (seed0 <: t_Slice u8) - (seed1 <: t_Slice u8) (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) out0 out1 out2 out3 + #FStar.Tactics.Typeclasses.solve (sz 576) (seed0 <: t_Slice u8) (seed1 <: t_Slice u8) + (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) out0 out1 out2 out3 in - let out0:t_Array u8 (Rust_primitives.mk_usize 576) = tmp0 in - let out1:t_Array u8 (Rust_primitives.mk_usize 576) = tmp1 in - let out2:t_Array u8 (Rust_primitives.mk_usize 576) = tmp2 in - let out3:t_Array u8 (Rust_primitives.mk_usize 576) = tmp3 in + let out0:t_Array u8 (sz 576) = tmp0 in + let out1:t_Array u8 (sz 576) = tmp1 in + let out2:t_Array u8 (sz 576) = tmp2 in + let out3:t_Array u8 (sz 576) = tmp3 in let _:Prims.unit = () in let mask:t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask - (Rust_primitives.mk_usize 0) + (sz 0) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out0 <: t_Slice u8) @@ -1334,7 +1148,7 @@ let sample_mask_vector in let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask - (Rust_primitives.mk_usize 1) + (sz 1) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out1 <: t_Slice u8) @@ -1343,7 +1157,7 @@ let sample_mask_vector in let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask - (Rust_primitives.mk_usize 2) + (sz 2) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out2 <: t_Slice u8) @@ -1352,7 +1166,7 @@ let sample_mask_vector in let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask - (Rust_primitives.mk_usize 3) + (sz 3) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out3 <: t_Slice u8) 
@@ -1360,35 +1174,25 @@ let sample_mask_vector Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) in mask - | 19 -> - let out0:t_Array u8 (Rust_primitives.mk_usize 640) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 640) - in - let out1:t_Array u8 (Rust_primitives.mk_usize 640) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 640) - in - let out2:t_Array u8 (Rust_primitives.mk_usize 640) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 640) - in - let out3:t_Array u8 (Rust_primitives.mk_usize 640) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 640) - in - let tmp0, tmp1, tmp2, tmp3:(t_Array u8 (Rust_primitives.mk_usize 640) & - t_Array u8 (Rust_primitives.mk_usize 640) & - t_Array u8 (Rust_primitives.mk_usize 640) & - t_Array u8 (Rust_primitives.mk_usize 640)) = + | 19uy -> + let out0:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out1:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out2:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out3:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let tmp0, tmp1, tmp2, tmp3:(t_Array u8 (sz 640) & t_Array u8 (sz 640) & t_Array u8 (sz 640) & + t_Array u8 (sz 640)) = Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256X4 - #FStar.Tactics.Typeclasses.solve (Rust_primitives.mk_usize 640) (seed0 <: t_Slice u8) - (seed1 <: t_Slice u8) (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) out0 out1 out2 out3 + #FStar.Tactics.Typeclasses.solve (sz 640) (seed0 <: t_Slice u8) (seed1 <: t_Slice u8) + (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) out0 out1 out2 out3 in - let out0:t_Array u8 (Rust_primitives.mk_usize 640) = tmp0 in - let out1:t_Array u8 (Rust_primitives.mk_usize 640) = tmp1 in - let out2:t_Array u8 (Rust_primitives.mk_usize 640) = tmp2 in - let out3:t_Array u8 (Rust_primitives.mk_usize 640) 
= tmp3 in + let out0:t_Array u8 (sz 640) = tmp0 in + let out1:t_Array u8 (sz 640) = tmp1 in + let out2:t_Array u8 (sz 640) = tmp2 in + let out3:t_Array u8 (sz 640) = tmp3 in let _:Prims.unit = () in let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask - (Rust_primitives.mk_usize 0) + (sz 0) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out0 <: t_Slice u8) @@ -1397,7 +1201,7 @@ let sample_mask_vector in let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask - (Rust_primitives.mk_usize 1) + (sz 1) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out1 <: t_Slice u8) @@ -1406,7 +1210,7 @@ let sample_mask_vector in let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask - (Rust_primitives.mk_usize 2) + (sz 2) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out2 <: t_Slice u8) @@ -1415,7 +1219,7 @@ let sample_mask_vector in let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask - (Rust_primitives.mk_usize 3) + (sz 3) (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out3 <: t_Slice u8) 
@@ -1427,13 +1231,13 @@ let sample_mask_vector in let domain_separator, mask, seed:(u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array u8 (Rust_primitives.mk_usize 66)) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 4) + t_Array u8 (sz 66)) = + Rust_primitives.Hax.Folds.fold_range (sz 4) v_DIMENSION (fun temp_0_ temp_1_ -> let domain_separator, mask, seed:(u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array u8 (Rust_primitives.mk_usize 66)) = + t_Array u8 (sz 66)) = temp_0_ in let _:usize = temp_1_ in @@ -1441,25 +1245,25 @@ let sample_mask_vector (domain_separator, mask, seed <: (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array u8 (Rust_primitives.mk_usize 66))) + t_Array u8 (sz 66))) (fun temp_0_ i -> let domain_separator, mask, seed:(u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array u8 (Rust_primitives.mk_usize 66)) = + t_Array u8 (sz 66)) = temp_0_ in let i:usize = i in - let seed:t_Array u8 (Rust_primitives.mk_usize 66) = + let seed:t_Array u8 (sz 66) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed - (Rust_primitives.mk_usize 64) + (sz 64) (cast (domain_separator <: u16) <: u8) in - let seed:t_Array u8 (Rust_primitives.mk_usize 66) = + let seed:t_Array u8 (sz 66) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed - (Rust_primitives.mk_usize 65) - (cast (domain_separator >>! Rust_primitives.mk_i32 8 <: u16) <: u8) + (sz 65) + (cast (domain_separator >>! 8l <: u16) <: u8) in - let domain_separator:u16 = domain_separator +! Rust_primitives.mk_u16 1 in + let domain_separator:u16 = domain_separator +! 1us in let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask 
@@ -1471,7 +1275,7 @@ let sample_mask_vector domain_separator, mask, seed <: (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & - t_Array u8 (Rust_primitives.mk_usize 66))) + t_Array u8 (sz 66))) in let hax_temp_output:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti index 2b9b97952..a742ab51f 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti 
@@ -11,30 +11,24 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -val update_seed (seed: t_Array u8 (Rust_primitives.mk_usize 66)) (domain_separator: u16) - : Prims.Pure (u16 & t_Array u8 (Rust_primitives.mk_usize 66)) - Prims.l_True - (fun _ -> Prims.l_True) +val update_seed (seed: t_Array u8 (sz 66)) (domain_separator: u16) + : Prims.Pure (u16 & t_Array u8 (sz 66)) Prims.l_True (fun _ -> Prims.l_True) val rejection_sample_less_than_eta_equals_2_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (randomness: t_Slice u8) (sampled_coefficients: usize) - (out: t_Array i32 (Rust_primitives.mk_usize 263)) - : Prims.Pure (usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) - Prims.l_True - (fun _ -> Prims.l_True) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) val rejection_sample_less_than_eta_equals_4_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (randomness: t_Slice u8) (sampled_coefficients: usize) - (out: t_Array i32 (Rust_primitives.mk_usize 263)) - : Prims.Pure (usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) - Prims.l_True - (fun _ -> Prims.l_True) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) val rejection_sample_less_than_eta (#v_SIMDUnit: Type0) 
@@ -42,29 +36,23 @@ val rejection_sample_less_than_eta {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (randomness: t_Slice u8) (sampled: usize) - (out: t_Array i32 (Rust_primitives.mk_usize 263)) - : Prims.Pure (usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) - Prims.l_True - (fun _ -> Prims.l_True) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) val rejection_sample_less_than_field_modulus (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (randomness: t_Slice u8) (sampled_coefficients: usize) - (out: t_Array i32 (Rust_primitives.mk_usize 263)) - : Prims.Pure (usize & t_Array i32 (Rust_primitives.mk_usize 263) & bool) - Prims.l_True - (fun _ -> Prims.l_True) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) val inside_out_shuffle (randomness: t_Slice u8) (out_index: usize) (signs: u64) - (result: t_Array i32 (Rust_primitives.mk_usize 256)) - : Prims.Pure (usize & u64 & t_Array i32 (Rust_primitives.mk_usize 256) & bool) - Prims.l_True - (fun _ -> Prims.l_True) + (result: t_Array i32 (sz 256)) + : Prims.Pure (usize & u64 & t_Array i32 (sz 256) & bool) Prims.l_True (fun _ -> Prims.l_True) val sample_challenge_ring_element (#v_SIMDUnit #v_Shake256: Type0) @@ -81,7 +69,7 @@ val sample_four_error_ring_elements (v_ETA: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256 |} - (seed_base: t_Array u8 (Rust_primitives.mk_usize 66)) + (seed_base: t_Array u8 (sz 66)) (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & 
@@ -95,7 +83,7 @@ val sample_four_ring_elements (#v_SIMDUnit #v_Shake128: Type0) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |} - (seed0: t_Array u8 (Rust_primitives.mk_usize 34)) + (seed0: t_Array u8 (sz 34)) (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & @@ -110,7 +98,7 @@ val sample_mask_ring_element (v_GAMMA1_EXPONENT: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} - (seed: t_Array u8 (Rust_primitives.mk_usize 66)) + (seed: t_Array u8 (sz 66)) : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) @@ -121,7 +109,7 @@ val sample_mask_vector {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i4: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (seed: t_Array u8 (Rust_primitives.mk_usize 66)) + (seed: t_Array u8 (sz 66)) (domain_separator: u16) : Prims.Pure (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst index f70701b34..c6103d0bf 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst 
@@ -12,7 +12,7 @@ let _ = () let generate_domain_separator (row column: u8) = - (cast (column <: u8) <: u16) |. ((cast (row <: u8) <: u16) < matrix_A_4_by_4_ #v_SIMDUnit #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A seed - | 6, 5 -> matrix_A_6_by_5_ #v_SIMDUnit #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A seed - | 8, 7 -> matrix_A_8_by_7_ #v_SIMDUnit #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A seed + | 4uy, 4uy -> matrix_A_4_by_4_ #v_SIMDUnit #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A seed + | 6uy, 5uy -> matrix_A_6_by_5_ #v_SIMDUnit #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A seed + | 8uy, 7uy -> matrix_A_8_by_7_ #v_SIMDUnit #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A seed | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" @@ -1861,7 +1759,7 @@ let sample_s1_and_s2_4_by_4_ (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (seed_base: t_Array u8 (Rust_primitives.mk_usize 66)) + (seed_base: t_Array u8 (sz 66)) = let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () 
@@ -1883,30 +1781,22 @@ let sample_s1_and_s2_4_by_4_ #v_Shake256X4 v_ETA seed_base - (Rust_primitives.mk_u16 0) - (Rust_primitives.mk_u16 1) - (Rust_primitives.mk_u16 2) - (Rust_primitives.mk_u16 3) + 0us + 1us + 2us + 3us in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 0) - four._1 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 0) four._1 in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 1) - four._2 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 1) four._2 in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 2) - four._3 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 2) four._3 in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 3) - four._4 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 3) four._4 in let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & 
@@ -1916,30 +1806,22 @@ let sample_s1_and_s2_4_by_4_ #v_Shake256X4 v_ETA seed_base - (Rust_primitives.mk_u16 4) - (Rust_primitives.mk_u16 5) - (Rust_primitives.mk_u16 6) - (Rust_primitives.mk_u16 7) + 4us + 5us + 6us + 7us in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 0) - four._1 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 0) four._1 in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 1) - four._2 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 1) four._2 in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 2) - four._3 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 2) four._3 in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 3) - four._4 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 3) four._4 in s1, s2 <: @@ -1955,7 +1837,7 @@ let sample_s1_and_s2_5_by_6_ (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (seed_base: t_Array u8 (Rust_primitives.mk_usize 66)) + (seed_base: t_Array u8 (sz 66)) = let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () 
@@ -1977,30 +1859,22 @@ let sample_s1_and_s2_5_by_6_ #v_Shake256X4 v_ETA seed_base - (Rust_primitives.mk_u16 0) - (Rust_primitives.mk_u16 1) - (Rust_primitives.mk_u16 2) - (Rust_primitives.mk_u16 3) + 0us + 1us + 2us + 3us in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 0) - four._1 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 0) four._1 in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 1) - four._2 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 1) four._2 in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 2) - four._3 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 2) four._3 in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 3) - four._4 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 3) four._4 in let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & 
@@ -2010,30 +1884,22 @@ let sample_s1_and_s2_5_by_6_ #v_Shake256X4 v_ETA seed_base - (Rust_primitives.mk_u16 4) - (Rust_primitives.mk_u16 5) - (Rust_primitives.mk_u16 6) - (Rust_primitives.mk_u16 7) + 4us + 5us + 6us + 7us in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 4) - four._1 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 4) four._1 in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 0) - four._2 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 0) four._2 in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 1) - four._3 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 1) four._3 in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 2) - four._4 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 2) four._4 in let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & 
@@ -2043,25 +1909,19 @@ let sample_s1_and_s2_5_by_6_ #v_Shake256X4 v_ETA seed_base - (Rust_primitives.mk_u16 8) - (Rust_primitives.mk_u16 9) - (Rust_primitives.mk_u16 10) - (Rust_primitives.mk_u16 11) + 8us + 9us + 10us + 11us in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 3) - four._1 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 3) four._1 in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 4) - four._2 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 4) four._2 in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 5) - four._3 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 5) four._3 in s1, s2 <: @@ -2077,7 +1937,7 @@ let sample_s1_and_s2_7_by_8_ (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (seed_base: t_Array u8 (Rust_primitives.mk_usize 66)) + (seed_base: t_Array u8 (sz 66)) = let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () 
@@ -2099,30 +1959,22 @@ let sample_s1_and_s2_7_by_8_ #v_Shake256X4 v_ETA seed_base - (Rust_primitives.mk_u16 0) - (Rust_primitives.mk_u16 1) - (Rust_primitives.mk_u16 2) - (Rust_primitives.mk_u16 3) + 0us + 1us + 2us + 3us in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 0) - four._1 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 0) four._1 in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 1) - four._2 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 1) four._2 in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 2) - four._3 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 2) four._3 in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 3) - four._4 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 3) four._4 in let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & 
@@ -2132,30 +1984,22 @@ let sample_s1_and_s2_7_by_8_ #v_Shake256X4 v_ETA seed_base - (Rust_primitives.mk_u16 4) - (Rust_primitives.mk_u16 5) - (Rust_primitives.mk_u16 6) - (Rust_primitives.mk_u16 7) + 4us + 5us + 6us + 7us in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 4) - four._1 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 4) four._1 in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 5) - four._2 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 5) four._2 in let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 - (Rust_primitives.mk_usize 6) - four._3 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 6) four._3 in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 0) - four._4 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 0) four._4 in let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & 
@@ -2165,30 +2009,22 @@ let sample_s1_and_s2_7_by_8_ #v_Shake256X4 v_ETA seed_base - (Rust_primitives.mk_u16 8) - (Rust_primitives.mk_u16 9) - (Rust_primitives.mk_u16 10) - (Rust_primitives.mk_u16 11) + 8us + 9us + 10us + 11us in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 1) - four._1 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 1) four._1 in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 2) - four._2 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 2) four._2 in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 3) - four._3 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 3) four._3 in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 4) - four._4 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 4) four._4 in let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & 
@@ -2198,25 +2034,19 @@ let sample_s1_and_s2_7_by_8_ #v_Shake256X4 v_ETA seed_base - (Rust_primitives.mk_u16 12) - (Rust_primitives.mk_u16 13) - (Rust_primitives.mk_u16 14) - (Rust_primitives.mk_u16 15) + 12us + 13us + 14us + 15us in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 5) - four._1 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 5) four._1 in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 6) - four._2 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 6) four._2 in let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 - (Rust_primitives.mk_usize 7) - four._3 + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 7) four._3 in s1, s2 <: @@ -2232,16 +2062,16 @@ let sample_s1_and_s2 (#[FStar.Tactics.Typeclasses.tcresolve ()] i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) - (seed: t_Array u8 (Rust_primitives.mk_usize 66)) + (seed: t_Array u8 (sz 66)) = match (cast (v_S1_DIMENSION <: usize) <: u8), (cast (v_S2_DIMENSION <: usize) <: u8) <: (u8 & u8) with - | 4, 4 -> + | 4uy, 4uy -> sample_s1_and_s2_4_by_4_ #v_SIMDUnit #v_Shake256X4 v_ETA v_S1_DIMENSION v_S2_DIMENSION seed - | 5, 6 -> + | 5uy, 6uy -> sample_s1_and_s2_5_by_6_ #v_SIMDUnit #v_Shake256X4 v_ETA v_S1_DIMENSION v_S2_DIMENSION seed - | 7, 8 -> + | 7uy, 8uy -> sample_s1_and_s2_7_by_8_ #v_SIMDUnit #v_Shake256X4 v_ETA v_S1_DIMENSION v_S2_DIMENSION seed | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti index 37678aa88..d6a4fdf92 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti @@ -18,7 +18,7 @@ val matrix_A_4_by_4_ (v_ROWS_IN_A v_COLUMNS_IN_A: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - (seed: t_Array u8 (Rust_primitives.mk_usize 34)) + (seed: t_Array u8 (sz 34)) : Prims.Pure (t_Array (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) @@ -29,7 +29,7 @@ val matrix_A_6_by_5_ (v_ROWS_IN_A v_COLUMNS_IN_A: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - (seed: t_Array u8 (Rust_primitives.mk_usize 34)) + (seed: t_Array u8 (sz 34)) : Prims.Pure (t_Array (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) @@ -40,7 +40,7 @@ val matrix_A_8_by_7_ (v_ROWS_IN_A v_COLUMNS_IN_A: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - (seed: t_Array u8 (Rust_primitives.mk_usize 34)) + (seed: t_Array u8 (sz 34)) : Prims.Pure (t_Array (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) @@ -51,7 +51,7 @@ val matrix_A (v_ROWS_IN_A v_COLUMNS_IN_A: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} - (seed: t_Array u8 (Rust_primitives.mk_usize 34)) + (seed: t_Array u8 (sz 34)) : Prims.Pure (t_Array (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) 
@@ -62,7 +62,7 @@ val sample_s1_and_s2_4_by_4_ (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (seed_base: t_Array u8 (Rust_primitives.mk_usize 66)) + (seed_base: t_Array u8 (sz 66)) : Prims.Pure (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) @@ -74,7 +74,7 @@ val sample_s1_and_s2_5_by_6_ (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (seed_base: t_Array u8 (Rust_primitives.mk_usize 66)) + (seed_base: t_Array u8 (sz 66)) : Prims.Pure (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) @@ -86,7 +86,7 @@ val sample_s1_and_s2_7_by_8_ (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (seed_base: t_Array u8 (Rust_primitives.mk_usize 66)) + (seed_base: t_Array u8 (sz 66)) : Prims.Pure (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) @@ -98,7 +98,7 @@ val sample_s1_and_s2 (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} - (seed: t_Array u8 (Rust_primitives.mk_usize 66)) + (seed: t_Array u8 (sz 66)) : Prims.Pure (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst index 17ce1b1c3..3dd67c65e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst @@ -38,9 +38,8 @@ let compute_hint (v_GAMMA2: i32) (low high: Libcrux_intrinsics.Avx2_extract.t_Ve in (cast (Core.Num.impl__i32__count_ones hints_mask <: u32) <: usize), Libcrux_intrinsics.Avx2_extract.mm256_and_si256 hints - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Rust_primitives.mk_i32 1) - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1l <: Libcrux_intrinsics.Avx2_extract.t_Vec256 + ) <: (usize & Libcrux_intrinsics.Avx2_extract.t_Vec256) @@ -49,7 +48,7 @@ let infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 simd_unit in let bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (bound -! Rust_primitives.mk_i32 1 <: i32) + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (bound -! 1l <: i32) in let compare_with_bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 absolute_values bound @@ -57,7 +56,7 @@ let infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) let result:i32 = Libcrux_intrinsics.Avx2_extract.mm256_testz_si256 compare_with_bound compare_with_bound in - if result =. Rust_primitives.mk_i32 1 then false else true + if result =. 1l then false else true let subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 lhs rhs 
@@ -68,15 +67,12 @@ let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2 in let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 shifted - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Rust_primitives.mk_i32 1 < + | 190464l -> let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 ceil_of_r_by_128_ - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Rust_primitives.mk_i32 11275) + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 11275l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 result - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Rust_primitives.mk_i32 1 < + | 523776l -> let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 ceil_of_r_by_128_ - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Rust_primitives.mk_i32 1025) + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1025l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 result - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Rust_primitives.mk_i32 1 < @@ -320,7 +308,7 @@ let decompose (v_GAMMA2: i32) (r: Libcrux_intrinsics.Avx2_extract.t_Vec256) = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 field_modulus_halved r0 in let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 (Rust_primitives.mk_i32 31) mask + Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l mask in let field_modulus_and_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_and_si256 mask 
@@ -344,7 +332,7 @@ let use_hint (v_GAMMA2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 all_zeros hint r0 in let negate_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 (Rust_primitives.mk_i32 1) negate_hints + Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 1l negate_hints in let hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 hint negate_hints @@ -353,9 +341,9 @@ let use_hint (v_GAMMA2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 r1 hints in match v_GAMMA2 with - | 95232 -> + | 95232l -> let max:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Rust_primitives.mk_i32 43) + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 43l in let r1_plus_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints max r1_plus_hints @@ -366,9 +354,9 @@ let use_hint (v_GAMMA2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints all_zeros greater_than_or_equal_to_max - | 261888 -> + | 261888l -> Libcrux_intrinsics.Avx2_extract.mm256_and_si256 r1_plus_hints - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Rust_primitives.mk_i32 15) + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) | _ -> diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst index c448e391f..5f1406970 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst 
@@ -4,38 +4,21 @@ open Core open FStar.Mul let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (Rust_primitives.mk_usize 19) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 19) - in + let serialized:t_Array u8 (sz 19) = Rust_primitives.Hax.repeat 0uy (sz 19) in match cast (v_OUTPUT_SIZE <: usize) <: u8 with - | 4 -> + | 4uy -> let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 28) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 28) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 28) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 28) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 28l 0l 28l 0l 28l 0l 28l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 (Rust_primitives.mk_i32 28) - adjacent_2_combined + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 28l adjacent_2_combined in let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 6) - (Rust_primitives.mk_i32 2) - (Rust_primitives.mk_i32 4) - (Rust_primitives.mk_i32 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 2l 4l 0l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in 
@@ -44,26 +27,19 @@ let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract in let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 = Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 adjacent_4_combined - (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 (Rust_primitives.mk_u8 240) - (Rust_primitives.mk_u8 240) (Rust_primitives.mk_u8 240) (Rust_primitives.mk_u8 240) - (Rust_primitives.mk_u8 240) (Rust_primitives.mk_u8 240) (Rust_primitives.mk_u8 240) - (Rust_primitives.mk_u8 240) (Rust_primitives.mk_u8 240) (Rust_primitives.mk_u8 240) - (Rust_primitives.mk_u8 240) (Rust_primitives.mk_u8 240) (Rust_primitives.mk_u8 12) - (Rust_primitives.mk_u8 4) (Rust_primitives.mk_u8 8) (Rust_primitives.mk_u8 0) + (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 240uy 240uy 240uy 240uy 240uy 240uy 240uy 240uy + 240uy 240uy 240uy 240uy 12uy 4uy 8uy 0uy <: Libcrux_intrinsics.Avx2_extract.t_Vec128) in - let serialized:t_Array u8 (Rust_primitives.mk_usize 19) = + let serialized:t_Array u8 (sz 19) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 16 - } + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } <: Core.Ops.Range.t_Range usize) (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 16 + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 } <: Core.Ops.Range.t_Range usize ] 
@@ -78,91 +54,55 @@ let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract (Core.Convert.f_try_into #(t_Slice u8) #(t_Array u8 v_OUTPUT_SIZE) #FStar.Tactics.Typeclasses.solve - (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 4 - } + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } <: Core.Ops.Range.t_Range usize ] <: t_Slice u8) <: Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) - | 6 -> + | 6uy -> let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 26) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 26) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 26) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 26) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 26l 0l 26l 0l 26l 0l 26l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 (Rust_primitives.mk_i32 26) - adjacent_2_combined + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 26l adjacent_2_combined in let adjacent_3_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 9) - (Rust_primitives.mk_i8 8) (Rust_primitives.mk_i8 1) (Rust_primitives.mk_i8 0) - 
(Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 9) (Rust_primitives.mk_i8 8) (Rust_primitives.mk_i8 1) - (Rust_primitives.mk_i8 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let adjacent_3_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 adjacent_3_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Rust_primitives.mk_i16 1) - (Rust_primitives.mk_i16 1) (Rust_primitives.mk_i16 1) (Rust_primitives.mk_i16 1) - (Rust_primitives.mk_i16 1) (Rust_primitives.mk_i16 1) (Rust_primitives.mk_i16 1) - (Rust_primitives.mk_i16 1 < deserialize_to_unsigned_when_eta_is_2_ serialized - | 4 -> deserialize_to_unsigned_when_eta_is_4_ serialized + | 2uy -> deserialize_to_unsigned_when_eta_is_2_ serialized + | 4uy -> deserialize_to_unsigned_when_eta_is_4_ serialized | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" 
@@ -125,9 +93,7 @@ let serialize_when_eta_is_2_ (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (Rust_primitives.mk_usize 16) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 16) - in + let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in let simd_unit_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 serialize_when_eta_is_2___ETA 
@@ -137,59 +103,31 @@ let serialize_when_eta_is_2_ in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 29) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 29) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 29) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 29) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 29l 0l 29l 0l 29l 0l 29l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 (Rust_primitives.mk_i32 29) adjacent_2_combined + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 29l adjacent_2_combined in let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 8) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 0) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 8) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 0) + 
(Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 8y (-1y) 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 8y (-1y) 0y <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 adjacent_4_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Rust_primitives.mk_i16 0) - (Rust_primitives.mk_i16 0) (Rust_primitives.mk_i16 0) (Rust_primitives.mk_i16 0) - (Rust_primitives.mk_i16 0) (Rust_primitives.mk_i16 0) - (Rust_primitives.mk_i16 1 < serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit - | 4 -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit + | 3uy -> serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit + | 4uy -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti index 97ea7604e..11a0e04cf 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti @@ -3,15 +3,13 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Error open Core open FStar.Mul -let deserialize_to_unsigned_when_eta_is_2___COEFFICIENT_MASK: i32 = - (Rust_primitives.mk_i32 1 < Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst index 2cee1d1f5..c7012e6cb 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst 
@@ -8,17 +8,14 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = if true then let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. - Rust_primitives.mk_usize 18 - <: - bool) + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 18 <: bool) in () in let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 16 + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 } <: Core.Ops.Range.t_Range usize ] @@ -27,8 +24,8 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = in let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 2; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 18 + Core.Ops.Range.f_start = sz 2; + Core.Ops.Range.f_end = sz 18 } <: Core.Ops.Range.t_Range usize ] 
@@ -40,31 +37,14 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = in let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 15) (Rust_primitives.mk_i8 14) (Rust_primitives.mk_i8 13) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 13) (Rust_primitives.mk_i8 12) - (Rust_primitives.mk_i8 11) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 11) - (Rust_primitives.mk_i8 10) (Rust_primitives.mk_i8 9) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 9) (Rust_primitives.mk_i8 8) (Rust_primitives.mk_i8 7) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 8) (Rust_primitives.mk_i8 7) - (Rust_primitives.mk_i8 6) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 6) - (Rust_primitives.mk_i8 5) (Rust_primitives.mk_i8 4) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 4) (Rust_primitives.mk_i8 3) (Rust_primitives.mk_i8 2) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 2) (Rust_primitives.mk_i8 1) - (Rust_primitives.mk_i8 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 11y + 10y 9y (-1y) 9y 8y 7y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) 4y 3y 2y (-1y) 2y 1y 0y <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 6) - (Rust_primitives.mk_i32 4) - (Rust_primitives.mk_i32 2) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 6) - (Rust_primitives.mk_i32 4) - (Rust_primitives.mk_i32 2) - (Rust_primitives.mk_i32 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in 
@@ -86,17 +66,14 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = if true then let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. - Rust_primitives.mk_usize 20 - <: - bool) + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 20 <: bool) in () in let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 16 + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 } <: Core.Ops.Range.t_Range usize ] @@ -105,8 +82,8 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = in let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 4; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 20 + Core.Ops.Range.f_start = sz 4; + Core.Ops.Range.f_end = sz 20 } <: Core.Ops.Range.t_Range usize ] 
@@ -118,31 +95,14 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = in let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 15) (Rust_primitives.mk_i8 14) (Rust_primitives.mk_i8 13) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 13) (Rust_primitives.mk_i8 12) - (Rust_primitives.mk_i8 11) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 10) - (Rust_primitives.mk_i8 9) (Rust_primitives.mk_i8 8) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 8) (Rust_primitives.mk_i8 7) (Rust_primitives.mk_i8 6) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 9) (Rust_primitives.mk_i8 8) - (Rust_primitives.mk_i8 7) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 7) - (Rust_primitives.mk_i8 6) (Rust_primitives.mk_i8 5) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 4) (Rust_primitives.mk_i8 3) (Rust_primitives.mk_i8 2) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 2) (Rust_primitives.mk_i8 1) - (Rust_primitives.mk_i8 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 10y + 9y 8y (-1y) 8y 7y 6y (-1y) 9y 8y 7y (-1y) 7y 6y 5y (-1y) 4y 3y 2y (-1y) 2y 1y 0y <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 4) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 4) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 4) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 4) - (Rust_primitives.mk_i32 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 4l 0l 4l 0l 4l 0l 4l 0l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in 
@@ -161,8 +121,8 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = let deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) = match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with - | 17 -> deserialize_when_gamma1_is_2_pow_17_ serialized - | 19 -> deserialize_when_gamma1_is_2_pow_19_ serialized + | 17uy -> deserialize_when_gamma1_is_2_pow_17_ serialized + | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" @@ -173,9 +133,7 @@ let serialize_when_gamma1_is_2_pow_17_ (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (Rust_primitives.mk_usize 32) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 32) - in + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in let simd_unit_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 serialize_when_gamma1_is_2_pow_17___GAMMA1 
@@ -185,54 +143,39 @@ let serialize_when_gamma1_is_2_pow_17_ in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 14) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 14) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 14) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 14) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 14l 0l 14l 0l 14l 0l 14l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 (Rust_primitives.mk_i32 14) adjacent_2_combined + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 14l adjacent_2_combined in let every_second_element:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_bsrli_epi128 (Rust_primitives.mk_i32 8) - adjacent_2_combined + Libcrux_intrinsics.Avx2_extract.mm256_bsrli_epi128 8l adjacent_2_combined in let every_second_element_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_slli_epi64 (Rust_primitives.mk_i32 36) - every_second_element + Libcrux_intrinsics.Avx2_extract.mm256_slli_epi64 36l every_second_element in let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi64 adjacent_2_combined every_second_element_shifted in let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi64 adjacent_4_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x (Rust_primitives.mk_i64 28) - (Rust_primitives.mk_i64 0) - (Rust_primitives.mk_i64 28) - (Rust_primitives.mk_i64 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x 28L 0L 28L 0L <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let lower_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 
= Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined in - let serialized:t_Array u8 (Rust_primitives.mk_usize 32) = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 16 - } + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } <: Core.Ops.Range.t_Range usize) (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 16 + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 } <: Core.Ops.Range.t_Range usize ] @@ -243,20 +186,16 @@ let serialize_when_gamma1_is_2_pow_17_ t_Slice u8) in let upper_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 (Rust_primitives.mk_i32 1) - adjacent_4_combined + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined in - let serialized:t_Array u8 (Rust_primitives.mk_usize 32) = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = Rust_primitives.mk_usize 9; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 25 - } + ({ Core.Ops.Range.f_start = sz 9; Core.Ops.Range.f_end = sz 25 } <: Core.Ops.Range.t_Range usize) (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 9; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 25 + Core.Ops.Range.f_start = sz 9; + Core.Ops.Range.f_end = sz 25 } <: Core.Ops.Range.t_Range usize ] 
@@ -271,10 +210,7 @@ let serialize_when_gamma1_is_2_pow_17_ (Core.Convert.f_try_into #(t_Slice u8) #(t_Array u8 v_OUTPUT_SIZE) #FStar.Tactics.Typeclasses.solve - (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 18 - } + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 18 } <: Core.Ops.Range.t_Range usize ] <: @@ -286,9 +222,7 @@ let serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (Rust_primitives.mk_usize 32) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 32) - in + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in let simd_unit_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 serialize_when_gamma1_is_2_pow_19___GAMMA1 
@@ -298,51 +232,32 @@ let serialize_when_gamma1_is_2_pow_19_ in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 12) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 12) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 12) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 12) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 (Rust_primitives.mk_i32 12) adjacent_2_combined + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_2_combined in let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 12) - (Rust_primitives.mk_i8 11) (Rust_primitives.mk_i8 10) (Rust_primitives.mk_i8 9) - (Rust_primitives.mk_i8 8) (Rust_primitives.mk_i8 4) (Rust_primitives.mk_i8 3) - (Rust_primitives.mk_i8 2) (Rust_primitives.mk_i8 1) (Rust_primitives.mk_i8 0) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 12) (Rust_primitives.mk_i8 11) (Rust_primitives.mk_i8 10) - (Rust_primitives.mk_i8 9) (Rust_primitives.mk_i8 8) (Rust_primitives.mk_i8 4) - (Rust_primitives.mk_i8 3) (Rust_primitives.mk_i8 2) (Rust_primitives.mk_i8 1) - (Rust_primitives.mk_i8 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 
(-1y) (-1y) (-1y) (-1y) 12y 11y + 10y 9y 8y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y 10y 9y 8y 4y 3y 2y 1y + 0y <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let lower_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined in - let serialized:t_Array u8 (Rust_primitives.mk_usize 32) = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 16 - } + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } <: Core.Ops.Range.t_Range usize) (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 16 + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 } <: Core.Ops.Range.t_Range usize ] @@ -353,20 +268,16 @@ let serialize_when_gamma1_is_2_pow_19_ t_Slice u8) in let upper_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 (Rust_primitives.mk_i32 1) - adjacent_4_combined + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined in - let serialized:t_Array u8 (Rust_primitives.mk_usize 32) = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = Rust_primitives.mk_usize 10; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 26 - } + ({ Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 26 } <: Core.Ops.Range.t_Range usize) (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 10; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 26 + Core.Ops.Range.f_start = sz 10; + Core.Ops.Range.f_end = sz 26 } <: Core.Ops.Range.t_Range usize ] 
@@ -381,10 +292,7 @@ let serialize_when_gamma1_is_2_pow_19_ (Core.Convert.f_try_into #(t_Slice u8) #(t_Array u8 v_OUTPUT_SIZE) #FStar.Tactics.Typeclasses.solve - (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 20 - } + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 20 } <: Core.Ops.Range.t_Range usize ] <: @@ -394,8 +302,8 @@ let serialize_when_gamma1_is_2_pow_19_ let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = match cast (v_OUTPUT_SIZE <: usize) <: u8 with - | 18 -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit - | 20 -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit + | 18uy -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit + | 20uy -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti index 6fcf920f7..09917efd7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti @@ -3,25 +3,19 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1 open Core open FStar.Mul -let deserialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = - Rust_primitives.mk_i32 1 < Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst index 43777cb0b..cf9feff51 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst 
@@ -5,8 +5,8 @@ open FStar.Mul let change_interval (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let interval_end:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Rust_primitives.mk_i32 1 < Hax_lib.v_assert (left_val =. right_val <: bool) in () in - let serialized_extended:t_Array u8 (Rust_primitives.mk_usize 16) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 16) - in - let serialized_extended:t_Array u8 (Rust_primitives.mk_usize 16) = + let serialized_extended:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let serialized_extended:t_Array u8 (sz 16) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized_extended - ({ - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 13 - } + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } <: Core.Ops.Range.t_Range usize) (Core.Slice.impl__copy_from_slice #u8 - (serialized_extended.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 13 - } + (serialized_extended.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } <: Core.Ops.Range.t_Range usize ] <: 
@@ -56,31 +46,15 @@ let deserialize (serialized: t_Slice u8) = in let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 12) (Rust_primitives.mk_i8 11) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 11) (Rust_primitives.mk_i8 10) - (Rust_primitives.mk_i8 9) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 9) (Rust_primitives.mk_i8 8) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 8) (Rust_primitives.mk_i8 7) (Rust_primitives.mk_i8 6) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 6) (Rust_primitives.mk_i8 5) - (Rust_primitives.mk_i8 4) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 4) (Rust_primitives.mk_i8 3) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 3) (Rust_primitives.mk_i8 2) (Rust_primitives.mk_i8 1) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 1) - (Rust_primitives.mk_i8 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 12y 11y (-1y) 11y 10y 9y (-1y) + (-1y) 9y 8y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) (-1y) 4y 3y (-1y) 3y 2y 1y (-1y) (-1y) 1y + 0y <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 3) - (Rust_primitives.mk_i32 6) - (Rust_primitives.mk_i32 1) - (Rust_primitives.mk_i32 4) - (Rust_primitives.mk_i32 7) - (Rust_primitives.mk_i32 2) - (Rust_primitives.mk_i32 5) - (Rust_primitives.mk_i32 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 3l 6l 1l 4l 7l 2l 5l 0l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in 
@@ -93,93 +67,62 @@ let deserialize (serialized: t_Slice u8) = change_interval coefficients let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (Rust_primitives.mk_usize 16) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 16) - in + let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in let simd_unit:Libcrux_intrinsics.Avx2_extract.t_Vec256 = change_interval simd_unit in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 19) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 19) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 19) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 19) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 19l 0l 19l 0l 19l 0l 19l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 (Rust_primitives.mk_i32 19) adjacent_2_combined + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 19l adjacent_2_combined in let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 6) - (Rust_primitives.mk_i32 4) - (Rust_primitives.mk_i32 2) - (Rust_primitives.mk_i32 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 4l 2l 0l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_4_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 
(Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 6) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 6) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 6) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 6) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 6l 0l 6l 0l 6l 0l 6l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 (Rust_primitives.mk_i32 6) adjacent_4_combined + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 6l adjacent_4_combined in let second_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_bsrli_epi128 (Rust_primitives.mk_i32 8) - adjacent_4_combined + Libcrux_intrinsics.Avx2_extract.mm256_bsrli_epi128 8l adjacent_4_combined in let least_12_bits_shifted_up:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_slli_epi64 (Rust_primitives.mk_i32 52) second_4_combined + Libcrux_intrinsics.Avx2_extract.mm256_slli_epi64 52l second_4_combined in let bits_sequential:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi64 adjacent_4_combined least_12_bits_shifted_up in let bits_sequential:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi64 bits_sequential - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x (Rust_primitives.mk_i64 0) - (Rust_primitives.mk_i64 0) - (Rust_primitives.mk_i64 12) - (Rust_primitives.mk_i64 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x 0L 0L 12L 0L <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let bits_sequential:Libcrux_intrinsics.Avx2_extract.t_Vec128 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 bits_sequential in - let serialized:t_Array u8 (Rust_primitives.mk_usize 16) = + let serialized:t_Array u8 (sz 16) = Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 serialized bits_sequential in - Core.Result.impl__unwrap 
#(t_Array u8 (Rust_primitives.mk_usize 13)) + Core.Result.impl__unwrap #(t_Array u8 (sz 13)) #Core.Array.t_TryFromSliceError (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (Rust_primitives.mk_usize 13)) + #(t_Array u8 (sz 13)) #FStar.Tactics.Typeclasses.solve - (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 13 - } + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } <: Core.Ops.Range.t_Range usize ] <: t_Slice u8) <: - Core.Result.t_Result (t_Array u8 (Rust_primitives.mk_usize 13)) Core.Array.t_TryFromSliceError - ) + Core.Result.t_Result (t_Array u8 (sz 13)) Core.Array.t_TryFromSliceError) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti index 87d7bc400..6ecaf9832 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti @@ -6,11 +6,10 @@ open FStar.Mul val change_interval (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) -let deserialize__COEFFICIENT_MASK: i32 = - (Rust_primitives.mk_i32 1 < Prims.l_True) val serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (Rust_primitives.mk_usize 13)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 13)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst index 0ca1dcbb1..5c03793af 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst 
@@ -4,68 +4,42 @@ open Core open FStar.Mul let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (Rust_primitives.mk_usize 24) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 24) - in + let serialized:t_Array u8 (sz 24) = Rust_primitives.Hax.repeat 0uy (sz 24) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 22) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 22) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 22) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 22) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 22l 0l 22l 0l 22l 0l 22l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 (Rust_primitives.mk_i32 22) adjacent_2_combined + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 22l adjacent_2_combined in let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 6) - (Rust_primitives.mk_i32 4) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 2) - (Rust_primitives.mk_i32 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 6l 4l 0l 0l 2l 0l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_4_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 12) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 12) - 
(Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 12) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 12) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 (Rust_primitives.mk_i32 12) adjacent_4_combined + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_4_combined in let lower_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined in - let serialized:t_Array u8 (Rust_primitives.mk_usize 24) = + let serialized:t_Array u8 (sz 24) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 16 - } + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } <: Core.Ops.Range.t_Range usize) (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 16 + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 } <: Core.Ops.Range.t_Range usize ] 
@@ -76,20 +50,16 @@ let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = t_Slice u8) in let upper_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 (Rust_primitives.mk_i32 1) - adjacent_4_combined + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined in - let serialized:t_Array u8 (Rust_primitives.mk_usize 24) = + let serialized:t_Array u8 (sz 24) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = Rust_primitives.mk_usize 5; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 21 - } + ({ Core.Ops.Range.f_start = sz 5; Core.Ops.Range.f_end = sz 21 } <: Core.Ops.Range.t_Range usize) (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 5; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 21 + Core.Ops.Range.f_start = sz 5; + Core.Ops.Range.f_end = sz 21 } <: Core.Ops.Range.t_Range usize ] 
@@ -99,49 +69,37 @@ let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: t_Slice u8) in - Core.Result.impl__unwrap #(t_Array u8 (Rust_primitives.mk_usize 10)) + Core.Result.impl__unwrap #(t_Array u8 (sz 10)) #Core.Array.t_TryFromSliceError (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (Rust_primitives.mk_usize 10)) + #(t_Array u8 (sz 10)) #FStar.Tactics.Typeclasses.solve - (serialized.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 10 - } + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } <: Core.Ops.Range.t_Range usize ] <: t_Slice u8) <: - Core.Result.t_Result (t_Array u8 (Rust_primitives.mk_usize 10)) Core.Array.t_TryFromSliceError - ) + Core.Result.t_Result (t_Array u8 (sz 10)) Core.Array.t_TryFromSliceError) let deserialize (bytes: t_Slice u8) = let _:Prims.unit = if true then let _:Prims.unit = - match Core.Slice.impl__len #u8 bytes, Rust_primitives.mk_usize 10 <: (usize & usize) with + match Core.Slice.impl__len #u8 bytes, sz 10 <: (usize & usize) with | left_val, right_val -> Hax_lib.v_assert (left_val =. 
right_val <: bool) in () in - let bytes_extended:t_Array u8 (Rust_primitives.mk_usize 16) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 16) - in - let bytes_extended:t_Array u8 (Rust_primitives.mk_usize 16) = + let bytes_extended:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let bytes_extended:t_Array u8 (sz 16) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range bytes_extended - ({ - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 10 - } + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } <: Core.Ops.Range.t_Range usize) (Core.Slice.impl__copy_from_slice #u8 - (bytes_extended.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 10 - } + (bytes_extended.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } <: Core.Ops.Range.t_Range usize ] <: 
@@ -158,31 +116,15 @@ let deserialize (bytes: t_Slice u8) = in let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 bytes_loaded - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 9) (Rust_primitives.mk_i8 8) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 8) - (Rust_primitives.mk_i8 7) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 7) (Rust_primitives.mk_i8 6) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 6) (Rust_primitives.mk_i8 5) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 4) - (Rust_primitives.mk_i8 3) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 3) (Rust_primitives.mk_i8 2) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 2) (Rust_primitives.mk_i8 1) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 1) - (Rust_primitives.mk_i8 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 9y 8y (-1y) (-1y) 8y 7y (-1y) + (-1y) 7y 6y (-1y) (-1y) 6y 5y (-1y) (-1y) 4y 3y (-1y) (-1y) 3y 2y (-1y) (-1y) 2y 1y (-1y) + (-1y) 1y 0y <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 6) - (Rust_primitives.mk_i32 4) - (Rust_primitives.mk_i32 2) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 6) - (Rust_primitives.mk_i32 4) - (Rust_primitives.mk_i32 2) - (Rust_primitives.mk_i32 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti index c8bfd08d2..53c46df38 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti @@ -3,11 +3,10 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.T1 open Core open FStar.Mul -let deserialize__COEFFICIENT_MASK: i32 = - (Rust_primitives.mk_i32 1 < Prims.l_True) + : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) val deserialize (bytes: t_Slice u8) : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst index b5d19c6d7..ecb029df7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst @@ -8,10 +8,10 @@ let butterfly_2_ (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) = let a_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 (Rust_primitives.mk_i32 216) a + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a in let b_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 (Rust_primitives.mk_i32 216) b + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b in let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a_shuffled b_shuffled 
@@ -45,12 +45,10 @@ let butterfly_2_ Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms in let a_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 (Rust_primitives.mk_i32 216) - a_terms_shuffled + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_terms_shuffled in let b_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 (Rust_primitives.mk_i32 216) - b_terms_shuffled + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b_terms_shuffled in a_out, b_out <: @@ -106,7 +104,7 @@ let butterfly_8_ (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i Libcrux_intrinsics.Avx2_extract.t_Vec128) in let zeta_multiplicands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 (Rust_primitives.mk_i32 19) b a + Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l b a in let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 zeta1 zeta1 zeta0 zeta0 zeta0 zeta0 @@ -130,9 +128,7 @@ let butterfly_8_ (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i Libcrux_intrinsics.Avx2_extract.t_Vec128) in let b_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 (Rust_primitives.mk_i32 19) - sub_terms - add_terms + Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l sub_terms add_terms in a_out, b_out <: 
@@ -143,27 +139,13 @@ let invert_ntt_at_layer_0_ (zeta0 zeta1 zeta2 zeta3: i32) = let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta3 - (Rust_primitives.mk_i32 0) - zeta2 - (Rust_primitives.mk_i32 0) - zeta1 - (Rust_primitives.mk_i32 0) - zeta0 - (Rust_primitives.mk_i32 0) + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta3 0l zeta2 0l zeta1 0l zeta0 0l in let add_by_signs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 (-1)) - (Rust_primitives.mk_i32 1) - (Rust_primitives.mk_i32 (-1)) - (Rust_primitives.mk_i32 1) - (Rust_primitives.mk_i32 (-1)) - (Rust_primitives.mk_i32 1) - (Rust_primitives.mk_i32 (-1)) - (Rust_primitives.mk_i32 1) + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (-1l) 1l (-1l) 1l (-1l) 1l (-1l) 1l in let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 (Rust_primitives.mk_i32 177) simd_unit + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 177l simd_unit in let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs 
@@ -174,31 +156,17 @@ let invert_ntt_at_layer_0_ let products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in - Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 (Rust_primitives.mk_i32 170) sums products + Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l sums products let invert_ntt_at_layer_1_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) = let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 - zeta1 - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 0) - zeta0 - zeta0 - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 0) + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 0l 0l zeta0 zeta0 0l 0l in let add_by_signs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 (-1)) - (Rust_primitives.mk_i32 (-1)) - (Rust_primitives.mk_i32 1) - (Rust_primitives.mk_i32 1) - (Rust_primitives.mk_i32 (-1)) - (Rust_primitives.mk_i32 (-1)) - (Rust_primitives.mk_i32 1) - (Rust_primitives.mk_i32 1) + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (-1l) (-1l) 1l 1l (-1l) (-1l) 1l 1l in let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 (Rust_primitives.mk_i32 78) simd_unit + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 78l simd_unit in let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs 
@@ -209,31 +177,17 @@ let invert_ntt_at_layer_1_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) let products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in - Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 (Rust_primitives.mk_i32 204) sums products + Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 204l sums products let invert_ntt_at_layer_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i32) = let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta - zeta - zeta - zeta - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 0) + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta zeta zeta zeta 0l 0l 0l 0l in let add_by_signs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 (-1)) - (Rust_primitives.mk_i32 (-1)) - (Rust_primitives.mk_i32 (-1)) - (Rust_primitives.mk_i32 (-1)) - (Rust_primitives.mk_i32 1) - (Rust_primitives.mk_i32 1) - (Rust_primitives.mk_i32 1) - (Rust_primitives.mk_i32 1) + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (-1l) (-1l) (-1l) (-1l) 1l 1l 1l 1l in let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 (Rust_primitives.mk_i32 78) simd_unit + Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 78l simd_unit in let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs 
@@ -244,58 +198,45 @@ let invert_ntt_at_layer_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) let products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in - Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 (Rust_primitives.mk_i32 240) sums products + Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 240l sums products let ntt_at_layer_3_plus (v_LAYER zeta_i: usize) - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let step:usize = Rust_primitives.mk_usize 1 <>! v_LAYER <: usize) + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 128 >>! v_LAYER <: usize) (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 - (Rust_primitives.mk_usize 32) & - usize) = + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = temp_0_ in let _:usize = temp_1_ in true) - (re, zeta_i - <: - (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) + (re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 - (Rust_primitives.mk_usize 32) & - usize) = + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = temp_0_ in let round:usize = round in - let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 1 in + let zeta_i:usize = zeta_i +! sz 1 in let offset:usize = - ((round *! step <: usize) *! Rust_primitives.mk_usize 2 <: usize) /! + ((round *! step <: usize) *! sz 2 <: usize) /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in let step_by:usize = step /! 
Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = Rust_primitives.Hax.Folds.fold_range offset (offset +! step_by <: usize) (fun re temp_1_ -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 - (Rust_primitives.mk_usize 32) = - re - in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in let _:usize = temp_1_ in true) re (fun re j -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 - (Rust_primitives.mk_usize 32) = - re - in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in let j:usize = j in let t:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant (re.[ j +! @@ -306,8 +247,7 @@ let ntt_at_layer_3_plus Libcrux_intrinsics.Avx2_extract.t_Vec256) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 - (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (j +! step_by <: usize) (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] @@ -317,8 +257,7 @@ let ntt_at_layer_3_plus <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 - (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re j (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] 
@@ -330,307 +269,214 @@ let ntt_at_layer_3_plus in re) in - re, zeta_i - <: - (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) + re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) in - zeta_i, re - <: - (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + zeta_i, re <: (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) -let ntt_at_layer_0_ - (zeta_i: usize) - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) - = - let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 1 in - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & - usize) = - Rust_primitives.Hax.Folds.fold_range_step_by (Rust_primitives.mk_usize 0) +let ntt_at_layer_0_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = + let zeta_i:usize = zeta_i +! sz 1 in + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = + Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256 (re <: t_Slice Libcrux_intrinsics.Avx2_extract.t_Vec256) <: usize) - (Rust_primitives.mk_usize 2) + (sz 2) (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 - (Rust_primitives.mk_usize 32) & - usize) = + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = temp_0_ in let _:usize = temp_1_ in true) - (re, zeta_i - <: - (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) + (re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 - (Rust_primitives.mk_usize 32) & - usize) = + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = temp_0_ in let round:usize = round in let 
a, b:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) = butterfly_2_ (re.[ round ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ round +! Rust_primitives.mk_usize 1 <: usize ] - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ round +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! - Rust_primitives.mk_usize 1 - <: - usize ] + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! - Rust_primitives.mk_usize 2 - <: - usize ] + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! - Rust_primitives.mk_usize 3 - <: - usize ] + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! - Rust_primitives.mk_usize 4 - <: - usize ] + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 4 <: usize ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! - Rust_primitives.mk_usize 5 - <: - usize ] + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 5 <: usize ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! - Rust_primitives.mk_usize 6 - <: - usize ] + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 6 <: usize ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! - Rust_primitives.mk_usize 7 - <: - usize ] + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! 
sz 7 <: usize ] <: i32) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (round +! Rust_primitives.mk_usize 1 <: usize) + (round +! sz 1 <: usize) b in - let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 8 in - re, zeta_i - <: - (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) + let zeta_i:usize = zeta_i +! sz 8 in + re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) in - let zeta_i:usize = zeta_i -! Rust_primitives.mk_usize 1 in - zeta_i, re - <: - (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + let zeta_i:usize = zeta_i -! sz 1 in + zeta_i, re <: (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) -let ntt_at_layer_1_ - (zeta_i: usize) - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) - = - let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 1 in - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & - usize) = - Rust_primitives.Hax.Folds.fold_range_step_by (Rust_primitives.mk_usize 0) +let ntt_at_layer_1_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = + let zeta_i:usize = zeta_i +! 
sz 1 in + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = + Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256 (re <: t_Slice Libcrux_intrinsics.Avx2_extract.t_Vec256) <: usize) - (Rust_primitives.mk_usize 2) + (sz 2) (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 - (Rust_primitives.mk_usize 32) & - usize) = + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = temp_0_ in let _:usize = temp_1_ in true) - (re, zeta_i - <: - (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) + (re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 - (Rust_primitives.mk_usize 32) & - usize) = + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = temp_0_ in let round:usize = round in let a, b:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) = butterfly_4_ (re.[ round ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ round +! Rust_primitives.mk_usize 1 <: usize ] - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ round +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! - Rust_primitives.mk_usize 1 - <: - usize ] + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! - Rust_primitives.mk_usize 2 - <: - usize ] + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! 
- Rust_primitives.mk_usize 3 - <: - usize ] + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ] <: i32) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (round +! Rust_primitives.mk_usize 1 <: usize) + (round +! sz 1 <: usize) b in - let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 4 in - re, zeta_i - <: - (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) + let zeta_i:usize = zeta_i +! sz 4 in + re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) in - let zeta_i:usize = zeta_i -! Rust_primitives.mk_usize 1 in - zeta_i, re - <: - (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + let zeta_i:usize = zeta_i -! 
sz 1 in + zeta_i, re <: (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) -let ntt_at_layer_2_ - (zeta_i: usize) - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) - = - let (re, zeta_i), hax_temp_output:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 - (Rust_primitives.mk_usize 32) & +let ntt_at_layer_2_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = + let (re, zeta_i), hax_temp_output:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = - Rust_primitives.Hax.Folds.fold_range_step_by (Rust_primitives.mk_usize 0) + Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256 (re <: t_Slice Libcrux_intrinsics.Avx2_extract.t_Vec256) <: usize) - (Rust_primitives.mk_usize 2) + (sz 2) (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 - (Rust_primitives.mk_usize 32) & - usize) = + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = temp_0_ in let _:usize = temp_1_ in true) - (re, zeta_i - <: - (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) + (re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 - (Rust_primitives.mk_usize 32) & - usize) = + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = temp_0_ in let round:usize = round in - let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 1 in + let zeta_i:usize = zeta_i +! sz 1 in let a, b:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) = butterfly_8_ (re.[ round ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ round +! Rust_primitives.mk_usize 1 <: usize ] - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (re.[ round +! 
sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! - Rust_primitives.mk_usize 1 - <: - usize ] + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] <: i32) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (round +! Rust_primitives.mk_usize 1 <: usize) + (round +! sz 1 <: usize) b in - let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 1 in - re, zeta_i - <: - (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) & usize)) + let zeta_i:usize = zeta_i +! 
sz 1 in + re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) in - zeta_i, re - <: - (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + zeta_i, re <: (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) -let ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = - let zeta_i:usize = Rust_primitives.mk_usize 0 in - let tmp0, tmp1:(usize & - t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = - ntt_at_layer_3_plus (Rust_primitives.mk_usize 7) zeta_i re +let ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = + let zeta_i:usize = sz 0 in + let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = + ntt_at_layer_3_plus (sz 7) zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = tmp1 in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = - ntt_at_layer_3_plus (Rust_primitives.mk_usize 6) zeta_i re + let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = + ntt_at_layer_3_plus (sz 6) zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = tmp1 in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = - ntt_at_layer_3_plus (Rust_primitives.mk_usize 5) zeta_i re + let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = + ntt_at_layer_3_plus (sz 5) zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 
32) = tmp1 in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = - ntt_at_layer_3_plus (Rust_primitives.mk_usize 4) zeta_i re + let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = + ntt_at_layer_3_plus (sz 4) zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = tmp1 in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = - ntt_at_layer_3_plus (Rust_primitives.mk_usize 3) zeta_i re + let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = + ntt_at_layer_3_plus (sz 3) zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = tmp1 in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = + let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = ntt_at_layer_2_ zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = tmp1 in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = + let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = ntt_at_layer_1_ zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = tmp1 in + let re:t_Array 
Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) = + let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = ntt_at_layer_0_ zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = tmp1 in + let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in let _:Prims.unit = () in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti index df72e60c3..b258ca10c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti @@ -3,7 +3,7 @@ module Libcrux_ml_dsa.Simd.Avx2.Ntt open Core open FStar.Mul -let butterfly_2___SHUFFLE: i32 = Rust_primitives.mk_i32 216 +let butterfly_2___SHUFFLE: i32 = 216l val butterfly_2_ (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) 
@@ -40,37 +40,27 @@ val invert_ntt_at_layer_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) val ntt_at_layer_3_plus (v_LAYER zeta_i: usize) - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + : Prims.Pure (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_0_ - (zeta_i: usize) - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) +val ntt_at_layer_0_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + : Prims.Pure (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_1_ - (zeta_i: usize) - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) +val ntt_at_layer_1_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + : Prims.Pure (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_2_ - (zeta_i: usize) - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) - : Prims.Pure - (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) +val ntt_at_layer_2_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + : Prims.Pure (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) - : Prims.Pure (t_Array 
Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) +val ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst index 76c74ce60..67e806244 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst @@ -5,19 +5,19 @@ open FStar.Mul let shift_interval (v_ETA: usize) (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) = match cast (v_ETA <: usize) <: u8 with - | 2 -> + | 2uy -> let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Rust_primitives.mk_i32 26) + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 26l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 (Rust_primitives.mk_i32 7) quotient + Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 7l quotient in let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 quotient - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Rust_primitives.mk_i32 5) + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 5l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in 
@@ -29,7 +29,7 @@ let shift_interval (v_ETA: usize) (coefficients: Libcrux_intrinsics.Avx2_extract <: Libcrux_intrinsics.Avx2_extract.t_Vec256) coefficients_mod_5_ - | 4 -> + | 4uy -> Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (v_ETA <: usize) <: i32) <: @@ -43,13 +43,12 @@ let shift_interval (v_ETA: usize) (coefficients: Libcrux_intrinsics.Avx2_extract let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) = let potential_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize_to_unsigned (Rust_primitives.mk_usize 4) - input + Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize_to_unsigned (sz 4) input in let (interval_boundary: i32):i32 = match cast (v_ETA <: usize) <: u8 with - | 2 -> Rust_primitives.mk_i32 15 - | 4 -> Rust_primitives.mk_i32 9 + | 2uy -> 15l + | 4uy -> 9l | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" @@ -69,12 +68,12 @@ let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) = <: u8) in - let good_lower_half:i32 = good &. Rust_primitives.mk_i32 15 in - let good_upper_half:i32 = good >>! Rust_primitives.mk_i32 4 in + let good_lower_half:i32 = good &. 15l in + let good_upper_half:i32 = good >>! 4l in let shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = shift_interval v_ETA potential_coefficients in - let lower_shuffles:t_Array u8 (Rust_primitives.mk_usize 16) = + let lower_shuffles:t_Array u8 (sz 16) = Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_lower_half <: i32) 
@@ -92,15 +91,12 @@ let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) = in let output:t_Slice i32 = Rust_primitives.Hax.Monomorphized_update_at.update_at_range output - ({ - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 4 - } + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } <: Core.Ops.Range.t_Range usize) (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 4 + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 4 } <: Core.Ops.Range.t_Range usize ] @@ -111,7 +107,7 @@ let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) = t_Slice i32) in let sampled_count:usize = cast (Core.Num.impl__i32__count_ones good_lower_half <: u32) <: usize in - let upper_shuffles:t_Array u8 (Rust_primitives.mk_usize 16) = + let upper_shuffles:t_Array u8 (sz 16) = Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_upper_half <: i32) @@ -122,7 +118,7 @@ let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8) in let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 (Rust_primitives.mk_i32 1) shifted + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l shifted in let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles 
@@ -131,13 +127,13 @@ let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range output ({ Core.Ops.Range.f_start = sampled_count; - Core.Ops.Range.f_end = sampled_count +! Rust_primitives.mk_usize 4 <: usize + Core.Ops.Range.f_end = sampled_count +! sz 4 <: usize } <: Core.Ops.Range.t_Range usize) (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { Core.Ops.Range.f_start = sampled_count; - Core.Ops.Range.f_end = sampled_count +! Rust_primitives.mk_usize 4 <: usize + Core.Ops.Range.f_end = sampled_count +! sz 4 <: usize } <: Core.Ops.Range.t_Range usize ] diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst index a29265eb0..f3d66cf87 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst 
@@ -8,23 +8,18 @@ let bytestream_to_potential_coefficients (serialized: t_Slice u8) = if true then let _:Prims.unit = - match - Core.Slice.impl__len #u8 serialized, Rust_primitives.mk_usize 24 <: (usize & usize) - with + match Core.Slice.impl__len #u8 serialized, sz 24 <: (usize & usize) with | left_val, right_val -> Hax_lib.v_assert (left_val =. right_val <: bool) in () in - let serialized_extended:t_Array u8 (Rust_primitives.mk_usize 32) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 32) - in - let serialized_extended:t_Array u8 (Rust_primitives.mk_usize 32) = + let serialized_extended:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let serialized_extended:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_to serialized_extended - ({ Core.Ops.Range.f_end = Rust_primitives.mk_usize 24 } <: Core.Ops.Range.t_RangeTo usize) + ({ Core.Ops.Range.f_end = sz 24 } <: Core.Ops.Range.t_RangeTo usize) (Core.Slice.impl__copy_from_slice #u8 - (serialized_extended.[ { Core.Ops.Range.f_end = Rust_primitives.mk_usize 24 } - <: - Core.Ops.Range.t_RangeTo usize ] + (serialized_extended.[ { Core.Ops.Range.f_end = sz 24 } <: Core.Ops.Range.t_RangeTo usize + ] <: t_Slice u8) serialized 
@@ -36,31 +31,14 @@ let bytestream_to_potential_coefficients (serialized: t_Slice u8) = in let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 5) - (Rust_primitives.mk_i32 4) - (Rust_primitives.mk_i32 3) - (Rust_primitives.mk_i32 0) - (Rust_primitives.mk_i32 2) - (Rust_primitives.mk_i32 1) - (Rust_primitives.mk_i32 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 5l 4l 3l 0l 2l 1l 0l <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 11) (Rust_primitives.mk_i8 10) (Rust_primitives.mk_i8 9) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 8) (Rust_primitives.mk_i8 7) - (Rust_primitives.mk_i8 6) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 5) - (Rust_primitives.mk_i8 4) (Rust_primitives.mk_i8 3) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 2) (Rust_primitives.mk_i8 1) (Rust_primitives.mk_i8 0) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 11) (Rust_primitives.mk_i8 10) - (Rust_primitives.mk_i8 9) (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 8) - (Rust_primitives.mk_i8 7) (Rust_primitives.mk_i8 6) (Rust_primitives.mk_i8 (-1)) - (Rust_primitives.mk_i8 5) (Rust_primitives.mk_i8 4) (Rust_primitives.mk_i8 3) - (Rust_primitives.mk_i8 (-1)) (Rust_primitives.mk_i8 2) (Rust_primitives.mk_i8 1) - (Rust_primitives.mk_i8 0) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 11y 10y 9y (-1y) 8y 7y 6y (-1y) 5y 4y 3y + (-1y) 2y 1y 0y (-1y) 11y 10y 9y (-1y) 8y 7y 6y (-1y) 5y 4y 3y (-1y) 2y 1y 0y <: Libcrux_intrinsics.Avx2_extract.t_Vec256) in 
@@ -86,9 +64,9 @@ let sample (input: t_Slice u8) (output: t_Slice i32) = <: u8) in - let good_lower_half:i32 = good &. Rust_primitives.mk_i32 15 in - let good_upper_half:i32 = good >>! Rust_primitives.mk_i32 4 in - let lower_shuffles:t_Array u8 (Rust_primitives.mk_usize 16) = + let good_lower_half:i32 = good &. 15l in + let good_upper_half:i32 = good >>! 4l in + let lower_shuffles:t_Array u8 (sz 16) = Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_lower_half <: i32) @@ -106,15 +84,12 @@ let sample (input: t_Slice u8) (output: t_Slice i32) = in let output:t_Slice i32 = Rust_primitives.Hax.Monomorphized_update_at.update_at_range output - ({ - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 4 - } + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } <: Core.Ops.Range.t_Range usize) (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 4 + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 4 } <: Core.Ops.Range.t_Range usize ] @@ -125,7 +100,7 @@ let sample (input: t_Slice u8) (output: t_Slice i32) = t_Slice i32) in let sampled_count:usize = cast (Core.Num.impl__i32__count_ones good_lower_half <: u32) <: usize in - let upper_shuffles:t_Array u8 (Rust_primitives.mk_usize 16) = + let upper_shuffles:t_Array u8 (sz 16) = Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_upper_half <: i32) 
@@ -136,8 +111,7 @@ let sample (input: t_Slice u8) (output: t_Slice i32) = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8) in let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 (Rust_primitives.mk_i32 1) - potential_coefficients + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l potential_coefficients in let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles @@ -146,13 +120,13 @@ let sample (input: t_Slice u8) (output: t_Slice i32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range output ({ Core.Ops.Range.f_start = sampled_count; - Core.Ops.Range.f_end = sampled_count +! Rust_primitives.mk_usize 4 <: usize + Core.Ops.Range.f_end = sampled_count +! sz 4 <: usize } <: Core.Ops.Range.t_Range usize) (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { Core.Ops.Range.f_start = sampled_count; - Core.Ops.Range.f_end = sampled_count +! Rust_primitives.mk_usize 4 <: usize + Core.Ops.Range.f_end = sampled_count +! sz 4 <: usize } <: Core.Ops.Range.t_Range usize ] diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti index d91a75fe7..8d297cab8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti @@ -3,8 +3,7 @@ module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus open Core open FStar.Mul -let bytestream_to_potential_coefficients__COEFFICIENT_MASK: i32 = - (Rust_primitives.mk_i32 1 < Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fst
index 619cf820b..97a40a5a5 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fst
@@ -4,149 +4,103 @@ open Core open FStar.Mul let is_bit_set (number: usize) (bit_position: u8) = - ((number &. (Rust_primitives.mk_usize 1 <>! bit_position - <: - usize) =. - Rust_primitives.mk_usize 1 + ((number &. (sz 1 <>! bit_position <: usize) =. sz 1 let generate_shuffle_table (_: Prims.unit) = - let byte_shuffles:t_Array (t_Array u8 (Rust_primitives.mk_usize 16)) (Rust_primitives.mk_usize 16) - = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 255) - (Rust_primitives.mk_usize 16) - <: - t_Array u8 (Rust_primitives.mk_usize 16)) - (Rust_primitives.mk_usize 16) + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 255uy (sz 16) <: t_Array u8 (sz 16)) + (sz 16) in - let byte_shuffles:t_Array (t_Array u8 (Rust_primitives.mk_usize 16)) (Rust_primitives.mk_usize 16) - = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Rust_primitives.mk_usize 1 < - let byte_shuffles:t_Array (t_Array u8 (Rust_primitives.mk_usize 16)) - (Rust_primitives.mk_usize 16) = - byte_shuffles - in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = byte_shuffles in let _:usize = temp_1_ in true) byte_shuffles (fun byte_shuffles bit_pattern -> - let byte_shuffles:t_Array (t_Array u8 (Rust_primitives.mk_usize 16)) - (Rust_primitives.mk_usize 16) = - byte_shuffles - in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = byte_shuffles in let bit_pattern:usize = bit_pattern in - let byte_shuffles_index:usize = Rust_primitives.mk_usize 0 in - let byte_shuffles, byte_shuffles_index:(t_Array (t_Array u8 (Rust_primitives.mk_usize 16)) - (Rust_primitives.mk_usize 16) & - usize) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_u8 0) - (Rust_primitives.mk_u8 4) + let byte_shuffles_index:usize = sz 0 in + let byte_shuffles, byte_shuffles_index:(t_Array (t_Array u8 (sz 16)) (sz 16) & usize) = + Rust_primitives.Hax.Folds.fold_range 0uy + 4uy (fun temp_0_ temp_1_ -> - 
let byte_shuffles, byte_shuffles_index:(t_Array - (t_Array u8 (Rust_primitives.mk_usize 16)) (Rust_primitives.mk_usize 16) & + let byte_shuffles, byte_shuffles_index:(t_Array (t_Array u8 (sz 16)) (sz 16) & usize) = temp_0_ in let _:u8 = temp_1_ in true) - (byte_shuffles, byte_shuffles_index - <: - (t_Array (t_Array u8 (Rust_primitives.mk_usize 16)) (Rust_primitives.mk_usize 16) & - usize)) + (byte_shuffles, byte_shuffles_index <: (t_Array (t_Array u8 (sz 16)) (sz 16) & usize)) (fun temp_0_ bit_position -> - let byte_shuffles, byte_shuffles_index:(t_Array - (t_Array u8 (Rust_primitives.mk_usize 16)) (Rust_primitives.mk_usize 16) & + let byte_shuffles, byte_shuffles_index:(t_Array (t_Array u8 (sz 16)) (sz 16) & usize) = temp_0_ in let bit_position:u8 = bit_position in if is_bit_set bit_pattern bit_position <: bool then - let byte_shuffles:t_Array (t_Array u8 (Rust_primitives.mk_usize 16)) - (Rust_primitives.mk_usize 16) = + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles bit_pattern (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ bit_pattern ] <: - t_Array u8 (Rust_primitives.mk_usize 16)) + t_Array u8 (sz 16)) byte_shuffles_index - (bit_position *! Rust_primitives.mk_u8 4 <: u8) + (bit_position *! 4uy <: u8) <: - t_Array u8 (Rust_primitives.mk_usize 16)) - in - let byte_shuffles_index:usize = - byte_shuffles_index +! Rust_primitives.mk_usize 1 + t_Array u8 (sz 16)) in - let byte_shuffles:t_Array (t_Array u8 (Rust_primitives.mk_usize 16)) - (Rust_primitives.mk_usize 16) = + let byte_shuffles_index:usize = byte_shuffles_index +! 
sz 1 in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles bit_pattern (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ bit_pattern ] <: - t_Array u8 (Rust_primitives.mk_usize 16)) + t_Array u8 (sz 16)) byte_shuffles_index - ((bit_position *! Rust_primitives.mk_u8 4 <: u8) +! - Rust_primitives.mk_u8 1 - <: - u8) + ((bit_position *! 4uy <: u8) +! 1uy <: u8) <: - t_Array u8 (Rust_primitives.mk_usize 16)) - in - let byte_shuffles_index:usize = - byte_shuffles_index +! Rust_primitives.mk_usize 1 + t_Array u8 (sz 16)) in - let byte_shuffles:t_Array (t_Array u8 (Rust_primitives.mk_usize 16)) - (Rust_primitives.mk_usize 16) = + let byte_shuffles_index:usize = byte_shuffles_index +! sz 1 in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles bit_pattern (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ bit_pattern ] <: - t_Array u8 (Rust_primitives.mk_usize 16)) + t_Array u8 (sz 16)) byte_shuffles_index - ((bit_position *! Rust_primitives.mk_u8 4 <: u8) +! - Rust_primitives.mk_u8 2 - <: - u8) + ((bit_position *! 4uy <: u8) +! 2uy <: u8) <: - t_Array u8 (Rust_primitives.mk_usize 16)) - in - let byte_shuffles_index:usize = - byte_shuffles_index +! Rust_primitives.mk_usize 1 + t_Array u8 (sz 16)) in - let byte_shuffles:t_Array (t_Array u8 (Rust_primitives.mk_usize 16)) - (Rust_primitives.mk_usize 16) = + let byte_shuffles_index:usize = byte_shuffles_index +! sz 1 in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles bit_pattern (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ bit_pattern ] <: - t_Array u8 (Rust_primitives.mk_usize 16)) + t_Array u8 (sz 16)) byte_shuffles_index - ((bit_position *! Rust_primitives.mk_u8 4 <: u8) +! 
- Rust_primitives.mk_u8 3 - <: - u8) + ((bit_position *! 4uy <: u8) +! 3uy <: u8) <: - t_Array u8 (Rust_primitives.mk_usize 16)) - in - let byte_shuffles_index:usize = - byte_shuffles_index +! Rust_primitives.mk_usize 1 + t_Array u8 (sz 16)) in + let byte_shuffles_index:usize = byte_shuffles_index +! sz 1 in byte_shuffles, byte_shuffles_index <: - (t_Array (t_Array u8 (Rust_primitives.mk_usize 16)) - (Rust_primitives.mk_usize 16) & - usize) + (t_Array (t_Array u8 (sz 16)) (sz 16) & usize) else byte_shuffles, byte_shuffles_index <: - (t_Array (t_Array u8 (Rust_primitives.mk_usize 16)) - (Rust_primitives.mk_usize 16) & - usize)) + (t_Array (t_Array u8 (sz 16)) (sz 16) & usize)) in byte_shuffles) in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fsti index ec81e4140..9586d3a7b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fsti 
@@ -3,199 +3,128 @@ module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table open Core open FStar.Mul -let v_SHUFFLE_TABLE: t_Array (t_Array u8 (Rust_primitives.mk_usize 16)) - (Rust_primitives.mk_usize 16) = +let v_SHUFFLE_TABLE: t_Array (t_Array u8 (sz 16)) (sz 16) = let list = [ (let list = [ - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255 + 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy; 255uy ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list); (let list = [ - Rust_primitives.mk_u8 0; Rust_primitives.mk_u8 1; Rust_primitives.mk_u8 2; - Rust_primitives.mk_u8 3; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255 + 0uy; 1uy; 2uy; 3uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list); (let list = [ - Rust_primitives.mk_u8 4; Rust_primitives.mk_u8 5; Rust_primitives.mk_u8 6; - Rust_primitives.mk_u8 7; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - 
Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255 + 4uy; 5uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list); (let list = [ - Rust_primitives.mk_u8 0; Rust_primitives.mk_u8 1; Rust_primitives.mk_u8 2; - Rust_primitives.mk_u8 3; Rust_primitives.mk_u8 4; Rust_primitives.mk_u8 5; - Rust_primitives.mk_u8 6; Rust_primitives.mk_u8 7; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255 + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list); (let list = [ - Rust_primitives.mk_u8 8; Rust_primitives.mk_u8 9; Rust_primitives.mk_u8 10; - Rust_primitives.mk_u8 11; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255 + 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list); (let list = [ - Rust_primitives.mk_u8 0; Rust_primitives.mk_u8 1; Rust_primitives.mk_u8 2; - Rust_primitives.mk_u8 3; Rust_primitives.mk_u8 8; Rust_primitives.mk_u8 9; - Rust_primitives.mk_u8 10; Rust_primitives.mk_u8 11; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; 
- Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255 + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list); (let list = [ - Rust_primitives.mk_u8 4; Rust_primitives.mk_u8 5; Rust_primitives.mk_u8 6; - Rust_primitives.mk_u8 7; Rust_primitives.mk_u8 8; Rust_primitives.mk_u8 9; - Rust_primitives.mk_u8 10; Rust_primitives.mk_u8 11; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255 + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list); (let list = - [ - Rust_primitives.mk_u8 0; Rust_primitives.mk_u8 1; Rust_primitives.mk_u8 2; - Rust_primitives.mk_u8 3; Rust_primitives.mk_u8 4; Rust_primitives.mk_u8 5; - Rust_primitives.mk_u8 6; Rust_primitives.mk_u8 7; Rust_primitives.mk_u8 8; - Rust_primitives.mk_u8 9; Rust_primitives.mk_u8 10; Rust_primitives.mk_u8 11; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255 - ] + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list); (let list = [ - Rust_primitives.mk_u8 12; Rust_primitives.mk_u8 13; Rust_primitives.mk_u8 14; - Rust_primitives.mk_u8 15; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - 
Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255 + 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list); (let list = [ - Rust_primitives.mk_u8 0; Rust_primitives.mk_u8 1; Rust_primitives.mk_u8 2; - Rust_primitives.mk_u8 3; Rust_primitives.mk_u8 12; Rust_primitives.mk_u8 13; - Rust_primitives.mk_u8 14; Rust_primitives.mk_u8 15; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255 + 0uy; 1uy; 2uy; 3uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list); (let list = [ - Rust_primitives.mk_u8 4; Rust_primitives.mk_u8 5; Rust_primitives.mk_u8 6; - Rust_primitives.mk_u8 7; Rust_primitives.mk_u8 12; Rust_primitives.mk_u8 13; - Rust_primitives.mk_u8 14; Rust_primitives.mk_u8 15; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255 + 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list); (let list = [ - Rust_primitives.mk_u8 0; Rust_primitives.mk_u8 1; Rust_primitives.mk_u8 2; - Rust_primitives.mk_u8 3; Rust_primitives.mk_u8 4; Rust_primitives.mk_u8 5; - Rust_primitives.mk_u8 6; Rust_primitives.mk_u8 7; Rust_primitives.mk_u8 12; - Rust_primitives.mk_u8 13; Rust_primitives.mk_u8 14; Rust_primitives.mk_u8 15; - 
Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255 + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list); (let list = [ - Rust_primitives.mk_u8 8; Rust_primitives.mk_u8 9; Rust_primitives.mk_u8 10; - Rust_primitives.mk_u8 11; Rust_primitives.mk_u8 12; Rust_primitives.mk_u8 13; - Rust_primitives.mk_u8 14; Rust_primitives.mk_u8 15; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255 + 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list); (let list = [ - Rust_primitives.mk_u8 0; Rust_primitives.mk_u8 1; Rust_primitives.mk_u8 2; - Rust_primitives.mk_u8 3; Rust_primitives.mk_u8 8; Rust_primitives.mk_u8 9; - Rust_primitives.mk_u8 10; Rust_primitives.mk_u8 11; Rust_primitives.mk_u8 12; - Rust_primitives.mk_u8 13; Rust_primitives.mk_u8 14; Rust_primitives.mk_u8 15; - Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255 + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list); (let list = [ - Rust_primitives.mk_u8 4; Rust_primitives.mk_u8 5; Rust_primitives.mk_u8 6; - Rust_primitives.mk_u8 7; Rust_primitives.mk_u8 8; Rust_primitives.mk_u8 9; - Rust_primitives.mk_u8 10; Rust_primitives.mk_u8 11; Rust_primitives.mk_u8 12; - Rust_primitives.mk_u8 13; Rust_primitives.mk_u8 14; Rust_primitives.mk_u8 15; - Rust_primitives.mk_u8 255; 
Rust_primitives.mk_u8 255; Rust_primitives.mk_u8 255; - Rust_primitives.mk_u8 255 + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list); let list = - [ - Rust_primitives.mk_u8 0; Rust_primitives.mk_u8 1; Rust_primitives.mk_u8 2; - Rust_primitives.mk_u8 3; Rust_primitives.mk_u8 4; Rust_primitives.mk_u8 5; - Rust_primitives.mk_u8 6; Rust_primitives.mk_u8 7; Rust_primitives.mk_u8 8; - Rust_primitives.mk_u8 9; Rust_primitives.mk_u8 10; Rust_primitives.mk_u8 11; - Rust_primitives.mk_u8 12; Rust_primitives.mk_u8 13; Rust_primitives.mk_u8 14; - Rust_primitives.mk_u8 15 - ] + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); Rust_primitives.Hax.array_of_list 16 list @@ -208,6 +137,4 @@ val is_bit_set (number: usize) (bit_position: u8) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) val generate_shuffle_table: Prims.unit - -> Prims.Pure (t_Array (t_Array u8 (Rust_primitives.mk_usize 16)) (Rust_primitives.mk_usize 16)) - Prims.l_True - (fun _ -> Prims.l_True) + -> Prims.Pure (t_Array (t_Array u8 (sz 16)) (sz 16)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst index 09fb347fe..548a6a706 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst 
@@ -20,10 +20,8 @@ let from_coefficient_array (coefficient_array: t_Slice i32) = Libcrux_intrinsics.Avx2_extract.t_Vec256) let to_coefficient_array (x: t_AVX2SIMDUnit) = - let coefficient_array:t_Array i32 (Rust_primitives.mk_usize 8) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 8) - in - let coefficient_array:t_Array i32 (Rust_primitives.mk_usize 8) = + let coefficient_array:t_Array i32 (sz 8) = Rust_primitives.Hax.repeat 0l (sz 8) in + let coefficient_array:t_Array i32 (sz 8) = Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i32 coefficient_array x.f_coefficients in coefficient_array diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti index a35eb5b9e..ec092f8da 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti @@ -24,4 +24,4 @@ val from_coefficient_array (coefficient_array: t_Slice i32) : Prims.Pure t_AVX2SIMDUnit Prims.l_True (fun _ -> Prims.l_True) val to_coefficient_array (x: t_AVX2SIMDUnit) - : Prims.Pure (t_Array i32 (Rust_primitives.mk_usize 8)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti index 35b953c61..d14d3a5c7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti 
@@ -37,10 +37,7 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = (fun (self: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); f_to_coefficient_array_post = - (fun - (self: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: t_Array i32 (Rust_primitives.mk_usize 8)) - -> + (fun (self: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (out: t_Array i32 (sz 8)) -> true); f_to_coefficient_array = @@ -349,10 +346,7 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = = (fun (randomness: t_Slice u8) (out: t_Slice i32) -> let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (Rust_primitives.mk_usize 2 - ) - randomness - out + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 2) randomness out in let out:t_Slice i32 = tmp0 in let hax_temp_output:usize = out1 in @@ -367,10 +361,7 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = = (fun (randomness: t_Slice u8) (out: t_Slice i32) -> let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (Rust_primitives.mk_usize 4 - ) - randomness - out + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 4) randomness out in let out:t_Slice i32 = tmp0 in let hax_temp_output:usize = out1 in @@ -469,7 +460,7 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = = (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: t_Array u8 (Rust_primitives.mk_usize 13)) + (out: t_Array u8 (sz 13)) -> true); f_t0_serialize @@ -498,7 +489,7 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = = (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) - (out: t_Array u8 (Rust_primitives.mk_usize 10)) + (out: t_Array u8 (sz 10)) -> true); f_t1_serialize 
@@ -522,39 +513,30 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = Libcrux_intrinsics.Avx2_extract.t_Vec256)); f_ntt_pre = - (fun - (simd_units: - t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (Rust_primitives.mk_usize 32)) - -> - true); + (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) -> true); f_ntt_post = (fun - (simd_units: - t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (Rust_primitives.mk_usize 32)) - (out: - t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (Rust_primitives.mk_usize 32)) + (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) + (out: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) -> true); f_ntt = - (fun - (simd_units: - t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (Rust_primitives.mk_usize 32)) - -> - let result:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32) = + (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) -> + let result:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt (Core.Array.impl_23__map #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - (Rust_primitives.mk_usize 32) + (sz 32) #Libcrux_intrinsics.Avx2_extract.t_Vec256 simd_units (fun x -> let x:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = x in x.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients) <: - t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (Rust_primitives.mk_usize 32)) + t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) in Core.Array.impl_23__map #Libcrux_intrinsics.Avx2_extract.t_Vec256 - (Rust_primitives.mk_usize 32) + (sz 32) #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit result (fun x -> 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst index 48c1c060a..e42a2efa9 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst 
@@ -3,723 +3,60 @@ module Libcrux_ml_dsa.Simd.Portable.Arithmetic open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Simd.Portable in - let open Libcrux_ml_dsa.Simd.Traits in - () +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY367462299 as v_DUMMY} -let compute_one_hint (v_GAMMA2 low high: i32) = - if - low >. v_GAMMA2 || low <. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) || - low =. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) && high <>. Rust_primitives.mk_i32 0 - then Rust_primitives.mk_i32 1 - else Rust_primitives.mk_i32 0 +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY81638022 as v_DUMMY} -let get_n_least_significant_bits (n: u8) (value: u64) = - value &. ((Rust_primitives.mk_u64 1 <>! - Rust_primitives.mk_i32 23 - in - fe -! (quotient *! Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY524003877 as v_DUMMY} -let montgomery_reduce_element (value: i64) = - let t:u64 = - (get_n_least_significant_bits v_MONTGOMERY_SHIFT (cast (value <: i64) <: u64) <: u64) *! - Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R - in - let k:i32 = cast (get_n_least_significant_bits v_MONTGOMERY_SHIFT t <: u64) <: i32 in - let k_times_modulus:i64 = - (cast (k <: i32) <: i64) *! (cast (Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) <: i64) - in - let c:i32 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in - let value_high:i32 = cast (value >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in - value_high -! c +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY379549811 as v_DUMMY} -let montgomery_multiply_fe_by_fer (fe fer: i32) = - montgomery_reduce_element ((cast (fe <: i32) <: i64) *! 
(cast (fer <: i32) <: i64) <: i64) +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY657797394 as v_DUMMY} -let decompose_element (v_GAMMA2 r: i32) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - if - ~.((r >. (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) - <: - bool) && - (r <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) - then - Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 (Rust_primitives.mk_usize - 1) - (Rust_primitives.mk_usize 1) - (let list = ["the representative is "] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - (let list = - [Core.Fmt.Rt.impl_1__new_display #i32 r <: Core.Fmt.Rt.t_Argument] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - <: - Core.Fmt.t_Arguments) - <: - Rust_primitives.Hax.t_Never) - in - () - in - let r:i32 = - r +! - ((r >>! Rust_primitives.mk_i32 31 <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) - in - let v_ALPHA:i32 = v_GAMMA2 *! Rust_primitives.mk_i32 2 in - let ceil_of_r_by_128_:i32 = - (r +! Rust_primitives.mk_i32 127 <: i32) >>! Rust_primitives.mk_i32 7 - in - let r1:i32 = - match v_ALPHA with - | 190464 -> - let result:i32 = - ((ceil_of_r_by_128_ *! Rust_primitives.mk_i32 11275 <: i32) +! - (Rust_primitives.mk_i32 1 <>! - Rust_primitives.mk_i32 24 - in - (result ^. ((Rust_primitives.mk_i32 43 -! result <: i32) >>! Rust_primitives.mk_i32 31 <: i32) - <: - i32) &. - result - | 523776 -> - let result:i32 = - ((ceil_of_r_by_128_ *! Rust_primitives.mk_i32 1025 <: i32) +! - (Rust_primitives.mk_i32 1 <>! - Rust_primitives.mk_i32 22 - in - result &. 
Rust_primitives.mk_i32 15 - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY856139336 as v_DUMMY} - <: - Rust_primitives.Hax.t_Never) - in - let r0:i32 = r -! (r1 *! v_ALPHA <: i32) in - let r0:i32 = - r0 -! - (((((Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS -! Rust_primitives.mk_i32 1 <: i32) /! - Rust_primitives.mk_i32 2 - <: - i32) -! - r0 - <: - i32) >>! - Rust_primitives.mk_i32 31 - <: - i32) &. - Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS - <: - i32) - in - r0, r1 <: (i32 & i32) +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY633486193 as v_DUMMY} -let power2round_element (t: i32) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - if - ~.((t >. (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) - <: - bool) && - (t <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) - then - Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 (Rust_primitives.mk_usize - 1) - (Rust_primitives.mk_usize 1) - (let list = ["t is "] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - (let list = - [Core.Fmt.Rt.impl_1__new_display #i32 t <: Core.Fmt.Rt.t_Argument] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - <: - Core.Fmt.t_Arguments) - <: - Rust_primitives.Hax.t_Never) - in - () - in - let t:i32 = - t +! - ((t >>! Rust_primitives.mk_i32 31 <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) - in - let t1:i32 = - ((t -! Rust_primitives.mk_i32 1 <: i32) +! - (Rust_primitives.mk_i32 1 <>! - Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T - in - let t0:i32 = t -! (t1 < - if r0 >. Rust_primitives.mk_i32 0 - then if r1 =. Rust_primitives.mk_i32 43 then Rust_primitives.mk_i32 0 else r1 +! hint - else if r1 =. 
Rust_primitives.mk_i32 0 then Rust_primitives.mk_i32 43 else r1 -! hint - | 261888 -> - if r0 >. Rust_primitives.mk_i32 0 - then (r1 +! hint <: i32) &. Rust_primitives.mk_i32 15 - else (r1 -! hint <: i32) &. Rust_primitives.mk_i32 15 - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY773619918 as v_DUMMY} - <: - Rust_primitives.Hax.t_Never) +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_MONTGOMERY_SHIFT as v_MONTGOMERY_SHIFT} -let infinity_norm_exceeds - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (bound: i32) - = - let exceeds:bool = false in - let exceeds:bool = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Array.Iter.t_IntoIter - i32 (Rust_primitives.mk_usize 8)) - #FStar.Tactics.Typeclasses.solve - (Core.Iter.Traits.Collect.f_into_iter #(t_Array i32 (Rust_primitives.mk_usize 8)) - #FStar.Tactics.Typeclasses.solve - simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - <: - Core.Array.Iter.t_IntoIter i32 (Rust_primitives.mk_usize 8)) - <: - Core.Array.Iter.t_IntoIter i32 (Rust_primitives.mk_usize 8)) - exceeds - (fun exceeds coefficient -> - let exceeds:bool = exceeds in - let coefficient:i32 = coefficient in - let _:Prims.unit = - if true - then - let _:Prims.unit = - if - ~.((coefficient >. - (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) - <: - bool) && - (coefficient <. 
Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) - then - Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 - (Rust_primitives.mk_usize 1) - (Rust_primitives.mk_usize 1) - (let list = ["coefficient is "] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - (let list = - [ - Core.Fmt.Rt.impl_1__new_display #i32 coefficient - <: - Core.Fmt.Rt.t_Argument - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - <: - Core.Fmt.t_Arguments) - <: - Rust_primitives.Hax.t_Never) - in - () - in - let sign:i32 = coefficient >>! Rust_primitives.mk_i32 31 in - let normalized:i32 = - coefficient -! (sign &. (Rust_primitives.mk_i32 2 *! coefficient <: i32) <: i32) - in - let exceeds:bool = exceeds |. (normalized >=. bound <: bool) in - exceeds) - in - exceeds +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {compute_one_hint as compute_one_hint} -let montgomery_multiply_by_constant - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (c: i32) - = - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #i32 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let _:usize = temp_1_ in - true) - simd_unit - (fun simd_unit i -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let i:usize = i in - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - (montgomery_reduce_element ((cast (simd_unit - 
.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] - <: - i32) - <: - i64) *! - (cast (c <: i32) <: i64) - <: - i64) - <: - i32) - <: - t_Array i32 (Rust_primitives.mk_usize 8) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - simd_unit +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {get_n_least_significant_bits as get_n_least_significant_bits} -let add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #i32 - (sum.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun sum temp_1_ -> - let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in - let _:usize = temp_1_ in - true) - sum - (fun sum i -> - let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in - let i:usize = i in - { - sum with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sum - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) +! 
- (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - i32) - <: - t_Array i32 (Rust_primitives.mk_usize 8) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - sum +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {reduce_element as reduce_element} -let compute_hint - (v_GAMMA2: i32) - (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let one_hints_count:usize = Rust_primitives.mk_usize 0 in - let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #i32 - (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun temp_0_ temp_1_ -> - let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (hint, one_hints_count - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) - (fun temp_0_ i -> - let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - usize) = - temp_0_ - in - let i:usize = i in - let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - hint with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - (compute_one_hint v_GAMMA2 - (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - (high.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let 
one_hints_count:usize = - one_hints_count +! - (cast (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - usize) - in - hint, one_hints_count - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) - in - one_hints_count, hint <: (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {montgomery_reduce_element as montgomery_reduce_element} -let decompose - (v_GAMMA2: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #i32 - (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun temp_0_ temp_1_ -> - let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (high, low - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) - (fun temp_0_ i -> - let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - temp_0_ - in - let i:usize = i in - let low_part, high_part:(i32 & i32) = - decompose_element v_GAMMA2 - 
(simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - in - let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - low with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - low_part - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - high with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - high_part - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - high, low - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) - in - low, high - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {montgomery_multiply_fe_by_fer as montgomery_multiply_fe_by_fer} -let montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #i32 - (product.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun product temp_1_ -> - let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in - let _:usize = temp_1_ in - true) - product - (fun product 
i -> - let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in - let i:usize = i in - { - product with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize product - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - (montgomery_reduce_element ((cast (lhs - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] - <: - i32) - <: - i64) *! - (cast (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - i64) - <: - i64) - <: - i32) - <: - t_Array i32 (Rust_primitives.mk_usize 8) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - product +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {decompose_element as decompose_element} -let power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - Rust_primitives.Hax.Folds.fold_enumerated_slice simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (fun temp_0_ temp_1_ -> - let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (t0_simd_unit, t1_simd_unit - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) - (fun temp_0_ temp_1_ -> - let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - temp_0_ - in - let i, t:(usize & i32) = temp_1_ in - let t0, t1:(i32 & i32) = power2round_element t in - let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - t0_simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0_simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - t0 - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - t1_simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1_simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - t1 - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - t0_simd_unit, t1_simd_unit - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) - in - t0_simd_unit, t1_simd_unit - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {infinity_norm_exceeds as infinity_norm_exceeds} -let shift_left_then_reduce - (v_SHIFT_BY: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - 
Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #i32 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun out temp_1_ -> - let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in - let _:usize = temp_1_ in - true) - out - (fun out i -> - let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in - let i:usize = i in - { - out with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - (reduce_element ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i - ] - <: - i32) < - let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in - let _:usize = temp_1_ in - true) - difference - (fun difference i -> - let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in - let i:usize = i in - { - difference with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize difference - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) -! 
- (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - i32) - <: - t_Array i32 (Rust_primitives.mk_usize 8) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - difference +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {use_one_hint as use_one_hint} -let use_hint - (v_GAMMA2: i32) - (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #i32 - (result.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun result temp_1_ -> - let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in - let _:usize = temp_1_ in - true) - result - (fun result i -> - let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in - let i:usize = i in - { - result with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - (use_one_hint v_GAMMA2 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - i32) - <: - t_Array i32 (Rust_primitives.mk_usize 8) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - result +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {montgomery_multiply_by_constant as montgomery_multiply_by_constant} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {add as add} + +include 
Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {compute_hint as compute_hint} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {decompose as decompose} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {montgomery_multiply as montgomery_multiply} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {power2round as power2round} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {shift_left_then_reduce as shift_left_then_reduce} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {subtract as subtract} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {use_hint as use_hint} diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti deleted file mode 100644 index e987f5016..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti +++ /dev/null 
@@ -1,96 +0,0 @@ -module Libcrux_ml_dsa.Simd.Portable.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Simd.Portable in - let open Libcrux_ml_dsa.Simd.Traits in - () - -let v_MONTGOMERY_SHIFT: u8 = Rust_primitives.mk_u8 32 - -val compute_one_hint (v_GAMMA2 low high: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val get_n_least_significant_bits (n: u8) (value: u64) - : Prims.Pure u64 Prims.l_True (fun _ -> Prims.l_True) - -val reduce_element (fe: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_reduce_element (value: i64) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_multiply_fe_by_fer (fe fer: i32) - : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val decompose_element (v_GAMMA2 r: i32) - : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) - -val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) - -val use_one_hint (v_GAMMA2 r hint: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val infinity_norm_exceeds - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (bound: i32) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_multiply_by_constant - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (c: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val compute_hint - (v_GAMMA2: i32) - (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure 
(usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - Prims.l_True - (fun _ -> Prims.l_True) - -val decompose - (v_GAMMA2: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - Prims.l_True - (fun _ -> Prims.l_True) - -val montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - Prims.l_True - (fun _ -> Prims.l_True) - -val shift_left_then_reduce - (v_SHIFT_BY: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val use_hint - (v_GAMMA2: i32) - (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst index 59e3e305f..ff1788cd5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst 
@@ -7,13 +7,11 @@ let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_SIZE - in + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in match cast (v_OUTPUT_SIZE <: usize) <: u8 with - | 4 -> + | 4uy -> let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (Rust_primitives.mk_usize 2) + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in @@ -23,19 +21,19 @@ let serialize (fun serialized temp_1_ -> let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let coefficient0:u8 = cast (coefficients.[ Rust_primitives.mk_usize 0 ] <: i32) <: u8 in - let coefficient1:u8 = cast (coefficients.[ Rust_primitives.mk_usize 1 ] <: i32) <: u8 in + let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in + let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized i - ((coefficient1 < + | 6uy -> let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (Rust_primitives.mk_usize 4) + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) (fun serialized temp_1_ -> let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in 
@@ -45,30 +43,24 @@ let serialize (fun serialized temp_1_ -> let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let coefficient0:u8 = cast (coefficients.[ Rust_primitives.mk_usize 0 ] <: i32) <: u8 in - let coefficient1:u8 = cast (coefficients.[ Rust_primitives.mk_usize 1 ] <: i32) <: u8 in - let coefficient2:u8 = cast (coefficients.[ Rust_primitives.mk_usize 2 ] <: i32) <: u8 in - let coefficient3:u8 = cast (coefficients.[ Rust_primitives.mk_usize 3 ] <: i32) <: u8 in + let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in + let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in + let coefficient2:u8 = cast (coefficients.[ sz 2 ] <: i32) <: u8 in + let coefficient3:u8 = cast (coefficients.[ sz 3 ] <: i32) <: u8 in let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 3 *! i <: usize) - ((coefficient1 <>! Rust_primitives.mk_i32 2 <: u8) - <: - u8) + ((sz 3 *! i <: usize) +! sz 1 <: usize) + ((coefficient2 <>! 2l <: u8) <: u8) in let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 3 *! i <: usize) +! Rust_primitives.mk_usize 2 <: usize) - ((coefficient3 <>! Rust_primitives.mk_i32 4 <: u8) - <: - u8) + ((sz 3 *! i <: usize) +! sz 2 <: usize) + ((coefficient3 <>! 4l <: u8) <: u8) in serialized) in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst index 1101e8bd4..077803ff8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst 
@@ -3,430 +3,26 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Error open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Simd.Portable in - let open Libcrux_ml_dsa.Simd.Traits in - () +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY648673932 as v_DUMMY} -let serialize_when_eta_is_2_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_SIZE - in - let coefficient0:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 0 ] - <: - i32) - <: - i32) - <: - u8 - in - let coefficient1:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 1 ] - <: - i32) - <: - i32) - <: - u8 - in - let coefficient2:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 2 ] - <: - i32) - <: - i32) - <: - u8 - in - let coefficient3:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 3 ] - <: - i32) - <: - i32) - <: - u8 - in - let coefficient4:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 4 ] - <: - i32) - <: - i32) - <: - u8 - in - let coefficient5:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 5 ] - <: - i32) - <: - i32) - <: - u8 - in - let coefficient6:u8 = - cast (serialize_when_eta_is_2___ETA -! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 6 ] - <: - i32) - <: - i32) - <: - u8 - in - let coefficient7:u8 = - cast (serialize_when_eta_is_2___ETA -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 7 ] - <: - i32) - <: - i32) - <: - u8 - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 0) - (((coefficient2 <>! Rust_primitives.mk_i32 2 <: u8) - <: - u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 2) - (((coefficient7 <>! Rust_primitives.mk_i32 1 <: u8) - <: - u8) - in - serialized +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY221943049 as v_DUMMY} -let serialize_when_eta_is_4_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_SIZE - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (Rust_primitives.mk_usize 2) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let coefficient0:u8 = - cast (serialize_when_eta_is_4___ETA -! - (coefficients.[ Rust_primitives.mk_usize 0 ] <: i32) - <: - i32) - <: - u8 - in - let coefficient1:u8 = - cast (serialize_when_eta_is_4___ETA -! 
- (coefficients.[ Rust_primitives.mk_usize 1 ] <: i32) - <: - i32) - <: - u8 - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - i - ((coefficient1 < serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit - | 4 -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_ETA177254429 as deserialize_when_eta_is_4___ETA} - <: - Rust_primitives.Hax.t_Never) +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_ETA345140054 as serialize_when_eta_is_2___ETA} -let deserialize_when_eta_is_2_ (serialized: t_Slice u8) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. - Rust_primitives.mk_usize 3 - <: - bool) - in - () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let byte0:i32 = cast (serialized.[ Rust_primitives.mk_usize 0 ] <: u8) <: i32 in - let byte1:i32 = cast (serialized.[ Rust_primitives.mk_usize 1 ] <: u8) <: i32 in - let byte2:i32 = cast (serialized.[ Rust_primitives.mk_usize 2 ] <: u8) <: i32 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 0) - (deserialize_when_eta_is_2___ETA -! (byte0 &. 
Rust_primitives.mk_i32 7 <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 1) - (deserialize_when_eta_is_2___ETA -! - ((byte0 >>! Rust_primitives.mk_i32 3 <: i32) &. Rust_primitives.mk_i32 7 <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 2) - (deserialize_when_eta_is_2___ETA -! - (((byte0 >>! Rust_primitives.mk_i32 6 <: i32) |. - (byte1 <>! Rust_primitives.mk_i32 1 <: i32) &. Rust_primitives.mk_i32 7 <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 4) - (deserialize_when_eta_is_2___ETA -! - ((byte1 >>! Rust_primitives.mk_i32 4 <: i32) &. 
Rust_primitives.mk_i32 7 <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 5) - (deserialize_when_eta_is_2___ETA -! - (((byte1 >>! Rust_primitives.mk_i32 7 <: i32) |. - (byte2 <>! Rust_primitives.mk_i32 2 <: i32) &. Rust_primitives.mk_i32 7 <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 7) - (deserialize_when_eta_is_2___ETA -! - ((byte2 >>! Rust_primitives.mk_i32 5 <: i32) &. Rust_primitives.mk_i32 7 <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_ETA858068178 as serialize_when_eta_is_4___ETA} -let deserialize_when_eta_is_4_ (serialized: t_Slice u8) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. 
- Rust_primitives.mk_usize 4 - <: - bool) - in - () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Rust_primitives.Hax.Folds.fold_enumerated_slice serialized - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let _:usize = temp_1_ in - true) - simd_unit - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let i, byte:(usize & u8) = temp_1_ in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 2 *! i <: usize) - (deserialize_when_eta_is_4___ETA -! - (cast (byte &. Rust_primitives.mk_u8 15 <: u8) <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((Rust_primitives.mk_usize 2 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) - (deserialize_when_eta_is_4___ETA -! - (cast (byte >>! 
Rust_primitives.mk_i32 4 <: u8) <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit) - in - simd_unit +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {serialize_when_eta_is_2_ as serialize_when_eta_is_2_} -let deserialize (v_ETA: usize) (serialized: t_Slice u8) = - match cast (v_ETA <: usize) <: u8 with - | 2 -> deserialize_when_eta_is_2_ serialized - | 4 -> deserialize_when_eta_is_4_ serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {serialize_when_eta_is_4_ as serialize_when_eta_is_4_} - <: - Rust_primitives.Hax.t_Never) +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {serialize1006998023 as serialize} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {deserialize_when_eta_is_2_ as deserialize_when_eta_is_2_} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {deserialize_when_eta_is_4_ as deserialize_when_eta_is_4_} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {deserialize154437703 as deserialize} diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti deleted file mode 100644 index 7164821d8..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti +++ /dev/null 
@@ -1,49 +0,0 @@ -module Libcrux_ml_dsa.Simd.Portable.Encoding.Error -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Simd.Portable in - let open Libcrux_ml_dsa.Simd.Traits in - () - -let deserialize_when_eta_is_2___ETA: i32 = Rust_primitives.mk_i32 2 - -let deserialize_when_eta_is_4___ETA: i32 = Rust_primitives.mk_i32 4 - -let serialize_when_eta_is_2___ETA: i32 = Rust_primitives.mk_i32 2 - -let serialize_when_eta_is_4___ETA: i32 = Rust_primitives.mk_i32 4 - -val serialize_when_eta_is_2_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_when_eta_is_4_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -val serialize - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -val deserialize_when_eta_is_2_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize_when_eta_is_4_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize (v_ETA: usize) (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst index d1d4b15fc..8eb4337c6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst 
@@ -3,963 +3,30 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1 open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Simd.Portable in - let open Libcrux_ml_dsa.Simd.Traits in - () +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY771885219 as v_DUMMY} -let serialize_when_gamma1_is_2_pow_17_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_SIZE - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (Rust_primitives.mk_usize 4) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let coefficient0:i32 = - serialize_when_gamma1_is_2_pow_17___GAMMA1 -! - (coefficients.[ Rust_primitives.mk_usize 0 ] <: i32) - in - let coefficient1:i32 = - serialize_when_gamma1_is_2_pow_17___GAMMA1 -! - (coefficients.[ Rust_primitives.mk_usize 1 ] <: i32) - in - let coefficient2:i32 = - serialize_when_gamma1_is_2_pow_17___GAMMA1 -! - (coefficients.[ Rust_primitives.mk_usize 2 ] <: i32) - in - let coefficient3:i32 = - serialize_when_gamma1_is_2_pow_17___GAMMA1 -! - (coefficients.[ Rust_primitives.mk_usize 3 ] <: i32) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 9 *! 
i <: usize) - (cast (coefficient0 <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 9 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) - (cast (coefficient0 >>! Rust_primitives.mk_i32 8 <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 9 *! i <: usize) +! Rust_primitives.mk_usize 2 <: usize) - (cast (coefficient0 >>! Rust_primitives.mk_i32 16 <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 9 *! i <: usize) +! Rust_primitives.mk_usize 2 <: usize) - ((serialized.[ (Rust_primitives.mk_usize 9 *! i <: usize) +! - Rust_primitives.mk_usize 2 - <: - usize ] - <: - u8) |. - (cast (coefficient1 <>! Rust_primitives.mk_i32 6 <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 9 *! i <: usize) +! Rust_primitives.mk_usize 4 <: usize) - (cast (coefficient1 >>! Rust_primitives.mk_i32 14 <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 9 *! i <: usize) +! Rust_primitives.mk_usize 4 <: usize) - ((serialized.[ (Rust_primitives.mk_usize 9 *! i <: usize) +! - Rust_primitives.mk_usize 4 - <: - usize ] - <: - u8) |. - (cast (coefficient2 <>! Rust_primitives.mk_i32 4 <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 9 *! i <: usize) +! Rust_primitives.mk_usize 6 <: usize) - (cast (coefficient2 >>! 
Rust_primitives.mk_i32 12 <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 9 *! i <: usize) +! Rust_primitives.mk_usize 6 <: usize) - ((serialized.[ (Rust_primitives.mk_usize 9 *! i <: usize) +! - Rust_primitives.mk_usize 6 - <: - usize ] - <: - u8) |. - (cast (coefficient3 <>! Rust_primitives.mk_i32 2 <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 9 *! i <: usize) +! Rust_primitives.mk_usize 8 <: usize) - (cast (coefficient3 >>! Rust_primitives.mk_i32 10 <: i32) <: u8) - in - serialized) - in - serialized +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY1067577027 as v_DUMMY} -let serialize_when_gamma1_is_2_pow_19_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_OUTPUT_SIZE - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (Rust_primitives.mk_usize 2) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let coefficient0:i32 = - serialize_when_gamma1_is_2_pow_19___GAMMA1 -! - (coefficients.[ Rust_primitives.mk_usize 0 ] <: i32) - in - let coefficient1:i32 = - serialize_when_gamma1_is_2_pow_19___GAMMA1 -! 
- (coefficients.[ Rust_primitives.mk_usize 1 ] <: i32) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 5 *! i <: usize) - (cast (coefficient0 <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 5 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) - (cast (coefficient0 >>! Rust_primitives.mk_i32 8 <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 5 *! i <: usize) +! Rust_primitives.mk_usize 2 <: usize) - (cast (coefficient0 >>! Rust_primitives.mk_i32 16 <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 5 *! i <: usize) +! Rust_primitives.mk_usize 2 <: usize) - ((serialized.[ (Rust_primitives.mk_usize 5 *! i <: usize) +! - Rust_primitives.mk_usize 2 - <: - usize ] - <: - u8) |. - (cast (coefficient1 <>! Rust_primitives.mk_i32 4 <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 5 *! i <: usize) +! Rust_primitives.mk_usize 4 <: usize) - (cast (coefficient1 >>! 
Rust_primitives.mk_i32 12 <: i32) <: u8) - in - serialized) - in - serialized +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_GAMMA1183990813 as deserialize_when_gamma1_is_2_pow_17___GAMMA1} -let serialize - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - match cast (v_OUTPUT_SIZE <: usize) <: u8 with - | 18 -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit - | 20 -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_GAMMA1_TIMES_2_BITMASK305664693 as deserialize_when_gamma1_is_2_pow_17___GAMMA1_TIMES_2_BITMASK} - <: - Rust_primitives.Hax.t_Never) +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_GAMMA1465203885 as deserialize_when_gamma1_is_2_pow_19___GAMMA1} -let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. 
- Rust_primitives.mk_usize 18 - <: - bool) - in - () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (Rust_primitives.mk_usize 9) - serialized - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let _:usize = temp_1_ in - true) - simd_unit - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 4 *! i <: usize) - (cast (bytes.[ Rust_primitives.mk_usize 0 ] <: u8) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 4 *! i <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 4 *! - i - <: - usize ] - <: - i32) |. - ((cast (bytes.[ Rust_primitives.mk_usize 1 ] <: u8) <: i32) <>! 
- Rust_primitives.mk_i32 2 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize - 4 *! - i - <: - usize) +! - Rust_primitives.mk_usize 1 - <: - usize ] - <: - i32) |. - ((cast (bytes.[ Rust_primitives.mk_usize 3 ] <: u8) <: i32) <>! - Rust_primitives.mk_i32 4 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((Rust_primitives.mk_usize 4 *! i <: usize) +! Rust_primitives.mk_usize 2 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize - 4 *! - i - <: - usize) +! - Rust_primitives.mk_usize 2 - <: - usize ] - <: - i32) |. - ((cast (bytes.[ Rust_primitives.mk_usize 5 ] <: u8) <: i32) <>! - Rust_primitives.mk_i32 6 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((Rust_primitives.mk_usize 4 *! i <: usize) +! 
Rust_primitives.mk_usize 3 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize - 4 *! - i - <: - usize) +! - Rust_primitives.mk_usize 3 - <: - usize ] - <: - i32) |. - ((cast (bytes.[ Rust_primitives.mk_usize 7 ] <: u8) <: i32) < - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let _:usize = temp_1_ in - true) - simd_unit - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 2 *! i <: usize) - (cast (bytes.[ Rust_primitives.mk_usize 0 ] <: u8) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 2 *! i <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 2 *! - i - <: - usize ] - <: - i32) |. - ((cast (bytes.[ Rust_primitives.mk_usize 1 ] <: u8) <: i32) <>! 
- Rust_primitives.mk_i32 4 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((Rust_primitives.mk_usize 2 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (Rust_primitives.mk_usize - 2 *! - i - <: - usize) +! - Rust_primitives.mk_usize 1 - <: - usize ] - <: - i32) |. - ((cast (bytes.[ Rust_primitives.mk_usize 3 ] <: u8) <: i32) < deserialize_when_gamma1_is_2_pow_17_ serialized - | 19 -> deserialize_when_gamma1_is_2_pow_19_ serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_GAMMA1658756807 as serialize_when_gamma1_is_2_pow_19___GAMMA1} - <: - Rust_primitives.Hax.t_Never) +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {serialize_when_gamma1_is_2_pow_17_ as serialize_when_gamma1_is_2_pow_17_} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {serialize_when_gamma1_is_2_pow_19_ as serialize_when_gamma1_is_2_pow_19_} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {serialize526929060 as serialize} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {deserialize_when_gamma1_is_2_pow_17_ as deserialize_when_gamma1_is_2_pow_17_} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {deserialize_when_gamma1_is_2_pow_19_ as deserialize_when_gamma1_is_2_pow_19_} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {deserialize244287932 as deserialize} 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti deleted file mode 100644 index 0c47ebcf4..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti +++ /dev/null @@ -1,61 +0,0 @@ -module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Simd.Portable in - let open Libcrux_ml_dsa.Simd.Traits in - () - -let deserialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = - Rust_primitives.mk_i32 1 < Prims.l_True) - -val serialize_when_gamma1_is_2_pow_19_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -val serialize - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -val deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst index ae51fdbc1..4658c7a86 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst 
@@ -3,851 +3,18 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.T0 open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Simd.Portable in - let open Libcrux_ml_dsa.Simd.Traits in - () +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY768581343 as v_DUMMY} -let change_t0_interval (t0: i32) = - (Rust_primitives.mk_i32 1 <>! Rust_primitives.mk_i32 8 <: i32) <: u8) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 1) - ((serialized.[ Rust_primitives.mk_usize 1 ] <: u8) |. - (cast (coefficient1 <>! Rust_primitives.mk_i32 3 <: i32) <: u8) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 3) - (cast (coefficient1 >>! Rust_primitives.mk_i32 11 <: i32) <: u8) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 3) - ((serialized.[ Rust_primitives.mk_usize 3 ] <: u8) |. - (cast (coefficient2 <>! Rust_primitives.mk_i32 6 <: i32) <: u8) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 4) - ((serialized.[ Rust_primitives.mk_usize 4 ] <: u8) |. - (cast (coefficient3 <>! Rust_primitives.mk_i32 1 <: i32) <: u8) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 6) - (cast (coefficient3 >>! 
Rust_primitives.mk_i32 9 <: i32) <: u8) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 6) - ((serialized.[ Rust_primitives.mk_usize 6 ] <: u8) |. - (cast (coefficient4 <>! Rust_primitives.mk_i32 4 <: i32) <: u8) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 8) - (cast (coefficient4 >>! Rust_primitives.mk_i32 12 <: i32) <: u8) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 8) - ((serialized.[ Rust_primitives.mk_usize 8 ] <: u8) |. - (cast (coefficient5 <>! Rust_primitives.mk_i32 7 <: i32) <: u8) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 9) - ((serialized.[ Rust_primitives.mk_usize 9 ] <: u8) |. - (cast (coefficient6 <>! Rust_primitives.mk_i32 2 <: i32) <: u8) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 11) - (cast (coefficient6 >>! Rust_primitives.mk_i32 10 <: i32) <: u8) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 11) - ((serialized.[ Rust_primitives.mk_usize 11 ] <: u8) |. - (cast (coefficient7 <>! Rust_primitives.mk_i32 5 <: i32) <: u8) - in - serialized +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY442276865 as v_DUMMY} -let deserialize (serialized: t_Slice u8) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. 
- Rust_primitives.mk_usize 13 - <: - bool) - in - () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let byte0:i32 = cast (serialized.[ Rust_primitives.mk_usize 0 ] <: u8) <: i32 in - let byte1:i32 = cast (serialized.[ Rust_primitives.mk_usize 1 ] <: u8) <: i32 in - let byte2:i32 = cast (serialized.[ Rust_primitives.mk_usize 2 ] <: u8) <: i32 in - let byte3:i32 = cast (serialized.[ Rust_primitives.mk_usize 3 ] <: u8) <: i32 in - let byte4:i32 = cast (serialized.[ Rust_primitives.mk_usize 4 ] <: u8) <: i32 in - let byte5:i32 = cast (serialized.[ Rust_primitives.mk_usize 5 ] <: u8) <: i32 in - let byte6:i32 = cast (serialized.[ Rust_primitives.mk_usize 6 ] <: u8) <: i32 in - let byte7:i32 = cast (serialized.[ Rust_primitives.mk_usize 7 ] <: u8) <: i32 in - let byte8:i32 = cast (serialized.[ Rust_primitives.mk_usize 8 ] <: u8) <: i32 in - let byte9:i32 = cast (serialized.[ Rust_primitives.mk_usize 9 ] <: u8) <: i32 in - let byte10:i32 = cast (serialized.[ Rust_primitives.mk_usize 10 ] <: u8) <: i32 in - let byte11:i32 = cast (serialized.[ Rust_primitives.mk_usize 11 ] <: u8) <: i32 in - let byte12:i32 = cast (serialized.[ Rust_primitives.mk_usize 12 ] <: u8) <: i32 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 0) - byte0 - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize 
simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 0 ] - <: - i32) |. - (byte1 <>! Rust_primitives.mk_i32 5 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 1 ] - <: - i32) |. - (byte2 <>! Rust_primitives.mk_i32 2 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 2 ] - <: - i32) |. - (byte4 <>! Rust_primitives.mk_i32 7 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 3 ] - <: - i32) |. - (byte5 <>! 
Rust_primitives.mk_i32 4 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 4 ] - <: - i32) |. - (byte7 <>! Rust_primitives.mk_i32 1 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 5 ] - <: - i32) |. - (byte9 <>! Rust_primitives.mk_i32 6 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 6 ] - <: - i32) |. - (byte10 <>! 
Rust_primitives.mk_i32 3 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 7 ] - <: - i32) |. - (byte12 < Prims.l_True) - -let deserialize__BITS_IN_LOWER_PART_OF_T_MASK: i32 = - (Rust_primitives.mk_i32 1 < Prims.l_True) - -val deserialize (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst index 92eb0bd96..1d556b8ed 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst 
@@ -3,234 +3,14 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.T1 open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Simd.Portable in - let open Libcrux_ml_dsa.Simd.Traits in - () +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY720308282 as v_DUMMY} -let serialize (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - let serialized:t_Array u8 (Rust_primitives.mk_usize 10) = - Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) (Rust_primitives.mk_usize 10) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 10) = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (Rust_primitives.mk_usize 4) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - (fun serialized temp_1_ -> - let serialized:t_Array u8 (Rust_primitives.mk_usize 10) = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 (Rust_primitives.mk_usize 10) = serialized in - let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let serialized:t_Array u8 (Rust_primitives.mk_usize 10) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (Rust_primitives.mk_usize 5 *! i <: usize) - (cast ((coefficients.[ Rust_primitives.mk_usize 0 ] <: i32) &. - Rust_primitives.mk_i32 255 - <: - i32) - <: - u8) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 10) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 5 *! i <: usize) +! Rust_primitives.mk_usize 1 <: usize) - (((cast ((coefficients.[ Rust_primitives.mk_usize 1 ] <: i32) &. - Rust_primitives.mk_i32 63 - <: - i32) - <: - u8) <>! - Rust_primitives.mk_i32 8 - <: - i32) &. 
- Rust_primitives.mk_i32 3 - <: - i32) - <: - u8) - <: - u8) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 10) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 5 *! i <: usize) +! Rust_primitives.mk_usize 2 <: usize) - (((cast ((coefficients.[ Rust_primitives.mk_usize 2 ] <: i32) &. - Rust_primitives.mk_i32 15 - <: - i32) - <: - u8) <>! - Rust_primitives.mk_i32 6 - <: - i32) &. - Rust_primitives.mk_i32 15 - <: - i32) - <: - u8) - <: - u8) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 10) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 5 *! i <: usize) +! Rust_primitives.mk_usize 3 <: usize) - (((cast ((coefficients.[ Rust_primitives.mk_usize 3 ] <: i32) &. - Rust_primitives.mk_i32 3 - <: - i32) - <: - u8) <>! - Rust_primitives.mk_i32 4 - <: - i32) &. - Rust_primitives.mk_i32 63 - <: - i32) - <: - u8) - <: - u8) - in - let serialized:t_Array u8 (Rust_primitives.mk_usize 10) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((Rust_primitives.mk_usize 5 *! i <: usize) +! Rust_primitives.mk_usize 4 <: usize) - (cast (((coefficients.[ Rust_primitives.mk_usize 3 ] <: i32) >>! - Rust_primitives.mk_i32 2 - <: - i32) &. - Rust_primitives.mk_i32 255 - <: - i32) - <: - u8) - in - serialized) - in - serialized +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY690934349 as v_DUMMY} -let deserialize (serialized: t_Slice u8) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. 
- Rust_primitives.mk_usize 10 - <: - bool) - in - () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let mask:i32 = - (Rust_primitives.mk_i32 1 < - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let _:usize = temp_1_ in - true) - simd_unit - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - let byte0:i32 = cast (bytes.[ Rust_primitives.mk_usize 0 ] <: u8) <: i32 in - let byte1:i32 = cast (bytes.[ Rust_primitives.mk_usize 1 ] <: u8) <: i32 in - let byte2:i32 = cast (bytes.[ Rust_primitives.mk_usize 2 ] <: u8) <: i32 in - let byte3:i32 = cast (bytes.[ Rust_primitives.mk_usize 3 ] <: u8) <: i32 in - let byte4:i32 = cast (bytes.[ Rust_primitives.mk_usize 4 ] <: u8) <: i32 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 4 *! i <: usize) - ((byte0 |. (byte1 <>! Rust_primitives.mk_i32 2 <: i32) |. - (byte2 <>! Rust_primitives.mk_i32 4 <: i32) |. - (byte3 <>! Rust_primitives.mk_i32 6 <: i32) |. - (byte4 < Prims.l_True) - -val deserialize (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst index b93407247..b4ea90c2b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst 
@@ -3,1542 +3,42 @@ module Libcrux_ml_dsa.Simd.Portable.Ntt open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Simd.Portable in - let open Libcrux_ml_dsa.Simd.Traits in - () +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY486617197 as v_DUMMY} -let invert_ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1 zeta2 zeta3: i32) - = - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 1 - ] - <: - i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 0 - ] - <: - i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 0 ] - <: - i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 1 ] - <: - i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 1) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 3 - ] - <: - i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 2 - ] - <: - i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 2 ] - <: - i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 3 ] - <: - i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 3) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 5 - ] - <: - i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 4 - ] - <: - i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 4 ] - <: - i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 5 ] - <: - i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 5) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta2 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 7 - ] - <: - i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 6 - ] - <: - i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 6 ] - <: - i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 7 ] - <: - i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 7) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta3 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY671965844 as v_DUMMY} -let invert_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1: i32) - = - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 2 - ] - <: - i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 0 - ] - <: - i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 0 ] - <: - i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 2 ] - <: - i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 2) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 3 - ] - <: - i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 1 - ] - <: - i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 1 ] - <: - i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 3 ] - <: - i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 3) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 6 - ] - <: - i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 4 - ] - <: - i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 4 ] - <: - i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 6 ] - <: - i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 6) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 7 - ] - <: - i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 5 - ] - <: - i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 5 ] - <: - i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 7 ] - <: - i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 7) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY879052313 as v_DUMMY} -let invert_ntt_at_layer_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta: i32) - = - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 4 - ] - <: - i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 0 - ] - <: - i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 0 ] - <: - i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 4 ] - <: - i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 4) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 - ) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 5 - ] - <: - i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 1 - ] - <: - i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 1 ] - <: - i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 5 ] - <: - i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 5) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 - ) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 6 - ] - <: - i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 2 - ] - <: - i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 2 ] - <: - i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 6 ] - <: - i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 6) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 - ) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 7 - ] - <: - i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 3 - ] - <: - i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 3 ] - <: - i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 7 ] - <: - i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 7) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 - ) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY359502844 as v_DUMMY} -let simd_unit_ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1 zeta2 zeta3: i32) - = - let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 1 ] - <: - i32) - zeta0 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 0 ] - <: - i32) -! 
- t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 0 ] - <: - i32) +! - t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 3 ] - <: - i32) - zeta1 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 2 ] - <: - i32) -! - t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 2 ] - <: - i32) +! 
- t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 5 ] - <: - i32) - zeta2 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 4 ] - <: - i32) -! - t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 4 ] - <: - i32) +! 
- t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 7 ] - <: - i32) - zeta3 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 6 ] - <: - i32) -! - t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 6 ] - <: - i32) +! - t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY91690999 as v_DUMMY} -let ntt_at_layer_0_ - (zeta_i: usize) - (re: - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) - = - let zeta_i:usize = zeta_i +! 
Rust_primitives.mk_usize 1 in - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize) = - temp_0_ - in - let round:usize = round in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - round - (simd_unit_ntt_at_layer_0_ (re.[ round ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! - Rust_primitives.mk_usize 1 - <: - usize ] - <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! - Rust_primitives.mk_usize 2 - <: - usize ] - <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! - Rust_primitives.mk_usize 3 - <: - usize ] - <: - i32) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 4 in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize)) - in - let zeta_i:usize = zeta_i -! 
Rust_primitives.mk_usize 1 in - zeta_i, re - <: - (usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY782304655 as v_DUMMY} -let simd_unit_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta1 zeta2: i32) - = - let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 2 ] - <: - i32) - zeta1 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 0 ] - <: - i32) -! - t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 0 ] - <: - i32) +! 
- t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 3 ] - <: - i32) - zeta1 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 1 ] - <: - i32) -! - t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 1 ] - <: - i32) +! 
- t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 6 ] - <: - i32) - zeta2 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 4 ] - <: - i32) -! - t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 4 ] - <: - i32) +! 
- t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 7 ] - <: - i32) - zeta2 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 5 ] - <: - i32) -! - t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 5 ] - <: - i32) +! - t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY344990702 as v_DUMMY} -let ntt_at_layer_1_ - (zeta_i: usize) - (re: - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) - = - let zeta_i:usize = zeta_i +! 
Rust_primitives.mk_usize 1 in - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize) = - temp_0_ - in - let round:usize = round in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - round - (simd_unit_ntt_at_layer_1_ (re.[ round ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! - Rust_primitives.mk_usize 1 - <: - usize ] - <: - i32) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 2 in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize)) - in - let zeta_i:usize = zeta_i -! 
Rust_primitives.mk_usize 1 in - zeta_i, re - <: - (usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY410925233 as v_DUMMY} -let simd_unit_ntt_at_layer_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta: i32) - = - let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 4 ] - <: - i32) - zeta - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 0 ] - <: - i32) -! - t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 0 ] - <: - i32) +! 
- t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 5 ] - <: - i32) - zeta - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 1 ] - <: - i32) -! - t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 1 ] - <: - i32) +! 
- t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 6 ] - <: - i32) - zeta - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 2 ] - <: - i32) -! - t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 2 ] - <: - i32) +! 
- t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize 7 ] - <: - i32) - zeta - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 3 ] - <: - i32) -! - t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (Rust_primitives.mk_usize 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ Rust_primitives.mk_usize - 3 ] - <: - i32) +! 
- t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY997570341 as v_DUMMY} -let ntt_at_layer_2_ - (zeta_i: usize) - (re: - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) - = - let (re, zeta_i), hax_temp_output:(t_Array - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (Rust_primitives.mk_usize 32) & - usize) = - Rust_primitives.Hax.Folds.fold_range (Rust_primitives.mk_usize 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize) = - temp_0_ - in - let round:usize = round in - let zeta_i:usize = zeta_i +! 
Rust_primitives.mk_usize 1 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - round - (simd_unit_ntt_at_layer_2_ (re.[ round ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize)) - in - zeta_i, re - <: - (usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {invert_ntt_at_layer_0_ as invert_ntt_at_layer_0_} -let ntt - (re: - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) - = - let zeta_i:usize = Rust_primitives.mk_usize 0 in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) = - ntt_at_layer_3_plus (Rust_primitives.mk_usize 7) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - tmp1 - in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) = - ntt_at_layer_3_plus (Rust_primitives.mk_usize 6) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - tmp1 - in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) = - ntt_at_layer_3_plus (Rust_primitives.mk_usize 5) zeta_i re - in - let zeta_i:usize = 
tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - tmp1 - in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) = - ntt_at_layer_3_plus (Rust_primitives.mk_usize 4) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - tmp1 - in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) = - ntt_at_layer_3_plus (Rust_primitives.mk_usize 3) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - tmp1 - in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) = - ntt_at_layer_2_ zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - tmp1 - in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) = - ntt_at_layer_1_ zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - tmp1 - in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) = - ntt_at_layer_0_ zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - tmp1 - in - let _:Prims.unit = () in - re +include 
Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {invert_ntt_at_layer_1_ as invert_ntt_at_layer_1_} -let ntt_at_layer_3_plus - (v_LAYER zeta_i: usize) - (re: - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) - = - let step:usize = Rust_primitives.mk_usize 1 <>! v_LAYER <: usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize) = - temp_0_ - in - let round:usize = round in - let zeta_i:usize = zeta_i +! Rust_primitives.mk_usize 1 in - let offset:usize = - ((round *! step <: usize) *! Rust_primitives.mk_usize 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! step_by <: usize) - (fun re temp_1_ -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - re - in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - re - in - let j:usize = j in - let t:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.montgomery_multiply_by_fer #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (re.[ j +! 
step_by <: usize ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! step_by <: usize) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract (re.[ j ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - t - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - t - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - re) - in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32) & - usize)) - in - zeta_i, re - <: - (usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {invert_ntt_at_layer_2_ as invert_ntt_at_layer_2_} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {simd_unit_ntt_at_layer_0_ as simd_unit_ntt_at_layer_0_} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {simd_unit_ntt_at_layer_1_ as simd_unit_ntt_at_layer_1_} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {simd_unit_ntt_at_layer_2_ as simd_unit_ntt_at_layer_2_} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {ntt_at_layer_0_ as ntt_at_layer_0_} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {ntt_at_layer_1_ as ntt_at_layer_1_} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {ntt_at_layer_2_ as ntt_at_layer_2_} + 
+include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {ntt as ntt} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {ntt_at_layer_3_plus as ntt_at_layer_3_plus} diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti deleted file mode 100644 index 66de4b801..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti +++ /dev/null 
@@ -1,101 +0,0 @@ -module Libcrux_ml_dsa.Simd.Portable.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Simd.Portable in - let open Libcrux_ml_dsa.Simd.Traits in - () - -val invert_ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1 zeta2 zeta3: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val simd_unit_ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1 zeta2 zeta3: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_0_ - (zeta_i: usize) - (re: - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) - : Prims.Pure - (usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) Prims.l_True (fun _ -> Prims.l_True) - -val simd_unit_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta1 zeta2: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_1_ - (zeta_i: usize) - (re: - t_Array 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) - : Prims.Pure - (usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) Prims.l_True (fun _ -> Prims.l_True) - -val simd_unit_ntt_at_layer_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_2_ - (zeta_i: usize) - (re: - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) - : Prims.Pure - (usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) Prims.l_True (fun _ -> Prims.l_True) - -val ntt - (re: - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) - : Prims.Pure - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) Prims.l_True (fun _ -> Prims.l_True) - -val ntt_at_layer_3_plus - (v_LAYER zeta_i: usize) - (re: - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) - : Prims.Pure - (usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fst new file mode 100644 index 000000000..8841abdd5 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fst 
@@ -0,0 +1,3895 @@ +module Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable.Vector_type in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let compute_one_hint (v_GAMMA2 low high: i32) = + if + low >. v_GAMMA2 || low <. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) || + low =. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) && high <>. 0l + then 1l + else 0l + +let get_n_least_significant_bits (n: u8) (value: u64) = value &. ((1uL <>! 23l in + fe -! (quotient *! Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + +let montgomery_reduce_element (value: i64) = + let t:u64 = + (get_n_least_significant_bits v_MONTGOMERY_SHIFT (cast (value <: i64) <: u64) <: u64) *! + Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + in + let k:i32 = cast (get_n_least_significant_bits v_MONTGOMERY_SHIFT t <: u64) <: i32 in + let k_times_modulus:i64 = + (cast (k <: i32) <: i64) *! (cast (Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) <: i64) + in + let c:i32 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in + let value_high:i32 = cast (value >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in + value_high -! c + +let montgomery_multiply_fe_by_fer (fe fer: i32) = + montgomery_reduce_element ((cast (fe <: i32) <: i64) *! (cast (fer <: i32) <: i64) <: i64) + +let invert_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + (montgomery_multiply_fe_by_fer a_minus_b zeta0 <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + (montgomery_multiply_fe_by_fer a_minus_b zeta1 <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + (montgomery_multiply_fe_by_fer a_minus_b zeta2 <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (montgomery_multiply_fe_by_fer a_minus_b zeta3 <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let invert_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + (montgomery_multiply_fe_by_fer a_minus_b zeta0 <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + (montgomery_multiply_fe_by_fer a_minus_b zeta0 <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + (montgomery_multiply_fe_by_fer a_minus_b zeta1 <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (montgomery_multiply_fe_by_fer a_minus_b zeta1 <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let invert_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + (montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + (montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + (montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let simd_unit_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + = + let t:i32 = + montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ + sz 1 ] + <: + i32) + zeta0 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ + sz 3 ] + <: + i32) + zeta1 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ + sz 5 ] + <: + i32) + zeta2 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ + sz 7 ] + <: + i32) + zeta3 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) +! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let simd_unit_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta1 zeta2: i32) + = + let t:i32 = + montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ + sz 2 ] + <: + i32) + zeta1 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ + sz 3 ] + <: + i32) + zeta1 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ + sz 6 ] + <: + i32) + zeta2 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ + sz 7 ] + <: + i32) + zeta2 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let simd_unit_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + = + let t:i32 = + montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ + sz 4 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ + sz 5 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ + sz 6 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ + sz 7 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let decompose_element (v_GAMMA2 r: i32) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if + ~.((r >. (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (r <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 (sz 1) + (sz 1) + (let list = ["the representative is "] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + (let list = + [Core.Fmt.Rt.impl_1__new_display #i32 r <: Core.Fmt.Rt.t_Argument] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + Core.Fmt.t_Arguments) + <: + Rust_primitives.Hax.t_Never) + in + () + in + let r:i32 = r +! ((r >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in + let v_ALPHA:i32 = v_GAMMA2 *! 2l in + let ceil_of_r_by_128_:i32 = (r +! 127l <: i32) >>! 7l in + let r1:i32 = + match v_ALPHA with + | 190464l -> + let result:i32 = + ((ceil_of_r_by_128_ *! 11275l <: i32) +! (1l <>! 24l + in + (result ^. ((43l -! result <: i32) >>! 31l <: i32) <: i32) &. result + | 523776l -> + let result:i32 = + ((ceil_of_r_by_128_ *! 1025l <: i32) +! (1l <>! 22l + in + result &. 
15l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let r0:i32 = r -! (r1 *! v_ALPHA <: i32) in + let r0:i32 = + r0 -! + (((((Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS -! 1l <: i32) /! 2l <: i32) -! r0 <: i32) >>! + 31l + <: + i32) &. + Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + <: + i32) + in + r0, r1 <: (i32 & i32) + +let infinity_norm_exceeds + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (bound: i32) + = + let exceeds:bool = false in + let exceeds:bool = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Array.Iter.t_IntoIter + i32 (sz 8)) + #FStar.Tactics.Typeclasses.solve + (Core.Iter.Traits.Collect.f_into_iter #(t_Array i32 (sz 8)) + #FStar.Tactics.Typeclasses.solve + simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + <: + Core.Array.Iter.t_IntoIter i32 (sz 8)) + <: + Core.Array.Iter.t_IntoIter i32 (sz 8)) + exceeds + (fun exceeds coefficient -> + let exceeds:bool = exceeds in + let coefficient:i32 = coefficient in + let _:Prims.unit = + if true + then + let _:Prims.unit = + if + ~.((coefficient >. + (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (coefficient <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 + (sz 1) + (sz 1) + (let list = ["coefficient is "] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + (let list = + [ + Core.Fmt.Rt.impl_1__new_display #i32 coefficient + <: + Core.Fmt.Rt.t_Argument + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + Core.Fmt.t_Arguments) + <: + Rust_primitives.Hax.t_Never) + in + () + in + let sign:i32 = coefficient >>! 
31l in + let normalized:i32 = coefficient -! (sign &. (2l *! coefficient <: i32) <: i32) in + let exceeds:bool = exceeds |. (normalized >=. bound <: bool) in + exceeds) + in + exceeds + +let power2round_element (t: i32) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if + ~.((t >. (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (t <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 (sz 1) + (sz 1) + (let list = ["t is "] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + (let list = + [Core.Fmt.Rt.impl_1__new_display #i32 t <: Core.Fmt.Rt.t_Argument] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + Core.Fmt.t_Arguments) + <: + Rust_primitives.Hax.t_Never) + in + () + in + let t:i32 = t +! ((t >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in + let t1:i32 = + ((t -! 1l <: i32) +! + (1l <>! + Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T + in + let t0:i32 = t -! (t1 < + if r0 >. 0l + then if r1 =. 43l then 0l else r1 +! hint + else if r1 =. 0l then 43l else r1 -! hint + | 261888l -> if r0 >. 0l then (r1 +! hint <: i32) &. 15l else (r1 -! hint <: i32) &. 15l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let serialize_when_eta_is_2_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let coefficient0:u8 = + cast (v_ETA345140054 -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient1:u8 = + cast (v_ETA345140054 -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient2:u8 = + cast (v_ETA345140054 -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient3:u8 = + cast (v_ETA345140054 -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient4:u8 = + cast (v_ETA345140054 -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient5:u8 = + cast (v_ETA345140054 -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient6:u8 = + cast (v_ETA345140054 -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient7:u8 = + cast (v_ETA345140054 -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + <: + u8 + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 0) + (((coefficient2 <>! 2l <: u8) + <: + u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 2) + (((coefficient7 <>! 
1l <: u8) + <: + u8) + in + serialized + +let serialize977980603 (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let serialized:t_Array u8 (sz 13) = Rust_primitives.Hax.repeat 0uy (sz 13) in + let coefficient0:i32 = + change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] + <: + i32) + in + let coefficient1:i32 = + change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] + <: + i32) + in + let coefficient2:i32 = + change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] + <: + i32) + in + let coefficient3:i32 = + change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] + <: + i32) + in + let coefficient4:i32 = + change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] + <: + i32) + in + let coefficient5:i32 = + change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] + <: + i32) + in + let coefficient6:i32 = + change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] + <: + i32) + in + let coefficient7:i32 = + change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] + <: + i32) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 0) + (cast (coefficient0 <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 1) + (cast (coefficient0 >>! 8l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 1) + ((serialized.[ sz 1 ] <: u8) |. (cast (coefficient1 <>! 
3l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 3) + (cast (coefficient1 >>! 11l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 3) + ((serialized.[ sz 3 ] <: u8) |. (cast (coefficient2 <>! 6l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 4) + ((serialized.[ sz 4 ] <: u8) |. (cast (coefficient3 <>! 1l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 6) + (cast (coefficient3 >>! 9l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 6) + ((serialized.[ sz 6 ] <: u8) |. (cast (coefficient4 <>! 4l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 8) + (cast (coefficient4 >>! 12l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 8) + ((serialized.[ sz 8 ] <: u8) |. (cast (coefficient5 <>! 7l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 9) + ((serialized.[ sz 9 ] <: u8) |. (cast (coefficient6 <>! 2l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 11) + (cast (coefficient6 >>! 10l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 11) + ((serialized.[ sz 11 ] <: u8) |. (cast (coefficient7 <>! 
5l <: i32) <: u8) + in + serialized + +let montgomery_multiply_by_constant + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (c: i32) + = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit i -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i:usize = i in + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (montgomery_reduce_element ((cast (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] + <: + i32) + <: + i64) *! + (cast (c <: i32) <: i64) + <: + i64) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + simd_unit + +let serialize_when_eta_is_4_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:u8 = + cast (v_ETA858068178 -! 
(coefficients.[ sz 0 ] <: i32) <: i32) <: u8 + in + let coefficient1:u8 = + cast (v_ETA858068178 -! (coefficients.[ sz 1 ] <: i32) <: i32) <: u8 + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + i + ((coefficient1 < serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit + | 4uy -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let serialize_when_gamma1_is_2_pow_17_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:i32 = v_GAMMA1331343739 -! (coefficients.[ sz 0 ] <: i32) in + let coefficient1:i32 = v_GAMMA1331343739 -! (coefficients.[ sz 1 ] <: i32) in + let coefficient2:i32 = v_GAMMA1331343739 -! (coefficients.[ sz 2 ] <: i32) in + let coefficient3:i32 = v_GAMMA1331343739 -! (coefficients.[ sz 3 ] <: i32) in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 9 *! i <: usize) + (cast (coefficient0 <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 1 <: usize) + (cast (coefficient0 >>! 
8l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 2 <: usize) + (cast (coefficient0 >>! 16l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 2 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 2 <: usize ] <: u8) |. + (cast (coefficient1 <>! 6l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 4 <: usize) + (cast (coefficient1 >>! 14l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 4 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 4 <: usize ] <: u8) |. + (cast (coefficient2 <>! 4l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 6 <: usize) + (cast (coefficient2 >>! 12l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 6 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 6 <: usize ] <: u8) |. + (cast (coefficient3 <>! 2l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 8 <: usize) + (cast (coefficient3 >>! 
10l <: i32) <: u8) + in + serialized) + in + serialized + +let serialize_when_gamma1_is_2_pow_19_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:i32 = v_GAMMA1658756807 -! (coefficients.[ sz 0 ] <: i32) in + let coefficient1:i32 = v_GAMMA1658756807 -! (coefficients.[ sz 1 ] <: i32) in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 5 *! i <: usize) + (cast (coefficient0 <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 1 <: usize) + (cast (coefficient0 >>! 8l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + (cast (coefficient0 >>! 16l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + ((serialized.[ (sz 5 *! i <: usize) +! sz 2 <: usize ] <: u8) |. + (cast (coefficient1 <>! 4l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 4 <: usize) + (cast (coefficient1 >>! 
12l <: i32) <: u8) + in + serialized) + in + serialized + +let serialize526929060 + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 18uy -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit + | 20uy -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let serialize300254843 (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let serialized:t_Array u8 (sz 10) = Rust_primitives.Hax.repeat 0uy (sz 10) in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 10) = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 10) = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 5 *! i <: usize) + (cast ((coefficients.[ sz 0 ] <: i32) &. 255l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 1 <: usize) + (((cast ((coefficients.[ sz 1 ] <: i32) &. 63l <: i32) <: u8) <>! 8l <: i32) &. 3l <: i32) <: u8) + <: + u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + (((cast ((coefficients.[ sz 2 ] <: i32) &. 15l <: i32) <: u8) <>! 6l <: i32) &. 
15l <: i32) <: u8) + <: + u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 3 <: usize) + (((cast ((coefficients.[ sz 3 ] <: i32) &. 3l <: i32) <: u8) <>! 4l <: i32) &. 63l <: i32) <: u8) + <: + u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 4 <: usize) + (cast (((coefficients.[ sz 3 ] <: i32) >>! 2l <: i32) &. 255l <: i32) <: u8) + in + serialized) + in + serialized + +let ntt_at_layer_0_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let zeta_i:usize = zeta_i +! sz 1 in + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & + usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let round:usize = round in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + round + (simd_unit_ntt_at_layer_0_ (re.[ round ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! 
sz 1 <: usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ] + <: + i32) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let zeta_i:usize = zeta_i +! sz 4 in + re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + in + let zeta_i:usize = zeta_i -! sz 1 in + zeta_i, re + <: + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + +let ntt_at_layer_1_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let zeta_i:usize = zeta_i +! sz 1 in + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & + usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let round:usize = round in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + round + (simd_unit_ntt_at_layer_1_ (re.[ round ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! 
sz 1 <: usize ] + <: + i32) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let zeta_i:usize = zeta_i +! sz 2 in + re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + in + let zeta_i:usize = zeta_i -! sz 1 in + zeta_i, re + <: + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + +let ntt_at_layer_2_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let (re, zeta_i), hax_temp_output:(t_Array + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & + usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i +! 
sz 1 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + round + (simd_unit_ntt_at_layer_2_ (re.[ round ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + in + zeta_i, re + <: + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + +let rec add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (sum.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun sum temp_1_ -> + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in + let _:usize = temp_1_ in + true) + sum + (fun sum i -> + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in + let i:usize = i in + { + sum with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sum + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) +! 
+ (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + sum + +and compute_hint + (v_GAMMA2: i32) + (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let one_hints_count:usize = sz 0 in + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun temp_0_ temp_1_ -> + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (hint, one_hints_count + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) + (fun temp_0_ i -> + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + usize) = + temp_0_ + in + let i:usize = i in + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + hint with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (compute_one_hint v_GAMMA2 + (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + (high.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let one_hints_count:usize = + one_hints_count +! 
+ (cast (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + usize) + in + hint, one_hints_count + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) + in + one_hints_count, hint <: (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + +and decompose + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun temp_0_ temp_1_ -> + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (high, low + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + (fun temp_0_ i -> + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let i:usize = i in + let low_part, high_part:(i32 & i32) = + decompose_element v_GAMMA2 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + in + let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + low with + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + low_part + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + high with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + high_part + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + high, low + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + in + low, high + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + +and montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (product.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun product temp_1_ -> + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in + let _:usize = temp_1_ in + true) + product + (fun product i -> + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in + let i:usize = i in + { + product with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize product + 
.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (montgomery_reduce_element ((cast (lhs + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] + <: + i32) + <: + i64) *! + (cast (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i64) + <: + i64) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + product + +and power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + Rust_primitives.Hax.Folds.fold_enumerated_slice simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (fun temp_0_ temp_1_ -> + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (t0_simd_unit, t1_simd_unit + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + (fun temp_0_ temp_1_ -> + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let i, t:(usize & i32) = temp_1_ in + let t0, t1:(i32 & i32) = power2round_element t in + let 
t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + t0_simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0_simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + t0 + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + t1_simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1_simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + t1 + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + t0_simd_unit, t1_simd_unit + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + in + t0_simd_unit, t1_simd_unit + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + +and shift_left_then_reduce + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun out temp_1_ -> + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in + let _:usize = temp_1_ in + true) + out + (fun out i -> + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in + let i:usize = i in + { + out with + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (reduce_element ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i + ] + <: + i32) < + let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in + let _:usize = temp_1_ in + true) + difference + (fun difference i -> + let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in + let i:usize = i in + { + difference with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize difference + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) -! + (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + difference + +and use_hint + (v_GAMMA2: i32) + (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (result.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun result temp_1_ -> + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in + let i:usize = i in + { + result with + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (use_one_hint v_GAMMA2 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + result + +and deserialize_when_eta_is_2_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 3 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + (v_ETA832233724 -! (byte0 &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + (v_ETA832233724 -! ((byte0 >>! 3l <: i32) &. 
7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + (v_ETA832233724 -! (((byte0 >>! 6l <: i32) |. (byte1 <>! 1l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + (v_ETA832233724 -! ((byte1 >>! 4l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + (v_ETA832233724 -! (((byte1 >>! 7l <: i32) |. (byte2 <>! 2l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (v_ETA832233724 -! ((byte2 >>! 5l <: i32) &. 
7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +and deserialize_when_eta_is_4_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 4 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_enumerated_slice serialized + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, byte:(usize & u8) = temp_1_ in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2 *! i <: usize) + (v_ETA177254429 -! (cast (byte &. 15uy <: u8) <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + ((sz 2 *! i <: usize) +! sz 1 <: usize) + (v_ETA177254429 -! (cast (byte >>! 
4l <: u8) <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit) + in + simd_unit + +and deserialize154437703 (v_ETA: usize) (serialized: t_Slice u8) = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> deserialize_when_eta_is_2_ serialized + | 4uy -> deserialize_when_eta_is_4_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +and deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 18 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 9) + serialized + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4 *! 
i <: usize) + (cast (bytes.[ sz 0 ] <: u8) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4 *! i <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 *! i + <: + usize ] + <: + i32) |. + ((cast (bytes.[ sz 1 ] <: u8) <: i32) <>! 2l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + ((sz 4 *! i <: usize) +! sz 1 <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (sz 4 *! i + <: + usize) +! + sz 1 + <: + usize ] + <: + i32) |. + ((cast (bytes.[ sz 3 ] <: u8) <: i32) <>! 4l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + ((sz 4 *! i <: usize) +! sz 2 <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (sz 4 *! i + <: + usize) +! + sz 2 + <: + usize ] + <: + i32) |. + ((cast (bytes.[ sz 5 ] <: u8) <: i32) <>! 
6l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + ((sz 4 *! i <: usize) +! sz 3 <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (sz 4 *! i + <: + usize) +! + sz 3 + <: + usize ] + <: + i32) |. + ((cast (bytes.[ sz 7 ] <: u8) <: i32) < + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2 *! i <: usize) + (cast (bytes.[ sz 0 ] <: u8) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2 *! i <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 *! i + <: + usize ] + <: + i32) |. + ((cast (bytes.[ sz 1 ] <: u8) <: i32) <>! 
4l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + ((sz 2 *! i <: usize) +! sz 1 <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (sz 2 *! i + <: + usize) +! + sz 1 + <: + usize ] + <: + i32) |. + ((cast (bytes.[ sz 3 ] <: u8) <: i32) < deserialize_when_gamma1_is_2_pow_17_ serialized + | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +and deserialize297775919 (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. 
sz 13 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #FStar.Tactics.Typeclasses.solve + () + in + let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in + let byte3:i32 = cast (serialized.[ sz 3 ] <: u8) <: i32 in + let byte4:i32 = cast (serialized.[ sz 4 ] <: u8) <: i32 in + let byte5:i32 = cast (serialized.[ sz 5 ] <: u8) <: i32 in + let byte6:i32 = cast (serialized.[ sz 6 ] <: u8) <: i32 in + let byte7:i32 = cast (serialized.[ sz 7 ] <: u8) <: i32 in + let byte8:i32 = cast (serialized.[ sz 8 ] <: u8) <: i32 in + let byte9:i32 = cast (serialized.[ sz 9 ] <: u8) <: i32 in + let byte10:i32 = cast (serialized.[ sz 10 ] <: u8) <: i32 in + let byte11:i32 = cast (serialized.[ sz 11 ] <: u8) <: i32 in + let byte12:i32 = cast (serialized.[ sz 12 ] <: u8) <: i32 in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + byte0 + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) |. + (byte1 <>! 
5l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) |. + (byte2 <>! 2l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) |. + (byte4 <>! 7l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) |. + (byte5 <>! 4l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) |. + (byte7 <>! 
1l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) |. + (byte9 <>! 6l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) |. + (byte10 <>! 3l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) |. 
+ (byte12 < + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let byte0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in + let byte3:i32 = cast (bytes.[ sz 3 ] <: u8) <: i32 in + let byte4:i32 = cast (bytes.[ sz 4 ] <: u8) <: i32 in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4 *! i <: usize) + ((byte0 |. (byte1 <>! 2l <: i32) |. (byte2 <>! 4l <: i32) |. (byte3 <>! 6l <: i32) |. (byte4 <>! v_LAYER <: usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i +! sz 1 in + let offset:usize = + ((round *! step <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
step_by <: usize) + (fun re temp_1_ -> + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) + = + re + in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) + = + re + in + let j:usize = j in + let t:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Traits.montgomery_multiply_by_fer #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (re.[ j +! step_by <: usize ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! step_by <: usize) + (subtract (re.[ j ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (add (re.[ j ] <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + re) + in + re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + in + zeta_i, re + <: + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fsti similarity index 57% rename from libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti rename to libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fsti index f6a95bc61..ccc1ad686 100644 
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fsti
@@ -1,4 +1,4 @@
-module Libcrux_ml_dsa.Simd.Portable
+module Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224
 #set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
 open Core
 open FStar.Mul
@@ -7,8 +7,266 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_dsa.Simd.Portable.Vector_type in + let open Libcrux_ml_dsa.Simd.Traits in () +let v_MONTGOMERY_SHIFT: u8 = 32uy + +val compute_one_hint (v_GAMMA2 low high: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val get_n_least_significant_bits (n: u8) (value: u64) + : Prims.Pure u64 Prims.l_True (fun _ -> Prims.l_True) + +let v_ETA832233724: i32 = 2l + +let v_ETA177254429: i32 = 4l + +let v_ETA345140054: i32 = 2l + +let v_ETA858068178: i32 = 4l + +let v_GAMMA1183990813: i32 = 1l < Prims.l_True) + +let v_BITS_IN_LOWER_PART_OF_T_MASK: i32 = + (1l < Prims.l_True) + +val montgomery_reduce_element (value: i64) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_fe_by_fer (fe fer: i32) + : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_1_ + 
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta1 zeta2: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val decompose_element (v_GAMMA2 r: i32) + : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) + +val infinity_norm_exceeds + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (bound: i32) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) + +val use_one_hint (v_GAMMA2 r hint: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_eta_is_2_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize977980603 (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 (sz 13)) Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (c: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize_when_eta_is_4_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize1006998023 + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val 
serialize_when_gamma1_is_2_pow_17_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_gamma1_is_2_pow_19_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize526929060 + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize300254843 (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_0_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_1_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_2_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val compute_hint + (v_GAMMA2: i32) + (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (usize & 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val decompose + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val shift_left_then_reduce + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val use_hint + (v_GAMMA2: i32) + (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_when_eta_is_2_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_when_eta_is_4_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize154437703 (v_ETA: usize) (serialized: t_Slice u8) + : Prims.Pure 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize244287932 (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize297775919 (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize960784460 (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = @@ -36,7 +294,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = = (fun (self: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: t_Array i32 (Rust_primitives.mk_usize 8)) + (out: t_Array i32 (sz 8)) -> true); f_to_coefficient_array @@ -64,7 +322,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.add lhs rhs); + add lhs rhs); f_subtract_pre = (fun 
@@ -86,7 +344,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract lhs rhs); + subtract lhs rhs); f_montgomery_multiply_by_constant_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (c: i32) -> true); @@ -101,7 +359,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_montgomery_multiply_by_constant = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (c: i32) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant simd_unit c); + montgomery_multiply_by_constant simd_unit c); f_montgomery_multiply_pre = (fun @@ -123,7 +381,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply lhs rhs); + montgomery_multiply lhs rhs); f_shift_left_then_reduce_pre = (fun @@ -145,7 +403,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.shift_left_then_reduce v_SHIFT_BY simd_unit); + shift_left_then_reduce v_SHIFT_BY simd_unit); f_power2round_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); @@ -161,7 +419,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_power2round = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.power2round simd_unit); + power2round simd_unit); f_infinity_norm_exceeds_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (bound: i32) -> 
@@ -177,7 +435,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_infinity_norm_exceeds = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (bound: i32) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.infinity_norm_exceeds simd_unit bound); + infinity_norm_exceeds simd_unit bound); f_decompose_pre = (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> @@ -195,7 +453,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_decompose = (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.decompose v_GAMMA2 simd_unit); + decompose v_GAMMA2 simd_unit); f_compute_hint_pre = (fun @@ -220,7 +478,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.compute_hint v_GAMMA2 low high); + compute_hint v_GAMMA2 low high); f_use_hint_pre = (fun @@ -245,7 +503,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.use_hint v_GAMMA2 simd_unit hint); + use_hint v_GAMMA2 simd_unit hint); f_rejection_sample_less_than_field_modulus_pre = (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); @@ -315,7 +573,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize v_OUTPUT_SIZE simd_unit); + serialize526929060 v_OUTPUT_SIZE simd_unit); f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); f_gamma1_deserialize_post = 
@@ -328,7 +586,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_gamma1_deserialize = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized); + deserialize244287932 v_GAMMA1_EXPONENT serialized); f_commitment_serialize_pre = (fun @@ -372,7 +630,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize v_OUTPUT_SIZE simd_unit); + serialize1006998023 v_OUTPUT_SIZE simd_unit); f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); f_error_deserialize_post = @@ -384,8 +642,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = true); f_error_deserialize = - (fun (v_ETA: usize) (serialized: t_Slice u8) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.Error.deserialize v_ETA serialized); + (fun (v_ETA: usize) (serialized: t_Slice u8) -> deserialize154437703 v_ETA serialized); f_t0_serialize_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); @@ -393,13 +650,13 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: t_Array u8 (Rust_primitives.mk_usize 13)) + (out: t_Array u8 (sz 13)) -> true); f_t0_serialize = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.T0.serialize simd_unit); + serialize977980603 simd_unit); f_t0_deserialize_pre = (fun (serialized: t_Slice u8) -> true); f_t0_deserialize_post = 
@@ -408,10 +665,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); - f_t0_deserialize - = - (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T0.deserialize serialized - ); + f_t0_deserialize = (fun (serialized: t_Slice u8) -> deserialize297775919 serialized); f_t1_serialize_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); @@ -419,13 +673,13 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (out: t_Array u8 (Rust_primitives.mk_usize 10)) + (out: t_Array u8 (sz 10)) -> true); f_t1_serialize = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.T1.serialize simd_unit); + serialize300254843 simd_unit); f_t1_deserialize_pre = (fun (serialized: t_Slice u8) -> true); f_t1_deserialize_post = 
@@ -434,37 +688,26 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); - f_t1_deserialize - = - (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T1.deserialize serialized - ); + f_t1_deserialize = (fun (serialized: t_Slice u8) -> deserialize960784460 serialized); f_ntt_pre = (fun - (simd_units: - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) + (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) -> true); f_ntt_post = (fun - (simd_units: - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) - (out: - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) + (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (out: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) -> true); f_ntt = (fun - (simd_units: - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (Rust_primitives.mk_usize 32)) + (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) -> - Libcrux_ml_dsa.Simd.Portable.Ntt.ntt simd_units); + ntt simd_units); f_invert_ntt_at_layer_0_pre = (fun @@ -495,7 +738,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (zeta2: i32) (zeta3: i32) -> - Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_0_ simd_unit zeta0 zeta1 zeta2 zeta3); + invert_ntt_at_layer_0_ simd_unit zeta0 zeta1 zeta2 zeta3); f_invert_ntt_at_layer_1_pre = (fun 
@@ -520,7 +763,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (zeta0: i32) (zeta1: i32) -> - Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_1_ simd_unit zeta0 zeta1); + invert_ntt_at_layer_1_ simd_unit zeta0 zeta1); f_invert_ntt_at_layer_2_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta: i32) -> @@ -536,5 +779,13 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_invert_ntt_at_layer_2_ = fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta: i32) -> - Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_2_ simd_unit zeta + invert_ntt_at_layer_2_ simd_unit zeta } + +val ntt_at_layer_3_plus + (v_LAYER zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst index 570bccd7b..25f533de9 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst @@ -4,7 +4,7 @@ open Core open FStar.Mul let rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (out: t_Slice i32) = - let sampled:usize = Rust_primitives.mk_usize 0 in + let sampled:usize = sz 0 in let out, sampled:(t_Slice i32 & usize) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) #FStar.Tactics.Typeclasses.solve 
@@ -15,44 +15,36 @@ let rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (out: t_Sl (fun temp_0_ byte -> let out, sampled:(t_Slice i32 & usize) = temp_0_ in let byte:u8 = byte in - let try_0_:u8 = byte &. Rust_primitives.mk_u8 15 in - let try_1_:u8 = byte >>! Rust_primitives.mk_i32 4 in + let try_0_:u8 = byte &. 15uy in + let try_1_:u8 = byte >>! 4l in let out, sampled:(t_Slice i32 & usize) = - if try_0_ <. Rust_primitives.mk_u8 15 + if try_0_ <. 15uy then let try_0_:i32 = cast (try_0_ <: u8) <: i32 in let try_0_mod_5_:i32 = - try_0_ -! - (((try_0_ *! Rust_primitives.mk_i32 26 <: i32) >>! Rust_primitives.mk_i32 7 <: i32) *! - Rust_primitives.mk_i32 5 - <: - i32) + try_0_ -! (((try_0_ *! 26l <: i32) >>! 7l <: i32) *! 5l <: i32) in let out:t_Slice i32 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out sampled - (Rust_primitives.mk_i32 2 -! try_0_mod_5_ <: i32) + (2l -! try_0_mod_5_ <: i32) in - let sampled:usize = sampled +! Rust_primitives.mk_usize 1 in + let sampled:usize = sampled +! sz 1 in out, sampled <: (t_Slice i32 & usize) else out, sampled <: (t_Slice i32 & usize) in - if try_1_ <. Rust_primitives.mk_u8 15 + if try_1_ <. 15uy then let try_1_:i32 = cast (try_1_ <: u8) <: i32 in let try_1_mod_5_:i32 = - try_1_ -! - (((try_1_ *! Rust_primitives.mk_i32 26 <: i32) >>! Rust_primitives.mk_i32 7 <: i32) *! - Rust_primitives.mk_i32 5 - <: - i32) + try_1_ -! (((try_1_ *! 26l <: i32) >>! 7l <: i32) *! 5l <: i32) in let out:t_Slice i32 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out sampled - (Rust_primitives.mk_i32 2 -! try_1_mod_5_ <: i32) + (2l -! try_1_mod_5_ <: i32) in - let sampled:usize = sampled +! Rust_primitives.mk_usize 1 in + let sampled:usize = sampled +! sz 1 in out, sampled <: (t_Slice i32 & usize) else out, sampled <: (t_Slice i32 & usize)) in 
@@ -60,7 +52,7 @@ let rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (out: t_Sl out, hax_temp_output <: (t_Slice i32 & usize) let rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Slice i32) = - let sampled:usize = Rust_primitives.mk_usize 0 in + let sampled:usize = sz 0 in let out, sampled:(t_Slice i32 & usize) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) #FStar.Tactics.Typeclasses.solve @@ -71,28 +63,28 @@ let rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Sl (fun temp_0_ byte -> let out, sampled:(t_Slice i32 & usize) = temp_0_ in let byte:u8 = byte in - let try_0_:u8 = byte &. Rust_primitives.mk_u8 15 in - let try_1_:u8 = byte >>! Rust_primitives.mk_i32 4 in + let try_0_:u8 = byte &. 15uy in + let try_1_:u8 = byte >>! 4l in let out, sampled:(t_Slice i32 & usize) = - if try_0_ <. Rust_primitives.mk_u8 9 + if try_0_ <. 9uy then let out:t_Slice i32 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out sampled - (Rust_primitives.mk_i32 4 -! (cast (try_0_ <: u8) <: i32) <: i32) + (4l -! (cast (try_0_ <: u8) <: i32) <: i32) in - let sampled:usize = sampled +! Rust_primitives.mk_usize 1 in + let sampled:usize = sampled +! sz 1 in out, sampled <: (t_Slice i32 & usize) else out, sampled <: (t_Slice i32 & usize) in - if try_1_ <. Rust_primitives.mk_u8 9 + if try_1_ <. 9uy then let out:t_Slice i32 = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out sampled - (Rust_primitives.mk_i32 4 -! (cast (try_1_ <: u8) <: i32) <: i32) + (4l -! (cast (try_1_ <: u8) <: i32) <: i32) in - let sampled:usize = sampled +! Rust_primitives.mk_usize 1 in + let sampled:usize = sampled +! sz 1 in out, sampled <: (t_Slice i32 & usize) else out, sampled <: (t_Slice i32 & usize)) in 
@@ -100,38 +92,30 @@ let rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Sl out, hax_temp_output <: (t_Slice i32 & usize) let rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (out: t_Slice i32) = - let sampled:usize = Rust_primitives.mk_usize 0 in + let sampled:usize = sz 0 in let out, sampled:(t_Slice i32 & usize) = Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks u8) #FStar.Tactics.Typeclasses.solve - (Core.Slice.impl__chunks #u8 randomness (Rust_primitives.mk_usize 3) - <: - Core.Slice.Iter.t_Chunks u8) + (Core.Slice.impl__chunks #u8 randomness (sz 3) <: Core.Slice.Iter.t_Chunks u8) <: Core.Slice.Iter.t_Chunks u8) (out, sampled <: (t_Slice i32 & usize)) (fun temp_0_ bytes -> let out, sampled:(t_Slice i32 & usize) = temp_0_ in let bytes:t_Slice u8 = bytes in - let b0:i32 = cast (bytes.[ Rust_primitives.mk_usize 0 ] <: u8) <: i32 in - let b1:i32 = cast (bytes.[ Rust_primitives.mk_usize 1 ] <: u8) <: i32 in - let b2:i32 = cast (bytes.[ Rust_primitives.mk_usize 2 ] <: u8) <: i32 in + let b0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let b1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in + let b2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in let coefficient:i32 = - (((b2 < Prims.Pure t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) +type t_PortableSIMDUnit = { f_coefficients:t_Array i32 (sz 8) } val from_coefficient_array (array: t_Slice i32) : Prims.Pure t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) val to_coefficient_array (x: t_PortableSIMDUnit) - : Prims.Pure (t_Array i32 (Rust_primitives.mk_usize 8)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val v_ZERO: Prims.unit -> Prims.Pure t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst index 7c8759eec..9a392eeca 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst 
@@ -1,340 +1,26 @@ module Libcrux_ml_dsa.Simd.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul -type t_PortableSIMDUnit = { f_coefficients:t_Array i32 (Rust_primitives.mk_usize 8) } +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY551832282 as v_DUMMY} -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations t_PortableSIMDUnit = - { - _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; - _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - f_ZERO_pre = (fun (_: Prims.unit) -> true); - f_ZERO_post = (fun (_: Prims.unit) (out: t_PortableSIMDUnit) -> true); - f_ZERO - = - (fun (_: Prims.unit) -> - { - f_coefficients - = - Rust_primitives.Hax.repeat (Rust_primitives.mk_i32 0) (Rust_primitives.mk_usize 8) - } - <: - t_PortableSIMDUnit); - f_from_coefficient_array_pre = (fun (array: t_Slice i32) -> true); - f_from_coefficient_array_post = (fun (array: t_Slice i32) (out: t_PortableSIMDUnit) -> true); - f_from_coefficient_array - = - (fun (array: t_Slice i32) -> - { - f_coefficients - = - Core.Result.impl__unwrap #(t_Array i32 (Rust_primitives.mk_usize 8)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice i32) - #(t_Array i32 (Rust_primitives.mk_usize 8)) - #FStar.Tactics.Typeclasses.solve - (array.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; - Core.Ops.Range.f_end = Rust_primitives.mk_usize 8 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i32) - <: - Core.Result.t_Result (t_Array i32 (Rust_primitives.mk_usize 8)) - Core.Array.t_TryFromSliceError) - } - <: - t_PortableSIMDUnit); - f_to_coefficient_array_pre = (fun (self: t_PortableSIMDUnit) -> true); - f_to_coefficient_array_post - = - (fun (self: t_PortableSIMDUnit) (out: t_Array i32 (Rust_primitives.mk_usize 8)) -> true); - f_to_coefficient_array - = - (fun (self: t_PortableSIMDUnit) -> - Core.Result.impl__unwrap 
#(t_Array i32 (Rust_primitives.mk_usize 8)) - #Core.Convert.t_Infallible - (Core.Convert.f_try_into #(t_Array i32 (Rust_primitives.mk_usize 8)) - #(t_Array i32 (Rust_primitives.mk_usize 8)) - #FStar.Tactics.Typeclasses.solve - self.f_coefficients - <: - Core.Result.t_Result (t_Array i32 (Rust_primitives.mk_usize 8)) - Core.Convert.t_Infallible)); - f_add_pre = (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> true); - f_add_post - = - (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) (out: t_PortableSIMDUnit) -> true); - f_add - = - (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.add lhs rhs); - f_subtract_pre = (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> true); - f_subtract_post - = - (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) (out: t_PortableSIMDUnit) -> true); - f_subtract - = - (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract lhs rhs); - f_montgomery_multiply_by_constant_pre = (fun (simd_unit: t_PortableSIMDUnit) (c: i32) -> true); - f_montgomery_multiply_by_constant_post - = - (fun (simd_unit: t_PortableSIMDUnit) (c: i32) (out: t_PortableSIMDUnit) -> true); - f_montgomery_multiply_by_constant - = - (fun (simd_unit: t_PortableSIMDUnit) (c: i32) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant simd_unit c); - f_montgomery_multiply_pre = (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> true); - f_montgomery_multiply_post - = - (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) (out: t_PortableSIMDUnit) -> true); - f_montgomery_multiply - = - (fun (lhs: t_PortableSIMDUnit) (rhs: t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply lhs rhs); - f_shift_left_then_reduce_pre = (fun (v_SHIFT_BY: i32) (simd_unit: t_PortableSIMDUnit) -> true); - f_shift_left_then_reduce_post - = - (fun (v_SHIFT_BY: i32) (simd_unit: t_PortableSIMDUnit) 
(out: t_PortableSIMDUnit) -> true); - f_shift_left_then_reduce - = - (fun (v_SHIFT_BY: i32) (simd_unit: t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.shift_left_then_reduce v_SHIFT_BY simd_unit); - f_power2round_pre = (fun (simd_unit: t_PortableSIMDUnit) -> true); - f_power2round_post - = - (fun (simd_unit: t_PortableSIMDUnit) (out: (t_PortableSIMDUnit & t_PortableSIMDUnit)) -> true); - f_power2round - = - (fun (simd_unit: t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.power2round simd_unit); - f_infinity_norm_exceeds_pre = (fun (simd_unit: t_PortableSIMDUnit) (bound: i32) -> true); - f_infinity_norm_exceeds_post - = - (fun (simd_unit: t_PortableSIMDUnit) (bound: i32) (out: bool) -> true); - f_infinity_norm_exceeds - = - (fun (simd_unit: t_PortableSIMDUnit) (bound: i32) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.infinity_norm_exceeds simd_unit bound); - f_decompose_pre = (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) -> true); - f_decompose_post - = - (fun - (v_GAMMA2: i32) - (simd_unit: t_PortableSIMDUnit) - (out: (t_PortableSIMDUnit & t_PortableSIMDUnit)) - -> - true); - f_decompose - = - (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.decompose v_GAMMA2 simd_unit); - f_compute_hint_pre - = - (fun (v_GAMMA2: i32) (low: t_PortableSIMDUnit) (high: t_PortableSIMDUnit) -> true); - f_compute_hint_post - = - (fun - (v_GAMMA2: i32) - (low: t_PortableSIMDUnit) - (high: t_PortableSIMDUnit) - (out: (usize & t_PortableSIMDUnit)) - -> - true); - f_compute_hint - = - (fun (v_GAMMA2: i32) (low: t_PortableSIMDUnit) (high: t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.compute_hint v_GAMMA2 low high); - f_use_hint_pre - = - (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) (hint: t_PortableSIMDUnit) -> true); - f_use_hint_post - = - (fun - (v_GAMMA2: i32) - (simd_unit: t_PortableSIMDUnit) - (hint: t_PortableSIMDUnit) - (out: t_PortableSIMDUnit) - -> - true); - 
f_use_hint - = - (fun (v_GAMMA2: i32) (simd_unit: t_PortableSIMDUnit) (hint: t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Arithmetic.use_hint v_GAMMA2 simd_unit hint); - f_rejection_sample_less_than_field_modulus_pre - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); - f_rejection_sample_less_than_field_modulus_post - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); - f_rejection_sample_less_than_field_modulus - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_field_modulus randomness - out - in - let out:t_Slice i32 = tmp0 in - let hax_temp_output:usize = out1 in - out, hax_temp_output <: (t_Slice i32 & usize)); - f_rejection_sample_less_than_eta_equals_2_pre - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); - f_rejection_sample_less_than_eta_equals_2_post - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); - f_rejection_sample_less_than_eta_equals_2_ - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_2_ randomness - out - in - let out:t_Slice i32 = tmp0 in - let hax_temp_output:usize = out1 in - out, hax_temp_output <: (t_Slice i32 & usize)); - f_rejection_sample_less_than_eta_equals_4_pre - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); - f_rejection_sample_less_than_eta_equals_4_post - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); - f_rejection_sample_less_than_eta_equals_4_ - = - (fun (randomness: t_Slice u8) (out: t_Slice i32) -> - let tmp0, out1:(t_Slice i32 & usize) = - Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_4_ randomness - out - in - let out:t_Slice i32 = tmp0 in - let hax_temp_output:usize = out1 in - 
out, hax_temp_output <: (t_Slice i32 & usize)); - f_gamma1_serialize_pre = (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> true); - f_gamma1_serialize_post - = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> - true); - f_gamma1_serialize - = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize v_OUTPUT_SIZE simd_unit); - f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); - f_gamma1_deserialize_post - = - (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); - f_gamma1_deserialize - = - (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized); - f_commitment_serialize_pre - = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> true); - f_commitment_serialize_post - = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> - true); - f_commitment_serialize - = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.serialize v_OUTPUT_SIZE simd_unit); - f_error_serialize_pre = (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> true); - f_error_serialize_post - = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 v_OUTPUT_SIZE) -> - true); - f_error_serialize - = - (fun (v_OUTPUT_SIZE: usize) (simd_unit: t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize v_OUTPUT_SIZE simd_unit); - f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); - f_error_deserialize_post - = - (fun (v_ETA: usize) (serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); - f_error_deserialize - = - (fun (v_ETA: usize) (serialized: t_Slice u8) -> - 
Libcrux_ml_dsa.Simd.Portable.Encoding.Error.deserialize v_ETA serialized); - f_t0_serialize_pre = (fun (simd_unit: t_PortableSIMDUnit) -> true); - f_t0_serialize_post - = - (fun (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 (Rust_primitives.mk_usize 13)) -> true); - f_t0_serialize - = - (fun (simd_unit: t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.T0.serialize simd_unit); - f_t0_deserialize_pre = (fun (serialized: t_Slice u8) -> true); - f_t0_deserialize_post = (fun (serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); - f_t0_deserialize - = - (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T0.deserialize serialized - ); - f_t1_serialize_pre = (fun (simd_unit: t_PortableSIMDUnit) -> true); - f_t1_serialize_post - = - (fun (simd_unit: t_PortableSIMDUnit) (out: t_Array u8 (Rust_primitives.mk_usize 10)) -> true); - f_t1_serialize - = - (fun (simd_unit: t_PortableSIMDUnit) -> - Libcrux_ml_dsa.Simd.Portable.Encoding.T1.serialize simd_unit); - f_t1_deserialize_pre = (fun (serialized: t_Slice u8) -> true); - f_t1_deserialize_post = (fun (serialized: t_Slice u8) (out: t_PortableSIMDUnit) -> true); - f_t1_deserialize - = - (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T1.deserialize serialized - ); - f_ntt_pre = (fun (simd_units: t_Array t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) -> true); - f_ntt_post - = - (fun - (simd_units: t_Array t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) - (out: t_Array t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) - -> - true); - f_ntt - = - (fun (simd_units: t_Array t_PortableSIMDUnit (Rust_primitives.mk_usize 32)) -> - Libcrux_ml_dsa.Simd.Portable.Ntt.ntt simd_units); - f_invert_ntt_at_layer_0_pre - = - (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> true - ); - f_invert_ntt_at_layer_0_post - = - (fun - (simd_unit: t_PortableSIMDUnit) - (zeta0: i32) - (zeta1: i32) - (zeta2: i32) - (zeta3: i32) - (out: 
t_PortableSIMDUnit) - -> - true); - f_invert_ntt_at_layer_0_ - = - (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (zeta2: i32) (zeta3: i32) -> - Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_0_ simd_unit zeta0 zeta1 zeta2 zeta3); - f_invert_ntt_at_layer_1_pre - = - (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) -> true); - f_invert_ntt_at_layer_1_post - = - (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) (out: t_PortableSIMDUnit) -> true - ); - f_invert_ntt_at_layer_1_ - = - (fun (simd_unit: t_PortableSIMDUnit) (zeta0: i32) (zeta1: i32) -> - Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_1_ simd_unit zeta0 zeta1); - f_invert_ntt_at_layer_2_pre = (fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) -> true); - f_invert_ntt_at_layer_2_post - = - (fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) (out: t_PortableSIMDUnit) -> true); - f_invert_ntt_at_layer_2_ - = - fun (simd_unit: t_PortableSIMDUnit) (zeta: i32) -> - Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_2_ simd_unit zeta - } +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY541533844 as v_DUMMY} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY900481996 as v_DUMMY} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY384609919 as v_DUMMY} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY450911580 as v_DUMMY} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {arithmetic as arithmetic} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {encoding as encoding} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {ntt as ntt} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {sample as sample} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {vector_type as vector_type} + +include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {impl as impl} 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti index b18bea023..1ef0cb0e8 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti @@ -16,9 +16,9 @@ class t_Operations (v_Self: Type0) = { (f_from_coefficient_array_pre x0) (fun result -> f_from_coefficient_array_post x0 result); f_to_coefficient_array_pre:v_Self -> Type0; - f_to_coefficient_array_post:v_Self -> t_Array i32 (Rust_primitives.mk_usize 8) -> Type0; + f_to_coefficient_array_post:v_Self -> t_Array i32 (sz 8) -> Type0; f_to_coefficient_array:x0: v_Self - -> Prims.Pure (t_Array i32 (Rust_primitives.mk_usize 8)) + -> Prims.Pure (t_Array i32 (sz 8)) (f_to_coefficient_array_pre x0) (fun result -> f_to_coefficient_array_post x0 result); f_add_pre:v_Self -> v_Self -> Type0; @@ -129,9 +129,9 @@ class t_Operations (v_Self: Type0) = { (f_error_deserialize_pre v_ETA x0) (fun result -> f_error_deserialize_post v_ETA x0 result); f_t0_serialize_pre:v_Self -> Type0; - f_t0_serialize_post:v_Self -> t_Array u8 (Rust_primitives.mk_usize 13) -> Type0; + f_t0_serialize_post:v_Self -> t_Array u8 (sz 13) -> Type0; f_t0_serialize:x0: v_Self - -> Prims.Pure (t_Array u8 (Rust_primitives.mk_usize 13)) + -> Prims.Pure (t_Array u8 (sz 13)) (f_t0_serialize_pre x0) (fun result -> f_t0_serialize_post x0 result); f_t0_deserialize_pre:t_Slice u8 -> Type0; 
@@ -139,24 +139,19 @@ class t_Operations (v_Self: Type0) = { f_t0_deserialize:x0: t_Slice u8 -> Prims.Pure v_Self (f_t0_deserialize_pre x0) (fun result -> f_t0_deserialize_post x0 result); f_t1_serialize_pre:v_Self -> Type0; - f_t1_serialize_post:v_Self -> t_Array u8 (Rust_primitives.mk_usize 10) -> Type0; + f_t1_serialize_post:v_Self -> t_Array u8 (sz 10) -> Type0; f_t1_serialize:x0: v_Self - -> Prims.Pure (t_Array u8 (Rust_primitives.mk_usize 10)) + -> Prims.Pure (t_Array u8 (sz 10)) (f_t1_serialize_pre x0) (fun result -> f_t1_serialize_post x0 result); f_t1_deserialize_pre:t_Slice u8 -> Type0; f_t1_deserialize_post:t_Slice u8 -> v_Self -> Type0; f_t1_deserialize:x0: t_Slice u8 -> Prims.Pure v_Self (f_t1_deserialize_pre x0) (fun result -> f_t1_deserialize_post x0 result); - f_ntt_pre:t_Array v_Self (Rust_primitives.mk_usize 32) -> Type0; - f_ntt_post: - t_Array v_Self (Rust_primitives.mk_usize 32) -> - t_Array v_Self (Rust_primitives.mk_usize 32) - -> Type0; - f_ntt:x0: t_Array v_Self (Rust_primitives.mk_usize 32) - -> Prims.Pure (t_Array v_Self (Rust_primitives.mk_usize 32)) - (f_ntt_pre x0) - (fun result -> f_ntt_post x0 result); + f_ntt_pre:t_Array v_Self (sz 32) -> Type0; + f_ntt_post:t_Array v_Self (sz 32) -> t_Array v_Self (sz 32) -> Type0; + f_ntt:x0: t_Array v_Self (sz 32) + -> Prims.Pure (t_Array v_Self (sz 32)) (f_ntt_pre x0) (fun result -> f_ntt_post x0 result); f_invert_ntt_at_layer_0_pre:v_Self -> i32 -> i32 -> i32 -> i32 -> Type0; f_invert_ntt_at_layer_0_post:v_Self -> i32 -> i32 -> i32 -> i32 -> v_Self -> Type0; f_invert_ntt_at_layer_0_:x0: v_Self -> x1: i32 -> x2: i32 -> x3: i32 -> x4: i32 
@@ -177,138 +172,50 @@ class t_Operations (v_Self: Type0) = { (fun result -> f_invert_ntt_at_layer_2_post x0 x1 result) } -let v_COEFFICIENTS_IN_SIMD_UNIT: usize = Rust_primitives.mk_usize 8 +let v_COEFFICIENTS_IN_SIMD_UNIT: usize = sz 8 -let v_FIELD_MODULUS: i32 = Rust_primitives.mk_i32 8380417 +let v_FIELD_MODULUS: i32 = 8380417l -let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = Rust_primitives.mk_u64 58728449 +let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL let v_SIMD_UNITS_IN_RING_ELEMENT: usize = Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT -let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (Rust_primitives.mk_usize 256) = +let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (sz 256) = let list = [ - Rust_primitives.mk_i32 0; Rust_primitives.mk_i32 25847; Rust_primitives.mk_i32 (-2608894); - Rust_primitives.mk_i32 (-518909); Rust_primitives.mk_i32 237124; - Rust_primitives.mk_i32 (-777960); Rust_primitives.mk_i32 (-876248); - Rust_primitives.mk_i32 466468; Rust_primitives.mk_i32 1826347; Rust_primitives.mk_i32 2353451; - Rust_primitives.mk_i32 (-359251); Rust_primitives.mk_i32 (-2091905); - Rust_primitives.mk_i32 3119733; Rust_primitives.mk_i32 (-2884855); - Rust_primitives.mk_i32 3111497; Rust_primitives.mk_i32 2680103; Rust_primitives.mk_i32 2725464; - Rust_primitives.mk_i32 1024112; Rust_primitives.mk_i32 (-1079900); - Rust_primitives.mk_i32 3585928; Rust_primitives.mk_i32 (-549488); - Rust_primitives.mk_i32 (-1119584); Rust_primitives.mk_i32 2619752; - Rust_primitives.mk_i32 (-2108549); Rust_primitives.mk_i32 (-2118186); - Rust_primitives.mk_i32 (-3859737); Rust_primitives.mk_i32 (-1399561); - Rust_primitives.mk_i32 (-3277672); Rust_primitives.mk_i32 1757237; - Rust_primitives.mk_i32 (-19422); Rust_primitives.mk_i32 4010497; Rust_primitives.mk_i32 280005; - Rust_primitives.mk_i32 2706023; Rust_primitives.mk_i32 95776; Rust_primitives.mk_i32 3077325; - Rust_primitives.mk_i32 3530437; Rust_primitives.mk_i32 (-1661693); 
- Rust_primitives.mk_i32 (-3592148); Rust_primitives.mk_i32 (-2537516); - Rust_primitives.mk_i32 3915439; Rust_primitives.mk_i32 (-3861115); - Rust_primitives.mk_i32 (-3043716); Rust_primitives.mk_i32 3574422; - Rust_primitives.mk_i32 (-2867647); Rust_primitives.mk_i32 3539968; - Rust_primitives.mk_i32 (-300467); Rust_primitives.mk_i32 2348700; - Rust_primitives.mk_i32 (-539299); Rust_primitives.mk_i32 (-1699267); - Rust_primitives.mk_i32 (-1643818); Rust_primitives.mk_i32 3505694; - Rust_primitives.mk_i32 (-3821735); Rust_primitives.mk_i32 3507263; - Rust_primitives.mk_i32 (-2140649); Rust_primitives.mk_i32 (-1600420); - Rust_primitives.mk_i32 3699596; Rust_primitives.mk_i32 811944; Rust_primitives.mk_i32 531354; - Rust_primitives.mk_i32 954230; Rust_primitives.mk_i32 3881043; Rust_primitives.mk_i32 3900724; - Rust_primitives.mk_i32 (-2556880); Rust_primitives.mk_i32 2071892; - Rust_primitives.mk_i32 (-2797779); Rust_primitives.mk_i32 (-3930395); - Rust_primitives.mk_i32 (-1528703); Rust_primitives.mk_i32 (-3677745); - Rust_primitives.mk_i32 (-3041255); Rust_primitives.mk_i32 (-1452451); - Rust_primitives.mk_i32 3475950; Rust_primitives.mk_i32 2176455; - Rust_primitives.mk_i32 (-1585221); Rust_primitives.mk_i32 (-1257611); - Rust_primitives.mk_i32 1939314; Rust_primitives.mk_i32 (-4083598); - Rust_primitives.mk_i32 (-1000202); Rust_primitives.mk_i32 (-3190144); - Rust_primitives.mk_i32 (-3157330); Rust_primitives.mk_i32 (-3632928); - Rust_primitives.mk_i32 126922; Rust_primitives.mk_i32 3412210; - Rust_primitives.mk_i32 (-983419); Rust_primitives.mk_i32 2147896; - Rust_primitives.mk_i32 2715295; Rust_primitives.mk_i32 (-2967645); - Rust_primitives.mk_i32 (-3693493); Rust_primitives.mk_i32 (-411027); - Rust_primitives.mk_i32 (-2477047); Rust_primitives.mk_i32 (-671102); - Rust_primitives.mk_i32 (-1228525); Rust_primitives.mk_i32 (-22981); - Rust_primitives.mk_i32 (-1308169); Rust_primitives.mk_i32 (-381987); - Rust_primitives.mk_i32 1349076; Rust_primitives.mk_i32 
1852771; - Rust_primitives.mk_i32 (-1430430); Rust_primitives.mk_i32 (-3343383); - Rust_primitives.mk_i32 264944; Rust_primitives.mk_i32 508951; Rust_primitives.mk_i32 3097992; - Rust_primitives.mk_i32 44288; Rust_primitives.mk_i32 (-1100098); Rust_primitives.mk_i32 904516; - Rust_primitives.mk_i32 3958618; Rust_primitives.mk_i32 (-3724342); - Rust_primitives.mk_i32 (-8578); Rust_primitives.mk_i32 1653064; - Rust_primitives.mk_i32 (-3249728); Rust_primitives.mk_i32 2389356; - Rust_primitives.mk_i32 (-210977); Rust_primitives.mk_i32 759969; - Rust_primitives.mk_i32 (-1316856); Rust_primitives.mk_i32 189548; - Rust_primitives.mk_i32 (-3553272); Rust_primitives.mk_i32 3159746; - Rust_primitives.mk_i32 (-1851402); Rust_primitives.mk_i32 (-2409325); - Rust_primitives.mk_i32 (-177440); Rust_primitives.mk_i32 1315589; - Rust_primitives.mk_i32 1341330; Rust_primitives.mk_i32 1285669; - Rust_primitives.mk_i32 (-1584928); Rust_primitives.mk_i32 (-812732); - Rust_primitives.mk_i32 (-1439742); Rust_primitives.mk_i32 (-3019102); - Rust_primitives.mk_i32 (-3881060); Rust_primitives.mk_i32 (-3628969); - Rust_primitives.mk_i32 3839961; Rust_primitives.mk_i32 2091667; Rust_primitives.mk_i32 3407706; - Rust_primitives.mk_i32 2316500; Rust_primitives.mk_i32 3817976; - Rust_primitives.mk_i32 (-3342478); Rust_primitives.mk_i32 2244091; - Rust_primitives.mk_i32 (-2446433); Rust_primitives.mk_i32 (-3562462); - Rust_primitives.mk_i32 266997; Rust_primitives.mk_i32 2434439; - Rust_primitives.mk_i32 (-1235728); Rust_primitives.mk_i32 3513181; - Rust_primitives.mk_i32 (-3520352); Rust_primitives.mk_i32 (-3759364); - Rust_primitives.mk_i32 (-1197226); Rust_primitives.mk_i32 (-3193378); - Rust_primitives.mk_i32 900702; Rust_primitives.mk_i32 1859098; Rust_primitives.mk_i32 909542; - Rust_primitives.mk_i32 819034; Rust_primitives.mk_i32 495491; - Rust_primitives.mk_i32 (-1613174); Rust_primitives.mk_i32 (-43260); - Rust_primitives.mk_i32 (-522500); Rust_primitives.mk_i32 (-655327); - 
Rust_primitives.mk_i32 (-3122442); Rust_primitives.mk_i32 2031748; - Rust_primitives.mk_i32 3207046; Rust_primitives.mk_i32 (-3556995); - Rust_primitives.mk_i32 (-525098); Rust_primitives.mk_i32 (-768622); - Rust_primitives.mk_i32 (-3595838); Rust_primitives.mk_i32 342297; - Rust_primitives.mk_i32 286988; Rust_primitives.mk_i32 (-2437823); - Rust_primitives.mk_i32 4108315; Rust_primitives.mk_i32 3437287; - Rust_primitives.mk_i32 (-3342277); Rust_primitives.mk_i32 1735879; - Rust_primitives.mk_i32 203044; Rust_primitives.mk_i32 2842341; Rust_primitives.mk_i32 2691481; - Rust_primitives.mk_i32 (-2590150); Rust_primitives.mk_i32 1265009; - Rust_primitives.mk_i32 4055324; Rust_primitives.mk_i32 1247620; Rust_primitives.mk_i32 2486353; - Rust_primitives.mk_i32 1595974; Rust_primitives.mk_i32 (-3767016); - Rust_primitives.mk_i32 1250494; Rust_primitives.mk_i32 2635921; - Rust_primitives.mk_i32 (-3548272); Rust_primitives.mk_i32 (-2994039); - Rust_primitives.mk_i32 1869119; Rust_primitives.mk_i32 1903435; - Rust_primitives.mk_i32 (-1050970); Rust_primitives.mk_i32 (-1333058); - Rust_primitives.mk_i32 1237275; Rust_primitives.mk_i32 (-3318210); - Rust_primitives.mk_i32 (-1430225); Rust_primitives.mk_i32 (-451100); - Rust_primitives.mk_i32 1312455; Rust_primitives.mk_i32 3306115; - Rust_primitives.mk_i32 (-1962642); Rust_primitives.mk_i32 (-1279661); - Rust_primitives.mk_i32 1917081; Rust_primitives.mk_i32 (-2546312); - Rust_primitives.mk_i32 (-1374803); Rust_primitives.mk_i32 1500165; - Rust_primitives.mk_i32 777191; Rust_primitives.mk_i32 2235880; Rust_primitives.mk_i32 3406031; - Rust_primitives.mk_i32 (-542412); Rust_primitives.mk_i32 (-2831860); - Rust_primitives.mk_i32 (-1671176); Rust_primitives.mk_i32 (-1846953); - Rust_primitives.mk_i32 (-2584293); Rust_primitives.mk_i32 (-3724270); - Rust_primitives.mk_i32 594136; Rust_primitives.mk_i32 (-3776993); - Rust_primitives.mk_i32 (-2013608); Rust_primitives.mk_i32 2432395; - Rust_primitives.mk_i32 2454455; 
Rust_primitives.mk_i32 (-164721); - Rust_primitives.mk_i32 1957272; Rust_primitives.mk_i32 3369112; Rust_primitives.mk_i32 185531; - Rust_primitives.mk_i32 (-1207385); Rust_primitives.mk_i32 (-3183426); - Rust_primitives.mk_i32 162844; Rust_primitives.mk_i32 1616392; Rust_primitives.mk_i32 3014001; - Rust_primitives.mk_i32 810149; Rust_primitives.mk_i32 1652634; - Rust_primitives.mk_i32 (-3694233); Rust_primitives.mk_i32 (-1799107); - Rust_primitives.mk_i32 (-3038916); Rust_primitives.mk_i32 3523897; - Rust_primitives.mk_i32 3866901; Rust_primitives.mk_i32 269760; Rust_primitives.mk_i32 2213111; - Rust_primitives.mk_i32 (-975884); Rust_primitives.mk_i32 1717735; - Rust_primitives.mk_i32 472078; Rust_primitives.mk_i32 (-426683); - Rust_primitives.mk_i32 1723600; Rust_primitives.mk_i32 (-1803090); - Rust_primitives.mk_i32 1910376; Rust_primitives.mk_i32 (-1667432); - Rust_primitives.mk_i32 (-1104333); Rust_primitives.mk_i32 (-260646); - Rust_primitives.mk_i32 (-3833893); Rust_primitives.mk_i32 (-2939036); - Rust_primitives.mk_i32 (-2235985); Rust_primitives.mk_i32 (-420899); - Rust_primitives.mk_i32 (-2286327); Rust_primitives.mk_i32 183443; - Rust_primitives.mk_i32 (-976891); Rust_primitives.mk_i32 1612842; - Rust_primitives.mk_i32 (-3545687); Rust_primitives.mk_i32 (-554416); - Rust_primitives.mk_i32 3919660; Rust_primitives.mk_i32 (-48306); - Rust_primitives.mk_i32 (-1362209); Rust_primitives.mk_i32 3937738; - Rust_primitives.mk_i32 1400424; Rust_primitives.mk_i32 (-846154); - Rust_primitives.mk_i32 1976782 + 0l; 25847l; (-2608894l); (-518909l); 237124l; (-777960l); (-876248l); 466468l; 1826347l; + 2353451l; (-359251l); (-2091905l); 3119733l; (-2884855l); 3111497l; 2680103l; 2725464l; + 1024112l; (-1079900l); 3585928l; (-549488l); (-1119584l); 2619752l; (-2108549l); (-2118186l); + (-3859737l); (-1399561l); (-3277672l); 1757237l; (-19422l); 4010497l; 280005l; 2706023l; + 95776l; 3077325l; 3530437l; (-1661693l); (-3592148l); (-2537516l); 3915439l; (-3861115l); + 
(-3043716l); 3574422l; (-2867647l); 3539968l; (-300467l); 2348700l; (-539299l); (-1699267l); + (-1643818l); 3505694l; (-3821735l); 3507263l; (-2140649l); (-1600420l); 3699596l; 811944l; + 531354l; 954230l; 3881043l; 3900724l; (-2556880l); 2071892l; (-2797779l); (-3930395l); + (-1528703l); (-3677745l); (-3041255l); (-1452451l); 3475950l; 2176455l; (-1585221l); + (-1257611l); 1939314l; (-4083598l); (-1000202l); (-3190144l); (-3157330l); (-3632928l); + 126922l; 3412210l; (-983419l); 2147896l; 2715295l; (-2967645l); (-3693493l); (-411027l); + (-2477047l); (-671102l); (-1228525l); (-22981l); (-1308169l); (-381987l); 1349076l; 1852771l; + (-1430430l); (-3343383l); 264944l; 508951l; 3097992l; 44288l; (-1100098l); 904516l; 3958618l; + (-3724342l); (-8578l); 1653064l; (-3249728l); 2389356l; (-210977l); 759969l; (-1316856l); + 189548l; (-3553272l); 3159746l; (-1851402l); (-2409325l); (-177440l); 1315589l; 1341330l; + 1285669l; (-1584928l); (-812732l); (-1439742l); (-3019102l); (-3881060l); (-3628969l); + 3839961l; 2091667l; 3407706l; 2316500l; 3817976l; (-3342478l); 2244091l; (-2446433l); + (-3562462l); 266997l; 2434439l; (-1235728l); 3513181l; (-3520352l); (-3759364l); (-1197226l); + (-3193378l); 900702l; 1859098l; 909542l; 819034l; 495491l; (-1613174l); (-43260l); (-522500l); + (-655327l); (-3122442l); 2031748l; 3207046l; (-3556995l); (-525098l); (-768622l); (-3595838l); + 342297l; 286988l; (-2437823l); 4108315l; 3437287l; (-3342277l); 1735879l; 203044l; 2842341l; + 2691481l; (-2590150l); 1265009l; 4055324l; 1247620l; 2486353l; 1595974l; (-3767016l); 1250494l; + 2635921l; (-3548272l); (-2994039l); 1869119l; 1903435l; (-1050970l); (-1333058l); 1237275l; + (-3318210l); (-1430225l); (-451100l); 1312455l; 3306115l; (-1962642l); (-1279661l); 1917081l; + (-2546312l); (-1374803l); 1500165l; 777191l; 2235880l; 3406031l; (-542412l); (-2831860l); + (-1671176l); (-1846953l); (-2584293l); (-3724270l); 594136l; (-3776993l); (-2013608l); + 2432395l; 2454455l; (-164721l); 1957272l; 
3369112l; 185531l; (-1207385l); (-3183426l); 162844l; + 1616392l; 3014001l; 810149l; 1652634l; (-3694233l); (-1799107l); (-3038916l); 3523897l; + 3866901l; 269760l; 2213111l; (-975884l); 1717735l; 472078l; (-426683l); 1723600l; (-1803090l); + 1910376l; (-1667432l); (-1104333l); (-260646l); (-3833893l); (-2939036l); (-2235985l); + (-420899l); (-2286327l); 183443l; (-976891l); 1612842l; (-3545687l); (-554416l); 3919660l; + (-48306l); (-1362209l); 3937738l; 1400424l; (-846154l); 1976782l ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256); diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst index ec1147591..8af0ff228 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst 
@@ -17,18 +17,18 @@ let impl_4__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE let t_SigningError_cast_to_repr (x: t_SigningError) = match x with - | SigningError_RejectionSamplingError -> Rust_primitives.mk_isize 0 - | SigningError_ContextTooLongError -> Rust_primitives.mk_isize 1 + | SigningError_RejectionSamplingError -> isz 0 + | SigningError_ContextTooLongError -> isz 1 let t_VerificationError_cast_to_repr (x: t_VerificationError) = match x with - | VerificationError_MalformedHintError -> Rust_primitives.mk_isize 0 - | VerificationError_SignerResponseExceedsBoundError -> Rust_primitives.mk_isize 1 - | VerificationError_CommitmentHashesDontMatchError -> Rust_primitives.mk_isize 3 - | VerificationError_ContextTooLongError -> Rust_primitives.mk_isize 6 - -let impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self._0 <: t_Slice u8 + | VerificationError_MalformedHintError -> isz 0 + | VerificationError_SignerResponseExceedsBoundError -> isz 1 + | VerificationError_CommitmentHashesDontMatchError -> isz 3 + | VerificationError_ContextTooLongError -> isz 6 let impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self._0 <: t_Slice u8 let impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = self._0 <: t_Slice u8 + +let impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self._0 <: t_Slice u8 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti index e1c781c13..f121066d7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti 
@@ -20,46 +20,18 @@ val impl_2__len: v_SIZE: usize -> Prims.unit val impl_4__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) -type t_SigningError = - | SigningError_RejectionSamplingError : t_SigningError - | SigningError_ContextTooLongError : t_SigningError - -val t_SigningError_cast_to_repr (x: t_SigningError) - : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) - -type t_VerificationError = - | VerificationError_MalformedHintError : t_VerificationError - | VerificationError_SignerResponseExceedsBoundError : t_VerificationError - | VerificationError_CommitmentHashesDontMatchError : t_VerificationError - | VerificationError_ContextTooLongError : t_VerificationError - -val t_VerificationError_cast_to_repr (x: t_VerificationError) - : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) - ///An ML-DSA signature. type t_MLDSASignature (v_SIZE: usize) = | MLDSASignature : t_Array u8 v_SIZE -> t_MLDSASignature v_SIZE -/// A reference to the raw byte slice. -val impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - ///An ML-DSA signature key. type t_MLDSASigningKey (v_SIZE: usize) = | MLDSASigningKey : t_Array u8 v_SIZE -> t_MLDSASigningKey v_SIZE -/// A reference to the raw byte slice. -val impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - ///An ML-DSA verification key. type t_MLDSAVerificationKey (v_SIZE: usize) = | MLDSAVerificationKey : t_Array u8 v_SIZE -> t_MLDSAVerificationKey v_SIZE -/// A reference to the raw byte slice. -val impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) - : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) - /// An ML-DSA key pair. type t_MLDSAKeyPair (v_VERIFICATION_KEY_SIZE: usize) (v_SIGNING_KEY_SIZE: usize) = { f_signing_key:t_MLDSASigningKey v_SIGNING_KEY_SIZE; 
@@ -73,5 +45,33 @@ type t_Signature f_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE; f_signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A; - f_hint:t_Array (t_Array i32 (Rust_primitives.mk_usize 256)) v_ROWS_IN_A + f_hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A } + +type t_SigningError = + | SigningError_RejectionSamplingError : t_SigningError + | SigningError_ContextTooLongError : t_SigningError + +val t_SigningError_cast_to_repr (x: t_SigningError) + : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) + +type t_VerificationError = + | VerificationError_MalformedHintError : t_VerificationError + | VerificationError_SignerResponseExceedsBoundError : t_VerificationError + | VerificationError_CommitmentHashesDontMatchError : t_VerificationError + | VerificationError_ContextTooLongError : t_VerificationError + +val t_VerificationError_cast_to_repr (x: t_VerificationError) + : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) + +/// A reference to the raw byte slice. +val impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// A reference to the raw byte slice. +val impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// A reference to the raw byte slice. +val impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst index 02b37aa5a..82aa84965 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst 
@@ -12,18 +12,18 @@ let into_padded_array (v_LEN: usize) (slice: t_Slice u8) = in () in - let out:t_Array u8 v_LEN = Rust_primitives.Hax.repeat (Rust_primitives.mk_u8 0) v_LEN in + let out:t_Array u8 v_LEN = Rust_primitives.Hax.repeat 0uy v_LEN in let out:t_Array u8 v_LEN = Rust_primitives.Hax.Monomorphized_update_at.update_at_range out ({ - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; + Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize } <: Core.Ops.Range.t_Range usize) (Core.Slice.impl__copy_from_slice #u8 (out.[ { - Core.Ops.Range.f_start = Rust_primitives.mk_usize 0; + Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize } <: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph b/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph index 2c831085a..ddce2bce1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph +++ b/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph 
@@ -5,21 +5,20 @@ digraph { "fstar_reflection_const" -> "prims" "libcrux_ml_dsa_ml_dsa_87__portable" -> "core_result" "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_types" - "libcrux_ml_dsa_ml_dsa_87__portable" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87__portable" -> "core" "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_87__portable" -> "prims" + "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "fstar_int32" "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ntt" -> "core_slice" "libcrux_ml_dsa_ntt" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_ntt" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_ntt" -> "fstar_pervasives_native" "libcrux_ml_dsa_ntt" -> "fstar_pervasives_native" - "libcrux_ml_dsa_ntt" -> "core_slice" "libcrux_ml_dsa_ntt" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_ntt" -> "rust_primitives" - "libcrux_ml_dsa_ntt" -> "rust_primitives" "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_ntt" -> "fstar_tactics_typeclasses" 
@@ -35,9 +34,19 @@ digraph { "libcrux_ml_dsa_ntt" -> "prims" "libcrux_ml_dsa_ntt" -> "prims" "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_ntt" + "libcrux_sha3_portable" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_portable" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "prims" + "libcrux_sha3_portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" - "libcrux_ml_dsa_ml_dsa_44_" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_44_" -> "core" "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_pervasives" 
@@ -90,10 +99,21 @@ digraph { "core_fmt" -> "fstar_pervasives" "core_fmt" -> "prims" "core_fmt" -> "prims" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_generic_keccak" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" - "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core" 
@@ -134,10 +154,10 @@ digraph { "fstar_tactics_v1_logic" -> "fstar_pervasives" "fstar_tactics_v1_logic" -> "prims" "fstar_tactics_v1_logic" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_int32" "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_intrinsics_avx2_extract" @@ -182,10 +202,6 @@ digraph { "fstar_tactics_bv" -> "prims" "fstar_tactics_bv" -> "prims" "fstar_tactics_bv" -> "fstar_tactics_bv" - "libcrux_platform_platform" -> "fstar_mul" - "libcrux_platform_platform" -> "core" - "libcrux_platform_platform" -> "fstar_pervasives" - "libcrux_platform_platform" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_convert" 
@@ -194,9 +210,15 @@ digraph { "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_array" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_result" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int64" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int64" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int8" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_ops_range" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_uint8" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "hax_lib" @@ -206,8 +228,8 @@ digraph { "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_ml_dsa_constants" - "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int32" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" 
@@ -249,8 +271,8 @@ digraph { "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_panicking" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_int32" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_mul" @@ -264,7 +286,6 @@ digraph { "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "core_result" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_types" - "libcrux_ml_dsa_ml_dsa_87__avx2" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "core" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_pervasives" 
@@ -332,16 +353,18 @@ digraph { "fstar_tactics_bv_lemmas" -> "fstar_pervasives" "fstar_tactics_bv_lemmas" -> "prims" "fstar_tactics_bv_lemmas" -> "prims" - "libcrux_sha3_portable_incremental" -> "libcrux_sha3_portable" - "libcrux_sha3_portable_incremental" -> "libcrux_sha3_portable" - "libcrux_sha3_portable_incremental" -> "fstar_mul" - "libcrux_sha3_portable_incremental" -> "fstar_mul" - "libcrux_sha3_portable_incremental" -> "core" - "libcrux_sha3_portable_incremental" -> "core" - "libcrux_sha3_portable_incremental" -> "fstar_pervasives" - "libcrux_sha3_portable_incremental" -> "fstar_pervasives" - "libcrux_sha3_portable_incremental" -> "prims" - "libcrux_sha3_portable_incremental" -> "prims" + "libcrux_sha3_generic_keccak" -> "fstar_tactics_typeclasses" + "libcrux_sha3_generic_keccak" -> "fstar_tactics_typeclasses" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_generic_keccak" -> "prims" "fstar_uint" -> "fstar_seq_base" "fstar_uint" -> "fstar_seq_base" "fstar_uint" -> "fstar_math_lemmas" 
@@ -396,17 +419,26 @@ digraph { "lib_sequence" -> "fstar_pervasives" "lib_sequence" -> "prims" "lib_sequence" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_ml_dsa_65_" -> "core_result" "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_constants" - "libcrux_ml_dsa_ml_dsa_65_" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65_" -> "core" "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_65_" -> "prims" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" - "libcrux_ml_dsa_ml_dsa_87_" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87_" -> "core" "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_pervasives" @@ -416,8 +448,6 @@ digraph { "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives" - "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives" "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_gamma1" -> "fstar_mul" 
@@ -428,6 +458,10 @@ digraph { "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives" "libcrux_ml_dsa_encoding_gamma1" -> "prims" "libcrux_ml_dsa_encoding_gamma1" -> "prims" + "libcrux_platform_platform" -> "fstar_mul" + "libcrux_platform_platform" -> "core" + "libcrux_platform_platform" -> "fstar_pervasives" + "libcrux_platform_platform" -> "prims" "fstar_pervasives" -> "prims" "fstar_pervasives" -> "prims" "fstar_pervasives" -> "fstar_pervasives" @@ -452,8 +486,6 @@ digraph { "rust_primitives_hax" -> "prims" "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives_hax" "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives_hax" - "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives" - "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives" "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_mul" @@ -478,8 +510,10 @@ digraph { "libcrux_ml_dsa_simd_traits" -> "fstar_list_tot" "libcrux_ml_dsa_simd_traits" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_simd_traits" -> "libcrux_ml_dsa_constants" - "libcrux_ml_dsa_simd_traits" -> "rust_primitives" - "libcrux_ml_dsa_simd_traits" -> "rust_primitives" + "libcrux_ml_dsa_simd_traits" -> "fstar_uint64" + "libcrux_ml_dsa_simd_traits" -> "fstar_uint64" + "libcrux_ml_dsa_simd_traits" -> "fstar_int32" + "libcrux_ml_dsa_simd_traits" -> "fstar_int32" "libcrux_ml_dsa_simd_traits" -> "core_clone" "libcrux_ml_dsa_simd_traits" -> "core_clone" "libcrux_ml_dsa_simd_traits" -> "core_marker" 
@@ -494,14 +528,17 @@ digraph { "libcrux_ml_dsa_simd_traits" -> "fstar_pervasives" "libcrux_ml_dsa_simd_traits" -> "prims" "libcrux_ml_dsa_simd_traits" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" - "libcrux_ml_dsa_ml_dsa_65__neon" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65__neon" -> "core" "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_65__neon" -> "prims" "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_ml_dsa_65__neon" + "libcrux_ml_dsa_encoding_t0" -> "core_ops_range" + "libcrux_ml_dsa_encoding_t0" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_t0" -> "fstar_uint8" "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_ntt" "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_ntt" "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_constants" 
@@ -510,25 +547,22 @@ digraph { "libcrux_ml_dsa_encoding_t0" -> "core_iter_adapters_enumerate" "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_collect" "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_iterator" "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_iterator" "libcrux_ml_dsa_encoding_t0" -> "core_option" "libcrux_ml_dsa_encoding_t0" -> "core_option" "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives_native" "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives_native" - "libcrux_ml_dsa_encoding_t0" -> "core_slice_iter" - "libcrux_ml_dsa_encoding_t0" -> "core_slice_iter" - "libcrux_ml_dsa_encoding_t0" -> "core_slice" - "libcrux_ml_dsa_encoding_t0" -> "core_ops_range" - "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax" - "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax" - "libcrux_ml_dsa_encoding_t0" -> "rust_primitives" - "libcrux_ml_dsa_encoding_t0" -> "rust_primitives" "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t0" -> "core_slice" + "libcrux_ml_dsa_encoding_t0" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_t0" -> "core_slice_iter" "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" 
@@ -572,7 +606,6 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_platform_platform" - "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "core" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_pervasives" @@ -614,19 +647,6 @@ digraph { "fstar_string" -> "fstar_pervasives" "fstar_string" -> "prims" "fstar_string" -> "prims" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "core" - "bitvec_equality" -> "core" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "prims" - "bitvec_equality" -> "prims" - "bitvec_equality" -> "bitvec_equality" "spec_sha3" -> "fstar_pervasives_native" "spec_sha3" -> "fstar_pervasives_native" "spec_sha3" -> "spec_sha3_constants" 
@@ -649,18 +669,18 @@ digraph { "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_portable_incremental" "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake256" "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake256" - "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_portable" - "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_portable" "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_uint8" "libcrux_ml_dsa_hash_functions_simd256" -> "rust_primitives_hax" "libcrux_ml_dsa_hash_functions_simd256" -> "rust_primitives_hax" "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives_native" "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives_native" - "libcrux_ml_dsa_hash_functions_simd256" -> "rust_primitives" - "libcrux_ml_dsa_hash_functions_simd256" -> "rust_primitives" "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_portable" "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_avx2_x4_incremental" "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_mul" "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_mul" 
@@ -670,6 +690,19 @@ digraph { "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives" "libcrux_ml_dsa_hash_functions_simd256" -> "prims" "libcrux_ml_dsa_hash_functions_simd256" -> "prims" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_portable_sample" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "prims" "fstar_calc" -> "fstar_classical" "fstar_calc" -> "fstar_classical" "fstar_calc" -> "fstar_preorder" 
@@ -681,6 +714,43 @@ digraph { "fstar_calc" -> "prims" "fstar_calc" -> "prims" "fstar_calc" -> "fstar_calc" + "spec_utils" -> "rust_primitives_integers" + "spec_utils" -> "rust_primitives_integers" + "spec_utils" -> "fstar_calc" + "spec_utils" -> "fstar_calc" + "spec_utils" -> "fstar_int32" + "spec_utils" -> "fstar_int32" + "spec_utils" -> "fstar_int16" + "spec_utils" -> "fstar_int16" + "spec_utils" -> "fstar_math_lemmas" + "spec_utils" -> "fstar_math_lemmas" + "spec_utils" -> "fstar_classical_sugar" + "spec_utils" -> "fstar_classical_sugar" + "spec_utils" -> "rust_primitives_hax_monomorphized_update_at" + "spec_utils" -> "rust_primitives_hax_monomorphized_update_at" + "spec_utils" -> "core_ops_range" + "spec_utils" -> "lib_inttypes" + "spec_utils" -> "lib_inttypes" + "spec_utils" -> "lib_rawinttypes" + "spec_utils" -> "lib_rawinttypes" + "spec_utils" -> "spec_sha3" + "spec_utils" -> "spec_sha3" + "spec_utils" -> "fstar_list_tot" + "spec_utils" -> "fstar_list_tot" + "spec_utils" -> "rust_primitives_hax" + "spec_utils" -> "rust_primitives_hax" + "spec_utils" -> "lib_loopcombinators" + "spec_utils" -> "lib_loopcombinators" + "spec_utils" -> "fstar_seq" + "spec_utils" -> "fstar_seq" + "spec_utils" -> "core" + "spec_utils" -> "core" + "spec_utils" -> "fstar_mul" + "spec_utils" -> "fstar_mul" + "spec_utils" -> "fstar_pervasives" + "spec_utils" -> "fstar_pervasives" + "spec_utils" -> "prims" + "spec_utils" -> "prims" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_panicking" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_panicking" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "rust_primitives_hax" 
@@ -689,8 +759,8 @@ digraph { "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_simd_traits" - "libcrux_ml_dsa_simd_avx2_arithmetic" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_arithmetic" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_int32" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_num" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives_native" @@ -710,8 +780,6 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core_result" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core_result" - "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "rust_primitives" - "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2" @@ -776,8 +844,8 @@ digraph { "lib_inttypes" -> "fstar_pervasives" "lib_inttypes" -> "prims" "lib_inttypes" -> "prims" - "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int32" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" 
@@ -804,15 +872,19 @@ digraph { "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_encoding_signature" -> "core_result" "libcrux_ml_dsa_encoding_signature" -> "core_result" + "libcrux_ml_dsa_encoding_signature" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_signature" -> "fstar_uint8" "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives_native" "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives" + "libcrux_ml_dsa_encoding_signature" -> "fstar_int32" + "libcrux_ml_dsa_encoding_signature" -> "fstar_int32" "libcrux_ml_dsa_encoding_signature" -> "core_ops_range" "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_encoding_gamma1" "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_encoding_gamma1" "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_encoding_signature" -> "rust_primitives" - "libcrux_ml_dsa_encoding_signature" -> "rust_primitives" "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax_folds" "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax" "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax" @@ -841,8 +913,8 @@ digraph { "libcrux_ml_dsa_utils" -> "core_ops_range" "libcrux_ml_dsa_utils" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_utils" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_utils" -> "rust_primitives" - "libcrux_ml_dsa_utils" -> "rust_primitives" + "libcrux_ml_dsa_utils" -> "fstar_uint8" + "libcrux_ml_dsa_utils" -> "fstar_uint8" "libcrux_ml_dsa_utils" -> "rust_primitives_hax" "libcrux_ml_dsa_utils" -> "rust_primitives_hax" "libcrux_ml_dsa_utils" -> "core_slice" 
@@ -973,14 +1045,20 @@ digraph { "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_ops_range" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int16" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int16" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_uint8" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_panicking" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_panicking" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" - "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_slice" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "hax_lib" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "hax_lib" 
@@ -1005,8 +1083,8 @@ digraph { "fstar_list_tot_properties" -> "prims" "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" - "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_int32" "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_ntt" -> "core" @@ -1015,10 +1093,16 @@ digraph { "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" + "libcrux_sha3_avx2_x4" -> "fstar_mul" + "libcrux_sha3_avx2_x4" -> "fstar_mul" + "libcrux_sha3_avx2_x4" -> "core" + "libcrux_sha3_avx2_x4" -> "core" + "libcrux_sha3_avx2_x4" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4" -> "prims" + "libcrux_sha3_avx2_x4" -> "prims" "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives_hax" "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives_hax" - "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives" - "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives" "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_mul" 
@@ -1029,10 +1113,19 @@ digraph { "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_pervasives" "libcrux_ml_dsa_hash_functions_shake128" -> "prims" "libcrux_ml_dsa_hash_functions_shake128" -> "prims" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "prims" + "libcrux_sha3_portable" -> "prims" + "libcrux_sha3_portable" -> "libcrux_sha3_portable" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" - "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core" 
@@ -1073,36 +1166,36 @@ digraph { "rust_primitives_hax_folds" -> "fstar_pervasives" "rust_primitives_hax_folds" -> "prims" "rust_primitives_hax_folds" -> "prims" - "libcrux_ml_dsa_encoding_signing_key" -> "core_convert" - "libcrux_ml_dsa_encoding_signing_key" -> "core_convert" - "libcrux_ml_dsa_encoding_signing_key" -> "core_array" - "libcrux_ml_dsa_encoding_signing_key" -> "core_array" - "libcrux_ml_dsa_encoding_signing_key" -> "core_result" - "libcrux_ml_dsa_encoding_signing_key" -> "core_result" - "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_t0" - "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_t0" - "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_error" - "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_error" - "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives_native" - "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives_native" "libcrux_ml_dsa_encoding_signing_key" -> "core_slice_iter" "libcrux_ml_dsa_encoding_signing_key" -> "core_slice_iter" "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_collect" "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_collect" "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_iterator" "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_iterator" - "libcrux_ml_dsa_encoding_signing_key" -> "core_slice" - "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_constants" - "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_encoding_signing_key" -> "core_ops_range" "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives" - "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_uint8" 
"libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax" "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_signing_key" -> "core_convert" + "libcrux_ml_dsa_encoding_signing_key" -> "core_convert" + "libcrux_ml_dsa_encoding_signing_key" -> "core_array" + "libcrux_ml_dsa_encoding_signing_key" -> "core_array" + "libcrux_ml_dsa_encoding_signing_key" -> "core_result" + "libcrux_ml_dsa_encoding_signing_key" -> "core_result" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_t0" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_t0" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_error" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_error" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_signing_key" -> "core_slice" "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_simd_traits" 
@@ -1118,23 +1211,12 @@ digraph { "libcrux_ml_dsa_encoding_signing_key" -> "prims" "libcrux_ml_dsa_encoding_signing_key" -> "prims" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_signing_key" - "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_simd_portable_encoding_t0" -> "core_slice" - "libcrux_ml_dsa_simd_portable_encoding_t0" -> "hax_lib" - "libcrux_ml_dsa_simd_portable_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_simd_portable_encoding_t0" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable_vector_type" - "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_constants" - "libcrux_ml_dsa_simd_portable_encoding_t0" -> "rust_primitives" - "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_traits" - "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "core" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_pervasives" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "prims" "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable_encoding_t0" - "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives" - "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives" "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_vector_type" -> "core" 
@@ -1152,12 +1234,13 @@ digraph { "libcrux_ml_dsa_simd_portable_sample" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_simd_portable_sample" -> "core_slice" "libcrux_ml_dsa_simd_portable_sample" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_uint8" "libcrux_ml_dsa_simd_portable_sample" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_portable_sample" -> "core_slice_iter" "libcrux_ml_dsa_simd_portable_sample" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_portable_sample" -> "core_iter_traits_collect" "libcrux_ml_dsa_simd_portable_sample" -> "core_iter_traits_iterator" - "libcrux_ml_dsa_simd_portable_sample" -> "rust_primitives" "libcrux_ml_dsa_simd_portable_sample" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_sample" -> "core" "libcrux_ml_dsa_simd_portable_sample" -> "fstar_pervasives" @@ -1172,12 +1255,16 @@ digraph { "fstar_stubs_tactics_types" -> "fstar_pervasives" "fstar_stubs_tactics_types" -> "prims" "fstar_stubs_tactics_types" -> "prims" + "libcrux_ml_dsa_samplex4" -> "fstar_uint16" + "libcrux_ml_dsa_samplex4" -> "fstar_uint16" "libcrux_ml_dsa_samplex4" -> "core_panicking" "libcrux_ml_dsa_samplex4" -> "core_panicking" "libcrux_ml_dsa_samplex4" -> "fstar_pervasives_native" "libcrux_ml_dsa_samplex4" -> "fstar_pervasives_native" "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_samplex4" -> "fstar_uint8" + "libcrux_ml_dsa_samplex4" -> "fstar_uint8" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_sample" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_sample" "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax" 
@@ -1186,8 +1273,8 @@ digraph { "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_samplex4" -> "rust_primitives" - "libcrux_ml_dsa_samplex4" -> "rust_primitives" + "libcrux_ml_dsa_samplex4" -> "fstar_int32" + "libcrux_ml_dsa_samplex4" -> "fstar_int32" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake256" @@ -1213,8 +1300,6 @@ digraph { "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" - "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2_vector_type" -> "core_convert" @@ -1236,7 +1321,6 @@ digraph { "fstar_stubs_tactics_result" -> "prims" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "core_result" - "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_portable" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_pre_hash" 
@@ -1249,13 +1333,12 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "prims" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "core_result" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_types" - "libcrux_ml_dsa_ml_dsa_65__avx2" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "core" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "prims" - "libcrux_ml_dsa_constants" -> "rust_primitives" - "libcrux_ml_dsa_constants" -> "rust_primitives" + "libcrux_ml_dsa_constants" -> "fstar_int32" + "libcrux_ml_dsa_constants" -> "fstar_int32" "libcrux_ml_dsa_constants" -> "fstar_mul" "libcrux_ml_dsa_constants" -> "fstar_mul" "libcrux_ml_dsa_constants" -> "core" @@ -1290,10 +1373,10 @@ digraph { "fstar_int" -> "fstar_pervasives" "fstar_int" -> "prims" "fstar_int" -> "prims" + "libcrux_ml_dsa_matrix" -> "fstar_int32" + "libcrux_ml_dsa_matrix" -> "fstar_int32" "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_arithmetic" "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_arithmetic" - "libcrux_ml_dsa_matrix" -> "rust_primitives" - "libcrux_ml_dsa_matrix" -> "rust_primitives" "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_ntt" "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_ntt" "libcrux_ml_dsa_matrix" -> "rust_primitives_hax_monomorphized_update_at" 
@@ -1316,12 +1399,12 @@ digraph { "libcrux_ml_dsa_matrix" -> "prims" "libcrux_ml_dsa_matrix" -> "prims" "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_matrix" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" - "libcrux_ml_dsa_ml_dsa_44__neon" -> "rust_primitives" - "libcrux_ml_dsa_ml_dsa_44__neon" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_44__neon" -> "core" @@ -1431,7 +1514,6 @@ digraph { "fstar_monotonic_witnessed" -> "fstar_monotonic_witnessed" "libcrux_ml_dsa_ml_dsa_65__neon" -> "core_result" "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_types" - "libcrux_ml_dsa_ml_dsa_65__neon" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65__neon" -> "core" "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_pervasives" 
@@ -1479,17 +1561,6 @@ digraph { "fstar_tactics_effect" -> "fstar_pervasives" "fstar_tactics_effect" -> "prims" "fstar_tactics_effect" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "fstar_mul" - "libcrux_intrinsics_avx2_extract" -> "fstar_mul" - "libcrux_intrinsics_avx2_extract" -> "core" - "libcrux_intrinsics_avx2_extract" -> "core" - "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" - "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" - "libcrux_intrinsics_avx2_extract" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "libcrux_intrinsics_avx2_extract" - "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives" - "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" @@ -1524,8 +1595,8 @@ digraph { "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_avx2_arithmetic" "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_avx2_arithmetic" - "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_int32" "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" 
@@ -1550,8 +1621,6 @@ digraph { "fstar_stubs_syntax_syntax" -> "fstar_pervasives" "fstar_stubs_syntax_syntax" -> "prims" "fstar_stubs_syntax_syntax" -> "prims" - "libcrux_ml_dsa_polynomial" -> "rust_primitives" - "libcrux_ml_dsa_polynomial" -> "rust_primitives" "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" @@ -1568,8 +1637,6 @@ digraph { "core_fmt_rt" -> "fstar_pervasives" "core_fmt_rt" -> "prims" "core_fmt_rt" -> "prims" - "libcrux_ml_dsa_types" -> "rust_primitives" - "libcrux_ml_dsa_types" -> "rust_primitives" "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_types" -> "fstar_mul" @@ -1581,15 +1648,6 @@ digraph { "libcrux_ml_dsa_types" -> "prims" "libcrux_ml_dsa_types" -> "prims" "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_types" - "libcrux_sha3_portable" -> "fstar_mul" - "libcrux_sha3_portable" -> "fstar_mul" - "libcrux_sha3_portable" -> "core" - "libcrux_sha3_portable" -> "core" - "libcrux_sha3_portable" -> "fstar_pervasives" - "libcrux_sha3_portable" -> "fstar_pervasives" - "libcrux_sha3_portable" -> "prims" - "libcrux_sha3_portable" -> "prims" - "libcrux_sha3_portable" -> "libcrux_sha3_portable" "lib_bytesequence" -> "fstar_pervasives_native" "lib_bytesequence" -> "fstar_pervasives_native" "lib_bytesequence" -> "fstar_calc" 
@@ -1646,18 +1704,18 @@ digraph { "libcrux_ml_dsa_pre_hash" -> "rust_primitives_hax" "libcrux_ml_dsa_pre_hash" -> "fstar_list_tot" "libcrux_ml_dsa_pre_hash" -> "fstar_list_tot" - "libcrux_ml_dsa_pre_hash" -> "core_result" - "libcrux_ml_dsa_pre_hash" -> "core_result" - "libcrux_ml_dsa_pre_hash" -> "core_option" - "libcrux_ml_dsa_pre_hash" -> "core_option" + "libcrux_ml_dsa_pre_hash" -> "fstar_uint8" + "libcrux_ml_dsa_pre_hash" -> "fstar_uint8" "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_pre_hash" -> "core_convert" "libcrux_ml_dsa_pre_hash" -> "core_convert" - "libcrux_ml_dsa_pre_hash" -> "rust_primitives" - "libcrux_ml_dsa_pre_hash" -> "rust_primitives" "libcrux_ml_dsa_pre_hash" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_pre_hash" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_pre_hash" -> "core_result" + "libcrux_ml_dsa_pre_hash" -> "core_result" + "libcrux_ml_dsa_pre_hash" -> "core_option" + "libcrux_ml_dsa_pre_hash" -> "core_option" "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_portable" @@ -1738,8 +1796,8 @@ digraph { "libcrux_ml_dsa_simd_portable" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" - "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core" 
@@ -1748,15 +1806,6 @@ digraph { "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" - "libcrux_sha3_avx2_x4_incremental" -> "libcrux_sha3_neon_x2_incremental" - "libcrux_sha3_avx2_x4_incremental" -> "fstar_mul" - "libcrux_sha3_avx2_x4_incremental" -> "fstar_mul" - "libcrux_sha3_avx2_x4_incremental" -> "core" - "libcrux_sha3_avx2_x4_incremental" -> "core" - "libcrux_sha3_avx2_x4_incremental" -> "fstar_pervasives" - "libcrux_sha3_avx2_x4_incremental" -> "fstar_pervasives" - "libcrux_sha3_avx2_x4_incremental" -> "prims" - "libcrux_sha3_avx2_x4_incremental" -> "prims" "fstar_seq_base" -> "fstar_list_tot" "fstar_seq_base" -> "fstar_list_tot" "fstar_seq_base" -> "fstar_pervasives" @@ -1777,6 +1826,20 @@ digraph { "fstar_int8" -> "prims" "fstar_int8" -> "prims" "fstar_int8" -> "fstar_int8" + "bitvec_utils" -> "fstar_list_tot" + "bitvec_utils" -> "fstar_list_tot" + "bitvec_utils" -> "rust_primitives_bitvectors" + "bitvec_utils" -> "rust_primitives_bitvectors" + "bitvec_utils" -> "bitvec_equality" + "bitvec_utils" -> "bitvec_equality" + "bitvec_utils" -> "fstar_functionalextensionality" + "bitvec_utils" -> "fstar_functionalextensionality" + "bitvec_utils" -> "core" + "bitvec_utils" -> "core" + "bitvec_utils" -> "fstar_pervasives" + "bitvec_utils" -> "fstar_pervasives" + "bitvec_utils" -> "prims" + "bitvec_utils" -> "prims" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable_incremental" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" 
@@ -1795,15 +1858,7 @@ digraph { "core_clone" -> "fstar_pervasives" "core_clone" -> "prims" "core_clone" -> "prims" - "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_pervasives_native" - "libcrux_ml_dsa_simd_portable_ntt" -> "core_slice" - "libcrux_ml_dsa_simd_portable_ntt" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_arithmetic" - "libcrux_ml_dsa_simd_portable_ntt" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_simd_portable_ntt" -> "rust_primitives" - "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_vector_type" - "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_traits" - "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_ntt" -> "core" "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_pervasives" 
@@ -1818,27 +1873,27 @@ digraph { "fstar_bv" -> "prims" "fstar_bv" -> "prims" "libcrux_ml_dsa_polynomial" -> "core_ops_range" - "libcrux_ml_dsa_polynomial" -> "core_array_iter" - "libcrux_ml_dsa_polynomial" -> "core_iter_traits_collect" - "libcrux_ml_dsa_polynomial" -> "core_iter_traits_collect" - "libcrux_ml_dsa_polynomial" -> "core_iter_traits_iterator" - "libcrux_ml_dsa_polynomial" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_polynomial" -> "fstar_int32" + "libcrux_ml_dsa_polynomial" -> "fstar_int32" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_polynomial" -> "core_option" "libcrux_ml_dsa_polynomial" -> "core_option" "libcrux_ml_dsa_polynomial" -> "fstar_pervasives_native" "libcrux_ml_dsa_polynomial" -> "fstar_pervasives_native" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_folds" "libcrux_ml_dsa_polynomial" -> "core_slice_iter" "libcrux_ml_dsa_polynomial" -> "core_slice_iter" + "libcrux_ml_dsa_polynomial" -> "core_slice" "libcrux_ml_dsa_polynomial" -> "hax_lib" "libcrux_ml_dsa_polynomial" -> "hax_lib" - "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_polynomial" -> "core_slice" - "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_polynomial" -> "rust_primitives" - "libcrux_ml_dsa_polynomial" -> "rust_primitives" "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax" "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax" + "libcrux_ml_dsa_polynomial" -> "core_array_iter" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_collect" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_collect" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_iterator" "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" 
"libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" @@ -1852,8 +1907,6 @@ digraph { "libcrux_ml_dsa_polynomial" -> "prims" "libcrux_ml_dsa_polynomial" -> "prims" "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_polynomial" - "libcrux_ml_dsa_types" -> "rust_primitives" - "libcrux_ml_dsa_types" -> "rust_primitives" "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_types" -> "fstar_tactics_typeclasses" 
@@ -1937,28 +1990,14 @@ digraph { "core_marker" -> "fstar_pervasives" "core_marker" -> "prims" "core_marker" -> "prims" - "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_ntt" - "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t1" - "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t0" - "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_error" - "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" - "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_gamma1" - "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives_native" - "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_sample" - "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_arithmetic" - "libcrux_ml_dsa_simd_portable" -> "core_ops_range" - "libcrux_ml_dsa_simd_portable" -> "core_convert" - "libcrux_ml_dsa_simd_portable" -> "core_array" - "libcrux_ml_dsa_simd_portable" -> "core_result" - "libcrux_ml_dsa_simd_portable" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_portable" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_traits" - "libcrux_ml_dsa_simd_portable" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" "libcrux_ml_dsa_simd_portable" -> "fstar_mul" "libcrux_ml_dsa_simd_portable" -> "core" "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives" "libcrux_ml_dsa_simd_portable" -> "prims" "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_uint8" "libcrux_ml_dsa_encoding_verification_key" -> "core_convert" "libcrux_ml_dsa_encoding_verification_key" -> "core_convert" "libcrux_ml_dsa_encoding_verification_key" -> "core_array" 
@@ -1967,17 +2006,15 @@ digraph { "libcrux_ml_dsa_encoding_verification_key" -> "core_result" "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives_native" "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_verification_key" -> "core_ops_range" "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_encoding_t1" "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_encoding_t1" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_encoding_verification_key" -> "core_slice" "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_constants" - "libcrux_ml_dsa_encoding_verification_key" -> "core_ops_range" - "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives" - "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives" + "libcrux_ml_dsa_encoding_verification_key" -> "core_slice" "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax" "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax" "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" 
@@ -2123,6 +2160,16 @@ digraph { "fstar_uint8" -> "prims" "fstar_uint8" -> "prims" "fstar_uint8" -> "fstar_uint8" + "libcrux_sha3_traits" -> "fstar_tactics_typeclasses" + "libcrux_sha3_traits" -> "fstar_tactics_typeclasses" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "prims" + "libcrux_sha3_traits" -> "prims" "rust_primitives" -> "fstar_seq" "rust_primitives" -> "fstar_seq" "rust_primitives" -> "fstar_tactics_typeclasses" @@ -2147,8 +2194,6 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core_result" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core_result" - "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "rust_primitives" - "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable" 
@@ -2198,17 +2243,6 @@ digraph { "fstar_reflection_v1" -> "fstar_pervasives" "fstar_reflection_v1" -> "prims" "fstar_reflection_v1" -> "prims" - "libcrux_sha3_neon_x2_incremental" -> "core_core_arch_arm_shared_neon" - "libcrux_sha3_neon_x2_incremental" -> "libcrux_sha3_generic_keccak" - "libcrux_sha3_neon_x2_incremental" -> "libcrux_sha3_generic_keccak" - "libcrux_sha3_neon_x2_incremental" -> "fstar_mul" - "libcrux_sha3_neon_x2_incremental" -> "fstar_mul" - "libcrux_sha3_neon_x2_incremental" -> "core" - "libcrux_sha3_neon_x2_incremental" -> "core" - "libcrux_sha3_neon_x2_incremental" -> "fstar_pervasives" - "libcrux_sha3_neon_x2_incremental" -> "fstar_pervasives" - "libcrux_sha3_neon_x2_incremental" -> "prims" - "libcrux_sha3_neon_x2_incremental" -> "prims" "fstar_tactics_v2_logic" -> "fstar_pervasives_native" "fstar_tactics_v2_logic" -> "fstar_pervasives_native" "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_v2_builtins" @@ -2227,18 +2261,8 @@ digraph { "fstar_tactics_v2_logic" -> "fstar_pervasives" "fstar_tactics_v2_logic" -> "prims" "fstar_tactics_v2_logic" -> "prims" - "libcrux_sha3_avx2_x4" -> "fstar_mul" - "libcrux_sha3_avx2_x4" -> "fstar_mul" - "libcrux_sha3_avx2_x4" -> "core" - "libcrux_sha3_avx2_x4" -> "core" - "libcrux_sha3_avx2_x4" -> "fstar_pervasives" - "libcrux_sha3_avx2_x4" -> "fstar_pervasives" - "libcrux_sha3_avx2_x4" -> "prims" - "libcrux_sha3_avx2_x4" -> "prims" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" - "libcrux_ml_dsa_samplex4" -> "rust_primitives" - "libcrux_ml_dsa_samplex4" -> "rust_primitives" "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" 
@@ -2349,8 +2373,8 @@ digraph { "libcrux_ml_dsa_ntt" -> "rust_primitives_hax" "libcrux_ml_dsa_ntt" -> "fstar_list_tot" "libcrux_ml_dsa_ntt" -> "fstar_list_tot" - "libcrux_ml_dsa_ntt" -> "rust_primitives" - "libcrux_ml_dsa_ntt" -> "rust_primitives" + "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "fstar_int32" "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ntt" -> "fstar_mul" 
@@ -2415,32 +2439,20 @@ digraph { "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_neon" "libcrux_ml_dsa_ml_dsa_44_" -> "core_result" "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_constants" - "libcrux_ml_dsa_ml_dsa_44_" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_44_" -> "core" "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_44_" -> "prims" "libcrux_ml_dsa_ml_dsa_87_" -> "core_result" "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_constants" - "libcrux_ml_dsa_ml_dsa_87_" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87_" -> "core" "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_87_" -> "prims" - "libcrux_sha3_generic_keccak" -> "fstar_tactics_typeclasses" - "libcrux_sha3_generic_keccak" -> "fstar_tactics_typeclasses" - "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" - "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" - "libcrux_sha3_generic_keccak" -> "fstar_mul" - "libcrux_sha3_generic_keccak" -> "fstar_mul" - "libcrux_sha3_generic_keccak" -> "core" - "libcrux_sha3_generic_keccak" -> "core" - "libcrux_sha3_generic_keccak" -> "fstar_pervasives" - "libcrux_sha3_generic_keccak" -> "fstar_pervasives" - "libcrux_sha3_generic_keccak" -> "prims" - "libcrux_sha3_generic_keccak" -> "prims" "fstar_tactics_unseal" -> "fstar_tactics_effect" "fstar_tactics_unseal" -> "fstar_tactics_effect" "fstar_tactics_unseal" -> "fstar_sealed" 
@@ -2455,8 +2467,6 @@ digraph { "libcrux_ml_dsa_pre_hash" -> "core_slice" "libcrux_ml_dsa_pre_hash" -> "core_option" "libcrux_ml_dsa_pre_hash" -> "core_option" - "libcrux_ml_dsa_pre_hash" -> "rust_primitives" - "libcrux_ml_dsa_pre_hash" -> "rust_primitives" "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_portable" 
@@ -2493,27 +2503,27 @@ digraph { "fstar_bv" -> "fstar_bv" "fstar_pervasives_native" -> "prims" "fstar_pervasives_native" -> "prims" + "libcrux_ml_dsa_encoding_gamma1" -> "core_ops_range" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_gamma1" -> "core_iter_traits_iterator" "libcrux_ml_dsa_encoding_gamma1" -> "core_iter_traits_iterator" "libcrux_ml_dsa_encoding_gamma1" -> "core_option" "libcrux_ml_dsa_encoding_gamma1" -> "core_option" "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives_native" "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives_native" - "libcrux_ml_dsa_encoding_gamma1" -> "core_slice_iter" - "libcrux_ml_dsa_encoding_gamma1" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_gamma1" -> "core_panicking" "libcrux_ml_dsa_encoding_gamma1" -> "core_panicking" - "libcrux_ml_dsa_encoding_gamma1" -> "core_slice" - "libcrux_ml_dsa_encoding_gamma1" -> "core_ops_range" - "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives" - "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives" "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax" "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax" - "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" - "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_gamma1" -> "core_slice" + 
"libcrux_ml_dsa_encoding_gamma1" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_gamma1" -> "core_slice_iter" "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" @@ -2527,9 +2537,9 @@ digraph { "libcrux_ml_dsa_encoding_gamma1" -> "prims" "libcrux_ml_dsa_encoding_gamma1" -> "prims" "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" - "libcrux_ml_dsa_ml_dsa_87__avx2" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "core" "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_pervasives" @@ -2623,8 +2633,6 @@ digraph { "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_encoding_error" -> "rust_primitives" - "libcrux_ml_dsa_encoding_error" -> "rust_primitives" "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_error" -> "fstar_mul" @@ -2673,6 +2681,10 @@ digraph { "core_result" -> "fstar_pervasives" "core_result" -> "prims" "core_result" -> "prims" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_portable_vector_type" -> "core_ops_range" "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_tactics_typeclasses" 
@@ -2682,10 +2694,6 @@ digraph { "libcrux_ml_dsa_simd_portable_vector_type" -> "core_array" "libcrux_ml_dsa_simd_portable_vector_type" -> "core_result" "libcrux_ml_dsa_simd_portable_vector_type" -> "core_result" - "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives" - "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives" - "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_vector_type" -> "core" @@ -2697,8 +2705,8 @@ digraph { "libcrux_ml_dsa_simd_portable_vector_type" -> "libcrux_ml_dsa_simd_portable_vector_type" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" - "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core" @@ -2745,6 +2753,15 @@ digraph { "libcrux_ml_dsa_utils" -> "fstar_pervasives" "libcrux_ml_dsa_utils" -> "prims" "libcrux_ml_dsa_utils" -> "prims" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "prims" + "libcrux_sha3_traits" -> "prims" + "libcrux_sha3_traits" -> "libcrux_sha3_traits" "fstar_ghost" -> "fstar_pervasives" "fstar_ghost" -> "fstar_pervasives" "fstar_ghost" -> "prims" 
@@ -2826,46 +2843,34 @@ digraph { "fstar_all" -> "fstar_pervasives" "fstar_all" -> "prims" "fstar_all" -> "prims" - "spec_utils" -> "rust_primitives_integers" - "spec_utils" -> "rust_primitives_integers" - "spec_utils" -> "fstar_calc" - "spec_utils" -> "fstar_calc" - "spec_utils" -> "fstar_int32" - "spec_utils" -> "fstar_int32" - "spec_utils" -> "fstar_int16" - "spec_utils" -> "fstar_int16" - "spec_utils" -> "fstar_math_lemmas" - "spec_utils" -> "fstar_math_lemmas" - "spec_utils" -> "fstar_classical_sugar" - "spec_utils" -> "fstar_classical_sugar" - "spec_utils" -> "rust_primitives_hax_monomorphized_update_at" - "spec_utils" -> "rust_primitives_hax_monomorphized_update_at" - "spec_utils" -> "core_ops_range" - "spec_utils" -> "lib_inttypes" - "spec_utils" -> "lib_inttypes" - "spec_utils" -> "lib_rawinttypes" - "spec_utils" -> "lib_rawinttypes" - "spec_utils" -> "spec_sha3" - "spec_utils" -> "spec_sha3" - "spec_utils" -> "fstar_list_tot" - "spec_utils" -> "fstar_list_tot" - "spec_utils" -> "rust_primitives_hax" - "spec_utils" -> "rust_primitives_hax" - "spec_utils" -> "lib_loopcombinators" - "spec_utils" -> "lib_loopcombinators" - "spec_utils" -> "fstar_seq" - "spec_utils" -> "fstar_seq" - "spec_utils" -> "core" - "spec_utils" -> "core" - "spec_utils" -> "fstar_mul" - "spec_utils" -> "fstar_mul" - "spec_utils" -> "fstar_pervasives" - "spec_utils" -> "fstar_pervasives" - "spec_utils" -> "prims" - "spec_utils" -> "prims" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "hax_lib" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_slice" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_array_iter" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_iter_traits_collect" + 
"libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_fmt_rt" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_list_tot" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_fmt" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_panicking" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_uint64" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_ops_arith_neg" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "prims" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" "libcrux_ml_dsa_ml_dsa_65__portable" -> "core_result" "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_types" - "libcrux_ml_dsa_ml_dsa_65__portable" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65__portable" -> "core" "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_pervasives" 
@@ -2874,8 +2879,6 @@ digraph { "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives" - "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives" "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_commitment" -> "fstar_mul" @@ -2901,6 +2904,16 @@ digraph { "core_convert" -> "fstar_pervasives" "core_convert" -> "prims" "core_convert" -> "prims" + "libcrux_sha3_portable_incremental" -> "libcrux_sha3_portable" + "libcrux_sha3_portable_incremental" -> "libcrux_sha3_portable" + "libcrux_sha3_portable_incremental" -> "fstar_mul" + "libcrux_sha3_portable_incremental" -> "fstar_mul" + "libcrux_sha3_portable_incremental" -> "core" + "libcrux_sha3_portable_incremental" -> "core" + "libcrux_sha3_portable_incremental" -> "fstar_pervasives" + "libcrux_sha3_portable_incremental" -> "fstar_pervasives" + "libcrux_sha3_portable_incremental" -> "prims" + "libcrux_sha3_portable_incremental" -> "prims" "fstar_seq_properties" -> "fstar_list_tot_properties" "fstar_seq_properties" -> "fstar_list_tot_properties" "fstar_seq_properties" -> "fstar_list_tot_base" 
@@ -2917,6 +2930,10 @@ digraph { "fstar_seq_properties" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_panicking" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int16" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int16" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int8" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_convert" @@ -2928,10 +2945,12 @@ digraph { "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_ops_range" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_uint8" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_mul" 
@@ -2943,9 +2962,9 @@ digraph { "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_ml_dsa_simd_avx2_encoding_commitment" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" - "libcrux_ml_dsa_ml_dsa_87__portable" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87__portable" -> "core" "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_pervasives" @@ -2964,8 +2983,6 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" - "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" - "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_sha3_portable_incremental" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" 
@@ -3021,18 +3038,6 @@ digraph { "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" "fstar_stubs_tactics_v1_builtins" -> "prims" "fstar_stubs_tactics_v1_builtins" -> "prims" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "core" - "bitvec_equality" -> "core" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "prims" - "bitvec_equality" -> "prims" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_convert" 
@@ -3043,15 +3048,21 @@ digraph { "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_result" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int64" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int64" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_uint8" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_panicking" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_panicking" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int8" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_ops_range" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" - "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_slice" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "hax_lib" "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "hax_lib" 
@@ -3068,8 +3079,6 @@ digraph { "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core_result" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" - "libcrux_ml_dsa_ml_dsa_44__avx2" -> "rust_primitives" - "libcrux_ml_dsa_ml_dsa_44__avx2" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" @@ -3080,7 +3089,6 @@ digraph { "libcrux_ml_dsa_ml_dsa_44__avx2" -> "prims" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable_vector_type" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_ml_dsa_generic" - "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_pre_hash" 
@@ -3093,12 +3101,50 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "prims" "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "bitvec_intrinsics" -> "fstar_string" + "bitvec_intrinsics" -> "fstar_tactics_v2_derived" + "bitvec_intrinsics" -> "fstar_tactics_v2_derived" + "bitvec_intrinsics" -> "fstar_stubs_tactics_v2_builtins" + "bitvec_intrinsics" -> "fstar_int8" + "bitvec_intrinsics" -> "fstar_int8" + "bitvec_intrinsics" -> "fstar_uint8" + "bitvec_intrinsics" -> "fstar_uint8" + "bitvec_intrinsics" -> "fstar_list_tot" + "bitvec_intrinsics" -> "fstar_list_tot" + "bitvec_intrinsics" -> "fstar_tactics_v2" + "bitvec_intrinsics" -> "fstar_tactics_v2" + "bitvec_intrinsics" -> "fstar_int16" + "bitvec_intrinsics" -> "fstar_int16" + "bitvec_intrinsics" -> "fstar_tactics" + "bitvec_intrinsics" -> "fstar_tactics" + "bitvec_intrinsics" -> "fstar_seq" + "bitvec_intrinsics" -> "fstar_seq" + "bitvec_intrinsics" -> "fstar_int32" + "bitvec_intrinsics" -> "fstar_int32" + "bitvec_intrinsics" -> "tactics_utils" + "bitvec_intrinsics" -> "tactics_utils" + "bitvec_intrinsics" -> "bitvec_equality" + "bitvec_intrinsics" -> "bitvec_equality" + "bitvec_intrinsics" -> "bitvec_utils" + "bitvec_intrinsics" -> "bitvec_utils" + "bitvec_intrinsics" -> "fstar_mul" + "bitvec_intrinsics" -> "fstar_mul" + "bitvec_intrinsics" -> "rust_primitives" + "bitvec_intrinsics" -> "rust_primitives" + "bitvec_intrinsics" -> "core" + "bitvec_intrinsics" -> "core" + "bitvec_intrinsics" -> "fstar_pervasives" + "bitvec_intrinsics" -> "fstar_pervasives" + "bitvec_intrinsics" -> "prims" + "bitvec_intrinsics" -> "prims" "core_ops_arith_neg" -> "rust_primitives" "core_ops_arith_neg" -> "rust_primitives" "core_ops_arith_neg" -> "fstar_pervasives" "core_ops_arith_neg" -> "fstar_pervasives" "core_ops_arith_neg" -> "prims" "core_ops_arith_neg" -> "prims" + 
"libcrux_ml_dsa_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_arithmetic" -> "fstar_int32" "libcrux_ml_dsa_arithmetic" -> "core_slice_iter" "libcrux_ml_dsa_arithmetic" -> "core_slice_iter" "libcrux_ml_dsa_arithmetic" -> "core_iter_traits_collect" @@ -3110,8 +3156,6 @@ digraph { "libcrux_ml_dsa_arithmetic" -> "core_slice" "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives_native" "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives_native" - "libcrux_ml_dsa_arithmetic" -> "rust_primitives" - "libcrux_ml_dsa_arithmetic" -> "rust_primitives" "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax_folds" "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax" "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax" @@ -3134,11 +3178,13 @@ digraph { "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_int32" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" 
@@ -3221,7 +3267,6 @@ digraph { "fstar_tactics_v1_derived" -> "prims" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_portable_vector_type" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_ml_dsa_generic" - "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_portable" "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_pre_hash" 
@@ -3246,46 +3291,14 @@ digraph { "libcrux_ml_dsa_hash_functions_shake128" -> "prims" "libcrux_ml_dsa_hash_functions_shake128" -> "prims" "libcrux_ml_dsa_hash_functions_shake128" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" - "libcrux_ml_dsa_ml_dsa_87__neon" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87__neon" -> "core" "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_87__neon" -> "prims" "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_ml_dsa_87__neon" - "tactics_utils" -> "fstar_tactics_effect" - "tactics_utils" -> "fstar_tactics_effect" - "tactics_utils" -> "fstar_char" - "tactics_utils" -> "fstar_string" - "tactics_utils" -> "fstar_reflection_v2" - "tactics_utils" -> "fstar_reflection_v2" - "tactics_utils" -> "fstar_tactics_util" - "tactics_utils" -> "fstar_tactics_util" - "tactics_utils" -> "fstar_tactics_v1" - "tactics_utils" -> "fstar_tactics_v1" - "tactics_utils" -> "fstar_tactics" - "tactics_utils" -> "fstar_tactics" - "tactics_utils" -> "fstar_pervasives_native" - "tactics_utils" -> "fstar_pervasives_native" - "tactics_utils" -> "fstar_mul" - "tactics_utils" -> "fstar_mul" - "tactics_utils" -> "fstar_class_printable" - "tactics_utils" -> "fstar_class_printable" - "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_utils" -> "fstar_tactics_v2" - "tactics_utils" -> "fstar_tactics_v2" - "tactics_utils" -> "fstar_list_tot" - "tactics_utils" -> "fstar_list_tot" - "tactics_utils" -> "fstar_option" - "tactics_utils" -> "fstar_option" - "tactics_utils" -> "core" - "tactics_utils" -> "core" - "tactics_utils" -> "fstar_pervasives" - "tactics_utils" -> "fstar_pervasives" - "tactics_utils" -> "prims" - "tactics_utils" -> "prims" 
"fstar_tactics_typeclasses" -> "fstar_stubs_pprint" "fstar_tactics_typeclasses" -> "fstar_list_tot" "fstar_tactics_typeclasses" -> "fstar_list_tot" @@ -3321,8 +3334,8 @@ digraph { "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_list_tot" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_list_tot" - "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" 
@@ -3394,15 +3407,15 @@ digraph { "fstar_int128" -> "fstar_int128" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake256" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_uint8" "libcrux_ml_dsa_hash_functions_portable" -> "rust_primitives_hax" "libcrux_ml_dsa_hash_functions_portable" -> "rust_primitives_hax" "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives_native" "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives_native" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable_incremental" - "libcrux_ml_dsa_hash_functions_portable" -> "rust_primitives" - "libcrux_ml_dsa_hash_functions_portable" -> "rust_primitives" - "libcrux_ml_dsa_hash_functions_portable" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_hash_functions_portable" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" @@ -3441,8 +3454,6 @@ digraph { "libcrux_ml_dsa_simd_avx2" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2" -> "core_convert" "libcrux_ml_dsa_simd_avx2" -> "core_convert" - "libcrux_ml_dsa_simd_avx2" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_traits" 
@@ -3457,6 +3468,8 @@ digraph { "libcrux_ml_dsa_simd_avx2" -> "fstar_pervasives" "libcrux_ml_dsa_simd_avx2" -> "prims" "libcrux_ml_dsa_simd_avx2" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int8" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "hax_lib" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "hax_lib" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_slice" @@ -3473,10 +3486,12 @@ digraph { "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_ops_range" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_uint8" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" @@ -3516,8 +3531,6 @@ digraph { "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_encoding_t0" -> "rust_primitives" - "libcrux_ml_dsa_encoding_t0" -> "rust_primitives" "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_t0" -> "fstar_mul" 
@@ -3542,8 +3555,6 @@ digraph { "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_sample" -> "rust_primitives" - "libcrux_ml_dsa_sample" -> "rust_primitives" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" @@ -3566,6 +3577,22 @@ digraph { "fstar_vconfig" -> "fstar_pervasives" "fstar_vconfig" -> "prims" "fstar_vconfig" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "core_slice" + "libcrux_intrinsics_avx2_extract" -> "bitvec_intrinsics" + "libcrux_intrinsics_avx2_extract" -> "fstar_int32" + "libcrux_intrinsics_avx2_extract" -> "fstar_int32" + "libcrux_intrinsics_avx2_extract" -> "spec_utils" + "libcrux_intrinsics_avx2_extract" -> "spec_utils" + "libcrux_intrinsics_avx2_extract" -> "fstar_seq" + "libcrux_intrinsics_avx2_extract" -> "fstar_seq" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "prims" "fstar_seq_properties" -> "fstar_list_tot_properties" "fstar_seq_properties" -> "fstar_list_tot_properties" "fstar_seq_properties" -> "fstar_list_tot_base" 
@@ -3606,9 +3633,9 @@ digraph { "core_ops_index" -> "fstar_pervasives" "core_ops_index" -> "prims" "core_ops_index" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" - "libcrux_ml_dsa_ml_dsa_44__portable" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_44__portable" -> "core" "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_pervasives" @@ -3618,10 +3645,23 @@ digraph { "fstar_float" -> "fstar_pervasives" "fstar_float" -> "prims" "fstar_float" -> "prims" - "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable_vector_type" - "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_mul" - "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "core" - "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_pervasives" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "core" + "bitvec_equality" -> "core" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "bitvec_equality" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_pervasives" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "prims" "rust_primitives_hax_monomorphized_update_at" -> "core_ops_range" "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" 
@@ -3668,6 +3708,19 @@ digraph { "fstar_tactics_v2" -> "fstar_pervasives" "fstar_tactics_v2" -> "prims" "fstar_tactics_v2" -> "prims" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_math_lemmas" + "fstar_int32" -> "fstar_math_lemmas" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "prims" + "fstar_int32" -> "prims" + "fstar_int32" -> "fstar_int32" "fstar_reflection_v2_derived" -> "fstar_list_tot_base" "fstar_reflection_v2_derived" -> "fstar_list_tot_base" "fstar_reflection_v2_derived" -> "fstar_pervasives_native" 
@@ -3688,34 +3741,10 @@ digraph { "fstar_reflection_v2_derived" -> "fstar_pervasives" "fstar_reflection_v2_derived" -> "prims" "fstar_reflection_v2_derived" -> "prims" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_math_lemmas" - "fstar_int32" -> "fstar_math_lemmas" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "prims" - "fstar_int32" -> "prims" - "fstar_int32" -> "fstar_int32" - "libcrux_sha3_traits" -> "fstar_mul" - "libcrux_sha3_traits" -> "fstar_mul" - "libcrux_sha3_traits" -> "core" - "libcrux_sha3_traits" -> "core" - "libcrux_sha3_traits" -> "fstar_pervasives" - "libcrux_sha3_traits" -> "fstar_pervasives" - "libcrux_sha3_traits" -> "prims" - "libcrux_sha3_traits" -> "prims" - "libcrux_sha3_traits" -> "libcrux_sha3_traits" "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_encoding_t1" -> "rust_primitives" - "libcrux_ml_dsa_encoding_t1" -> "rust_primitives" "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_encoding_t1" -> "fstar_mul" @@ -3782,7 +3811,6 @@ digraph { "fstar_int_cast" -> "prims" "libcrux_ml_dsa_ml_dsa_44__neon" -> "core_result" "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_types" - "libcrux_ml_dsa_ml_dsa_44__neon" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_44__neon" -> "core" "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_pervasives" 
@@ -3818,8 +3846,8 @@ digraph { "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives" - "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_uint8" "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax" "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax" "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" 
@@ -3837,24 +3865,6 @@ digraph { "libcrux_ml_dsa_encoding_commitment" -> "prims" "libcrux_ml_dsa_encoding_commitment" -> "prims" "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_encoding_commitment" - "libcrux_intrinsics_avx2_extract" -> "core_slice" - "libcrux_intrinsics_avx2_extract" -> "rust_primitives" - "libcrux_intrinsics_avx2_extract" -> "rust_primitives" - "libcrux_intrinsics_avx2_extract" -> "bitvec_intrinsics" - "libcrux_intrinsics_avx2_extract" -> "fstar_int32" - "libcrux_intrinsics_avx2_extract" -> "fstar_int32" - "libcrux_intrinsics_avx2_extract" -> "spec_utils" - "libcrux_intrinsics_avx2_extract" -> "spec_utils" - "libcrux_intrinsics_avx2_extract" -> "fstar_seq" - "libcrux_intrinsics_avx2_extract" -> "fstar_seq" - "libcrux_intrinsics_avx2_extract" -> "fstar_mul" - "libcrux_intrinsics_avx2_extract" -> "fstar_mul" - "libcrux_intrinsics_avx2_extract" -> "core" - "libcrux_intrinsics_avx2_extract" -> "core" - "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" - "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" - "libcrux_intrinsics_avx2_extract" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "prims" "fstar_reflection_v2" -> "fstar_reflection_v2_collect" "fstar_reflection_v2" -> "fstar_reflection_v2_collect" "fstar_reflection_v2" -> "fstar_reflection_v2_compare" @@ -3877,6 +3887,8 @@ digraph { "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake256" "libcrux_ml_dsa_hash_functions_neon" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_hash_functions_neon" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_uint8" "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives_native" "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives_native" "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax_monomorphized_update_at" 
@@ -3887,8 +3899,6 @@ digraph { "libcrux_ml_dsa_hash_functions_neon" -> "fstar_list_tot" "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake128" "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake128" - "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives" - "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives" "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_sha3_neon_x2_incremental" "libcrux_ml_dsa_hash_functions_neon" -> "fstar_mul" "libcrux_ml_dsa_hash_functions_neon" -> "fstar_mul" @@ -3906,6 +3916,15 @@ digraph { "lib_rawinttypes" -> "prims" "lib_rawinttypes" -> "prims" "lib_rawinttypes" -> "lib_rawinttypes" + "libcrux_sha3_avx2_x4_incremental" -> "libcrux_sha3_neon_x2_incremental" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_mul" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_mul" + "libcrux_sha3_avx2_x4_incremental" -> "core" + "libcrux_sha3_avx2_x4_incremental" -> "core" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4_incremental" -> "prims" + "libcrux_sha3_avx2_x4_incremental" -> "prims" "fstar_tactics_namedview" -> "fstar_range" "fstar_tactics_namedview" -> "fstar_reflection_v2" "fstar_tactics_namedview" -> "fstar_reflection_v2" 
@@ -3949,18 +3968,19 @@ digraph { "libcrux_ml_dsa_matrix" -> "fstar_pervasives" "libcrux_ml_dsa_matrix" -> "prims" "libcrux_ml_dsa_matrix" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" - "libcrux_ml_dsa_ml_dsa_65__portable" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65__portable" -> "core" "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_65__portable" -> "prims" "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_ml_dsa_65__portable" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_int32" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_uint8" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable_vector_type" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_mul" @@ -3968,8 +3988,6 @@ digraph { "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_pervasives" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "prims" "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" - "libcrux_ml_dsa_arithmetic" -> "rust_primitives" - "libcrux_ml_dsa_arithmetic" -> "rust_primitives" "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_arithmetic" -> "fstar_tactics_typeclasses" 
@@ -3984,9 +4002,9 @@ digraph { "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives" "libcrux_ml_dsa_arithmetic" -> "prims" "libcrux_ml_dsa_arithmetic" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" - "libcrux_ml_dsa_ml_dsa_65__avx2" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "core" "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_pervasives" 
@@ -4036,42 +4054,6 @@ digraph { "libcrux_ml_dsa_constants" -> "prims" "libcrux_ml_dsa_constants" -> "prims" "libcrux_ml_dsa_constants" -> "libcrux_ml_dsa_constants" - "bitvec_intrinsics" -> "fstar_string" - "bitvec_intrinsics" -> "fstar_tactics_v2_derived" - "bitvec_intrinsics" -> "fstar_tactics_v2_derived" - "bitvec_intrinsics" -> "fstar_stubs_tactics_v2_builtins" - "bitvec_intrinsics" -> "fstar_int8" - "bitvec_intrinsics" -> "fstar_int8" - "bitvec_intrinsics" -> "fstar_uint8" - "bitvec_intrinsics" -> "fstar_uint8" - "bitvec_intrinsics" -> "fstar_list_tot" - "bitvec_intrinsics" -> "fstar_list_tot" - "bitvec_intrinsics" -> "fstar_tactics_v2" - "bitvec_intrinsics" -> "fstar_tactics_v2" - "bitvec_intrinsics" -> "fstar_int16" - "bitvec_intrinsics" -> "fstar_int16" - "bitvec_intrinsics" -> "fstar_tactics" - "bitvec_intrinsics" -> "fstar_tactics" - "bitvec_intrinsics" -> "fstar_seq" - "bitvec_intrinsics" -> "fstar_seq" - "bitvec_intrinsics" -> "fstar_int32" - "bitvec_intrinsics" -> "fstar_int32" - "bitvec_intrinsics" -> "tactics_utils" - "bitvec_intrinsics" -> "tactics_utils" - "bitvec_intrinsics" -> "bitvec_equality" - "bitvec_intrinsics" -> "bitvec_equality" - "bitvec_intrinsics" -> "bitvec_utils" - "bitvec_intrinsics" -> "bitvec_utils" - "bitvec_intrinsics" -> "fstar_mul" - "bitvec_intrinsics" -> "fstar_mul" - "bitvec_intrinsics" -> "rust_primitives" - "bitvec_intrinsics" -> "rust_primitives" - "bitvec_intrinsics" -> "core" - "bitvec_intrinsics" -> "core" - "bitvec_intrinsics" -> "fstar_pervasives" - "bitvec_intrinsics" -> "fstar_pervasives" - "bitvec_intrinsics" -> "prims" - "bitvec_intrinsics" -> "prims" "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" 
@@ -4125,6 +4107,8 @@ digraph { "fstar_int64" -> "prims" "fstar_int64" -> "prims" "fstar_int64" -> "fstar_int64" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_verification_key" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_verification_key" "libcrux_ml_dsa_ml_dsa_generic" -> "core_convert" "libcrux_ml_dsa_ml_dsa_generic" -> "core_convert" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signature" 
@@ -4133,30 +4117,36 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_ntt" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_ntt" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_commitment" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_commitment" - "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_sample" - "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_sample" - "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives_native" - "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives_native" - "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signing_key" - "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signing_key" - "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_verification_key" - "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_verification_key" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_arithmetic" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_arithmetic" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_matrix" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_matrix" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint16" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint16" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint8" + 
"libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint8" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_utils" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_utils" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_samplex4" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_samplex4" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signing_key" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signing_key" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_polynomial" - "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_constants" - "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_constants" "libcrux_ml_dsa_ml_dsa_generic" -> "core_slice" "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives_hax" "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives_hax" @@ -4166,8 +4156,6 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" - "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" - "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_sha3_portable_incremental" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" @@ -4188,7 +4176,6 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_ml_dsa_generic" "libcrux_ml_dsa_ml_dsa_87__neon" -> "core_result" "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_types" - "libcrux_ml_dsa_ml_dsa_87__neon" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_87__neon" -> "core" "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_pervasives" 
@@ -4209,8 +4196,6 @@ digraph { "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2_vector_type" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_ml_dsa_generic" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_ml_dsa_generic" - "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "rust_primitives" - "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2" 
@@ -4242,25 +4227,25 @@ digraph { "fstar_predicateextensionality" -> "fstar_pervasives" "fstar_predicateextensionality" -> "prims" "fstar_predicateextensionality" -> "prims" + "libcrux_ml_dsa_encoding_t1" -> "core_ops_range" + "libcrux_ml_dsa_encoding_t1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_t1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_t1" -> "core_iter_traits_iterator" "libcrux_ml_dsa_encoding_t1" -> "core_iter_traits_iterator" "libcrux_ml_dsa_encoding_t1" -> "core_option" "libcrux_ml_dsa_encoding_t1" -> "core_option" "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives_native" "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives_native" - "libcrux_ml_dsa_encoding_t1" -> "core_slice_iter" - "libcrux_ml_dsa_encoding_t1" -> "core_slice_iter" - "libcrux_ml_dsa_encoding_t1" -> "core_slice" - "libcrux_ml_dsa_encoding_t1" -> "core_ops_range" - "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax" - "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax" - "libcrux_ml_dsa_encoding_t1" -> "rust_primitives" - "libcrux_ml_dsa_encoding_t1" -> "rust_primitives" "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t1" -> "core_slice" + "libcrux_ml_dsa_encoding_t1" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_t1" -> "core_slice_iter" "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_t1" -> 
"libcrux_ml_dsa_simd_traits" 
@@ -4279,17 +4264,21 @@ digraph { "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core_ops_range" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_uint8" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "hax_lib" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "hax_lib" - "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives" - "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives" 
"libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core_slice" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives_native" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives_native" @@ -4302,9 +4291,21 @@ digraph { "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "core" + "bitvec_equality" -> "core" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "prims" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" - "libcrux_ml_dsa_ml_dsa_65_" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_65_" -> "core" "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_pervasives" 
@@ -4327,8 +4328,12 @@ digraph { "libcrux_ml_dsa_sample" -> "hax_lib" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_encoding_gamma1" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_sample" -> "fstar_uint8" + "libcrux_ml_dsa_sample" -> "fstar_uint8" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_sample" -> "rust_primitives" + "libcrux_ml_dsa_sample" -> "rust_primitives" "libcrux_ml_dsa_sample" -> "core_convert" "libcrux_ml_dsa_sample" -> "core_convert" "libcrux_ml_dsa_sample" -> "core_array" @@ -4336,6 +4341,8 @@ digraph { "libcrux_ml_dsa_sample" -> "core_result" "libcrux_ml_dsa_sample" -> "core_result" "libcrux_ml_dsa_sample" -> "core_num" + "libcrux_ml_dsa_sample" -> "fstar_uint64" + "libcrux_ml_dsa_sample" -> "fstar_uint64" "libcrux_ml_dsa_sample" -> "core_panicking" "libcrux_ml_dsa_sample" -> "core_panicking" "libcrux_ml_dsa_sample" -> "rust_primitives_hax" @@ -4354,10 +4361,12 @@ digraph { "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_sample" -> "fstar_pervasives_native" "libcrux_ml_dsa_sample" -> "fstar_pervasives_native" + "libcrux_ml_dsa_sample" -> "fstar_uint16" + "libcrux_ml_dsa_sample" -> "fstar_uint16" + "libcrux_ml_dsa_sample" -> "fstar_int32" + "libcrux_ml_dsa_sample" -> "fstar_int32" "libcrux_ml_dsa_sample" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_sample" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_sample" -> "rust_primitives" - "libcrux_ml_dsa_sample" -> "rust_primitives" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" 
@@ -4375,33 +4384,11 @@ digraph { "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_sample" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "core_result" - "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "core" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_pervasives" "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "prims" - "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" - "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" - "libcrux_sha3_generic_keccak" -> "fstar_mul" - "libcrux_sha3_generic_keccak" -> "fstar_mul" - "libcrux_sha3_generic_keccak" -> "core" - "libcrux_sha3_generic_keccak" -> "core" - "libcrux_sha3_generic_keccak" -> "fstar_pervasives" - "libcrux_sha3_generic_keccak" -> "fstar_pervasives" - "libcrux_sha3_generic_keccak" -> "prims" - "libcrux_sha3_generic_keccak" -> "prims" - "libcrux_sha3_generic_keccak" -> "libcrux_sha3_generic_keccak" - "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_simd_portable_encoding_error" -> "core_slice" - "libcrux_ml_dsa_simd_portable_encoding_error" -> "hax_lib" - "libcrux_ml_dsa_simd_portable_encoding_error" -> "core_panicking" - "libcrux_ml_dsa_simd_portable_encoding_error" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_simd_portable_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_simd_portable_encoding_error" -> "rust_primitives" - "libcrux_ml_dsa_simd_portable_encoding_error" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable_vector_type" - "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_traits" - "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_error" -> 
"libcrux_ml_dsa_simd_portable_rec_bundle_437004224" "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_encoding_error" -> "core" "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_pervasives" @@ -4450,17 +4437,7 @@ digraph { "lib_sequence" -> "prims" "lib_sequence" -> "prims" "lib_sequence" -> "lib_sequence" - "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_constants" - "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_simd_portable_encoding_t1" -> "core_slice" - "libcrux_ml_dsa_simd_portable_encoding_t1" -> "hax_lib" - "libcrux_ml_dsa_simd_portable_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_simd_portable_encoding_t1" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_simd_portable_encoding_t1" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_portable_encoding_t1" -> "rust_primitives" - "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable_vector_type" - "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_traits" - "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "core" "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_pervasives" 
@@ -4518,34 +4495,12 @@ digraph { "fstar_uint128" -> "fstar_pervasives" "fstar_uint128" -> "prims" "fstar_uint128" -> "prims" - "bitvec_utils" -> "fstar_list_tot" - "bitvec_utils" -> "fstar_list_tot" - "bitvec_utils" -> "rust_primitives_bitvectors" - "bitvec_utils" -> "rust_primitives_bitvectors" - "bitvec_utils" -> "bitvec_equality" - "bitvec_utils" -> "bitvec_equality" - "bitvec_utils" -> "fstar_functionalextensionality" - "bitvec_utils" -> "fstar_functionalextensionality" - "bitvec_utils" -> "core" - "bitvec_utils" -> "core" - "bitvec_utils" -> "fstar_pervasives" - "bitvec_utils" -> "fstar_pervasives" - "bitvec_utils" -> "prims" - "bitvec_utils" -> "prims" "fstar_tset" -> "fstar_set" "fstar_tset" -> "fstar_set" "fstar_tset" -> "fstar_pervasives" "fstar_tset" -> "fstar_pervasives" "fstar_tset" -> "prims" "fstar_tset" -> "prims" - "libcrux_sha3_neon_x2" -> "fstar_mul" - "libcrux_sha3_neon_x2" -> "fstar_mul" - "libcrux_sha3_neon_x2" -> "core" - "libcrux_sha3_neon_x2" -> "core" - "libcrux_sha3_neon_x2" -> "fstar_pervasives" - "libcrux_sha3_neon_x2" -> "fstar_pervasives" - "libcrux_sha3_neon_x2" -> "prims" - "libcrux_sha3_neon_x2" -> "prims" "fstar_list_tot" -> "fstar_list_tot_properties" "fstar_list_tot" -> "fstar_list_tot_properties" "fstar_list_tot" -> "fstar_list_tot_base" 
@@ -4572,17 +4527,7 @@ digraph { "fstar_reflection_v2_compare" -> "prims" "fstar_reflection_v2_compare" -> "prims" "fstar_reflection_v2_compare" -> "fstar_reflection_v2_compare" - "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "core_slice" - "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "hax_lib" - "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "core_panicking" - "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "rust_primitives" - "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable_vector_type" - "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" - "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "core" "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_pervasives" 
@@ -4642,6 +4587,17 @@ digraph { "fstar_tset" -> "prims" "fstar_tset" -> "prims" "fstar_tset" -> "fstar_tset" + "libcrux_sha3_neon_x2_incremental" -> "core_core_arch_arm_shared_neon" + "libcrux_sha3_neon_x2_incremental" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_neon_x2_incremental" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_neon_x2_incremental" -> "fstar_mul" + "libcrux_sha3_neon_x2_incremental" -> "fstar_mul" + "libcrux_sha3_neon_x2_incremental" -> "core" + "libcrux_sha3_neon_x2_incremental" -> "core" + "libcrux_sha3_neon_x2_incremental" -> "fstar_pervasives" + "libcrux_sha3_neon_x2_incremental" -> "fstar_pervasives" + "libcrux_sha3_neon_x2_incremental" -> "prims" + "libcrux_sha3_neon_x2_incremental" -> "prims" "fstar_tactics_visit" -> "fstar_pervasives_native" "fstar_tactics_visit" -> "fstar_pervasives_native" "fstar_tactics_visit" -> "fstar_tactics_util" 
@@ -4691,33 +4647,33 @@ digraph { "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" "fstar_reflection_v2_derived_lemmas" -> "prims" "fstar_reflection_v2_derived_lemmas" -> "prims" + "libcrux_ml_dsa_encoding_error" -> "core_ops_range" + "libcrux_ml_dsa_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_error" -> "fstar_uint8" "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_ntt" "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_ntt" "libcrux_ml_dsa_encoding_error" -> "core_iter_adapters_enumerate" "libcrux_ml_dsa_encoding_error" -> "core_iter_adapters_enumerate" "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_collect" "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_iterator" "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_iterator" "libcrux_ml_dsa_encoding_error" -> "core_option" "libcrux_ml_dsa_encoding_error" -> "core_option" "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives_native" "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives_native" - "libcrux_ml_dsa_encoding_error" -> "core_slice_iter" - "libcrux_ml_dsa_encoding_error" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_error" -> "core_panicking" "libcrux_ml_dsa_encoding_error" -> "core_panicking" - "libcrux_ml_dsa_encoding_error" -> "core_slice" - "libcrux_ml_dsa_encoding_error" -> "core_ops_range" - "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_folds" - 
"libcrux_ml_dsa_encoding_error" -> "rust_primitives" - "libcrux_ml_dsa_encoding_error" -> "rust_primitives" "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax" "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax" - "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" - "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_error" -> "core_slice" + "libcrux_ml_dsa_encoding_error" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_error" -> "core_slice_iter" "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" @@ -4756,8 +4712,6 @@ digraph { "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives" "libcrux_ml_dsa_encoding_signature" -> "prims" "libcrux_ml_dsa_encoding_signature" -> "prims" - "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives" - "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives" "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" "libcrux_ml_dsa_encoding_verification_key" -> "fstar_tactics_typeclasses" 
@@ -4772,19 +4726,8 @@ digraph { "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives" "libcrux_ml_dsa_encoding_verification_key" -> "prims" "libcrux_ml_dsa_encoding_verification_key" -> "prims" - "libcrux_sha3_portable" -> "libcrux_sha3_generic_keccak" - "libcrux_sha3_portable" -> "libcrux_sha3_generic_keccak" - "libcrux_sha3_portable" -> "fstar_mul" - "libcrux_sha3_portable" -> "fstar_mul" - "libcrux_sha3_portable" -> "core" - "libcrux_sha3_portable" -> "core" - "libcrux_sha3_portable" -> "fstar_pervasives" - "libcrux_sha3_portable" -> "fstar_pervasives" - "libcrux_sha3_portable" -> "prims" - "libcrux_sha3_portable" -> "prims" "libcrux_ml_dsa_ml_dsa_44__portable" -> "core_result" "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_types" - "libcrux_ml_dsa_ml_dsa_44__portable" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_44__portable" -> "core" "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_pervasives" 
@@ -4808,16 +4751,24 @@ digraph { "fstar_reflection_v2_compare" -> "fstar_pervasives" "fstar_reflection_v2_compare" -> "prims" "fstar_reflection_v2_compare" -> "prims" + "libcrux_sha3_neon_x2" -> "fstar_mul" + "libcrux_sha3_neon_x2" -> "fstar_mul" + "libcrux_sha3_neon_x2" -> "core" + "libcrux_sha3_neon_x2" -> "core" + "libcrux_sha3_neon_x2" -> "fstar_pervasives" + "libcrux_sha3_neon_x2" -> "fstar_pervasives" + "libcrux_sha3_neon_x2" -> "prims" + "libcrux_sha3_neon_x2" -> "prims" "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" "fstar_tactics_v1_logic_lemmas" -> "prims" "fstar_tactics_v1_logic_lemmas" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_int32" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" - "libcrux_ml_dsa_ml_dsa_44__avx2" -> "rust_primitives" - "libcrux_ml_dsa_ml_dsa_44__avx2" -> "rust_primitives" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" 
@@ -4842,25 +4793,39 @@ digraph { "core_array_iter" -> "fstar_pervasives" "core_array_iter" -> "prims" "core_array_iter" -> "prims" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives_hax_monomorphized_update_at" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_slice" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives_hax_folds" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_tactics_typeclasses" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_array_iter" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_iter_traits_collect" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_iter_traits_iterator" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable_vector_type" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_constants" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_pervasives_native" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_fmt_rt" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_list_tot" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_fmt" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_panicking" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives_hax" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "core_ops_arith_neg" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_traits" - "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable" + "tactics_utils" -> "fstar_tactics_effect" + "tactics_utils" -> "fstar_tactics_effect" + "tactics_utils" -> "fstar_char" + "tactics_utils" -> "fstar_string" + "tactics_utils" -> "fstar_reflection_v2" + "tactics_utils" -> "fstar_reflection_v2" + "tactics_utils" -> "fstar_tactics_util" + "tactics_utils" -> "fstar_tactics_util" + "tactics_utils" -> "fstar_tactics_v1" + "tactics_utils" -> "fstar_tactics_v1" + "tactics_utils" -> "fstar_tactics" + "tactics_utils" -> "fstar_tactics" + "tactics_utils" -> 
"fstar_pervasives_native" + "tactics_utils" -> "fstar_pervasives_native" + "tactics_utils" -> "fstar_mul" + "tactics_utils" -> "fstar_mul" + "tactics_utils" -> "fstar_class_printable" + "tactics_utils" -> "fstar_class_printable" + "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_utils" -> "fstar_tactics_v2" + "tactics_utils" -> "fstar_tactics_v2" + "tactics_utils" -> "fstar_list_tot" + "tactics_utils" -> "fstar_list_tot" + "tactics_utils" -> "fstar_option" + "tactics_utils" -> "fstar_option" + "tactics_utils" -> "core" + "tactics_utils" -> "core" + "tactics_utils" -> "fstar_pervasives" + "tactics_utils" -> "fstar_pervasives" + "tactics_utils" -> "prims" + "tactics_utils" -> "prims" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_mul" "libcrux_ml_dsa_simd_portable_arithmetic" -> "core" "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_pervasives" @@ -4894,16 +4859,6 @@ digraph { "fstar_tactics_v2_logic" -> "prims" "fstar_tactics_v2_logic" -> "prims" "fstar_tactics_v2_logic" -> "fstar_tactics_v2_logic" - "libcrux_sha3_traits" -> "fstar_tactics_typeclasses" - "libcrux_sha3_traits" -> "fstar_tactics_typeclasses" - "libcrux_sha3_traits" -> "fstar_mul" - "libcrux_sha3_traits" -> "fstar_mul" - "libcrux_sha3_traits" -> "core" - "libcrux_sha3_traits" -> "core" - "libcrux_sha3_traits" -> "fstar_pervasives" - "libcrux_sha3_traits" -> "fstar_pervasives" - "libcrux_sha3_traits" -> "prims" - "libcrux_sha3_traits" -> "prims" "core_iter" -> "rust_primitives_arrays" "core_iter" -> "rust_primitives_arrays" "core_iter" -> "core_ops_range" From 5151722990239044a215c85e119eaa6cb2664c60 Mon Sep 17 00:00:00 2001 
From: Karthikeyan Bhargavan Date: Tue, 22 Oct 2024 19:50:30 +0200 Subject: [PATCH 09/74] progress up to Libcrux_sha3.Traits.fsti --- Cargo.lock | 152 +++++++++--------- .../extraction/Libcrux_ml_dsa.Arithmetic.fst | 6 +- .../Libcrux_ml_dsa.Hash_functions.Neon.fsti | 24 +-- ...ibcrux_ml_dsa.Hash_functions.Portable.fsti | 24 +-- ...ibcrux_ml_dsa.Hash_functions.Shake128.fsti | 4 +- ...ibcrux_ml_dsa.Hash_functions.Shake256.fsti | 72 ++++----- ...Libcrux_ml_dsa.Hash_functions.Simd256.fsti | 24 +-- .../extraction/Libcrux_ml_dsa.Sample.fst | 10 +- libcrux-ml-dsa/src/arithmetic.rs | 2 +- libcrux-ml-dsa/src/hash_functions.rs | 50 +++--- libcrux-ml-dsa/src/sample.rs | 10 +- libcrux-ml-dsa/src/simd.rs | 4 +- sys/pqclean/src/bindings.rs | 2 +- 13 files changed, 191 insertions(+), 193 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e0178e2ec..863b1451e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -84,9 +84,9 @@ checksum = "7d5a26814d8dcb93b0e5a0ff3c6d80a8843bafb21b39e8e18a6f05471870e110" [[package]] name = "autocfg" -version = "1.3.0" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" +checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" [[package]] name = "base16ct" @@ -126,9 +126,9 @@ dependencies = [ [[package]] name = "bindgen" -version = "0.69.4" +version = "0.69.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a00dc851838a2120612785d195287475a3ac45514741da670b735818822129a0" +checksum = "271383c67ccabffb7381723dea0672a673f292304fcb45c01cc648c7a8d58088" dependencies = [ "bitflags", "cexpr", @@ -143,7 +143,7 @@ dependencies = [ "regex", "rustc-hash", "shlex", - "syn 2.0.77", + "syn 2.0.82", "which", ] 
@@ -191,9 +191,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.1.21" +version = "1.1.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07b1695e2c7e8fc85310cde85aeaab7e3097f593c91d209d3f9df76c928100f0" +checksum = "c2e7962b54006dcfcc61cb72735f4d89bb97061dd6a7ed882ec6b8ee53714c6f" dependencies = [ "jobserver", "libc", @@ -290,9 +290,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.18" +version = "4.5.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b0956a43b323ac1afaffc053ed5c4b7c1f1800bacd1683c353aabbb752515dd3" +checksum = "b97f376d85a664d5837dbae44bf546e6477a679ff6610010f17276f686d867e8" dependencies = [ "clap_builder", "clap_derive", @@ -300,9 +300,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.18" +version = "4.5.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4d72166dd41634086d5803a47eb71ae740e61d84709c36f3c34110173db3961b" +checksum = "19bc80abd44e4bed93ca373a0704ccbd1b710dc5749406201bb018272808dc54" dependencies = [ "anstream", "anstyle", @@ -319,7 +319,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.82", ] [[package]] @@ -483,7 +483,7 @@ checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.82", ] [[package]] @@ -701,8 +701,8 @@ dependencies = [ [[package]] name = "hax-lib" -version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/?branch=main#c2093b4963099522c65f5cd42b96d6433afb0617" +version = "0.1.0-alpha.1" +source = "git+https://github.com/hacspec/hax/?branch=main#24979addf0edca995599fddff6c5cf2720873506" dependencies = [ "hax-lib-macros", "num-bigint", 
@@ -711,21 +711,21 @@ dependencies = [ [[package]] name = "hax-lib-macros" -version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/?branch=main#c2093b4963099522c65f5cd42b96d6433afb0617" +version = "0.1.0-alpha.1" +source = "git+https://github.com/hacspec/hax/?branch=main#24979addf0edca995599fddff6c5cf2720873506" dependencies = [ "hax-lib-macros-types", "paste", "proc-macro-error", "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.82", ] [[package]] name = "hax-lib-macros-types" -version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/?branch=main#c2093b4963099522c65f5cd42b96d6433afb0617" +version = "0.1.0-alpha.1" +source = "git+https://github.com/hacspec/hax/?branch=main#24979addf0edca995599fddff6c5cf2720873506" dependencies = [ "proc-macro2", "quote", @@ -849,9 +849,9 @@ dependencies = [ [[package]] name = "js-sys" -version = "0.3.70" +version = "0.3.72" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1868808506b929d7b0cfa8f75951347aa71bb21144b7791bae35d9bccfcfe37a" +checksum = "6a88f1bda2bd75b0452a14784937d796722fdebfe50df998aeb3f0b7603019a9" dependencies = [ "wasm-bindgen", ] @@ -889,9 +889,9 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.158" +version = "0.2.161" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8adc4bb1803a324070e64a98ae98f38934d91957a99cfb3a43dcbc01bc56439" +checksum = "8e9489c2807c139ffd9c1794f4af0ebe86a828db53ecdc7fea2111d0fed085d1" [[package]] name = "libcrux" @@ -1166,9 +1166,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.19.0" +version = "1.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" +checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775" [[package]] name = "oorandom" 
@@ -1184,9 +1184,9 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" [[package]] name = "openssl" -version = "0.10.66" +version = "0.10.68" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9529f4786b70a3e8c61e11179af17ab6188ad8d0ded78c5529441ed39d4bd9c1" +checksum = "6174bc48f102d208783c2c84bf931bb75927a617866870de8a4ea85597f871f5" dependencies = [ "bitflags", "cfg-if", @@ -1205,14 +1205,14 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.82", ] [[package]] name = "openssl-sys" -version = "0.9.103" +version = "0.9.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f9e8deee91df40a943c71b917e5874b951d32a802526c85721ce3b776c929d6" +checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741" dependencies = [ "cc", "libc", @@ -1367,12 +1367,12 @@ dependencies = [ [[package]] name = "prettyplease" -version = "0.2.22" +version = "0.2.24" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "479cf940fbbb3426c32c5d5176f62ad57549a0bb84773423ba8be9d089f5faba" +checksum = "910d41a655dac3b764f1ade94821093d3610248694320cd072303a8eedcf221d" dependencies = [ "proc-macro2", - "syn 2.0.77", + "syn 2.0.82", ] [[package]] @@ -1410,9 +1410,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.86" +version = "1.0.88" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77" +checksum = "7c3a7fc5db1e57d5a779a352c8cdb57b29aa4c40cc69c3a68a7fedc815fbf2f9" dependencies = [ "unicode-ident", ] 
@@ -1500,9 +1500,9 @@ dependencies = [ [[package]] name = "regex" -version = "1.10.6" +version = "1.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4219d74c6b67a3654a9fbebc4b419e22126d13d2f3c4a07ee0cb61ff79a79619" +checksum = "38200e5ee88914975b69f657f0801b6f6dccafd44fd9326302a4aaeecfacb1d8" dependencies = [ "aho-corasick", "memchr", @@ -1512,9 +1512,9 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.4.7" +version = "0.4.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38caf58cc5ef2fed281f89292ef23f6365465ed9a41b7a7754eb4e26496c92df" +checksum = "368758f23274712b504848e9d5a6f010445cc8b87a7cdb4d7cbee666c1288da3" dependencies = [ "aho-corasick", "memchr", @@ -1523,9 +1523,9 @@ dependencies = [ [[package]] name = "regex-syntax" -version = "0.8.4" +version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a66a03ae7c801facd77a29370b4faec201768915ac14a721ba36f20bc9c209b" +checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c" [[package]] name = "rfc6979" 
@@ -1623,29 +1623,29 @@ checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b" [[package]] name = "serde" -version = "1.0.210" +version = "1.0.211" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a" +checksum = "1ac55e59090389fb9f0dd9e0f3c09615afed1d19094284d0b200441f13550793" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.210" +version = "1.0.211" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f" +checksum = "54be4f245ce16bc58d57ef2716271d0d4519e0f6defa147f6e081005bcb278ff" dependencies = [ "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.82", ] [[package]] name = "serde_json" -version = "1.0.128" +version = "1.0.132" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ff5456707a1de34e7e37f2a6fd3d3f808c318259cbd01ab6377795054b483d8" +checksum = "d726bfaff4b320266d395898905d0eba0345aae23b54aee3a737e260fd46db03" dependencies = [ "itoa", "memchr", @@ -1737,9 +1737,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.77" +version = "2.0.82" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f35bcdf61fd8e7be6caf75f429fdca8beb3ed76584befb503b1569faee373ed" +checksum = "83540f837a8afc019423a8edb95b52a8effe46957ee402287f4292fae35be021" dependencies = [ "proc-macro2", "quote", @@ -1801,9 +1801,9 @@ checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" [[package]] name = "uuid" -version = "1.10.0" +version = "1.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "81dfa00651efa65069b0b6b651f4aaa31ba9e3c3ce0137aaad053604ee7e0314" +checksum = "f8c5f0a0af699448548ad1a2fbf920fb4bee257eae39953ba95cb84891a0446a" dependencies = [ "getrandom", ] 
@@ -1838,9 +1838,9 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" [[package]] name = "wasm-bindgen" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a82edfc16a6c469f5f44dc7b571814045d60404b55a0ee849f9bcfa2e63dd9b5" +checksum = "128d1e363af62632b8eb57219c8fd7877144af57558fb2ef0368d0087bddeb2e" dependencies = [ "cfg-if", "once_cell", @@ -1849,24 +1849,24 @@ dependencies = [ [[package]] name = "wasm-bindgen-backend" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9de396da306523044d3302746f1208fa71d7532227f15e347e2d93e4145dd77b" +checksum = "cb6dd4d3ca0ddffd1dd1c9c04f94b868c37ff5fac97c30b97cff2d74fce3a358" dependencies = [ "bumpalo", "log", "once_cell", "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.82", "wasm-bindgen-shared", ] [[package]] name = "wasm-bindgen-futures" -version = "0.4.43" +version = "0.4.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "61e9300f63a621e96ed275155c108eb6f843b6a26d053f122ab69724559dc8ed" +checksum = "cc7ec4f8827a71586374db3e87abdb5a2bb3a15afed140221307c3ec06b1f63b" dependencies = [ "cfg-if", "js-sys", @@ -1876,9 +1876,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "585c4c91a46b072c92e908d99cb1dcdf95c5218eeb6f3bf1efa991ee7a68cccf" +checksum = "e79384be7f8f5a9dd5d7167216f022090cf1f9ec128e6e6a482a2cb5c5422c56" dependencies = [ "quote", "wasm-bindgen-macro-support", 
@@ -1886,28 +1886,28 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "afc340c74d9005395cf9dd098506f7f44e38f2b4a21c6aaacf9a105ea5e1e836" +checksum = "26c6ab57572f7a24a4985830b120de1594465e5d500f24afe89e16b4e833ef68" dependencies = [ "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.82", "wasm-bindgen-backend", "wasm-bindgen-shared", ] [[package]] name = "wasm-bindgen-shared" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c62a0a307cb4a311d3a07867860911ca130c3494e8c2719593806c08bc5d0484" +checksum = "65fc09f10666a9f147042251e0dda9c18f166ff7de300607007e96bdebc1068d" [[package]] name = "wasm-bindgen-test" -version = "0.3.43" +version = "0.3.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "68497a05fb21143a08a7d24fc81763384a3072ee43c44e86aad1744d6adef9d9" +checksum = "d381749acb0943d357dcbd8f0b100640679883fcdeeef04def49daf8d33a5426" dependencies = [ "console_error_panic_hook", "js-sys", @@ -1920,20 +1920,20 @@ dependencies = [ [[package]] name = "wasm-bindgen-test-macro" -version = "0.3.43" +version = "0.3.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4b8220be1fa9e4c889b30fd207d4906657e7e90b12e0e6b0c8b8d8709f5de021" +checksum = "c97b2ef2c8d627381e51c071c2ab328eac606d3f69dd82bcbca20a9e389d95f0" dependencies = [ "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.82", ] [[package]] name = "web-sys" -version = "0.3.70" +version = "0.3.72" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26fdeaafd9bd129f65e7c031593c24d62186301e0c72c8978fa1678be7d532c0" +checksum = "f6488b90108c040df0fe62fa815cbdee25124641df01814dd7282749234c6112" dependencies = [ "js-sys", "wasm-bindgen", 
@@ -2084,7 +2084,7 @@ checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.82", ] [[package]] @@ -2104,5 +2104,5 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.82", ] diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst index 4899b5510..787aefa44 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst @@ -441,12 +441,10 @@ let vector_infinity_norm_exceeds let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = ring_element in - exceeds |. + exceeds || (Libcrux_ml_dsa.Polynomial.impl__infinity_norm_exceeds #v_SIMDUnit ring_element bound <: - bool) - <: - bool) + bool)) in exceeds diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti index 6f4f9d9f4..2b1e2d69a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti @@ -211,11 +211,11 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = { - f_init_absorb_pre + f_init_absorb_x4_pre = (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true ); - f_init_absorb_post + f_init_absorb_x4_post = (fun (input0: t_Slice u8) 
@@ -225,7 +225,7 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = (out: t_Shake256x4) -> true); - f_init_absorb + f_init_absorb_x4 = (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = @@ -258,8 +258,8 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) in { f_state = state } <: t_Shake256x4); - f_squeeze_first_block_pre = (fun (self: t_Shake256x4) -> true); - f_squeeze_first_block_post + f_squeeze_first_block_x4_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_first_block_x4_post = (fun (self: t_Shake256x4) @@ -269,7 +269,7 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = ) -> true); - f_squeeze_first_block + f_squeeze_first_block_x4 = (fun (self: t_Shake256x4) -> let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in @@ -328,8 +328,8 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = <: (t_Shake256x4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); - f_squeeze_next_block_pre = (fun (self: t_Shake256x4) -> true); - f_squeeze_next_block_post + f_squeeze_next_block_x4_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_next_block_x4_post = (fun (self: t_Shake256x4) @@ -339,7 +339,7 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = ) -> true); - f_squeeze_next_block + f_squeeze_next_block_x4 = (fun (self: t_Shake256x4) -> let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in @@ -398,7 +398,7 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = <: (t_Shake256x4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); - f_shake256_pre + f_shake256_x4_pre = (fun (v_OUT_LEN: usize) 
@@ -412,7 +412,7 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = (out3: t_Array u8 v_OUT_LEN) -> true); - f_shake256_post + f_shake256_x4_post = (fun (v_OUT_LEN: usize) @@ -429,7 +429,7 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = )) -> true); - f_shake256 + f_shake256_x4 = fun (v_OUT_LEN: usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti index 55811609f..30b65ad6d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti @@ -262,11 +262,11 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = { - f_init_absorb_pre + f_init_absorb_x4_pre = (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true ); - f_init_absorb_post + f_init_absorb_x4_post = (fun (input0: t_Slice u8) @@ -276,7 +276,7 @@ let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = (out: t_Shake256X4) -> true); - f_init_absorb + f_init_absorb_x4 = (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> let state0:Libcrux_sha3.Portable.t_KeccakState = @@ -306,8 +306,8 @@ let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = { f_state0 = state0; f_state1 = state1; f_state2 = state2; f_state3 = state3 } <: t_Shake256X4); - f_squeeze_first_block_pre = (fun (self: t_Shake256X4) -> true); - f_squeeze_first_block_post + f_squeeze_first_block_x4_pre = (fun (self: t_Shake256X4) -> true); + f_squeeze_first_block_x4_post = (fun (self: t_Shake256X4) 
@@ -317,7 +317,7 @@ let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = ) -> true); - f_squeeze_first_block + f_squeeze_first_block_x4 = (fun (self: t_Shake256X4) -> let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in @@ -358,8 +358,8 @@ let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = <: (t_Shake256X4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); - f_squeeze_next_block_pre = (fun (self: t_Shake256X4) -> true); - f_squeeze_next_block_post + f_squeeze_next_block_x4_pre = (fun (self: t_Shake256X4) -> true); + f_squeeze_next_block_x4_post = (fun (self: t_Shake256X4) @@ -369,7 +369,7 @@ let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = ) -> true); - f_squeeze_next_block + f_squeeze_next_block_x4 = (fun (self: t_Shake256X4) -> let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in @@ -410,7 +410,7 @@ let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = <: (t_Shake256X4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); - f_shake256_pre + f_shake256_x4_pre = (fun (v_OUT_LEN: usize) @@ -424,7 +424,7 @@ let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = (out3: t_Array u8 v_OUT_LEN) -> true); - f_shake256_post + f_shake256_x4_post = (fun (v_OUT_LEN: usize) @@ -441,7 +441,7 @@ let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = )) -> true); - f_shake256 + f_shake256_x4 = fun (v_OUT_LEN: usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti index d5bc80a18..aa229c844 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti 
@@ -67,6 +67,6 @@ class t_XofX4 (v_Self: Type0) = { (fun result -> f_squeeze_next_block_post x0 result) } -let v_BLOCK_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_BLOCK_SIZE: usize = sz 168 -let v_FIVE_BLOCKS_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_FIVE_BLOCKS_SIZE: usize = v_BLOCK_SIZE *! sz 5 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti index 6ad902487..bd150aa95 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti 
@@ -34,7 +34,37 @@ class t_Xof (v_Self: Type0) = { } class t_XofX4 (v_Self: Type0) = { - f_shake256_pre: + f_init_absorb_x4_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; + f_init_absorb_x4_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0; + f_init_absorb_x4:x0: t_Slice u8 -> x1: t_Slice u8 -> x2: t_Slice u8 -> x3: t_Slice u8 + -> Prims.Pure v_Self + (f_init_absorb_x4_pre x0 x1 x2 x3) + (fun result -> f_init_absorb_x4_post x0 x1 x2 x3 result); + f_squeeze_first_block_x4_pre:v_Self -> Type0; + f_squeeze_first_block_x4_post: + v_Self -> + (v_Self & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + -> Type0; + f_squeeze_first_block_x4:x0: v_Self + -> Prims.Pure + (v_Self & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + (f_squeeze_first_block_x4_pre x0) + (fun result -> f_squeeze_first_block_x4_post x0 result); + f_squeeze_next_block_x4_pre:v_Self -> Type0; + f_squeeze_next_block_x4_post: + v_Self -> + (v_Self & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + -> Type0; + f_squeeze_next_block_x4:x0: v_Self + -> Prims.Pure + (v_Self & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + (f_squeeze_next_block_x4_pre x0) + (fun result -> f_squeeze_next_block_x4_post x0 result); + f_shake256_x4_pre: v_OUT_LEN: usize -> t_Slice u8 -> t_Slice u8 -> @@ -45,7 +75,7 @@ class t_XofX4 (v_Self: Type0) = { t_Array u8 v_OUT_LEN -> t_Array u8 v_OUT_LEN -> Type0; - f_shake256_post: + f_shake256_x4_post: v_OUT_LEN: usize -> t_Slice u8 -> t_Slice u8 -> @@ -57,7 +87,7 @@ class t_XofX4 (v_Self: Type0) = { t_Array u8 v_OUT_LEN -> (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) -> Type0; - f_shake256: + f_shake256_x4: v_OUT_LEN: usize -> x0: t_Slice u8 -> x1: t_Slice u8 -> 
@@ -69,38 +99,8 @@ class t_XofX4 (v_Self: Type0) = { x7: t_Array u8 v_OUT_LEN -> Prims.Pure (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) - (f_shake256_pre v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7) - (fun result -> f_shake256_post v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7 result); - f_init_absorb_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; - f_init_absorb_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0; - f_init_absorb:x0: t_Slice u8 -> x1: t_Slice u8 -> x2: t_Slice u8 -> x3: t_Slice u8 - -> Prims.Pure v_Self - (f_init_absorb_pre x0 x1 x2 x3) - (fun result -> f_init_absorb_post x0 x1 x2 x3 result); - f_squeeze_first_block_pre:v_Self -> Type0; - f_squeeze_first_block_post: - v_Self -> - (v_Self & - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) - -> Type0; - f_squeeze_first_block:x0: v_Self - -> Prims.Pure - (v_Self & - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) - (f_squeeze_first_block_pre x0) - (fun result -> f_squeeze_first_block_post x0 result); - f_squeeze_next_block_pre:v_Self -> Type0; - f_squeeze_next_block_post: - v_Self -> - (v_Self & - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) - -> Type0; - f_squeeze_next_block:x0: v_Self - -> Prims.Pure - (v_Self & - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) - (f_squeeze_next_block_pre x0) - (fun result -> f_squeeze_next_block_post x0 result) + (f_shake256_x4_pre v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7) + (fun result -> f_shake256_x4_post v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7 result) } -let v_BLOCK_SIZE: usize = Rust_primitives.Hax.dropped_body +let v_BLOCK_SIZE: usize = sz 136 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti index 4d39cccaa..39904caa5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti @@ -210,11 +210,11 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = { - f_init_absorb_pre + f_init_absorb_x4_pre = (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true ); - f_init_absorb_post + f_init_absorb_x4_post = (fun (input0: t_Slice u8) @@ -224,7 +224,7 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = (out: t_Shake256x4) -> true); - f_init_absorb + f_init_absorb_x4 = (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState = @@ -234,8 +234,8 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = Libcrux_sha3.Avx2.X4.Incremental.shake256_absorb_final state input0 input1 input2 input3 in { f_state = state } <: t_Shake256x4); - f_squeeze_first_block_pre = (fun (self: t_Shake256x4) -> true); - f_squeeze_first_block_post + f_squeeze_first_block_x4_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_first_block_x4_post = (fun (self: t_Shake256x4) @@ -245,7 +245,7 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = ) -> true); - f_squeeze_first_block + f_squeeze_first_block_x4 = (fun (self: t_Shake256x4) -> let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in 
@@ -279,8 +279,8 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = <: (t_Shake256x4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); - f_squeeze_next_block_pre = (fun (self: t_Shake256x4) -> true); - f_squeeze_next_block_post + f_squeeze_next_block_x4_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_next_block_x4_post = (fun (self: t_Shake256x4) @@ -290,7 +290,7 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = ) -> true); - f_squeeze_next_block + f_squeeze_next_block_x4 = (fun (self: t_Shake256x4) -> let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in @@ -324,7 +324,7 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = <: (t_Shake256x4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); - f_shake256_pre + f_shake256_x4_pre = (fun (v_OUT_LEN: usize) @@ -338,7 +338,7 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = (out3: t_Array u8 v_OUT_LEN) -> true); - f_shake256_post + f_shake256_x4_post = (fun (v_OUT_LEN: usize) @@ -355,7 +355,7 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = )) -> true); - f_shake256 + f_shake256_x4 = fun (v_OUT_LEN: usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst index bd75bc9c7..f2d7ff6c7 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst @@ -422,7 +422,7 @@ let sample_four_error_ring_elements (cast (domain_separator3 >>! 8l <: u16) <: u8) in let state:v_Shake256 = - Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb #v_Shake256 + Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb_x4 #v_Shake256 #FStar.Tactics.Typeclasses.solve (seed0 <: t_Slice u8) (seed1 <: t_Slice u8) 
@@ -431,7 +431,7 @@ let sample_four_error_ring_elements in let tmp0, out4:(v_Shake256 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block #v_Shake256 + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block_x4 #v_Shake256 #FStar.Tactics.Typeclasses.solve state in @@ -555,7 +555,7 @@ let sample_four_error_ring_elements let tmp0, out4:(v_Shake256 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block #v_Shake256 + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block_x4 #v_Shake256 #FStar.Tactics.Typeclasses.solve state in @@ -1128,7 +1128,7 @@ let sample_mask_vector let out3:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in let tmp0, tmp1, tmp2, tmp3:(t_Array u8 (sz 576) & t_Array u8 (sz 576) & t_Array u8 (sz 576) & t_Array u8 (sz 576)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256X4 + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256_x4 #v_Shake256X4 #FStar.Tactics.Typeclasses.solve (sz 576) (seed0 <: t_Slice u8) (seed1 <: t_Slice u8) (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) out0 out1 out2 out3 in @@ -1181,7 +1181,7 @@ let sample_mask_vector let out3:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in let tmp0, tmp1, tmp2, tmp3:(t_Array u8 (sz 640) & t_Array u8 (sz 640) & t_Array u8 (sz 640) & t_Array u8 (sz 640)) = - Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256X4 + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256_x4 #v_Shake256X4 #FStar.Tactics.Typeclasses.solve (sz 640) (seed0 <: t_Slice u8) (seed1 <: t_Slice u8) (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) out0 out1 out2 out3 in diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index 7030bef96..25db431db 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs 
@@ -14,7 +14,7 @@ pub(crate) fn vector_infinity_norm_exceeds( - input0: &[u8], - input1: &[u8], - input2: &[u8], - input3: &[u8], - out0: &mut [u8; OUT_LEN], - out1: &mut [u8; OUT_LEN], - out2: &mut [u8; OUT_LEN], - out3: &mut [u8; OUT_LEN], - ); - fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self; - fn squeeze_first_block( + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self; + fn squeeze_first_block_x4( &mut self, ) -> ( [u8; BLOCK_SIZE], @@ -32,7 +22,7 @@ pub(crate) mod shake256 { [u8; BLOCK_SIZE], [u8; BLOCK_SIZE], ); - fn squeeze_next_block( + fn squeeze_next_block_x4( &mut self, ) -> ( [u8; BLOCK_SIZE], @@ -40,6 +30,16 @@ pub(crate) mod shake256 { [u8; BLOCK_SIZE], [u8; BLOCK_SIZE], ); + fn shake256_x4( + input0: &[u8], + input1: &[u8], + input2: &[u8], + input3: &[u8], + out0: &mut [u8; OUT_LEN], + out1: &mut [u8; OUT_LEN], + out2: &mut [u8; OUT_LEN], + out3: &mut [u8; OUT_LEN], + ); } } @@ -202,7 +202,7 @@ pub(crate) mod portable { } impl shake256::XofX4 for Shake256X4 { - fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { let mut state0 = incremental::shake256_init(); incremental::shake256_absorb_final(&mut state0, input0); @@ -223,7 +223,7 @@ pub(crate) mod portable { } } - fn squeeze_first_block( + fn squeeze_first_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], @@ -243,7 +243,7 @@ pub(crate) mod portable { (out0, out1, out2, out3) } - fn squeeze_next_block( + fn squeeze_next_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], @@ -263,7 +263,7 @@ pub(crate) mod portable { (out0, out1, out2, out3) } - fn shake256( + fn shake256_x4( input0: &[u8], input1: &[u8], input2: &[u8], 
@@ -386,13 +386,13 @@ pub(crate) mod simd256 { } impl shake256::XofX4 for Shake256x4 { - fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { let mut state = x4::incremental::init(); x4::incremental::shake256_absorb_final(&mut state, &input0, &input1, &input2, &input3); Self { state } } - fn squeeze_first_block( + fn squeeze_first_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], @@ -415,7 +415,7 @@ pub(crate) mod simd256 { (out0, out1, out2, out3) } - fn squeeze_next_block( + fn squeeze_next_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], @@ -438,7 +438,7 @@ pub(crate) mod simd256 { (out0, out1, out2, out3) } - fn shake256( + fn shake256_x4( input0: &[u8], input1: &[u8], input2: &[u8], @@ -510,14 +510,14 @@ pub(crate) mod neon { } impl shake256::XofX4 for Shake256x4 { - fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { let mut state = [x2::incremental::init(), x2::incremental::init()]; x2::incremental::shake256_absorb_final(&mut state[0], &input0, &input1); x2::incremental::shake256_absorb_final(&mut state[1], &input2, &input3); Self { state } } - fn squeeze_first_block( + fn squeeze_first_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], @@ -535,7 +535,7 @@ pub(crate) mod neon { (out0, out1, out2, out3) } - fn squeeze_next_block( + fn squeeze_next_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], @@ -553,7 +553,7 @@ pub(crate) mod neon { (out0, out1, out2, out3) } - fn shake256( + fn shake256_x4( input0: &[u8], input1: &[u8], input2: &[u8], diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index dfbb5b554..f1558eb7f 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs 
@@ -251,8 +251,8 @@ pub(crate) fn sample_four_error_ring_elements< seed3[64] = domain_separator3 as u8; seed3[65] = (domain_separator3 >> 8) as u8; - let mut state = Shake256::init_absorb(&seed0, &seed1, &seed2, &seed3); - let randomnesses = state.squeeze_first_block(); + let mut state = Shake256::init_absorb_x4(&seed0, &seed1, &seed2, &seed3); + let randomnesses = state.squeeze_first_block_x4(); // Every call to |rejection_sample_less_than_field_modulus| // will result in a call to |SIMDUnit::rejection_sample_less_than_field_modulus|; @@ -283,7 +283,7 @@ pub(crate) fn sample_four_error_ring_elements< while !done0 || !done1 || !done2 || !done3 { // Always sample another 4, but we only use it if we actually need it. - let randomnesses = state.squeeze_next_block(); + let randomnesses = state.squeeze_next_block_x4(); if !done0 { done0 = rejection_sample_less_than_eta::( &randomnesses.0, @@ -380,7 +380,7 @@ pub(crate) fn sample_mask_vector< let mut out1 = [0; 576]; let mut out2 = [0; 576]; let mut out3 = [0; 576]; - Shake256X4::shake256( + Shake256X4::shake256_x4( &seed0, &seed1, &seed2, &seed3, &mut out0, &mut out1, &mut out2, &mut out3, ); mask[0] = encoding::gamma1::deserialize::(&out0); @@ -393,7 +393,7 @@ pub(crate) fn sample_mask_vector< let mut out1 = [0; 640]; let mut out2 = [0; 640]; let mut out3 = [0; 640]; - Shake256X4::shake256( + Shake256X4::shake256_x4( &seed0, &seed1, &seed2, &seed3, &mut out0, &mut out1, &mut out2, &mut out3, ); mask[0] = encoding::gamma1::deserialize::(&out0); diff --git a/libcrux-ml-dsa/src/simd.rs b/libcrux-ml-dsa/src/simd.rs index 653246a60..476db6916 100644 --- a/libcrux-ml-dsa/src/simd.rs +++ b/libcrux-ml-dsa/src/simd.rs @@ -4,6 +4,6 @@ pub(crate) mod avx2; pub(crate) mod portable; pub(crate) mod traits; -#[cfg(test)] -pub(crate) mod tests; +// #[cfg(test)] +// pub(crate) mod tests; diff --git a/sys/pqclean/src/bindings.rs b/sys/pqclean/src/bindings.rs index 5f6602af9..9c1755073 100644 --- a/sys/pqclean/src/bindings.rs 
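Review bot: Commenting out `#[cfg(test)]` and `pub(crate) mod tests;` in simd.rs drops the whole SIMD test module from every `cargo test` run rather than disabling only what currently fails, and the hunk leaves no record of why. If the module stopped compiling after the hash-function renames elsewhere in this patch, prefer fixing or narrowing it; if it must stay out temporarily, keep the `#[cfg(test)]` line and add `// TODO: re-enable once <reason> is resolved (tracking: <issue>)` with the actual reason filled in. A silently dropped test module is easy to forget, and these tests presumably cover the avx2/portable backends that the rest of the crate relies on for correctness, so the gap should at least be visible in the source.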
+++ b/sys/pqclean/src/bindings.rs @@ -1,4 +1,4 @@ -/* automatically generated by rust-bindgen 0.69.4 */ +/* automatically generated by rust-bindgen 0.69.5 */ pub const SHAKE128_RATE: u32 = 168; pub const SHAKE256_RATE: u32 = 136; From c4bb39ea3ce185ce403f24ef43ac22f0d8634e48 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Wed, 23 Oct 2024 12:08:03 +0200 Subject: [PATCH 10/74] almost laxing --- Cargo.lock | 1 + libcrux-ml-dsa/Cargo.toml | 2 + libcrux-ml-dsa/hax.py | 2 +- .../Libcrux_ml_dsa.Hash_functions.Neon.fsti | 329 ++------- ...Libcrux_ml_dsa.Hash_functions.Portable.fst | 13 - ...ibcrux_ml_dsa.Hash_functions.Portable.fsti | 348 ++++----- ...Libcrux_ml_dsa.Hash_functions.Simd256.fsti | 233 ++---- ...dsa.Ml_dsa_generic.Instantiations.Avx2.fst | 11 +- ...sa.Ml_dsa_generic.Instantiations.Avx2.fsti | 1 + .../Libcrux_ml_dsa.Ml_dsa_generic.fst | 196 ++--- .../Libcrux_ml_dsa.Ml_dsa_generic.fsti | 1 - libcrux-ml-dsa/src/hash_functions.rs | 675 ++++++++++++------ libcrux-ml-dsa/src/ml_dsa_generic.rs | 55 +- 13 files changed, 815 insertions(+), 1052 deletions(-) delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst diff --git a/Cargo.lock b/Cargo.lock index 863b1451e..a36ef9e2c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -992,6 +992,7 @@ name = "libcrux-ml-dsa" version = "0.0.2-beta.2" dependencies = [ "criterion", + "hax-lib", "hex", "libcrux-intrinsics", "libcrux-platform", diff --git a/libcrux-ml-dsa/Cargo.toml b/libcrux-ml-dsa/Cargo.toml index db847540e..acf9bbc52 100644 --- a/libcrux-ml-dsa/Cargo.toml +++ b/libcrux-ml-dsa/Cargo.toml @@ -20,6 +20,8 @@ libcrux-sha3 = { version = "0.0.2-beta.2", path = "../libcrux-sha3" } libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics" } libcrux-platform = { version = "0.0.2-beta.2", path = "../sys/platform" } +hax-lib.workspace = true + [dev-dependencies] rand = { version = "0.8" } hex = { version = "0.4.3", features = ["serde"] } 
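Review bot: `hax-lib.workspace = true` is added as a regular dependency of libcrux-ml-dsa rather than a dev- or build-time one, so every downstream consumer of this crate now resolves hax-lib, and the Cargo.lock hunks earlier on this page record the hax crates as a git source tracking `?branch=main`, pinned only by the lockfile. If hax-lib is needed solely for proof annotations, say so and make the pin explicit, e.g. `# proof annotations for hax extraction; git source, resolved via the workspace entry and pinned by Cargo.lock` above the line, and consider gating it behind a feature so release builds do not carry a branch-tracked dependency. Style-wise it also sits after a blank line instead of sorted with the other `libcrux-*` entries in `[dependencies]`.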
diff --git a/libcrux-ml-dsa/hax.py b/libcrux-ml-dsa/hax.py
index d6183de4f..e8d2ba309 100755
--- a/libcrux-ml-dsa/hax.py
+++ b/libcrux-ml-dsa/hax.py
@@ -82,7 +82,7 @@ def __call__(self, parser, args, values, option_string=None) -> None:
 includes = [
 "+**",
 "-libcrux_ml_dsa::hash_functions::portable::*",
- "-libcrux_ml_dsa::hash_functions::avx2::*",
+ "-libcrux_ml_dsa::hash_functions::simd256::*",
 "-libcrux_ml_dsa::hash_functions::neon::*",
 "+:libcrux_ml_dsa::hash_functions::*::*",
 ]
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti
index 2b1e2d69a..6805e0d00 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti
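Review bot: The replaced filter entry targeted `hash_functions::avx2::*`, but the module in hash_functions.rs is named `simd256` (see the `pub(crate) mod simd256 {` hunks earlier on this page), so the old exclusion matched nothing and the simd256 backend internals were presumably being extracted; the new `"-libcrux_ml_dsa::hash_functions::simd256::*"` line is therefore a behavioural fix, not a rename, and the commit message does not say so. Since this include list is the only place the decision lives, add a line above it explaining the intent, e.g. `# backend internals (portable/simd256/neon) are excluded from extraction; only the hash_functions API surface is modelled`, adjusting the wording if that is not the actual reason. The enclosing `__call__` method starts and ends outside the hunk.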
@@ -3,10 +3,45 @@ module Libcrux_ml_dsa.Hash_functions.Neon open Core open FStar.Mul -type t_Shake128x4 = { f_state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) } +val t_Shake128x4:Type0 /// Neon SHAKE 256 x4 state -type t_Shake256x4 = { f_state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) } +val t_Shake256x4:Type0 + +/// Init the state and absorb 4 blocks in parallel. +val init_absorb (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) + +val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True) + +val shake256_x4 + (v_OUT_LEN: usize) + (input0 input1 input2 input3: t_Slice u8) + (out0 out1 out2 out3: t_Array u8 v_OUT_LEN) + : Prims.Pure + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + Prims.l_True + (fun _ -> Prims.l_True) + +val squeeze_first_block_x4 (x: t_Shake256x4) + : Prims.Pure + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + +val squeeze_first_five_blocks (x: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840)) + : Prims.Pure + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_next_block (x: t_Shake128x4) + : Prims.Pure + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + Prims.l_True + (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = 
@@ -28,36 +63,7 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = f_init_absorb = (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = - let list = - [Libcrux_sha3.Neon.X2.Incremental.init (); Libcrux_sha3.Neon.X2.Incremental.init ()] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list - in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state - (sz 0) - (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ sz 0 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - input0 - input1 - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state - (sz 1) - (Libcrux_sha3.Neon.X2.Incremental.shake128_absorb_final (state.[ sz 1 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - input2 - input3 - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - in - { f_state = state } <: t_Shake128x4); + init_absorb input0 input1 input2 input3); f_squeeze_first_five_blocks_pre = (fun 
@@ -90,47 +96,16 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = (out2: t_Array u8 (sz 840)) (out3: t_Array u8 (sz 840)) -> - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 840) & + let tmp0, tmp1, tmp2, tmp3, tmp4:(t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & t_Array u8 (sz 840)) = - Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_five_blocks (self.f_state.[ sz 0 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out0 - out1 - in - let self:t_Shake128x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 0) tmp0 - } - <: - t_Shake128x4 + squeeze_first_five_blocks self out0 out1 out2 out3 in + let self:t_Shake128x4 = tmp0 in let out0:t_Array u8 (sz 840) = tmp1 in let out1:t_Array u8 (sz 840) = tmp2 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 840) & - t_Array u8 (sz 840)) = - Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_first_five_blocks (self.f_state.[ sz 1 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out2 - out3 - in - let self:t_Shake128x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 1) tmp0 - } - <: - t_Shake128x4 - in - let out2:t_Array u8 (sz 840) = tmp1 in - let out3:t_Array u8 (sz 840) = tmp2 in + let out2:t_Array u8 (sz 840) = tmp3 in + let out3:t_Array u8 (sz 840) = tmp4 in let _:Prims.unit = () in self, out0, out1, out2, out3 <: @@ -141,7 +116,7 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = = (fun (self: t_Shake128x4) - (out4: + (out5: (t_Shake128x4 & (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) ) 
@@ -150,57 +125,14 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = f_squeeze_next_block = fun (self: t_Shake128x4) -> - let out0:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in - let out1:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in - let out2:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in - let out3:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 168) & - t_Array u8 (sz 168)) = - Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block (self.f_state.[ sz 0 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out0 - out1 + let tmp0, out4:(t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) = + squeeze_next_block self in - let self:t_Shake128x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 0) tmp0 - } - <: - t_Shake128x4 - in - let out0:t_Array u8 (sz 168) = tmp1 in - let out1:t_Array u8 (sz 168) = tmp2 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 168) & - t_Array u8 (sz 168)) = - Libcrux_sha3.Neon.X2.Incremental.shake128_squeeze_next_block (self.f_state.[ sz 1 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out2 - out3 - in - let self:t_Shake128x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 1) tmp0 - } - <: - t_Shake128x4 - in - let out2:t_Array u8 (sz 168) = tmp1 in - let out3:t_Array u8 (sz 168) = tmp2 in - let _:Prims.unit = () in + let self:t_Shake128x4 = tmp0 in let hax_temp_output:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)) = - out0, out1, out2, out3 - <: - (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)) + out4 in 
self, hax_temp_output <: @@ -208,6 +140,13 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) } +val squeeze_next_block_x4 (x: t_Shake256x4) + : Prims.Pure + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = { 
@@ -228,42 +167,13 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = f_init_absorb_x4 = (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = - let list = - [Libcrux_sha3.Neon.X2.Incremental.init (); Libcrux_sha3.Neon.X2.Incremental.init ()] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list - in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state - (sz 0) - (Libcrux_sha3.Neon.X2.Incremental.shake256_absorb_final (state.[ sz 0 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - input0 - input1 - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - in - let state:t_Array Libcrux_sha3.Neon.X2.Incremental.t_KeccakState (sz 2) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize state - (sz 1) - (Libcrux_sha3.Neon.X2.Incremental.shake256_absorb_final (state.[ sz 1 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - input2 - input3 - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - in - { f_state = state } <: t_Shake256x4); + init_absorb_x4 input0 input1 input2 input3); f_squeeze_first_block_x4_pre = (fun (self: t_Shake256x4) -> true); f_squeeze_first_block_x4_post = (fun (self: t_Shake256x4) - (out4: + (out5: (t_Shake256x4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) ) 
@@ -272,57 +182,14 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = f_squeeze_first_block_x4 = (fun (self: t_Shake256x4) -> - let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 136) & - t_Array u8 (sz 136)) = - Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_first_block (self.f_state.[ sz 0 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out0 - out1 - in - let self:t_Shake256x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 0) tmp0 - } - <: - t_Shake256x4 - in - let out0:t_Array u8 (sz 136) = tmp1 in - let out1:t_Array u8 (sz 136) = tmp2 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 136) & - t_Array u8 (sz 136)) = - Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_first_block (self.f_state.[ sz 1 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out2 - out3 + let tmp0, out4:(t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_first_block_x4 self in - let self:t_Shake256x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 1) tmp0 - } - <: - t_Shake256x4 - in - let out2:t_Array u8 (sz 136) = tmp1 in - let out3:t_Array u8 (sz 136) = tmp2 in - let _:Prims.unit = () in + let self:t_Shake256x4 = tmp0 in let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) = - out0, out1, out2, out3 - <: - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) + 
out4 in self, hax_temp_output <: @@ -333,7 +200,7 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = = (fun (self: t_Shake256x4) - (out4: + (out5: (t_Shake256x4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) ) 
@@ -342,57 +209,14 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = f_squeeze_next_block_x4 = (fun (self: t_Shake256x4) -> - let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 136) & - t_Array u8 (sz 136)) = - Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_next_block (self.f_state.[ sz 0 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out0 - out1 - in - let self:t_Shake256x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 0) tmp0 - } - <: - t_Shake256x4 - in - let out0:t_Array u8 (sz 136) = tmp1 in - let out1:t_Array u8 (sz 136) = tmp2 in - let _:Prims.unit = () in - let tmp0, tmp1, tmp2:(Libcrux_sha3.Neon.X2.Incremental.t_KeccakState & t_Array u8 (sz 136) & - t_Array u8 (sz 136)) = - Libcrux_sha3.Neon.X2.Incremental.shake256_squeeze_next_block (self.f_state.[ sz 1 ] - <: - Libcrux_sha3.Neon.X2.Incremental.t_KeccakState) - out2 - out3 - in - let self:t_Shake256x4 = - { - self with - f_state - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_state (sz 1) tmp0 - } - <: - t_Shake256x4 + let tmp0, out4:(t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_next_block_x4 self in - let out2:t_Array u8 (sz 136) = tmp1 in - let out3:t_Array u8 (sz 136) = tmp2 in - let _:Prims.unit = () in + let self:t_Shake256x4 = tmp0 in let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) = - out0, out1, out2, out3 - <: - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) + 
out4 in self, hax_temp_output <: @@ -442,17 +266,14 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = (out2: t_Array u8 v_OUT_LEN) (out3: t_Array u8 v_OUT_LEN) -> - let tmp0, tmp1:(t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) = - Libcrux_sha3.Neon.X2.shake256 input0 input1 out0 out1 + let tmp0, tmp1, tmp2, tmp3:(t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & + t_Array u8 v_OUT_LEN) = + shake256_x4 v_OUT_LEN input0 input1 input2 input3 out0 out1 out2 out3 in let out0:t_Array u8 v_OUT_LEN = tmp0 in let out1:t_Array u8 v_OUT_LEN = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) = - Libcrux_sha3.Neon.X2.shake256 input2 input3 out2 out3 - in - let out2:t_Array u8 v_OUT_LEN = tmp0 in - let out3:t_Array u8 v_OUT_LEN = tmp1 in + let out2:t_Array u8 v_OUT_LEN = tmp2 in + let out3:t_Array u8 v_OUT_LEN = tmp3 in let _:Prims.unit = () in out0, out1, out2, out3 <: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst deleted file mode 100644 index fd24408ba..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fst +++ /dev/null @@ -1,13 +0,0 @@ -module Libcrux_ml_dsa.Hash_functions.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let init_absorb__init_absorb (input: t_Slice u8) = - let state:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake128_init () - in - let state:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake128_absorb_final state input - in - state diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti index 30b65ad6d..2d75db5dd 100644 
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti
@@ -7,28 +7,89 @@ open FStar.Mul type t_Shake128 = | Shake128 : t_Shake128 /// Portable SHAKE 128 x4 state. -/// We're using a portable implementation so this is actually sequential. -type t_Shake128X4 = { - f_state0:Libcrux_sha3.Portable.t_KeccakState; - f_state1:Libcrux_sha3.Portable.t_KeccakState; - f_state2:Libcrux_sha3.Portable.t_KeccakState; - f_state3:Libcrux_sha3.Portable.t_KeccakState -} +/// We\'re using a portable implementation so this is actually sequential. +val t_Shake128X4:Type0 /// Portable SHAKE 256 state -type t_Shake256 = { f_state:Libcrux_sha3.Portable.t_KeccakState } +val t_Shake256:Type0 /// Portable SHAKE 256 x4 state. -/// We're using a portable implementation so this is actually sequential. -type t_Shake256X4 = { - f_state0:Libcrux_sha3.Portable.t_KeccakState; - f_state1:Libcrux_sha3.Portable.t_KeccakState; - f_state2:Libcrux_sha3.Portable.t_KeccakState; - f_state3:Libcrux_sha3.Portable.t_KeccakState -} +/// We\'re using a portable implementation so this is actually sequential. 
+val t_Shake256X4:Type0 -val init_absorb__init_absorb (input: t_Slice u8) - : Prims.Pure Libcrux_sha3.Portable.t_KeccakState Prims.l_True (fun _ -> Prims.l_True) +val t_Shake256Absorb:Type0 + +val t_Shake256Squeeze:Type0 + +val init_absorb (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True) + +val init_absorb_shake256 (input: t_Slice u8) + : Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True) + +val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake256X4 Prims.l_True (fun _ -> Prims.l_True) + +val shake128 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) + : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128 = + { + f_shake128_pre + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); + f_shake128_post + = + (fun + (v_OUTPUT_LENGTH: usize) + (input: t_Slice u8) + (out: t_Array u8 v_OUTPUT_LENGTH) + (out1: t_Array u8 v_OUTPUT_LENGTH) + -> + true); + f_shake128 + = + fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> + let out:t_Array u8 v_OUTPUT_LENGTH = shake128 v_OUTPUT_LENGTH input out in + out + } + +val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) + : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) + +val shake256_absorb (st: t_Shake256Absorb) (input: t_Slice u8) + : Prims.Pure t_Shake256Absorb Prims.l_True (fun _ -> Prims.l_True) + +val shake256_absorb_final (st: t_Shake256Absorb) (input: t_Slice u8) + : Prims.Pure t_Shake256Squeeze Prims.l_True (fun _ -> Prims.l_True) + +val shake256_init: Prims.unit -> Prims.Pure t_Shake256Absorb Prims.l_True (fun _ -> Prims.l_True) + +val shake256_squeeze (st: t_Shake256Squeeze) (out: t_Slice u8) + : Prims.Pure 
(t_Shake256Squeeze & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_first_block_shake256 (x: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_first_block_x4 (x: t_Shake256X4) + : Prims.Pure + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + +val squeeze_first_five_blocks (x: t_Shake128X4) (out0 out1 out2 out3: t_Array u8 (sz 840)) + : Prims.Pure + (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_next_block (x: t_Shake128X4) + : Prims.Pure + (t_Shake128X4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + Prims.l_True + (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 = @@ -50,13 +111,7 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 = f_init_absorb = (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> - let state0:Libcrux_sha3.Portable.t_KeccakState = init_absorb__init_absorb input0 in - let state1:Libcrux_sha3.Portable.t_KeccakState = init_absorb__init_absorb input1 in - let state2:Libcrux_sha3.Portable.t_KeccakState = init_absorb__init_absorb input2 in - let state3:Libcrux_sha3.Portable.t_KeccakState = init_absorb__init_absorb input3 in - { f_state0 = state0; f_state1 = state1; f_state2 = state2; f_state3 = state3 } - <: - t_Shake128X4); + init_absorb input0 input1 input2 input3); f_squeeze_first_five_blocks_pre = (fun 
@@ -89,29 +144,16 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 = (out2: t_Array u8 (sz 840)) (out3: t_Array u8 (sz 840)) -> - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 840)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state0 out0 + let tmp0, tmp1, tmp2, tmp3, tmp4:(t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + squeeze_first_five_blocks self out0 out1 out2 out3 in - let self:t_Shake128X4 = { self with f_state0 = tmp0 } <: t_Shake128X4 in + let self:t_Shake128X4 = tmp0 in let out0:t_Array u8 (sz 840) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 840)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state1 out1 - in - let self:t_Shake128X4 = { self with f_state1 = tmp0 } <: t_Shake128X4 in - let out1:t_Array u8 (sz 840) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 840)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state2 out2 - in - let self:t_Shake128X4 = { self with f_state2 = tmp0 } <: t_Shake128X4 in - let out2:t_Array u8 (sz 840) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 840)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_first_five_blocks self.f_state3 out3 - in - let self:t_Shake128X4 = { self with f_state3 = tmp0 } <: t_Shake128X4 in - let out3:t_Array u8 (sz 840) = tmp1 in + let out1:t_Array u8 (sz 840) = tmp2 in + let out2:t_Array u8 (sz 840) = tmp3 in + let out3:t_Array u8 (sz 840) = tmp4 in let _:Prims.unit = () in self, out0, out1, out2, out3 <: 
@@ -122,7 +164,7 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 = = (fun (self: t_Shake128X4) - (out4: + (out5: (t_Shake128X4 & (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) ) 
@@ -131,39 +173,14 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 = f_squeeze_next_block = fun (self: t_Shake128X4) -> - let out0:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 168)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state0 out0 + let tmp0, out4:(t_Shake128X4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) = + squeeze_next_block self in - let self:t_Shake128X4 = { self with f_state0 = tmp0 } <: t_Shake128X4 in - let out0:t_Array u8 (sz 168) = tmp1 in - let _:Prims.unit = () in - let out1:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 168)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state1 out1 - in - let self:t_Shake128X4 = { self with f_state1 = tmp0 } <: t_Shake128X4 in - let out1:t_Array u8 (sz 168) = tmp1 in - let _:Prims.unit = () in - let out2:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 168)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state2 out2 - in - let self:t_Shake128X4 = { self with f_state2 = tmp0 } <: t_Shake128X4 in - let out2:t_Array u8 (sz 168) = tmp1 in - let _:Prims.unit = () in - let out3:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 168)) = - Libcrux_sha3.Portable.Incremental.shake128_squeeze_next_block self.f_state3 out3 - in - let self:t_Shake128X4 = { self with f_state3 = tmp0 } <: t_Shake128X4 in - let out3:t_Array u8 (sz 168) = tmp1 in - let _:Prims.unit = () in + let self:t_Shake128X4 = tmp0 in let hax_temp_output:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)) = - out0, out1, 
out2, out3 - <: - (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)) + out4 in self, hax_temp_output <: @@ -171,27 +188,8 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 = (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) } -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128 = - { - f_shake128_pre - = - (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); - f_shake128_post - = - (fun - (v_OUTPUT_LENGTH: usize) - (input: t_Slice u8) - (out: t_Array u8 v_OUTPUT_LENGTH) - (out1: t_Array u8 v_OUTPUT_LENGTH) - -> - true); - f_shake128 - = - fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> - let out:t_Array u8 v_OUTPUT_LENGTH = Libcrux_sha3.Portable.shake128 out input in - out - } +val squeeze_next_block_shake256 (x: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = 
@@ -211,54 +209,42 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = f_shake256 = (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> - let out:t_Array u8 v_OUTPUT_LENGTH = Libcrux_sha3.Portable.shake256 out input in + let out:t_Array u8 v_OUTPUT_LENGTH = shake256 v_OUTPUT_LENGTH input out in out); f_init_absorb_pre = (fun (input: t_Slice u8) -> true); f_init_absorb_post = (fun (input: t_Slice u8) (out: t_Shake256) -> true); - f_init_absorb - = - (fun (input: t_Slice u8) -> - let state:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_init () - in - let state:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_absorb_final state input - in - { f_state = state } <: t_Shake256); + f_init_absorb = (fun (input: t_Slice u8) -> init_absorb_shake256 input); f_squeeze_first_block_pre = (fun (self: t_Shake256) -> true); f_squeeze_first_block_post = - (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (sz 136))) -> true); + (fun (self: t_Shake256) (out2: (t_Shake256 & t_Array u8 (sz 136))) -> true); f_squeeze_first_block = (fun (self: t_Shake256) -> - let out:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state out - in - let self:t_Shake256 = { self with f_state = tmp0 } <: t_Shake256 in - let out:t_Array u8 (sz 136) = tmp1 in - let _:Prims.unit = () in - let hax_temp_output:t_Array u8 (sz 136) = out in + let tmp0, out1:(t_Shake256 & t_Array u8 (sz 136)) = squeeze_first_block_shake256 self in + let self:t_Shake256 = tmp0 in + let hax_temp_output:t_Array u8 (sz 136) = out1 in self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136))); f_squeeze_next_block_pre = (fun (self: t_Shake256) -> true); f_squeeze_next_block_post = - (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (sz 
136))) -> true); + (fun (self: t_Shake256) (out2: (t_Shake256 & t_Array u8 (sz 136))) -> true); f_squeeze_next_block = fun (self: t_Shake256) -> - let out:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state out - in - let self:t_Shake256 = { self with f_state = tmp0 } <: t_Shake256 in - let out:t_Array u8 (sz 136) = tmp1 in - let _:Prims.unit = () in - let hax_temp_output:t_Array u8 (sz 136) = out in + let tmp0, out1:(t_Shake256 & t_Array u8 (sz 136)) = squeeze_next_block_shake256 self in + let self:t_Shake256 = tmp0 in + let hax_temp_output:t_Array u8 (sz 136) = out1 in self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136)) } +val squeeze_next_block_x4 (x: t_Shake256X4) + : Prims.Pure + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = { 
@@ -279,39 +265,13 @@ let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = f_init_absorb_x4 = (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> - let state0:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_init () - in - let state0:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_absorb_final state0 input0 - in - let state1:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_init () - in - let state1:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_absorb_final state1 input1 - in - let state2:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_init () - in - let state2:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_absorb_final state2 input2 - in - let state3:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_init () - in - let state3:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_absorb_final state3 input3 - in - { f_state0 = state0; f_state1 = state1; f_state2 = state2; f_state3 = state3 } - <: - t_Shake256X4); + init_absorb_x4 input0 input1 input2 input3); f_squeeze_first_block_x4_pre = (fun (self: t_Shake256X4) -> true); f_squeeze_first_block_x4_post = (fun (self: t_Shake256X4) - (out4: + (out5: (t_Shake256X4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) ) 
@@ -320,39 +280,14 @@ let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = f_squeeze_first_block_x4 = (fun (self: t_Shake256X4) -> - let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state0 out0 + let tmp0, out4:(t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_first_block_x4 self in - let self:t_Shake256X4 = { self with f_state0 = tmp0 } <: t_Shake256X4 in - let out0:t_Array u8 (sz 136) = tmp1 in - let _:Prims.unit = () in - let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state1 out1 - in - let self:t_Shake256X4 = { self with f_state1 = tmp0 } <: t_Shake256X4 in - let out1:t_Array u8 (sz 136) = tmp1 in - let _:Prims.unit = () in - let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state2 out2 - in - let self:t_Shake256X4 = { self with f_state2 = tmp0 } <: t_Shake256X4 in - let out2:t_Array u8 (sz 136) = tmp1 in - let _:Prims.unit = () in - let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state3 out3 - in - let self:t_Shake256X4 = { self with f_state3 = tmp0 } <: t_Shake256X4 in - let out3:t_Array u8 (sz 136) = tmp1 in - let _:Prims.unit = () in + let self:t_Shake256X4 = tmp0 in let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) = - 
out0, out1, out2, out3 - <: - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) + out4 in self, hax_temp_output <: @@ -363,7 +298,7 @@ let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = = (fun (self: t_Shake256X4) - (out4: + (out5: (t_Shake256X4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) ) 
@@ -372,39 +307,14 @@ let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = f_squeeze_next_block_x4 = (fun (self: t_Shake256X4) -> - let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state0 out0 - in - let self:t_Shake256X4 = { self with f_state0 = tmp0 } <: t_Shake256X4 in - let out0:t_Array u8 (sz 136) = tmp1 in - let _:Prims.unit = () in - let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state1 out1 - in - let self:t_Shake256X4 = { self with f_state1 = tmp0 } <: t_Shake256X4 in - let out1:t_Array u8 (sz 136) = tmp1 in - let _:Prims.unit = () in - let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state2 out2 + let tmp0, out4:(t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_next_block_x4 self in - let self:t_Shake256X4 = { self with f_state2 = tmp0 } <: t_Shake256X4 in - let out2:t_Array u8 (sz 136) = tmp1 in - let _:Prims.unit = () in - let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state3 out3 - in - let self:t_Shake256X4 = { self with f_state3 = tmp0 } <: t_Shake256X4 in - let out3:t_Array u8 (sz 136) = tmp1 in - let _:Prims.unit = () in + let self:t_Shake256X4 = tmp0 in let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) = - out0, 
out1, out2, out3 - <: - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) + out4 in self, hax_temp_output <: @@ -454,10 +364,10 @@ let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = (out2: t_Array u8 v_OUT_LEN) (out3: t_Array u8 v_OUT_LEN) -> - let out0:t_Array u8 v_OUT_LEN = Libcrux_sha3.Portable.shake256 out0 input0 in - let out1:t_Array u8 v_OUT_LEN = Libcrux_sha3.Portable.shake256 out1 input1 in - let out2:t_Array u8 v_OUT_LEN = Libcrux_sha3.Portable.shake256 out2 input2 in - let out3:t_Array u8 v_OUT_LEN = Libcrux_sha3.Portable.shake256 out3 input3 in + let out0:t_Array u8 v_OUT_LEN = shake256 v_OUT_LEN input0 out0 in + let out1:t_Array u8 v_OUT_LEN = shake256 v_OUT_LEN input1 out1 in + let out2:t_Array u8 v_OUT_LEN = shake256 v_OUT_LEN input2 out2 in + let out3:t_Array u8 v_OUT_LEN = shake256 v_OUT_LEN input3 out3 in out0, out1, out2, out3 <: (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti index 39904caa5..0359b18d6 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti 
@@ -6,13 +6,45 @@ open FStar.Mul /// AVX2 SHAKE 128 state /// This only implements the XofX4 API. For the single Xof, the portable /// version is used. -type t_Shake128x4 = { f_state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState } +val t_Shake128x4:Type0 /// AVX2 SHAKE 256 x4 state. -type t_Shake256x4 = { f_state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState } +val t_Shake256x4:Type0 -/// AVX2 SHAKE 256 state -type t_Shake256 = { f_state:Libcrux_sha3.Portable.t_KeccakState } +/// Init the state and absorb 4 blocks in parallel. +val init_absorb (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) + +val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True) + +val shake256_x4 + (v_OUT_LEN: usize) + (input0 input1 input2 input3: t_Slice u8) + (out0 out1 out2 out3: t_Array u8 v_OUT_LEN) + : Prims.Pure + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + Prims.l_True + (fun _ -> Prims.l_True) + +val squeeze_first_block_x4 (x: t_Shake256x4) + : Prims.Pure + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + +val squeeze_first_five_blocks (x: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840)) + : Prims.Pure + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_next_block (x: t_Shake128x4) + : Prims.Pure + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + Prims.l_True + (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = 
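Review bot: Of the six new function `val`s in `Simd256.fsti`, only `init_absorb` carries a `///` doc comment, and that comment says it absorbs "4 blocks" although its parameters are four arbitrary-length `t_Slice u8` inputs, not blocks. Since `t_Shake128x4` and `t_Shake256x4` are now abstract (`val ...:Type0`) and every `val` has the trivial `Prims.l_True` pre- and post-condition, the doc comments are the only place a reader of the interface learns what each function does, so `init_absorb_x4`, `shake256_x4`, `squeeze_first_block_x4`, `squeeze_first_five_blocks` and `squeeze_next_block` should each get one. For `init_absorb` I would write `/// Initialise the 4-lane SHAKE-128 state and absorb the four inputs, one per lane.`, and for `squeeze_first_five_blocks` note that it fills the four `sz 840` outputs (five 168-byte SHAKE-128 blocks each, going by the name and the array size). These are hax-extracted declarations, so the comments belong on the Rust items they were generated from and the `.fsti` should then be re-extracted.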
@@ -34,13 +66,7 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = f_init_absorb = (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> - let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState = - Libcrux_sha3.Avx2.X4.Incremental.init () - in - let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState = - Libcrux_sha3.Avx2.X4.Incremental.shake128_absorb_final state input0 input1 input2 input3 - in - { f_state = state } <: t_Shake128x4); + init_absorb input0 input1 input2 input3); f_squeeze_first_five_blocks_pre = (fun @@ -73,18 +99,12 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = (out2: t_Array u8 (sz 840)) (out3: t_Array u8 (sz 840)) -> - let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState & - t_Array u8 (sz 840) & - t_Array u8 (sz 840) & + let tmp0, tmp1, tmp2, tmp3, tmp4:(t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840)) = - Libcrux_sha3.Avx2.X4.Incremental.shake128_squeeze_first_five_blocks self.f_state - out0 - out1 - out2 - out3 + squeeze_first_five_blocks self out0 out1 out2 out3 in - let self:t_Shake128x4 = { self with f_state = tmp0 } <: t_Shake128x4 in + let self:t_Shake128x4 = tmp0 in let out0:t_Array u8 (sz 840) = tmp1 in let out1:t_Array u8 (sz 840) = tmp2 in let out2:t_Array u8 (sz 840) = tmp3 in @@ -99,7 +119,7 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = = (fun (self: t_Shake128x4) - (out4: + (out5: (t_Shake128x4 & (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) ) 
@@ -108,32 +128,14 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = f_squeeze_next_block = fun (self: t_Shake128x4) -> - let out0:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in - let out1:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in - let out2:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in - let out3:t_Array u8 (sz 168) = Rust_primitives.Hax.repeat 0uy (sz 168) in - let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState & - t_Array u8 (sz 168) & - t_Array u8 (sz 168) & - t_Array u8 (sz 168) & - t_Array u8 (sz 168)) = - Libcrux_sha3.Avx2.X4.Incremental.shake128_squeeze_next_block self.f_state - out0 - out1 - out2 - out3 + let tmp0, out4:(t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) = + squeeze_next_block self in - let self:t_Shake128x4 = { self with f_state = tmp0 } <: t_Shake128x4 in - let out0:t_Array u8 (sz 168) = tmp1 in - let out1:t_Array u8 (sz 168) = tmp2 in - let out2:t_Array u8 (sz 168) = tmp3 in - let out3:t_Array u8 (sz 168) = tmp4 in - let _:Prims.unit = () in + let self:t_Shake128x4 = tmp0 in let hax_temp_output:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)) = - out0, out1, out2, out3 - <: - (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168)) + out4 in self, hax_temp_output <: 
@@ -141,74 +143,15 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) } -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = - { - f_shake256_pre - = - (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); - f_shake256_post - = - (fun - (v_OUTPUT_LENGTH: usize) - (input: t_Slice u8) - (out: t_Array u8 v_OUTPUT_LENGTH) - (out1: t_Array u8 v_OUTPUT_LENGTH) - -> - true); - f_shake256 - = - (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> - let out:t_Array u8 v_OUTPUT_LENGTH = Libcrux_sha3.Portable.shake256 out input in - out); - f_init_absorb_pre = (fun (input: t_Slice u8) -> true); - f_init_absorb_post = (fun (input: t_Slice u8) (out: t_Shake256) -> true); - f_init_absorb - = - (fun (input: t_Slice u8) -> - let state:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_init () - in - let state:Libcrux_sha3.Portable.t_KeccakState = - Libcrux_sha3.Portable.Incremental.shake256_absorb_final state input - in - { f_state = state } <: t_Shake256); - f_squeeze_first_block_pre = (fun (self: t_Shake256) -> true); - f_squeeze_first_block_post - = - (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (sz 136))) -> true); - f_squeeze_first_block - = - (fun (self: t_Shake256) -> - let out:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_first_block self.f_state out - in - let self:t_Shake256 = { self with f_state = tmp0 } <: t_Shake256 in - let out:t_Array u8 (sz 136) = tmp1 in - let _:Prims.unit = () in - let hax_temp_output:t_Array u8 (sz 136) = out in - self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136))); - f_squeeze_next_block_pre = (fun 
(self: t_Shake256) -> true); - f_squeeze_next_block_post - = - (fun (self: t_Shake256) (out1: (t_Shake256 & t_Array u8 (sz 136))) -> true); - f_squeeze_next_block - = - fun (self: t_Shake256) -> - let out:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1:(Libcrux_sha3.Portable.t_KeccakState & t_Array u8 (sz 136)) = - Libcrux_sha3.Portable.Incremental.shake256_squeeze_next_block self.f_state out - in - let self:t_Shake256 = { self with f_state = tmp0 } <: t_Shake256 in - let out:t_Array u8 (sz 136) = tmp1 in - let _:Prims.unit = () in - let hax_temp_output:t_Array u8 (sz 136) = out in - self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136)) - } +val squeeze_next_block_x4 (x: t_Shake256x4) + : Prims.Pure + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = { f_init_absorb_x4_pre = @@ -227,19 +170,13 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = f_init_absorb_x4 = (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> - let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState = - Libcrux_sha3.Avx2.X4.Incremental.init () - in - let state:Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState = - Libcrux_sha3.Avx2.X4.Incremental.shake256_absorb_final state input0 input1 input2 input3 - in - { f_state = state } <: t_Shake256x4); + init_absorb_x4 input0 input2 input2 input3); f_squeeze_first_block_x4_pre = (fun (self: t_Shake256x4) -> true); f_squeeze_first_block_x4_post = (fun (self: t_Shake256x4) - (out4: + (out5: (t_Shake256x4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) ) 
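Review bot: `f_init_absorb_x4` in the new `impl_1` passes `input0 input2 input2 input3` to `init_absorb_x4`, so `input1` is never absorbed and lanes 1 and 2 of the 4-way SHAKE-256 state start from the same input; the portable instance in the same patch calls `init_absorb_x4 input0 input1 input2 input3`, which is the intended line here too. Because this file is hax-extracted, the fix belongs in the Rust source it was generated from (the `libcrux-ml-dsa/src/hash_functions.rs` section of this patch, whose hunk is not in view) and the `.fsti` should then be re-extracted. Two lanes sharing an input produce identical output blocks, so any caller that presumably relies on the four lanes being independent (distinct per-lane inputs) would silently get correlated output on the AVX2 path only; a test comparing the AVX2 x4 output against four independent portable SHAKE-256 calls on distinct inputs would catch this divergence.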
@@ -248,32 +185,14 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = f_squeeze_first_block_x4 = (fun (self: t_Shake256x4) -> - let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState & - t_Array u8 (sz 136) & - t_Array u8 (sz 136) & - t_Array u8 (sz 136) & - t_Array u8 (sz 136)) = - Libcrux_sha3.Avx2.X4.Incremental.shake256_squeeze_first_block self.f_state - out0 - out1 - out2 - out3 + let tmp0, out4:(t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_first_block_x4 self in - let self:t_Shake256x4 = { self with f_state = tmp0 } <: t_Shake256x4 in - let out0:t_Array u8 (sz 136) = tmp1 in - let out1:t_Array u8 (sz 136) = tmp2 in - let out2:t_Array u8 (sz 136) = tmp3 in - let out3:t_Array u8 (sz 136) = tmp4 in - let _:Prims.unit = () in + let self:t_Shake256x4 = tmp0 in let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) = - out0, out1, out2, out3 - <: - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) + out4 in self, hax_temp_output <: @@ -284,7 +203,7 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = = (fun (self: t_Shake256x4) - (out4: + (out5: (t_Shake256x4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) ) 
@@ -293,32 +212,14 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = f_squeeze_next_block_x4 = (fun (self: t_Shake256x4) -> - let out0:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let out1:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let out2:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let out3:t_Array u8 (sz 136) = Rust_primitives.Hax.repeat 0uy (sz 136) in - let tmp0, tmp1, tmp2, tmp3, tmp4:(Libcrux_sha3.Avx2.X4.Incremental.t_KeccakState & - t_Array u8 (sz 136) & - t_Array u8 (sz 136) & - t_Array u8 (sz 136) & - t_Array u8 (sz 136)) = - Libcrux_sha3.Avx2.X4.Incremental.shake256_squeeze_next_block self.f_state - out0 - out1 - out2 - out3 + let tmp0, out4:(t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_next_block_x4 self in - let self:t_Shake256x4 = { self with f_state = tmp0 } <: t_Shake256x4 in - let out0:t_Array u8 (sz 136) = tmp1 in - let out1:t_Array u8 (sz 136) = tmp2 in - let out2:t_Array u8 (sz 136) = tmp3 in - let out3:t_Array u8 (sz 136) = tmp4 in - let _:Prims.unit = () in + let self:t_Shake256x4 = tmp0 in let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) = - out0, out1, out2, out3 - <: - (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)) + out4 in self, hax_temp_output <: @@ -370,7 +271,7 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = -> let tmp0, tmp1, tmp2, tmp3:(t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) = - Libcrux_sha3.Avx2.X4.shake256 input0 input1 input2 input3 out0 out1 out2 out3 + shake256_x4 v_OUT_LEN input0 input1 input2 input3 out0 out1 out2 out3 in let out0:t_Array u8 v_OUT_LEN = tmp0 in let out1:t_Array u8 v_OUT_LEN = tmp1 in 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst index 6066f3058..7aab62832 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst @@ -6,6 +6,7 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in let open Libcrux_ml_dsa.Hash_functions.Shake128 in let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Hash_functions.Simd256 in @@ -21,7 +22,7 @@ let generate_key_pair = Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness @@ -36,7 +37,7 @@ let sign = Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT 
@@ -54,7 +55,7 @@ let sign_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE @@ -73,7 +74,7 @@ let verify = Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature @@ -90,7 +91,7 @@ let verify_pre_hashed_shake128 = Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti
index 09d4842de..c244ca0d5 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti
@@ -6,6 +6,7 @@ open FStar.Mul
 let _ =
 (* This module has implicit dependencies, here we make them explicit. *)
 (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_dsa.Hash_functions.Portable in
 let open Libcrux_ml_dsa.Hash_functions.Shake128 in
 let open Libcrux_ml_dsa.Hash_functions.Shake256 in
 let open Libcrux_ml_dsa.Hash_functions.Simd256 in
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst
index df5dc6fe8..95d331653 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst
@@ -10,7 +10,6 @@ let _ =
 let open Libcrux_ml_dsa.Hash_functions.Shake256 in
 let open Libcrux_ml_dsa.Pre_hash in
 let open Libcrux_ml_dsa.Simd.Traits in
- let open Libcrux_sha3.Portable.Incremental in
 ()
 
 let derive_message_representative
@@ -20,27 +19,18 @@ let derive_message_representative (message: t_Slice u8) (message_representative: t_Array u8 (sz 64)) = - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_new #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - () + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (verification_key_hash <: t_Slice u8) in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = match domain_separation_context with | Core.Option.Option_Some domain_separation_context -> - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake ((let list = [ cast (Core.Option.impl__is_some #(t_Array u8 (sz 11)) @@ -58,11 +48,8 @@ let derive_message_representative <: t_Slice u8) in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake ((let list = [ cast (Core.Slice.impl__len #u8 
@@ -80,38 +67,23 @@ let derive_message_representative <: t_Slice u8) in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (Libcrux_ml_dsa.Pre_hash.impl_1__context domain_separation_context <: t_Slice u8) in (match Libcrux_ml_dsa.Pre_hash.impl_1__pre_hash_oid domain_separation_context with | Core.Option.Option_Some pre_hash_oid -> - Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake - (pre_hash_oid <: t_Slice u8) + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (pre_hash_oid <: t_Slice u8) | _ -> shake) | _ -> shake in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = - Libcrux_sha3.Portable.Incremental.f_absorb_final #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake - message + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake message in - let tmp0, tmp1:(Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze & t_Array u8 (sz 64)) = - Libcrux_sha3.Portable.Incremental.f_squeeze #Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake - message_representative + let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake message_representative in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = tmp0 in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in let message_representative:t_Array u8 (sz 64) = tmp1 in let 
_:Prims.unit = () in message_representative 
@@ -174,41 +146,23 @@ let sign_internal message_representative in let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_new #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - () + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake - (seed_for_signing <: t_Slice u8) + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (seed_for_signing <: t_Slice u8) in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake - (randomness <: t_Slice u8) + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (randomness <: t_Slice u8) in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = - Libcrux_sha3.Portable.Incremental.f_absorb_final #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake (message_representative <: t_Slice u8) in - let tmp0, tmp1:(Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze & t_Array u8 (sz 64)) = - Libcrux_sha3.Portable.Incremental.f_squeeze #Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake - mask_seed + let tmp0, 
tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake mask_seed in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = tmp0 in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in let mask_seed:t_Array u8 (sz 64) = tmp1 in let _:Prims.unit = () in let _:Prims.unit = () in 
@@ -305,35 +259,22 @@ let sign_internal v_COMMITMENT_VECTOR_SIZE commitment in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_new #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - () + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (message_representative <: t_Slice u8) in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = - Libcrux_sha3.Portable.Incremental.f_absorb_final #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake (commitment_serialized <: t_Slice u8) in - let tmp0, tmp1:(Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze & + let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 v_COMMITMENT_HASH_SIZE) = - Libcrux_sha3.Portable.Incremental.f_squeeze #Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake - commitment_hash_candidate + Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake commitment_hash_candidate in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = tmp0 in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in let commitment_hash_candidate:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp1 in let _:Prims.unit = () in let _:Prims.unit = () in 
@@ -781,35 +722,22 @@ let verify_internal v_COMMITMENT_VECTOR_SIZE commitment in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_new #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - () + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (message_representative <: t_Slice u8) in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = - Libcrux_sha3.Portable.Incremental.f_absorb_final #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake (commitment_serialized <: t_Slice u8) in - let tmp0, tmp1:(Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze & + let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 v_COMMITMENT_HASH_SIZE) = - Libcrux_sha3.Portable.Incremental.f_squeeze #Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake - commitment_hash + Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake commitment_hash in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = tmp0 in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in let commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp1 in let _:Prims.unit = () in let _:Prims.unit = () in 
@@ -942,38 +870,24 @@ let generate_key_pair (randomness: t_Array u8 (sz 32)) = let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_new #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - () + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Absorb = - Libcrux_sha3.Portable.Incremental.f_absorb #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake - (randomness <: t_Slice u8) + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (randomness <: t_Slice u8) in - let shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = - Libcrux_sha3.Portable.Incremental.f_absorb_final #Libcrux_sha3.Portable.Incremental.t_Shake256Absorb - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake ((let list = [cast (v_ROWS_IN_A <: usize) <: u8; cast (v_COLUMNS_IN_A <: usize) <: u8] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); Rust_primitives.Hax.array_of_list 2 list) <: t_Slice u8) in - let tmp0, tmp1:(Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze & t_Array u8 (sz 128)) = - Libcrux_sha3.Portable.Incremental.f_squeeze #Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze - #(sz 136) - #FStar.Tactics.Typeclasses.solve - shake - seed_expanded + let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake seed_expanded in - let 
shake:Libcrux_sha3.Portable.Incremental.t_Shake256Squeeze = tmp0 in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in let seed_expanded:t_Array u8 (sz 128) = tmp1 in let _:Prims.unit = () in let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti index 6ed00153a..abf9c8d7c 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti @@ -10,7 +10,6 @@ let _ = let open Libcrux_ml_dsa.Hash_functions.Shake256 in let open Libcrux_ml_dsa.Pre_hash in let open Libcrux_ml_dsa.Simd.Traits in - let open Libcrux_sha3.Portable.Incremental in () /// This corresponds to line 6 in algorithm 7 in FIPS 204 (line 7 in algorithm diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs index 3a71c21d1..36d043c16 100644 --- a/libcrux-ml-dsa/src/hash_functions.rs +++ b/libcrux-ml-dsa/src/hash_functions.rs 
@@ -76,44 +76,78 @@ pub(crate) mod shake128 { /// A portable implementation of [`shake128::Xof`] and [`shake256::Xof`]. pub(crate) mod portable { - use libcrux_sha3::portable::{ - incremental::{self, shake128_absorb_final, shake128_init}, - shake128, shake256, KeccakState, - }; + use libcrux_sha3::portable::incremental; use super::{shake128, shake256}; /// Portable SHAKE 128 x4 state. /// /// We're using a portable implementation so this is actually sequential. + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake128X4 { - state0: KeccakState, - state1: KeccakState, - state2: KeccakState, - state3: KeccakState, + state0: libcrux_sha3::portable::KeccakState, + state1: libcrux_sha3::portable::KeccakState, + state2: libcrux_sha3::portable::KeccakState, + state3: libcrux_sha3::portable::KeccakState, + } + + fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake128X4 { + let mut state0 = incremental::shake128_init(); + incremental::shake128_absorb_final(&mut state0, &input0); + + let mut state1 = incremental::shake128_init(); + incremental::shake128_absorb_final(&mut state1, &input1); + + let mut state2 = incremental::shake128_init(); + incremental::shake128_absorb_final(&mut state2, &input2); + + let mut state3 = incremental::shake128_init(); + incremental::shake128_absorb_final(&mut state3, &input3); + + Shake128X4 { + state0, + state1, + state2, + state3, + } + } + + fn squeeze_first_five_blocks( + x: &mut Shake128X4, + out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out1: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + ) { + incremental::shake128_squeeze_first_five_blocks(&mut x.state0, out0); + incremental::shake128_squeeze_first_five_blocks(&mut x.state1, out1); + incremental::shake128_squeeze_first_five_blocks(&mut x.state2, out2); + incremental::shake128_squeeze_first_five_blocks(&mut x.state3, out3); + } + + fn squeeze_next_block( + x: 
&mut Shake128X4, + ) -> ( + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake128::BLOCK_SIZE]; + incremental::shake128_squeeze_next_block(&mut x.state0, &mut out0); + let mut out1 = [0u8; shake128::BLOCK_SIZE]; + incremental::shake128_squeeze_next_block(&mut x.state1, &mut out1); + let mut out2 = [0u8; shake128::BLOCK_SIZE]; + incremental::shake128_squeeze_next_block(&mut x.state2, &mut out2); + let mut out3 = [0u8; shake128::BLOCK_SIZE]; + incremental::shake128_squeeze_next_block(&mut x.state3, &mut out3); + + (out0, out1, out2, out3) } impl shake128::XofX4 for Shake128X4 { fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - #[inline(always)] - fn init_absorb(input: &[u8]) -> KeccakState { - let mut state = shake128_init(); - shake128_absorb_final(&mut state, &input); - - state - } - - let state0 = init_absorb(input0); - let state1 = init_absorb(input1); - let state2 = init_absorb(input2); - let state3 = init_absorb(input3); - - Self { - state0, - state1, - state2, - state3, - } + init_absorb(input0, input1, input2, input3) } fn squeeze_first_five_blocks( @@ -123,12 +157,8 @@ pub(crate) mod portable { out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], ) { - incremental::shake128_squeeze_first_five_blocks(&mut self.state0, out0); - incremental::shake128_squeeze_first_five_blocks(&mut self.state1, out1); - incremental::shake128_squeeze_first_five_blocks(&mut self.state2, out2); - incremental::shake128_squeeze_first_five_blocks(&mut self.state3, out3); + squeeze_first_five_blocks(self, out0, out1, out2, out3); } - fn squeeze_next_block( &mut self, ) -> ( 
@@ -137,90 +167,146 @@ pub(crate) mod portable { [u8; shake128::BLOCK_SIZE], [u8; shake128::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut self.state0, &mut out0); - let mut out1 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut self.state1, &mut out1); - let mut out2 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut self.state2, &mut out2); - let mut out3 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut self.state3, &mut out3); - - (out0, out1, out2, out3) - } + squeeze_next_block(self) + } } /// Portable SHAKE 128 state pub(crate) struct Shake128 {} + fn shake128(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { + libcrux_sha3::portable::shake128(out, input); + } + impl shake128::Xof for Shake128 { fn shake128(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { - shake128(out, input); + shake128(input, out); } } /// Portable SHAKE 256 state + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256 { - state: KeccakState, + state: libcrux_sha3::portable::KeccakState, + } + + + fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { + libcrux_sha3::portable::shake256(out, input); } - //pub(crate) type Shake256Absorb = libcrux_sha3::portable::incremental::Shake256Absorb; + fn init_absorb_shake256(input: &[u8]) -> Shake256 { + let mut state = incremental::shake256_init(); + incremental::shake256_absorb_final(&mut state, input); + Shake256 { state } + } + + fn squeeze_first_block_shake256(x: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] { + let mut out = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_first_block(&mut x.state, &mut out); + out + } + + fn squeeze_next_block_shake256(x: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] { + let mut out = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_next_block(&mut x.state, &mut out); + out + } impl shake256::Xof for Shake256 { fn 
shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { - shake256(out, input); + shake256(input, out); } fn init_absorb(input: &[u8]) -> Self { - let mut state = incremental::shake256_init(); - incremental::shake256_absorb_final(&mut state, input); - - Self { state } + init_absorb_shake256(input) } fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { - let mut out = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut self.state, &mut out); - out + squeeze_first_block_shake256(self) } fn squeeze_next_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { - let mut out = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut self.state, &mut out); - out + squeeze_next_block_shake256(self) } } /// Portable SHAKE 256 x4 state. /// /// We're using a portable implementation so this is actually sequential. + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256X4 { - state0: KeccakState, - state1: KeccakState, - state2: KeccakState, - state3: KeccakState, + state0: libcrux_sha3::portable::KeccakState, + state1: libcrux_sha3::portable::KeccakState, + state2: libcrux_sha3::portable::KeccakState, + state3: libcrux_sha3::portable::KeccakState, } + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake256X4 { + let mut state0 = incremental::shake256_init(); + incremental::shake256_absorb_final(&mut state0, input0); - impl shake256::XofX4 for Shake256X4 { - fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - let mut state0 = incremental::shake256_init(); - incremental::shake256_absorb_final(&mut state0, input0); + let mut state1 = incremental::shake256_init(); + incremental::shake256_absorb_final(&mut state1, input1); + + let mut state2 = incremental::shake256_init(); + incremental::shake256_absorb_final(&mut state2, input2); - let mut state1 = incremental::shake256_init(); - incremental::shake256_absorb_final(&mut state1, input1); + let mut 
state3 = incremental::shake256_init(); + incremental::shake256_absorb_final(&mut state3, input3); - let mut state2 = incremental::shake256_init(); - incremental::shake256_absorb_final(&mut state2, input2); + Shake256X4 { + state0, + state1, + state2, + state3, + } + } - let mut state3 = incremental::shake256_init(); - incremental::shake256_absorb_final(&mut state3, input3); + fn squeeze_first_block_x4( + x: &mut Shake256X4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_first_block(&mut x.state0, &mut out0); + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_first_block(&mut x.state1, &mut out1); + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_first_block(&mut x.state2, &mut out2); + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_first_block(&mut x.state3, &mut out3); + + (out0, out1, out2, out3) + } - Self { - state0, - state1, - state2, - state3, - } + fn squeeze_next_block_x4( + x: &mut Shake256X4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_next_block(&mut x.state0, &mut out0); + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_next_block(&mut x.state1, &mut out1); + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_next_block(&mut x.state2, &mut out2); + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_next_block(&mut x.state3, &mut out3); + + (out0, out1, out2, out3) + } + + + impl shake256::XofX4 for Shake256X4 { + + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { + init_absorb_x4(input0, input1, input2, input3) } fn 
squeeze_first_block_x4( @@ -231,16 +317,7 @@ pub(crate) mod portable { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut self.state0, &mut out0); - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut self.state1, &mut out1); - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut self.state2, &mut out2); - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut self.state3, &mut out3); - - (out0, out1, out2, out3) + squeeze_first_block_x4(self) } fn squeeze_next_block_x4( @@ -251,16 +328,7 @@ pub(crate) mod portable { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut self.state0, &mut out0); - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut self.state1, &mut out1); - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut self.state2, &mut out2); - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut self.state3, &mut out3); - - (out0, out1, out2, out3) + squeeze_next_block_x4(self) } fn shake256_x4( 
@@ -273,41 +341,109 @@ pub(crate) mod portable { out2: &mut [u8; OUT_LEN], out3: &mut [u8; OUT_LEN], ) { - shake256(out0, input0); - shake256(out1, input1); - shake256(out2, input2); - shake256(out3, input3); + shake256(input0, out0); + shake256(input1, out1); + shake256(input2, out2); + shake256(input3, out3); } } + + #[cfg_attr(hax, hax_lib::opaque_type)] + pub(crate) struct Shake256Absorb { + state: libcrux_sha3::portable::incremental::Shake256Absorb + } + + #[cfg_attr(hax, hax_lib::opaque_type)] + pub(crate) struct Shake256Squeeze { + state: libcrux_sha3::portable::incremental::Shake256Squeeze + } + + use libcrux_sha3::portable::incremental::{XofAbsorb, XofSqueeze}; + + pub(crate) fn shake256_init() -> Shake256Absorb { + Shake256Absorb {state: libcrux_sha3::portable::incremental::Shake256Absorb::new ()} + } + pub(crate) fn shake256_absorb(st:&mut Shake256Absorb, input:&[u8]) { + st.state.absorb (input) + } + pub(crate) fn shake256_absorb_final(st:Shake256Absorb, input:&[u8]) -> Shake256Squeeze { + Shake256Squeeze {state: st.state.absorb_final (input)} + } + pub(crate) fn shake256_squeeze(st:&mut Shake256Squeeze, out: &mut [u8]) { + st.state.squeeze (out) + } } /// A SIMD256 implementation of [`shake128::XofX4`] and [`shake256::Xof`] for AVX2. #[cfg(feature = "simd256")] pub(crate) mod simd256 { - use libcrux_sha3::{ - avx2::x4::{self, incremental::KeccakState}, - portable, - }; - + use libcrux_sha3::avx2::x4; + use libcrux_sha3::portable; use super::{shake128, shake256}; + /// AVX2 SHAKE 128 state /// /// This only implements the XofX4 API. For the single Xof, the portable /// version is used. + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake128x4 { - state: KeccakState, + state: libcrux_sha3::avx2::x4::incremental::KeccakState, + } + + /// Init the state and absorb 4 blocks in parallel. 
+ fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake128x4 { + let mut state = x4::incremental::init(); + x4::incremental::shake128_absorb_final(&mut state, &input0, &input1, &input2, &input3); + Shake128x4 { state } + } + + fn squeeze_first_five_blocks( + x: &mut Shake128x4, + out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out1: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + ) { + x4::incremental::shake128_squeeze_first_five_blocks( + &mut x.state, + out0, + out1, + out2, + out3, + ); + } + + fn squeeze_next_block( + x: &mut Shake128x4, + ) -> ( + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake128::BLOCK_SIZE]; + let mut out1 = [0u8; shake128::BLOCK_SIZE]; + let mut out2 = [0u8; shake128::BLOCK_SIZE]; + let mut out3 = [0u8; shake128::BLOCK_SIZE]; + x4::incremental::shake128_squeeze_next_block( + &mut x.state, + &mut out0, + &mut out1, + &mut out2, + &mut out3, + ); + + (out0, out1, out2, out3) } impl shake128::XofX4 for Shake128x4 { /// Init the state and absorb 4 blocks in parallel. fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - let mut state = x4::incremental::init(); - x4::incremental::shake128_absorb_final(&mut state, &input0, &input1, &input2, &input3); - Self { state } + init_absorb(input0, input1, input2, input3) } - + fn squeeze_first_five_blocks( &mut self, out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], @@ -315,13 +451,7 @@ pub(crate) mod simd256 { out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], ) { - x4::incremental::shake128_squeeze_first_five_blocks( - &mut self.state, - out0, - out1, - out2, - out3, - ); + squeeze_first_five_blocks(self, out0, out1, out2, out3); } fn squeeze_next_block( 
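Review bot: The free functions `shake256_init`, `shake256_absorb`, `shake256_absorb_final` and `shake256_squeeze` appended to `portable` are what `ml_dsa_generic` now uses for every single-lane SHAKE256 derivation, yet they carry no doc comments and their formatting (`::new ()`, `.absorb (input)`, `st:&mut`) does not match the rustfmt'd code around them. The `use libcrux_sha3::portable::incremental::{XofAbsorb, XofSqueeze};` is also placed between the struct definitions instead of with the module's other imports. I would run rustfmt on this hunk and put one comment above the group, e.g. `/// Incremental SHAKE256 for the generic ML-DSA code: absorb with shake256_absorb, finish with shake256_absorb_final (consumes the absorb-phase state, so no further absorb is possible), then shake256_squeeze.` Since both wrapper structs are marked `opaque_type` for hax, the absorb/squeeze phase split is presumably what the extracted F* relies on, and saying so in that comment would keep the next maintainer from collapsing the two types.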
@@ -332,19 +462,7 @@ pub(crate) mod simd256 { [u8; shake128::BLOCK_SIZE], [u8; shake128::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake128::BLOCK_SIZE]; - let mut out1 = [0u8; shake128::BLOCK_SIZE]; - let mut out2 = [0u8; shake128::BLOCK_SIZE]; - let mut out3 = [0u8; shake128::BLOCK_SIZE]; - x4::incremental::shake128_squeeze_next_block( - &mut self.state, - &mut out0, - &mut out1, - &mut out2, - &mut out3, - ); - - (out0, out1, out2, out3) + squeeze_next_block(self) } } 
@@ -352,46 +470,111 @@ pub(crate) mod simd256 { // we should use the portable Xof impelmentation above. /// AVX2 SHAKE 256 state - pub(crate) struct Shake256 { - state: portable::KeccakState, + pub(crate) type Shake256 = super::portable::Shake256; + + + // impl shake256::Xof for Shake256 { + // fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { + // portable::shake256(out, input); + // } + + // fn init_absorb(input: &[u8]) -> Self { + // let mut state = portable::incremental::shake256_init(); + // portable::incremental::shake256_absorb_final(&mut state, input); + + // Self { state } + // } + + // fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { + // let mut out = [0u8; shake256::BLOCK_SIZE]; + // portable::incremental::shake256_squeeze_first_block(&mut self.state, &mut out); + // out + // } + + // fn squeeze_next_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { + // let mut out = [0u8; shake256::BLOCK_SIZE]; + // portable::incremental::shake256_squeeze_next_block(&mut self.state, &mut out); + // out + // } + // } + + /// AVX2 SHAKE 256 x4 state. 
+ #[cfg_attr(hax, hax_lib::opaque_type)] + pub(crate) struct Shake256x4 { + state: libcrux_sha3::avx2::x4::incremental::KeccakState, } - impl shake256::Xof for Shake256 { - fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { - portable::shake256(out, input); - } - fn init_absorb(input: &[u8]) -> Self { - let mut state = portable::incremental::shake256_init(); - portable::incremental::shake256_absorb_final(&mut state, input); + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake256x4 { + let mut state = x4::incremental::init(); + x4::incremental::shake256_absorb_final(&mut state, &input0, &input1, &input2, &input3); + Shake256x4 { state } + } - Self { state } - } + fn squeeze_first_block_x4( + x: &mut Shake256x4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + x4::incremental::shake256_squeeze_first_block( + &mut x.state, + &mut out0, + &mut out1, + &mut out2, + &mut out3, + ); - fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { - let mut out = [0u8; shake256::BLOCK_SIZE]; - portable::incremental::shake256_squeeze_first_block(&mut self.state, &mut out); - out - } + (out0, out1, out2, out3) + } - fn squeeze_next_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { - let mut out = [0u8; shake256::BLOCK_SIZE]; - portable::incremental::shake256_squeeze_next_block(&mut self.state, &mut out); - out - } + fn squeeze_next_block_x4( + x: &mut Shake256x4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + let mut out3 = [0u8; 
shake256::BLOCK_SIZE]; + x4::incremental::shake256_squeeze_next_block( + &mut x.state, + &mut out0, + &mut out1, + &mut out2, + &mut out3, + ); + + (out0, out1, out2, out3) } - /// AVX2 SHAKE 256 x4 state. - pub(crate) struct Shake256x4 { - state: KeccakState, + fn shake256_x4( + input0: &[u8], + input1: &[u8], + input2: &[u8], + input3: &[u8], + out0: &mut [u8; OUT_LEN], + out1: &mut [u8; OUT_LEN], + out2: &mut [u8; OUT_LEN], + out3: &mut [u8; OUT_LEN], + ) { + x4::shake256(input0, input1, input2, input3, out0, out1, out2, out3); } impl shake256::XofX4 for Shake256x4 { + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - let mut state = x4::incremental::init(); - x4::incremental::shake256_absorb_final(&mut state, &input0, &input1, &input2, &input3); - Self { state } + init_absorb_x4(input0, input2, input2, input3) } - + fn squeeze_first_block_x4( &mut self, ) -> ( @@ -400,19 +583,7 @@ pub(crate) mod simd256 { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - x4::incremental::shake256_squeeze_first_block( - &mut self.state, - &mut out0, - &mut out1, - &mut out2, - &mut out3, - ); - - (out0, out1, out2, out3) + squeeze_first_block_x4(self) } fn squeeze_next_block_x4( @@ -423,19 +594,7 @@ pub(crate) mod simd256 { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - x4::incremental::shake256_squeeze_next_block( - &mut self.state, - &mut out0, - &mut out1, - &mut out2, - &mut out3, - ); - - (out0, out1, out2, out3) + squeeze_next_block_x4(self) } fn shake256_x4( 
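Review bot: `impl shake256::XofX4 for Shake256x4` in the `simd256` module calls `init_absorb_x4(input0, input2, input2, input3)`, so lane 1 absorbs `input2` and `input1` is never hashed; the portable and neon implementations, and the free `init_absorb_x4` defined just above in this hunk, all take `input0, input1, input2, input3`. Any AVX2 x4 SHAKE256 sampling that goes through this trait would silently diverge from the portable path in its second lane, which is exactly what a portable-vs-simd equality test or KAT run on an AVX2 host should catch if one exists. The fix is `init_absorb_x4(input0, input1, input2, input3)`. Separately, the roughly 25-line commented-out `impl shake256::Xof for Shake256` left above the `Shake256` type alias should be deleted rather than carried as dead text; with the alias in place, `use libcrux_sha3::portable;` in this module may also be unused.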
@@ -448,7 +607,7 @@ pub(crate) mod simd256 {
 out2: &mut [u8; OUT_LEN],
 out3: &mut [u8; OUT_LEN],
 ) {
- x4::shake256(input0, input1, input2, input3, out0, out1, out2, out3);
+ shake256_x4(input0, input1, input2, input3, out0, out1, out2, out3);
 }
 }
 }
@@ -457,21 +616,57 @@ pub(crate) mod simd256 { #[cfg(feature = "simd128")] pub(crate) mod neon { - use libcrux_sha3::neon::x2::{self, incremental::KeccakState}; - + use libcrux_sha3::neon::x2; use super::{shake128, shake256}; + #[cfg_attr(hax, hax_lib::opaque_type)] + pub(crate) type KeccakState = x2::incremental::KeccakState; + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake128x4 { state: [KeccakState; 2], } + /// Init the state and absorb 4 blocks in parallel. + fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake128x4 { + let mut state = [x2::incremental::init(), x2::incremental::init()]; + x2::incremental::shake128_absorb_final(&mut state[0], &input0, &input1); + x2::incremental::shake128_absorb_final(&mut state[1], &input2, &input3); + Shake128x4 { state } + } + + fn squeeze_first_five_blocks( + x: &mut Shake128x4, + out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out1: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + ) { + x2::incremental::shake128_squeeze_first_five_blocks(&mut x.state[0], out0, out1); + x2::incremental::shake128_squeeze_first_five_blocks(&mut x.state[1], out2, out3); + } + + fn squeeze_next_block( + x: &mut Shake128x4, + ) -> ( + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake128::BLOCK_SIZE]; + let mut out1 = [0u8; shake128::BLOCK_SIZE]; + let mut out2 = [0u8; shake128::BLOCK_SIZE]; + let mut out3 = [0u8; shake128::BLOCK_SIZE]; + x2::incremental::shake128_squeeze_next_block(&mut x.state[0], &mut out0, &mut out1); + x2::incremental::shake128_squeeze_next_block(&mut x.state[1], &mut out2, &mut out3); + + (out0, out1, out2, out3) + } + impl shake128::XofX4 for Shake128x4 { /// Init the state and absorb 4 blocks in parallel. 
fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - let mut state = [x2::incremental::init(), x2::incremental::init()]; - x2::incremental::shake128_absorb_final(&mut state[0], &input0, &input1); - x2::incremental::shake128_absorb_final(&mut state[1], &input2, &input3); - Self { state } + init_absorb(input0, input1, input2, input3) } fn squeeze_first_five_blocks( @@ -481,8 +676,7 @@ pub(crate) mod neon { out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], ) { - x2::incremental::shake128_squeeze_first_five_blocks(&mut self.state[0], out0, out1); - x2::incremental::shake128_squeeze_first_five_blocks(&mut self.state[1], out2, out3); + squeeze_first_five_blocks(self, out0, out1, out2, out3); } fn squeeze_next_block( 
@@ -493,28 +687,76 @@ pub(crate) mod neon { [u8; shake128::BLOCK_SIZE], [u8; shake128::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake128::BLOCK_SIZE]; - let mut out1 = [0u8; shake128::BLOCK_SIZE]; - let mut out2 = [0u8; shake128::BLOCK_SIZE]; - let mut out3 = [0u8; shake128::BLOCK_SIZE]; - x2::incremental::shake128_squeeze_next_block(&mut self.state[0], &mut out0, &mut out1); - x2::incremental::shake128_squeeze_next_block(&mut self.state[1], &mut out2, &mut out3); - - (out0, out1, out2, out3) + squeeze_next_block(self) } } /// Neon SHAKE 256 x4 state + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256x4 { state: [KeccakState; 2], } + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake256x4 { + let mut state = [x2::incremental::init(), x2::incremental::init()]; + x2::incremental::shake256_absorb_final(&mut state[0], &input0, &input1); + x2::incremental::shake256_absorb_final(&mut state[1], &input2, &input3); + Shake256x4 { state } + } + + fn squeeze_first_block_x4( + x:&mut Shake256x4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + x2::incremental::shake256_squeeze_first_block(&mut x.state[0], &mut out0, &mut out1); + x2::incremental::shake256_squeeze_first_block(&mut x.state[1], &mut out2, &mut out3); + + (out0, out1, out2, out3) + } + + fn squeeze_next_block_x4( + x: &mut Shake256x4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + 
x2::incremental::shake256_squeeze_next_block(&mut x.state[0], &mut out0, &mut out1); + x2::incremental::shake256_squeeze_next_block(&mut x.state[1], &mut out2, &mut out3); + + (out0, out1, out2, out3) + } + + fn shake256_x4( + input0: &[u8], + input1: &[u8], + input2: &[u8], + input3: &[u8], + out0: &mut [u8; OUT_LEN], + out1: &mut [u8; OUT_LEN], + out2: &mut [u8; OUT_LEN], + out3: &mut [u8; OUT_LEN], + ) { + x2::shake256(input0, input1, out0, out1); + x2::shake256(input2, input3, out2, out3); + } + impl shake256::XofX4 for Shake256x4 { fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - let mut state = [x2::incremental::init(), x2::incremental::init()]; - x2::incremental::shake256_absorb_final(&mut state[0], &input0, &input1); - x2::incremental::shake256_absorb_final(&mut state[1], &input2, &input3); - Self { state } + init_absorb_x4(input0, input1, input2, input3) } fn squeeze_first_block_x4( @@ -525,14 +767,7 @@ pub(crate) mod neon { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - x2::incremental::shake256_squeeze_first_block(&mut self.state[0], &mut out0, &mut out1); - x2::incremental::shake256_squeeze_first_block(&mut self.state[1], &mut out2, &mut out3); - - (out0, out1, out2, out3) + squeeze_first_block_x4(self) } fn squeeze_next_block_x4( 
@@ -543,14 +778,7 @@ pub(crate) mod neon { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - x2::incremental::shake256_squeeze_next_block(&mut self.state[0], &mut out0, &mut out1); - x2::incremental::shake256_squeeze_next_block(&mut self.state[1], &mut out2, &mut out3); - - (out0, out1, out2, out3) + squeeze_next_block_x4(self) } fn shake256_x4( @@ -563,8 +791,7 @@ pub(crate) mod neon { out2: &mut [u8; OUT_LEN], out3: &mut [u8; OUT_LEN], ) { - x2::shake256(input0, input1, out0, out1); - x2::shake256(input2, input3, out2, out3); + shake256_x4(input0, input1, input2, input3, out0, out1, out2, out3); } } } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 366f5def4..41b5994fa 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -1,12 +1,11 @@ -use libcrux_sha3::portable::incremental::{Shake256Absorb, XofAbsorb, XofSqueeze}; - use crate::{ arithmetic::{ decompose_vector, make_hint, power2round_vector, use_hint, vector_infinity_norm_exceeds, }, constants::*, encoding, - hash_functions::{shake128, shake256}, + hash_functions::{shake128, shake256, + portable::{shake256_init, shake256_absorb, shake256_absorb_final, shake256_squeeze}}, matrix::{ add_vectors, compute_A_times_mask, compute_As1_plus_s2, compute_w_approx, subtract_vectors, vector_times_ring_element, 
@@ -42,10 +41,10 @@ pub(crate) fn generate_key_pair< ) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { // 128 = SEED_FOR_A_SIZE + SEED_FOR_ERROR_VECTORS_SIZE + SEED_FOR_SIGNING_SIZE let mut seed_expanded = [0; 128]; - let mut shake = Shake256Absorb::new(); - shake.absorb(&randomness); - let mut shake = shake.absorb_final(&[ROWS_IN_A as u8, COLUMNS_IN_A as u8]); - shake.squeeze(&mut seed_expanded); + let mut shake = shake256_init(); + shake256_absorb(&mut shake, &randomness); + let mut shake = shake256_absorb_final(shake, &[ROWS_IN_A as u8, COLUMNS_IN_A as u8]); + shake256_squeeze(&mut shake, &mut seed_expanded); let (seed_for_a, seed_expanded) = seed_expanded.split_at(SEED_FOR_A_SIZE); let (seed_for_error_vectors, seed_for_signing) = @@ -256,12 +255,12 @@ pub(crate) fn sign_internal< let mut mask_seed = [0; MASK_SEED_SIZE]; { - let mut shake = Shake256Absorb::new(); - shake.absorb(&seed_for_signing); - shake.absorb(&randomness); - let mut shake = shake.absorb_final(&message_representative); + let mut shake = shake256_init(); + shake256_absorb(&mut shake, &seed_for_signing); + shake256_absorb(&mut shake, &randomness); + let mut shake = shake256_absorb_final(shake, &message_representative); - shake.squeeze(&mut mask_seed); + shake256_squeeze(&mut shake, &mut mask_seed); } let mut domain_separator_for_mask: u16 = 0; @@ -302,11 +301,11 @@ pub(crate) fn sign_internal< COMMITMENT_VECTOR_SIZE, >(commitment); - let mut shake = Shake256Absorb::new(); - shake.absorb(&message_representative); - let mut shake = shake.absorb_final(&commitment_serialized); + let mut shake = shake256_init(); + shake256_absorb(&mut shake, &message_representative); + let mut shake = shake256_absorb_final(shake, &commitment_serialized); - shake.squeeze(&mut commitment_hash_candidate); + shake256_squeeze(&mut shake, &mut commitment_hash_candidate); } let verifier_challenge_as_ntt = ntt(sample_challenge_ring_element::< 
@@ -419,19 +418,19 @@ fn derive_message_representative( message: &[u8], message_representative: &mut [u8; 64], ) { - let mut shake = Shake256Absorb::new(); - shake.absorb(&verification_key_hash); + let mut shake = shake256_init(); + shake256_absorb(&mut shake, &verification_key_hash); if let Some(domain_separation_context) = domain_separation_context { - shake.absorb(&[domain_separation_context.pre_hash_oid().is_some() as u8]); - shake.absorb(&[domain_separation_context.context().len() as u8]); - shake.absorb(domain_separation_context.context()); + shake256_absorb(&mut shake, &[domain_separation_context.pre_hash_oid().is_some() as u8]); + shake256_absorb(&mut shake, &[domain_separation_context.context().len() as u8]); + shake256_absorb(&mut shake, domain_separation_context.context()); if let Some(pre_hash_oid) = domain_separation_context.pre_hash_oid() { - shake.absorb(pre_hash_oid) + shake256_absorb(&mut shake, pre_hash_oid) } } - let mut shake = shake.absorb_final(message); - shake.squeeze(message_representative); + let mut shake = shake256_absorb_final(shake, message); + shake256_squeeze(&mut shake, message_representative); } /// The internal verification API. @@ -521,11 +520,11 @@ pub(crate) fn verify_internal< COMMITMENT_VECTOR_SIZE, >(commitment); - let mut shake = Shake256Absorb::new(); - shake.absorb(&message_representative); - let mut shake = shake.absorb_final(&commitment_serialized); + let mut shake = shake256_init(); + shake256_absorb(&mut shake, &message_representative); + let mut shake = shake256_absorb_final(shake, &commitment_serialized); - shake.squeeze(&mut commitment_hash); + shake256_squeeze(&mut shake, &mut commitment_hash); } if signature.commitment_hash != commitment_hash { From 924d808ff9cbc5dd8ff202d0c9f773728ee54cec Mon Sep 17 00:00:00 2001 
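Review bot: `shake256_absorb(&mut shake, &[domain_separation_context.context().len() as u8])` silently truncates the length byte when the context exceeds 255 bytes, so two different contexts could yield the same message representative; FIPS 204 limits `ctx` to 255 bytes and rejects longer ones. If `DomainSeparationContext`'s constructor already enforces that bound (not visible in this chunk) the cast is safe, but the invariant should be stated where it is relied on, e.g. `debug_assert!(domain_separation_context.context().len() <= 255);` before the absorb, or use `u8::try_from(...)` and surface the error. The `verify_internal` hunk recomputes the commitment hash with the same sequence as `sign_internal`, and the comparison on public data that follows needs no constant-time treatment. `derive_message_representative` and `verify_internal` both continue outside the hunks.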
From: Karthikeyan Bhargavan Date: Fri, 25 Oct 2024 14:24:59 +0200 Subject: [PATCH 11/74] ml-dsa refresh --- .../fstar/extraction/Libcrux_ml_dsa.Ntt.fst | 10 +- .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fst | 10 +- ...ibcrux_ml_dsa.Simd.Portable.Arithmetic.fst | 673 ++- ...bcrux_ml_dsa.Simd.Portable.Arithmetic.fsti | 89 + ...ux_ml_dsa.Simd.Portable.Encoding.Error.fst | 336 +- ...x_ml_dsa.Simd.Portable.Encoding.Error.fsti | 42 + ...x_ml_dsa.Simd.Portable.Encoding.Gamma1.fst | 832 +++- ..._ml_dsa.Simd.Portable.Encoding.Gamma1.fsti | 48 + ...bcrux_ml_dsa.Simd.Portable.Encoding.T0.fst | 752 +++- ...crux_ml_dsa.Simd.Portable.Encoding.T0.fsti | 17 + ...bcrux_ml_dsa.Simd.Portable.Encoding.T1.fst | 144 +- ...crux_ml_dsa.Simd.Portable.Encoding.T1.fsti | 12 + .../Libcrux_ml_dsa.Simd.Portable.Ntt.fst | 1229 +++++- .../Libcrux_ml_dsa.Simd.Portable.Ntt.fsti | 83 + ...dsa.Simd.Portable.Rec_bundle_437004224.fst | 3895 ----------------- .../Libcrux_ml_dsa.Simd.Portable.fst | 26 - ...fsti => Libcrux_ml_dsa.Simd.Portable.fsti} | 319 +- libcrux-ml-dsa/src/encoding/error.rs | 2 +- libcrux-ml-dsa/src/simd.rs | 4 +- libcrux-ml-dsa/src/simd/portable.rs | 2 +- .../src/simd/portable/arithmetic.rs | 24 +- .../src/simd/portable/encoding/error.rs | 7 +- .../src/simd/portable/encoding/gamma1.rs | 7 +- .../src/simd/portable/encoding/t0.rs | 9 +- .../src/simd/portable/encoding/t1.rs | 9 +- libcrux-ml-dsa/src/simd/portable/ntt.rs | 7 +- .../src/simd/portable/vector_type.rs | 5 +- libcrux-ml-dsa/src/simd/tests.rs | 95 + libcrux-ml-dsa/src/simd/traits.rs | 99 - .../Libcrux_ml_kem.Hash_functions.Avx2.fsti | 10 +- .../Libcrux_ml_kem.Hash_functions.Neon.fsti | 10 +- ...ibcrux_ml_kem.Hash_functions.Portable.fsti | 10 +- ...rux_ml_kem.Ind_cca.Instantiations.Avx2.fst | 66 +- ...ux_ml_kem.Ind_cca.Instantiations.Avx2.fsti | 90 +- .../Libcrux_ml_kem.Ind_cca.Unpacked.fst | 454 +- .../Libcrux_ml_kem.Ind_cca.Unpacked.fsti | 192 +- .../extraction/Libcrux_ml_kem.Ind_cca.fst | 348 +- 
.../extraction/Libcrux_ml_kem.Ind_cca.fsti | 130 +- .../Libcrux_ml_kem.Ind_cpa.Unpacked.fsti | 18 +- .../extraction/Libcrux_ml_kem.Ind_cpa.fst | 824 ++-- .../extraction/Libcrux_ml_kem.Ind_cpa.fsti | 428 +- .../extraction/Libcrux_ml_kem.Matrix.fst | 346 +- .../extraction/Libcrux_ml_kem.Matrix.fsti | 102 +- .../extraction/Libcrux_ml_kem.Polynomial.fst | 160 +- .../extraction/Libcrux_ml_kem.Polynomial.fsti | 44 +- .../extraction/Libcrux_ml_kem.Sampling.fst | 196 +- .../extraction/Libcrux_ml_kem.Sampling.fsti | 20 +- .../extraction/Libcrux_ml_kem.Serialize.fst | 1190 ++--- .../extraction/Libcrux_ml_kem.Serialize.fsti | 188 +- .../extraction/Libcrux_ml_kem.Types.fsti | 232 +- .../Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst | 2 +- .../extraction/Libcrux_ml_kem.Vector.Avx2.fst | 14 +- .../Libcrux_ml_kem.Vector.Avx2.fsti | 16 +- .../Libcrux_ml_kem.Vector.Neon.Arithmetic.fst | 186 +- ...Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti | 36 +- .../Libcrux_ml_kem.Vector.Neon.Compress.fst | 26 +- .../Libcrux_ml_kem.Vector.Neon.Compress.fsti | 6 +- .../Libcrux_ml_kem.Vector.Neon.Ntt.fst | 116 +- .../Libcrux_ml_kem.Vector.Neon.Ntt.fsti | 20 +- .../Libcrux_ml_kem.Vector.Neon.Serialize.fst | 278 +- .../Libcrux_ml_kem.Vector.Neon.Serialize.fsti | 12 +- .../Libcrux_ml_kem.Vector.Portable.fsti | 32 +- libcrux-ml-kem/src/vector/portable/ntt.rs | 2 +- libcrux-sha3/src/generic_keccak.rs | 2 +- 64 files changed, 7224 insertions(+), 7369 deletions(-) create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti create mode 100644 
libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fst delete mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst rename libcrux-ml-dsa/proofs/fstar/extraction/{Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fsti => Libcrux_ml_dsa.Simd.Portable.fsti} (59%) create mode 100644 libcrux-ml-dsa/src/simd/tests.rs diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst index cd110c1ec..f096cc94a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst @@ -83,8 +83,9 @@ let invert_ntt_at_layer_2_ (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let (re, zeta_i), hax_temp_output:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - usize) = + let (re, zeta_i), hax_temp_output:((Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize) & + Prims.unit) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 256 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize) (fun temp_0_ temp_1_ -> @@ -132,8 +133,9 @@ let invert_ntt_at_layer_3_plus (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = let step:usize = sz 1 <>! v_LAYER <: usize) (fun temp_0_ temp_1_ -> diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst index ecb029df7..6eac6010b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst 
@@ -205,8 +205,9 @@ let ntt_at_layer_3_plus (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = let step:usize = sz 1 <>! v_LAYER <: usize) (fun temp_0_ temp_1_ -> @@ -386,8 +387,9 @@ let ntt_at_layer_1_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract zeta_i, re <: (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) let ntt_at_layer_2_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let (re, zeta_i), hax_temp_output:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & - usize) = + let (re, zeta_i), hax_temp_output:((t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & + usize) & + Prims.unit) = Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256 (re <: t_Slice Libcrux_intrinsics.Avx2_extract.t_Vec256) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst index e42a2efa9..4d9c2f736 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst 
@@ -3,60 +3,657 @@ module Libcrux_ml_dsa.Simd.Portable.Arithmetic open Core open FStar.Mul -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY367462299 as v_DUMMY} +let compute_one_hint (v_GAMMA2 low high: i32) = + if + low >. v_GAMMA2 || low <. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) || + low =. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) && high <>. 0l + then 1l + else 0l -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY81638022 as v_DUMMY} +let get_n_least_significant_bits (n: u8) (value: u64) = value &. ((1uL <>! 23l in + fe -! (quotient *! Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY524003877 as v_DUMMY} +let montgomery_reduce_element (value: i64) = + let t:u64 = + (get_n_least_significant_bits v_MONTGOMERY_SHIFT (cast (value <: i64) <: u64) <: u64) *! + Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + in + let k:i32 = cast (get_n_least_significant_bits v_MONTGOMERY_SHIFT t <: u64) <: i32 in + let k_times_modulus:i64 = + (cast (k <: i32) <: i64) *! (cast (Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) <: i64) + in + let c:i32 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in + let value_high:i32 = cast (value >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in + value_high -! c -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY379549811 as v_DUMMY} +let montgomery_multiply_fe_by_fer (fe fer: i32) = + montgomery_reduce_element ((cast (fe <: i32) <: i64) *! (cast (fer <: i32) <: i64) <: i64) -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY657797394 as v_DUMMY} +let decompose_element (v_GAMMA2 r: i32) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if + ~.((r >. (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (r <. 
Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 (sz 1) + (sz 1) + (let list = ["the representative is "] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + (let list = + [Core.Fmt.Rt.impl_1__new_display #i32 r <: Core.Fmt.Rt.t_Argument] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + Core.Fmt.t_Arguments) + <: + Rust_primitives.Hax.t_Never) + in + () + in + let r:i32 = r +! ((r >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in + let v_ALPHA:i32 = v_GAMMA2 *! 2l in + let ceil_of_r_by_128_:i32 = (r +! 127l <: i32) >>! 7l in + let r1:i32 = + match v_ALPHA with + | 190464l -> + let result:i32 = + ((ceil_of_r_by_128_ *! 11275l <: i32) +! (1l <>! 24l + in + (result ^. ((43l -! result <: i32) >>! 31l <: i32) <: i32) &. result + | 523776l -> + let result:i32 = + ((ceil_of_r_by_128_ *! 1025l <: i32) +! (1l <>! 22l + in + result &. 15l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY856139336 as v_DUMMY} + <: + Rust_primitives.Hax.t_Never) + in + let r0:i32 = r -! (r1 *! v_ALPHA <: i32) in + let r0:i32 = + r0 -! + (((((Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS -! 1l <: i32) /! 2l <: i32) -! r0 <: i32) >>! + 31l + <: + i32) &. 
+ Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + <: + i32) + in + r0, r1 <: (i32 & i32) -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY633486193 as v_DUMMY} +let infinity_norm_exceeds + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (bound: i32) + = + let exceeds:bool = false in + let exceeds:bool = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Array.Iter.t_IntoIter + i32 (sz 8)) + #FStar.Tactics.Typeclasses.solve + (Core.Iter.Traits.Collect.f_into_iter #(t_Array i32 (sz 8)) + #FStar.Tactics.Typeclasses.solve + simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + <: + Core.Array.Iter.t_IntoIter i32 (sz 8)) + <: + Core.Array.Iter.t_IntoIter i32 (sz 8)) + exceeds + (fun exceeds coefficient -> + let exceeds:bool = exceeds in + let coefficient:i32 = coefficient in + let _:Prims.unit = + if true + then + let _:Prims.unit = + if + ~.((coefficient >. + (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (coefficient <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 + (sz 1) + (sz 1) + (let list = ["coefficient is "] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + (let list = + [ + Core.Fmt.Rt.impl_1__new_display #i32 coefficient + <: + Core.Fmt.Rt.t_Argument + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + Core.Fmt.t_Arguments) + <: + Rust_primitives.Hax.t_Never) + in + () + in + let sign:i32 = coefficient >>! 31l in + let normalized:i32 = coefficient -! (sign &. (2l *! coefficient <: i32) <: i32) in + let exceeds:bool = exceeds |. (normalized >=. 
bound <: bool) in + exceeds) + in + exceeds -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY237543931 as v_DUMMY} +let power2round_element (t: i32) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + if + ~.((t >. (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (t <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + then + Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 (sz 1) + (sz 1) + (let list = ["t is "] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + (let list = + [Core.Fmt.Rt.impl_1__new_display #i32 t <: Core.Fmt.Rt.t_Argument] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + Core.Fmt.t_Arguments) + <: + Rust_primitives.Hax.t_Never) + in + () + in + let t:i32 = t +! ((t >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in + let t1:i32 = + ((t -! 1l <: i32) +! + (1l <>! + Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T + in + let t0:i32 = t -! (t1 < + if r0 >. 0l + then if r1 =. 43l then 0l else r1 +! hint + else if r1 =. 0l then 43l else r1 -! hint + | 261888l -> if r0 >. 0l then (r1 +! hint <: i32) &. 15l else (r1 -! hint <: i32) &. 
15l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_MONTGOMERY_SHIFT as v_MONTGOMERY_SHIFT} + <: + Rust_primitives.Hax.t_Never) -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {compute_one_hint as compute_one_hint} +let power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + Rust_primitives.Hax.Folds.fold_enumerated_slice simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (fun temp_0_ temp_1_ -> + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (t0_simd_unit, t1_simd_unit + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + (fun temp_0_ temp_1_ -> + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let i, t:(usize & i32) = temp_1_ in + let t0, t1:(i32 & i32) = power2round_element t in + let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + t0_simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0_simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + 
t0 + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + t1_simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1_simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + t1 + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + t0_simd_unit, t1_simd_unit + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + in + t0_simd_unit, t1_simd_unit + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {get_n_least_significant_bits as get_n_least_significant_bits} +let add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (sum.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun sum temp_1_ -> + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in + let _:usize = temp_1_ in + true) + sum + (fun sum i -> + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in + let i:usize = i in + { + sum with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sum + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) +! 
+ (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + sum -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {reduce_element as reduce_element} +let compute_hint + (v_GAMMA2: i32) + (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let one_hints_count:usize = sz 0 in + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun temp_0_ temp_1_ -> + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (hint, one_hints_count + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) + (fun temp_0_ i -> + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + usize) = + temp_0_ + in + let i:usize = i in + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + hint with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (compute_one_hint v_GAMMA2 + (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + (high.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let one_hints_count:usize = + one_hints_count +! 
+ (cast (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + usize) + in + hint, one_hints_count + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) + in + one_hints_count, hint <: (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {montgomery_reduce_element as montgomery_reduce_element} +let decompose + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun temp_0_ temp_1_ -> + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (high, low + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + (fun temp_0_ i -> + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let i:usize = i in + let low_part, high_part:(i32 & i32) = + decompose_element v_GAMMA2 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + in + let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + low with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + low_part + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + high with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + high_part + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + high, low + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + in + low, high + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {montgomery_multiply_fe_by_fer as montgomery_multiply_fe_by_fer} +let montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (product.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun product temp_1_ -> + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in + let _:usize = temp_1_ in + true) + product + (fun product i -> + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in + let i:usize = i in + { + product with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize product + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + 
(montgomery_reduce_element ((cast (lhs + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] + <: + i32) + <: + i64) *! + (cast (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i64) + <: + i64) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + product -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {decompose_element as decompose_element} +let montgomery_multiply_by_constant + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (c: i32) + = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit i -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i:usize = i in + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (montgomery_reduce_element ((cast (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] + <: + i32) + <: + i64) *! 
+ (cast (c <: i32) <: i64) + <: + i64) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + simd_unit -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {infinity_norm_exceeds as infinity_norm_exceeds} +let shift_left_then_reduce + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun out temp_1_ -> + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in + let _:usize = temp_1_ in + true) + out + (fun out i -> + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in + let i:usize = i in + { + out with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (reduce_element ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i + ] + <: + i32) < + let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in + let _:usize = temp_1_ in + true) + difference + (fun difference i -> + let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in + let i:usize = i in + { + difference with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize difference + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) -! 
+ (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + difference -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {use_one_hint as use_one_hint} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {montgomery_multiply_by_constant as montgomery_multiply_by_constant} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {add as add} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {compute_hint as compute_hint} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {decompose as decompose} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {montgomery_multiply as montgomery_multiply} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {power2round as power2round} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {shift_left_then_reduce as shift_left_then_reduce} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {subtract as subtract} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {use_hint as use_hint} +let use_hint + (v_GAMMA2: i32) + (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (result.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun result temp_1_ -> + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in + let i:usize = i in + { + result with + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (use_one_hint v_GAMMA2 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti new file mode 100644 index 000000000..2a50db3ec --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti 
@@ -0,0 +1,89 @@ +module Libcrux_ml_dsa.Simd.Portable.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_MONTGOMERY_SHIFT: u8 = 32uy + +val compute_one_hint (v_GAMMA2 low high: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val get_n_least_significant_bits (n: u8) (value: u64) + : Prims.Pure u64 Prims.l_True (fun _ -> Prims.l_True) + +val reduce_element (fe: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_reduce_element (value: i64) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_fe_by_fer (fe fer: i32) + : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val decompose_element (v_GAMMA2 r: i32) + : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) + +val infinity_norm_exceeds + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (bound: i32) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) + +val use_one_hint (v_GAMMA2 r hint: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val compute_hint + (v_GAMMA2: i32) + (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val decompose + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : 
Prims.Pure + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (c: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val shift_left_then_reduce + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val use_hint + (v_GAMMA2: i32) + (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst index 077803ff8..a91008218 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst 
@@ -3,26 +3,330 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Error open Core open FStar.Mul -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY648673932 as v_DUMMY} +let serialize_when_eta_is_2_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let coefficient0:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient1:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient2:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient3:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient4:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient5:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient6:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient7:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + <: + u8 + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 0) + (((coefficient2 <>! 
2l <: u8) + <: + u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 2) + (((coefficient7 <>! 1l <: u8) + <: + u8) + in + serialized -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY221943049 as v_DUMMY} +let deserialize_when_eta_is_2_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 3 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + (deserialize_when_eta_is_2___ETA -! (byte0 &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + (deserialize_when_eta_is_2___ETA -! ((byte0 >>! 3l <: i32) &. 
7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + (deserialize_when_eta_is_2___ETA -! + (((byte0 >>! 6l <: i32) |. (byte1 <>! 1l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + (deserialize_when_eta_is_2___ETA -! ((byte1 >>! 4l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + (deserialize_when_eta_is_2___ETA -! + (((byte1 >>! 7l <: i32) |. (byte2 <>! 2l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (deserialize_when_eta_is_2___ETA -! ((byte2 >>! 5l <: i32) &. 
7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_ETA832233724 as deserialize_when_eta_is_2___ETA} +let deserialize_when_eta_is_4_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 4 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_enumerated_slice serialized + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, byte:(usize & u8) = temp_1_ in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2 *! i <: usize) + (deserialize_when_eta_is_4___ETA -! (cast (byte &. 15uy <: u8) <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + ((sz 2 *! i <: usize) +! sz 1 <: usize) + (deserialize_when_eta_is_4___ETA -! (cast (byte >>! 
4l <: u8) <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit) + in + simd_unit -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_ETA177254429 as deserialize_when_eta_is_4___ETA} +let deserialize (v_ETA: usize) (serialized: t_Slice u8) = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> deserialize_when_eta_is_2_ serialized + | 4uy -> deserialize_when_eta_is_4_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_ETA345140054 as serialize_when_eta_is_2___ETA} + <: + Rust_primitives.Hax.t_Never) -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_ETA858068178 as serialize_when_eta_is_4___ETA} +let serialize_when_eta_is_4_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:u8 = + cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 0 ] <: i32) <: i32) <: u8 + in + let coefficient1:u8 = + cast (serialize_when_eta_is_4___ETA -! 
(coefficients.[ sz 1 ] <: i32) <: i32) <: u8 + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + i + ((coefficient1 < serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit + | 4uy -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {serialize_when_eta_is_4_ as serialize_when_eta_is_4_} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {serialize1006998023 as serialize} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {deserialize_when_eta_is_2_ as deserialize_when_eta_is_2_} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {deserialize_when_eta_is_4_ as deserialize_when_eta_is_4_} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {deserialize154437703 as deserialize} + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti new file mode 100644 index 000000000..e973dc734 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti 
@@ -0,0 +1,42 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_when_eta_is_2___ETA: i32 = 2l + +let deserialize_when_eta_is_4___ETA: i32 = 4l + +let serialize_when_eta_is_2___ETA: i32 = 2l + +let serialize_when_eta_is_4___ETA: i32 = 4l + +val serialize_when_eta_is_2_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize_when_eta_is_2_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_when_eta_is_4_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize (v_ETA: usize) (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize_when_eta_is_4_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst index 8eb4337c6..5851c5998 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst 
@@ -3,30 +3,822 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1 open Core open FStar.Mul -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY771885219 as v_DUMMY} +let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 18 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 9) + serialized + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4 *! i <: usize) + (cast (bytes.[ sz 0 ] <: u8) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4 *! i <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 *! i + <: + usize ] + <: + i32) |. + ((cast (bytes.[ sz 1 ] <: u8) <: i32) <>! 
2l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + ((sz 4 *! i <: usize) +! sz 1 <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (sz 4 *! i + <: + usize) +! + sz 1 + <: + usize ] + <: + i32) |. + ((cast (bytes.[ sz 3 ] <: u8) <: i32) <>! 4l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + ((sz 4 *! i <: usize) +! sz 2 <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (sz 4 *! i + <: + usize) +! + sz 2 + <: + usize ] + <: + i32) |. + ((cast (bytes.[ sz 5 ] <: u8) <: i32) <>! 6l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + ((sz 4 *! i <: usize) +! sz 3 <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (sz 4 *! i + <: + usize) +! + sz 3 + <: + usize ] + <: + i32) |. 
+ ((cast (bytes.[ sz 7 ] <: u8) <: i32) < + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2 *! i <: usize) + (cast (bytes.[ sz 0 ] <: u8) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2 *! i <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 *! i + <: + usize ] + <: + i32) |. + ((cast (bytes.[ sz 1 ] <: u8) <: i32) <>! 4l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + ((sz 2 *! i <: usize) +! sz 1 <: usize) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (sz 2 *! i + <: + usize) +! + sz 1 + <: + usize ] + <: + i32) |. 
+ ((cast (bytes.[ sz 3 ] <: u8) <: i32) < deserialize_when_gamma1_is_2_pow_17_ serialized + | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_GAMMA1_TIMES_2_BITMASK305664693 as deserialize_when_gamma1_is_2_pow_17___GAMMA1_TIMES_2_BITMASK} + <: + Rust_primitives.Hax.t_Never) -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_GAMMA1465203885 as deserialize_when_gamma1_is_2_pow_19___GAMMA1} +let serialize_when_gamma1_is_2_pow_17_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 0 ] <: i32) + in + let coefficient1:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 1 ] <: i32) + in + let coefficient2:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 2 ] <: i32) + in + let coefficient3:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 3 ] <: i32) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 9 *! 
i <: usize) + (cast (coefficient0 <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 1 <: usize) + (cast (coefficient0 >>! 8l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 2 <: usize) + (cast (coefficient0 >>! 16l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 2 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 2 <: usize ] <: u8) |. + (cast (coefficient1 <>! 6l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 4 <: usize) + (cast (coefficient1 >>! 14l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 4 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 4 <: usize ] <: u8) |. + (cast (coefficient2 <>! 4l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 6 <: usize) + (cast (coefficient2 >>! 12l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 6 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 6 <: usize ] <: u8) |. + (cast (coefficient3 <>! 2l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 8 <: usize) + (cast (coefficient3 >>! 
10l <: i32) <: u8) + in + serialized) + in + serialized -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_GAMMA1_TIMES_2_BITMASK614047129 as deserialize_when_gamma1_is_2_pow_19___GAMMA1_TIMES_2_BITMASK} +let serialize_when_gamma1_is_2_pow_19_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:i32 = + serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 0 ] <: i32) + in + let coefficient1:i32 = + serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 1 ] <: i32) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 5 *! i <: usize) + (cast (coefficient0 <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 1 <: usize) + (cast (coefficient0 >>! 8l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + (cast (coefficient0 >>! 16l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + ((serialized.[ (sz 5 *! i <: usize) +! sz 2 <: usize ] <: u8) |. + (cast (coefficient1 <>! 
4l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 4 <: usize) + (cast (coefficient1 >>! 12l <: i32) <: u8) + in + serialized) + in + serialized -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_GAMMA1331343739 as serialize_when_gamma1_is_2_pow_17___GAMMA1} +let serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 18uy -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit + | 20uy -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_GAMMA1658756807 as serialize_when_gamma1_is_2_pow_19___GAMMA1} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {serialize_when_gamma1_is_2_pow_17_ as serialize_when_gamma1_is_2_pow_17_} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {serialize_when_gamma1_is_2_pow_19_ as serialize_when_gamma1_is_2_pow_19_} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {serialize526929060 as serialize} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {deserialize_when_gamma1_is_2_pow_17_ as deserialize_when_gamma1_is_2_pow_17_} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {deserialize_when_gamma1_is_2_pow_19_ as deserialize_when_gamma1_is_2_pow_19_} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {deserialize244287932 as deserialize} + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti new file mode 100644 index 000000000..a22f485c1 --- /dev/null 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti @@ -0,0 +1,48 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True) + +val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize_when_gamma1_is_2_pow_17_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_gamma1_is_2_pow_19_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst index 4658c7a86..64bb1f928 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst 
@@ -3,18 +3,744 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.T0 open Core open FStar.Mul -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY768581343 as v_DUMMY} +let change_t0_interval (t0: i32) = + (1l <>! 8l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 1) + ((serialized.[ sz 1 ] <: u8) |. (cast (coefficient1 <>! 3l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 3) + (cast (coefficient1 >>! 11l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 3) + ((serialized.[ sz 3 ] <: u8) |. (cast (coefficient2 <>! 6l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 4) + ((serialized.[ sz 4 ] <: u8) |. (cast (coefficient3 <>! 1l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 6) + (cast (coefficient3 >>! 9l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 6) + ((serialized.[ sz 6 ] <: u8) |. (cast (coefficient4 <>! 4l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 8) + (cast (coefficient4 >>! 12l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 8) + ((serialized.[ sz 8 ] <: u8) |. (cast (coefficient5 <>! 7l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 9) + ((serialized.[ sz 9 ] <: u8) |. (cast (coefficient6 <>! 
2l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 11) + (cast (coefficient6 >>! 10l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 11) + ((serialized.[ sz 11 ] <: u8) |. (cast (coefficient7 <>! 5l <: i32) <: u8) + in + serialized -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY442276865 as v_DUMMY} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY787543067 as v_DUMMY} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {change_t0_interval as change_t0_interval} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_BITS_IN_LOWER_PART_OF_T_MASK as deserialize__BITS_IN_LOWER_PART_OF_T_MASK} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {serialize977980603 as serialize} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {deserialize297775919 as deserialize} +let deserialize (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. 
sz 13 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in + let byte3:i32 = cast (serialized.[ sz 3 ] <: u8) <: i32 in + let byte4:i32 = cast (serialized.[ sz 4 ] <: u8) <: i32 in + let byte5:i32 = cast (serialized.[ sz 5 ] <: u8) <: i32 in + let byte6:i32 = cast (serialized.[ sz 6 ] <: u8) <: i32 in + let byte7:i32 = cast (serialized.[ sz 7 ] <: u8) <: i32 in + let byte8:i32 = cast (serialized.[ sz 8 ] <: u8) <: i32 in + let byte9:i32 = cast (serialized.[ sz 9 ] <: u8) <: i32 in + let byte10:i32 = cast (serialized.[ sz 10 ] <: u8) <: i32 in + let byte11:i32 = cast (serialized.[ sz 11 ] <: u8) <: i32 in + let byte12:i32 = cast (serialized.[ sz 12 ] <: u8) <: i32 in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + byte0 + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) |. + (byte1 <>! 
5l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) |. + (byte2 <>! 2l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) |. + (byte4 <>! 7l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) |. + (byte5 <>! 4l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) |. + (byte7 <>! 
1l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) |. + (byte9 <>! 6l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) |. + (byte10 <>! 3l <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) |. + (byte12 < Prims.l_True) + +let deserialize__BITS_IN_LOWER_PART_OF_T_MASK: i32 = + (1l < Prims.l_True) + +val deserialize (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst index 1d556b8ed..aab3acfcc 100644 
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst
@@ -3,14 +3,138 @@ module Libcrux_ml_dsa.Simd.Portable.Encoding.T1 open Core open FStar.Mul -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY720308282 as v_DUMMY} +let deserialize (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 10 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let mask:i32 = (1l < + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let byte0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in + let byte3:i32 = cast (bytes.[ sz 3 ] <: u8) <: i32 in + let byte4:i32 = cast (bytes.[ sz 4 ] <: u8) <: i32 in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4 *! i <: usize) + ((byte0 |. (byte1 <>! 2l <: i32) |. (byte2 <>! 4l <: i32) |. (byte3 <>! 6l <: i32) |. (byte4 < + let serialized:t_Array u8 (sz 10) = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 10) = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 5 *! i <: usize) + (cast ((coefficients.[ sz 0 ] <: i32) &. 
255l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 1 <: usize) + (((cast ((coefficients.[ sz 1 ] <: i32) &. 63l <: i32) <: u8) <>! 8l <: i32) &. 3l <: i32) <: u8) + <: + u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + (((cast ((coefficients.[ sz 2 ] <: i32) &. 15l <: i32) <: u8) <>! 6l <: i32) &. 15l <: i32) <: u8) + <: + u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 3 <: usize) + (((cast ((coefficients.[ sz 3 ] <: i32) &. 3l <: i32) <: u8) <>! 4l <: i32) &. 63l <: i32) <: u8) + <: + u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 4 <: usize) + (cast (((coefficients.[ sz 3 ] <: i32) >>! 2l <: i32) &. 255l <: i32) <: u8) + in + serialized) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti new file mode 100644 index 000000000..0d94a5f30 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti @@ -0,0 +1,12 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val deserialize (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst
index b4ea90c2b..3fca93ccb 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst
@@ -3,42 +3,1213 @@ module Libcrux_ml_dsa.Simd.Portable.Ntt open Core open FStar.Mul -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY486617197 as v_DUMMY} +let invert_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta2 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta3 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY671965844 as v_DUMMY} +let invert_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY879052313 as v_DUMMY} +let invert_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY359502844 as v_DUMMY} +let simd_unit_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + = + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] + <: + i32) + zeta0 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] + <: + i32) + zeta1 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] + <: + i32) + zeta2 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] + <: + i32) + zeta3 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) +! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY91690999 as v_DUMMY} +let simd_unit_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta1 zeta2: i32) + = + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] + <: + i32) + zeta1 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] + <: + i32) + zeta1 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] + <: + i32) + zeta2 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] + <: + i32) + zeta2 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) +! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY782304655 as v_DUMMY} +let simd_unit_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + = + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY344990702 as v_DUMMY} +let ntt_at_layer_0_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let zeta_i:usize = zeta_i +! 
sz 1 in + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & + usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let round:usize = round in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + round + (simd_unit_ntt_at_layer_0_ (re.[ round ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ] + <: + i32) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let zeta_i:usize = zeta_i +! sz 4 in + re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + in + let zeta_i:usize = zeta_i -! 
sz 1 in + zeta_i, re + <: + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY410925233 as v_DUMMY} +let ntt_at_layer_1_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let zeta_i:usize = zeta_i +! sz 1 in + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & + usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let round:usize = round in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + round + (simd_unit_ntt_at_layer_1_ (re.[ round ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] + <: + i32) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let zeta_i:usize = zeta_i +! sz 2 in + re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + in + let zeta_i:usize = zeta_i -! 
sz 1 in + zeta_i, re + <: + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY997570341 as v_DUMMY} +let ntt_at_layer_2_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let (re, zeta_i), hax_temp_output:((t_Array + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & + usize) & + Prims.unit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i +! 
sz 1 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + round + (simd_unit_ntt_at_layer_2_ (re.[ round ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + in + zeta_i, re + <: + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {invert_ntt_at_layer_0_ as invert_ntt_at_layer_0_} +let ntt_at_layer_3_plus + (v_LAYER zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let step:usize = sz 1 <>! v_LAYER <: usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i +! sz 1 in + let offset:usize = + ((round *! step <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
step_by <: usize) + (fun re temp_1_ -> + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) + = + re + in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) + = + re + in + let j:usize = j in + let t:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant (re.[ j +! + step_by + <: + usize ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! step_by <: usize) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract (re.[ j ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + re) + in + re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + in + zeta_i, re + <: + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {invert_ntt_at_layer_1_ as invert_ntt_at_layer_1_} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {invert_ntt_at_layer_2_ as invert_ntt_at_layer_2_} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {simd_unit_ntt_at_layer_0_ as simd_unit_ntt_at_layer_0_} - -include 
Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {simd_unit_ntt_at_layer_1_ as simd_unit_ntt_at_layer_1_} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {simd_unit_ntt_at_layer_2_ as simd_unit_ntt_at_layer_2_} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {ntt_at_layer_0_ as ntt_at_layer_0_} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {ntt_at_layer_1_ as ntt_at_layer_1_} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {ntt_at_layer_2_ as ntt_at_layer_2_} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {ntt as ntt} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {ntt_at_layer_3_plus as ntt_at_layer_3_plus} +let ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + let zeta_i:usize = sz 0 in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + ntt_at_layer_3_plus (sz 7) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + ntt_at_layer_3_plus (sz 6) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + ntt_at_layer_3_plus (sz 5) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + ntt_at_layer_3_plus (sz 4) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 
in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + ntt_at_layer_3_plus (sz 3) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + ntt_at_layer_2_ zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + ntt_at_layer_1_ zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + ntt_at_layer_0_ zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in + let _:Prims.unit = () in + re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti new file mode 100644 index 000000000..abb1d13d4 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti 
@@ -0,0 +1,83 @@ +module Libcrux_ml_dsa.Simd.Portable.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val invert_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta1 zeta2: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_0_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_1_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) 
+ : Prims.Pure + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_2_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_3_plus + (v_LAYER zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fst deleted file mode 100644 index 8841abdd5..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fst +++ /dev/null 
@@ -1,3895 +0,0 @@ -module Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Simd.Portable.Vector_type in - let open Libcrux_ml_dsa.Simd.Traits in - () - -let compute_one_hint (v_GAMMA2 low high: i32) = - if - low >. v_GAMMA2 || low <. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) || - low =. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) && high <>. 0l - then 1l - else 0l - -let get_n_least_significant_bits (n: u8) (value: u64) = value &. ((1uL <>! 23l in - fe -! (quotient *! Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) - -let montgomery_reduce_element (value: i64) = - let t:u64 = - (get_n_least_significant_bits v_MONTGOMERY_SHIFT (cast (value <: i64) <: u64) <: u64) *! - Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R - in - let k:i32 = cast (get_n_least_significant_bits v_MONTGOMERY_SHIFT t <: u64) <: i32 in - let k_times_modulus:i64 = - (cast (k <: i32) <: i64) *! (cast (Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) <: i64) - in - let c:i32 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in - let value_high:i32 = cast (value >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in - value_high -! c - -let montgomery_multiply_fe_by_fer (fe fer: i32) = - montgomery_reduce_element ((cast (fe <: i32) <: i64) *! (cast (fer <: i32) <: i64) <: i64) - -let invert_ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1 zeta2 zeta3: i32) - = - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - (montgomery_multiply_fe_by_fer a_minus_b zeta0 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 3) - (montgomery_multiply_fe_by_fer a_minus_b zeta1 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - (montgomery_multiply_fe_by_fer a_minus_b zeta2 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - (montgomery_multiply_fe_by_fer a_minus_b zeta3 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit - -let invert_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1: i32) - = - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - (montgomery_multiply_fe_by_fer a_minus_b zeta0 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 3) - (montgomery_multiply_fe_by_fer a_minus_b zeta0 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 6) - (montgomery_multiply_fe_by_fer a_minus_b zeta1 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - (montgomery_multiply_fe_by_fer a_minus_b zeta1 <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit - -let invert_ntt_at_layer_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta: i32) - = - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - (montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - (montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 6) - (montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let a_minus_b:i32 = - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) +! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - (montgomery_multiply_fe_by_fer a_minus_b zeta <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit - -let simd_unit_ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1 zeta2 zeta3: i32) - = - let t:i32 = - montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ - sz 1 ] - <: - i32) - zeta0 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! 
t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ - sz 3 ] - <: - i32) - zeta1 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ - sz 5 ] - <: - i32) - zeta2 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! 
t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ - sz 7 ] - <: - i32) - zeta3 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) +! 
t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit - -let simd_unit_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta1 zeta2: i32) - = - let t:i32 = - montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ - sz 2 ] - <: - i32) - zeta1 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ - sz 3 ] - <: - i32) - zeta1 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! 
t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ - sz 6 ] - <: - i32) - zeta2 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! 
t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ - sz 7 ] - <: - i32) - zeta2 - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit - -let simd_unit_ntt_at_layer_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta: i32) - = - let t:i32 = - montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ - sz 4 ] - <: - i32) - zeta - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! 
t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ - sz 5 ] - <: - i32) - zeta - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! 
t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ - sz 6 ] - <: - i32) - zeta - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t:i32 = - montgomery_multiply_fe_by_fer (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ - sz 7 ] - <: - i32) - zeta - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! 
t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) +! t - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit - -let decompose_element (v_GAMMA2 r: i32) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - if - ~.((r >. (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) - <: - bool) && - (r <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) - then - Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 (sz 1) - (sz 1) - (let list = ["the representative is "] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - (let list = - [Core.Fmt.Rt.impl_1__new_display #i32 r <: Core.Fmt.Rt.t_Argument] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - <: - Core.Fmt.t_Arguments) - <: - Rust_primitives.Hax.t_Never) - in - () - in - let r:i32 = r +! ((r >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in - let v_ALPHA:i32 = v_GAMMA2 *! 2l in - let ceil_of_r_by_128_:i32 = (r +! 127l <: i32) >>! 7l in - let r1:i32 = - match v_ALPHA with - | 190464l -> - let result:i32 = - ((ceil_of_r_by_128_ *! 11275l <: i32) +! (1l <>! 24l - in - (result ^. ((43l -! result <: i32) >>! 31l <: i32) <: i32) &. result - | 523776l -> - let result:i32 = - ((ceil_of_r_by_128_ *! 1025l <: i32) +! (1l <>! 22l - in - result &. 
15l - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - in - let r0:i32 = r -! (r1 *! v_ALPHA <: i32) in - let r0:i32 = - r0 -! - (((((Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS -! 1l <: i32) /! 2l <: i32) -! r0 <: i32) >>! - 31l - <: - i32) &. - Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS - <: - i32) - in - r0, r1 <: (i32 & i32) - -let infinity_norm_exceeds - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (bound: i32) - = - let exceeds:bool = false in - let exceeds:bool = - Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Array.Iter.t_IntoIter - i32 (sz 8)) - #FStar.Tactics.Typeclasses.solve - (Core.Iter.Traits.Collect.f_into_iter #(t_Array i32 (sz 8)) - #FStar.Tactics.Typeclasses.solve - simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - <: - Core.Array.Iter.t_IntoIter i32 (sz 8)) - <: - Core.Array.Iter.t_IntoIter i32 (sz 8)) - exceeds - (fun exceeds coefficient -> - let exceeds:bool = exceeds in - let coefficient:i32 = coefficient in - let _:Prims.unit = - if true - then - let _:Prims.unit = - if - ~.((coefficient >. - (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) - <: - bool) && - (coefficient <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) - then - Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 - (sz 1) - (sz 1) - (let list = ["coefficient is "] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - (let list = - [ - Core.Fmt.Rt.impl_1__new_display #i32 coefficient - <: - Core.Fmt.Rt.t_Argument - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - <: - Core.Fmt.t_Arguments) - <: - Rust_primitives.Hax.t_Never) - in - () - in - let sign:i32 = coefficient >>! 
31l in - let normalized:i32 = coefficient -! (sign &. (2l *! coefficient <: i32) <: i32) in - let exceeds:bool = exceeds |. (normalized >=. bound <: bool) in - exceeds) - in - exceeds - -let power2round_element (t: i32) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - if - ~.((t >. (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) - <: - bool) && - (t <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) - then - Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 (sz 1) - (sz 1) - (let list = ["t is "] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - (let list = - [Core.Fmt.Rt.impl_1__new_display #i32 t <: Core.Fmt.Rt.t_Argument] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - <: - Core.Fmt.t_Arguments) - <: - Rust_primitives.Hax.t_Never) - in - () - in - let t:i32 = t +! ((t >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in - let t1:i32 = - ((t -! 1l <: i32) +! - (1l <>! - Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T - in - let t0:i32 = t -! (t1 < - if r0 >. 0l - then if r1 =. 43l then 0l else r1 +! hint - else if r1 =. 0l then 43l else r1 -! hint - | 261888l -> if r0 >. 0l then (r1 +! hint <: i32) &. 15l else (r1 -! hint <: i32) &. 15l - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - -let serialize_when_eta_is_2_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in - let coefficient0:u8 = - cast (v_ETA345140054 -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) - <: - i32) - <: - u8 - in - let coefficient1:u8 = - cast (v_ETA345140054 -! 
- (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) - <: - i32) - <: - u8 - in - let coefficient2:u8 = - cast (v_ETA345140054 -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) - <: - i32) - <: - u8 - in - let coefficient3:u8 = - cast (v_ETA345140054 -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) - <: - i32) - <: - u8 - in - let coefficient4:u8 = - cast (v_ETA345140054 -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) - <: - i32) - <: - u8 - in - let coefficient5:u8 = - cast (v_ETA345140054 -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) - <: - i32) - <: - u8 - in - let coefficient6:u8 = - cast (v_ETA345140054 -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) - <: - i32) - <: - u8 - in - let coefficient7:u8 = - cast (v_ETA345140054 -! - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) - <: - i32) - <: - u8 - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 0) - (((coefficient2 <>! 2l <: u8) - <: - u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 2) - (((coefficient7 <>! 
1l <: u8) - <: - u8) - in - serialized - -let serialize977980603 (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - let serialized:t_Array u8 (sz 13) = Rust_primitives.Hax.repeat 0uy (sz 13) in - let coefficient0:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] - <: - i32) - in - let coefficient1:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] - <: - i32) - in - let coefficient2:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] - <: - i32) - in - let coefficient3:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] - <: - i32) - in - let coefficient4:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] - <: - i32) - in - let coefficient5:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] - <: - i32) - in - let coefficient6:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] - <: - i32) - in - let coefficient7:i32 = - change_t0_interval (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] - <: - i32) - in - let serialized:t_Array u8 (sz 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 0) - (cast (coefficient0 <: i32) <: u8) - in - let serialized:t_Array u8 (sz 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 1) - (cast (coefficient0 >>! 8l <: i32) <: u8) - in - let serialized:t_Array u8 (sz 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 1) - ((serialized.[ sz 1 ] <: u8) |. (cast (coefficient1 <>! 
3l <: i32) <: u8) - in - let serialized:t_Array u8 (sz 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 3) - (cast (coefficient1 >>! 11l <: i32) <: u8) - in - let serialized:t_Array u8 (sz 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 3) - ((serialized.[ sz 3 ] <: u8) |. (cast (coefficient2 <>! 6l <: i32) <: u8) - in - let serialized:t_Array u8 (sz 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 4) - ((serialized.[ sz 4 ] <: u8) |. (cast (coefficient3 <>! 1l <: i32) <: u8) - in - let serialized:t_Array u8 (sz 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 6) - (cast (coefficient3 >>! 9l <: i32) <: u8) - in - let serialized:t_Array u8 (sz 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 6) - ((serialized.[ sz 6 ] <: u8) |. (cast (coefficient4 <>! 4l <: i32) <: u8) - in - let serialized:t_Array u8 (sz 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 8) - (cast (coefficient4 >>! 12l <: i32) <: u8) - in - let serialized:t_Array u8 (sz 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 8) - ((serialized.[ sz 8 ] <: u8) |. (cast (coefficient5 <>! 7l <: i32) <: u8) - in - let serialized:t_Array u8 (sz 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 9) - ((serialized.[ sz 9 ] <: u8) |. (cast (coefficient6 <>! 2l <: i32) <: u8) - in - let serialized:t_Array u8 (sz 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 11) - (cast (coefficient6 >>! 10l <: i32) <: u8) - in - let serialized:t_Array u8 (sz 13) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 11) - ((serialized.[ sz 11 ] <: u8) |. (cast (coefficient7 <>! 
5l <: i32) <: u8) - in - serialized - -let montgomery_multiply_by_constant - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (c: i32) - = - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let _:usize = temp_1_ in - true) - simd_unit - (fun simd_unit i -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let i:usize = i in - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - (montgomery_reduce_element ((cast (simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] - <: - i32) - <: - i64) *! - (cast (c <: i32) <: i64) - <: - i64) - <: - i32) - <: - t_Array i32 (sz 8) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - simd_unit - -let serialize_when_eta_is_4_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let coefficient0:u8 = - cast (v_ETA858068178 -! 
(coefficients.[ sz 0 ] <: i32) <: i32) <: u8 - in - let coefficient1:u8 = - cast (v_ETA858068178 -! (coefficients.[ sz 1 ] <: i32) <: i32) <: u8 - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - i - ((coefficient1 < serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit - | 4uy -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - -let serialize_when_gamma1_is_2_pow_17_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let coefficient0:i32 = v_GAMMA1331343739 -! (coefficients.[ sz 0 ] <: i32) in - let coefficient1:i32 = v_GAMMA1331343739 -! (coefficients.[ sz 1 ] <: i32) in - let coefficient2:i32 = v_GAMMA1331343739 -! (coefficients.[ sz 2 ] <: i32) in - let coefficient3:i32 = v_GAMMA1331343739 -! (coefficients.[ sz 3 ] <: i32) in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 9 *! i <: usize) - (cast (coefficient0 <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! i <: usize) +! sz 1 <: usize) - (cast (coefficient0 >>! 
8l <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! i <: usize) +! sz 2 <: usize) - (cast (coefficient0 >>! 16l <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! i <: usize) +! sz 2 <: usize) - ((serialized.[ (sz 9 *! i <: usize) +! sz 2 <: usize ] <: u8) |. - (cast (coefficient1 <>! 6l <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! i <: usize) +! sz 4 <: usize) - (cast (coefficient1 >>! 14l <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! i <: usize) +! sz 4 <: usize) - ((serialized.[ (sz 9 *! i <: usize) +! sz 4 <: usize ] <: u8) |. - (cast (coefficient2 <>! 4l <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! i <: usize) +! sz 6 <: usize) - (cast (coefficient2 >>! 12l <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! i <: usize) +! sz 6 <: usize) - ((serialized.[ (sz 9 *! i <: usize) +! sz 6 <: usize ] <: u8) |. - (cast (coefficient3 <>! 2l <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 9 *! i <: usize) +! sz 8 <: usize) - (cast (coefficient3 >>! 
10l <: i32) <: u8) - in - serialized) - in - serialized - -let serialize_when_gamma1_is_2_pow_19_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in - let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let coefficient0:i32 = v_GAMMA1658756807 -! (coefficients.[ sz 0 ] <: i32) in - let coefficient1:i32 = v_GAMMA1658756807 -! (coefficients.[ sz 1 ] <: i32) in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 5 *! i <: usize) - (cast (coefficient0 <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 1 <: usize) - (cast (coefficient0 >>! 8l <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 2 <: usize) - (cast (coefficient0 >>! 16l <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 2 <: usize) - ((serialized.[ (sz 5 *! i <: usize) +! sz 2 <: usize ] <: u8) |. - (cast (coefficient1 <>! 4l <: i32) <: u8) - in - let serialized:t_Array u8 v_OUTPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 4 <: usize) - (cast (coefficient1 >>! 
12l <: i32) <: u8) - in - serialized) - in - serialized - -let serialize526929060 - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - match cast (v_OUTPUT_SIZE <: usize) <: u8 with - | 18uy -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit - | 20uy -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - -let serialize300254843 (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - let serialized:t_Array u8 (sz 10) = Rust_primitives.Hax.repeat 0uy (sz 10) in - let serialized:t_Array u8 (sz 10) = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - (fun serialized temp_1_ -> - let serialized:t_Array u8 (sz 10) = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized temp_1_ -> - let serialized:t_Array u8 (sz 10) = serialized in - let i, coefficients:(usize & t_Slice i32) = temp_1_ in - let serialized:t_Array u8 (sz 10) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - (sz 5 *! i <: usize) - (cast ((coefficients.[ sz 0 ] <: i32) &. 255l <: i32) <: u8) - in - let serialized:t_Array u8 (sz 10) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 1 <: usize) - (((cast ((coefficients.[ sz 1 ] <: i32) &. 63l <: i32) <: u8) <>! 8l <: i32) &. 3l <: i32) <: u8) - <: - u8) - in - let serialized:t_Array u8 (sz 10) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 2 <: usize) - (((cast ((coefficients.[ sz 2 ] <: i32) &. 15l <: i32) <: u8) <>! 6l <: i32) &. 
15l <: i32) <: u8) - <: - u8) - in - let serialized:t_Array u8 (sz 10) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 3 <: usize) - (((cast ((coefficients.[ sz 3 ] <: i32) &. 3l <: i32) <: u8) <>! 4l <: i32) &. 63l <: i32) <: u8) - <: - u8) - in - let serialized:t_Array u8 (sz 10) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized - ((sz 5 *! i <: usize) +! sz 4 <: usize) - (cast (((coefficients.[ sz 3 ] <: i32) >>! 2l <: i32) &. 255l <: i32) <: u8) - in - serialized) - in - serialized - -let ntt_at_layer_0_ - (zeta_i: usize) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let zeta_i:usize = zeta_i +! sz 1 in - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & - usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let round:usize = round in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - round - (simd_unit_ntt_at_layer_0_ (re.[ round ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! 
sz 1 <: usize ] - <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ] - <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ] - <: - i32) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - let zeta_i:usize = zeta_i +! sz 4 in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - in - let zeta_i:usize = zeta_i -! sz 1 in - zeta_i, re - <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - -let ntt_at_layer_1_ - (zeta_i: usize) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let zeta_i:usize = zeta_i +! sz 1 in - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & - usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let round:usize = round in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - round - (simd_unit_ntt_at_layer_1_ (re.[ round ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! 
sz 1 <: usize ] - <: - i32) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - let zeta_i:usize = zeta_i +! sz 2 in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - in - let zeta_i:usize = zeta_i -! sz 1 in - zeta_i, re - <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - -let ntt_at_layer_2_ - (zeta_i: usize) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let (re, zeta_i), hax_temp_output:(t_Array - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & - usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let round:usize = round in - let zeta_i:usize = zeta_i +! 
sz 1 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - round - (simd_unit_ntt_at_layer_2_ (re.[ round ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - in - zeta_i, re - <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - -let rec add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 - (sum.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun sum temp_1_ -> - let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in - let _:usize = temp_1_ in - true) - sum - (fun sum i -> - let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in - let i:usize = i in - { - sum with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sum - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) +! 
- (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - i32) - <: - t_Array i32 (sz 8) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - sum - -and compute_hint - (v_GAMMA2: i32) - (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let one_hints_count:usize = sz 0 in - let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 - (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun temp_0_ temp_1_ -> - let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (hint, one_hints_count - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) - (fun temp_0_ i -> - let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - usize) = - temp_0_ - in - let i:usize = i in - let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - hint with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - (compute_one_hint v_GAMMA2 - (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - (high.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let one_hints_count:usize = - one_hints_count +! 
- (cast (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - usize) - in - hint, one_hints_count - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) - in - one_hints_count, hint <: (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -and decompose - (v_GAMMA2: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 - (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun temp_0_ temp_1_ -> - let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (high, low - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) - (fun temp_0_ i -> - let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - temp_0_ - in - let i:usize = i in - let low_part, high_part:(i32 & i32) = - decompose_element v_GAMMA2 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - in - let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - low with - 
Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - low_part - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - high with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - high_part - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - high, low - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) - in - low, high - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -and montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 - (product.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun product temp_1_ -> - let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in - let _:usize = temp_1_ in - true) - product - (fun product i -> - let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in - let i:usize = i in - { - product with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize product - 
.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - (montgomery_reduce_element ((cast (lhs - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] - <: - i32) - <: - i64) *! - (cast (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - i64) - <: - i64) - <: - i32) - <: - t_Array i32 (sz 8) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - product - -and power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - Rust_primitives.Hax.Folds.fold_enumerated_slice simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (fun temp_0_ temp_1_ -> - let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (t0_simd_unit, t1_simd_unit - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) - (fun temp_0_ temp_1_ -> - let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = - temp_0_ - in - let i, t:(usize & i32) = temp_1_ in - let t0, t1:(i32 & i32) = power2round_element t in - let 
t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - t0_simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0_simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - t0 - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - t1_simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1_simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - t1 - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - t0_simd_unit, t1_simd_unit - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) - in - t0_simd_unit, t1_simd_unit - <: - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - -and shift_left_then_reduce - (v_SHIFT_BY: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun out temp_1_ -> - let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in - let _:usize = temp_1_ in - true) - out - (fun out i -> - let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in - let i:usize = i in - { - out with - 
Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - (reduce_element ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i - ] - <: - i32) < - let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in - let _:usize = temp_1_ in - true) - difference - (fun difference i -> - let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in - let i:usize = i in - { - difference with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize difference - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) -! - (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - i32) - <: - t_Array i32 (sz 8) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - difference - -and use_hint - (v_GAMMA2: i32) - (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - = - let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #i32 - (result.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) - <: - usize) - (fun result temp_1_ -> - let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in - let _:usize = temp_1_ in - true) - result - (fun result i -> - let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in - let i:usize = i in - { - result with - 
Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - i - (use_one_hint v_GAMMA2 - (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) - <: - i32) - <: - t_Array i32 (sz 8) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - result - -and deserialize_when_eta_is_2_ (serialized: t_Slice u8) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 3 <: bool) - in - () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in - let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in - let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - (v_ETA832233724 -! (byte0 &. 7l <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - (v_ETA832233724 -! ((byte0 >>! 3l <: i32) &. 
7l <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - (v_ETA832233724 -! (((byte0 >>! 6l <: i32) |. (byte1 <>! 1l <: i32) &. 7l <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - (v_ETA832233724 -! ((byte1 >>! 4l <: i32) &. 7l <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - (v_ETA832233724 -! (((byte1 >>! 7l <: i32) |. (byte2 <>! 2l <: i32) &. 7l <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - (v_ETA832233724 -! ((byte2 >>! 5l <: i32) &. 
7l <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit - -and deserialize_when_eta_is_4_ (serialized: t_Slice u8) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 4 <: bool) - in - () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Rust_primitives.Hax.Folds.fold_enumerated_slice serialized - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let _:usize = temp_1_ in - true) - simd_unit - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let i, byte:(usize & u8) = temp_1_ in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2 *! i <: usize) - (v_ETA177254429 -! (cast (byte &. 15uy <: u8) <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((sz 2 *! i <: usize) +! sz 1 <: usize) - (v_ETA177254429 -! (cast (byte >>! 
4l <: u8) <: i32) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - simd_unit) - in - simd_unit - -and deserialize154437703 (v_ETA: usize) (serialized: t_Slice u8) = - match cast (v_ETA <: usize) <: u8 with - | 2uy -> deserialize_when_eta_is_2_ serialized - | 4uy -> deserialize_when_eta_is_4_ serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - -and deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 18 <: bool) - in - () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 9) - serialized - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let _:usize = temp_1_ in - true) - simd_unit - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4 *! 
i <: usize) - (cast (bytes.[ sz 0 ] <: u8) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4 *! i <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 *! i - <: - usize ] - <: - i32) |. - ((cast (bytes.[ sz 1 ] <: u8) <: i32) <>! 2l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((sz 4 *! i <: usize) +! sz 1 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (sz 4 *! i - <: - usize) +! - sz 1 - <: - usize ] - <: - i32) |. - ((cast (bytes.[ sz 3 ] <: u8) <: i32) <>! 4l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((sz 4 *! i <: usize) +! sz 2 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (sz 4 *! i - <: - usize) +! - sz 2 - <: - usize ] - <: - i32) |. - ((cast (bytes.[ sz 5 ] <: u8) <: i32) <>! 
6l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((sz 4 *! i <: usize) +! sz 3 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (sz 4 *! i - <: - usize) +! - sz 3 - <: - usize ] - <: - i32) |. - ((cast (bytes.[ sz 7 ] <: u8) <: i32) < - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let _:usize = temp_1_ in - true) - simd_unit - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2 *! i <: usize) - (cast (bytes.[ sz 0 ] <: u8) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2 *! i <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 *! i - <: - usize ] - <: - i32) |. - ((cast (bytes.[ sz 1 ] <: u8) <: i32) <>! 
4l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((sz 2 *! i <: usize) +! sz 1 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (sz 2 *! i - <: - usize) +! - sz 1 - <: - usize ] - <: - i32) |. - ((cast (bytes.[ sz 3 ] <: u8) <: i32) < deserialize_when_gamma1_is_2_pow_17_ serialized - | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - -and deserialize297775919 (serialized: t_Slice u8) = - let _:Prims.unit = - if true - then - let _:Prims.unit = - Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. 
sz 13 <: bool) - in - () - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_ZERO #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - #FStar.Tactics.Typeclasses.solve - () - in - let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in - let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in - let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in - let byte3:i32 = cast (serialized.[ sz 3 ] <: u8) <: i32 in - let byte4:i32 = cast (serialized.[ sz 4 ] <: u8) <: i32 in - let byte5:i32 = cast (serialized.[ sz 5 ] <: u8) <: i32 in - let byte6:i32 = cast (serialized.[ sz 6 ] <: u8) <: i32 in - let byte7:i32 = cast (serialized.[ sz 7 ] <: u8) <: i32 in - let byte8:i32 = cast (serialized.[ sz 8 ] <: u8) <: i32 in - let byte9:i32 = cast (serialized.[ sz 9 ] <: u8) <: i32 in - let byte10:i32 = cast (serialized.[ sz 10 ] <: u8) <: i32 in - let byte11:i32 = cast (serialized.[ sz 11 ] <: u8) <: i32 in - let byte12:i32 = cast (serialized.[ sz 12 ] <: u8) <: i32 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - byte0 - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 0) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) |. - (byte1 <>! 
5l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) |. - (byte2 <>! 2l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) |. - (byte4 <>! 7l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) |. - (byte5 <>! 4l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) |. - (byte7 <>! 
1l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) |. - (byte9 <>! 6l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) |. - (byte10 <>! 3l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) |. 
- (byte12 < - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let _:usize = temp_1_ in - true) - simd_unit - (fun simd_unit temp_1_ -> - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - let byte0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in - let byte1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in - let byte2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in - let byte3:i32 = cast (bytes.[ sz 3 ] <: u8) <: i32 in - let byte4:i32 = cast (bytes.[ sz 4 ] <: u8) <: i32 in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4 *! i <: usize) - ((byte0 |. (byte1 <>! 2l <: i32) |. (byte2 <>! 4l <: i32) |. (byte3 <>! 6l <: i32) |. (byte4 <>! v_LAYER <: usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let round:usize = round in - let zeta_i:usize = zeta_i +! sz 1 in - let offset:usize = - ((round *! step <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! 
step_by <: usize) - (fun re temp_1_ -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) - = - re - in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) - = - re - in - let j:usize = j in - let t:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Traits.montgomery_multiply_by_fer #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (re.[ j +! step_by <: usize ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! step_by <: usize) - (subtract (re.[ j ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - t - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (add (re.[ j ] <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - t - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - re) - in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - in - zeta_i, re - <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst deleted file mode 100644 index 9a392eeca..000000000 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fst +++ /dev/null 
@@ -1,26 +0,0 @@ -module Libcrux_ml_dsa.Simd.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY551832282 as v_DUMMY} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY541533844 as v_DUMMY} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY900481996 as v_DUMMY} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY384609919 as v_DUMMY} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {v_DUMMY450911580 as v_DUMMY} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {arithmetic as arithmetic} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {encoding as encoding} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {ntt as ntt} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {sample as sample} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {vector_type as vector_type} - -include Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 {impl as impl} diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti similarity index 59% rename from libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fsti rename to libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti index ccc1ad686..4b05f75c3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti @@ -1,4 +1,4 @@ -module Libcrux_ml_dsa.Simd.Portable.Rec_bundle_437004224 +module Libcrux_ml_dsa.Simd.Portable #set-options "--fuel 0 --ifuel 1 --z3rlimit 100" open Core open FStar.Mul 
@@ -7,266 +7,8 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_dsa.Simd.Portable.Vector_type in - let open Libcrux_ml_dsa.Simd.Traits in () -let v_MONTGOMERY_SHIFT: u8 = 32uy - -val compute_one_hint (v_GAMMA2 low high: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val get_n_least_significant_bits (n: u8) (value: u64) - : Prims.Pure u64 Prims.l_True (fun _ -> Prims.l_True) - -let v_ETA832233724: i32 = 2l - -let v_ETA177254429: i32 = 4l - -let v_ETA345140054: i32 = 2l - -let v_ETA858068178: i32 = 4l - -let v_GAMMA1183990813: i32 = 1l < Prims.l_True) - -let v_BITS_IN_LOWER_PART_OF_T_MASK: i32 = - (1l < Prims.l_True) - -val montgomery_reduce_element (value: i64) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_multiply_fe_by_fer (fe fer: i32) - : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1 zeta2 zeta3: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_1_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val invert_ntt_at_layer_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val simd_unit_ntt_at_layer_0_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta0 zeta1 zeta2 zeta3: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val simd_unit_ntt_at_layer_1_ - 
(simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta1 zeta2: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val simd_unit_ntt_at_layer_2_ - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (zeta: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val decompose_element (v_GAMMA2 r: i32) - : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) - -val infinity_norm_exceeds - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (bound: i32) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) - -val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) - -val use_one_hint (v_GAMMA2 r hint: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val serialize_when_eta_is_2_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -val serialize977980603 (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 (sz 13)) Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_multiply_by_constant - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (c: i32) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val serialize_when_eta_is_4_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -val serialize1006998023 - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -val 
serialize_when_gamma1_is_2_pow_17_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_when_gamma1_is_2_pow_19_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -val serialize526929060 - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -val serialize300254843 (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) - -val ntt_at_layer_0_ - (zeta_i: usize) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_1_ - (zeta_i: usize) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_at_layer_2_ - (zeta_i: usize) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -val add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val compute_hint - (v_GAMMA2: i32) - (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure (usize & 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - Prims.l_True - (fun _ -> Prims.l_True) - -val decompose - (v_GAMMA2: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - Prims.l_True - (fun _ -> Prims.l_True) - -val montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure - (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - Prims.l_True - (fun _ -> Prims.l_True) - -val shift_left_then_reduce - (v_SHIFT_BY: i32) - (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val use_hint - (v_GAMMA2: i32) - (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize_when_eta_is_2_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize_when_eta_is_4_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize154437703 (v_ETA: usize) (serialized: t_Slice u8) - : Prims.Pure 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize244287932 (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize297775919 (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val deserialize960784460 (serialized: t_Slice u8) - : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = @@ -322,7 +64,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - add lhs rhs); + Libcrux_ml_dsa.Simd.Portable.Arithmetic.add lhs rhs); f_subtract_pre = (fun 
@@ -344,7 +86,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - subtract lhs rhs); + Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract lhs rhs); f_montgomery_multiply_by_constant_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (c: i32) -> true); @@ -359,7 +101,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_montgomery_multiply_by_constant = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (c: i32) -> - montgomery_multiply_by_constant simd_unit c); + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant simd_unit c); f_montgomery_multiply_pre = (fun @@ -381,7 +123,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - montgomery_multiply lhs rhs); + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply lhs rhs); f_shift_left_then_reduce_pre = (fun @@ -403,7 +145,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - shift_left_then_reduce v_SHIFT_BY simd_unit); + Libcrux_ml_dsa.Simd.Portable.Arithmetic.shift_left_then_reduce v_SHIFT_BY simd_unit); f_power2round_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); @@ -419,7 +161,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_power2round = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - power2round simd_unit); + Libcrux_ml_dsa.Simd.Portable.Arithmetic.power2round simd_unit); f_infinity_norm_exceeds_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (bound: i32) -> 
@@ -435,7 +177,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_infinity_norm_exceeds = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (bound: i32) -> - infinity_norm_exceeds simd_unit bound); + Libcrux_ml_dsa.Simd.Portable.Arithmetic.infinity_norm_exceeds simd_unit bound); f_decompose_pre = (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> @@ -453,7 +195,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_decompose = (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - decompose v_GAMMA2 simd_unit); + Libcrux_ml_dsa.Simd.Portable.Arithmetic.decompose v_GAMMA2 simd_unit); f_compute_hint_pre = (fun @@ -478,7 +220,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - compute_hint v_GAMMA2 low high); + Libcrux_ml_dsa.Simd.Portable.Arithmetic.compute_hint v_GAMMA2 low high); f_use_hint_pre = (fun @@ -503,7 +245,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - use_hint v_GAMMA2 simd_unit hint); + Libcrux_ml_dsa.Simd.Portable.Arithmetic.use_hint v_GAMMA2 simd_unit hint); f_rejection_sample_less_than_field_modulus_pre = (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); @@ -573,7 +315,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - serialize526929060 v_OUTPUT_SIZE simd_unit); + Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize v_OUTPUT_SIZE simd_unit); f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); f_gamma1_deserialize_post = 
@@ -586,7 +328,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_gamma1_deserialize = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> - deserialize244287932 v_GAMMA1_EXPONENT serialized); + Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized); f_commitment_serialize_pre = (fun @@ -630,7 +372,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - serialize1006998023 v_OUTPUT_SIZE simd_unit); + Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize v_OUTPUT_SIZE simd_unit); f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); f_error_deserialize_post = @@ -642,7 +384,8 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = true); f_error_deserialize = - (fun (v_ETA: usize) (serialized: t_Slice u8) -> deserialize154437703 v_ETA serialized); + (fun (v_ETA: usize) (serialized: t_Slice u8) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Error.deserialize v_ETA serialized); f_t0_serialize_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); @@ -656,7 +399,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_t0_serialize = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - serialize977980603 simd_unit); + Libcrux_ml_dsa.Simd.Portable.Encoding.T0.serialize simd_unit); f_t0_deserialize_pre = (fun (serialized: t_Slice u8) -> true); f_t0_deserialize_post = 
@@ -665,7 +408,10 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); - f_t0_deserialize = (fun (serialized: t_Slice u8) -> deserialize297775919 serialized); + f_t0_deserialize + = + (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T0.deserialize serialized + ); f_t1_serialize_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); @@ -679,7 +425,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_t1_serialize = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> - serialize300254843 simd_unit); + Libcrux_ml_dsa.Simd.Portable.Encoding.T1.serialize simd_unit); f_t1_deserialize_pre = (fun (serialized: t_Slice u8) -> true); f_t1_deserialize_post = @@ -688,7 +434,10 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); - f_t1_deserialize = (fun (serialized: t_Slice u8) -> deserialize960784460 serialized); + f_t1_deserialize + = + (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T1.deserialize serialized + ); f_ntt_pre = (fun @@ -707,7 +456,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) -> - ntt simd_units); + Libcrux_ml_dsa.Simd.Portable.Ntt.ntt simd_units); f_invert_ntt_at_layer_0_pre = (fun @@ -738,7 +487,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (zeta2: i32) (zeta3: i32) -> - invert_ntt_at_layer_0_ simd_unit zeta0 zeta1 zeta2 zeta3); + Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_0_ simd_unit zeta0 zeta1 zeta2 zeta3); f_invert_ntt_at_layer_1_pre = (fun 
@@ -763,7 +512,7 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = (zeta0: i32) (zeta1: i32) -> - invert_ntt_at_layer_1_ simd_unit zeta0 zeta1); + Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_1_ simd_unit zeta0 zeta1); f_invert_ntt_at_layer_2_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta: i32) -> @@ -779,13 +528,5 @@ Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = f_invert_ntt_at_layer_2_ = fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta: i32) -> - invert_ntt_at_layer_2_ simd_unit zeta + Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_2_ simd_unit zeta } - -val ntt_at_layer_3_plus - (v_LAYER zeta_i: usize) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/src/encoding/error.rs b/libcrux-ml-dsa/src/encoding/error.rs index 80080945c..104931418 100644 --- a/libcrux-ml-dsa/src/encoding/error.rs +++ b/libcrux-ml-dsa/src/encoding/error.rs @@ -53,7 +53,7 @@ fn deserialize( result.simd_units[i] = SIMDUnit::error_deserialize::(&serialized_chunks.next().unwrap()); } - + result } diff --git a/libcrux-ml-dsa/src/simd.rs b/libcrux-ml-dsa/src/simd.rs index 476db6916..653246a60 100644 --- a/libcrux-ml-dsa/src/simd.rs +++ b/libcrux-ml-dsa/src/simd.rs @@ -4,6 +4,6 @@ pub(crate) mod avx2; pub(crate) mod portable; pub(crate) mod traits; -// #[cfg(test)] -// pub(crate) mod tests; +#[cfg(test)] +pub(crate) mod tests; diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs index 375f7eca1..e04bf4953 100644 --- a/libcrux-ml-dsa/src/simd/portable.rs +++ b/libcrux-ml-dsa/src/simd/portable.rs 
@@ -1,4 +1,4 @@ -use crate::simd::traits::{Operations, COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT}; +use crate::simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}; mod vector_type; mod arithmetic; diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index 1b194c40d..b2b428d83 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -1,8 +1,8 @@ -use super::vector_type::{PortableSIMDUnit, FieldElement}; +use super::vector_type::{PortableSIMDUnit, FieldElement, ZERO}; use crate::{ constants::BITS_IN_LOWER_PART_OF_T, simd::traits::{ - FieldElementTimesMontgomeryR, Operations, FIELD_MODULUS, + FieldElementTimesMontgomeryR, FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, }, }; @@ -17,7 +17,7 @@ pub(crate) const MONTGOMERY_SHIFT: u8 = 32; #[inline(always)] pub fn add(lhs: &PortableSIMDUnit, rhs: &PortableSIMDUnit) -> PortableSIMDUnit { - let mut sum = PortableSIMDUnit::ZERO(); + let mut sum = ZERO(); for i in 0..sum.coefficients.len() { sum.coefficients[i] = lhs.coefficients[i] + rhs.coefficients[i]; @@ -28,7 +28,7 @@ pub fn add(lhs: &PortableSIMDUnit, rhs: &PortableSIMDUnit) -> PortableSIMDUnit { #[inline(always)] pub fn subtract(lhs: &PortableSIMDUnit, rhs: &PortableSIMDUnit) -> PortableSIMDUnit { - let mut difference = PortableSIMDUnit::ZERO(); + let mut difference = ZERO(); for i in 0..difference.coefficients.len() { difference.coefficients[i] = lhs.coefficients[i] - rhs.coefficients[i]; @@ -81,7 +81,7 @@ pub(crate) fn montgomery_multiply( lhs: &PortableSIMDUnit, rhs: &PortableSIMDUnit, ) -> PortableSIMDUnit { - let mut product = PortableSIMDUnit::ZERO(); + let mut product = ZERO(); for i in 0..product.coefficients.len() { product.coefficients[i] = 
@@ -118,8 +118,8 @@ fn power2round_element(t: i32) -> (i32, i32) { } pub fn power2round(simd_unit: PortableSIMDUnit) -> (PortableSIMDUnit, PortableSIMDUnit) { - let mut t0_simd_unit = PortableSIMDUnit::ZERO(); - let mut t1_simd_unit = PortableSIMDUnit::ZERO(); + let mut t0_simd_unit = ZERO(); + let mut t1_simd_unit = ZERO(); for (i, t) in simd_unit.coefficients.into_iter().enumerate() { let (t0, t1) = power2round_element(t); @@ -177,7 +177,7 @@ fn reduce_element(fe: FieldElement) -> FieldElement { pub fn shift_left_then_reduce( simd_unit: PortableSIMDUnit, ) -> PortableSIMDUnit { - let mut out = PortableSIMDUnit::ZERO(); + let mut out = ZERO(); for i in 0..simd_unit.coefficients.len() { out.coefficients[i] = reduce_element(simd_unit.coefficients[i] << SHIFT_BY); @@ -200,7 +200,7 @@ pub fn compute_hint( low: PortableSIMDUnit, high: PortableSIMDUnit, ) -> (usize, PortableSIMDUnit) { - let mut hint = PortableSIMDUnit::ZERO(); + let mut hint = ZERO(); let mut one_hints_count = 0; for i in 0..hint.coefficients.len() { @@ -314,8 +314,8 @@ pub(crate) fn use_one_hint(r: i32, hint: i32) -> i32 { pub fn decompose( simd_unit: PortableSIMDUnit, ) -> (PortableSIMDUnit, PortableSIMDUnit) { - let mut low = PortableSIMDUnit::ZERO(); - let mut high = PortableSIMDUnit::ZERO(); + let mut low = ZERO(); + let mut high = ZERO(); for i in 0..low.coefficients.len() { let (low_part, high_part) = decompose_element::(simd_unit.coefficients[i]); @@ -331,7 +331,7 @@ pub fn use_hint( simd_unit: PortableSIMDUnit, hint: PortableSIMDUnit, ) -> PortableSIMDUnit { - let mut result = PortableSIMDUnit::ZERO(); + let mut result = ZERO(); for i in 0..result.coefficients.len() { result.coefficients[i] = diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs index 1ad003932..5581cc2a4 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs 
@@ -1,5 +1,4 @@ -use crate::simd::traits::Operations; -use super::super::vector_type::PortableSIMDUnit; +use super::super::vector_type::{PortableSIMDUnit, ZERO}; #[inline(always)] fn serialize_when_eta_is_2( @@ -55,7 +54,7 @@ pub(crate) fn serialize( fn deserialize_when_eta_is_2(serialized: &[u8]) -> PortableSIMDUnit { debug_assert!(serialized.len() == 3); - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); const ETA: i32 = 2; let byte0 = serialized[0] as i32; @@ -77,7 +76,7 @@ fn deserialize_when_eta_is_2(serialized: &[u8]) -> PortableSIMDUnit { fn deserialize_when_eta_is_4(serialized: &[u8]) -> PortableSIMDUnit { debug_assert!(serialized.len() == 4); - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); const ETA: i32 = 4; for (i, byte) in serialized.iter().enumerate() { diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs index cecefafc9..6409387af 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs @@ -1,5 +1,4 @@ -use crate::simd::traits::Operations; -use super::super::vector_type::PortableSIMDUnit; +use super::super::vector_type::{PortableSIMDUnit, ZERO}; // This function is marked public since it is called in the corresponding AVX2 code. #[inline(always)] pub fn serialize_when_gamma1_is_2_pow_17( @@ -81,7 +80,7 @@ fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8]) -> PortableSIMDUnit { const GAMMA1: i32 = 1 << 17; const GAMMA1_TIMES_2_BITMASK: i32 = (GAMMA1 << 1) - 1; - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); for (i, bytes) in serialized.chunks_exact(9).enumerate() { simd_unit.coefficients[4 * i] = bytes[0] as i32; 
@@ -121,7 +120,7 @@ fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8]) -> PortableSIMDUnit { const GAMMA1: i32 = 1 << 19; const GAMMA1_TIMES_2_BITMASK: i32 = (GAMMA1 << 1) - 1; - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); for (i, bytes) in serialized.chunks_exact(5).enumerate() { simd_unit.coefficients[2 * i] = bytes[0] as i32; diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs index c8db3cf54..28aaf41e2 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs @@ -1,9 +1,6 @@ -use crate::{ - constants::BITS_IN_LOWER_PART_OF_T, - simd::traits::Operations, -}; +use crate::constants::BITS_IN_LOWER_PART_OF_T; -use super::super::vector_type::PortableSIMDUnit; +use super::super::vector_type::{PortableSIMDUnit, ZERO}; // If t0 is a signed representative, change it to an unsigned one and // vice versa. @@ -65,7 +62,7 @@ pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 13] { pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { debug_assert!(serialized.len() == 13); - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); const BITS_IN_LOWER_PART_OF_T_MASK: i32 = (1 << (BITS_IN_LOWER_PART_OF_T as i32)) - 1; diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs index 52edb0914..c0fc9de40 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs @@ -1,9 +1,6 @@ -use crate::{ - constants::BITS_IN_UPPER_PART_OF_T, - simd::traits::Operations, -}; +use crate::constants::BITS_IN_UPPER_PART_OF_T; -use super::super::vector_type::PortableSIMDUnit; +use super::super::vector_type::{PortableSIMDUnit, ZERO}; #[inline(always)] pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 10] { 
@@ -27,7 +24,7 @@ pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 10] { pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { debug_assert!(serialized.len() == 10); - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); let mask = (1 << BITS_IN_UPPER_PART_OF_T) - 1; for (i, bytes) in serialized.chunks_exact(5).enumerate() { diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs index 78aaa7aad..1d994e241 100644 --- a/libcrux-ml-dsa/src/simd/portable/ntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs @@ -1,8 +1,7 @@ -use super::arithmetic::{self, montgomery_multiply_fe_by_fer}; +use super::arithmetic::{self, montgomery_multiply_by_constant, montgomery_multiply_fe_by_fer}; use super::vector_type::PortableSIMDUnit; use crate::simd::traits::{ - montgomery_multiply_by_fer, COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT, - ZETAS_TIMES_MONTGOMERY_R, + COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT, ZETAS_TIMES_MONTGOMERY_R, }; #[inline(always)] @@ -202,7 +201,7 @@ fn ntt_at_layer_3_plus( let step_by = step / COEFFICIENTS_IN_SIMD_UNIT; for j in offset..offset + step_by { - let t = montgomery_multiply_by_fer(re[j + step_by], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); + let t = montgomery_multiply_by_constant(re[j + step_by], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); re[j + step_by] = arithmetic::subtract(&re[j], &t); re[j] = arithmetic::add(&re[j], &t); diff --git a/libcrux-ml-dsa/src/simd/portable/vector_type.rs b/libcrux-ml-dsa/src/simd/portable/vector_type.rs index 824453132..699790752 100644 --- a/libcrux-ml-dsa/src/simd/portable/vector_type.rs +++ b/libcrux-ml-dsa/src/simd/portable/vector_type.rs 
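Review bot: The new call `montgomery_multiply_by_constant(re[j + step_by], ZETAS_TIMES_MONTGOMERY_R[*zeta_i])` loses the `_by_fer` suffix that signalled the second operand must already be in Montgomery form; the table name still implies it, but a comment above the call keeps the invariant local, e.g. `// zeta is stored as zeta * R, so one Montgomery reduction presumably yields re * zeta mod q`. With the portable NTT now calling the arithmetic module directly, the generic `montgomery_multiply_by_fer` left in traits.rs (visible as context in the traits.rs hunk further down) may have no remaining caller; worth checking against the avx2 backend before keeping it. The body of `ntt_at_layer_3_plus` starts outside this hunk.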
@@ -1,16 +1,17 @@ +use crate::simd::traits::COEFFICIENTS_IN_SIMD_UNIT; /// Values having this type hold a representative 'x' of the Kyber field. /// We use 'fe' as a shorthand for this type. pub(crate) type FieldElement = i32; #[derive(Clone, Copy)] pub struct PortableSIMDUnit { - pub(crate) coefficients: [FieldElement; super::COEFFICIENTS_IN_SIMD_UNIT], + pub(crate) coefficients: [FieldElement; COEFFICIENTS_IN_SIMD_UNIT], } #[allow(non_snake_case)] pub(crate) fn ZERO() -> PortableSIMDUnit { PortableSIMDUnit { - coefficients: [0i32; super::COEFFICIENTS_IN_SIMD_UNIT], + coefficients: [0i32; COEFFICIENTS_IN_SIMD_UNIT], } } diff --git a/libcrux-ml-dsa/src/simd/tests.rs b/libcrux-ml-dsa/src/simd/tests.rs new file mode 100644 index 000000000..a83f97aaa --- /dev/null +++ b/libcrux-ml-dsa/src/simd/tests.rs 
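Review bot: `ZERO` is a `#[allow(non_snake_case)]` free function that builds a fresh struct, and this commit makes every portable module (arithmetic.rs, encoding/*.rs) depend on it; since `PortableSIMDUnit` is `Copy` and the array literal is const-evaluable, a constant needs no lint suppression and reads as the idiom: `pub(crate) const ZERO: PortableSIMDUnit = PortableSIMDUnit { coefficients: [0i32; COEFFICIENTS_IN_SIMD_UNIT] };` (call sites would then drop the `()`). Separately, the unchanged doc comment `/// Values having this type hold a representative 'x' of the Kyber field.` sits in the ML-DSA crate and looks copied from the ML-KEM vector type; it should name the field actually used here, e.g. `/// A representative of the ML-DSA field Z_q; 'fe' is used as a shorthand for this type.`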
@@ -0,0 +1,95 @@
+use crate::simd::traits::*;
+
+fn test_decompose_generic() {
+    // When GAMMA2 = 95,232
+    let input = SIMDUnit::from_coefficient_array(&[
+        5520769, 5416853, 180455, 8127421, 5159850, 5553986, 3391280, 3968290,
+    ]);
+
+    let expected_low = SIMDUnit::from_coefficient_array(&[
+        -2687, 83861, -10009, -62531, 17322, 30530, -37072, -31454,
+    ]);
+    let expected_high = SIMDUnit::from_coefficient_array(&[29, 28, 1, 43, 27, 29, 18, 21]);
+
+    let (low, high) = SIMDUnit::decompose::<95_232>(input);
+
+    assert_eq!(
+        low.to_coefficient_array(),
+        expected_low.to_coefficient_array()
+    );
+    assert_eq!(
+        high.to_coefficient_array(),
+        expected_high.to_coefficient_array()
+    );
+
+    // When GAMMA2 = 261,888
+    let input = SIMDUnit::from_coefficient_array(&[
+        2108939, 7162128, 6506792, 7957464, 2350341, 8333084, 496214, 2168929,
+    ]);
+
+    let expected_low = SIMDUnit::from_coefficient_array(&[
+        13835, -170736, 221480, 100824, 255237, -47333, -27562, 73825,
+    ]);
+    let expected_high = SIMDUnit::from_coefficient_array(&[4, 14, 12, 15, 4, 0, 1, 4]);
+
+    let (low, high) = SIMDUnit::decompose::<261_888>(input);
+
+    assert_eq!(
+        low.to_coefficient_array(),
+        expected_low.to_coefficient_array()
+    );
+    assert_eq!(
+        high.to_coefficient_array(),
+        expected_high.to_coefficient_array()
+    );
+}
+
+fn test_power2round_generic() {
+    let input = SIMDUnit::from_coefficient_array(&[
+        6950677, 3362411, 5783989, 5909314, 6459529, 5751812, 864332, 3667708,
+    ]);
+
+    let expected_low =
+        SIMDUnit::from_coefficient_array(&[3861, 3691, 437, 2882, -3959, 1028, -4020, -2308]);
+    let expected_high =
+        SIMDUnit::from_coefficient_array(&[848, 410, 706, 721, 789, 702, 106, 448]);
+
+    let (low, high) = SIMDUnit::power2round(input);
+
+    assert_eq!(
+        low.to_coefficient_array(),
+        expected_low.to_coefficient_array()
+    );
+    assert_eq!(
+        high.to_coefficient_array(),
+        expected_high.to_coefficient_array()
+    );
+}
+
+#[cfg(not(feature = "simd256"))]
+mod portable {
+    use super::{test_decompose_generic, test_power2round_generic};
+
+    #[test]
+    fn test_decompose() {
+        test_decompose_generic::();
+    }
+    #[test]
+    fn test_power2round() {
+        test_power2round_generic::();
+    }
+}
+
+#[cfg(feature = "simd256")]
+mod avx2 {
+    use super::{test_decompose_generic, test_power2round_generic};
+
+    #[test]
+    fn test_decompose() {
+        test_decompose_generic::();
+    }
+    #[test]
+    fn test_power2round() {
+        test_power2round_generic::();
+    }
+}
diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs
index 71d7455f1..c50ff8537 100644
--- a/libcrux-ml-dsa/src/simd/traits.rs
+++ b/libcrux-ml-dsa/src/simd/traits.rs
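Review bot: The `portable` test module is compiled only under `#[cfg(not(feature = "simd256"))]`, so enabling the AVX2 feature silently drops all coverage of the portable backend even though that backend still builds; leave `mod portable` unconditional and gate only `mod avx2`, which also lets a simd256 build check both backends against the same vectors. The expected coefficient arrays have no stated provenance, so a reader cannot regenerate or audit them; a comment such as `// Expected values produced with [PLACEHOLDER: reference implementation or script]; GAMMA2 = (q-1)/88 is the ML-DSA-44 value and (q-1)/32 the ML-DSA-65/87 value` above each vector set would fix that. The moved tests also cover only `decompose` and `power2round`; the encoding round-trips and `compute_hint`/`use_hint`, which this commit rewires through the new module paths, remain untested.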
@@ -121,102 +121,3 @@ pub(crate) trait Operations: Copy + Clone { pub fn montgomery_multiply_by_fer(simd_unit: S, fer: i32) -> S { S::montgomery_multiply_by_constant(simd_unit, fer) } - -#[cfg(test)] -mod tests { - use super::*; - - fn test_decompose_generic() { - // When GAMMA2 = 95,232 - let input = SIMDUnit::from_coefficient_array(&[ - 5520769, 5416853, 180455, 8127421, 5159850, 5553986, 3391280, 3968290, - ]); - - let expected_low = SIMDUnit::from_coefficient_array(&[ - -2687, 83861, -10009, -62531, 17322, 30530, -37072, -31454, - ]); - let expected_high = SIMDUnit::from_coefficient_array(&[29, 28, 1, 43, 27, 29, 18, 21]); - - let (low, high) = SIMDUnit::decompose::<95_232>(input); - - assert_eq!( - low.to_coefficient_array(), - expected_low.to_coefficient_array() - ); - assert_eq!( - high.to_coefficient_array(), - expected_high.to_coefficient_array() - ); - - // When GAMMA2 = 261,888 - let input = SIMDUnit::from_coefficient_array(&[ - 2108939, 7162128, 6506792, 7957464, 2350341, 8333084, 496214, 2168929, - ]); - - let expected_low = SIMDUnit::from_coefficient_array(&[ - 13835, -170736, 221480, 100824, 255237, -47333, -27562, 73825, - ]); - let expected_high = SIMDUnit::from_coefficient_array(&[4, 14, 12, 15, 4, 0, 1, 4]); - - let (low, high) = SIMDUnit::decompose::<261_888>(input); - - assert_eq!( - low.to_coefficient_array(), - expected_low.to_coefficient_array() - ); - assert_eq!( - high.to_coefficient_array(), - expected_high.to_coefficient_array() - ); - } - - fn test_power2round_generic() { - let input = SIMDUnit::from_coefficient_array(&[ - 6950677, 3362411, 5783989, 5909314, 6459529, 5751812, 864332, 3667708, - ]); - - let expected_low = - SIMDUnit::from_coefficient_array(&[3861, 3691, 437, 2882, -3959, 1028, -4020, -2308]); - let expected_high = - SIMDUnit::from_coefficient_array(&[848, 410, 706, 721, 789, 702, 106, 448]); - - let (low, high) = SIMDUnit::power2round(input); - - assert_eq!( - low.to_coefficient_array(), - 
expected_low.to_coefficient_array() - ); - assert_eq!( - high.to_coefficient_array(), - expected_high.to_coefficient_array() - ); - } - - #[cfg(not(feature = "simd256"))] - mod portable { - use super::{test_decompose_generic, test_power2round_generic}; - - #[test] - fn test_decompose() { - test_decompose_generic::(); - } - #[test] - fn test_power2round() { - test_power2round_generic::(); - } - } - - #[cfg(feature = "simd256")] - mod avx2 { - use super::{test_decompose_generic, test_power2round_generic}; - - #[test] - fn test_decompose() { - test_decompose_generic::(); - } - #[test] - fn test_power2round() { - test_power2round_generic::(); - } - } -} diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti index b5a8cb0e2..d1bf77c74 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti @@ -3,6 +3,11 @@ module Libcrux_ml_kem.Hash_functions.Avx2 open Core open FStar.Mul +/// The state. +/// It\'s only used for SHAKE128. +/// All other functions don\'t actually use any members. +val t_Simd256Hash:Type0 + val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True @@ -30,11 +35,6 @@ val v_PRF (v_LEN: usize) (input: t_Slice u8) val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) Prims.l_True (fun _ -> Prims.l_True) -/// The state. -/// It\'s only used for SHAKE128. -/// All other functions don\'t actually use any members. -val t_Simd256Hash:Type0 - val shake128_init_absorb_final (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) : Prims.Pure t_Simd256Hash Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti index 5294a8dc5..90a01aa64 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti @@ -3,6 +3,11 @@ module Libcrux_ml_kem.Hash_functions.Neon open Core open FStar.Mul +/// The state. +/// It\'s only used for SHAKE128. +/// All other functions don\'t actually use any members. +val t_Simd128Hash:Type0 + val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True @@ -30,11 +35,6 @@ val v_PRF (v_LEN: usize) (input: t_Slice u8) val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) Prims.l_True (fun _ -> Prims.l_True) -/// The state. -/// It\'s only used for SHAKE128. -/// All other functions don\'t actually use any members. -val t_Simd128Hash:Type0 - val shake128_init_absorb_final (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) : Prims.Pure t_Simd128Hash Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti index 89c8300ff..bb72b8240 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti @@ -3,6 +3,11 @@ module Libcrux_ml_kem.Hash_functions.Portable open Core open FStar.Mul +/// The state. +/// It\'s only used for SHAKE128. +/// All other functions don\'t actually use any members. +val t_PortableHash (v_K: usize) : Type0 + val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True 
@@ -30,11 +35,6 @@ val v_PRF (v_LEN: usize) (input: t_Slice u8) val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) Prims.l_True (fun _ -> Prims.l_True) -/// The state. -/// It\'s only used for SHAKE128. -/// All other functions don\'t actually use any members. -val t_PortableHash (v_K: usize) : Type0 - val shake128_init_absorb_final (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) : Prims.Pure (t_PortableHash v_K) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst index c5f3a6c69..c9a34f640 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst @@ -13,7 +13,7 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let validate_private_key +let validate_private_key_avx2 (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) 
@@ -25,7 +25,13 @@ let validate_private_key private_key ciphertext -let decapsulate +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = validate_private_key_avx2 v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE private_key ciphertext + +let decapsulate_avx2 (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) 
@@ -38,29 +44,64 @@ let decapsulate #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash #Libcrux_ml_kem.Variant.t_MlKem private_key ciphertext -let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + decapsulate_avx2 v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE private_key ciphertext + +let encapsulate_avx2 + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) = Libcrux_ml_kem.Ind_cca.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE - v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR + v_VECTOR_U_BLOCK_LEN v_ETA1 
v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash #Libcrux_ml_kem.Variant.t_MlKem public_key randomness -let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (randomness: t_Array u8 (sz 32)) + = + encapsulate_avx2 v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN + v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness + +let generate_keypair_avx2 + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) = Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash #Libcrux_ml_kem.Variant.t_MlKem randomness -let validate_public_key +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + = + generate_keypair_avx2 v_K + v_CPA_PRIVATE_KEY_SIZE + v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE + v_BYTES_PER_RING_ELEMENT + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + randomness + +let validate_public_key_avx2 (v_K 
v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) = @@ -69,3 +110,8 @@ let validate_public_key v_PUBLIC_KEY_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector public_key + +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = validate_public_key_avx2 v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti index 2d0031d3b..39fede866 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti 
@@ -13,81 +13,73 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -/// Portable private key validation +val validate_private_key_avx2 + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + val validate_private_key (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val decapsulate_avx2 + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -/// Portable decapsulate val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K 
/\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val encapsulate_avx2 + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Prims.l_True (fun _ -> Prims.l_True) val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) 
(public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) /// Portable generate key pair. 
+val generate_keypair_avx2 + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + val generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) -/// Portable public key validation +val validate_public_key_avx2 + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + val validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) 
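Review bot: The new `val` signatures in this hunk drop the `requires` clauses that tied each size parameter to `Spec.MLKEM` (e.g. `Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K`) and replace them with `Prims.l_True` on validate_private_key, decapsulate, encapsulate, generate_keypair and validate_public_key, while the added `*_avx2` variants carry no precondition at all. With a trivial precondition F* no longer checks that a caller instantiates the AVX2 entry points with the key, ciphertext and randomness sizes the specification fixes for the rank, so a mismatched instantiation would verify even though it lies outside what the implementation was proven for. Since this file is a hax extraction, the clauses presumably have to be restored on the Rust side so that they re-appear here; if weakening them is deliberate for this work-in-progress commit, a `///` comment on the affected `val`s stating that the contracts are temporarily relaxed would keep the regression visible. The removed lines in this hunk are the exact preconditions to reinstate.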
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst index 6b2e84009..feecb5229 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst 
@@ -14,114 +14,45 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let impl__serialized_public_key +let impl_2__private_key (v_K: usize) (#v_Vector: Type0) - (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_MlKemPublicKeyUnpacked v_K v_Vector) - = - Core.Convert.f_into #(t_Array u8 v_PUBLIC_KEY_SIZE) - #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #v_Vector - self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt - (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) - <: - t_Array u8 v_PUBLIC_KEY_SIZE) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + = self.f_private_key -let impl__serialized_public_key_mut +let impl_2__public_key (v_K: usize) (#v_Vector: Type0) - (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: + i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_MlKemPublicKeyUnpacked v_K v_Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - = - let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE = - { - serialized with - Libcrux_ml_kem.Types.f_value - = - Libcrux_ml_kem.Ind_cpa.serialize_public_key_mut v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #v_Vector - self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt - (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) - serialized.Libcrux_ml_kem.Types.f_value - } - <: - Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE - in - serialized + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + = self.f_public_key -let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE 
v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (#v_Vector #v_Hasher: Type0) +let impl_2__serialized_private_key + (v_K: usize) + (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + = + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not yet implemented" + <: + Rust_primitives.Hax.t_Never) + +let impl_2__new + (v_K: usize) + (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) - (randomness: t_Array u8 (sz 32)) + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (_: Prims.unit) = - let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = - Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) - in - let to_hash:t_Array u8 (sz 64) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash - ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize) - (Core.Slice.impl__copy_from_slice #u8 - (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - (public_key.f_public_key_hash <: t_Slice u8) - <: - t_Slice u8) - in - let hashed:t_Array u8 (sz 64) = - Libcrux_ml_kem.Hash_functions.f_G #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (to_hash <: t_Slice u8) - in - let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (hashed <: t_Slice u8) - Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - in - let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = - Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR 
v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher - public_key.f_ind_cpa_public_key randomness pseudorandomness - in - let shared_secret_array:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let shared_secret_array:t_Array u8 (sz 32) = - Core.Slice.impl__copy_from_slice #u8 shared_secret_array shared_secret - in - Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - #(t_Array u8 v_CIPHERTEXT_SIZE) - #FStar.Tactics.Typeclasses.solve - ciphertext, - shared_secret_array - <: - (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Core.Default.f_default #(t_MlKemKeyPairUnpacked v_K v_Vector) #FStar.Tactics.Typeclasses.solve () let unpack_public_key (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) 
@@ -231,50 +162,93 @@ let unpack_public_key in unpacked_public_key -let impl_2__private_key - (v_K: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - = self.f_private_key - -let impl_2__public_key - (v_K: usize) - (#v_Vector: Type0) +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - = self.f_public_key - -let impl_2__serialized_private_key - (v_K: usize) - (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_MlKemKeyPairUnpacked v_K v_Vector) + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) + (randomness: t_Array u8 (sz 32)) = - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not yet implemented" - <: - Rust_primitives.Hax.t_Never) + let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = + Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) + in + let to_hash:t_Array u8 (sz 64) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash + ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize) + (Core.Slice.impl__copy_from_slice #u8 + (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + (public_key.f_public_key_hash <: t_Slice u8) + <: + t_Slice u8) + in + let hashed:t_Array u8 (sz 64) = + Libcrux_ml_kem.Hash_functions.f_G 
#v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (to_hash <: t_Slice u8) + in + let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (hashed <: t_Slice u8) + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE + in + let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = + Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN + v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher + public_key.f_ind_cpa_public_key randomness pseudorandomness + in + let shared_secret_array:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let shared_secret_array:t_Array u8 (sz 32) = + Core.Slice.impl__copy_from_slice #u8 shared_secret_array shared_secret + in + Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + #(t_Array u8 v_CIPHERTEXT_SIZE) + #FStar.Tactics.Typeclasses.solve + ciphertext, + shared_secret_array + <: + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) -let impl_2__serialized_public_key +let impl__serialized_public_key_mut (v_K: usize) (#v_Vector: Type0) (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_MlKemKeyPairUnpacked v_K v_Vector) + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) = - impl__serialized_public_key v_K - #v_Vector - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - self.f_public_key + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE = + { + serialized with + Libcrux_ml_kem.Types.f_value + = + Libcrux_ml_kem.Ind_cpa.serialize_public_key_mut v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #v_Vector + 
self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) + serialized.Libcrux_ml_kem.Types.f_value + } + <: + Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE + in + serialized let impl_2__serialized_public_key_mut (v_K: usize) 
@@ -300,119 +274,41 @@ let impl_2__serialized_public_key_mut in serialized -let impl_2__new +let impl__serialized_public_key (v_K: usize) (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: + i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (_: Prims.unit) + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) = - Core.Default.f_default #(t_MlKemKeyPairUnpacked v_K v_Vector) #FStar.Tactics.Typeclasses.solve () + Core.Convert.f_into #(t_Array u8 v_PUBLIC_KEY_SIZE) + #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #v_Vector + self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) + <: + t_Array u8 v_PUBLIC_KEY_SIZE) -let decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (#v_Vector #v_Hasher: Type0) +let impl_2__serialized_public_key + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) = - let decrypted:t_Array u8 (sz 32) = - Libcrux_ml_kem.Ind_cpa.decrypt_unpacked v_K - v_CIPHERTEXT_SIZE - v_C1_SIZE - v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR 
- #v_Vector - key_pair.f_private_key.f_ind_cpa_private_key - ciphertext.Libcrux_ml_kem.Types.f_value - in - let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = - Libcrux_ml_kem.Utils.into_padded_array (sz 64) (decrypted <: t_Slice u8) - in - let to_hash:t_Array u8 (sz 64) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash - ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize) - (Core.Slice.impl__copy_from_slice #u8 - (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - (key_pair.f_public_key.f_public_key_hash <: t_Slice u8) - <: - t_Slice u8) - in - let hashed:t_Array u8 (sz 64) = - Libcrux_ml_kem.Hash_functions.f_G #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (to_hash <: t_Slice u8) - in - let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (hashed <: t_Slice u8) - Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - in - let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8 - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = - Libcrux_ml_kem.Utils.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - (key_pair.f_private_key.f_implicit_rejection_value <: t_Slice u8) - in - let to_hash:t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash - ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize) - (Core.Slice.impl__copy_from_slice #u8 - (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - (Core.Convert.f_as_ref #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - #(t_Slice u8) - #FStar.Tactics.Typeclasses.solve - ciphertext - <: - t_Slice u8) - <: - t_Slice u8) - in - let 
(implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) = - Libcrux_ml_kem.Hash_functions.f_PRF #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (sz 32) - (to_hash <: t_Slice u8) - in - let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = - Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher - key_pair.f_public_key.f_ind_cpa_public_key decrypted pseudorandomness - in - let selector:u8 = - Libcrux_ml_kem.Constant_time_ops.compare_ciphertexts_in_constant_time (Core.Convert.f_as_ref #(Libcrux_ml_kem.Types.t_MlKemCiphertext - v_CIPHERTEXT_SIZE) - #(t_Slice u8) - #FStar.Tactics.Typeclasses.solve - ciphertext - <: - t_Slice u8) - (expected_ciphertext <: t_Slice u8) - in - Libcrux_ml_kem.Constant_time_ops.select_shared_secret_in_constant_time shared_secret - (implicit_rejection_shared_secret <: t_Slice u8) - selector + impl__serialized_public_key v_K + #v_Vector + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + self.f_public_key let generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: 
@@ -626,3 +522,107 @@ let generate_keypair t_MlKemKeyPairUnpacked v_K v_Vector in out + +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (#v_Vector #v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + let decrypted:t_Array u8 (sz 32) = + Libcrux_ml_kem.Ind_cpa.decrypt_unpacked v_K + v_CIPHERTEXT_SIZE + v_C1_SIZE + v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR + #v_Vector + key_pair.f_private_key.f_ind_cpa_private_key + ciphertext.Libcrux_ml_kem.Types.f_value + in + let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = + Libcrux_ml_kem.Utils.into_padded_array (sz 64) (decrypted <: t_Slice u8) + in + let to_hash:t_Array u8 (sz 64) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash + ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize) + (Core.Slice.impl__copy_from_slice #u8 + (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + (key_pair.f_public_key.f_public_key_hash <: t_Slice u8) + <: + t_Slice u8) + in + let hashed:t_Array u8 (sz 64) = + Libcrux_ml_kem.Hash_functions.f_G #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (to_hash <: t_Slice u8) + in + let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (hashed <: t_Slice u8) + 
Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE + in + let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8 + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = + Libcrux_ml_kem.Utils.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + (key_pair.f_private_key.f_implicit_rejection_value <: t_Slice u8) + in + let to_hash:t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash + ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize) + (Core.Slice.impl__copy_from_slice #u8 + (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + (Core.Convert.f_as_ref #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + #(t_Slice u8) + #FStar.Tactics.Typeclasses.solve + ciphertext + <: + t_Slice u8) + <: + t_Slice u8) + in + let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) = + Libcrux_ml_kem.Hash_functions.f_PRF #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (sz 32) + (to_hash <: t_Slice u8) + in + let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = + Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher + key_pair.f_public_key.f_ind_cpa_public_key decrypted pseudorandomness + in + let selector:u8 = + Libcrux_ml_kem.Constant_time_ops.compare_ciphertexts_in_constant_time (Core.Convert.f_as_ref #(Libcrux_ml_kem.Types.t_MlKemCiphertext + v_CIPHERTEXT_SIZE) + #(t_Slice u8) + #FStar.Tactics.Typeclasses.solve + ciphertext + <: + t_Slice u8) + (expected_ciphertext <: t_Slice u8) + in + Libcrux_ml_kem.Constant_time_ops.select_shared_secret_in_constant_time shared_secret + (implicit_rejection_shared_secret 
<: t_Slice u8) + selector diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti index b31715e29..8a8daa153 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti 
@@ -30,28 +30,37 @@ type t_MlKemPublicKeyUnpacked f_public_key_hash:t_Array u8 (sz 32) } +/// An unpacked ML-KEM KeyPair +type t_MlKemKeyPairUnpacked + (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + = { + f_private_key:t_MlKemPrivateKeyUnpacked v_K v_Vector; + f_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector +} + /// Get the serialized public key. -val impl__serialized_public_key +val impl_2__private_key (v_K: usize) (#v_Vector: Type0) - (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_MlKemPublicKeyUnpacked v_K v_Vector) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (t_MlKemPrivateKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) /// Get the serialized public key. -val impl__serialized_public_key_mut +val impl_2__public_key (v_K: usize) (#v_Vector: Type0) - (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_MlKemPublicKeyUnpacked v_K v_Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized private key. +val impl_2__serialized_private_key + (v_K: usize) + (#v_Vector: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey v_K) Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_1 
@@ -80,83 +89,6 @@ let impl_1 t_MlKemPublicKeyUnpacked v_K v_Vector } -val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Generate an unpacked key from a serialized key. -val unpack_public_key - (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Hasher #v_Vector: Type0) - {| i2: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (unpacked_public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) - : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -/// An unpacked ML-KEM KeyPair -type t_MlKemKeyPairUnpacked - (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - = { - f_private_key:t_MlKemPrivateKeyUnpacked v_K v_Vector; - f_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector -} - -/// Get the serialized public key. -val impl_2__private_key - (v_K: usize) - (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - : Prims.Pure (t_MlKemPrivateKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -/// Get the serialized public key. 
-val impl_2__public_key - (v_K: usize) - (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -/// Get the serialized private key. -val impl_2__serialized_private_key - (v_K: usize) - (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey v_K) Prims.l_True (fun _ -> Prims.l_True) - -/// Get the serialized public key. -val impl_2__serialized_public_key - (v_K: usize) - (#v_Vector: Type0) - (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Get the serialized public key. -val impl_2__serialized_public_key_mut - (v_K: usize) - (#v_Vector: Type0) - (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_3 (v_K: usize) 
@@ -203,15 +135,73 @@ val impl_2__new: Prims.unit -> Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: +/// Generate an unpacked key from a serialized key. +val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Hasher #v_Vector: Type0) + {| i2: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) + : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (#v_Vector #v_Hasher: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. 
+val impl__serialized_public_key_mut + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val impl_2__serialized_public_key_mut + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val impl__serialized_public_key + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val impl_2__serialized_public_key + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) /// Generate Unpacked Keys val generate_keypair 
@@ -224,3 +214,13 @@ val generate_keypair (randomness: t_Array u8 (sz 64)) (out: t_MlKemKeyPairUnpacked v_K v_Vector) : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (#v_Vector #v_Hasher: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst index 1a64404ca..84a0cd81c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst 
@@ -12,6 +12,38 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (#v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + let t:t_Array u8 (sz 32) = + Libcrux_ml_kem.Hash_functions.f_H #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (private_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = sz 384 *! v_K <: usize; + Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 32 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let expected:t_Slice u8 = + private_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = (sz 768 *! v_K <: usize) +! sz 32 <: usize; + Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 64 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + in + t =. expected + #push-options "--z3rlimit 150" let serialize_kem_secret_key 
@@ -162,6 +194,97 @@ let serialize_kem_secret_key #pop-options +#push-options "--z3rlimit 150" + +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher #v_Scheme: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (randomness: t_Array u8 (sz 32)) + = + let randomness:t_Array u8 (sz 32) = + Libcrux_ml_kem.Variant.f_entropy_preprocess #v_Scheme + #FStar.Tactics.Typeclasses.solve + v_K + #v_Hasher + (randomness <: t_Slice u8) + in + let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = + Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) + in + let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) randomness in + let to_hash:t_Array u8 (sz 64) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash + ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize) + (Core.Slice.impl__copy_from_slice #u8 + (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) + <: + t_Slice u8) + <: + t_Slice u8) + in + let _:Prims.unit = + assert (Seq.slice to_hash 0 (v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE) == randomness); + lemma_slice_append to_hash randomness (Spec.Utils.v_H 
public_key.f_value); + assert (to_hash == concat randomness (Spec.Utils.v_H public_key.f_value)) + in + let hashed:t_Array u8 (sz 64) = + Libcrux_ml_kem.Hash_functions.f_G #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (to_hash <: t_Slice u8) + in + let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (hashed <: t_Slice u8) + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE + in + let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = + Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher + (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness + pseudorandomness + in + let ciphertext:Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE = + Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + #(t_Array u8 v_CIPHERTEXT_SIZE) + #FStar.Tactics.Typeclasses.solve + ciphertext + in + let shared_secret_array:t_Array u8 (sz 32) = + Libcrux_ml_kem.Variant.f_kdf #v_Scheme + #FStar.Tactics.Typeclasses.solve + v_K + v_CIPHERTEXT_SIZE + #v_Hasher + shared_secret + ciphertext + in + ciphertext, shared_secret_array + <: + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + +#pop-options + let validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#v_Vector: Type0) 
@@ -193,37 +316,64 @@ let validate_public_key in public_key =. public_key_serialized -let validate_private_key - (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) - (#v_Hasher: Type0) +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher #v_Scheme: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: + i3: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) + (randomness: t_Array u8 (sz 64)) = - let t:t_Array u8 (sz 32) = - Libcrux_ml_kem.Hash_functions.f_H #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (private_key.Libcrux_ml_kem.Types.f_value.[ { - Core.Ops.Range.f_start = sz 384 *! v_K <: usize; - Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 32 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - in - let expected:t_Slice u8 = - private_key.Libcrux_ml_kem.Types.f_value.[ { - Core.Ops.Range.f_start = (sz 768 *! v_K <: usize) +! sz 32 <: usize; - Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 64 <: usize + let ind_cpa_keypair_randomness:t_Slice u8 = + randomness.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE } <: Core.Ops.Range.t_Range usize ] in - t =. 
expected + let implicit_rejection_value:t_Slice u8 = + randomness.[ { + Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE + } + <: + Core.Ops.Range.t_RangeFrom usize ] + in + let ind_cpa_private_key, public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE & + t_Array u8 v_PUBLIC_KEY_SIZE) = + Libcrux_ml_kem.Ind_cpa.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher #v_Scheme + ind_cpa_keypair_randomness + in + let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE = + serialize_kem_secret_key v_K + v_PRIVATE_KEY_SIZE + #v_Hasher + (ind_cpa_private_key <: t_Slice u8) + (public_key <: t_Slice u8) + implicit_rejection_value + in + let (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE):Libcrux_ml_kem.Types.t_MlKemPrivateKey + v_PRIVATE_KEY_SIZE = + Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) + #(t_Array u8 v_PRIVATE_KEY_SIZE) + #FStar.Tactics.Typeclasses.solve + secret_key_serialized + in + Libcrux_ml_kem.Types.impl_21__from v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE + private_key + (Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + #(t_Array u8 v_PUBLIC_KEY_SIZE) + #FStar.Tactics.Typeclasses.solve + public_key + <: + Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) #push-options "--z3rlimit 500" 
@@ -403,153 +553,3 @@ let decapsulate (implicit_rejection_shared_secret <: t_Slice u8) #pop-options - -#push-options "--z3rlimit 150" - -let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (#v_Vector #v_Hasher #v_Scheme: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (randomness: t_Array u8 (sz 32)) - = - let randomness:t_Array u8 (sz 32) = - Libcrux_ml_kem.Variant.f_entropy_preprocess #v_Scheme - #FStar.Tactics.Typeclasses.solve - v_K - #v_Hasher - (randomness <: t_Slice u8) - in - let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = - Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) - in - let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) randomness in - let to_hash:t_Array u8 (sz 64) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash - ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize) - (Core.Slice.impl__copy_from_slice #u8 - (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) - <: - t_Slice u8) - <: - t_Slice u8) - in - let _:Prims.unit = - assert (Seq.slice to_hash 0 (v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE) == randomness); - lemma_slice_append to_hash 
randomness (Spec.Utils.v_H public_key.f_value); - assert (to_hash == concat randomness (Spec.Utils.v_H public_key.f_value)) - in - let hashed:t_Array u8 (sz 64) = - Libcrux_ml_kem.Hash_functions.f_G #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (to_hash <: t_Slice u8) - in - let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (hashed <: t_Slice u8) - Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - in - let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = - Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE - v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher - (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness - pseudorandomness - in - let ciphertext:Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE = - Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - #(t_Array u8 v_CIPHERTEXT_SIZE) - #FStar.Tactics.Typeclasses.solve - ciphertext - in - let shared_secret_array:t_Array u8 (sz 32) = - Libcrux_ml_kem.Variant.f_kdf #v_Scheme - #FStar.Tactics.Typeclasses.solve - v_K - v_CIPHERTEXT_SIZE - #v_Hasher - shared_secret - ciphertext - in - ciphertext, shared_secret_array - <: - (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - -#pop-options - -let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (#v_Vector #v_Hasher #v_Scheme: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) - (randomness: t_Array u8 (sz 
64)) - = - let ind_cpa_keypair_randomness:t_Slice u8 = - randomness.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE - } - <: - Core.Ops.Range.t_Range usize ] - in - let implicit_rejection_value:t_Slice u8 = - randomness.[ { - Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE - } - <: - Core.Ops.Range.t_RangeFrom usize ] - in - let ind_cpa_private_key, public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE & - t_Array u8 v_PUBLIC_KEY_SIZE) = - Libcrux_ml_kem.Ind_cpa.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher #v_Scheme - ind_cpa_keypair_randomness - in - let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE = - serialize_kem_secret_key v_K - v_PRIVATE_KEY_SIZE - #v_Hasher - (ind_cpa_private_key <: t_Slice u8) - (public_key <: t_Slice u8) - implicit_rejection_value - in - let (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE):Libcrux_ml_kem.Types.t_MlKemPrivateKey - v_PRIVATE_KEY_SIZE = - Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) - #(t_Array u8 v_PRIVATE_KEY_SIZE) - #FStar.Tactics.Typeclasses.solve - secret_key_serialized - in - Libcrux_ml_kem.Types.impl_21__from v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE - private_key - (Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - #(t_Array u8 v_PUBLIC_KEY_SIZE) - #FStar.Tactics.Typeclasses.solve - public_key - <: - Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti index 0ae396fd2..cc03d69ee 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti 
@@ -20,42 +20,6 @@ let v_KEY_GENERATION_SEED_SIZE: usize = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE +! Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE -/// Serialize the secret key. -val serialize_kem_secret_key - (v_K v_SERIALIZED_KEY_LEN: usize) - (#v_Hasher: Type0) - {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (private_key public_key implicit_rejection_value: t_Slice u8) - : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) - (requires - Spec.MLKEM.is_rank v_K /\ v_SERIALIZED_KEY_LEN == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - Core.Slice.impl__len #u8 private_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - Core.Slice.impl__len #u8 public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - Core.Slice.impl__len #u8 implicit_rejection_value == Spec.MLKEM.v_SHARED_SECRET_SIZE) - (ensures - fun result -> - let result:t_Array u8 v_SERIALIZED_KEY_LEN = result in - result == - Seq.append private_key - (Seq.append public_key (Seq.append (Spec.Utils.v_H public_key) implicit_rejection_value) - )) - -/// Validate an ML-KEM public key. -/// This implements the Modulus check in 7.2 2. -/// Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the -/// `public_key` type. -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) - (fun _ -> Prims.l_True) - /// Validate an ML-KEM private key. /// This implements the Hash check in 7.3 3. /// Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` 
@@ -72,38 +36,25 @@ val validate_private_key v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) (fun _ -> Prims.l_True) -/// This code verifies on some machines, runs out of memory on others -val decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (#v_Vector #v_Hasher #v_Scheme: Type0) - {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) +/// Serialize the secret key. +val serialize_kem_secret_key + (v_K v_SERIALIZED_KEY_LEN: usize) + (#v_Hasher: Type0) + {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (private_key public_key implicit_rejection_value: t_Slice u8) + : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - 
v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) + Spec.MLKEM.is_rank v_K /\ v_SERIALIZED_KEY_LEN == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + Core.Slice.impl__len #u8 private_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + Core.Slice.impl__len #u8 public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + Core.Slice.impl__len #u8 implicit_rejection_value == Spec.MLKEM.v_SHARED_SECRET_SIZE) (ensures fun result -> - let result:t_Array u8 (sz 32) = result in - let expected, valid = - Spec.MLKEM.ind_cca_decapsulate v_K private_key.f_value ciphertext.f_value - in - valid ==> result == expected) + let result:t_Array u8 v_SERIALIZED_KEY_LEN = result in + result == + Seq.append private_key + (Seq.append public_key (Seq.append (Spec.Utils.v_H public_key) implicit_rejection_value) + )) val encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: 
@@ -135,6 +86,22 @@ val encapsulate let expected, valid = Spec.MLKEM.ind_cca_encapsulate v_K public_key.f_value randomness in valid ==> (result._1.f_value, result._2) == expected) +/// Validate an ML-KEM public key. +/// This implements the Modulus check in 7.2 2. +/// Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the +/// `public_key` type. +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) + (fun _ -> Prims.l_True) + /// Packed API /// Generate a key pair. /// Depending on the `Vector` and `Hasher` used, this requires different hardware 
@@ -162,3 +129,36 @@ val generate_keypair in let expected, valid = Spec.MLKEM.ind_cca_generate_keypair v_K randomness in valid ==> (result.f_sk.f_value, result.f_pk.f_value) == expected) + +/// This code verifies on some machines, runs out of memory on others +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (#v_Vector #v_Hasher #v_Scheme: Type0) + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) + (requires + Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ + v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ + v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ + v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ + v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) + (ensures + fun result -> + let 
result:t_Array u8 (sz 32) = result in + let expected, valid = + Spec.MLKEM.ind_cca_decapsulate v_K private_key.f_value ciphertext.f_value + in + valid ==> result == expected) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti index a0ce84565..b7e0c4efc 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti @@ -14,6 +14,15 @@ type t_IndCpaPrivateKeyUnpacked (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} = { f_secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K } +/// An unpacked ML-KEM IND-CPA Private Key +type t_IndCpaPublicKeyUnpacked + (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + = { + f_t_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K; + f_seed_for_A:t_Array u8 (sz 32); + f_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K +} + [@@ FStar.Tactics.Typeclasses.tcinstance] let impl (v_K: usize) @@ -40,15 +49,6 @@ let impl t_IndCpaPrivateKeyUnpacked v_K v_Vector } -/// An unpacked ML-KEM IND-CPA Private Key -type t_IndCpaPublicKeyUnpacked - (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - = { - f_t_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K; - f_seed_for_A:t_Array u8 (sz 32); - f_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K -} - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_1 (v_K: usize) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst index 4821be2e5..ff00058a1 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst @@ -12,6 +12,55 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +let deserialize_secret_key + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (secret_key: t_Slice u8) + = + let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + (fun temp_0_ -> + let _:usize = temp_0_ in + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT + secret_key + (fun secret_as_ntt temp_1_ -> + let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K + = + secret_as_ntt + in + let _:usize = temp_1_ in + true) + secret_as_ntt + (fun secret_as_ntt temp_1_ -> + let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K + = + secret_as_ntt + in + let i, secret_bytes:(usize & t_Slice u8) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize secret_as_ntt + i + (Libcrux_ml_kem.Serialize.deserialize_to_uncompressed_ring_element #v_Vector + secret_bytes + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + in + let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + secret_as_ntt + in + let _:Prims.unit = admit () (* Panic freedom *) in + result + let sample_ring_element_cbd (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) (#v_Vector #v_Hasher: Type0) 
@@ -233,6 +282,112 @@ let sample_vector_cbd_then_ntt_out let _:Prims.unit = admit () (* Panic freedom *) in result +let generate_keypair_unpacked + (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) + (#v_Vector #v_Hasher #v_Scheme: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) + (key_generation_seed: t_Slice u8) + (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + = + let hashed:t_Array u8 (sz 64) = + Libcrux_ml_kem.Variant.f_cpa_keygen_seed #v_Scheme + #FStar.Tactics.Typeclasses.solve + v_K + #v_Hasher + key_generation_seed + in + let seed_for_A, seed_for_secret_and_error:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 (hashed <: t_Slice u8) (sz 32) + in + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + { + public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + = + Libcrux_ml_kem.Matrix.sample_matrix_A v_K + #v_Vector + #v_Hasher + public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed_for_A <: t_Array u8 (sz 34)) + true + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + in + let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = + Libcrux_ml_kem.Utils.into_padded_array (sz 33) seed_for_secret_and_error + in + let tmp0, out:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = + sample_vector_cbd_then_ntt v_K + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + #v_Vector + #v_Hasher + private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt + prf_input + 0uy + in + let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K 
v_Vector = + { private_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = tmp0 } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector + in + let domain_separator:u8 = out in + let error_as_ntt, _:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8 + ) = + sample_vector_cbd_then_ntt_out v_K + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + #v_Vector + #v_Hasher + prf_input + domain_separator + in + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + { + public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + = + Libcrux_ml_kem.Matrix.compute_As_plus_e v_K + #v_Vector + public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt + error_as_ntt + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + in + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + { + public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A + = + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_A + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + in + let hax_temp_output:Prims.unit = admit () (* Panic freedom *) in + private_key, public_key + <: + (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + let compress_then_serialize_u (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize) (#v_Vector: Type0) 
@@ -299,335 +454,24 @@ let compress_then_serialize_u let hax_temp_output:Prims.unit = result in out -let deserialize_then_decompress_u - (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - = - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun temp_0_ -> - let _:usize = temp_0_ in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! - v_U_COMPRESSION_FACTOR - <: - usize) /! - sz 8 - <: - usize) - (ciphertext <: t_Slice u8) - (fun u_as_ntt temp_1_ -> - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - u_as_ntt - in - let _:usize = temp_1_ in - true) - u_as_ntt - (fun u_as_ntt temp_1_ -> - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - u_as_ntt - in - let i, u_bytes:(usize & t_Slice u8) = temp_1_ in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt - i - (Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR - #v_Vector - u_bytes - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt - i - (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR - #v_Vector - (u_as_ntt.[ i ] <: 
Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - u_as_ntt) - in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = u_as_ntt in - let _:Prims.unit = admit () (* Panic freedom *) in - result +#push-options "--z3rlimit 200" -let deserialize_secret_key - (v_K: usize) - (#v_Vector: Type0) +let encrypt_unpacked + (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: + i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (secret_key: t_Slice u8) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + (message: t_Array u8 (sz 32)) + (randomness: t_Slice u8) = - let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun temp_0_ -> - let _:usize = temp_0_ in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT - secret_key - (fun secret_as_ntt temp_1_ -> - let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K - = - secret_as_ntt - in - let _:usize = temp_1_ in - true) - secret_as_ntt - (fun secret_as_ntt temp_1_ -> - let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K - = - secret_as_ntt - in - let i, secret_bytes:(usize & 
t_Slice u8) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize secret_as_ntt - i - (Libcrux_ml_kem.Serialize.deserialize_to_uncompressed_ring_element #v_Vector - secret_bytes - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - secret_as_ntt - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -#push-options "--z3rlimit 200" - -let serialize_secret_key - (v_K v_OUT_LEN: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - = - let out:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in - let out:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Folds.fold_enumerated_slice key - (fun out i -> - let out:t_Array u8 v_OUT_LEN = out in - let i:usize = i in - v i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key (v i))) - out - (fun out temp_1_ -> - let out:t_Array u8 v_OUT_LEN = out in - let i, re:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_1_ - in - let out:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range out - ({ - Core.Ops.Range.f_start - = - i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (out.[ { - Core.Ops.Range.f_start - = - i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! 
Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT - <: - usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (Libcrux_ml_kem.Serialize.serialize_uncompressed_ring_element #v_Vector re - <: - t_Slice u8) - <: - t_Slice u8) - in - out) - in - let result:t_Array u8 v_OUT_LEN = out in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -#pop-options - -let serialize_public_key_mut - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (seed_for_a: t_Slice u8) - (serialized: t_Array u8 v_PUBLIC_KEY_SIZE) - = - let serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (serialize_secret_key v_K v_RANKED_BYTES_PER_RING_ELEMENT #v_Vector tt_as_ntt - <: - t_Slice u8) - <: - t_Slice u8) - in - let serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from serialized - ({ Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } - <: - Core.Ops.Range.t_RangeFrom usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - seed_for_a - <: - t_Slice u8) - in - let hax_temp_output:Prims.unit = admit () (* Panic freedom *) in - serialized - -let serialize_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Vector: Type0) - 
(#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (seed_for_a: t_Slice u8) - = - let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - Rust_primitives.Hax.repeat 0uy v_PUBLIC_KEY_SIZE - in - let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - serialize_public_key_mut v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #v_Vector - tt_as_ntt - seed_for_a - public_key_serialized - in - let result:t_Array u8 v_PUBLIC_KEY_SIZE = public_key_serialized in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -let decrypt_unpacked - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - = - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialize_then_decompress_u v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR #v_Vector ciphertext - in - let v:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_v v_V_COMPRESSION_FACTOR - #v_Vector - (ciphertext.[ { Core.Ops.Range.f_start = v_VECTOR_U_ENCODED_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - in - let message:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Matrix.compute_message v_K - #v_Vector - v - secret_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt - u_as_ntt - in - Libcrux_ml_kem.Serialize.compress_then_serialize_message #v_Vector message - -let decrypt - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - (#v_Vector: 
Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (secret_key: t_Slice u8) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - = - let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialize_secret_key v_K #v_Vector secret_key - in - let secret_key_unpacked:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = - { Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = secret_as_ntt } - <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector - in - let result:t_Array u8 (sz 32) = - decrypt_unpacked v_K - v_CIPHERTEXT_SIZE - v_VECTOR_U_ENCODED_SIZE - v_U_COMPRESSION_FACTOR - v_V_COMPRESSION_FACTOR - #v_Vector - secret_key_unpacked - ciphertext - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -#push-options "--z3rlimit 200" - -let encrypt_unpacked - (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (#v_Vector #v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) - (message: t_Array u8 (sz 32)) - (randomness: t_Slice u8) - = - let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = - Libcrux_ml_kem.Utils.into_padded_array (sz 33) randomness + let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = + Libcrux_ml_kem.Utils.into_padded_array (sz 33) randomness in let r_as_ntt, domain_separator:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & 
@@ -785,111 +629,267 @@ let encrypt let _:Prims.unit = admit () (* Panic freedom *) in result -let generate_keypair_unpacked - (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher #v_Scheme: Type0) +let deserialize_then_decompress_u + (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: + i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) - (key_generation_seed: t_Slice u8) - (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) - (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) = - let hashed:t_Array u8 (sz 64) = - Libcrux_ml_kem.Variant.f_cpa_keygen_seed #v_Scheme - #FStar.Tactics.Typeclasses.solve + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K - #v_Hasher - key_generation_seed + (fun temp_0_ -> + let _:usize = temp_0_ in + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in - let seed_for_A, seed_for_secret_and_error:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 (hashed <: t_Slice u8) (sz 32) + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! + v_U_COMPRESSION_FACTOR + <: + usize) /! 
+ sz 8 + <: + usize) + (ciphertext <: t_Slice u8) + (fun u_as_ntt temp_1_ -> + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + u_as_ntt + in + let _:usize = temp_1_ in + true) + u_as_ntt + (fun u_as_ntt temp_1_ -> + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + u_as_ntt + in + let i, u_bytes:(usize & t_Slice u8) = temp_1_ in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt + i + (Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR + #v_Vector + u_bytes + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt + i + (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR + #v_Vector + (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + u_as_ntt) in - let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = - { - public_key with - Libcrux_ml_kem.Ind_cpa.Unpacked.f_A - = - Libcrux_ml_kem.Matrix.sample_matrix_A v_K - #v_Vector - #v_Hasher - public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A - (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed_for_A <: t_Array u8 (sz 34)) - true - } - <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = u_as_ntt in + let _:Prims.unit = admit () (* Panic freedom *) in + result + +let decrypt_unpacked + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + 
Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + = + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialize_then_decompress_u v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR #v_Vector ciphertext in - let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = - Libcrux_ml_kem.Utils.into_padded_array (sz 33) seed_for_secret_and_error + let v:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_v v_V_COMPRESSION_FACTOR + #v_Vector + (ciphertext.[ { Core.Ops.Range.f_start = v_VECTOR_U_ENCODED_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) in - let tmp0, out:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = - sample_vector_cbd_then_ntt v_K - v_ETA1 - v_ETA1_RANDOMNESS_SIZE + let message:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Matrix.compute_message v_K #v_Vector - #v_Hasher - private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt - prf_input - 0uy + v + secret_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt + u_as_ntt in - let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = - { private_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = tmp0 } + Libcrux_ml_kem.Serialize.compress_then_serialize_message #v_Vector message + +let decrypt + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (secret_key: t_Slice u8) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + = + let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialize_secret_key v_K #v_Vector secret_key 
+ in + let secret_key_unpacked:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = + { Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = secret_as_ntt } <: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector in - let domain_separator:u8 = out in - let error_as_ntt, _:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8 - ) = - sample_vector_cbd_then_ntt_out v_K - v_ETA1 - v_ETA1_RANDOMNESS_SIZE + let result:t_Array u8 (sz 32) = + decrypt_unpacked v_K + v_CIPHERTEXT_SIZE + v_VECTOR_U_ENCODED_SIZE + v_U_COMPRESSION_FACTOR + v_V_COMPRESSION_FACTOR #v_Vector - #v_Hasher - prf_input - domain_separator + secret_key_unpacked + ciphertext in - let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = - { - public_key with - Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt - = - Libcrux_ml_kem.Matrix.compute_As_plus_e v_K - #v_Vector - public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt - public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A - private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt - error_as_ntt - } - <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + let _:Prims.unit = admit () (* Panic freedom *) in + result + +#push-options "--z3rlimit 200" + +let serialize_secret_key + (v_K v_OUT_LEN: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + = + let out:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in + let out:t_Array u8 v_OUT_LEN = + Rust_primitives.Hax.Folds.fold_enumerated_slice key + (fun out i -> + let out:t_Array u8 v_OUT_LEN = out in + let i:usize = i in + v i < v v_K ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key (v i))) + out + (fun out temp_1_ -> + let out:t_Array u8 v_OUT_LEN = out in + let i, re:(usize & 
Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + temp_1_ + in + let out:t_Array u8 v_OUT_LEN = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range out + ({ + Core.Ops.Range.f_start + = + i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (out.[ { + Core.Ops.Range.f_start + = + i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT + <: + usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_kem.Serialize.serialize_uncompressed_ring_element #v_Vector re + <: + t_Slice u8) + <: + t_Slice u8) + in + out) in - let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = - { - public_key with - Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A - = - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 32)) - #FStar.Tactics.Typeclasses.solve - seed_for_A - <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) - } - <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector + let result:t_Array u8 v_OUT_LEN = out in + let _:Prims.unit = admit () (* Panic freedom *) in + result + +#pop-options + +let serialize_public_key_mut + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (seed_for_a: t_Slice u8) + (serialized: t_Array u8 v_PUBLIC_KEY_SIZE) + = + let serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (serialize_secret_key v_K v_RANKED_BYTES_PER_RING_ELEMENT #v_Vector tt_as_ntt + <: + t_Slice u8) + <: + t_Slice u8) + in + let serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from serialized + ({ Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } + <: + Core.Ops.Range.t_RangeFrom usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + seed_for_a + <: + t_Slice u8) in let hax_temp_output:Prims.unit = admit () (* Panic freedom *) in - private_key, public_key - <: - (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + serialized + +let serialize_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (seed_for_a: t_Slice u8) + = + let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + Rust_primitives.Hax.repeat 0uy v_PUBLIC_KEY_SIZE + in + let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + serialize_public_key_mut v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #v_Vector + tt_as_ntt + seed_for_a + public_key_serialized + in + let result:t_Array u8 v_PUBLIC_KEY_SIZE = public_key_serialized in + let _:Prims.unit = admit () 
(* Panic freedom *) in + result let generate_keypair (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti index 34b5b8ade..f1df187af 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti @@ -12,6 +12,24 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +/// Call [`deserialize_to_uncompressed_ring_element`] for each ring element. +val deserialize_secret_key + (v_K: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (secret_key: t_Slice u8) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (requires + Spec.MLKEM.is_rank v_K /\ length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v (Core.Slice.impl__len #u8 secret_key) / + v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <= + v v_K) + (ensures + fun res -> + let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in + Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res == + Spec.MLKEM.vector_decode_12 #v_K secret_key) + /// Sample a vector of ring elements from a centered binomial distribution. val sample_ring_element_cbd (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) 
@@ -78,6 +96,73 @@ val sample_vector_cbd_then_ntt_out (Seq.slice prf_input 0 32) (sz (v domain_separator))) +/// This function implements most of Algorithm 12 of the +/// NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation algorithm. +/// We say \"most of\" since Algorithm 12 samples the required randomness within +/// the function itself, whereas this implementation expects it to be provided +/// through the `key_generation_seed` parameter. +/// Algorithm 12 is reproduced below: +/// ```plaintext +/// Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. +/// Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. +/// d ←$ B +/// (ρ,σ) ← G(d) +/// N ← 0 +/// for (i ← 0; i < k; i++) +/// for(j ← 0; j < k; j++) +/// Â[i,j] ← SampleNTT(XOF(ρ, i, j)) +/// end for +/// end for +/// for(i ← 0; i < k; i++) +/// s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) +/// N ← N + 1 +/// end for +/// for(i ← 0; i < k; i++) +/// e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) +/// N ← N + 1 +/// end for +/// ŝ ← NTT(s) +/// ê ← NTT(e) +/// t\u{302} ← Â◦ŝ + ê +/// ekₚₖₑ ← ByteEncode₁₂(t\u{302}) ‖ ρ +/// dkₚₖₑ ← ByteEncode₁₂(ŝ) +/// ``` +/// The NIST FIPS 203 standard can be found at +/// . 
+val generate_keypair_unpacked + (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) + (#v_Vector #v_Hasher #v_Scheme: Type0) + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} + (key_generation_seed: t_Slice u8) + (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + (requires + Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ + v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ + length key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE) + (ensures + fun temp_0_ -> + let private_key_future, public_key_future:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked + v_K v_Vector & + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) = + temp_0_ + in + (forall (i: nat). + i < v v_K ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index private_key_future + .f_secret_as_ntt + i)) /\ + (forall (i: nat). + i < v v_K ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key_future + .f_t_as_ntt + i))) + /// Call [`compress_then_serialize_ring_element_u`] on each ring element. val compress_then_serialize_u (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize) 
@@ -100,160 +185,6 @@ val compress_then_serialize_u Spec.MLKEM.compress_then_encode_u #v_K (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector input)) -/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element -/// in the `ciphertext`. -val deserialize_then_decompress_u - (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K) - (ensures - fun res -> - let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in - Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res == - Spec.MLKEM.(vector_ntt (decode_then_decompress_u #v_K - (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K)))))) - -/// Call [`deserialize_to_uncompressed_ring_element`] for each ring element. -val deserialize_secret_key - (v_K: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (secret_key: t_Slice u8) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires - Spec.MLKEM.is_rank v_K /\ length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v (Core.Slice.impl__len #u8 secret_key) / - v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <= - v v_K) - (ensures - fun res -> - let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in - Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res == - Spec.MLKEM.vector_decode_12 #v_K secret_key) - -/// Call [`serialize_uncompressed_ring_element`] for each ring element. 
-val serialize_secret_key - (v_K v_OUT_LEN: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - : Prims.Pure (t_Array u8 v_OUT_LEN) - (requires - Spec.MLKEM.is_rank v_K /\ v_OUT_LEN == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key i))) - (ensures - fun res -> - let res:t_Array u8 v_OUT_LEN = res in - res == - Spec.MLKEM.vector_encode_12 #v_K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key)) - -/// Concatenate `t` and `ρ` into the public key. -val serialize_public_key_mut - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (seed_for_a: t_Slice u8) - (serialized: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\ - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i))) - (ensures - fun serialized_future -> - let serialized_future:t_Array u8 v_PUBLIC_KEY_SIZE = serialized_future in - serialized_future == - Seq.append (Spec.MLKEM.vector_encode_12 #v_K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt)) - seed_for_a) - -/// Concatenate `t` and `ρ` into the public key. 
-val serialize_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (seed_for_a: t_Slice u8) - : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\ - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i))) - (ensures - fun res -> - let res:t_Array u8 v_PUBLIC_KEY_SIZE = res in - res == - Seq.append (Spec.MLKEM.vector_encode_12 #v_K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt)) - seed_for_a) - -/// This function implements Algorithm 14 of the -/// NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. -/// Algorithm 14 is reproduced below: -/// ```plaintext -/// Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. -/// Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. -/// Output: message m ∈ 𝔹^{32}. -/// c₁ ← c[0 : 32dᵤk] -/// c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] -/// u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) -/// v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) -/// ŝ ← ByteDecode₁₂(dkₚₖₑ) -/// w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) -/// m ← ByteEncode₁(Compress₁(w)) -/// return m -/// ``` -/// The NIST FIPS 203 standard can be found at -/// . 
-val decrypt_unpacked - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K) - (fun _ -> Prims.l_True) - -val decrypt - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (secret_key: t_Slice u8) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ - v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == Spec.MLKEM.ind_cpa_decrypt v_K secret_key ciphertext) - /// This function implements Algorithm 13 of the /// NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. /// Algorithm 13 is reproduced below: 
@@ -340,72 +271,141 @@ val encrypt let expected, valid = Spec.MLKEM.ind_cpa_encrypt v_K public_key message randomness in valid ==> result == expected) -/// This function implements most of Algorithm 12 of the -/// NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation algorithm. -/// We say \"most of\" since Algorithm 12 samples the required randomness within -/// the function itself, whereas this implementation expects it to be provided -/// through the `key_generation_seed` parameter. -/// Algorithm 12 is reproduced below: +/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element +/// in the `ciphertext`. +val deserialize_then_decompress_u + (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (requires + Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K) + (ensures + fun res -> + let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in + Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res == + Spec.MLKEM.(vector_ntt (decode_then_decompress_u #v_K + (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K)))))) + +/// This function implements Algorithm 14 of the +/// NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. +/// Algorithm 14 is reproduced below: /// ```plaintext -/// Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. -/// Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. 
-/// d ←$ B -/// (ρ,σ) ← G(d) -/// N ← 0 -/// for (i ← 0; i < k; i++) -/// for(j ← 0; j < k; j++) -/// Â[i,j] ← SampleNTT(XOF(ρ, i, j)) -/// end for -/// end for -/// for(i ← 0; i < k; i++) -/// s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) -/// N ← N + 1 -/// end for -/// for(i ← 0; i < k; i++) -/// e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) -/// N ← N + 1 -/// end for -/// ŝ ← NTT(s) -/// ê ← NTT(e) -/// t\u{302} ← Â◦ŝ + ê -/// ekₚₖₑ ← ByteEncode₁₂(t\u{302}) ‖ ρ -/// dkₚₖₑ ← ByteEncode₁₂(ŝ) +/// Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. +/// Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. +/// Output: message m ∈ 𝔹^{32}. +/// c₁ ← c[0 : 32dᵤk] +/// c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] +/// u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) +/// v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) +/// ŝ ← ByteDecode₁₂(dkₚₖₑ) +/// w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) +/// m ← ByteEncode₁(Compress₁(w)) +/// return m /// ``` /// The NIST FIPS 203 standard can be found at /// . -val generate_keypair_unpacked - (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher #v_Scheme: Type0) - {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} - (key_generation_seed: t_Slice u8) - (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) - (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) +val decrypt_unpacked + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) (requires - 
Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - length key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE) + Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K) + (fun _ -> Prims.l_True) + +val decrypt + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (secret_key: t_Slice u8) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) + (requires + Spec.MLKEM.is_rank v_K /\ length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ + v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K) (ensures - fun temp_0_ -> - let private_key_future, public_key_future:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked - v_K v_Vector & - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) = - temp_0_ - in - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index private_key_future - .f_secret_as_ntt - i)) /\ - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key_future - .f_t_as_ntt - i))) + fun result -> + let result:t_Array u8 (sz 32) = result in + result == Spec.MLKEM.ind_cpa_decrypt v_K secret_key ciphertext) + +/// Call [`serialize_uncompressed_ring_element`] for each ring element. 
+val serialize_secret_key + (v_K v_OUT_LEN: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + : Prims.Pure (t_Array u8 v_OUT_LEN) + (requires + Spec.MLKEM.is_rank v_K /\ v_OUT_LEN == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + (forall (i: nat). + i < v v_K ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key i))) + (ensures + fun res -> + let res:t_Array u8 v_OUT_LEN = res in + res == + Spec.MLKEM.vector_encode_12 #v_K + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key)) + +/// Concatenate `t` and `ρ` into the public key. +val serialize_public_key_mut + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (seed_for_a: t_Slice u8) + (serialized: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\ + (forall (i: nat). + i < v v_K ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i))) + (ensures + fun serialized_future -> + let serialized_future:t_Array u8 v_PUBLIC_KEY_SIZE = serialized_future in + serialized_future == + Seq.append (Spec.MLKEM.vector_encode_12 #v_K + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt)) + seed_for_a) + +/// Concatenate `t` and `ρ` into the public key. 
+val serialize_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (seed_for_a: t_Slice u8) + : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\ + (forall (i: nat). + i < v v_K ==> + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i))) + (ensures + fun res -> + let res:t_Array u8 v_PUBLIC_KEY_SIZE = res in + res == + Seq.append (Spec.MLKEM.vector_encode_12 #v_K + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt)) + seed_for_a) val generate_keypair (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst index 227ecb785..0fe17e19e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst 
@@ -10,6 +10,133 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +let sample_matrix_A + (v_K: usize) + (#v_Vector #v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (v_A_transpose: + t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) + (seed: t_Array u8 (sz 34)) + (transpose: bool) + = + let v_A_transpose:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_K + (fun v_A_transpose temp_1_ -> + let v_A_transpose:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + v_A_transpose + in + let _:usize = temp_1_ in + true) + v_A_transpose + (fun v_A_transpose i -> + let v_A_transpose:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + v_A_transpose + in + let i:usize = i in + let seeds:t_Array (t_Array u8 (sz 34)) v_K = Rust_primitives.Hax.repeat seed v_K in + let seeds:t_Array (t_Array u8 (sz 34)) v_K = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_K + (fun seeds temp_1_ -> + let seeds:t_Array (t_Array u8 (sz 34)) v_K = seeds in + let _:usize = temp_1_ in + true) + seeds + (fun seeds j -> + let seeds:t_Array (t_Array u8 (sz 34)) v_K = seeds in + let j:usize = j in + let seeds:t_Array (t_Array u8 (sz 34)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds + j + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ] + <: + t_Array u8 (sz 34)) + (sz 32) + (cast (i <: usize) <: u8) + <: + t_Array u8 (sz 34)) + in + let seeds:t_Array (t_Array u8 (sz 34)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds + j + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ] + <: + t_Array u8 (sz 34)) + (sz 33) + 
(cast (j <: usize) <: u8) + <: + t_Array u8 (sz 34)) + in + seeds) + in + let sampled:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Libcrux_ml_kem.Sampling.sample_from_xof v_K #v_Vector #v_Hasher seeds + in + Rust_primitives.Hax.Folds.fold_enumerated_slice sampled + (fun v_A_transpose temp_1_ -> + let v_A_transpose:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + v_A_transpose + in + let _:usize = temp_1_ in + true) + v_A_transpose + (fun v_A_transpose temp_1_ -> + let v_A_transpose:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + v_A_transpose + in + let j, sample:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + temp_1_ + in + if transpose + then + let v_A_transpose:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose + j + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ j + ] + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K + ) + i + sample + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + in + v_A_transpose + else + let v_A_transpose:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose + i + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ i + ] + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K + ) + j + sample + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + in + v_A_transpose)) + in + let result:Prims.unit = () <: Prims.unit in + let _:Prims.unit = admit () (* Panic freedom *) in + let hax_temp_output:Prims.unit = result in + v_A_transpose + let compute_As_plus_e (v_K: usize) (#v_Vector: Type0) 
@@ -107,6 +234,52 @@ let compute_As_plus_e #push-options "--admit_smt_queries true" +let compute_message + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (secret_as_ntt u_as_ntt: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + = + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_K + (fun result temp_1_ -> + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in + let i:usize = i in + let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector + (secret_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K result product + in + result) + in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result + in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl_2__subtract_reduce #v_Vector v result + in + result + +#pop-options + +#push-options "--admit_smt_queries true" + let compute_ring_element_v (v_K: usize) (#v_Vector: Type0) 
@@ -254,176 +427,3 @@ let compute_vector_u result #pop-options - -#push-options "--admit_smt_queries true" - -let compute_message - (v_K: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (secret_as_ntt u_as_ntt: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - = - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_range (sz 0) - v_K - (fun result temp_1_ -> - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in - let _:usize = temp_1_ in - true) - result - (fun result i -> - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in - let i:usize = i in - let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector - (secret_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K result product - in - result) - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__subtract_reduce #v_Vector v result - in - result - -#pop-options - -let sample_matrix_A - (v_K: usize) - (#v_Vector #v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - 
(#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (v_A_transpose: - t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) - (seed: t_Array u8 (sz 34)) - (transpose: bool) - = - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - Rust_primitives.Hax.Folds.fold_range (sz 0) - v_K - (fun v_A_transpose temp_1_ -> - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - v_A_transpose - in - let _:usize = temp_1_ in - true) - v_A_transpose - (fun v_A_transpose i -> - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - v_A_transpose - in - let i:usize = i in - let seeds:t_Array (t_Array u8 (sz 34)) v_K = Rust_primitives.Hax.repeat seed v_K in - let seeds:t_Array (t_Array u8 (sz 34)) v_K = - Rust_primitives.Hax.Folds.fold_range (sz 0) - v_K - (fun seeds temp_1_ -> - let seeds:t_Array (t_Array u8 (sz 34)) v_K = seeds in - let _:usize = temp_1_ in - true) - seeds - (fun seeds j -> - let seeds:t_Array (t_Array u8 (sz 34)) v_K = seeds in - let j:usize = j in - let seeds:t_Array (t_Array u8 (sz 34)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds - j - (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ] - <: - t_Array u8 (sz 34)) - (sz 32) - (cast (i <: usize) <: u8) - <: - t_Array u8 (sz 34)) - in - let seeds:t_Array (t_Array u8 (sz 34)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds - j - (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ] - <: - t_Array u8 (sz 34)) - (sz 33) - (cast (j <: usize) <: u8) - <: - t_Array u8 (sz 34)) - in - seeds) - in - let sampled:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Libcrux_ml_kem.Sampling.sample_from_xof v_K #v_Vector #v_Hasher seeds - in - 
Rust_primitives.Hax.Folds.fold_enumerated_slice sampled - (fun v_A_transpose temp_1_ -> - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - v_A_transpose - in - let _:usize = temp_1_ in - true) - v_A_transpose - (fun v_A_transpose temp_1_ -> - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - v_A_transpose - in - let j, sample:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_1_ - in - if transpose - then - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose - j - (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ j - ] - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K - ) - i - sample - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - in - v_A_transpose - else - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose - i - (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ i - ] - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K - ) - j - sample - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - in - v_A_transpose)) - in - let result:Prims.unit = () <: Prims.unit in - let _:Prims.unit = admit () (* Panic freedom *) in - let hax_temp_output:Prims.unit = result in - v_A_transpose diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti index 0520e4a48..58bcbe1b2 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti @@ -10,6 +10,32 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +val sample_matrix_A + (v_K: usize) + (#v_Vector #v_Hasher: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (v_A_transpose: + t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) + (seed: t_Array u8 (sz 34)) + (transpose: bool) + : Prims.Pure + (t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) + (requires Spec.MLKEM.is_rank v_K) + (ensures + fun v_A_transpose_future -> + let v_A_transpose_future:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + v_A_transpose_future + in + let matrix_A, valid = Spec.MLKEM.sample_matrix_A_ntt (Seq.slice seed 0 32) in + valid ==> + (if transpose + then Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == matrix_A + else + Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == + Spec.MLKEM.matrix_transpose matrix_A)) + /// Compute  ◦ ŝ + ê val compute_As_plus_e (v_K: usize) 
@@ -34,6 +60,31 @@ val compute_As_plus_e (to_spec_vector_t s_as_ntt) (to_spec_vector_t error_as_ntt)) +/// The following functions compute various expressions involving +/// vectors and matrices. The computation of these expressions has been +/// abstracted away into these functions in order to save on loop iterations. +/// Compute v − InverseNTT(sᵀ ◦ NTT(u)) +val compute_message + (v_K: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (secret_as_ntt u_as_ntt: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (requires Spec.MLKEM.is_rank v_K) + (ensures + fun res -> + let res:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = res in + let open Libcrux_ml_kem.Polynomial in + let secret_spec = to_spec_vector_t secret_as_ntt in + let u_spec = to_spec_vector_t u_as_ntt in + let v_spec = to_spec_poly_t v in + to_spec_poly_t res == + Spec.MLKEM.(poly_sub v_spec + (poly_inv_ntt (vector_dot_product_ntt #v_K secret_spec u_spec))) /\ + Libcrux_ml_kem.Serialize.coefficients_field_modulus_range res) + /// Compute InverseNTT(tᵀ ◦ r\u{302}) + e₂ + message val compute_ring_element_v (v_K: usize) 
@@ -79,54 +130,3 @@ val compute_vector_u (forall (i: nat). i < v v_K ==> Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index res i))) - -/// The following functions compute various expressions involving -/// vectors and matrices. The computation of these expressions has been -/// abstracted away into these functions in order to save on loop iterations. -/// Compute v − InverseNTT(sᵀ ◦ NTT(u)) -val compute_message - (v_K: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (secret_as_ntt u_as_ntt: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun res -> - let res:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = res in - let open Libcrux_ml_kem.Polynomial in - let secret_spec = to_spec_vector_t secret_as_ntt in - let u_spec = to_spec_vector_t u_as_ntt in - let v_spec = to_spec_poly_t v in - to_spec_poly_t res == - Spec.MLKEM.(poly_sub v_spec - (poly_inv_ntt (vector_dot_product_ntt #v_K secret_spec u_spec))) /\ - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range res) - -val sample_matrix_A - (v_K: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (v_A_transpose: - t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) - (seed: t_Array u8 (sz 34)) - (transpose: bool) - : Prims.Pure - (t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun v_A_transpose_future -> - let v_A_transpose_future:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - v_A_transpose_future - in - let matrix_A, valid = 
Spec.MLKEM.sample_matrix_A_ntt (Seq.slice seed 0 32) in - valid ==> - (if transpose - then Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == matrix_A - else - Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == - Spec.MLKEM.matrix_transpose matrix_A)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst index 14065e04f..257bb1029 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst @@ -14,26 +14,6 @@ let get_zeta (i: usize) = let _:Prims.unit = admit () (* Panic freedom *) in result -let impl_2__ZERO - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (_: Prims.unit) - = - { - f_coefficients - = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Vector.Traits.f_ZERO #v_Vector - #FStar.Tactics.Typeclasses.solve - () - <: - v_Vector) - (sz 16) - } - <: - t_PolynomialRingElement v_Vector - let impl_2__add_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -191,18 +171,17 @@ let impl_2__add_standard_error_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_2__add_to_ring_element +let impl_2__poly_barrett_reduce (#v_Vector: Type0) - (v_K: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self rhs: t_PolynomialRingElement v_Vector) + (self: t_PolynomialRingElement v_Vector) = let _:Prims.unit = admit () in let self:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_Vector (self.f_coefficients <: t_Slice v_Vector) <: usize) + v_VECTORS_IN_RING_ELEMENT (fun self temp_1_ -> let self:t_PolynomialRingElement v_Vector = self in let _:usize = temp_1_ in 
@@ -217,10 +196,9 @@ let impl_2__add_to_ring_element = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_coefficients i - (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector + (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector #FStar.Tactics.Typeclasses.solve (self.f_coefficients.[ i ] <: v_Vector) - (rhs.f_coefficients.[ i ] <: v_Vector) <: v_Vector) <: 
@@ -232,6 +210,76 @@ let impl_2__add_to_ring_element let hax_temp_output:Prims.unit = () <: Prims.unit in self +let impl_2__subtract_reduce + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self b: t_PolynomialRingElement v_Vector) + = + let _:Prims.unit = admit () in + let b:t_PolynomialRingElement v_Vector = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_VECTORS_IN_RING_ELEMENT + (fun b temp_1_ -> + let b:t_PolynomialRingElement v_Vector = b in + let _:usize = temp_1_ in + true) + b + (fun b i -> + let b:t_PolynomialRingElement v_Vector = b in + let i:usize = i in + let coefficient_normal_form:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_montgomery_multiply_by_constant #v_Vector + #FStar.Tactics.Typeclasses.solve + (b.f_coefficients.[ i ] <: v_Vector) + 1441s + in + let b:t_PolynomialRingElement v_Vector = + { + b with + f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize b.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector + #FStar.Tactics.Typeclasses.solve + (self.f_coefficients.[ i ] <: v_Vector) + coefficient_normal_form + <: + v_Vector) + <: + v_Vector) + } + <: + t_PolynomialRingElement v_Vector + in + b) + in + b + +let impl_2__ZERO + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (_: Prims.unit) + = + { + f_coefficients + = + Rust_primitives.Hax.repeat (Libcrux_ml_kem.Vector.Traits.f_ZERO #v_Vector + #FStar.Tactics.Typeclasses.solve + () + <: + v_Vector) + (sz 16) + } + <: + t_PolynomialRingElement v_Vector + let impl_2__from_i16_array (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -321,17 +369,18 @@ let impl_2__ntt_multiply in out -let impl_2__poly_barrett_reduce +let impl_2__add_to_ring_element (#v_Vector: Type0) + (v_K: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_PolynomialRingElement v_Vector) + (self rhs: t_PolynomialRingElement v_Vector) = let _:Prims.unit = admit () in let self:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) - v_VECTORS_IN_RING_ELEMENT + (Core.Slice.impl__len #v_Vector (self.f_coefficients <: t_Slice v_Vector) <: usize) (fun self temp_1_ -> let self:t_PolynomialRingElement v_Vector = self in let _:usize = temp_1_ in @@ -346,9 +395,10 @@ let impl_2__poly_barrett_reduce = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_coefficients i - (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector + (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector #FStar.Tactics.Typeclasses.solve (self.f_coefficients.[ i ] <: v_Vector) + (rhs.f_coefficients.[ i ] <: v_Vector) <: v_Vector) <: 
@@ -359,53 +409,3 @@ let impl_2__poly_barrett_reduce in let hax_temp_output:Prims.unit = () <: Prims.unit in self - -let impl_2__subtract_reduce - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self b: t_PolynomialRingElement v_Vector) - = - let _:Prims.unit = admit () in - let b:t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_range (sz 0) - v_VECTORS_IN_RING_ELEMENT - (fun b temp_1_ -> - let b:t_PolynomialRingElement v_Vector = b in - let _:usize = temp_1_ in - true) - b - (fun b i -> - let b:t_PolynomialRingElement v_Vector = b in - let i:usize = i in - let coefficient_normal_form:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_montgomery_multiply_by_constant #v_Vector - #FStar.Tactics.Typeclasses.solve - (b.f_coefficients.[ i ] <: v_Vector) - 1441s - in - let b:t_PolynomialRingElement v_Vector = - { - b with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize b.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector - #FStar.Tactics.Typeclasses.solve - (self.f_coefficients.[ i ] <: v_Vector) - coefficient_normal_form - <: - v_Vector) - <: - v_Vector) - } - <: - t_PolynomialRingElement v_Vector - in - b) - in - b diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti index ca8ac5ed8..7956d29e4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti 
@@ -37,10 +37,6 @@ val get_zeta (i: usize) let result:i16 = result in Spec.Utils.is_i16b 1664 result) -let v_VECTORS_IN_RING_ELEMENT: usize = - Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! - Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - type t_PolynomialRingElement (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} = { f_coefficients:t_Array v_Vector (sz 16) } @@ -60,11 +56,9 @@ let to_spec_matrix_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) (m:t_Array (t_Array (t_PolynomialRingElement v_Vector) r) r) : Spec.MLKEM.matrix r = createi r (fun i -> to_spec_vector_t #r #v_Vector (m.[i])) -val impl_2__ZERO: - #v_Vector: Type0 -> - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} -> - Prims.unit - -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) +let v_VECTORS_IN_RING_ELEMENT: usize = + Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! + Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR val impl_2__add_error_reduce (#v_Vector: Type0) 
@@ -84,15 +78,24 @@ val impl_2__add_standard_error_reduce (self error: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise -/// sum of their constituent coefficients. -val impl_2__add_to_ring_element +val impl_2__poly_barrett_reduce (#v_Vector: Type0) - (v_K: usize) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self rhs: t_PolynomialRingElement v_Vector) + (self: t_PolynomialRingElement v_Vector) + : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +val impl_2__subtract_reduce + (#v_Vector: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self b: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) +val impl_2__ZERO: + #v_Vector: Type0 -> + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} -> + Prims.unit + -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) + val impl_2__from_i16_array (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} 
@@ -128,14 +131,11 @@ val impl_2__ntt_multiply (self rhs: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__poly_barrett_reduce - (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_PolynomialRingElement v_Vector) - : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val impl_2__subtract_reduce +/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise +/// sum of their constituent coefficients. +val impl_2__add_to_ring_element (#v_Vector: Type0) + (v_K: usize) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self b: t_PolynomialRingElement v_Vector) + (self rhs: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst index 0ed1d6ebd..3f7e351d4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst 
@@ -144,6 +144,104 @@ let sample_from_uniform_distribution_next <: (t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) +#push-options "--admit_smt_queries true" + +let sample_from_xof + (v_K: usize) + (#v_Vector #v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (seeds: t_Array (t_Array u8 (sz 34)) v_K) + = + let (sampled_coefficients: t_Array usize v_K):t_Array usize v_K = + Rust_primitives.Hax.repeat (sz 0) v_K + in + let (out: t_Array (t_Array i16 (sz 272)) v_K):t_Array (t_Array i16 (sz 272)) v_K = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0s (sz 272) <: t_Array i16 (sz 272)) v_K + in + let xof_state:v_Hasher = + Libcrux_ml_kem.Hash_functions.f_shake128_init_absorb_final #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + seeds + in + let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 504)) v_K) = + Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_first_three_blocks #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + xof_state + in + let xof_state:v_Hasher = tmp0 in + let randomness:t_Array (t_Array u8 (sz 504)) v_K = out1 in + let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) = + sample_from_uniform_distribution_next #v_Vector v_K (sz 504) randomness sampled_coefficients out + in + let sampled_coefficients:t_Array usize v_K = tmp0 in + let out:t_Array (t_Array i16 (sz 272)) v_K = tmp1 in + let done:bool = out1 in + let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K & + t_Array usize v_K & + v_Hasher) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K & + t_Array usize v_K & + v_Hasher) = + temp_0_ + in + ~.done <: bool) + (done, out, sampled_coefficients, xof_state + <: + (bool & t_Array 
(t_Array i16 (sz 272)) v_K & t_Array usize v_K & v_Hasher)) + (fun temp_0_ -> + let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K & + t_Array usize v_K & + v_Hasher) = + temp_0_ + in + let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 168)) v_K) = + Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_next_block #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + xof_state + in + let xof_state:v_Hasher = tmp0 in + let randomness:t_Array (t_Array u8 (sz 168)) v_K = out1 in + let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) = + sample_from_uniform_distribution_next #v_Vector + v_K + (sz 168) + randomness + sampled_coefficients + out + in + let sampled_coefficients:t_Array usize v_K = tmp0 in + let out:t_Array (t_Array i16 (sz 272)) v_K = tmp1 in + let done:bool = out1 in + done, out, sampled_coefficients, xof_state + <: + (bool & t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K & v_Hasher)) + in + Core.Array.impl_23__map #(t_Array i16 (sz 272)) + v_K + #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + out + (fun s -> + let s:t_Array i16 (sz 272) = s in + Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector + (s.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 256 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + +#pop-options + #push-options "--z3rlimit 800" let sample_from_binomial_distribution_2_ 
@@ -324,101 +422,3 @@ let sample_from_binomial_distribution <: Rust_primitives.Hax.t_Never) - -#push-options "--admit_smt_queries true" - -let sample_from_xof - (v_K: usize) - (#v_Vector #v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (seeds: t_Array (t_Array u8 (sz 34)) v_K) - = - let (sampled_coefficients: t_Array usize v_K):t_Array usize v_K = - Rust_primitives.Hax.repeat (sz 0) v_K - in - let (out: t_Array (t_Array i16 (sz 272)) v_K):t_Array (t_Array i16 (sz 272)) v_K = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0s (sz 272) <: t_Array i16 (sz 272)) v_K - in - let xof_state:v_Hasher = - Libcrux_ml_kem.Hash_functions.f_shake128_init_absorb_final #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - seeds - in - let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 504)) v_K) = - Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_first_three_blocks #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - xof_state - in - let xof_state:v_Hasher = tmp0 in - let randomness:t_Array (t_Array u8 (sz 504)) v_K = out1 in - let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) = - sample_from_uniform_distribution_next #v_Vector v_K (sz 504) randomness sampled_coefficients out - in - let sampled_coefficients:t_Array usize v_K = tmp0 in - let out:t_Array (t_Array i16 (sz 272)) v_K = tmp1 in - let done:bool = out1 in - let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K & - t_Array usize v_K & - v_Hasher) = - Rust_primitives.f_while_loop (fun temp_0_ -> - let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K & - t_Array usize v_K & - v_Hasher) = - temp_0_ - in - ~.done <: bool) - (done, out, sampled_coefficients, xof_state - <: - (bool & t_Array (t_Array i16 (sz 272)) v_K & t_Array usize 
v_K & v_Hasher)) - (fun temp_0_ -> - let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K & - t_Array usize v_K & - v_Hasher) = - temp_0_ - in - let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 168)) v_K) = - Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_next_block #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - xof_state - in - let xof_state:v_Hasher = tmp0 in - let randomness:t_Array (t_Array u8 (sz 168)) v_K = out1 in - let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) = - sample_from_uniform_distribution_next #v_Vector - v_K - (sz 168) - randomness - sampled_coefficients - out - in - let sampled_coefficients:t_Array usize v_K = tmp0 in - let out:t_Array (t_Array i16 (sz 272)) v_K = tmp1 in - let done:bool = out1 in - done, out, sampled_coefficients, xof_state - <: - (bool & t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K & v_Hasher)) - in - Core.Array.impl_23__map #(t_Array i16 (sz 272)) - v_K - #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - out - (fun s -> - let s:t_Array i16 (sz 272) = s in - Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector - (s.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 256 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - -#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti index 8d7df649d..7864f558f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti 
@@ -54,6 +54,16 @@ val sample_from_uniform_distribution_next Prims.l_True (fun _ -> Prims.l_True) +val sample_from_xof + (v_K: usize) + (#v_Vector #v_Hasher: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (seeds: t_Array (t_Array u8 (sz 34)) v_K) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + Prims.l_True + (fun _ -> Prims.l_True) + /// Given a series of uniformly random bytes in `randomness`, for some number `eta`, /// the `sample_from_binomial_distribution_{eta}` functions sample /// a ring element from a binomial distribution centered at 0 that uses two sets @@ -118,13 +128,3 @@ val sample_from_binomial_distribution (v_ETA =. sz 2 || v_ETA =. sz 3) && (Core.Slice.impl__len #u8 randomness <: usize) =. (v_ETA *! sz 64 <: usize)) (fun _ -> Prims.l_True) - -val sample_from_xof - (v_K: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (seeds: t_Array (t_Array u8 (sz 34)) v_K) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst index 3d527ad48..99fd067a1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst 
@@ -21,401 +21,259 @@ let to_unsigned_field_modulus let _:Prims.unit = admit () (* Panic freedom *) in result -let compress_then_serialize_10_ - (v_OUT_LEN: usize) +let deserialize_then_decompress_11_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (serialized: t_Slice u8) = - let _:Prims.unit = assert_norm (pow2 10 == 1024) in - let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Folds.fold_range (sz 0) - Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized i -> - let serialized:t_Array u8 v_OUT_LEN = serialized in - let i:usize = i in - v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re) - serialized - (fun serialized i -> - let serialized:t_Array u8 v_OUT_LEN = serialized in - let i:usize = i in - let _:Prims.unit = assert (20 * v i + 20 <= 320) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in - let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector - #FStar.Tactics.Typeclasses.solve - 10l - (to_unsigned_field_modulus #v_Vector - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) - <: - v_Vector) - in - let bytes:t_Array u8 (sz 20) = - Libcrux_ml_kem.Vector.Traits.f_serialize_10_ #v_Vector - #FStar.Tactics.Typeclasses.solve - coefficient - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = sz 20 *! i <: usize; - Core.Ops.Range.f_end = (sz 20 *! i <: usize) +! sz 20 <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = sz 20 *! i <: usize; - Core.Ops.Range.f_end = (sz 20 *! i <: usize) +! 
sz 20 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (bytes <: t_Slice u8) - <: - t_Slice u8) - in - serialized) + let _:Prims.unit = + assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352) in - let result:t_Array u8 v_OUT_LEN = serialized in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -#push-options "--admit_smt_queries true" - -let compress_then_serialize_11_ - (v_OUT_LEN: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - = - let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Folds.fold_range (sz 0) - Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUT_LEN = serialized in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 22) + serialized + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let _:usize = temp_1_ in true) - serialized - (fun serialized i -> - let serialized:t_Array u8 v_OUT_LEN = serialized in - let i:usize = i in + re + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let i, bytes:(usize & t_Slice u8) = temp_1_ in let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector - #FStar.Tactics.Typeclasses.solve - 11l - (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) - <: - v_Vector) - in - let bytes:t_Array u8 (sz 22) = - Libcrux_ml_kem.Vector.Traits.f_serialize_11_ 
#v_Vector + Libcrux_ml_kem.Vector.Traits.f_deserialize_11_ #v_Vector #FStar.Tactics.Typeclasses.solve - coefficient + bytes in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = sz 22 *! i <: usize; - Core.Ops.Range.f_end = (sz 22 *! i <: usize) +! sz 22 <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = sz 22 *! i <: usize; - Core.Ops.Range.f_end = (sz 22 *! i <: usize) +! sz 22 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (bytes <: t_Slice u8) - <: - t_Slice u8) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector + #FStar.Tactics.Typeclasses.solve + 11l + coefficient + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in - serialized) + re) in - serialized - -#pop-options + re -let compress_then_serialize_4_ +let deserialize_then_decompress_4_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = assert_norm (pow2 4 == 16) in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Folds.fold_range (sz 0) - Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized i -> - let serialized:t_Slice u8 = serialized in - let i:usize = i in - v i >= 0 /\ v i <= 16 /\ v i < 16 ==> - (Seq.length serialized == 128 /\ coefficients_field_modulus_range re)) + let _:Prims.unit = + assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! 
sz 8) == 128) + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 8) serialized - (fun serialized i -> - let serialized:t_Slice u8 = serialized in - let i:usize = i in - let _:Prims.unit = assert (8 * v i + 8 <= 128) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:usize = temp_1_ in + true) + re + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let i, bytes:(usize & t_Slice u8) = temp_1_ in let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector - #FStar.Tactics.Typeclasses.solve - 4l - (to_unsigned_field_modulus #v_Vector - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) - <: - v_Vector) - in - let bytes:t_Array u8 (sz 8) = - Libcrux_ml_kem.Vector.Traits.f_serialize_4_ #v_Vector + Libcrux_ml_kem.Vector.Traits.f_deserialize_4_ #v_Vector #FStar.Tactics.Typeclasses.solve - coefficient + bytes in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = sz 8 *! i <: usize; - Core.Ops.Range.f_end = (sz 8 *! i <: usize) +! sz 8 <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = sz 8 *! i <: usize; - Core.Ops.Range.f_end = (sz 8 *! i <: usize) +! 
sz 8 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (bytes <: t_Slice u8) - <: - t_Slice u8) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector + #FStar.Tactics.Typeclasses.solve + 4l + coefficient + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in - serialized) + re) in - let result:Prims.unit = () <: Prims.unit in - let _:Prims.unit = admit () (* Panic freedom *) in - let hax_temp_output:Prims.unit = result in - serialized - -#push-options "--admit_smt_queries true" + re -let compress_then_serialize_5_ +let deserialize_then_decompress_5_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) = - let serialized:t_Slice u8 = - Rust_primitives.Hax.Folds.fold_range (sz 0) - Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in + let _:Prims.unit = + assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! 
sz 8) == 160) + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 10) + serialized + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let _:usize = temp_1_ in true) - serialized - (fun serialized i -> - let serialized:t_Slice u8 = serialized in - let i:usize = i in - let coefficients:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector - #FStar.Tactics.Typeclasses.solve - 5l - (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) - <: - v_Vector) - in - let bytes:t_Array u8 (sz 10) = - Libcrux_ml_kem.Vector.Traits.f_serialize_5_ #v_Vector - #FStar.Tactics.Typeclasses.solve - coefficients + re + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_deserialize_5_ #v_Vector + #FStar.Tactics.Typeclasses.solve + bytes + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = sz 10 *! i <: usize; - Core.Ops.Range.f_end = (sz 10 *! i <: usize) +! sz 10 <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = sz 10 *! i <: usize; - Core.Ops.Range.f_end = (sz 10 *! i <: usize) +! 
sz 10 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (bytes <: t_Slice u8) - <: - t_Slice u8) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector + #FStar.Tactics.Typeclasses.solve + 5l + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in - serialized) + re) in - let hax_temp_output:Prims.unit = () <: Prims.unit in - serialized - -#pop-options + re -let compress_then_serialize_message +let deserialize_then_decompress_message (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (serialized: t_Array u8 (sz 32)) = - let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let serialized:t_Array u8 (sz 32) = + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun serialized i -> - let serialized:t_Array u8 (sz 32) = serialized in - let i:usize = i in - v i < 16 ==> coefficients_field_modulus_range re) - serialized - (fun serialized i -> - let serialized:t_Array u8 (sz 32) = serialized in + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:usize = temp_1_ in + true) + re + (fun re i -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let i:usize = i in - let _:Prims.unit = assert (2 * v i + 2 <= 32) in - let _:Prims.unit = - reveal_opaque 
(`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in - let coefficient:v_Vector = - to_unsigned_field_modulus #v_Vector - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) - in let coefficient_compressed:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_compress_1_ #v_Vector - #FStar.Tactics.Typeclasses.solve - coefficient - in - let bytes:t_Array u8 (sz 2) = - Libcrux_ml_kem.Vector.Traits.f_serialize_1_ #v_Vector + Libcrux_ml_kem.Vector.Traits.f_deserialize_1_ #v_Vector #FStar.Tactics.Typeclasses.solve - coefficient_compressed - in - let serialized:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = sz 2 *! i <: usize; - Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = sz 2 *! i <: usize; - Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (bytes <: t_Slice u8) + (serialized.[ { + Core.Ops.Range.f_start = sz 2 *! i <: usize; + Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! 
sz 2 <: usize + } + <: + Core.Ops.Range.t_Range usize ] <: t_Slice u8) in - serialized) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.decompress_1_ #v_Vector coefficient_compressed + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + re) in - let result:t_Array u8 (sz 32) = serialized in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let _:Prims.unit = admit () (* Panic freedom *) in result -let compress_then_serialize_ring_element_u - (v_COMPRESSION_FACTOR v_OUT_LEN: usize) +let deserialize_then_decompress_ring_element_v + (v_COMPRESSION_FACTOR: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (serialized: t_Slice u8) = let _:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 11)); - Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR) + assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/ + (v (cast v_COMPRESSION_FACTOR <: u32) == 5)) in match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with - | 10ul -> compress_then_serialize_10_ v_OUT_LEN #v_Vector re - | 11ul -> compress_then_serialize_11_ v_OUT_LEN #v_Vector re + | 4ul -> deserialize_then_decompress_4_ #v_Vector serialized + | 5ul -> deserialize_then_decompress_5_ #v_Vector serialized | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" <: Rust_primitives.Hax.t_Never) -let compress_then_serialize_ring_element_v - (v_COMPRESSION_FACTOR v_OUT_LEN: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: 
- Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (out: t_Slice u8) - = - let _:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 5)); - Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR) - in - let out, hax_temp_output:(t_Slice u8 & Prims.unit) = - match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with - | 4ul -> compress_then_serialize_4_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit) - | 5ul -> compress_then_serialize_5_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit) - | _ -> - out, - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - <: - (t_Slice u8 & Prims.unit) - in - out - -let deserialize_then_decompress_10_ +let deserialize_to_reduced_ring_element (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! sz 8) == 320) - in + let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in - let v__coefficients_length:usize = - Core.Slice.impl__len #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients <: t_Slice v_Vector) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 20) + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) serialized (fun re temp_1_ -> let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in 
@@ -426,7 +284,7 @@ let deserialize_then_decompress_10_ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let i, bytes:(usize & t_Slice u8) = temp_1_ in let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #v_Vector + Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector #FStar.Tactics.Typeclasses.solve bytes in @@ -438,9 +296,8 @@ let deserialize_then_decompress_10_ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_kem.Polynomial.f_coefficients i - (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector + (Libcrux_ml_kem.Vector.Traits.f_cond_subtract_3329_ #v_Vector #FStar.Tactics.Typeclasses.solve - 10l coefficient <: v_Vector) 
@@ -450,74 +307,86 @@ let deserialize_then_decompress_10_ in re) in - re + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:Prims.unit = admit () (* Panic freedom *) in + result -let deserialize_then_decompress_11_ +let deserialize_ring_elements_reduced + (v_K: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) + (public_key: t_Slice u8) + (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352) - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 22) - serialized - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT + public_key + (fun deserialized_pk temp_1_ -> + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K = + deserialized_pk + in let _:usize = temp_1_ in true) - re - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_11_ #v_Vector - #FStar.Tactics.Typeclasses.solve - bytes - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - 
.Libcrux_ml_kem.Polynomial.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector - #FStar.Tactics.Typeclasses.solve - 11l - coefficient - <: - v_Vector) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + deserialized_pk + (fun deserialized_pk temp_1_ -> + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K = + deserialized_pk in - re) + let i, ring_element:(usize & t_Slice u8) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_pk + i + (deserialize_to_reduced_ring_element #v_Vector ring_element + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) in - re + let hax_temp_output:Prims.unit = () <: Prims.unit in + deserialized_pk -let deserialize_then_decompress_4_ +let deserialize_ring_elements_reduced_out + (v_K: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) + (public_key: t_Slice u8) = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! 
sz 8) == 128) + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + (fun v__i -> + let v__i:usize = v__i in + Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialize_ring_elements_reduced v_K #v_Vector public_key deserialized_pk + in + let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialized_pk in + let _:Prims.unit = admit () (* Panic freedom *) in + result + +let deserialize_to_uncompressed_ring_element + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (serialized: t_Slice u8) + = + let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 8) + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) serialized (fun re temp_1_ -> let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in 
@@ -527,205 +396,421 @@ let deserialize_then_decompress_4_ (fun re temp_1_ -> let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let i, bytes:(usize & t_Slice u8) = temp_1_ in + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector + #FStar.Tactics.Typeclasses.solve + bytes + <: + v_Vector) + <: + t_Array v_Vector (sz 16) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + re + +let compress_then_serialize_10_ + (v_OUT_LEN: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + = + let _:Prims.unit = assert_norm (pow2 10 == 1024) in + let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in + let serialized:t_Array u8 v_OUT_LEN = + Rust_primitives.Hax.Folds.fold_range (sz 0) + Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT + (fun serialized i -> + let serialized:t_Array u8 v_OUT_LEN = serialized in + let i:usize = i in + v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re) + serialized + (fun serialized i -> + let serialized:t_Array u8 v_OUT_LEN = serialized in + let i:usize = i in + let _:Prims.unit = assert (20 * v i + 20 <= 320) in + let _:Prims.unit = + reveal_opaque (`%coefficients_field_modulus_range) + (coefficients_field_modulus_range #v_Vector) + in let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_4_ #v_Vector + Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector #FStar.Tactics.Typeclasses.solve - bytes + 10l + (to_unsigned_field_modulus #v_Vector + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) + <: + v_Vector) in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - { - re with - 
Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector - #FStar.Tactics.Typeclasses.solve - 4l - coefficient - <: - v_Vector) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + let bytes:t_Array u8 (sz 20) = + Libcrux_ml_kem.Vector.Traits.f_serialize_10_ #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficient in - re) + let serialized:t_Array u8 v_OUT_LEN = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 20 *! i <: usize; + Core.Ops.Range.f_end = (sz 20 *! i <: usize) +! sz 20 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = sz 20 *! i <: usize; + Core.Ops.Range.f_end = (sz 20 *! i <: usize) +! sz 20 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (bytes <: t_Slice u8) + <: + t_Slice u8) + in + serialized) in - re + let result:t_Array u8 v_OUT_LEN = serialized in + let _:Prims.unit = admit () (* Panic freedom *) in + result -let deserialize_then_decompress_5_ +#push-options "--admit_smt_queries true" + +let compress_then_serialize_11_ + (v_OUT_LEN: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! 
sz 8) == 160) - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in + let serialized:t_Array u8 v_OUT_LEN = + Rust_primitives.Hax.Folds.fold_range (sz 0) + Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUT_LEN = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized i -> + let serialized:t_Array u8 v_OUT_LEN = serialized in + let i:usize = i in + let coefficient:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector + #FStar.Tactics.Typeclasses.solve + 11l + (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) + <: + v_Vector) + in + let bytes:t_Array u8 (sz 22) = + Libcrux_ml_kem.Vector.Traits.f_serialize_11_ #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficient + in + let serialized:t_Array u8 v_OUT_LEN = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 22 *! i <: usize; + Core.Ops.Range.f_end = (sz 22 *! i <: usize) +! sz 22 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = sz 22 *! i <: usize; + Core.Ops.Range.f_end = (sz 22 *! i <: usize) +! 
sz 22 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (bytes <: t_Slice u8) + <: + t_Slice u8) + in + serialized) in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 10) + serialized + +#pop-options + +let compress_then_serialize_4_ + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (serialized: t_Slice u8) + = + let _:Prims.unit = assert_norm (pow2 4 == 16) in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_range (sz 0) + Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT + (fun serialized i -> + let serialized:t_Slice u8 = serialized in + let i:usize = i in + v i >= 0 /\ v i <= 16 /\ v i < 16 ==> + (Seq.length serialized == 128 /\ coefficients_field_modulus_range re)) serialized - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + (fun serialized i -> + let serialized:t_Slice u8 = serialized in + let i:usize = i in + let _:Prims.unit = assert (8 * v i + 8 <= 128) in + let _:Prims.unit = + reveal_opaque (`%coefficients_field_modulus_range) + (coefficients_field_modulus_range #v_Vector) + in + let coefficient:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector + #FStar.Tactics.Typeclasses.solve + 4l + (to_unsigned_field_modulus #v_Vector + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) + <: + v_Vector) + in + let bytes:t_Array u8 (sz 8) = + Libcrux_ml_kem.Vector.Traits.f_serialize_4_ #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficient + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 8 *! i <: usize; + Core.Ops.Range.f_end = (sz 8 *! i <: usize) +! 
sz 8 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = sz 8 *! i <: usize; + Core.Ops.Range.f_end = (sz 8 *! i <: usize) +! sz 8 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (bytes <: t_Slice u8) + <: + t_Slice u8) + in + serialized) + in + let result:Prims.unit = () <: Prims.unit in + let _:Prims.unit = admit () (* Panic freedom *) in + let hax_temp_output:Prims.unit = result in + serialized + +#push-options "--admit_smt_queries true" + +let compress_then_serialize_5_ + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (serialized: t_Slice u8) + = + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_range (sz 0) + Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in true) - re - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_deserialize_5_ #v_Vector - #FStar.Tactics.Typeclasses.solve - bytes - <: - v_Vector) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + serialized + (fun serialized i -> + let serialized:t_Slice u8 = serialized in + let i:usize = i in + let coefficients:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector + #FStar.Tactics.Typeclasses.solve + 5l + (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) + <: + 
v_Vector) in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector - #FStar.Tactics.Typeclasses.solve - 5l - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) - <: - v_Vector) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + let bytes:t_Array u8 (sz 10) = + Libcrux_ml_kem.Vector.Traits.f_serialize_5_ #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficients in - re) + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 10 *! i <: usize; + Core.Ops.Range.f_end = (sz 10 *! i <: usize) +! sz 10 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = sz 10 *! i <: usize; + Core.Ops.Range.f_end = (sz 10 *! i <: usize) +! 
sz 10 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (bytes <: t_Slice u8) + <: + t_Slice u8) + in + serialized) in - re + let hax_temp_output:Prims.unit = () <: Prims.unit in + serialized -let deserialize_then_decompress_message +#pop-options + +let compress_then_serialize_message (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Array u8 (sz 32)) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let _:usize = temp_1_ in - true) - re - (fun re i -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + (fun serialized i -> + let serialized:t_Array u8 (sz 32) = serialized in + let i:usize = i in + v i < 16 ==> coefficients_field_modulus_range re) + serialized + (fun serialized i -> + let serialized:t_Array u8 (sz 32) = serialized in let i:usize = i in + let _:Prims.unit = assert (2 * v i + 2 <= 32) in + let _:Prims.unit = + reveal_opaque (`%coefficients_field_modulus_range) + (coefficients_field_modulus_range #v_Vector) + in + let coefficient:v_Vector = + to_unsigned_field_modulus #v_Vector + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) + in let coefficient_compressed:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_1_ #v_Vector + Libcrux_ml_kem.Vector.Traits.f_compress_1_ #v_Vector #FStar.Tactics.Typeclasses.solve - (serialized.[ { - Core.Ops.Range.f_start = sz 2 *! i <: usize; - Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! 
sz 2 <: usize - } - <: - Core.Ops.Range.t_Range usize ] + coefficient + in + let bytes:t_Array u8 (sz 2) = + Libcrux_ml_kem.Vector.Traits.f_serialize_1_ #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficient_compressed + in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 2 *! i <: usize; + Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = sz 2 *! i <: usize; + Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (bytes <: t_Slice u8) <: t_Slice u8) in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.decompress_1_ #v_Vector coefficient_compressed - <: - v_Vector) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector - in - re) + serialized) in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let result:t_Array u8 (sz 32) = serialized in let _:Prims.unit = admit () (* Panic freedom *) in result -let deserialize_then_decompress_ring_element_u - (v_COMPRESSION_FACTOR: usize) +let compress_then_serialize_ring_element_u + (v_COMPRESSION_FACTOR v_OUT_LEN: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = let _:Prims.unit = assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 11)) + (v (cast v_COMPRESSION_FACTOR <: u32) == 11)); + Rust_primitives.Integers.mk_int_equiv_lemma 
#usize_inttype (v v_COMPRESSION_FACTOR) in match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with - | 10ul -> deserialize_then_decompress_10_ #v_Vector serialized - | 11ul -> deserialize_then_decompress_11_ #v_Vector serialized + | 10ul -> compress_then_serialize_10_ v_OUT_LEN #v_Vector re + | 11ul -> compress_then_serialize_11_ v_OUT_LEN #v_Vector re | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" <: Rust_primitives.Hax.t_Never) -let deserialize_then_decompress_ring_element_v - (v_COMPRESSION_FACTOR: usize) +let compress_then_serialize_ring_element_v + (v_COMPRESSION_FACTOR v_OUT_LEN: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (out: t_Slice u8) = let _:Prims.unit = assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 5)) + (v (cast v_COMPRESSION_FACTOR <: u32) == 5)); + Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR) in - match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with - | 4ul -> deserialize_then_decompress_4_ #v_Vector serialized - | 5ul -> deserialize_then_decompress_5_ #v_Vector serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + let out, hax_temp_output:(t_Slice u8 & Prims.unit) = + match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with + | 4ul -> compress_then_serialize_4_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit) + | 5ul -> compress_then_serialize_5_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit) + | _ -> + out, + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - <: - Rust_primitives.Hax.t_Never) + <: + Rust_primitives.Hax.t_Never) + <: + (t_Slice u8 & Prims.unit) + in + out -let 
deserialize_to_reduced_ring_element +let deserialize_then_decompress_10_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in + let _:Prims.unit = + assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! sz 8) == 320) + in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () in + let v__coefficients_length:usize = + Core.Slice.impl__len #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients <: t_Slice v_Vector) + in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 20) serialized (fun re temp_1_ -> let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in @@ -736,7 +821,7 @@ let deserialize_to_reduced_ring_element let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let i, bytes:(usize & t_Slice u8) = temp_1_ in let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector + Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #v_Vector #FStar.Tactics.Typeclasses.solve bytes in @@ -748,8 +833,9 @@ let deserialize_to_reduced_ring_element Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_kem.Polynomial.f_coefficients i - (Libcrux_ml_kem.Vector.Traits.f_cond_subtract_3329_ #v_Vector + (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector #FStar.Tactics.Typeclasses.solve + 10l coefficient <: v_Vector) 
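Review bot: The 11-bit and 5-bit serializers in this hunk, `compress_then_serialize_11_` and `compress_then_serialize_5_`, sit between `#push-options "--admit_smt_queries true"` and `#pop-options`, so unlike `compress_then_serialize_10_` and `compress_then_serialize_4_` nothing about them is actually checked: their loop invariant is literally `true`, there is no `assert (22 * v i + 22 <= 352)` / `assert (10 * v i + 10 <= 160)` bound on the `update_at_range` slice, and the input is normalised with `to_unsigned_representative` instead of `to_unsigned_field_modulus` under the `coefficients_field_modulus_range re` precondition the 10/4 variants require. The dispatchers `compress_then_serialize_ring_element_u` / `_v` visibly accept factors 10 or 11 and 4 or 5, so the admitted pair covers what appear to be the larger-parameter (ML-KEM-1024-style) paths, leaving verification of the ciphertext serializers asymmetric across parameter sets; the `admit () (* Panic freedom *)` in the 10/4/message variants likewise leaves the bounds above as the only panic-freedom evidence. This looks pre-existing and merely moved by this wip reorder rather than introduced here, and since the file is hax output the change belongs in the Rust source: drop the option that emits `--admit_smt_queries true` for the 11/5 functions and give them the same `coefficients_field_modulus_range`/`to_unsigned_field_modulus` precondition, `reveal_opaque`, and per-iteration `assert` annotations the 10/4 variants carry, so the `.fsti` contract for `compress_then_serialize_11_` (currently `Prims.l_True`) matches what the dispatcher already demands. `deserialize_to_uncompressed_ring_element` at the top of the hunk begins outside it, and `deserialize_then_decompress_10_` at the bottom continues past it.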
@@ -759,114 +845,28 @@ let deserialize_to_reduced_ring_element in re) in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -let deserialize_ring_elements_reduced - (v_K: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (public_key: t_Slice u8) - (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - = - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT - public_key - (fun deserialized_pk temp_1_ -> - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K = - deserialized_pk - in - let _:usize = temp_1_ in - true) - deserialized_pk - (fun deserialized_pk temp_1_ -> - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K = - deserialized_pk - in - let i, ring_element:(usize & t_Slice u8) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_pk - i - (deserialize_to_reduced_ring_element #v_Vector ring_element - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - in - let hax_temp_output:Prims.unit = () <: Prims.unit in - deserialized_pk - -let deserialize_ring_elements_reduced_out - (v_K: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (public_key: t_Slice u8) - = - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun v__i -> - let v__i:usize = v__i in - 
Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialize_ring_elements_reduced v_K #v_Vector public_key deserialized_pk - in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialized_pk - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + re -let deserialize_to_uncompressed_ring_element +let deserialize_then_decompress_ring_element_u + (v_COMPRESSION_FACTOR: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) - serialized - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let _:usize = temp_1_ in - true) - re - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector - #FStar.Tactics.Typeclasses.solve - bytes - <: - v_Vector) - <: - t_Array v_Vector (sz 16) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + let _:Prims.unit = + assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/ + (v (cast v_COMPRESSION_FACTOR <: u32) == 11)) in - re + match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with + 
| 10ul -> deserialize_then_decompress_10_ #v_Vector serialized + | 11ul -> deserialize_then_decompress_11_ #v_Vector serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) let serialize_uncompressed_ring_element (#v_Vector: Type0) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti index 129fd3ced..6b109d8e0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti 
@@ -38,89 +38,6 @@ val to_unsigned_field_modulus v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) < v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) -val compress_then_serialize_10_ - (v_OUT_LEN: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) - (requires v v_OUT_LEN == 320 /\ coefficients_field_modulus_range re) - (fun _ -> Prims.l_True) - -val compress_then_serialize_11_ - (v_OUT_LEN: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) - -val compress_then_serialize_4_ - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) - (requires Seq.length serialized == 128 /\ coefficients_field_modulus_range re) - (ensures - fun serialized_future -> - let serialized_future:t_Slice u8 = serialized_future in - Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized) - -val compress_then_serialize_5_ - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. 
sz 160) - (ensures - fun serialized_future -> - let serialized_future:t_Slice u8 = serialized_future in - Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized) - -val compress_then_serialize_message - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 (sz 32)) - (requires coefficients_field_modulus_range re) - (fun _ -> Prims.l_True) - -val compress_then_serialize_ring_element_u - (v_COMPRESSION_FACTOR v_OUT_LEN: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) - (requires - (v v_COMPRESSION_FACTOR == 10 \/ v v_COMPRESSION_FACTOR == 11) /\ - v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\ coefficients_field_modulus_range re) - (fun _ -> Prims.l_True) - -val compress_then_serialize_ring_element_v - (v_COMPRESSION_FACTOR v_OUT_LEN: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (out: t_Slice u8) - : Prims.Pure (t_Slice u8) - (requires - (v v_COMPRESSION_FACTOR == 4 \/ v v_COMPRESSION_FACTOR == 5) /\ - v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\ Seq.length out == v v_OUT_LEN /\ - coefficients_field_modulus_range re) - (ensures - fun out_future -> - let out_future:t_Slice u8 = out_future in - Core.Slice.impl__len #u8 out_future == Core.Slice.impl__len #u8 out) - -val deserialize_then_decompress_10_ - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (serialized: t_Slice u8) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. 
sz 320) - (fun _ -> Prims.l_True) - val deserialize_then_decompress_11_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} @@ -153,17 +70,6 @@ val deserialize_then_decompress_message Prims.l_True (fun _ -> Prims.l_True) -val deserialize_then_decompress_ring_element_u - (v_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (serialized: t_Slice u8) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - (v_COMPRESSION_FACTOR =. sz 10 || v_COMPRESSION_FACTOR =. sz 11) && - (Core.Slice.impl__len #u8 serialized <: usize) =. (sz 32 *! v_COMPRESSION_FACTOR <: usize)) - (fun _ -> Prims.l_True) - val deserialize_then_decompress_ring_element_v (v_COMPRESSION_FACTOR: usize) (#v_Vector: Type0) 
@@ -229,6 +135,100 @@ val deserialize_to_uncompressed_ring_element Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) (fun _ -> Prims.l_True) +val compress_then_serialize_10_ + (v_OUT_LEN: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + : Prims.Pure (t_Array u8 v_OUT_LEN) + (requires v v_OUT_LEN == 320 /\ coefficients_field_modulus_range re) + (fun _ -> Prims.l_True) + +val compress_then_serialize_11_ + (v_OUT_LEN: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + +val compress_then_serialize_4_ + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) + (requires Seq.length serialized == 128 /\ coefficients_field_modulus_range re) + (ensures + fun serialized_future -> + let serialized_future:t_Slice u8 = serialized_future in + Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized) + +val compress_then_serialize_5_ + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) + (requires (Core.Slice.impl__len #u8 serialized <: usize) =. 
sz 160) + (ensures + fun serialized_future -> + let serialized_future:t_Slice u8 = serialized_future in + Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized) + +val compress_then_serialize_message + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + : Prims.Pure (t_Array u8 (sz 32)) + (requires coefficients_field_modulus_range re) + (fun _ -> Prims.l_True) + +val compress_then_serialize_ring_element_u + (v_COMPRESSION_FACTOR v_OUT_LEN: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + : Prims.Pure (t_Array u8 v_OUT_LEN) + (requires + (v v_COMPRESSION_FACTOR == 10 \/ v v_COMPRESSION_FACTOR == 11) /\ + v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\ coefficients_field_modulus_range re) + (fun _ -> Prims.l_True) + +val compress_then_serialize_ring_element_v + (v_COMPRESSION_FACTOR v_OUT_LEN: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (out: t_Slice u8) + : Prims.Pure (t_Slice u8) + (requires + (v v_COMPRESSION_FACTOR == 4 \/ v v_COMPRESSION_FACTOR == 5) /\ + v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\ Seq.length out == v v_OUT_LEN /\ + coefficients_field_modulus_range re) + (ensures + fun out_future -> + let out_future:t_Slice u8 = out_future in + Core.Slice.impl__len #u8 out_future == Core.Slice.impl__len #u8 out) + +val deserialize_then_decompress_10_ + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (requires (Core.Slice.impl__len #u8 serialized <: usize) =. 
sz 320) + (fun _ -> Prims.l_True) + +val deserialize_then_decompress_ring_element_u + (v_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (requires + (v_COMPRESSION_FACTOR =. sz 10 || v_COMPRESSION_FACTOR =. sz 11) && + (Core.Slice.impl__len #u8 serialized <: usize) =. (sz 32 *! v_COMPRESSION_FACTOR <: usize)) + (fun _ -> Prims.l_True) + val serialize_uncompressed_ring_element (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti index 4435312b0..ca59dbe5c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti 
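Review bot: The contracts on the moved `compress_then_serialize_*` declarations are not uniform: `compress_then_serialize_10_` requires `v v_OUT_LEN == 320 /\ coefficients_field_modulus_range re`, but `compress_then_serialize_11_` is declared with `Prims.l_True` for both requires and ensures, and `compress_then_serialize_5_` requires only the 160-byte length while `compress_then_serialize_4_` also requires `coefficients_field_modulus_range re`. The callers `compress_then_serialize_ring_element_u` / `_v` require the coefficient-range fact for both compression factors, so for 11 and 5 that hypothesis is never consumed by the callee's contract, and presumably those two paths are still admitted rather than proven panic-free. Since this file is hax output, the fix belongs on the Rust side, e.g. a `hax_lib::requires` on `compress_then_serialize_11` mirroring the one on `compress_then_serialize_10` (`v_OUT_LEN == 352 /\ coefficients_field_modulus_range re`), and likewise for the 5-bit case.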
@@ -18,25 +18,6 @@ val impl_20__len: v_SIZE: usize -> Prims.unit ///An ML-KEM Ciphertext type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) = - { - f_default_pre = (fun (_: Prims.unit) -> true); - f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true); - f_default - = - fun (_: Prims.unit) -> - { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) = - { - f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true); - f_as_ref_post = (fun (self: t_MlKemCiphertext v_SIZE) (out: t_Slice u8) -> true); - f_as_ref = fun (self: t_MlKemCiphertext v_SIZE) -> self.f_value <: t_Slice u8 - } - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = { 
@@ -78,25 +59,6 @@ val impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) ///An ML-KEM Private key type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) = - { - f_default_pre = (fun (_: Prims.unit) -> true); - f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true); - f_default - = - fun (_: Prims.unit) -> - { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_8 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = - { - f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true); - f_as_ref_post = (fun (self: t_MlKemPrivateKey v_SIZE) (out: t_Slice u8) -> true); - f_as_ref = fun (self: t_MlKemPrivateKey v_SIZE) -> self.f_value <: t_Slice u8 - } - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = { 
@@ -138,25 +100,6 @@ val impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) ///An ML-KEM Public key type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) = - { - f_default_pre = (fun (_: Prims.unit) -> true); - f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true); - f_default - = - fun (_: Prims.unit) -> - { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_15 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) = - { - f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true); - f_as_ref_post = (fun (self: t_MlKemPublicKey v_SIZE) (out: t_Slice u8) -> true); - f_as_ref = fun (self: t_MlKemPublicKey v_SIZE) -> self.f_value <: t_Slice u8 - } - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = { 
@@ -195,6 +138,122 @@ val impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) let result:t_Array u8 v_SIZE = result in result == self.f_value) +/// An ML-KEM key pair +type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { + f_sk:t_MlKemPrivateKey v_PRIVATE_KEY_SIZE; + f_pk:t_MlKemPublicKey v_PUBLIC_KEY_SIZE +} + +/// Create a new [`MlKemKeyPair`] from the secret and public key. +val impl_21__from + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) + (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + Prims.l_True + (ensures + fun result -> + let result:t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = result in + result.f_sk == sk /\ result.f_pk == pk) + +/// Separate this key into the public and private key. +val impl_21__into_parts + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Creates a new [`MlKemKeyPair`]. +val impl_21__new + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (sk: t_Array u8 v_PRIVATE_KEY_SIZE) + (pk: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get a reference to the raw public key bytes. +val impl_21__pk + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +/// Get a reference to the [`MlKemPrivateKey`]. 
+val impl_21__private_key + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +/// Get a reference to the [`MlKemPublicKey`]. +val impl_21__public_key + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_MlKemPublicKey v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +/// Get a reference to the raw private key bytes. +val impl_21__sk + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true); + f_default + = + fun (_: Prims.unit) -> + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true); + f_default + = + fun (_: Prims.unit) -> + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true); + f_default + = + fun (_: Prims.unit) -> + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1 (v_SIZE: 
usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) = + { + f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true); + f_as_ref_post = (fun (self: t_MlKemCiphertext v_SIZE) (out: t_Slice u8) -> true); + f_as_ref = fun (self: t_MlKemCiphertext v_SIZE) -> self.f_value <: t_Slice u8 + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_8 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = + { + f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true); + f_as_ref_post = (fun (self: t_MlKemPrivateKey v_SIZE) (out: t_Slice u8) -> true); + f_as_ref = fun (self: t_MlKemPrivateKey v_SIZE) -> self.f_value <: t_Slice u8 + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_15 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) = + { + f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true); + f_as_ref_post = (fun (self: t_MlKemPublicKey v_SIZE) (out: t_Slice u8) -> true); + f_as_ref = fun (self: t_MlKemPublicKey v_SIZE) -> self.f_value <: t_Slice u8 + } + [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_5 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) = { 
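Review bot: `impl_21__new`, `impl_21__into_parts`, `impl_21__sk`, `impl_21__pk`, `impl_21__private_key` and `impl_21__public_key` all carry `Prims.l_True` postconditions, whereas `impl_21__from` ensures `result.f_sk == sk /\ result.f_pk == pk`; nothing in this interface relates the accessors to either constructor, so a client proof cannot conclude `impl_21__sk (impl_21__new sk pk) == sk`. Adding `ensures` clauses of the form `result == self.f_sk.f_value` (presumably via `hax_lib::ensures` on the Rust methods, since this file is extracted) would make the key-pair API usable in downstream proofs. Separately, the `Default` instances `impl`, `impl_7` and `impl_14` produce `Rust_primitives.Hax.repeat 0uy v_SIZE`, i.e. an all-zero ciphertext, private key and public key; that is fine for buffer initialisation, but a comment on the Rust `MlKemPrivateKey` type stating that a default-constructed value is a zero placeholder and not a usable key would help callers avoid using it as one.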
@@ -287,62 +346,3 @@ let impl_19 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) ( <: Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError } - -/// An ML-KEM key pair -type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { - f_sk:t_MlKemPrivateKey v_PRIVATE_KEY_SIZE; - f_pk:t_MlKemPublicKey v_PUBLIC_KEY_SIZE -} - -/// Create a new [`MlKemKeyPair`] from the secret and public key. -val impl_21__from - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) - (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - Prims.l_True - (ensures - fun result -> - let result:t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = result in - result.f_sk == sk /\ result.f_pk == pk) - -/// Separate this key into the public and private key. -val impl_21__into_parts - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Creates a new [`MlKemKeyPair`]. -val impl_21__new - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (sk: t_Array u8 v_PRIVATE_KEY_SIZE) - (pk: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Get a reference to the raw public key bytes. -val impl_21__pk - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -/// Get a reference to the [`MlKemPrivateKey`]. 
-val impl_21__private_key - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -/// Get a reference to the [`MlKemPublicKey`]. -val impl_21__public_key - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_MlKemPublicKey v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -/// Get a reference to the raw private key bytes. -val impl_21__sk - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst index e1c2e554d..14c6d47e2 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst @@ -85,7 +85,7 @@ let sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = in result -#push-options "--z3rlimit 200 --split_queries always" +#push-options "--z3rlimit 200" let barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = let t0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst index d65ff8ae2..8a9c2057c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst 
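Review bot: The `#push-options` guarding `barrett_reduce` now drives Z3 with `--z3rlimit 200` alone, without `--split_queries always`, and nothing in the commit (titled `wip`) shows the lemma was re-checked in that mode; the unsplit verification condition can be slower to discharge and more likely to exhaust the rlimit than the split form. If the proof still goes through, a one-line comment on the Rust-side options attribute (presumably `hax_lib::fstar::options`, since this file is extracted) saying why splitting was dropped would stop the next person re-adding it; if it does not, restore `#push-options "--z3rlimit 200 --split_queries always"`. `barrett_reduce`'s body continues outside the hunk.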
@@ -16,6 +16,13 @@ let vec_from_i16_array (array: t_Slice i16) = let _:Prims.unit = admit () (* Panic freedom *) in result +let vec_zero (_: Prims.unit) = + let result:t_SIMD256Vector = + { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_SIMD256Vector + in + let _:Prims.unit = admit () (* Panic freedom *) in + result + let vec_to_i16_array (v: t_SIMD256Vector) = let output:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in let output:t_Array i16 (sz 16) = @@ -24,10 +31,3 @@ let vec_to_i16_array (v: t_SIMD256Vector) = let result:t_Array i16 (sz 16) = output in let _:Prims.unit = admit () (* Panic freedom *) in result - -let vec_zero (_: Prims.unit) = - let result:t_SIMD256Vector = - { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_SIMD256Vector - in - let _:Prims.unit = admit () (* Panic freedom *) in - result diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti index 57d1a48ac..b15ca262d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti @@ -23,6 +23,14 @@ val vec_from_i16_array (array: t_Slice i16) let result:t_SIMD256Vector = result in repr result == array) +val vec_zero: Prims.unit + -> Prims.Pure t_SIMD256Vector + Prims.l_True + (ensures + fun result -> + let result:t_SIMD256Vector = result in + repr result == Seq.create 16 0s) + val vec_to_i16_array (v: t_SIMD256Vector) : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True 
@@ -41,14 +49,6 @@ let impl: Libcrux_ml_kem.Vector.Traits.t_Repr t_SIMD256Vector = f_repr = fun (x: t_SIMD256Vector) -> vec_to_i16_array x } -val vec_zero: Prims.unit - -> Prims.Pure t_SIMD256Vector - Prims.l_True - (ensures - fun result -> - let result:t_SIMD256Vector = result in - repr result == Seq.create 16 0s) - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = { diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst index 5c9bfdbfc..a36b00a94 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst 
@@ -3,50 +3,6 @@ module Libcrux_ml_kem.Vector.Neon.Arithmetic open Core open FStar.Mul -let barrett_reduce_int16x8_t (v: u8) = - let adder:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1024s in - let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v v_BARRETT_MULTIPLIER in - let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 vec adder in - let quotient:u8 = Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 11l vec in - let sub:u8 = - Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 quotient - Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - in - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v sub - -let montgomery_reduce_int16x8_t (low high: u8) = - let k:u8 = - Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vmulq_n_u16 - (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_s16 low <: u8) - (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: u16) - <: - u8) - in - let c:u8 = - Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l - (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 k - Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - <: - u8) - in - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 high c - -let montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16) = - let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v c in - let vv_high:u8 = - Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l - (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v c <: u8) - in - montgomery_reduce_int16x8_t vv_low vv_high - -let montgomery_multiply_int16x8_t (v c: u8) = - let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_s16 v c in - let vv_high:u8 = - Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l - (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_s16 v c <: u8) - in - montgomery_reduce_int16x8_t vv_low vv_high - let add (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = let lhs:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { 
@@ -73,29 +29,6 @@ let add (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = in lhs -let barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - barrett_reduce_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - barrett_reduce_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - v - let bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) = let c:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 c in let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = @@ -161,32 +94,6 @@ let cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vect in v -let montgomery_multiply_by_constant - (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (c: i16) - = - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - montgomery_multiply_by_constant_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low c - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - montgomery_multiply_by_constant_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high c - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - v - let multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) = let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { 
@@ -263,3 +170,96 @@ let sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector in lhs + +let barrett_reduce_int16x8_t (v: u8) = + let adder:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1024s in + let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v v_BARRETT_MULTIPLIER in + let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 vec adder in + let quotient:u8 = Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 11l vec in + let sub:u8 = + Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 quotient + Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + in + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v sub + +let barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + barrett_reduce_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + barrett_reduce_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + v + +let montgomery_reduce_int16x8_t (low high: u8) = + let k:u8 = + Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vmulq_n_u16 + (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_s16 low <: u8) + (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: u16) + <: + u8) + in + let c:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l + (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 k + Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + <: + u8) + in + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 high c + +let montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16) = 
+ let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v c in + let vv_high:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l + (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v c <: u8) + in + montgomery_reduce_int16x8_t vv_low vv_high + +let montgomery_multiply_by_constant + (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (c: i16) + = + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + montgomery_multiply_by_constant_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low c + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + montgomery_multiply_by_constant_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high c + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + v + +let montgomery_multiply_int16x8_t (v c: u8) = + let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_s16 v c in + let vv_high:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l + (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_s16 v c <: u8) + in + montgomery_reduce_int16x8_t vv_low vv_high diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti index 9429a66de..b765f0915 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti 
@@ -5,53 +5,53 @@ open FStar.Mul let v_BARRETT_MULTIPLIER: i16 = 20159s -val barrett_reduce_int16x8_t (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_reduce_int16x8_t (low high: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16) - : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_multiply_int16x8_t (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) - val add (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) +val bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) +val cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) +val multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply_by_constant - (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (c: i16) +val shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) +val sub (lhs rhs: 
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) +val barrett_reduce_int16x8_t (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) +val montgomery_reduce_int16x8_t (low high: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant + (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_int16x8_t (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst index 692b153dc..c6f54fd1c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst @@ -24,19 +24,6 @@ let mask_n_least_significant_bits (coefficient_bits: i16) = | 11s -> 2047s | x -> (1s < Prims.l_True) -val decompress_uint32x4_t (v_COEFFICIENT_BITS: i32) (v: u8) - : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) - val compress (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True 
@@ -22,6 +19,9 @@ val compress_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) Prims.l_True (fun _ -> Prims.l_True) +val decompress_uint32x4_t (v_COEFFICIENT_BITS: i32) (v: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + val decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst index d3a6b63b2..d00b944c4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst 
@@ -3,6 +3,64 @@ module Libcrux_ml_kem.Vector.Neon.Ntt open Core open FStar.Mul +let inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) = + let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in + let b_minus_a:u8 = + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + v + +let ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) = + let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in + let t:u8 = + Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t v + .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + zeta + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + v + let inv_ntt_layer_1_step 
(v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2 zeta3 zeta4: i16) @@ -142,35 +200,6 @@ let inv_ntt_layer_2_step in v -let inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) = - let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in - let b_minus_a:u8 = - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - v - let ntt_layer_1_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2 zeta3 zeta4: i16) 
@@ -306,35 +335,6 @@ let ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) in v -let ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) = - let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in - let t:u8 = - Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t v - .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - zeta - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - v - let ntt_multiply (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2 zeta3 zeta4: i16) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti index 94a9867ce..a280dcc7a 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti 
@@ -3,6 +3,16 @@ module Libcrux_ml_kem.Vector.Neon.Ntt open Core open FStar.Mul +val inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + Prims.l_True + (fun _ -> Prims.l_True) + val inv_ntt_layer_1_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2 zeta3 zeta4: i16) @@ -17,11 +27,6 @@ val inv_ntt_layer_2_step Prims.l_True (fun _ -> Prims.l_True) -val inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) - : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - Prims.l_True - (fun _ -> Prims.l_True) - val ntt_layer_1_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2 zeta3 zeta4: i16) @@ -34,11 +39,6 @@ val ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) Prims.l_True (fun _ -> Prims.l_True) -val ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) - : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - Prims.l_True - (fun _ -> Prims.l_True) - val ntt_multiply (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2 zeta3 zeta4: i16) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst index 5fddc0daa..cadc20681 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst 
@@ -10,145 +10,6 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let deserialize_1_ (a: t_Slice u8) = - let one:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1s in - let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 0 ] <: u8) <: i16) in - let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 1 ] <: u8) <: i16) in - let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) = - let list = [0s; 255s; (-2s); (-3s); (-4s); (-5s); (-6s); (-7s)] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); - Rust_primitives.Hax.array_of_list 8 list - in - let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in - let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 low shift in - let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 high shift in - { - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vandq_s16 low one; - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_intrinsics.Arm64_extract.v__vandq_s16 high one - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - -let deserialize_12_ (v: t_Slice u8) = - let (indexes: t_Array u8 (sz 16)):t_Array u8 (sz 16) = - let list = - [0uy; 1uy; 1uy; 2uy; 3uy; 4uy; 4uy; 5uy; 6uy; 7uy; 7uy; 8uy; 9uy; 10uy; 10uy; 11uy] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - in - let index_vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (indexes <: t_Slice u8) in - let (shifts: t_Array i16 (sz 8)):t_Array i16 (sz 8) = - let list = [0s; (-4s); 0s; (-4s); 0s; (-4s); 0s; (-4s)] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); - Rust_primitives.Hax.array_of_list 8 list - in - let shift_vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifts <: t_Slice i16) in - let mask12:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_u16 4095us in - let input0:t_Array u8 (sz 16) 
= Rust_primitives.Hax.repeat 0uy (sz 16) in - let input0:t_Array u8 (sz 16) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range input0 - ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (input0.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (v.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - t_Slice u8) - in - let input_vec0:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (input0 <: t_Slice u8) in - let input1:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in - let input1:t_Array u8 (sz 16) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range input1 - ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (input1.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (v.[ { Core.Ops.Range.f_start = sz 12; Core.Ops.Range.f_end = sz 24 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - t_Slice u8) - in - let input_vec1:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (input1 <: t_Slice u8) in - let moved0:u8 = - Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_u8 (Libcrux_intrinsics.Arm64_extract.v__vqtbl1q_u8 - input_vec0 - index_vec - <: - u8) - in - let shifted0:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 moved0 shift_vec in - let low:u8 = - Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vandq_u16 - shifted0 - mask12 - <: - u8) - in - let moved1:u8 = - Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_u8 (Libcrux_intrinsics.Arm64_extract.v__vqtbl1q_u8 - input_vec1 - index_vec - <: - u8) - in - let shifted1:u8 = 
Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 moved1 shift_vec in - let high:u8 = - Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vandq_u16 - shifted1 - mask12 - <: - u8) - in - { - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low = low; - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high = high - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - -let serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) = - let list = [0s; 1s; 2s; 3s; 4s; 5s; 6s; 7s] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); - Rust_primitives.Hax.array_of_list 8 list - in - let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in - let low:u8 = - Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - shift - in - let high:u8 = - Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - shift - in - let low:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 low in - let high:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 high in - let list = [cast (low <: i16) <: u8; cast (high <: i16) <: u8] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list - let serialize_10_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = let low0:u8 = Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s32_s16 (Libcrux_intrinsics.Arm64_extract.v__vtrn1q_s16 
@@ -499,6 +360,145 @@ let serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = in result +let deserialize_1_ (a: t_Slice u8) = + let one:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1s in + let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 0 ] <: u8) <: i16) in + let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 1 ] <: u8) <: i16) in + let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) = + let list = [0s; 255s; (-2s); (-3s); (-4s); (-5s); (-6s); (-7s)] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); + Rust_primitives.Hax.array_of_list 8 list + in + let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in + let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 low shift in + let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 high shift in + { + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vandq_s16 low one; + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_intrinsics.Arm64_extract.v__vandq_s16 high one + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + +let deserialize_12_ (v: t_Slice u8) = + let (indexes: t_Array u8 (sz 16)):t_Array u8 (sz 16) = + let list = + [0uy; 1uy; 1uy; 2uy; 3uy; 4uy; 4uy; 5uy; 6uy; 7uy; 7uy; 8uy; 9uy; 10uy; 10uy; 11uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list + in + let index_vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (indexes <: t_Slice u8) in + let (shifts: t_Array i16 (sz 8)):t_Array i16 (sz 8) = + let list = [0s; (-4s); 0s; (-4s); 0s; (-4s); 0s; (-4s)] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); + Rust_primitives.Hax.array_of_list 8 list + in + let shift_vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifts <: t_Slice i16) in + let mask12:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_u16 
4095us in + let input0:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let input0:t_Array u8 (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range input0 + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (input0.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (v.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) + in + let input_vec0:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (input0 <: t_Slice u8) in + let input1:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let input1:t_Array u8 (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range input1 + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (input1.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (v.[ { Core.Ops.Range.f_start = sz 12; Core.Ops.Range.f_end = sz 24 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) + in + let input_vec1:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (input1 <: t_Slice u8) in + let moved0:u8 = + Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_u8 (Libcrux_intrinsics.Arm64_extract.v__vqtbl1q_u8 + input_vec0 + index_vec + <: + u8) + in + let shifted0:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 moved0 shift_vec in + let low:u8 = + Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vandq_u16 + shifted0 + mask12 + <: + u8) + in + let moved1:u8 = + Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_u8 (Libcrux_intrinsics.Arm64_extract.v__vqtbl1q_u8 + input_vec1 + index_vec + <: + u8) + in + let 
shifted1:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 moved1 shift_vec in + let high:u8 = + Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vandq_u16 + shifted1 + mask12 + <: + u8) + in + { + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low = low; + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high = high + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + +let serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) = + let list = [0s; 1s; 2s; 3s; 4s; 5s; 6s; 7s] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); + Rust_primitives.Hax.array_of_list 8 list + in + let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in + let low:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + shift + in + let high:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + shift + in + let low:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 low in + let high:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 high in + let list = [cast (low <: i16) <: u8; cast (high <: i16) <: u8] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list + let serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) = let list = [0s; 4s; 8s; 12s; 0s; 4s; 8s; 12s] in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti index 0edca8f25..3de7409f7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti 
@@ -10,6 +10,12 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +val serialize_10_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) + val deserialize_1_ (a: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True @@ -23,12 +29,6 @@ val deserialize_12_ (v: t_Slice u8) val serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_10_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) - val serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti index 064561e44..10098ed48 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti 
@@ -10,6 +10,22 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () +val deserialize_11_ (a: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 22) + (fun _ -> Prims.l_True) + +val deserialize_5_ (a: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 10) + (fun _ -> Prims.l_True) + +val serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) + [@@ FStar.Tactics.Typeclasses.tcinstance] let impl: Libcrux_ml_kem.Vector.Traits.t_Repr Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = @@ -30,22 +46,6 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Vector_type.to_i16_array x } -val deserialize_11_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 22) - (fun _ -> Prims.l_True) - -val deserialize_5_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 10) - (fun _ -> Prims.l_True) - -val serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) - val deserialize_1_ (a: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 2) 
diff --git a/libcrux-ml-kem/src/vector/portable/ntt.rs b/libcrux-ml-kem/src/vector/portable/ntt.rs
index 35abf02ce..656b462a5 100644
--- a/libcrux-ml-kem/src/vector/portable/ntt.rs
+++ b/libcrux-ml-kem/src/vector/portable/ntt.rs
@@ -52,7 +52,7 @@ pub(crate) fn ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usize)
 
 #[inline(always)]
 #[hax_lib::fstar::options("--z3rlimit 100")]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
+#[hax_lib ::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\
 Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\
 Spec.Utils.is_i16b_array (11207+5*3328) ${vec}.f_elements"))]
 #[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) ${result}.f_elements"))]
diff --git a/libcrux-sha3/src/generic_keccak.rs b/libcrux-sha3/src/generic_keccak.rs
index 8751d95d5..0e3e853c8 100644
--- a/libcrux-sha3/src/generic_keccak.rs
+++ b/libcrux-sha3/src/generic_keccak.rs
@@ -57,7 +57,7 @@ impl Self { Self { inner: KeccakState::new(),
From a578e901fd3cfa14210c1f758c7a903550452ac4 Mon Sep 17 00:00:00 2001
From: Karthikeyan Bhargavan
Date: Fri, 25 Oct 2024 18:29:20 +0200
Subject: [PATCH 12/74] ml-dsa refresh
---
 Cargo.lock | 6 ++---
 Cargo.toml | 2 +-
 ...ibcrux_ml_dsa.Simd.Portable.Arithmetic.fst | 23 +------------------
 ...bcrux_ml_dsa.Simd.Portable.Vector_type.fst | 10 +-------
 .../src/simd/portable/arithmetic.rs | 4 +---
 .../src/simd/portable/vector_type.rs | 2 +-
 6 files changed, 8 insertions(+), 39 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index a36ef9e2c..8a8b2ea32 100644
--- a/Cargo.lock
+++ b/Cargo.lock
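Review bot: The only change in the ntt.rs hunk is the attribute path being rewritten as `hax_lib ::requires(`, with a space before `::` that the neighbouring `hax_lib::fstar::options` and `hax_lib::ensures` attributes do not have; the compiler accepts whitespace around a path separator, so this is a point of style, but in a "wip" commit it reads as an accidental keystroke rather than an intended edit. Suggest restoring the line to `#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\` so the three attributes stay uniform and a later formatter pass does not produce a spurious diff here. The function these attributes annotate begins after the hunk, so whether the stated precondition matches its parameters cannot be checked from this excerpt.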
@@ -702,7 +702,7 @@ dependencies = [
 [[package]]
 name = "hax-lib"
 version = "0.1.0-alpha.1"
-source = "git+https://github.com/hacspec/hax/?branch=main#24979addf0edca995599fddff6c5cf2720873506"
+source = "git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions#cb6661c67a922e402efd35efe2f8a005ac25a167"
 dependencies = [
 "hax-lib-macros",
 "num-bigint",
@@ -712,7 +712,7 @@ dependencies = [
 [[package]]
 name = "hax-lib-macros"
 version = "0.1.0-alpha.1"
-source = "git+https://github.com/hacspec/hax/?branch=main#24979addf0edca995599fddff6c5cf2720873506"
+source = "git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions#cb6661c67a922e402efd35efe2f8a005ac25a167"
 dependencies = [
 "hax-lib-macros-types",
 "paste",
@@ -725,7 +725,7 @@ dependencies = [
 [[package]]
 name = "hax-lib-macros-types"
 version = "0.1.0-alpha.1"
-source = "git+https://github.com/hacspec/hax/?branch=main#24979addf0edca995599fddff6c5cf2720873506"
+source = "git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions#cb6661c67a922e402efd35efe2f8a005ac25a167"
 dependencies = [
 "proc-macro2",
 "quote",
diff --git a/Cargo.toml b/Cargo.toml
index bcdb8b03f..aef7bc2b2 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -80,7 +80,7 @@ getrandom = { version = "0.2", features = ["js"], optional = true }
 #[target.'cfg(hax)'.dependencies]
 [workspace.dependencies]
 hax-lib-macros = { git = "https://github.com/hacspec/hax", branch = "main" }
-hax-lib = { git = "https://github.com/hacspec/hax/", branch = "main" }
+hax-lib = { git = "https://github.com/hacspec/hax/", branch = "fstar-proof-lib-small-additions" }
 
 [dev-dependencies]
 libcrux = { path = ".", features = ["rand", "tests"] }
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst
index 4d9c2f736..8136f15b4 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst
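Review bot: In the Cargo.toml hunk, `hax-lib` now follows a feature branch by name (`fstar-proof-lib-small-additions`) while `hax-lib-macros` on the line above still names `main` of the same repository, so the two workspace entries can resolve to different revisions of one codebase, and because neither uses `rev`, a later `cargo update` re-resolves each branch head instead of the commit this commit records in Cargo.lock (`cb6661c67a922e402efd35efe2f8a005ac25a167`). The lockfile hunks above show only one `hax-lib-macros` entry, on the new branch, which suggests it is reached through `hax-lib` rather than through the workspace entry, but that cannot be confirmed from this excerpt. For a dependency that drives proof extraction, reproducibility matters more than tracking a branch, so consider `hax-lib = { git = "https://github.com/hacspec/hax/", rev = "cb6661c67a922e402efd35efe2f8a005ac25a167" }` with the same `rev` on `hax-lib-macros`, or at least a comment above the line saying why the two entries diverge and when the branch is expected to land in `main`.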
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst @@ -118,32 +118,11 @@ let infinity_norm_exceeds if true then let _:Prims.unit = - if - ~.((coefficient >. + Hax_lib.v_assert ((coefficient >. (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) <: bool) && (coefficient <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) - then - Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 - (sz 1) - (sz 1) - (let list = ["coefficient is "] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - (let list = - [ - Core.Fmt.Rt.impl_1__new_display #i32 coefficient - <: - Core.Fmt.Rt.t_Argument - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - <: - Core.Fmt.t_Arguments) - <: - Rust_primitives.Hax.t_Never) in () in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst index e0b0dba0d..338234407 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst @@ -23,15 +23,7 @@ let from_coefficient_array (array: t_Slice i32) = <: t_PortableSIMDUnit -let to_coefficient_array (x: t_PortableSIMDUnit) = - Core.Result.impl__unwrap #(t_Array i32 (sz 8)) - #Core.Convert.t_Infallible - (Core.Convert.f_try_into #(t_Array i32 (sz 8)) - #(t_Array i32 (sz 8)) - #FStar.Tactics.Typeclasses.solve - x.f_coefficients - <: - Core.Result.t_Result (t_Array i32 (sz 8)) Core.Convert.t_Infallible) +let to_coefficient_array (x: t_PortableSIMDUnit) = x.f_coefficients let v_ZERO (_: Prims.unit) = { f_coefficients = Rust_primitives.Hax.repeat 0l (sz 8) } <: t_PortableSIMDUnit 
diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs
index b2b428d83..4fc15213e 100644
--- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs
+++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs
@@ -146,9 +146,7 @@ pub fn infinity_norm_exceeds(simd_unit: PortableSIMDUnit, bound: i32) -> bool {
 // revisit if performance is impacted.
 for coefficient in simd_unit.coefficients.into_iter() {
 debug_assert!(
- coefficient > -FIELD_MODULUS && coefficient < FIELD_MODULUS,
- "coefficient is {}",
- coefficient
+ coefficient > -FIELD_MODULUS && coefficient < FIELD_MODULUS
 );
 // This norm is calculated using the absolute value of the
 // signed representative in the range:
diff --git a/libcrux-ml-dsa/src/simd/portable/vector_type.rs b/libcrux-ml-dsa/src/simd/portable/vector_type.rs
index 699790752..47a736cbe 100644
--- a/libcrux-ml-dsa/src/simd/portable/vector_type.rs
+++ b/libcrux-ml-dsa/src/simd/portable/vector_type.rs
@@ -22,5 +22,5 @@ pub(crate) fn from_coefficient_array(array: &[i32]) -> PortableSIMDUnit {
 }
 
 pub(crate) fn to_coefficient_array(x:&PortableSIMDUnit) -> [i32; 8] {
- x.coefficients.try_into().unwrap()
+ x.coefficients
 }
\ No newline at end of file
From 0b37cc16bacebcf3903412b1e8684566b3c25636 Mon Sep 17 00:00:00 2001
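Review bot: The `debug_assert!` in the arithmetic.rs hunk keeps its range check but drops the `"coefficient is {}"` message, so a debug-build failure will no longer report the offending value, which is the one piece of information a developer needs to diagnose it. The removal looks deliberate — the companion F* hunk in this commit extracts the assertion as `Hax_lib.v_assert`, and presumably the formatted message did not survive extraction — but nothing in the source says so, and the next maintainer may well put the message back. Suggest a comment directly above the macro, e.g. `// Keep this a bare debug_assert!: hax extracts it as a proof-time assertion, and a format message would not.` The enclosing `for` loop and `infinity_norm_exceeds` continue outside the hunk.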
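Review bot: The new body `x.coefficients` in the vector_type.rs hunk is only correct if `coefficients` is already `[i32; 8]`, which this hunk does not show; the removed F* extraction elsewhere in this commit models the old conversion with `Core.Convert.t_Infallible`, which is consistent with that, so the simplification appears sound. With the function reduced to a field copy, the signature on the line above would read more idiomatically as `pub(crate) fn to_coefficient_array(x: &PortableSIMDUnit) -> [i32; 8] {` (space after the colon, as rustfmt emits), and the file still ends without a trailing newline (`\ No newline at end of file`), which rustfmt would also fix; one formatter pass on this file would settle both.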
From: Karthikeyan Bhargavan
Date: Mon, 28 Oct 2024 11:21:38 +0100
Subject: [PATCH 13/74] ml-dsa lax-checks except for 3 modules
---
 .../Libcrux_ml_dsa.Ml_dsa_generic.fst | 40 ++--
 .../fstar/extraction/Libcrux_ml_dsa.Ntt.fst | 10 +-
 .../extraction/Libcrux_ml_dsa.Polynomial.fst | 6 +-
 .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fst | 10 +-
 ...ibcrux_ml_dsa.Simd.Portable.Arithmetic.fst | 40 +---
 .../Libcrux_ml_dsa.Simd.Portable.Ntt.fst | 14 +-
 libcrux-ml-dsa/src/ml_dsa_generic.rs | 218 ++++++++++--------
 libcrux-ml-dsa/src/ntt.rs | 3 +
 libcrux-ml-dsa/src/polynomial.rs | 2 +-
 libcrux-ml-dsa/src/simd/avx2/ntt.rs | 3 +
 .../src/simd/portable/arithmetic.rs | 8 +-
 libcrux-ml-dsa/src/simd/portable/ntt.rs | 9 +
 12 files changed, 183 insertions(+), 180 deletions(-)
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst
index 95d331653..e598421e9 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst
@@ -533,17 +533,18 @@ let sign Libcrux_ml_dsa.Pre_hash.impl_1__new context (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) with - | Core.Result.Result_Ok hoist36 -> + | Core.Result.Result_Ok d -> sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message - (Core.Option.Option_Some hoist36 + (Core.Option.Option_Some d <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - | Core.Result.Result_Err err -> - Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) + | Core.Result.Result_Err (Libcrux_ml_dsa.Pre_hash.DomainSeparationError_ContextTooLongError ) -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError 
@@ -594,17 +595,18 @@ let sign_pre_hashed <: Core.Option.t_Option (t_Array u8 (sz 11))) with - | Core.Result.Result_Ok hoist39 -> + | Core.Result.Result_Ok d -> sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key (pre_hashed_message <: t_Slice u8) - (Core.Option.Option_Some hoist39 + (Core.Option.Option_Some d <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - | Core.Result.Result_Err err -> - Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) + | Core.Result.Result_Err (Libcrux_ml_dsa.Pre_hash.DomainSeparationError_ContextTooLongError ) -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError 
@@ -789,16 +791,19 @@ let verify Libcrux_ml_dsa.Pre_hash.impl_1__new context (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) with - | Core.Result.Result_Ok hoist41 -> + | Core.Result.Result_Ok d -> verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message - (Core.Option.Option_Some hoist41 + (Core.Option.Option_Some d <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized - | Core.Result.Result_Err err -> - Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) + | Core.Result.Result_Err (Libcrux_ml_dsa.Pre_hash.DomainSeparationError_ContextTooLongError ) -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_ContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError 
@@ -837,17 +842,20 @@ let verify_pre_hashed <: Core.Option.t_Option (t_Array u8 (sz 11))) with - | Core.Result.Result_Ok hoist43 -> + | Core.Result.Result_Ok d -> verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized (pre_hashed_message <: t_Slice u8) - (Core.Option.Option_Some hoist43 + (Core.Option.Option_Some d <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized - | Core.Result.Result_Err err -> - Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) + | Core.Result.Result_Err (Libcrux_ml_dsa.Pre_hash.DomainSeparationError_ContextTooLongError ) -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_ContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError) <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst index f096cc94a..b36669c58 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst @@ -83,9 +83,7 @@ let invert_ntt_at_layer_2_ (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let (re, zeta_i), hax_temp_output:((Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & - usize) & - Prims.unit) = + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 256 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize) (fun temp_0_ temp_1_ -> 
@@ -121,6 +119,7 @@ let invert_ntt_at_layer_2_ in re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) in + let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) let invert_ntt_at_layer_3_plus @@ -133,9 +132,7 @@ let invert_ntt_at_layer_3_plus (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = let step:usize = sz 1 <>! v_LAYER <: usize) (fun temp_0_ temp_1_ -> @@ -216,6 +213,7 @@ let invert_ntt_at_layer_3_plus in re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) in + let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) let invert_ntt_at_layer_0_ diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst index 029ce893b..d92cb4d77 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst @@ -29,15 +29,13 @@ let impl__infinity_norm_exceeds (fun exceeds simd_unit -> let exceeds:bool = exceeds in let simd_unit:v_SIMDUnit = simd_unit in - exceeds |. + exceeds || (Libcrux_ml_dsa.Simd.Traits.f_infinity_norm_exceeds #v_SIMDUnit #FStar.Tactics.Typeclasses.solve simd_unit bound <: - bool) - <: - bool) + bool)) in exceeds diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst index 6eac6010b..73a72549a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst 
@@ -205,9 +205,7 @@ let ntt_at_layer_3_plus (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = let step:usize = sz 1 <>! v_LAYER <: usize) (fun temp_0_ temp_1_ -> @@ -272,6 +270,7 @@ let ntt_at_layer_3_plus in re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) in + let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) let ntt_at_layer_0_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = @@ -387,9 +386,7 @@ let ntt_at_layer_1_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract zeta_i, re <: (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) let ntt_at_layer_2_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let (re, zeta_i), hax_temp_output:((t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & - usize) & - Prims.unit) = + let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256 (re <: t_Slice Libcrux_intrinsics.Avx2_extract.t_Vec256) @@ -429,6 +426,7 @@ let ntt_at_layer_2_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract let zeta_i:usize = zeta_i +! sz 1 in re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) in + let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) let ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst index 8136f15b4..b8a8a4b00 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst @@ -37,26 +37,11 @@ let decompose_element (v_GAMMA2 r: i32) = if true then let _:Prims.unit = - if - ~.((r >. (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + Hax_lib.v_assert ((r >. + (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) <: bool) && (r <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) - then - Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 (sz 1) - (sz 1) - (let list = ["the representative is "] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - (let list = - [Core.Fmt.Rt.impl_1__new_display #i32 r <: Core.Fmt.Rt.t_Argument] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - <: - Core.Fmt.t_Arguments) - <: - Rust_primitives.Hax.t_Never) in () in @@ -128,7 +113,7 @@ let infinity_norm_exceeds in let sign:i32 = coefficient >>! 31l in let normalized:i32 = coefficient -! (sign &. (2l *! coefficient <: i32) <: i32) in - let exceeds:bool = exceeds |. (normalized >=. bound <: bool) in + let exceeds:bool = exceeds || normalized >=. bound in exceeds) in exceeds 
@@ -138,26 +123,11 @@ let power2round_element (t: i32) = if true then let _:Prims.unit = - if - ~.((t >. (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + Hax_lib.v_assert ((t >. + (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) <: bool) && (t <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) - then - Rust_primitives.Hax.never_to_any (Core.Panicking.panic_fmt (Core.Fmt.impl_2__new_v1 (sz 1) - (sz 1) - (let list = ["t is "] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - (let list = - [Core.Fmt.Rt.impl_1__new_display #i32 t <: Core.Fmt.Rt.t_Argument] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); - Rust_primitives.Hax.array_of_list 1 list) - <: - Core.Fmt.t_Arguments) - <: - Rust_primitives.Hax.t_Never) in () in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst index 3fca93ccb..47babb998 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst @@ -1015,10 +1015,8 @@ let ntt_at_layer_2_ (zeta_i: usize) (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - let (re, zeta_i), hax_temp_output:((t_Array - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & - usize) & - Prims.unit) = + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & + usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) 
@@ -1057,6 +1055,7 @@ let ntt_at_layer_2_ <: (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) in + let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) @@ -1066,10 +1065,8 @@ let ntt_at_layer_3_plus (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = let step:usize = sz 1 <>! v_LAYER <: usize) (fun temp_0_ temp_1_ -> @@ -1150,6 +1147,7 @@ let ntt_at_layer_3_plus <: (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) in + let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 41b5994fa..dfe47172a 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs @@ -12,7 +12,7 @@ use crate::{ }, ntt::ntt, types::{SigningError, VerificationError, Signature}, - pre_hash::{DomainSeparationContext, PreHash}, + pre_hash::{DomainSeparationContext, DomainSeparationError, PreHash}, sample::{sample_challenge_ring_element, sample_mask_vector}, samplex4, simd::traits::Operations, 
@@ -120,32 +120,37 @@ pub(crate) fn sign_pre_hashed< return Err(SigningError::ContextTooLongError); } let pre_hashed_message = PH::hash(message); - - sign_internal::< - SIMDUnit, - Shake128X4, - Shake256, - Shake256X4, - ROWS_IN_A, - COLUMNS_IN_A, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >( - &signing_key, - &pre_hashed_message, - Some(DomainSeparationContext::new(context, Some(&PH::oid()))?), - randomness, - ) + // TODO: Support implicit into() in ? so that this match becomes unnecessary + match DomainSeparationContext::new(context, Some(&PH::oid())) { + Ok(d) => + sign_internal::< + SIMDUnit, + Shake128X4, + Shake256, + Shake256X4, + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >( + &signing_key, + &pre_hashed_message, + Some(d), + randomness, + ), + + Err(DomainSeparationError::ContextTooLongError) => Err(SigningError::ContextTooLongError) + } } #[allow(non_snake_case)] 
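Review bot: The new `Err(DomainSeparationError::ContextTooLongError) => Err(SigningError::ContextTooLongError)` arm in `sign_pre_hashed` duplicates the early `return Err(SigningError::ContextTooLongError)` visible in the context lines just above (apparently a context-length check that runs before `PH::hash`), so the arm looks unreachable from this function unless `DomainSeparationContext::new` enforces a different limit. A comment would stop a later reader from dropping one of the two checks on the assumption that they cover different cases, e.g. `// The context length was already rejected above; this arm only keeps the match exhaustive until hax can lift `?` through `From`.` The same `// TODO: Support implicit into() in ?` text is pasted at four call sites in this patch, and any `From<DomainSeparationError>` impl still in the crate (not visible here) is now dead code; keep the TODO in one place and drop or reference the impl accordingly.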
@@ -174,32 +179,37 @@ pub(crate) fn sign< context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { - sign_internal::< - SIMDUnit, - Shake128X4, - Shake256, - Shake256X4, - ROWS_IN_A, - COLUMNS_IN_A, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >( - &signing_key, - message, - Some(DomainSeparationContext::new(context, None)?), - randomness, - ) -} + // TODO: Support implicit into() in ? so that this match becomes unnecessary + match DomainSeparationContext::new(context, None) { + Ok(d) => + sign_internal::< + SIMDUnit, + Shake128X4, + Shake256, + Shake256X4, + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >( + &signing_key, + message, + Some(d), + randomness, + ), + Err(DomainSeparationError::ContextTooLongError) => Err(SigningError::ContextTooLongError) + } +} /// The internal signing API. /// 
@@ -561,29 +571,34 @@ pub(crate) fn verify< context: &[u8], signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { - verify_internal::< - SIMDUnit, - Shake128X4, - Shake256, - ROWS_IN_A, - COLUMNS_IN_A, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( - &verification_key_serialized, - message, - Some(DomainSeparationContext::new(context, None)?), - &signature_serialized, - ) + // TODO: Support implicit into() in ? so that this match becomes unnecessary + match DomainSeparationContext::new(context, None) { + Ok(d) => + verify_internal::< + SIMDUnit, + Shake128X4, + Shake256, + ROWS_IN_A, + COLUMNS_IN_A, + SIGNATURE_SIZE, + VERIFICATION_KEY_SIZE, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + GAMMA2, + BETA, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + >( + &verification_key_serialized, + message, + Some(d), + &signature_serialized, + ), + Err(DomainSeparationError::ContextTooLongError) => Err(VerificationError::ContextTooLongError) + } } #[allow(non_snake_case)] 
@@ -614,27 +629,32 @@ pub(crate) fn verify_pre_hashed< ) -> Result<(), VerificationError> { let pre_hashed_message = PH::hash(message); - verify_internal::< - SIMDUnit, - Shake128X4, - Shake256, - ROWS_IN_A, - COLUMNS_IN_A, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( - &verification_key_serialized, - &pre_hashed_message, - Some(DomainSeparationContext::new(context, Some(&PH::oid()))?), - &signature_serialized, - ) + // TODO: Support implicit into() in ? so that this match becomes unnecessary + match DomainSeparationContext::new(context, Some(&PH::oid())) { + Ok(d) => + verify_internal::< + SIMDUnit, + Shake128X4, + Shake256, + ROWS_IN_A, + COLUMNS_IN_A, + SIGNATURE_SIZE, + VERIFICATION_KEY_SIZE, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + GAMMA2, + BETA, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + >( + &verification_key_serialized, + &pre_hashed_message, + Some(d), + &signature_serialized, + ), + Err(DomainSeparationError::ContextTooLongError) => Err(VerificationError::ContextTooLongError) + } } diff --git a/libcrux-ml-dsa/src/ntt.rs b/libcrux-ml-dsa/src/ntt.rs index a1246393c..7094faaa5 100644 --- a/libcrux-ml-dsa/src/ntt.rs +++ b/libcrux-ml-dsa/src/ntt.rs @@ -94,6 +94,7 @@ fn invert_ntt_at_layer_2( ZETAS_TIMES_MONTGOMERY_R[*zeta_i], ); } + () } #[inline(always)] fn invert_ntt_at_layer_3_plus( @@ -114,7 +115,9 @@ fn invert_ntt_at_layer_3_plus( re.simd_units[j + step_by] = montgomery_multiply_by_fer(a_minus_b, ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); } + () } + () } #[inline(always)] diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index acc135481..0cab00b27 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs 
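Review bot: In `verify_pre_hashed` the unchanged first line of the hunk, `let pre_hashed_message = PH::hash(message);`, still runs before `DomainSeparationContext::new(context, Some(&PH::oid()))` validates the context, so a caller supplying an over-long context pays for hashing the whole message before receiving `VerificationError::ContextTooLongError`, whereas `sign_pre_hashed` in this same patch rejects the context before hashing. Moving the hash into the success arm, `Ok(d) => { let pre_hashed_message = PH::hash(message); verify_internal::<…>(&verification_key_serialized, &pre_hashed_message, Some(d), &signature_serialized) }`, makes the rejection cheap and the two pre-hash paths consistent without changing the verification result.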
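Review bot: The trailing `()` expressions added at the end of `invert_ntt_at_layer_2` and `invert_ntt_at_layer_3_plus` in ntt.rs are no-ops for rustc and are likely to be flagged by clippy's `unused_unit` lint, so without an explanation the next cleanup pass will remove them. If they exist to shape the hax/F* extraction (the matching `.fst` hunks earlier in this patch bind a `hax_temp_output:Prims.unit` after the fold), say so once at the first occurrence, e.g. `// Explicit unit result: keeps the hax extraction of the `for` a plain fold with a unit output.` The enclosing functions begin above the hunk.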
@@ -44,7 +44,7 @@ impl PolynomialRingElement { let mut exceeds = false; for simd_unit in self.simd_units { - exceeds |= SIMDUnit::infinity_norm_exceeds(simd_unit, bound); + exceeds = exceeds || SIMDUnit::infinity_norm_exceeds(simd_unit, bound); } exceeds diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs index c6f302155..4ae0fc6fa 100644 --- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs @@ -214,6 +214,7 @@ fn ntt_at_layer_2(zeta_i: &mut usize, re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEME *zeta_i += 1; } + () } #[inline(always)] @@ -238,7 +239,9 @@ fn ntt_at_layer_3_plus( re[j + step_by] = arithmetic::subtract(re[j], t); re[j] = arithmetic::add(re[j], t); } + () } + () } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index 4fc15213e..50744017b 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -101,7 +101,7 @@ pub(crate) fn montgomery_multiply( // to the standard unsigned range. #[inline(always)] fn power2round_element(t: i32) -> (i32, i32) { - debug_assert!(t > -FIELD_MODULUS && t < FIELD_MODULUS, "t is {}", t); + debug_assert!(t > -FIELD_MODULUS && t < FIELD_MODULUS); // Convert the signed representative to the standard unsigned one. let t = t + ((t >> 31) & FIELD_MODULUS); @@ -158,7 +158,7 @@ pub fn infinity_norm_exceeds(simd_unit: PortableSIMDUnit, bound: i32) -> bool { let sign = coefficient >> 31; let normalized = coefficient - (sign & (2 * coefficient)); - exceeds |= normalized >= bound; + exceeds = exceeds || normalized >= bound; } exceeds @@ -228,9 +228,7 @@ pub fn compute_hint( #[inline(always)] fn decompose_element(r: i32) -> (i32, i32) { debug_assert!( - r > -FIELD_MODULUS && r < FIELD_MODULUS, - "the representative is {}", - r + r > -FIELD_MODULUS && r < FIELD_MODULUS ); // Convert the signed representative to the standard unsigned one. 
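Review bot: Replacing `exceeds |= SIMDUnit::infinity_norm_exceeds(simd_unit, bound)` with `exceeds = exceeds || …` in `infinity_norm_exceeds` is not a pure style change: `||` short-circuits, so the loop stops examining SIMD units after the first one over the bound, and its running time now depends on where in the polynomial — a secret-derived value during the signing rejection loop — the first out-of-bound coefficient sits. The pqcrystals reference `poly_chknorm` makes the same trade and documents it as acceptable because each coefficient's rejection probability is independent of the secret while the sign of the centred value must not leak; that justification belongs here, otherwise the data-dependent loop reads like a constant-time one or gets "fixed" back to `|=`. Suggested comment above the loop: `// `||` short-circuits, so the loop exits at the first unit over the bound. Leaking which coefficient fails is acceptable (its distribution is independent of the secret); the sign of the centred coefficient must not leak, which the branch-free normalization in the SIMD backends is responsible for.` The same change to `exceeds = exceeds || normalized >= bound` in the portable `infinity_norm_exceeds` hunk further down this line deserves the same comment; if the rewrite was driven by the F* extraction (the `.fst` hunks switch `|.` to `||` on booleans), note that too.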
diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs index 1d994e241..951215294 100644 --- a/libcrux-ml-dsa/src/simd/portable/ntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs @@ -30,6 +30,7 @@ pub fn simd_unit_ntt_at_layer_0( simd_unit } + #[inline(always)] pub fn simd_unit_ntt_at_layer_1( mut simd_unit: PortableSIMDUnit, @@ -54,6 +55,7 @@ pub fn simd_unit_ntt_at_layer_1( simd_unit } + #[inline(always)] pub fn simd_unit_ntt_at_layer_2(mut simd_unit: PortableSIMDUnit, zeta: i32) -> PortableSIMDUnit { let t = montgomery_multiply_fe_by_fer(simd_unit.coefficients[4], zeta); @@ -101,6 +103,7 @@ pub fn invert_ntt_at_layer_0( simd_unit } + #[inline(always)] pub fn invert_ntt_at_layer_1( mut simd_unit: PortableSIMDUnit, @@ -125,6 +128,7 @@ pub fn invert_ntt_at_layer_1( simd_unit } + #[inline(always)] pub fn invert_ntt_at_layer_2(mut simd_unit: PortableSIMDUnit, zeta: i32) -> PortableSIMDUnit { let a_minus_b = simd_unit.coefficients[4] - simd_unit.coefficients[0]; @@ -164,6 +168,7 @@ fn ntt_at_layer_0(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_ *zeta_i -= 1; } + #[inline(always)] fn ntt_at_layer_1(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { *zeta_i += 1; @@ -180,13 +185,16 @@ fn ntt_at_layer_1(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_ *zeta_i -= 1; } + #[inline(always)] fn ntt_at_layer_2(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { for round in 0..re.len() { *zeta_i += 1; re[round] = simd_unit_ntt_at_layer_2(re[round], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); } + () } + #[inline(always)] fn ntt_at_layer_3_plus( zeta_i: &mut usize, @@ -207,6 +215,7 @@ fn ntt_at_layer_3_plus( re[j] = arithmetic::add(&re[j], &t); } } + () } #[inline(always)] From fbefc8db4679251d6ec2129170ece12c3af51e03 Mon Sep 17 00:00:00 2001 
From: Karthikeyan Bhargavan Date: Tue, 29 Oct 2024 11:44:22 +0100 Subject: [PATCH 14/74] lax check succeeds --- .../extraction/Libcrux_ml_dsa.Samplex4.fst | 1053 +++-------------- .../extraction/Libcrux_ml_dsa.Samplex4.fsti | 15 + ...x_ml_dsa.Simd.Portable.Encoding.Gamma1.fst | 540 +-------- ...bcrux_ml_dsa.Simd.Portable.Encoding.T0.fst | 510 +------- libcrux-ml-dsa/src/samplex4.rs | 219 ++-- .../src/simd/portable/encoding/gamma1.rs | 67 +- .../src/simd/portable/encoding/t0.rs | 92 +- 7 files changed, 427 insertions(+), 2069 deletions(-) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst index c6103d0bf..ac648b477 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst @@ -14,6 +14,34 @@ let _ = let generate_domain_separator (row column: u8) = (cast (column <: u8) <: u16) |. ((cast (row <: u8) <: u16) < Prims.l_True) +val update_matrix + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (m: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (i j: usize) + (v: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + val matrix_A_4_by_4_ (#v_SIMDUnit #v_Shake128X4: Type0) (v_ROWS_IN_A v_COLUMNS_IN_A: usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst index 5851c5998..ca1f48e87 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst 
@@ -26,324 +26,45 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = (fun simd_unit temp_1_ -> let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in let i, bytes:(usize & t_Slice u8) = temp_1_ in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4 *! i <: usize) - (cast (bytes.[ sz 0 ] <: u8) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4 *! i <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 *! i - <: - usize ] - <: - i32) |. - ((cast (bytes.[ sz 1 ] <: u8) <: i32) <>! 2l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let coefficient0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let coefficient0:i32 = + coefficient0 |. ((cast (bytes.[ sz 1 ] <: u8) <: i32) <>! 2l in + let coefficient1:i32 = + coefficient1 |. ((cast (bytes.[ sz 3 ] <: u8) <: i32) <>! 4l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let coefficient1:i32 = + coefficient1 |. ((cast (bytes.[ sz 4 ] <: u8) <: i32) <>! 4l in + let coefficient2:i32 = + coefficient2 |. ((cast (bytes.[ sz 5 ] <: u8) <: i32) <>! 6l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let coefficient2:i32 = + coefficient2 &. 
deserialize_when_gamma1_is_2_pow_17___GAMMA1_TIMES_2_BITMASK in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((sz 4 *! i <: usize) +! sz 3 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (sz 4 *! i - <: - usize) +! - sz 3 - <: - usize ] - <: - i32) |. - ((cast (bytes.[ sz 7 ] <: u8) <: i32) <>! 6l in + let coefficient3:i32 = + coefficient3 |. ((cast (bytes.[ sz 7 ] <: u8) <: i32) < let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in let i, bytes:(usize & t_Slice u8) = temp_1_ in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2 *! i <: usize) - (cast (bytes.[ sz 0 ] <: u8) <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2 *! i <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 *! i - <: - usize ] - <: - i32) |. - ((cast (bytes.[ sz 1 ] <: u8) <: i32) <>! 4l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + let coefficient0:i32 = + coefficient0 &. 
deserialize_when_gamma1_is_2_pow_19___GAMMA1_TIMES_2_BITMASK in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - ((sz 2 *! i <: usize) +! sz 1 <: usize) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ (sz 2 *! i - <: - usize) +! - sz 1 - <: - usize ] - <: - i32) |. - ((cast (bytes.[ sz 3 ] <: u8) <: i32) <>! 4l in + let coefficient1:i32 = + coefficient1 |. ((cast (bytes.[ sz 3 ] <: u8) <: i32) <>! 5l in + let coefficient1:i32 = coefficient1 |. (byte2 <>! 2l in + let coefficient2:i32 = coefficient2 |. (byte4 <>! 7l in + let coefficient3:i32 = coefficient3 |. (byte5 <>! 4l in + let coefficient4:i32 = coefficient4 |. (byte7 <>! 1l in + let coefficient5:i32 = coefficient5 |. (byte9 <>! 6l in + let coefficient6:i32 = coefficient6 |. (byte10 <>! 3l in + let coefficient7:i32 = coefficient7 |. (byte12 <>! 5l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 1) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) |. - (byte2 <>! 
2l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 2) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) |. - (byte4 <>! 7l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 3) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) |. - (byte5 <>! 4l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 4) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) |. - (byte7 <>! 1l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 5) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) |. - (byte9 <>! 
6l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 6) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) |. - (byte10 <>! 3l <: i32) - } - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - in - let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - { - simd_unit with - Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit - .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients - (sz 7) - ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) |. - (byte12 < u16 { (column as u16) | ((row as u16) << 8) } +type Matrix = + [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A]; + +fn update_matrix( + m: &mut Matrix, + i: usize, j: usize, + v: PolynomialRingElement) { + m[i][j] = v; +} + #[allow(non_snake_case)] #[inline(always)] pub(crate) fn matrix_A_4_by_4< @@ -19,8 +29,9 @@ pub(crate) fn matrix_A_4_by_4< const COLUMNS_IN_A: usize, >( seed: [u8; 34], -) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { - let mut A = [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; +) -> Matrix { + let mut A : Matrix:: = + [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; let four_ring_elements = sample_four_ring_elements::( seed, 
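Review bot: `update_matrix` is introduced without a doc comment or `#[inline(always)]`, while the neighbouring functions in samplex4.rs (`matrix_A_4_by_4` in the next hunk) carry `#[inline(always)]`; since it replaces a direct `A[i][j] = v` for every sampled matrix entry, its inlining is now left to the optimizer. Presumably the helper exists so the hax/F* extraction sees a single array update (the new `.fsti` declares `update_matrix` with trivial pre- and postconditions); state that at the definition, e.g. `/// Helper for `m[i][j] = v`, kept as its own function so the extraction sees one nested-array update.` and add `#[inline(always)]`. The `@@` header of this first samplex4.rs hunk is not legible in this copy of the patch, so the exact placement of `Matrix` and `update_matrix` after `generate_domain_separator` is inferred.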
@@ -29,10 +40,10 @@ pub(crate) fn matrix_A_4_by_4< generate_domain_separator(0, 2), generate_domain_separator(0, 3), ); - A[0][0] = four_ring_elements.0; - A[0][1] = four_ring_elements.1; - A[0][2] = four_ring_elements.2; - A[0][3] = four_ring_elements.3; + update_matrix(&mut A, 0, 0, four_ring_elements.0); + update_matrix(&mut A, 0, 1, four_ring_elements.1); + update_matrix(&mut A, 0, 2, four_ring_elements.2); + update_matrix(&mut A, 0, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -41,10 +52,10 @@ pub(crate) fn matrix_A_4_by_4< generate_domain_separator(1, 2), generate_domain_separator(1, 3), ); - A[1][0] = four_ring_elements.0; - A[1][1] = four_ring_elements.1; - A[1][2] = four_ring_elements.2; - A[1][3] = four_ring_elements.3; + update_matrix(&mut A, 1, 0, four_ring_elements.0); + update_matrix(&mut A, 1, 1, four_ring_elements.1); + update_matrix(&mut A, 1, 2, four_ring_elements.2); + update_matrix(&mut A, 1, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -53,10 +64,10 @@ pub(crate) fn matrix_A_4_by_4< generate_domain_separator(2, 2), generate_domain_separator(2, 3), ); - A[2][0] = four_ring_elements.0; - A[2][1] = four_ring_elements.1; - A[2][2] = four_ring_elements.2; - A[2][3] = four_ring_elements.3; + update_matrix(&mut A, 2, 0, four_ring_elements.0); + update_matrix(&mut A, 2, 1, four_ring_elements.1); + update_matrix(&mut A, 2, 2, four_ring_elements.2); + update_matrix(&mut A, 2, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, 
@@ -65,10 +76,10 @@ pub(crate) fn matrix_A_4_by_4< generate_domain_separator(3, 2), generate_domain_separator(3, 3), ); - A[3][0] = four_ring_elements.0; - A[3][1] = four_ring_elements.1; - A[3][2] = four_ring_elements.2; - A[3][3] = four_ring_elements.3; + update_matrix(&mut A, 3, 0, four_ring_elements.0); + update_matrix(&mut A, 3, 1, four_ring_elements.1); + update_matrix(&mut A, 3, 2, four_ring_elements.2); + update_matrix(&mut A, 3, 3, four_ring_elements.3); A } @@ -92,10 +103,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(0, 2), generate_domain_separator(0, 3), ); - A[0][0] = four_ring_elements.0; - A[0][1] = four_ring_elements.1; - A[0][2] = four_ring_elements.2; - A[0][3] = four_ring_elements.3; + update_matrix(&mut A, 0, 0, four_ring_elements.0); + update_matrix(&mut A, 0, 1, four_ring_elements.1); + update_matrix(&mut A, 0, 2, four_ring_elements.2); + update_matrix(&mut A, 0, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -104,10 +115,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(1, 1), generate_domain_separator(1, 2), ); - A[0][4] = four_ring_elements.0; - A[1][0] = four_ring_elements.1; - A[1][1] = four_ring_elements.2; - A[1][2] = four_ring_elements.3; + update_matrix(&mut A, 0, 4, four_ring_elements.0); + update_matrix(&mut A, 1, 0, four_ring_elements.1); + update_matrix(&mut A, 1, 1, four_ring_elements.2); + update_matrix(&mut A, 1, 2, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, 
@@ -116,10 +127,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(2, 0), generate_domain_separator(2, 1), ); - A[1][3] = four_ring_elements.0; - A[1][4] = four_ring_elements.1; - A[2][0] = four_ring_elements.2; - A[2][1] = four_ring_elements.3; + update_matrix(&mut A, 1, 3, four_ring_elements.0); + update_matrix(&mut A, 1, 4, four_ring_elements.1); + update_matrix(&mut A, 2, 0, four_ring_elements.2); + update_matrix(&mut A, 2, 1, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -128,10 +139,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(2, 4), generate_domain_separator(3, 0), ); - A[2][2] = four_ring_elements.0; - A[2][3] = four_ring_elements.1; - A[2][4] = four_ring_elements.2; - A[3][0] = four_ring_elements.3; + update_matrix(&mut A, 2, 2, four_ring_elements.0); + update_matrix(&mut A, 2, 3, four_ring_elements.1); + update_matrix(&mut A, 2, 4, four_ring_elements.2); + update_matrix(&mut A, 3, 0, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -140,10 +151,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(3, 3), generate_domain_separator(3, 4), ); - A[3][1] = four_ring_elements.0; - A[3][2] = four_ring_elements.1; - A[3][3] = four_ring_elements.2; - A[3][4] = four_ring_elements.3; + update_matrix(&mut A, 3, 1, four_ring_elements.0); + update_matrix(&mut A, 3, 2, four_ring_elements.1); + update_matrix(&mut A, 3, 3, four_ring_elements.2); + update_matrix(&mut A, 3, 4, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, 
@@ -152,10 +163,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(4, 2), generate_domain_separator(4, 3), ); - A[4][0] = four_ring_elements.0; - A[4][1] = four_ring_elements.1; - A[4][2] = four_ring_elements.2; - A[4][3] = four_ring_elements.3; + update_matrix(&mut A, 4, 0, four_ring_elements.0); + update_matrix(&mut A, 4, 1, four_ring_elements.1); + update_matrix(&mut A, 4, 2, four_ring_elements.2); + update_matrix(&mut A, 4, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -164,10 +175,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(5, 1), generate_domain_separator(5, 2), ); - A[4][4] = four_ring_elements.0; - A[5][0] = four_ring_elements.1; - A[5][1] = four_ring_elements.2; - A[5][2] = four_ring_elements.3; + update_matrix(&mut A, 4, 4, four_ring_elements.0); + update_matrix(&mut A, 5, 0, four_ring_elements.1); + update_matrix(&mut A, 5, 1, four_ring_elements.2); + update_matrix(&mut A, 5, 2, four_ring_elements.3); // The the last 2 sampled ring elements are discarded here. let four_ring_elements = sample_four_ring_elements::( @@ -177,8 +188,8 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(5, 5), generate_domain_separator(5, 6), ); - A[5][3] = four_ring_elements.0; - A[5][4] = four_ring_elements.1; + update_matrix(&mut A, 5, 3, four_ring_elements.0); + update_matrix(&mut A, 5, 4, four_ring_elements.1); A } @@ -201,10 +212,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(0, 2), generate_domain_separator(0, 3), ); - A[0][0] = four_ring_elements.0; - A[0][1] = four_ring_elements.1; - A[0][2] = four_ring_elements.2; - A[0][3] = four_ring_elements.3; + update_matrix(&mut A, 0, 0, four_ring_elements.0); + update_matrix(&mut A, 0, 1, four_ring_elements.1); + update_matrix(&mut A, 0, 2, four_ring_elements.2); + update_matrix(&mut A, 0, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, 
@@ -213,10 +224,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(0, 6), generate_domain_separator(1, 0), ); - A[0][4] = four_ring_elements.0; - A[0][5] = four_ring_elements.1; - A[0][6] = four_ring_elements.2; - A[1][0] = four_ring_elements.3; + update_matrix(&mut A, 0, 4, four_ring_elements.0); + update_matrix(&mut A, 0, 5, four_ring_elements.1); + update_matrix(&mut A, 0, 6, four_ring_elements.2); + update_matrix(&mut A, 1, 0, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -225,10 +236,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(1, 3), generate_domain_separator(1, 4), ); - A[1][1] = four_ring_elements.0; - A[1][2] = four_ring_elements.1; - A[1][3] = four_ring_elements.2; - A[1][4] = four_ring_elements.3; + update_matrix(&mut A, 1, 1, four_ring_elements.0); + update_matrix(&mut A, 1, 2, four_ring_elements.1); + update_matrix(&mut A, 1, 3, four_ring_elements.2); + update_matrix(&mut A, 1, 4, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -237,10 +248,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(2, 0), generate_domain_separator(2, 1), ); - A[1][5] = four_ring_elements.0; - A[1][6] = four_ring_elements.1; - A[2][0] = four_ring_elements.2; - A[2][1] = four_ring_elements.3; + update_matrix(&mut A, 1, 5, four_ring_elements.0); + update_matrix(&mut A, 1, 6, four_ring_elements.1); + update_matrix(&mut A, 2, 0, four_ring_elements.2); + update_matrix(&mut A, 2, 1, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, 
@@ -249,10 +260,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(2, 4), generate_domain_separator(2, 5), ); - A[2][2] = four_ring_elements.0; - A[2][3] = four_ring_elements.1; - A[2][4] = four_ring_elements.2; - A[2][5] = four_ring_elements.3; + update_matrix(&mut A, 2, 2, four_ring_elements.0); + update_matrix(&mut A, 2, 3, four_ring_elements.1); + update_matrix(&mut A, 2, 4, four_ring_elements.2); + update_matrix(&mut A, 2, 5, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -261,10 +272,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(3, 1), generate_domain_separator(3, 2), ); - A[2][6] = four_ring_elements.0; - A[3][0] = four_ring_elements.1; - A[3][1] = four_ring_elements.2; - A[3][2] = four_ring_elements.3; + update_matrix(&mut A, 2, 6, four_ring_elements.0); + update_matrix(&mut A, 3, 0, four_ring_elements.1); + update_matrix(&mut A, 3, 1, four_ring_elements.2); + update_matrix(&mut A, 3, 2, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -273,10 +284,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(3, 5), generate_domain_separator(3, 6), ); - A[3][3] = four_ring_elements.0; - A[3][4] = four_ring_elements.1; - A[3][5] = four_ring_elements.2; - A[3][6] = four_ring_elements.3; + update_matrix(&mut A, 3, 3, four_ring_elements.0); + update_matrix(&mut A, 3, 4, four_ring_elements.1); + update_matrix(&mut A, 3, 5, four_ring_elements.2); + update_matrix(&mut A, 3, 6, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, 
@@ -285,10 +296,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(4, 2), generate_domain_separator(4, 3), ); - A[4][0] = four_ring_elements.0; - A[4][1] = four_ring_elements.1; - A[4][2] = four_ring_elements.2; - A[4][3] = four_ring_elements.3; + update_matrix(&mut A, 4, 0, four_ring_elements.0); + update_matrix(&mut A, 4, 1, four_ring_elements.1); + update_matrix(&mut A, 4, 2, four_ring_elements.2); + update_matrix(&mut A, 4, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -297,10 +308,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(4, 6), generate_domain_separator(5, 0), ); - A[4][4] = four_ring_elements.0; - A[4][5] = four_ring_elements.1; - A[4][6] = four_ring_elements.2; - A[5][0] = four_ring_elements.3; + update_matrix(&mut A, 4, 4, four_ring_elements.0); + update_matrix(&mut A, 4, 5, four_ring_elements.1); + update_matrix(&mut A, 4, 6, four_ring_elements.2); + update_matrix(&mut A, 5, 0, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -309,10 +320,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(5, 3), generate_domain_separator(5, 4), ); - A[5][1] = four_ring_elements.0; - A[5][2] = four_ring_elements.1; - A[5][3] = four_ring_elements.2; - A[5][4] = four_ring_elements.3; + update_matrix(&mut A, 5, 1, four_ring_elements.0); + update_matrix(&mut A, 5, 2, four_ring_elements.1); + update_matrix(&mut A, 5, 3, four_ring_elements.2); + update_matrix(&mut A, 5, 4, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, 
@@ -321,10 +332,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(6, 0), generate_domain_separator(6, 1), ); - A[5][5] = four_ring_elements.0; - A[5][6] = four_ring_elements.1; - A[6][0] = four_ring_elements.2; - A[6][1] = four_ring_elements.3; + update_matrix(&mut A, 5, 5, four_ring_elements.0); + update_matrix(&mut A, 5, 6, four_ring_elements.1); + update_matrix(&mut A, 6, 0, four_ring_elements.2); + update_matrix(&mut A, 6, 1, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -333,10 +344,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(6, 4), generate_domain_separator(6, 5), ); - A[6][2] = four_ring_elements.0; - A[6][3] = four_ring_elements.1; - A[6][4] = four_ring_elements.2; - A[6][5] = four_ring_elements.3; + update_matrix(&mut A, 6, 2, four_ring_elements.0); + update_matrix(&mut A, 6, 3, four_ring_elements.1); + update_matrix(&mut A, 6, 4, four_ring_elements.2); + update_matrix(&mut A, 6, 5, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -345,10 +356,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(7, 1), generate_domain_separator(7, 2), ); - A[6][6] = four_ring_elements.0; - A[7][0] = four_ring_elements.1; - A[7][1] = four_ring_elements.2; - A[7][2] = four_ring_elements.3; + update_matrix(&mut A, 6, 6, four_ring_elements.0); + update_matrix(&mut A, 7, 0, four_ring_elements.1); + update_matrix(&mut A, 7, 1, four_ring_elements.2); + update_matrix(&mut A, 7, 2, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, 
@@ -357,10 +368,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(7, 5), generate_domain_separator(7, 6), ); - A[7][3] = four_ring_elements.0; - A[7][4] = four_ring_elements.1; - A[7][5] = four_ring_elements.2; - A[7][6] = four_ring_elements.3; + update_matrix(&mut A, 7, 3, four_ring_elements.0); + update_matrix(&mut A, 7, 4, four_ring_elements.1); + update_matrix(&mut A, 7, 5, four_ring_elements.2); + update_matrix(&mut A, 7, 6, four_ring_elements.3); A } diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs index 6409387af..3dbb5f20a 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs @@ -36,6 +36,7 @@ pub fn serialize_when_gamma1_is_2_pow_17( serialized } + #[inline(always)] fn serialize_when_gamma1_is_2_pow_19( simd_unit: PortableSIMDUnit, 
@@ -83,30 +84,30 @@ fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8]) -> PortableSIMDUnit { let mut simd_unit = ZERO(); for (i, bytes) in serialized.chunks_exact(9).enumerate() { - simd_unit.coefficients[4 * i] = bytes[0] as i32; - simd_unit.coefficients[4 * i] |= (bytes[1] as i32) << 8; - simd_unit.coefficients[4 * i] |= (bytes[2] as i32) << 16; - simd_unit.coefficients[4 * i] &= GAMMA1_TIMES_2_BITMASK; - - simd_unit.coefficients[4 * i + 1] = (bytes[2] as i32) >> 2; - simd_unit.coefficients[4 * i + 1] |= (bytes[3] as i32) << 6; - simd_unit.coefficients[4 * i + 1] |= (bytes[4] as i32) << 14; - simd_unit.coefficients[4 * i + 1] &= GAMMA1_TIMES_2_BITMASK; - - simd_unit.coefficients[4 * i + 2] = (bytes[4] as i32) >> 4; - simd_unit.coefficients[4 * i + 2] |= (bytes[5] as i32) << 4; - simd_unit.coefficients[4 * i + 2] |= (bytes[6] as i32) << 12; - simd_unit.coefficients[4 * i + 2] &= GAMMA1_TIMES_2_BITMASK; - - simd_unit.coefficients[4 * i + 3] = (bytes[6] as i32) >> 6; - simd_unit.coefficients[4 * i + 3] |= (bytes[7] as i32) << 2; - simd_unit.coefficients[4 * i + 3] |= (bytes[8] as i32) << 10; - simd_unit.coefficients[4 * i + 3] &= GAMMA1_TIMES_2_BITMASK; - - simd_unit.coefficients[4 * i] = GAMMA1 - simd_unit.coefficients[4 * i]; - simd_unit.coefficients[4 * i + 1] = GAMMA1 - simd_unit.coefficients[4 * i + 1]; - simd_unit.coefficients[4 * i + 2] = GAMMA1 - simd_unit.coefficients[4 * i + 2]; - simd_unit.coefficients[4 * i + 3] = GAMMA1 - simd_unit.coefficients[4 * i + 3]; + let mut coefficient0 = bytes[0] as i32; + coefficient0 |= (bytes[1] as i32) << 8; + coefficient0 |= (bytes[2] as i32) << 16; + coefficient0 &= GAMMA1_TIMES_2_BITMASK; + + let mut coefficient1 = (bytes[2] as i32) >> 2; + coefficient1 |= (bytes[3] as i32) << 6; + coefficient1 |= (bytes[4] as i32) << 14; + coefficient1 &= GAMMA1_TIMES_2_BITMASK; + + let mut coefficient2 = (bytes[4] as i32) >> 4; + coefficient2 |= (bytes[5] as i32) << 4; + coefficient2 |= (bytes[6] as i32) << 12; + coefficient2 
&= GAMMA1_TIMES_2_BITMASK; + + let mut coefficient3 = (bytes[6] as i32) >> 6; + coefficient3 |= (bytes[7] as i32) << 2; + coefficient3 |= (bytes[8] as i32) << 10; + coefficient3 &= GAMMA1_TIMES_2_BITMASK; + + simd_unit.coefficients[4 * i] = GAMMA1 - coefficient0; + simd_unit.coefficients[4 * i + 1] = GAMMA1 - coefficient1; + simd_unit.coefficients[4 * i + 2] = GAMMA1 - coefficient2; + simd_unit.coefficients[4 * i + 3] = GAMMA1 - coefficient3; } simd_unit @@ -123,17 +124,17 @@ fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8]) -> PortableSIMDUnit { let mut simd_unit = ZERO(); for (i, bytes) in serialized.chunks_exact(5).enumerate() { - simd_unit.coefficients[2 * i] = bytes[0] as i32; - simd_unit.coefficients[2 * i] |= (bytes[1] as i32) << 8; - simd_unit.coefficients[2 * i] |= (bytes[2] as i32) << 16; - simd_unit.coefficients[2 * i] &= GAMMA1_TIMES_2_BITMASK; + let mut coefficient0 = bytes[0] as i32; + coefficient0 |= (bytes[1] as i32) << 8; + coefficient0 |= (bytes[2] as i32) << 16; + coefficient0 &= GAMMA1_TIMES_2_BITMASK; - simd_unit.coefficients[2 * i + 1] = (bytes[2] as i32) >> 4; - simd_unit.coefficients[2 * i + 1] |= (bytes[3] as i32) << 4; - simd_unit.coefficients[2 * i + 1] |= (bytes[4] as i32) << 12; + let mut coefficient1 = (bytes[2] as i32) >> 4; + coefficient1 |= (bytes[3] as i32) << 4; + coefficient1 |= (bytes[4] as i32) << 12; - simd_unit.coefficients[2 * i] = GAMMA1 - simd_unit.coefficients[2 * i]; - simd_unit.coefficients[2 * i + 1] = GAMMA1 - simd_unit.coefficients[2 * i + 1]; + simd_unit.coefficients[2 * i] = GAMMA1 - coefficient0; + simd_unit.coefficients[2 * i + 1] = GAMMA1 - coefficient1; } simd_unit diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs index 28aaf41e2..626f14c43 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs 
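Review bot: In the `@@ -123,17 +124,17 @@` hunk (`deserialize_when_gamma1_is_2_pow_19`) the new `coefficient1` is assembled from `bytes[2] >> 4`, `bytes[3] << 4` and `bytes[4] << 12` but never gets the `&= GAMMA1_TIMES_2_BITMASK` step that `coefficient0` and all four coefficients in the `@@ -83,30 +84,30 @@` hunk receive. That mirrors the pre-change code, so it is not a regression; with 4 + 8 + 8 bits contributing the value cannot exceed 20 bits, so the mask is presumably a no-op if `GAMMA1_TIMES_2_BITMASK` is the 20-bit mask, but the asymmetry reads like an omission to anyone auditing the unpacking. Either add `coefficient1 &= GAMMA1_TIMES_2_BITMASK;` for uniformity, or keep a comment on that line: `// no mask needed: 4 + 8 + 8 bits never exceed the 20-bit range`. Both functions' signatures sit outside their hunks, quoted only in the `@@` context.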
@@ -62,8 +62,6 @@ pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 13] { pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { debug_assert!(serialized.len() == 13); - let mut simd_unit = ZERO(); - const BITS_IN_LOWER_PART_OF_T_MASK: i32 = (1 << (BITS_IN_LOWER_PART_OF_T as i32)) - 1; let byte0 = serialized[0] as i32; 
@@ -80,50 +78,52 @@ pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { let byte11 = serialized[11] as i32; let byte12 = serialized[12] as i32; - simd_unit.coefficients[0] = byte0; - simd_unit.coefficients[0] |= byte1 << 8; - simd_unit.coefficients[0] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[1] = byte1 >> 5; - simd_unit.coefficients[1] |= byte2 << 3; - simd_unit.coefficients[1] |= byte3 << 11; - simd_unit.coefficients[1] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[2] = byte3 >> 2; - simd_unit.coefficients[2] |= byte4 << 6; - simd_unit.coefficients[2] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[3] = byte4 >> 7; - simd_unit.coefficients[3] |= byte5 << 1; - simd_unit.coefficients[3] |= byte6 << 9; - simd_unit.coefficients[3] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[4] = byte6 >> 4; - simd_unit.coefficients[4] |= byte7 << 4; - simd_unit.coefficients[4] |= byte8 << 12; - simd_unit.coefficients[4] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[5] = byte8 >> 1; - simd_unit.coefficients[5] |= byte9 << 7; - simd_unit.coefficients[5] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[6] = byte9 >> 6; - simd_unit.coefficients[6] |= byte10 << 2; - simd_unit.coefficients[6] |= byte11 << 10; - simd_unit.coefficients[6] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[7] = byte11 >> 3; - simd_unit.coefficients[7] |= byte12 << 5; - simd_unit.coefficients[7] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[0] = change_t0_interval(simd_unit.coefficients[0]); - simd_unit.coefficients[1] = change_t0_interval(simd_unit.coefficients[1]); - simd_unit.coefficients[2] = change_t0_interval(simd_unit.coefficients[2]); - simd_unit.coefficients[3] = change_t0_interval(simd_unit.coefficients[3]); - simd_unit.coefficients[4] = change_t0_interval(simd_unit.coefficients[4]); - simd_unit.coefficients[5] = change_t0_interval(simd_unit.coefficients[5]); - simd_unit.coefficients[6] 
= change_t0_interval(simd_unit.coefficients[6]); - simd_unit.coefficients[7] = change_t0_interval(simd_unit.coefficients[7]); + let mut coefficient0 = byte0; + coefficient0 |= byte1 << 8; + coefficient0 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient1 = byte1 >> 5; + coefficient1 |= byte2 << 3; + coefficient1 |= byte3 << 11; + coefficient1 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient2 = byte3 >> 2; + coefficient2 |= byte4 << 6; + coefficient2 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient3 = byte4 >> 7; + coefficient3 |= byte5 << 1; + coefficient3 |= byte6 << 9; + coefficient3 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient4 = byte6 >> 4; + coefficient4 |= byte7 << 4; + coefficient4 |= byte8 << 12; + coefficient4 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient5 = byte8 >> 1; + coefficient5 |= byte9 << 7; + coefficient5 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient6 = byte9 >> 6; + coefficient6 |= byte10 << 2; + coefficient6 |= byte11 << 10; + coefficient6 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient7 = byte11 >> 3; + coefficient7 |= byte12 << 5; + coefficient7 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut simd_unit = ZERO(); + + simd_unit.coefficients[0] = change_t0_interval(coefficient0); + simd_unit.coefficients[1] = change_t0_interval(coefficient1); + simd_unit.coefficients[2] = change_t0_interval(coefficient2); + simd_unit.coefficients[3] = change_t0_interval(coefficient3); + simd_unit.coefficients[4] = change_t0_interval(coefficient4); + simd_unit.coefficients[5] = change_t0_interval(coefficient5); + simd_unit.coefficients[6] = change_t0_interval(coefficient6); + simd_unit.coefficients[7] = change_t0_interval(coefficient7); simd_unit } From 443ec96857840aa3050583cfda1a8dd6bb536671 Mon Sep 17 00:00:00 2001 
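Review bot: The unpacking in this hunk is undocumented even though the shift pattern is the whole point: `coefficient1 = byte1 >> 5 | byte2 << 3 | byte3 << 11` masked to the low bits is field 1 of a little-endian run of 13-bit fields, and so on up to `coefficient7 = byte11 >> 3 | byte12 << 5`. A comment above the `let mut coefficient0` block such as `// Unpack eight 13-bit fields, little-endian: coefficient k is bits [13k, 13k + 13) of the 13-byte block.` would let a reader check each shift against the layout instead of re-deriving it; this assumes `BITS_IN_LOWER_PART_OF_T` is 13, consistent with 13 input bytes and eight coefficients — confirm. Moving `let mut simd_unit = ZERO();` next to its first use is fine. `deserialize` begins outside this hunk; its `debug_assert!` on the slice length (in the `@@ -62,8 +62,6 @@` hunk) is the only length check, so in release builds a short slice fails at the `serialized[12]` index instead.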
From: Karthikeyan Bhargavan Date: Tue, 29 Oct 2024 11:44:38 +0100 Subject: [PATCH 15/74] fmt --- libcrux-ml-dsa/src/encoding/error.rs | 2 +- libcrux-ml-dsa/src/encoding/signature.rs | 4 +- libcrux-ml-dsa/src/hash_functions.rs | 54 +++--- libcrux-ml-dsa/src/ml_dsa_generic.rs | 179 +++++++++--------- .../src/ml_dsa_generic/instantiations.rs | 2 +- libcrux-ml-dsa/src/pre_hash.rs | 3 +- libcrux-ml-dsa/src/samplex4.rs | 12 +- libcrux-ml-dsa/src/simd.rs | 1 - libcrux-ml-dsa/src/simd/avx2.rs | 2 +- libcrux-ml-dsa/src/simd/avx2/vector_type.rs | 2 +- libcrux-ml-dsa/src/simd/portable.rs | 2 +- .../src/simd/portable/arithmetic.rs | 14 +- libcrux-ml-dsa/src/simd/portable/ntt.rs | 5 +- .../src/simd/portable/vector_type.rs | 4 +- libcrux-ml-dsa/src/simd/tests.rs | 3 +- libcrux-ml-dsa/src/types.rs | 8 +- 16 files changed, 139 insertions(+), 158 deletions(-) diff --git a/libcrux-ml-dsa/src/encoding/error.rs b/libcrux-ml-dsa/src/encoding/error.rs index 104931418..80080945c 100644 --- a/libcrux-ml-dsa/src/encoding/error.rs +++ b/libcrux-ml-dsa/src/encoding/error.rs @@ -53,7 +53,7 @@ fn deserialize( result.simd_units[i] = SIMDUnit::error_deserialize::(&serialized_chunks.next().unwrap()); } - + result } diff --git a/libcrux-ml-dsa/src/encoding/signature.rs b/libcrux-ml-dsa/src/encoding/signature.rs index 867141959..cc94028ee 100644 --- a/libcrux-ml-dsa/src/encoding/signature.rs +++ b/libcrux-ml-dsa/src/encoding/signature.rs @@ -1,6 +1,6 @@ use crate::{ - constants::COEFFICIENTS_IN_RING_ELEMENT, encoding, types::Signature, - polynomial::PolynomialRingElement, simd::traits::Operations, VerificationError, + constants::COEFFICIENTS_IN_RING_ELEMENT, encoding, polynomial::PolynomialRingElement, + simd::traits::Operations, types::Signature, VerificationError, }; impl< diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs index 36d043c16..7274dfede 100644 --- a/libcrux-ml-dsa/src/hash_functions.rs +++ b/libcrux-ml-dsa/src/hash_functions.rs 
@@ -168,7 +168,7 @@ pub(crate) mod portable { [u8; shake128::BLOCK_SIZE], ) { squeeze_next_block(self) - } + } } /// Portable SHAKE 128 state @@ -177,7 +177,7 @@ pub(crate) mod portable { fn shake128(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { libcrux_sha3::portable::shake128(out, input); } - + impl shake128::Xof for Shake128 { fn shake128(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { shake128(input, out); @@ -190,7 +190,6 @@ pub(crate) mod portable { state: libcrux_sha3::portable::KeccakState, } - fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { libcrux_sha3::portable::shake256(out, input); } @@ -302,9 +301,7 @@ pub(crate) mod portable { (out0, out1, out2, out3) } - impl shake256::XofX4 for Shake256X4 { - fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { init_absorb_x4(input0, input1, input2, input3) } 
@@ -350,27 +347,31 @@ pub(crate) mod portable { #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256Absorb { - state: libcrux_sha3::portable::incremental::Shake256Absorb + state: libcrux_sha3::portable::incremental::Shake256Absorb, } - + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256Squeeze { - state: libcrux_sha3::portable::incremental::Shake256Squeeze + state: libcrux_sha3::portable::incremental::Shake256Squeeze, } use libcrux_sha3::portable::incremental::{XofAbsorb, XofSqueeze}; - pub(crate) fn shake256_init() -> Shake256Absorb { - Shake256Absorb {state: libcrux_sha3::portable::incremental::Shake256Absorb::new ()} + pub(crate) fn shake256_init() -> Shake256Absorb { + Shake256Absorb { + state: libcrux_sha3::portable::incremental::Shake256Absorb::new(), + } } - pub(crate) fn shake256_absorb(st:&mut Shake256Absorb, input:&[u8]) { - st.state.absorb (input) + pub(crate) fn shake256_absorb(st: &mut Shake256Absorb, input: &[u8]) { + st.state.absorb(input) } - pub(crate) fn shake256_absorb_final(st:Shake256Absorb, input:&[u8]) -> Shake256Squeeze { - Shake256Squeeze {state: st.state.absorb_final (input)} + pub(crate) fn shake256_absorb_final(st: Shake256Absorb, input: &[u8]) -> Shake256Squeeze { + Shake256Squeeze { + state: st.state.absorb_final(input), + } } - pub(crate) fn shake256_squeeze(st:&mut Shake256Squeeze, out: &mut [u8]) { - st.state.squeeze (out) + pub(crate) fn shake256_squeeze(st: &mut Shake256Squeeze, out: &mut [u8]) { + st.state.squeeze(out) } } @@ -378,10 +379,9 @@ pub(crate) mod portable { #[cfg(feature = "simd256")] pub(crate) mod simd256 { + use super::{shake128, shake256}; use libcrux_sha3::avx2::x4; use libcrux_sha3::portable; - use super::{shake128, shake256}; - /// AVX2 SHAKE 128 state /// 
@@ -406,13 +406,7 @@ pub(crate) mod simd256 { out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], ) { - x4::incremental::shake128_squeeze_first_five_blocks( - &mut x.state, - out0, - out1, - out2, - out3, - ); + x4::incremental::shake128_squeeze_first_five_blocks(&mut x.state, out0, out1, out2, out3); } fn squeeze_next_block( @@ -443,7 +437,7 @@ pub(crate) mod simd256 { fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { init_absorb(input0, input1, input2, input3) } - + fn squeeze_first_five_blocks( &mut self, out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], @@ -471,7 +465,6 @@ pub(crate) mod simd256 { /// AVX2 SHAKE 256 state pub(crate) type Shake256 = super::portable::Shake256; - // impl shake256::Xof for Shake256 { // fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { @@ -570,11 +563,10 @@ pub(crate) mod simd256 { } impl shake256::XofX4 for Shake256x4 { - fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { init_absorb_x4(input0, input2, input2, input3) } - + fn squeeze_first_block_x4( &mut self, ) -> ( @@ -616,8 +608,8 @@ pub(crate) mod simd256 { #[cfg(feature = "simd128")] pub(crate) mod neon { - use libcrux_sha3::neon::x2; use super::{shake128, shake256}; + use libcrux_sha3::neon::x2; #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) type KeccakState = x2::incremental::KeccakState; @@ -705,7 +697,7 @@ pub(crate) mod neon { } fn squeeze_first_block_x4( - x:&mut Shake256x4, + x: &mut Shake256x4, ) -> ( [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index dfe47172a..b188342b7 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs 
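Review bot: The surviving line `init_absorb_x4(input0, input2, input2, input3)` in the `@@ -570,11 +563,10 @@` hunk (simd256 `Shake256x4`) passes `input2` twice and never forwards `input1`, whereas the portable implementation at `@@ -302,9 +301,7 @@` forwards `(input0, input1, input2, input3)`. This commit only removes a blank line next to it, but the discrepancy is in the code that remains after the change. If the second lane is meant to absorb `input1`, the call should read `init_absorb_x4(input0, input1, input2, input3)`; as written, lanes 1 and 2 of the AVX2 path would absorb identical input and silently diverge from the portable path, which is worth a test that compares the two backends on distinct inputs.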
@@ -4,18 +4,20 @@ use crate::{ }, constants::*, encoding, - hash_functions::{shake128, shake256, - portable::{shake256_init, shake256_absorb, shake256_absorb_final, shake256_squeeze}}, + hash_functions::{ + portable::{shake256_absorb, shake256_absorb_final, shake256_init, shake256_squeeze}, + shake128, shake256, + }, matrix::{ add_vectors, compute_A_times_mask, compute_As1_plus_s2, compute_w_approx, subtract_vectors, vector_times_ring_element, }, ntt::ntt, - types::{SigningError, VerificationError, Signature}, pre_hash::{DomainSeparationContext, DomainSeparationError, PreHash}, sample::{sample_challenge_ring_element, sample_mask_vector}, samplex4, simd::traits::Operations, + types::{Signature, SigningError, VerificationError}, utils::into_padded_array, MLDSASignature, }; @@ -23,7 +25,6 @@ use crate::{ pub(crate) mod instantiations; pub(crate) mod multiplexing; - /// Generate a key pair. pub(crate) fn generate_key_pair< SIMDUnit: Operations, 
@@ -122,34 +123,28 @@ pub(crate) fn sign_pre_hashed< let pre_hashed_message = PH::hash(message); // TODO: Support implicit into() in ? so that this match becomes unnecessary match DomainSeparationContext::new(context, Some(&PH::oid())) { - Ok(d) => - sign_internal::< - SIMDUnit, - Shake128X4, - Shake256, - Shake256X4, - ROWS_IN_A, - COLUMNS_IN_A, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >( - &signing_key, - &pre_hashed_message, - Some(d), - randomness, - ), - - Err(DomainSeparationError::ContextTooLongError) => Err(SigningError::ContextTooLongError) + Ok(d) => sign_internal::< + SIMDUnit, + Shake128X4, + Shake256, + Shake256X4, + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >(&signing_key, &pre_hashed_message, Some(d), randomness), + + Err(DomainSeparationError::ContextTooLongError) => Err(SigningError::ContextTooLongError), } } 
@@ -181,35 +176,29 @@ pub(crate) fn sign< ) -> Result, SigningError> { // TODO: Support implicit into() in ? so that this match becomes unnecessary match DomainSeparationContext::new(context, None) { - Ok(d) => - sign_internal::< - SIMDUnit, - Shake128X4, - Shake256, - Shake256X4, - ROWS_IN_A, - COLUMNS_IN_A, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >( - &signing_key, - message, - Some(d), - randomness, - ), - Err(DomainSeparationError::ContextTooLongError) => Err(SigningError::ContextTooLongError) + Ok(d) => sign_internal::< + SIMDUnit, + Shake128X4, + Shake256, + Shake256X4, + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >(&signing_key, message, Some(d), randomness), + Err(DomainSeparationError::ContextTooLongError) => Err(SigningError::ContextTooLongError), } -} +} /// The internal signing API. /// 
@@ -431,8 +420,14 @@ fn derive_message_representative( let mut shake = shake256_init(); shake256_absorb(&mut shake, &verification_key_hash); if let Some(domain_separation_context) = domain_separation_context { - shake256_absorb(&mut shake, &[domain_separation_context.pre_hash_oid().is_some() as u8]); - shake256_absorb(&mut shake, &[domain_separation_context.context().len() as u8]); + shake256_absorb( + &mut shake, + &[domain_separation_context.pre_hash_oid().is_some() as u8], + ); + shake256_absorb( + &mut shake, + &[domain_separation_context.context().len() as u8], + ); shake256_absorb(&mut shake, domain_separation_context.context()); if let Some(pre_hash_oid) = domain_separation_context.pre_hash_oid() { shake256_absorb(&mut shake, pre_hash_oid) 
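Review bot: `domain_separation_context.context().len() as u8` in the reformatted call silently truncates if the context ever exceeds 255 bytes; nothing in this function re-checks that, and the only guard is `DomainSeparationContext::new` returning `ContextTooLongError` (visible in this commit's `sign` and `verify` hunks). A one-line comment tying the cast to that invariant would help, e.g. `// context().len() fits in a u8: DomainSeparationContext::new rejects contexts longer than CONTEXT_MAX_LEN.` — this presumes `CONTEXT_MAX_LEN` (imported in pre_hash.rs) is at most 255, which should be confirmed. `derive_message_representative` begins and ends outside this hunk.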
@@ -573,32 +568,33 @@ pub(crate) fn verify<
 ) -> Result<(), VerificationError> {
 // TODO: Support implicit into() in ? so that this match becomes unnecessary
 match DomainSeparationContext::new(context, None) {
- Ok(d) =>
- verify_internal::<
- SIMDUnit,
- Shake128X4,
- Shake256,
- ROWS_IN_A,
- COLUMNS_IN_A,
- SIGNATURE_SIZE,
- VERIFICATION_KEY_SIZE,
- GAMMA1_EXPONENT,
- GAMMA1_RING_ELEMENT_SIZE,
- GAMMA2,
- BETA,
- COMMITMENT_RING_ELEMENT_SIZE,
- COMMITMENT_VECTOR_SIZE,
- COMMITMENT_HASH_SIZE,
- ONES_IN_VERIFIER_CHALLENGE,
- MAX_ONES_IN_HINT,
- >(
- &verification_key_serialized,
- message,
- Some(d),
- &signature_serialized,
- ),
- Err(DomainSeparationError::ContextTooLongError) => Err(VerificationError::ContextTooLongError)
+ Ok(d) => verify_internal::<
+ SIMDUnit,
+ Shake128X4,
+ Shake256,
+ ROWS_IN_A,
+ COLUMNS_IN_A,
+ SIGNATURE_SIZE,
+ VERIFICATION_KEY_SIZE,
+ GAMMA1_EXPONENT,
+ GAMMA1_RING_ELEMENT_SIZE,
+ GAMMA2,
+ BETA,
+ COMMITMENT_RING_ELEMENT_SIZE,
+ COMMITMENT_VECTOR_SIZE,
+ COMMITMENT_HASH_SIZE,
+ ONES_IN_VERIFIER_CHALLENGE,
+ MAX_ONES_IN_HINT,
+ >(
+ &verification_key_serialized,
+ message,
+ Some(d),
+ &signature_serialized,
+ ),
+ Err(DomainSeparationError::ContextTooLongError) => {
+ Err(VerificationError::ContextTooLongError)
 }
+ }
 }
 
 #[allow(non_snake_case)]
@@ -631,8 +627,7 @@ pub(crate) fn verify_pre_hashed<
 
 // TODO: Support implicit into() in ? so that this match becomes unnecessary
 match DomainSeparationContext::new(context, Some(&PH::oid())) {
- Ok(d) =>
- verify_internal::<
+ Ok(d) => verify_internal::<
 SIMDUnit,
 Shake128X4,
 Shake256,
@@ -654,7 +649,9 @@ pub(crate) fn verify_pre_hashed<
 &pre_hashed_message,
 Some(d),
 &signature_serialized,
- ),
- Err(DomainSeparationError::ContextTooLongError) => Err(VerificationError::ContextTooLongError)
+ ),
+ Err(DomainSeparationError::ContextTooLongError) => {
+ Err(VerificationError::ContextTooLongError)
+ }
 }
 }
diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs
index 89b8fe4cb..aa859d7d5 100644
--- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs
+++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs
@@ -3,9 +3,9 @@ macro_rules! instantiate {
 pub mod $modp {
 use crate::{
 constants::*,
- types::{SigningError, VerificationError},
 pre_hash::SHAKE128_PH,
 types::*,
+ types::{SigningError, VerificationError},
 };
 
 /// Generate key pair.
diff --git a/libcrux-ml-dsa/src/pre_hash.rs b/libcrux-ml-dsa/src/pre_hash.rs
index 677e24299..06855c0f9 100644
--- a/libcrux-ml-dsa/src/pre_hash.rs
+++ b/libcrux-ml-dsa/src/pre_hash.rs
@@ -5,7 +5,8 @@
 //!/perform the pre-hash of the message. This module implements the
 //! pre-hash trait for SHAKE-128, with a digest length of 256 bytes.
 use crate::{
- constants::CONTEXT_MAX_LEN, hash_functions::shake128::Xof,
+ constants::CONTEXT_MAX_LEN,
+ hash_functions::shake128::Xof,
 types::{SigningError, VerificationError},
 };
 
diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs
index 774dab1f2..389da763d 100644
--- a/libcrux-ml-dsa/src/samplex4.rs
+++ b/libcrux-ml-dsa/src/samplex4.rs
@@ -10,13 +10,15 @@ fn generate_domain_separator(row: u8, column: u8) -> u16 {
 (column as u16) | ((row as u16) << 8)
 }
 
-type Matrix =
- [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A];
+type Matrix =
+ [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A];
 
 fn update_matrix(
 m: &mut Matrix,
- i: usize, j: usize,
- v: PolynomialRingElement) {
+ i: usize,
+ j: usize,
+ v: PolynomialRingElement,
+) {
 m[i][j] = v;
 }
 
@@ -30,7 +32,7 @@ pub(crate) fn matrix_A_4_by_4<
 >(
 seed: [u8; 34],
 ) -> Matrix {
- let mut A : Matrix:: =
+ let mut A: Matrix =
 [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A];
 
 let four_ring_elements = sample_four_ring_elements::(
diff --git a/libcrux-ml-dsa/src/simd.rs b/libcrux-ml-dsa/src/simd.rs
index 653246a60..376602844 100644
--- a/libcrux-ml-dsa/src/simd.rs
+++ b/libcrux-ml-dsa/src/simd.rs
@@ -6,4 +6,3 @@ pub(crate) mod traits;
 
 #[cfg(test)]
 pub(crate) mod tests;
-
diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs
index ed6d52177..f891d39be 100644
--- a/libcrux-ml-dsa/src/simd/avx2.rs
+++ b/libcrux-ml-dsa/src/simd/avx2.rs
@@ -1,10 +1,10 @@
 use crate::simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT};
 
-mod vector_type;
 mod arithmetic;
 mod encoding;
 mod ntt;
 mod rejection_sample;
+mod vector_type;
 
 pub(crate) use vector_type::AVX2SIMDUnit;
 
diff --git a/libcrux-ml-dsa/src/simd/avx2/vector_type.rs b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs
index 2fb5d62dd..13fa15372 100644
--- a/libcrux-ml-dsa/src/simd/avx2/vector_type.rs
+++ b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs
@@ -22,4 +22,4 @@ pub(crate) fn to_coefficient_array(x: &AVX2SIMDUnit) -> [i32; 8] {
 let mut coefficient_array = [0i32; 8];
 libcrux_intrinsics::avx2::mm256_storeu_si256_i32(&mut coefficient_array, x.coefficients);
 coefficient_array
-}
\ No newline at end of file
+}
diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs
index e04bf4953..d45daf829 100644
--- a/libcrux-ml-dsa/src/simd/portable.rs
+++ b/libcrux-ml-dsa/src/simd/portable.rs
@@ -1,7 +1,7 @@
 use crate::simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT};
 
-mod vector_type;
 mod arithmetic;
+mod vector_type;
 // Some of the portable implementations are used in lieu of vectorized ones in
 // the AVX2 module.
 pub(crate) mod encoding;
diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs
index 50744017b..a24847132 100644
--- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs
+++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs
@@ -1,13 +1,11 @@
-use super::vector_type::{PortableSIMDUnit, FieldElement, ZERO};
+use super::vector_type::{FieldElement, PortableSIMDUnit, ZERO};
 use crate::{
 constants::BITS_IN_LOWER_PART_OF_T,
 simd::traits::{
- FieldElementTimesMontgomeryR, FIELD_MODULUS,
- INVERSE_OF_MODULUS_MOD_MONTGOMERY_R,
+ FieldElementTimesMontgomeryR, FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R,
 },
 };
 
-
 /// If 'x' denotes a value of type `fe`, values having this type hold a
 /// representative y ≡ x·MONTGOMERY_R^(-1) (mod FIELD_MODULUS).
 /// We use 'mfe' as a shorthand for this type
@@ -145,9 +143,7 @@ pub fn infinity_norm_exceeds(simd_unit: PortableSIMDUnit, bound: i32) -> bool {
 // straightforward way to do so (returning false) will not go through hax;
 // revisit if performance is impacted.
 for coefficient in simd_unit.coefficients.into_iter() {
- debug_assert!(
- coefficient > -FIELD_MODULUS && coefficient < FIELD_MODULUS
- );
+ debug_assert!(coefficient > -FIELD_MODULUS && coefficient < FIELD_MODULUS);
 // This norm is calculated using the absolute value of the
 // signed representative in the range:
 //
@@ -227,9 +223,7 @@ pub fn compute_hint(
 #[allow(non_snake_case)]
 #[inline(always)]
 fn decompose_element(r: i32) -> (i32, i32) {
- debug_assert!(
- r > -FIELD_MODULUS && r < FIELD_MODULUS
- );
+ debug_assert!(r > -FIELD_MODULUS && r < FIELD_MODULUS);
 // Convert the signed representative to the standard unsigned one.
 let r = r + ((r >> 31) & FIELD_MODULUS);
 
diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs
index 951215294..df0db5a8a 100644
--- a/libcrux-ml-dsa/src/simd/portable/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs
@@ -1,7 +1,7 @@
 use super::arithmetic::{self, montgomery_multiply_by_constant, montgomery_multiply_fe_by_fer};
 use super::vector_type::PortableSIMDUnit;
 use crate::simd::traits::{
- COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT, ZETAS_TIMES_MONTGOMERY_R,
+ COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT, ZETAS_TIMES_MONTGOMERY_R,
 };
 
 #[inline(always)]
@@ -209,7 +209,8 @@ fn ntt_at_layer_3_plus(
 let step_by = step / COEFFICIENTS_IN_SIMD_UNIT;
 
 for j in offset..offset + step_by {
- let t = montgomery_multiply_by_constant(re[j + step_by], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]);
+ let t =
+ montgomery_multiply_by_constant(re[j + step_by], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]);
 
 re[j + step_by] = arithmetic::subtract(&re[j], &t);
 re[j] = arithmetic::add(&re[j], &t);
diff --git a/libcrux-ml-dsa/src/simd/portable/vector_type.rs b/libcrux-ml-dsa/src/simd/portable/vector_type.rs
index 47a736cbe..6cecdac4c 100644
--- a/libcrux-ml-dsa/src/simd/portable/vector_type.rs
+++ b/libcrux-ml-dsa/src/simd/portable/vector_type.rs
@@ -21,6 +21,6 @@ pub(crate) fn from_coefficient_array(array: &[i32]) -> PortableSIMDUnit {
 }
 }
 
-pub(crate) fn to_coefficient_array(x:&PortableSIMDUnit) -> [i32; 8] {
+pub(crate) fn to_coefficient_array(x: &PortableSIMDUnit) -> [i32; 8] {
 x.coefficients
-}
\ No newline at end of file
+}
diff --git a/libcrux-ml-dsa/src/simd/tests.rs b/libcrux-ml-dsa/src/simd/tests.rs
index a83f97aaa..acd67ac45 100644
--- a/libcrux-ml-dsa/src/simd/tests.rs
+++ b/libcrux-ml-dsa/src/simd/tests.rs
@@ -51,8 +51,7 @@ fn test_power2round_generic() {
 
 let expected_low =
 SIMDUnit::from_coefficient_array(&[3861, 3691, 437, 2882, -3959, 1028, -4020, -2308]);
- let expected_high =
- SIMDUnit::from_coefficient_array(&[848, 410, 706, 721, 789, 702, 106, 448]);
+ let expected_high = SIMDUnit::from_coefficient_array(&[848, 410, 706, 721, 789, 702, 106, 448]);
 
 let (low, high) = SIMDUnit::power2round(input);
 
diff --git a/libcrux-ml-dsa/src/types.rs b/libcrux-ml-dsa/src/types.rs
index 12cc34779..d432b1e99 100644
--- a/libcrux-ml-dsa/src/types.rs
+++ b/libcrux-ml-dsa/src/types.rs
@@ -34,11 +34,7 @@ pub struct MLDSAKeyPair,
 }
 
-use crate::{
- constants::*,
- simd::traits::Operations,
- polynomial::PolynomialRingElement,
-};
+use crate::{constants::*, polynomial::PolynomialRingElement, simd::traits::Operations};
 
 pub(crate) struct Signature<
 SIMDUnit: Operations,
@@ -63,4 +59,4 @@ pub enum VerificationError {
 pub enum SigningError {
 RejectionSamplingError,
 ContextTooLongError,
-}
\ No newline at end of file
+}
From a17120e3399f8a0edfd81564b1c3c5450162be20 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch
Date: Tue, 29 Oct 2024 14:46:57 +0100
Subject: [PATCH 16/74] Repair `hash_functions`
---
 libcrux-ml-dsa/src/hash_functions.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs
index 7274dfede..2ac741058 100644
--- a/libcrux-ml-dsa/src/hash_functions.rs
+++ b/libcrux-ml-dsa/src/hash_functions.rs
@@ -564,7 +564,7 @@ pub(crate) mod simd256 {
 
 impl shake256::XofX4 for Shake256x4 {
 fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self {
- init_absorb_x4(input0, input2, input2, input3)
+ init_absorb_x4(input0, input1, input2, input3)
 }
 
 fn squeeze_first_block_x4(
From 44af02724ac882890473d760389b668423298436 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch
Date: Tue, 29 Oct 2024 15:04:21 +0100
Subject: [PATCH 17/74] ML-DSA extraction on CI
---
 .github/workflows/hax.yml | 2 +-
 .../fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/hax.yml b/.github/workflows/hax.yml
index 2b578e8bb..e385b948e 100644
--- a/.github/workflows/hax.yml
+++ b/.github/workflows/hax.yml
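Review bot: The one-line fix in `init_absorb_x4` (lane 1 now absorbs `input1` instead of `input2`) comes without a test that would have caught the original swap, which made two of the four SHAKE-256 lanes produce identical output whenever the caller passed four distinct inputs. A unit test in the `simd256` module that builds a `Shake256x4` from four distinct inputs and compares each squeezed lane against a single-lane SHAKE-256 of the matching input would pin this lane and guard the other three against the same copy-paste error. The mis-wiring is also carried by the extracted F* interface (`Libcrux_ml_dsa.Hash_functions.Simd256.fsti`), which is corrected separately in the following patch; regenerating the extraction as part of the fix would keep the Rust source and the proof artefacts from drifting. The enclosing `impl shake256::XofX4 for Shake256x4` continues outside the hunk.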
@@ -68,7 +68,7 @@ jobs:
 
 - name: 🏃 Extract ML-DSA crate
 working-directory: libcrux-ml-dsa
- run: cargo hax into fstar
+ run: ./hax.py extract
 
 - name: 🏃 Lax ML-DSA crate
 working-directory: libcrux-ml-dsa
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti
index 0359b18d6..3ff04ac43 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti
@@ -170,7 +170,7 @@ let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 =
 f_init_absorb_x4
 =
 (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) ->
- init_absorb_x4 input0 input2 input2 input3);
+ init_absorb_x4 input0 input1 input2 input3);
 f_squeeze_first_block_x4_pre = (fun (self: t_Shake256x4) -> true);
 f_squeeze_first_block_x4_post
 =
From c4fb85cebe4ce5a955f75c4230e7b7151ad45ae3 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch
Date: Tue, 29 Oct 2024 15:11:54 +0100
Subject: [PATCH 18/74] Fix warnings
---
 libcrux-ml-dsa/Cargo.toml | 5 +++++
 libcrux-ml-dsa/src/hash_functions.rs | 1 -
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/libcrux-ml-dsa/Cargo.toml b/libcrux-ml-dsa/Cargo.toml
index acf9bbc52..bd57d33c7 100644
--- a/libcrux-ml-dsa/Cargo.toml
+++ b/libcrux-ml-dsa/Cargo.toml
@@ -50,3 +50,8 @@ harness = false
 [[bench]]
 name = "ml-dsa"
 harness = false
+ [lints.rust]
+unexpected_cfgs = { level = "warn", check-cfg = [
+ 'cfg(hax)',
+] }
diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs
index 2ac741058..aa3cc1ab5 100644
--- a/libcrux-ml-dsa/src/hash_functions.rs
+++ b/libcrux-ml-dsa/src/hash_functions.rs
@@ -381,7 +381,6 @@ pub(crate) mod simd256 {
 
 use super::{shake128, shake256};
 use libcrux_sha3::avx2::x4;
- use libcrux_sha3::portable;
 
 /// AVX2 SHAKE 128 state
 ///
From 9c3247c86d88bc1fe0286fd2e2c5c9d4dbd4cdbc Mon Sep 17 00:00:00 2001 
From: Karthikeyan Bhargavan Date: Tue, 29 Oct 2024 20:06:39 +0100 Subject: [PATCH 19/74] lax --- Cargo.lock | 47 +- libcrux-ml-kem/Cargo.toml | 10 +- .../c/internal/libcrux_mlkem_neon.h | 94 +- libcrux-ml-kem/cg/eurydice_glue.h | 2 - libcrux-ml-kem/hax.py | 7 - .../Libcrux_ml_kem.Constant_time_ops.fst | 165 +- .../Libcrux_ml_kem.Constant_time_ops.fsti | 44 +- .../extraction/Libcrux_ml_kem.Constants.fsti | 2 +- .../Libcrux_ml_kem.Hash_functions.Avx2.fsti | 80 +- .../Libcrux_ml_kem.Hash_functions.Neon.fsti | 80 +- ...ibcrux_ml_kem.Hash_functions.Portable.fsti | 80 +- .../Libcrux_ml_kem.Hash_functions.fsti | 50 +- ...m.Ind_cca.Instantiations.Avx2.Unpacked.fst | 89 + ....Ind_cca.Instantiations.Avx2.Unpacked.fsti | 56 + ...rux_ml_kem.Ind_cca.Instantiations.Avx2.fst | 76 +- ...ux_ml_kem.Ind_cca.Instantiations.Avx2.fsti | 50 +- ...m.Ind_cca.Instantiations.Neon.Unpacked.fst | 89 + ....Ind_cca.Instantiations.Neon.Unpacked.fsti | 60 + ...rux_ml_kem.Ind_cca.Instantiations.Neon.fst | 34 +- ...ux_ml_kem.Ind_cca.Instantiations.Neon.fsti | 68 +- ...d_cca.Instantiations.Portable.Unpacked.fst | 89 + ..._cca.Instantiations.Portable.Unpacked.fsti | 60 + ...ml_kem.Ind_cca.Instantiations.Portable.fst | 34 +- ...l_kem.Ind_cca.Instantiations.Portable.fsti | 68 +- .../Libcrux_ml_kem.Ind_cca.Multiplexing.fst | 18 +- .../Libcrux_ml_kem.Ind_cca.Multiplexing.fsti | 56 +- .../Libcrux_ml_kem.Ind_cca.Unpacked.fst | 472 ++-- .../Libcrux_ml_kem.Ind_cca.Unpacked.fsti | 202 +- .../extraction/Libcrux_ml_kem.Ind_cca.fst | 427 ++-- .../extraction/Libcrux_ml_kem.Ind_cca.fsti | 144 +- .../Libcrux_ml_kem.Ind_cpa.Unpacked.fsti | 26 +- .../extraction/Libcrux_ml_kem.Ind_cpa.fst | 968 ++++---- .../extraction/Libcrux_ml_kem.Ind_cpa.fsti | 451 ++-- .../extraction/Libcrux_ml_kem.Invert_ntt.fst | 130 +- .../extraction/Libcrux_ml_kem.Invert_ntt.fsti | 67 +- .../extraction/Libcrux_ml_kem.Matrix.fst | 376 ++- .../extraction/Libcrux_ml_kem.Matrix.fsti | 131 +- ...Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst | 108 + 
...ibcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti | 86 + .../Libcrux_ml_kem.Mlkem1024.Avx2.fst | 14 +- .../Libcrux_ml_kem.Mlkem1024.Avx2.fsti | 12 +- ...Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst | 108 + ...ibcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti | 94 + .../Libcrux_ml_kem.Mlkem1024.Neon.fst | 14 +- .../Libcrux_ml_kem.Mlkem1024.Neon.fsti | 12 +- ...rux_ml_kem.Mlkem1024.Portable.Unpacked.fst | 108 + ...ux_ml_kem.Mlkem1024.Portable.Unpacked.fsti | 94 + .../Libcrux_ml_kem.Mlkem1024.Portable.fst | 14 +- .../Libcrux_ml_kem.Mlkem1024.Portable.fsti | 12 +- .../Libcrux_ml_kem.Mlkem1024.Rand.fst | 51 + .../Libcrux_ml_kem.Mlkem1024.Rand.fsti | 39 + .../extraction/Libcrux_ml_kem.Mlkem1024.fst | 40 +- .../extraction/Libcrux_ml_kem.Mlkem1024.fsti | 29 +- .../Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst | 104 + ...Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti | 84 + .../Libcrux_ml_kem.Mlkem512.Avx2.fst | 14 +- .../Libcrux_ml_kem.Mlkem512.Avx2.fsti | 12 +- .../Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst | 104 + ...Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti | 92 + .../Libcrux_ml_kem.Mlkem512.Neon.fst | 14 +- .../Libcrux_ml_kem.Mlkem512.Neon.fsti | 12 +- ...crux_ml_kem.Mlkem512.Portable.Unpacked.fst | 105 + ...rux_ml_kem.Mlkem512.Portable.Unpacked.fsti | 92 + .../Libcrux_ml_kem.Mlkem512.Portable.fst | 14 +- .../Libcrux_ml_kem.Mlkem512.Portable.fsti | 12 +- .../Libcrux_ml_kem.Mlkem512.Rand.fst | 49 + .../Libcrux_ml_kem.Mlkem512.Rand.fsti | 39 + .../extraction/Libcrux_ml_kem.Mlkem512.fst | 40 +- .../extraction/Libcrux_ml_kem.Mlkem512.fsti | 88 +- .../Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst | 140 ++ ...Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti | 106 + .../Libcrux_ml_kem.Mlkem768.Avx2.fst | 14 +- .../Libcrux_ml_kem.Mlkem768.Avx2.fsti | 12 +- .../Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst | 141 ++ ...Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti | 117 + .../Libcrux_ml_kem.Mlkem768.Neon.fst | 14 +- .../Libcrux_ml_kem.Mlkem768.Neon.fsti | 12 +- ...crux_ml_kem.Mlkem768.Portable.Unpacked.fst | 141 ++ 
...rux_ml_kem.Mlkem768.Portable.Unpacked.fsti | 117 + .../Libcrux_ml_kem.Mlkem768.Portable.fst | 14 +- .../Libcrux_ml_kem.Mlkem768.Portable.fsti | 12 +- .../Libcrux_ml_kem.Mlkem768.Rand.fst | 51 + .../Libcrux_ml_kem.Mlkem768.Rand.fsti | 39 + .../extraction/Libcrux_ml_kem.Mlkem768.fst | 40 +- .../extraction/Libcrux_ml_kem.Mlkem768.fsti | 29 +- .../fstar/extraction/Libcrux_ml_kem.Ntt.fst | 188 +- .../fstar/extraction/Libcrux_ml_kem.Ntt.fsti | 118 +- .../extraction/Libcrux_ml_kem.Polynomial.fst | 204 +- .../extraction/Libcrux_ml_kem.Polynomial.fsti | 87 +- .../extraction/Libcrux_ml_kem.Sampling.fst | 242 +- .../extraction/Libcrux_ml_kem.Sampling.fsti | 26 +- .../extraction/Libcrux_ml_kem.Serialize.fst | 1195 +++++---- .../extraction/Libcrux_ml_kem.Serialize.fsti | 220 +- .../fstar/extraction/Libcrux_ml_kem.Types.fst | 32 +- .../extraction/Libcrux_ml_kem.Types.fsti | 288 ++- .../fstar/extraction/Libcrux_ml_kem.Utils.fst | 19 +- .../extraction/Libcrux_ml_kem.Utils.fsti | 8 +- .../extraction/Libcrux_ml_kem.Variant.fsti | 44 +- .../Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst | 441 +--- ...Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti | 137 +- .../Libcrux_ml_kem.Vector.Avx2.Compress.fst | 148 +- .../Libcrux_ml_kem.Vector.Avx2.Compress.fsti | 26 +- .../Libcrux_ml_kem.Vector.Avx2.Ntt.fst | 234 +- .../Libcrux_ml_kem.Vector.Avx2.Ntt.fsti | 65 +- .../Libcrux_ml_kem.Vector.Avx2.Sampling.fst | 39 +- .../Libcrux_ml_kem.Vector.Avx2.Sampling.fsti | 11 +- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 665 ++--- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fsti | 238 +- .../extraction/Libcrux_ml_kem.Vector.Avx2.fst | 32 +- .../Libcrux_ml_kem.Vector.Avx2.fsti | 346 +-- .../Libcrux_ml_kem.Vector.Neon.Arithmetic.fst | 188 +- ...Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti | 38 +- .../Libcrux_ml_kem.Vector.Neon.Compress.fst | 28 +- .../Libcrux_ml_kem.Vector.Neon.Compress.fsti | 8 +- .../Libcrux_ml_kem.Vector.Neon.Ntt.fst | 118 +- .../Libcrux_ml_kem.Vector.Neon.Ntt.fsti | 22 +- 
.../Libcrux_ml_kem.Vector.Neon.Serialize.fst | 281 ++- .../Libcrux_ml_kem.Vector.Neon.Serialize.fsti | 15 +- ...Libcrux_ml_kem.Vector.Neon.Vector_type.fst | 72 +- ...ibcrux_ml_kem.Vector.Neon.Vector_type.fsti | 26 +- .../extraction/Libcrux_ml_kem.Vector.Neon.fst | 3 +- .../Libcrux_ml_kem.Vector.Neon.fsti | 34 +- ...crux_ml_kem.Vector.Portable.Arithmetic.fst | 580 ++--- ...rux_ml_kem.Vector.Portable.Arithmetic.fsti | 162 +- ...ibcrux_ml_kem.Vector.Portable.Compress.fst | 186 +- ...bcrux_ml_kem.Vector.Portable.Compress.fsti | 31 +- .../Libcrux_ml_kem.Vector.Portable.Ntt.fst | 600 ++--- .../Libcrux_ml_kem.Vector.Portable.Ntt.fsti | 169 +- ...ibcrux_ml_kem.Vector.Portable.Sampling.fst | 6 +- ...bcrux_ml_kem.Vector.Portable.Sampling.fsti | 11 +- ...bcrux_ml_kem.Vector.Portable.Serialize.fst | 2154 ++++++++++++----- ...crux_ml_kem.Vector.Portable.Serialize.fsti | 116 +- ...rux_ml_kem.Vector.Portable.Vector_type.fst | 2 +- ...ux_ml_kem.Vector.Portable.Vector_type.fsti | 24 +- .../Libcrux_ml_kem.Vector.Portable.fsti | 354 +-- ...ibcrux_ml_kem.Vector.Rej_sample_table.fsti | 2 +- .../Libcrux_ml_kem.Vector.Traits.fst | 44 +- .../Libcrux_ml_kem.Vector.Traits.fsti | 356 +-- .../fstar/extraction/ML.KEM.fst.config.json | 2 - .../proofs/fstar/extraction/Makefile | 205 +- libcrux-ml-kem/src/constant_time_ops.rs | 141 +- libcrux-ml-kem/src/hash_functions.rs | 166 +- libcrux-ml-kem/src/ind_cca.rs | 133 +- libcrux-ml-kem/src/ind_cca/instantiations.rs | 53 +- libcrux-ml-kem/src/ind_cca/multiplexing.rs | 58 +- libcrux-ml-kem/src/ind_cpa.rs | 170 +- libcrux-ml-kem/src/invert_ntt.rs | 106 +- libcrux-ml-kem/src/matrix.rs | 53 - libcrux-ml-kem/src/mlkem1024.rs | 16 - libcrux-ml-kem/src/mlkem512.rs | 45 +- libcrux-ml-kem/src/mlkem768.rs | 16 - libcrux-ml-kem/src/ntt.rs | 182 +- libcrux-ml-kem/src/polynomial.rs | 48 +- libcrux-ml-kem/src/sampling.rs | 44 +- libcrux-ml-kem/src/serialize.rs | 176 +- libcrux-ml-kem/src/types.rs | 4 - libcrux-ml-kem/src/utils.rs | 7 - 
libcrux-ml-kem/src/variant.rs | 12 - libcrux-ml-kem/src/vector/avx2.rs | 142 +- libcrux-ml-kem/src/vector/avx2/arithmetic.rs | 277 +-- libcrux-ml-kem/src/vector/avx2/compress.rs | 3 - libcrux-ml-kem/src/vector/avx2/ntt.rs | 8 - libcrux-ml-kem/src/vector/avx2/sampling.rs | 13 - libcrux-ml-kem/src/vector/avx2/serialize.rs | 856 +++---- libcrux-ml-kem/src/vector/neon.rs | 12 - libcrux-ml-kem/src/vector/neon/vector_type.rs | 26 +- libcrux-ml-kem/src/vector/portable.rs | 197 +- .../src/vector/portable/arithmetic.rs | 307 +-- .../src/vector/portable/compress.rs | 59 +- libcrux-ml-kem/src/vector/portable/ntt.rs | 414 +--- .../src/vector/portable/sampling.rs | 5 - .../src/vector/portable/serialize.rs | 829 ++----- .../src/vector/portable/vector_type.rs | 15 +- libcrux-ml-kem/src/vector/traits.rs | 191 +- 174 files changed, 10177 insertions(+), 13108 deletions(-) create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti create mode 100644 
libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti 
diff --git a/Cargo.lock b/Cargo.lock index 8a8b2ea32..9c1fcd717 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -704,7 +704,17 @@ name = "hax-lib" version = "0.1.0-alpha.1" source = "git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions#cb6661c67a922e402efd35efe2f8a005ac25a167" dependencies = [ - "hax-lib-macros", + "hax-lib-macros 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions)", + "num-bigint", + "num-traits", +] + +[[package]] +name = "hax-lib" +version = "0.1.0-alpha.1" +source = "git+https://github.com/hacspec/hax/#001a27e20755b65d6a780243a125076fe90e6d0b" +dependencies = [ + "hax-lib-macros 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "num-bigint", "num-traits", ] @@ -714,7 +724,20 @@ name = "hax-lib-macros" version = "0.1.0-alpha.1" source = "git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions#cb6661c67a922e402efd35efe2f8a005ac25a167" dependencies = [ - "hax-lib-macros-types", + "hax-lib-macros-types 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions)", + "paste", + "proc-macro-error", + "proc-macro2", + "quote", + "syn 2.0.82", +] + +[[package]] +name = "hax-lib-macros" +version = "0.1.0-alpha.1" +source = "git+https://github.com/hacspec/hax/#001a27e20755b65d6a780243a125076fe90e6d0b" +dependencies = [ + "hax-lib-macros-types 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "paste", "proc-macro-error", "proc-macro2", @@ -734,6 +757,18 @@ dependencies = [ "uuid", ] +[[package]] +name = "hax-lib-macros-types" +version = "0.1.0-alpha.1" +source = "git+https://github.com/hacspec/hax/#001a27e20755b65d6a780243a125076fe90e6d0b" +dependencies = [ + "proc-macro2", + "quote", + "serde", + "serde_json", + "uuid", +] + [[package]] name = "heck" version = "0.5.0" 
@@ -972,7 +1007,7 @@ dependencies = [
 name = "libcrux-intrinsics"
 version = "0.0.2-beta.2"
 dependencies = [
- "hax-lib",
+ "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions)",
 ]
 
 [[package]]
@@ -992,7 +1027,7 @@ name = "libcrux-ml-dsa"
 version = "0.0.2-beta.2"
 dependencies = [
 "criterion",
- "hax-lib",
+ "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions)",
 "hex",
 "libcrux-intrinsics",
 "libcrux-platform",
@@ -1008,7 +1043,7 @@ name = "libcrux-ml-kem"
 version = "0.0.2-beta.2"
 dependencies = [
 "criterion",
- "hax-lib",
+ "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)",
 "hex",
 "libcrux-intrinsics",
 "libcrux-platform",
@@ -1054,7 +1089,7 @@ version = "0.0.2-beta.2"
 dependencies = [
 "cavp",
 "criterion",
- "hax-lib",
+ "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions)",
 "hex",
 "libcrux-intrinsics",
 "libcrux-platform",
diff --git a/libcrux-ml-kem/Cargo.toml b/libcrux-ml-kem/Cargo.toml
index 87e585f3c..3c230e0e8 100644
--- a/libcrux-ml-kem/Cargo.toml
+++ b/libcrux-ml-kem/Cargo.toml
@@ -27,7 +27,10 @@ libcrux-platform = { version = "0.0.2-beta.2", path = "../sys/platform" }
 libcrux-sha3 = { version = "0.0.2-beta.2", path = "../libcrux-sha3" }
 libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics" }
 
-hax-lib.workspace = true
+# This is only required for verification.
+# The hax config is set by the hax toolchain.
+[target.'cfg(hax)'.dependencies]
+hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" }
 
 [features]
 # By default all variants and std are enabled.
@@ -44,9 +47,6 @@ mlkem512 = []
 mlkem768 = []
 mlkem1024 = []
 
-# Enable the unpacked API
-unpacked = []
-
 # Enable Round 3 Kyber in addition to ML-KEM
 kyber = []
 
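Review bot: The new `hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" }` entry under `[target.'cfg(hax)'.dependencies]` follows the default branch of the hax repository with no `rev` or `tag`, so every fresh resolution can pull a different proc-macro crate into the verification build, and the Cargo.lock hunks above show the workspace now carrying two `hax-lib` copies because the other crates still resolve it from the `fstar-proof-lib-small-additions` branch. Pin the source, e.g. `hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/", rev = "<pinned-hax-commit>" }`, or keep `hax-lib.workspace = true` inside the `cfg(hax)` table so all crates share one lockfile entry. If this crate is published, Cargo is documented to drop the `git` key and use the registry release of that version, so the code verified under `cfg(hax)` and the code consumers compile against can differ; the two-line comment above the entry is a good place to say which source is authoritative.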
@@ -83,7 +83,7 @@ name = "keygen" required-features = ["mlkem768"] [package.metadata."docs.rs"] -features = ["pre-verification", "kyber", "unpacked"] +features = ["pre-verification", "kyber"] rustdoc-args = ["--cfg", "doc_cfg"] [lints.rust] diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_neon.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_neon.h index f88ca141f..03c96041e 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_neon.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_neon.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3f6d1c304e0e5bef1e9e2ea65aec703661b05f39 - * Eurydice: 392674166bac86e60f5fffa861181a398fdc3896 - * Karamel: fc56fce6a58754766809845f88fc62063b2c6b92 - * F*: 04413e808445c4f78fe89cd15b85ff549ed3be62 - * Libcrux: 1ecfc745f64e318b06fd59a787d07818640c56cc + * Charon: 53530427db2941ce784201e64086766504bc5642 + * Eurydice: 7834acbb41b06c34f198a1cb6b88241cc10b9aeb + * Karamel: bdf06956e6ee025d4819bf2f8cc92651e572ad85 + * F*: e5cef6f266ece8a8b55ef4cd9b61cdf103520d38 + * Libcrux: d5574e8f6c62bf622ab6b61c291abeb66c1b7221 */ #ifndef __internal_libcrux_mlkem_neon_H @@ -31,12 +31,11 @@ with const generics - RANKED_BYTES_PER_RING_ELEMENT= 768 - PUBLIC_KEY_SIZE= 800 */ -bool libcrux_ml_kem_ind_cca_validate_public_key_991(uint8_t *public_key); +bool libcrux_ml_kem_ind_cca_validate_public_key_7e1(uint8_t *public_key); /** -A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.generate_keypair_unpacked with types -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, +A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair_unpacked +with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 2 - CPA_PRIVATE_KEY_SIZE= 768 
@@ -47,8 +46,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA1_RANDOMNESS_SIZE= 192 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_66 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_a51( - uint8_t randomness[64U]); +libcrux_ml_kem_ind_cca_generate_keypair_unpacked_b41(uint8_t randomness[64U]); /** Packed API @@ -66,15 +64,15 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - CPA_PRIVATE_KEY_SIZE= 768 - PRIVATE_KEY_SIZE= 1632 - PUBLIC_KEY_SIZE= 800 -- RANKED_BYTES_PER_RING_ELEMENT= 768 +- BYTES_PER_RING_ELEMENT= 768 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 */ libcrux_ml_kem_types_MlKemKeyPair_cb -libcrux_ml_kem_ind_cca_generate_keypair_ec1(uint8_t randomness[64U]); +libcrux_ml_kem_ind_cca_generate_keypair_721(uint8_t randomness[64U]); /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.encapsulate_unpacked +A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate_unpacked with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 2 @@ -91,7 +89,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_ec libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_cf1( +tuple_ec libcrux_ml_kem_ind_cca_encapsulate_unpacked_471( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_66 *public_key, uint8_t randomness[32U]); 
@@ -108,18 +106,18 @@ with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- C1_BLOCK_SIZE= 320 +- VECTOR_U_BLOCK_LEN= 320 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_ec libcrux_ml_kem_ind_cca_encapsulate_ff1( +tuple_ec libcrux_ml_kem_ind_cca_encapsulate_281( libcrux_ml_kem_types_MlKemPublicKey_be *public_key, uint8_t randomness[32U]); /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.decapsulate_unpacked +A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate_unpacked with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 2 @@ -139,7 +137,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_dc1( +void libcrux_ml_kem_ind_cca_decapsulate_unpacked_ec1( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_66 *key_pair, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]); @@ -165,7 +163,7 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 800 */ -void libcrux_ml_kem_ind_cca_decapsulate_9c1( +void libcrux_ml_kem_ind_cca_decapsulate_821( libcrux_ml_kem_types_MlKemPrivateKey_5e *private_key, libcrux_ml_kem_types_MlKemCiphertext_e8 *ciphertext, uint8_t ret[32U]); 
@@ -177,12 +175,11 @@ with const generics - RANKED_BYTES_PER_RING_ELEMENT= 1152 - PUBLIC_KEY_SIZE= 1184 */ -bool libcrux_ml_kem_ind_cca_validate_public_key_990(uint8_t *public_key); +bool libcrux_ml_kem_ind_cca_validate_public_key_7e0(uint8_t *public_key); /** -A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.generate_keypair_unpacked with types -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, +A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair_unpacked +with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 3 - CPA_PRIVATE_KEY_SIZE= 1152 @@ -193,8 +190,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_fd -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_a50( - uint8_t randomness[64U]); +libcrux_ml_kem_ind_cca_generate_keypair_unpacked_b40(uint8_t randomness[64U]); /** Packed API @@ -212,15 +208,15 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 -- RANKED_BYTES_PER_RING_ELEMENT= 1152 +- BYTES_PER_RING_ELEMENT= 1152 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ libcrux_ml_kem_mlkem768_MlKem768KeyPair -libcrux_ml_kem_ind_cca_generate_keypair_ec0(uint8_t randomness[64U]); +libcrux_ml_kem_ind_cca_generate_keypair_720(uint8_t randomness[64U]); /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.encapsulate_unpacked +A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate_unpacked with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 3 
@@ -237,7 +233,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_3c libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_cf0( +tuple_3c libcrux_ml_kem_ind_cca_encapsulate_unpacked_470( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_fd *public_key, uint8_t randomness[32U]); @@ -254,18 +250,18 @@ with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- C1_BLOCK_SIZE= 320 +- VECTOR_U_BLOCK_LEN= 320 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_3c libcrux_ml_kem_ind_cca_encapsulate_ff0( +tuple_3c libcrux_ml_kem_ind_cca_encapsulate_280( libcrux_ml_kem_types_MlKemPublicKey_15 *public_key, uint8_t randomness[32U]); /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.decapsulate_unpacked +A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate_unpacked with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 3 @@ -285,7 +281,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_dc0( +void libcrux_ml_kem_ind_cca_decapsulate_unpacked_ec0( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_fd *key_pair, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); @@ -311,7 +307,7 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1120 */ -void libcrux_ml_kem_ind_cca_decapsulate_9c0( +void libcrux_ml_kem_ind_cca_decapsulate_820( libcrux_ml_kem_types_MlKemPrivateKey_55 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext, uint8_t ret[32U]); 
@@ -323,12 +319,11 @@ with const generics - RANKED_BYTES_PER_RING_ELEMENT= 1536 - PUBLIC_KEY_SIZE= 1568 */ -bool libcrux_ml_kem_ind_cca_validate_public_key_99(uint8_t *public_key); +bool libcrux_ml_kem_ind_cca_validate_public_key_7e(uint8_t *public_key); /** -A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.generate_keypair_unpacked with types -libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, +A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair_unpacked +with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 4 - CPA_PRIVATE_KEY_SIZE= 1536 @@ -339,8 +334,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA1_RANDOMNESS_SIZE= 128 */ libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_2c -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_unpacked_a5( - uint8_t randomness[64U]); +libcrux_ml_kem_ind_cca_generate_keypair_unpacked_b4(uint8_t randomness[64U]); /** Packed API @@ -358,15 +352,15 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - CPA_PRIVATE_KEY_SIZE= 1536 - PRIVATE_KEY_SIZE= 3168 - PUBLIC_KEY_SIZE= 1568 -- RANKED_BYTES_PER_RING_ELEMENT= 1536 +- BYTES_PER_RING_ELEMENT= 1536 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ libcrux_ml_kem_mlkem1024_MlKem1024KeyPair -libcrux_ml_kem_ind_cca_generate_keypair_ec(uint8_t randomness[64U]); +libcrux_ml_kem_ind_cca_generate_keypair_72(uint8_t randomness[64U]); /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.encapsulate_unpacked +A monomorphic instance of libcrux_ml_kem.ind_cca.encapsulate_unpacked with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 4 
@@ -383,7 +377,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_21 libcrux_ml_kem_ind_cca_unpacked_encapsulate_unpacked_cf( +tuple_21 libcrux_ml_kem_ind_cca_encapsulate_unpacked_47( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_2c *public_key, uint8_t randomness[32U]); @@ -400,18 +394,18 @@ with const generics - C2_SIZE= 160 - VECTOR_U_COMPRESSION_FACTOR= 11 - VECTOR_V_COMPRESSION_FACTOR= 5 -- C1_BLOCK_SIZE= 352 +- VECTOR_U_BLOCK_LEN= 352 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 - ETA2_RANDOMNESS_SIZE= 128 */ -tuple_21 libcrux_ml_kem_ind_cca_encapsulate_ff( +tuple_21 libcrux_ml_kem_ind_cca_encapsulate_28( libcrux_ml_kem_types_MlKemPublicKey_1f *public_key, uint8_t randomness[32U]); /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.decapsulate_unpacked +A monomorphic instance of libcrux_ml_kem.ind_cca.decapsulate_unpacked with types libcrux_ml_kem_vector_neon_vector_type_SIMD128Vector, libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - K= 4 @@ -431,7 +425,7 @@ libcrux_ml_kem_hash_functions_neon_Simd128Hash with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -void libcrux_ml_kem_ind_cca_unpacked_decapsulate_unpacked_dc( +void libcrux_ml_kem_ind_cca_decapsulate_unpacked_ec( libcrux_ml_kem_ind_cca_unpacked_MlKemKeyPairUnpacked_2c *key_pair, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]); @@ -457,7 +451,7 @@ with const generics - ETA2_RANDOMNESS_SIZE= 128 - IMPLICIT_REJECTION_HASH_INPUT_SIZE= 1600 */ -void libcrux_ml_kem_ind_cca_decapsulate_9c( +void libcrux_ml_kem_ind_cca_decapsulate_82( libcrux_ml_kem_types_MlKemPrivateKey_95 *private_key, libcrux_ml_kem_mlkem1024_MlKem1024Ciphertext *ciphertext, uint8_t ret[32U]); diff --git a/libcrux-ml-kem/cg/eurydice_glue.h b/libcrux-ml-kem/cg/eurydice_glue.h index 1e2772eba..cdd27af77 100644 --- a/libcrux-ml-kem/cg/eurydice_glue.h 
+++ b/libcrux-ml-kem/cg/eurydice_glue.h @@ -19,8 +19,6 @@ extern "C" { #include "karamel/target.h" -#define LowStar_Ignore_ignore(e, t, _ret_t) ((void)e) - // SLICES, ARRAYS, ETC. // The MSVC C++ compiler does not support compound literals. diff --git a/libcrux-ml-kem/hax.py b/libcrux-ml-kem/hax.py index d5f025639..b95b864ab 100755 --- a/libcrux-ml-kem/hax.py +++ b/libcrux-ml-kem/hax.py @@ -40,8 +40,6 @@ def __call__(self, parser, args, values, option_string=None) -> None: "-i", include_str, "fstar", - "--z3rlimit", - "80", "--interfaces", interface_include, ] @@ -66,8 +64,6 @@ def __call__(self, parser, args, values, option_string=None) -> None: "-i", include_str, "fstar", - "--z3rlimit", - "80", "--interfaces", interface_include, ] @@ -98,12 +94,9 @@ def __call__(self, parser, args, values, option_string=None) -> None: "simd128,simd256,pre-verification", ";", "into", - "-vv", "-i", include_str, "fstar", - "--z3rlimit", - "100", "--interfaces", interface_include, ] diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst index 1bff53934..018593ecd 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst 
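Review bot: The three hax.py hunks in `__call__` apply the same edit to three near-identical argument lists (dropping `"--z3rlimit"` with `"80"` or `"100"`, and `"-vv"` in the third), which is the cost of assembling each `into ... fstar --interfaces` invocation from scratch; a shared base list extended per target would keep these options in one place. Dropping the explicit `--z3rlimit` presumably defers to hax's default, which matches the `#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"` now emitted in the regenerated `.fst`/`.fsti` files below, but a comment at the call site such as `# z3rlimit is set per module via #set-options in the extracted files` would make that dependency visible to the next editor. `__call__` starts and ends outside these hunks.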
@@ -1,46 +1,15 @@ module Libcrux_ml_kem.Constant_time_ops -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let inz (value: u8) = - let v__orig_value:u8 = value in let value:u16 = cast (value <: u8) <: u16 in - let result:u8 = - cast ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) >>! 8l <: u16) <: u8 + let result:u16 = + ((value |. (Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) <: u16) >>! 8l <: u16) &. + 1us in - let res:u8 = result &. 1uy in - let _:Prims.unit = - if v v__orig_value = 0 - then - (assert (value == zero); - lognot_lemma value; - assert ((~.value +. 1us) == zero); - assert ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) == zero); - logor_lemma value zero; - assert ((value |. (Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) <: u16) == - value); - assert (v result == v ((value >>! 8l))); - assert ((v value / pow2 8) == 0); - assert (result == 0uy); - logand_lemma 1uy result; - assert (res == 0uy)) - else - (assert (v value <> 0); - lognot_lemma value; - assert (v (~.value) = pow2 16 - 1 - v value); - assert (v (~.value) + 1 = pow2 16 - v value); - assert (v (value) <= pow2 8 - 1); - assert ((v (~.value) + 1) = (pow2 16 - pow2 8) + (pow2 8 - v value)); - assert ((v (~.value) + 1) = (pow2 8 - 1) * pow2 8 + (pow2 8 - v value)); - assert ((v (~.value) + 1) / pow2 8 = (pow2 8 - 1)); - assert (v ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) >>! 8l) = - pow2 8 - 1); - assert (result = ones); - logand_lemma 1uy result; - assert (res = 1uy)) - in - res + cast (result <: u16) <: u8 let is_non_zero (value: u8) = Core.Hint.black_box #u8 (inz value <: u8) 
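Review bot: The rewritten `inz` drops the `lognot_lemma`/`logand_lemma` proof script that established the result is exactly `0uy` or `1uy`, and the `.fsti` hunks for this module replace every `ensures` on `inz`, `is_non_zero`, `compare`, `select_ct` and their `*_in_constant_time` wrappers with `(fun _ -> Prims.l_True)`, so the functional contract of the constant-time helpers used for implicit rejection is no longer checked by F*. The same loss applies to the next hunk, where the loop invariants of `compare` and `select_ct` become `true` and the `#push-options "--ifuel 0 --z3rlimit 50"` block is removed. The new form `((value |. (~.value +. 1us)) >>! 8l) &. 1us` looks equivalent to the old one for a `u8` widened to `u16`, but nothing in the hunk now verifies that, and `is_non_zero` only wraps it in `Core.Hint.black_box`. If this is an interim regeneration, either keep the old postconditions in the `.fsti` (for `inz`: `(value == 0uy ==> result == 0uy) /\ (value =!= 0uy ==> result == 1uy)`) or record the gap with `// TODO(wip): postconditions and lemmas dropped by regeneration; restore before merge` so the weakened spec is not mistaken for a verified one.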
@@ -49,143 +18,43 @@ let compare (lhs rhs: t_Slice u8) = let r:u8 = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #u8 lhs <: usize) - (fun r i -> + (fun r temp_1_ -> let r:u8 = r in - let i:usize = i in - v i <= Seq.length lhs /\ - (if (Seq.slice lhs 0 (v i) = Seq.slice rhs 0 (v i)) then r == 0uy else ~(r == 0uy))) + let _:usize = temp_1_ in + true) r (fun r i -> let r:u8 = r in let i:usize = i in - let nr:u8 = r |. ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) in - let _:Prims.unit = - if r =. 0uy - then - (if (Seq.index lhs (v i) = Seq.index rhs (v i)) - then - (logxor_lemma (Seq.index lhs (v i)) (Seq.index rhs (v i)); - assert (((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) = zero); - logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8); - assert (nr = r); - assert (forall j. Seq.index (Seq.slice lhs 0 (v i)) j == Seq.index lhs j); - assert (forall j. Seq.index (Seq.slice rhs 0 (v i)) j == Seq.index rhs j); - eq_intro (Seq.slice lhs 0 ((v i) + 1)) (Seq.slice rhs 0 ((v i) + 1))) - else - (logxor_lemma (Seq.index lhs (v i)) (Seq.index rhs (v i)); - assert (((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) <> zero); - logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8); - assert (v nr > 0); - assert (Seq.index (Seq.slice lhs 0 ((v i) + 1)) (v i) <> - Seq.index (Seq.slice rhs 0 ((v i) + 1)) (v i)); - assert (Seq.slice lhs 0 ((v i) + 1) <> Seq.slice rhs 0 ((v i) + 1)))) - else - (logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8); - assert (v nr >= v r); - assert (Seq.slice lhs 0 (v i) <> Seq.slice rhs 0 (v i)); - if (Seq.slice lhs 0 ((v i) + 1) = Seq.slice rhs 0 ((v i) + 1)) - then - (assert (forall j. - j < (v i) + 1 ==> - Seq.index (Seq.slice lhs 0 ((v i) + 1)) j == - Seq.index (Seq.slice rhs 0 ((v i) + 1)) j); - eq_intro (Seq.slice lhs 0 (v i)) (Seq.slice rhs 0 (v i)); - assert (False))) - in - let r:u8 = nr in - r) + r |. ((lhs.[ i ] <: u8) ^. 
(rhs.[ i ] <: u8) <: u8) <: u8) in is_non_zero r let compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) = Core.Hint.black_box #u8 (compare lhs rhs <: u8) -#push-options "--ifuel 0 --z3rlimit 50" - let select_ct (lhs rhs: t_Slice u8) (selector: u8) = let mask:u8 = Core.Num.impl__u8__wrapping_sub (is_non_zero selector <: u8) 1uy in - let _:Prims.unit = - assert (if selector = 0uy then mask = ones else mask = zero); - lognot_lemma mask; - assert (if selector = 0uy then ~.mask = zero else ~.mask = ones) - in let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in let out:t_Array u8 (sz 32) = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - (fun out i -> + (fun out temp_1_ -> let out:t_Array u8 (sz 32) = out in - let i:usize = i in - v i <= v Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE /\ - (forall j. - j < v i ==> - (if (selector =. 0uy) - then Seq.index out j == Seq.index lhs j - else Seq.index out j == Seq.index rhs j)) /\ - (forall j. j >= v i ==> Seq.index out j == 0uy)) + let _:usize = temp_1_ in + true) out (fun out i -> let out:t_Array u8 (sz 32) = out in let i:usize = i in - let _:Prims.unit = assert ((out.[ i ] <: u8) = 0uy) in - let outi:u8 = - ((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) - in - let _:Prims.unit = - if (selector = 0uy) - then - (logand_lemma (lhs.[ i ] <: u8) mask; - assert (((lhs.[ i ] <: u8) &. mask <: u8) == (lhs.[ i ] <: u8)); - logand_lemma (rhs.[ i ] <: u8) (~.mask); - assert (((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) == zero); - logor_lemma ((lhs.[ i ] <: u8) &. mask <: u8) - ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8); - assert ((((lhs.[ i ] <: u8) &. mask <: u8) |. - ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) - <: - u8) == - (lhs.[ i ] <: u8)); - logor_lemma (out.[ i ] <: u8) (lhs.[ i ] <: u8); - assert (((out.[ i ] <: u8) |. - (((lhs.[ i ] <: u8) &. mask <: u8) |. - ((rhs.[ i ] <: u8) &. 
(~.mask <: u8) <: u8) - <: - u8) - <: - u8) == - (lhs.[ i ] <: u8)); - assert (outi = (lhs.[ i ] <: u8))) - else - (logand_lemma (lhs.[ i ] <: u8) mask; - assert (((lhs.[ i ] <: u8) &. mask <: u8) == zero); - logand_lemma (rhs.[ i ] <: u8) (~.mask); - assert (((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) == (rhs.[ i ] <: u8)); - logor_lemma (rhs.[ i ] <: u8) zero; - assert ((logor zero (rhs.[ i ] <: u8)) == (rhs.[ i ] <: u8)); - assert ((((lhs.[ i ] <: u8) &. mask <: u8) |. - ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8)) == - (rhs.[ i ] <: u8)); - logor_lemma (out.[ i ] <: u8) (rhs.[ i ] <: u8); - assert (((out.[ i ] <: u8) |. - (((lhs.[ i ] <: u8) &. mask <: u8) |. - ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) - <: - u8) - <: - u8) == - (rhs.[ i ] <: u8)); - assert (outi = (rhs.[ i ] <: u8))) - in - let out:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out i outi - in - out) + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + i + (((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) <: u8) + <: + t_Array u8 (sz 32)) in - let _:Prims.unit = if (selector =. 0uy) then (eq_intro out lhs) else (eq_intro out rhs) in out -#pop-options - let select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) = Core.Hint.black_box #(t_Array u8 (sz 32)) (select_ct lhs rhs selector <: t_Array u8 (sz 32)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti index dc6fd2b46..0d28bb910 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti 
@@ -1,42 +1,24 @@ module Libcrux_ml_kem.Constant_time_ops -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul /// Return 1 if `value` is not zero and 0 otherwise. -val inz (value: u8) - : Prims.Pure u8 - Prims.l_True - (ensures - fun result -> - let result:u8 = result in - (value == 0uy ==> result == 0uy) /\ (value =!= 0uy ==> result == 1uy)) +val inz (value: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val is_non_zero (value: u8) - : Prims.Pure u8 - Prims.l_True - (ensures - fun result -> - let result:u8 = result in - (value == 0uy ==> result == 0uy) /\ (value =!= 0uy ==> result == 1uy)) +val is_non_zero (value: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) /// Return 1 if the bytes of `lhs` and `rhs` do not exactly /// match and 0 otherwise. val compare (lhs rhs: t_Slice u8) : Prims.Pure u8 (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize)) - (ensures - fun result -> - let result:u8 = result in - (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy)) + (fun _ -> Prims.l_True) val compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) : Prims.Pure u8 (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize)) - (ensures - fun result -> - let result:u8 = result in - (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy)) + (fun _ -> Prims.l_True) /// If `selector` is not zero, return the bytes in `rhs`; return the bytes in /// `lhs` otherwise. 
@@ -45,20 +27,14 @@ val select_ct (lhs rhs: t_Slice u8) (selector: u8) (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize) && (Core.Slice.impl__len #u8 lhs <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - (selector == 0uy ==> result == lhs) /\ (selector =!= 0uy ==> result == rhs)) + (fun _ -> Prims.l_True) val select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) : Prims.Pure (t_Array u8 (sz 32)) (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize) && (Core.Slice.impl__len #u8 lhs <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - (selector == 0uy ==> result == lhs) /\ (selector =!= 0uy ==> result == rhs)) + (fun _ -> Prims.l_True) val compare_ciphertexts_select_shared_secret_in_constant_time (lhs_c rhs_c lhs_s rhs_s: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) @@ -66,8 +42,4 @@ val compare_ciphertexts_select_shared_secret_in_constant_time (lhs_c rhs_c lhs_s (Core.Slice.impl__len #u8 lhs_c <: usize) =. (Core.Slice.impl__len #u8 rhs_c <: usize) && (Core.Slice.impl__len #u8 lhs_s <: usize) =. (Core.Slice.impl__len #u8 rhs_s <: usize) && (Core.Slice.impl__len #u8 lhs_s <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - let selector = if lhs_c =. rhs_c then 0uy else 1uy in - ((selector == 0uy ==> result == lhs_s) /\ (selector =!= 0uy ==> result == rhs_s))) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti index 812c7717d..76d143aad 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti 
@@ -1,5 +1,5 @@ module Libcrux_ml_kem.Constants -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti index d1bf77c74..637523b1a 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti 
@@ -1,50 +1,33 @@ module Libcrux_ml_kem.Hash_functions.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -/// The state. -/// It\'s only used for SHAKE128. -/// All other functions don\'t actually use any members. -val t_Simd256Hash:Type0 +val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) -val v_G (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 64)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 64) = result in - result == Spec.Utils.v_G input) - -val v_H (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == Spec.Utils.v_H input) +val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val v_PRF (v_LEN: usize) (input: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN) - (requires v v_LEN < pow2 32) - (ensures - fun result -> - let result:t_Array u8 v_LEN = result in - result == Spec.Utils.v_PRF v_LEN input) + : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) Prims.l_True (fun _ -> Prims.l_True) -val shake128_init_absorb_final (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) +/// The state. +/// It\'s only used for SHAKE128. +/// All other functions don\'t actually use any members. 
+val t_Simd256Hash:Type0 + +val shake128_init_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) : Prims.Pure t_Simd256Hash Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_first_three_blocks (v_K: usize) (st: t_Simd256Hash) - : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K) +val shake128_squeeze_block (v_K: usize) (st: t_Simd256Hash) + : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K) Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_next_block (v_K: usize) (st: t_Simd256Hash) - : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K) +val shake128_squeeze_three_blocks (v_K: usize) (st: t_Simd256Hash) + : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K) Prims.l_True (fun _ -> Prims.l_True) 
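Review bot: `v_PRF` loses both its `(requires v v_LEN < pow2 32)` precondition and its `ensures result == Spec.Utils.v_PRF v_LEN input`, and `v_G`/`v_H` likewise lose their `Spec.Utils` postconditions, so this interface no longer ties the AVX2 hash implementation to the specification; the following hunk makes `f_G_post`, `f_H_post`, `f_PRF_pre` and `f_PRF_post` in `impl` trivially `true` as well, and the Neon `.fsti` hunks below repeat the identical change. The renames `shake128_init_absorb_final` → `shake128_init_absorb`, `shake128_squeeze_first_three_blocks` → `shake128_squeeze_three_blocks` and `shake128_squeeze_next_block` → `shake128_squeeze_block` look like a regeneration from an older extraction rather than a deliberate API change, which the commit description ("wip") does not say. At minimum the length bound is worth restoring on `v_PRF` and `f_PRF_pre` as `(requires v v_LEN < pow2 32)`, since it was presumably there to bound the PRF output length and dropping it means no caller has to discharge it — worth confirming against the Rust source.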
@@ -52,16 +35,13 @@ val shake128_squeeze_next_block (v_K: usize) (st: t_Simd256Hash) let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K = { f_G_pre = (fun (input: t_Slice u8) -> true); - f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> out == Spec.Utils.v_G input); + f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true); f_G = (fun (input: t_Slice u8) -> v_G input); f_H_pre = (fun (input: t_Slice u8) -> true); - f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> out == Spec.Utils.v_H input); + f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> true); f_H = (fun (input: t_Slice u8) -> v_H input); - f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> v v_LEN < pow2 32); - f_PRF_post - = - (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> - v v_LEN < pow2 32 ==> out == Spec.Utils.v_PRF v_LEN input); + f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> true); + f_PRF_post = (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> true); f_PRF = (fun (v_LEN: usize) (input: t_Slice u8) -> v_PRF v_LEN input); f_PRFxN_pre = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> true); f_PRFxN_post 
@@ -75,35 +55,35 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K = f_PRFxN = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> v_PRFxN v_K v_LEN input); - f_shake128_init_absorb_final_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); - f_shake128_init_absorb_final_post + f_shake128_init_absorb_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); + f_shake128_init_absorb_post = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) (out: t_Simd256Hash) -> true); - f_shake128_init_absorb_final + f_shake128_init_absorb = - (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb_final v_K input); - f_shake128_squeeze_first_three_blocks_pre = (fun (self: t_Simd256Hash) -> true); - f_shake128_squeeze_first_three_blocks_post + (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb v_K input); + f_shake128_squeeze_three_blocks_pre = (fun (self: t_Simd256Hash) -> true); + f_shake128_squeeze_three_blocks_post = (fun (self: t_Simd256Hash) (out1: (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K)) -> true); - f_shake128_squeeze_first_three_blocks + f_shake128_squeeze_three_blocks = (fun (self: t_Simd256Hash) -> let tmp0, out:(t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K) = - shake128_squeeze_first_three_blocks v_K self + shake128_squeeze_three_blocks v_K self in let self:t_Simd256Hash = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in self, hax_temp_output <: (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K)); - f_shake128_squeeze_next_block_pre = (fun (self: t_Simd256Hash) -> true); - f_shake128_squeeze_next_block_post + f_shake128_squeeze_block_pre = (fun (self: t_Simd256Hash) -> true); + f_shake128_squeeze_block_post = (fun (self: t_Simd256Hash) (out1: (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K)) -> true); - f_shake128_squeeze_next_block + f_shake128_squeeze_block = fun (self: t_Simd256Hash) -> let tmp0, out:(t_Simd256Hash & t_Array (t_Array 
u8 (sz 168)) v_K) = - shake128_squeeze_next_block v_K self + shake128_squeeze_block v_K self in let self:t_Simd256Hash = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti index 90a01aa64..d3285aaba 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti 
@@ -1,50 +1,33 @@ module Libcrux_ml_kem.Hash_functions.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -/// The state. -/// It\'s only used for SHAKE128. -/// All other functions don\'t actually use any members. -val t_Simd128Hash:Type0 +val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) -val v_G (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 64)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 64) = result in - result == Spec.Utils.v_G input) - -val v_H (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == Spec.Utils.v_H input) +val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val v_PRF (v_LEN: usize) (input: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN) - (requires v v_LEN < pow2 32) - (ensures - fun result -> - let result:t_Array u8 v_LEN = result in - result == Spec.Utils.v_PRF v_LEN input) + : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) Prims.l_True (fun _ -> Prims.l_True) -val shake128_init_absorb_final (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) +/// The state. +/// It\'s only used for SHAKE128. +/// All other functions don\'t actually use any members. 
+val t_Simd128Hash:Type0 + +val shake128_init_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) : Prims.Pure t_Simd128Hash Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_first_three_blocks (v_K: usize) (st: t_Simd128Hash) - : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K) +val shake128_squeeze_block (v_K: usize) (st: t_Simd128Hash) + : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K) Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_next_block (v_K: usize) (st: t_Simd128Hash) - : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K) +val shake128_squeeze_three_blocks (v_K: usize) (st: t_Simd128Hash) + : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K) Prims.l_True (fun _ -> Prims.l_True) 
@@ -52,16 +35,13 @@ val shake128_squeeze_next_block (v_K: usize) (st: t_Simd128Hash) let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = { f_G_pre = (fun (input: t_Slice u8) -> true); - f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> out == Spec.Utils.v_G input); + f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true); f_G = (fun (input: t_Slice u8) -> v_G input); f_H_pre = (fun (input: t_Slice u8) -> true); - f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> out == Spec.Utils.v_H input); + f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> true); f_H = (fun (input: t_Slice u8) -> v_H input); - f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> v v_LEN < pow2 32); - f_PRF_post - = - (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> - v v_LEN < pow2 32 ==> out == Spec.Utils.v_PRF v_LEN input); + f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> true); + f_PRF_post = (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> true); f_PRF = (fun (v_LEN: usize) (input: t_Slice u8) -> v_PRF v_LEN input); f_PRFxN_pre = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> true); f_PRFxN_post 
@@ -75,35 +55,35 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = f_PRFxN = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> v_PRFxN v_K v_LEN input); - f_shake128_init_absorb_final_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); - f_shake128_init_absorb_final_post + f_shake128_init_absorb_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); + f_shake128_init_absorb_post = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) (out: t_Simd128Hash) -> true); - f_shake128_init_absorb_final + f_shake128_init_absorb = - (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb_final v_K input); - f_shake128_squeeze_first_three_blocks_pre = (fun (self: t_Simd128Hash) -> true); - f_shake128_squeeze_first_three_blocks_post + (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb v_K input); + f_shake128_squeeze_three_blocks_pre = (fun (self: t_Simd128Hash) -> true); + f_shake128_squeeze_three_blocks_post = (fun (self: t_Simd128Hash) (out1: (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K)) -> true); - f_shake128_squeeze_first_three_blocks + f_shake128_squeeze_three_blocks = (fun (self: t_Simd128Hash) -> let tmp0, out:(t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K) = - shake128_squeeze_first_three_blocks v_K self + shake128_squeeze_three_blocks v_K self in let self:t_Simd128Hash = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in self, hax_temp_output <: (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K)); - f_shake128_squeeze_next_block_pre = (fun (self: t_Simd128Hash) -> true); - f_shake128_squeeze_next_block_post + f_shake128_squeeze_block_pre = (fun (self: t_Simd128Hash) -> true); + f_shake128_squeeze_block_post = (fun (self: t_Simd128Hash) (out1: (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K)) -> true); - f_shake128_squeeze_next_block + f_shake128_squeeze_block = fun (self: t_Simd128Hash) -> let tmp0, out:(t_Simd128Hash & t_Array (t_Array 
u8 (sz 168)) v_K) = - shake128_squeeze_next_block v_K self + shake128_squeeze_block v_K self in let self:t_Simd128Hash = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti index bb72b8240..88cba2292 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti 
@@ -1,50 +1,33 @@ module Libcrux_ml_kem.Hash_functions.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -/// The state. -/// It\'s only used for SHAKE128. -/// All other functions don\'t actually use any members. -val t_PortableHash (v_K: usize) : Type0 +val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) -val v_G (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 64)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 64) = result in - result == Spec.Utils.v_G input) - -val v_H (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == Spec.Utils.v_H input) +val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val v_PRF (v_LEN: usize) (input: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN) - (requires v v_LEN < pow2 32) - (ensures - fun result -> - let result:t_Array u8 v_LEN = result in - result == Spec.Utils.v_PRF v_LEN input) + : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) Prims.l_True (fun _ -> Prims.l_True) -val shake128_init_absorb_final (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) +/// The state. +/// It\'s only used for SHAKE128. +/// All other functions don\'t actually use any members. 
+val t_PortableHash (v_K: usize) : Type0 + +val shake128_init_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) : Prims.Pure (t_PortableHash v_K) Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_first_three_blocks (v_K: usize) (st: t_PortableHash v_K) - : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K) +val shake128_squeeze_block (v_K: usize) (st: t_PortableHash v_K) + : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K) Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_next_block (v_K: usize) (st: t_PortableHash v_K) - : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K) +val shake128_squeeze_three_blocks (v_K: usize) (st: t_PortableHash v_K) + : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K) Prims.l_True (fun _ -> Prims.l_True) 
@@ -52,16 +35,13 @@ val shake128_squeeze_next_block (v_K: usize) (st: t_PortableHash v_K) let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K = { f_G_pre = (fun (input: t_Slice u8) -> true); - f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> out == Spec.Utils.v_G input); + f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true); f_G = (fun (input: t_Slice u8) -> v_G input); f_H_pre = (fun (input: t_Slice u8) -> true); - f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> out == Spec.Utils.v_H input); + f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> true); f_H = (fun (input: t_Slice u8) -> v_H input); - f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> v v_LEN < pow2 32); - f_PRF_post - = - (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> - v v_LEN < pow2 32 ==> out == Spec.Utils.v_PRF v_LEN input); + f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> true); + f_PRF_post = (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> true); f_PRF = (fun (v_LEN: usize) (input: t_Slice u8) -> v_PRF v_LEN input); f_PRFxN_pre = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> true); f_PRFxN_post 
@@ -75,43 +55,43 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K f_PRFxN = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> v_PRFxN v_K v_LEN input); - f_shake128_init_absorb_final_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); - f_shake128_init_absorb_final_post + f_shake128_init_absorb_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); + f_shake128_init_absorb_post = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) (out: t_PortableHash v_K) -> true); - f_shake128_init_absorb_final + f_shake128_init_absorb = - (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb_final v_K input); - f_shake128_squeeze_first_three_blocks_pre = (fun (self: t_PortableHash v_K) -> true); - f_shake128_squeeze_first_three_blocks_post + (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb v_K input); + f_shake128_squeeze_three_blocks_pre = (fun (self: t_PortableHash v_K) -> true); + f_shake128_squeeze_three_blocks_post = (fun (self: t_PortableHash v_K) (out1: (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K)) -> true); - f_shake128_squeeze_first_three_blocks + f_shake128_squeeze_three_blocks = (fun (self: t_PortableHash v_K) -> let tmp0, out:(t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K) = - shake128_squeeze_first_three_blocks v_K self + shake128_squeeze_three_blocks v_K self in let self:t_PortableHash v_K = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in self, hax_temp_output <: (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K)); - f_shake128_squeeze_next_block_pre = (fun (self: t_PortableHash v_K) -> true); - f_shake128_squeeze_next_block_post + f_shake128_squeeze_block_pre = (fun (self: t_PortableHash v_K) -> true); + f_shake128_squeeze_block_post = (fun (self: t_PortableHash v_K) (out1: (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K)) -> true); - f_shake128_squeeze_next_block + f_shake128_squeeze_block = fun (self: 
t_PortableHash v_K) -> let tmp0, out:(t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K) = - shake128_squeeze_next_block v_K self + shake128_squeeze_block v_K self in let self:t_PortableHash v_K = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti index 076ee08eb..c8582760b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Hash_functions -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -10,48 +10,44 @@ open FStar.Mul /// - NEON /// - Portable class t_Hash (v_Self: Type0) (v_K: usize) = { - f_G_pre:input: t_Slice u8 -> pred: Type0{true ==> pred}; - f_G_post:input: t_Slice u8 -> result: t_Array u8 (sz 64) - -> pred: Type0{pred ==> result == Spec.Utils.v_G input}; + f_G_pre:t_Slice u8 -> Type0; + f_G_post:t_Slice u8 -> t_Array u8 (sz 64) -> Type0; f_G:x0: t_Slice u8 -> Prims.Pure (t_Array u8 (sz 64)) (f_G_pre x0) (fun result -> f_G_post x0 result); - f_H_pre:input: t_Slice u8 -> pred: Type0{true ==> pred}; - f_H_post:input: t_Slice u8 -> result: t_Array u8 (sz 32) - -> pred: Type0{pred ==> result == Spec.Utils.v_H input}; + f_H_pre:t_Slice u8 -> Type0; + f_H_post:t_Slice u8 -> t_Array u8 (sz 32) -> Type0; f_H:x0: t_Slice u8 -> Prims.Pure (t_Array u8 (sz 32)) (f_H_pre x0) (fun result -> f_H_post x0 result); - f_PRF_pre:v_LEN: usize -> input: t_Slice u8 -> pred: Type0{v v_LEN < pow2 32 ==> pred}; - f_PRF_post:v_LEN: usize -> input: t_Slice u8 -> result: t_Array u8 v_LEN - -> pred: Type0{pred ==> v v_LEN < pow2 32 ==> result == Spec.Utils.v_PRF v_LEN input}; + f_PRF_pre:v_LEN: usize -> t_Slice u8 -> Type0; + f_PRF_post:v_LEN: usize -> t_Slice u8 -> t_Array u8 v_LEN -> Type0; f_PRF:v_LEN: usize -> x0: t_Slice u8 -> Prims.Pure (t_Array u8 v_LEN) (f_PRF_pre v_LEN x0) (fun result -> f_PRF_post v_LEN x0 result); - f_PRFxN_pre:v_LEN: usize -> input: t_Array (t_Array u8 (sz 33)) v_K -> pred: Type0{true ==> pred}; + f_PRFxN_pre:v_LEN: usize -> t_Array (t_Array u8 (sz 33)) v_K -> Type0; f_PRFxN_post:v_LEN: usize -> t_Array (t_Array u8 (sz 33)) v_K -> t_Array (t_Array u8 v_LEN) v_K -> Type0; f_PRFxN:v_LEN: usize -> x0: t_Array (t_Array u8 (sz 33)) v_K -> Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) (f_PRFxN_pre v_LEN x0) (fun result -> f_PRFxN_post v_LEN x0 result); - f_shake128_init_absorb_final_pre:input: t_Array (t_Array u8 (sz 34)) v_K - -> pred: Type0{true ==> pred}; - f_shake128_init_absorb_final_post:t_Array (t_Array u8 (sz 34)) v_K -> v_Self -> Type0; 
- f_shake128_init_absorb_final:x0: t_Array (t_Array u8 (sz 34)) v_K + f_shake128_init_absorb_pre:t_Array (t_Array u8 (sz 34)) v_K -> Type0; + f_shake128_init_absorb_post:t_Array (t_Array u8 (sz 34)) v_K -> v_Self -> Type0; + f_shake128_init_absorb:x0: t_Array (t_Array u8 (sz 34)) v_K -> Prims.Pure v_Self - (f_shake128_init_absorb_final_pre x0) - (fun result -> f_shake128_init_absorb_final_post x0 result); - f_shake128_squeeze_first_three_blocks_pre:self___: v_Self -> pred: Type0{true ==> pred}; - f_shake128_squeeze_first_three_blocks_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 504)) v_K) + (f_shake128_init_absorb_pre x0) + (fun result -> f_shake128_init_absorb_post x0 result); + f_shake128_squeeze_three_blocks_pre:v_Self -> Type0; + f_shake128_squeeze_three_blocks_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 504)) v_K) -> Type0; - f_shake128_squeeze_first_three_blocks:x0: v_Self + f_shake128_squeeze_three_blocks:x0: v_Self -> Prims.Pure (v_Self & t_Array (t_Array u8 (sz 504)) v_K) - (f_shake128_squeeze_first_three_blocks_pre x0) - (fun result -> f_shake128_squeeze_first_three_blocks_post x0 result); - f_shake128_squeeze_next_block_pre:self___: v_Self -> pred: Type0{true ==> pred}; - f_shake128_squeeze_next_block_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 168)) v_K) -> Type0; - f_shake128_squeeze_next_block:x0: v_Self + (f_shake128_squeeze_three_blocks_pre x0) + (fun result -> f_shake128_squeeze_three_blocks_post x0 result); + f_shake128_squeeze_block_pre:v_Self -> Type0; + f_shake128_squeeze_block_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 168)) v_K) -> Type0; + f_shake128_squeeze_block:x0: v_Self -> Prims.Pure (v_Self & t_Array (t_Array u8 (sz 168)) v_K) - (f_shake128_squeeze_next_block_pre x0) - (fun result -> f_shake128_squeeze_next_block_post x0 result) + (f_shake128_squeeze_block_pre x0) + (fun result -> f_shake128_squeeze_block_post x0 result) } /// The SHA3 block size. 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst new file mode 100644 index 000000000..cecdf9ad1 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst 
@@ -0,0 +1,89 @@ +module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions.Avx2 in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash public_key randomness + +let unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K + v_T_AS_NTT_ENCODED_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + public_key + unpacked_public_key + <: + 
(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key + +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE + v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + key_pair ciphertext + +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, out:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + randomness out + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + 
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + out diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti new file mode 100644 index 000000000..609428969 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti 
@@ -0,0 +1,56 @@ +module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions.Avx2 in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +/// Unpacked encapsulate +val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Unpacked decapsulate +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a key pair +val generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst index c9a34f640..9f5044e59 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst 
@@ -1,19 +1,17 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Avx2 in let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Avx2 in - let open Libcrux_ml_kem.Vector.Traits in () -let validate_private_key_avx2 +let validate_private_key (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) @@ -25,13 +23,17 @@ let validate_private_key_avx2 private_key ciphertext -let validate_private_key - (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = validate_private_key_avx2 v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE private_key ciphertext +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + public_key -let decapsulate_avx2 +let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) 
@@ -44,18 +46,7 @@ let decapsulate_avx2 #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash #Libcrux_ml_kem.Variant.t_MlKem private_key ciphertext -let decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - decapsulate_avx2 v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE - v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE private_key ciphertext - -let encapsulate_avx2 +let encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) 
@@ -67,17 +58,7 @@ let encapsulate_avx2 #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash #Libcrux_ml_kem.Variant.t_MlKem public_key randomness -let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (randomness: t_Array u8 (sz 32)) - = - encapsulate_avx2 v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness - -let generate_keypair_avx2 +let generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) 
@@ -86,32 +67,3 @@ let generate_keypair_avx2 v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash #Libcrux_ml_kem.Variant.t_MlKem randomness - -let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - = - generate_keypair_avx2 v_K - v_CPA_PRIVATE_KEY_SIZE - v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE - v_BYTES_PER_RING_ELEMENT - v_ETA1 - v_ETA1_RANDOMNESS_SIZE - randomness - -let validate_public_key_avx2 - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - Libcrux_ml_kem.Ind_cca.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector - public_key - -let validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = validate_public_key_avx2 v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti index 39fede866..c87425a91 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti 
@@ -1,37 +1,30 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Avx2 in let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Avx2 in - let open Libcrux_ml_kem.Vector.Traits in () -val validate_private_key_avx2 - (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) - +/// Portable private key validation val validate_private_key (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -val decapsulate_avx2 - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// Portable public key validation +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Portable decapsulate val decapsulate (v_K v_SECRET_KEY_SIZE 
v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -39,15 +32,6 @@ val decapsulate (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val encapsulate_avx2 - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - val encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) @@ -58,14 +42,6 @@ val encapsulate (fun _ -> Prims.l_True) /// Portable generate key pair. -val generate_keypair_avx2 - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) - val generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) 
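Review bot: The doc comments added in this hunk describe AVX2 entry points as portable: `/// Portable private key validation`, `/// Portable public key validation` and `/// Portable decapsulate` are placed above `validate_private_key`, `validate_public_key` and `decapsulate` in the `Instantiations.Avx2` interface, and the pre-existing `/// Portable generate key pair.` has the same problem. Since this `.fsti` is hax-extracted, the wording presumably originates in doc comments of the Rust instantiation source, so the correction belongs there; the extracted lines should read `/// AVX2 private key validation`, `/// AVX2 public key validation` and `/// AVX2 decapsulate`. Mislabelled backend docs matter here because callers choosing an instantiation by its documentation could pick the wrong vector backend.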
@@ -73,13 +49,3 @@ val generate_keypair : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -val validate_public_key_avx2 - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) - -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst new file mode 100644 index 000000000..91614ab24 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst 
@@ -0,0 +1,89 @@
+module Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+open Core
+open FStar.Mul
+
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_kem.Hash_functions.Neon in
+ let open Libcrux_ml_kem.Vector.Neon in
+ ()
+
+let encapsulate
+ (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+ usize)
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE
+ v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
+ v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+ v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash public_key randomness
+
+let unpack_public_key
+ (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (unpacked_public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ =
+ let hax_temp_output, unpacked_public_key:(Prims.unit &
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
+ (),
+ Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K
+ v_T_AS_NTT_ENCODED_SIZE
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
+ #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash
+ #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ public_key
+ unpacked_public_key
+ <:
+ (Prims.unit &
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ in
+ unpacked_public_key
+
+let decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+ usize)
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ =
+ Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE
+ v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE
+ v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
+ v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
+ #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash key_pair ciphertext
+
+let generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ (out:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ =
+ let hax_temp_output, out:(Prims.unit &
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) =
+ (),
+ Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
+ v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
+ #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector
+ #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash randomness out
+ <:
+ (Prims.unit &
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ in
+ out
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti
new file mode 100644
index 000000000..e602961e3
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti
@@ -0,0 +1,60 @@
+module Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+open Core
+open FStar.Mul
+
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_kem.Hash_functions.Neon in
+ let open Libcrux_ml_kem.Vector.Neon in
+ ()
+
+/// Unpacked encapsulate
+val encapsulate
+ (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+ usize)
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Get the unpacked public key.
+val unpack_public_key
+ (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (unpacked_public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Unpacked decapsulate
+val decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+ usize)
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Generate a key pair
+val generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ (out:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst
index dca261dd4..b9ce4c8b5 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst @@ -1,16 +1,14 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Neon in let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Neon in - let open Libcrux_ml_kem.Vector.Traits in () let validate_private_key @@ -25,6 +23,16 @@ let validate_private_key private_key ciphertext +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + public_key + let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) 
@@ -40,34 +48,24 @@ let decapsulate ciphertext let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) = Libcrux_ml_kem.Ind_cca.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE - v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR + v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem public_key randomness let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) = Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem randomness - -let validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT 
v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - Libcrux_ml_kem.Ind_cca.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti index e244a6ece..566639b4a 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti @@ -1,16 +1,14 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Neon in let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Neon in - let open Libcrux_ml_kem.Vector.Traits in () /// Portable private key validation 
@@ -18,11 +16,13 @@ val validate_private_key (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +/// Portable public key validation +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) /// Portable decapsulate val decapsulate 
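Review bot: The `requires` clause on `validate_private_key` — `Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ ...` — is replaced by `Prims.l_True`, and the newly declared `validate_public_key` carries `Prims.l_True` as well, so this interface no longer records that the size parameters are consistent with the rank; the same weakening appears for `decapsulate`, `encapsulate` and `generate_keypair` in the `@@ -30,64 +30,22 @@` hunk of this file and in the two matching hunks of `Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti`. Any size-consistency guarantee these entry points previously gave their callers now has to be re-established, if at all, inside the callee, and nothing in the hunk shows where that happens. Since these are hax-extracted files the cause presumably lies in the Rust-side annotations or the extraction run rather than in this file, but the "wip" commit message does not say whether the weakening is intended; if it is temporary, the description should say so. The `--z3rlimit` reduction from 100 to 15 in the same files is consistent with the specs having become trivial and will need to be revisited if the preconditions return. The `val validate_private_key` line itself is the hunk's header context, so the declaration starts before the hunk.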
@@ -30,64 +30,22 @@ val decapsulate usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - (requires - 
Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) /// Portable generate key pair. val generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) - (fun _ -> Prims.l_True) - -/// Portable public key validation -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE 
== Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K)
+ Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst
new file mode 100644
index 000000000..3d5ed41ba
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst
@@ -0,0 +1,89 @@
+module Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+open Core
+open FStar.Mul
+
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_kem.Hash_functions.Portable in
+ let open Libcrux_ml_kem.Vector.Portable in
+ ()
+
+let encapsulate
+ (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+ usize)
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (randomness: t_Array u8 (sz 32))
+ =
+ Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE
+ v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR
+ v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2
+ v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) public_key randomness
+
+let unpack_public_key
+ (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (unpacked_public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ =
+ let hax_temp_output, unpacked_public_key:(Prims.unit &
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+ (),
+ Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K
+ v_T_AS_NTT_ENCODED_SIZE
+ v_RANKED_BYTES_PER_RING_ELEMENT
+ v_PUBLIC_KEY_SIZE
+ #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K)
+ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ public_key
+ unpacked_public_key
+ <:
+ (Prims.unit &
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ in
+ unpacked_public_key
+
+let decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+ usize)
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ =
+ Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE
+ v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE
+ v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1
+ v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE
+ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) key_pair ciphertext
+
+let generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ (out:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ =
+ let hax_temp_output, out:(Prims.unit &
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) =
+ (),
+ Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE
+ v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE
+ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector
+ #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) randomness out
+ <:
+ (Prims.unit &
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ in
+ out
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti
new file mode 100644
index 000000000..ef16fb9d1
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti
@@ -0,0 +1,60 @@
+module Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+open Core
+open FStar.Mul
+
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Libcrux_ml_kem.Hash_functions.Portable in
+ let open Libcrux_ml_kem.Vector.Portable in
+ ()
+
+/// Unpacked encapsulate
+val encapsulate
+ (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE:
+ usize)
+ (public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (randomness: t_Array u8 (sz 32))
+ : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Get the unpacked public key.
+val unpack_public_key
+ (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE)
+ (unpacked_public_key:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Unpacked decapsulate
+val decapsulate
+ (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE:
+ usize)
+ (key_pair:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE)
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
+
+/// Generate a key pair
+val generate_keypair
+ (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE:
+ usize)
+ (randomness: t_Array u8 (sz 64))
+ (out:
+ Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ : Prims.Pure
+ (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K
+ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst
index 333f8fbbd..3ec3de8dc 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst @@ -1,16 +1,14 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Portable in let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Traits in () let validate_private_key @@ -25,6 +23,16 @@ let validate_private_key private_key ciphertext +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + public_key + let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) 
@@ -40,35 +48,25 @@ let decapsulate private_key ciphertext let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) = Libcrux_ml_kem.Ind_cca.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE - v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR + v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem public_key randomness let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) = Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem randomness - -let validate_public_key - (v_K 
v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - Libcrux_ml_kem.Ind_cca.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti index b62f5b8f2..5b75149d8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti @@ -1,16 +1,14 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Portable in let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Traits in () /// Portable private key validation 
@@ -18,11 +16,13 @@ val validate_private_key (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +/// Portable public key validation +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) /// Portable decapsulate val decapsulate 
@@ -30,64 +30,22 @@ val decapsulate usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - (requires - 
Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) /// Portable generate key pair. val generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) - (fun _ -> Prims.l_True) - -/// Portable public key validation -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE 
== Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst index 2fbb2ea3d..f945524c6 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Multiplexing -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -52,7 +52,7 @@ let decapsulate private_key ciphertext let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) 
@@ -61,23 +61,23 @@ let encapsulate then Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness else if Libcrux_platform.Platform.simd128_support () then Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness else Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) = @@ -87,7 +87,7 @@ let generate_keypair v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT + v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE randomness @@ -98,7 +98,7 @@ let generate_keypair v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT + v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE randomness 
@@ -107,7 +107,7 @@ let generate_keypair v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT + v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti index 4e231ea63..8323134a3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Multiplexing -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -7,73 +7,33 @@ val validate_private_key (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) val validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == 
Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) val generate_keypair - (v_K 
v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst index feecb5229..d06fe9daa 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Unpacked -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
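Review bot: The `requires` clauses that tie every size parameter of validate_private_key, validate_public_key, decapsulate, encapsulate and generate_keypair to the spec (e.g. `Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K`) are replaced by `Prims.l_True`, so F* no longer checks that callers instantiate the const generics consistently with the ML-KEM parameter sets, and whatever the proof said about the multiplexed API matching the spec is weakened accordingly. Since this is hax-extracted output, the change presumably originates in the Rust-side precondition annotations, and that is where it would need to be reverted or justified rather than in this .fsti. If dropping them is intentional for this wip step, a short note in the commit message saying the Spec.MLKEM preconditions are temporarily removed and will be restored would keep that visible to reviewers of the later patches. The preceding Instantiations hunk (its start lies outside this chunk) drops the same clauses on encapsulate, generate_keypair and validate_public_key, and the `--z3rlimit` reduction from 100 to 15 in these files likely only holds while these obligations are absent.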
@@ -10,49 +10,117 @@ let _ = let open Libcrux_ml_kem.Ind_cpa.Unpacked in let open Libcrux_ml_kem.Polynomial in let open Libcrux_ml_kem.Types in - let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Traits in () -let impl_2__private_key +let impl__serialized_public_key (v_K: usize) (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - = self.f_private_key + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + = + Core.Convert.f_into #(t_Array u8 v_PUBLIC_KEY_SIZE) + #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #v_Vector + self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) + <: + t_Array u8 v_PUBLIC_KEY_SIZE) -let impl_2__public_key +let impl__serialized_public_key_mut (v_K: usize) (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - = self.f_public_key + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE = + { + serialized with + Libcrux_ml_kem.Types.f_value + = + Libcrux_ml_kem.Ind_cpa.serialize_public_key_mut v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #v_Vector + self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) + serialized.Libcrux_ml_kem.Types.f_value + } + <: + 
Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE + in + serialized -let impl_2__serialized_private_key - (v_K: usize) - (#v_Vector: Type0) +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - = - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not yet implemented" - <: - Rust_primitives.Hax.t_Never) - -let impl_2__new - (v_K: usize) - (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (_: Prims.unit) + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) + (randomness: t_Array u8 (sz 32)) = - Core.Default.f_default #(t_MlKemKeyPairUnpacked v_K v_Vector) #FStar.Tactics.Typeclasses.solve () + let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = + Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) + in + let to_hash:t_Array u8 (sz 64) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash + ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize) + (Core.Slice.impl__copy_from_slice #u8 + (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + (public_key.f_public_key_hash <: t_Slice u8) + <: + t_Slice u8) + in + let hashed:t_Array u8 (sz 64) = + Libcrux_ml_kem.Hash_functions.f_G #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (to_hash <: t_Slice u8) + in + let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (hashed 
<: t_Slice u8) + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE + in + let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = + Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN + v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher + public_key.f_ind_cpa_public_key randomness pseudorandomness + in + let shared_secret_array:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let shared_secret_array:t_Array u8 (sz 32) = + Core.Slice.impl__copy_from_slice #u8 shared_secret_array shared_secret + in + Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + #(t_Array u8 v_CIPHERTEXT_SIZE) + #FStar.Tactics.Typeclasses.solve + ciphertext, + shared_secret_array + <: + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) let unpack_public_key (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) @@ -75,7 +143,8 @@ let unpack_public_key unpacked_public_key.f_ind_cpa_public_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt = - Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_T_AS_NTT_ENCODED_SIZE + v_K #v_Vector (public_key.Libcrux_ml_kem.Types.f_value.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE 
@@ -155,100 +224,57 @@ let unpack_public_key Libcrux_ml_kem.Hash_functions.f_H #v_Hasher #v_K #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) + (Libcrux_ml_kem.Types.impl_21__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) } <: t_MlKemPublicKeyUnpacked v_K v_Vector in unpacked_public_key -let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (#v_Vector #v_Hasher: Type0) +let impl_2__private_key + (v_K: usize) + (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + = self.f_private_key + +let impl_2__public_key + (v_K: usize) + (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) - (randomness: t_Array u8 (sz 32)) + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + = self.f_public_key + +let impl_2__serialized_private_key + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) = - let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = - Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) - in - let to_hash:t_Array u8 (sz 64) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash - ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize) - (Core.Slice.impl__copy_from_slice #u8 - (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } - <: - 
Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - (public_key.f_public_key_hash <: t_Slice u8) - <: - t_Slice u8) - in - let hashed:t_Array u8 (sz 64) = - Libcrux_ml_kem.Hash_functions.f_G #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (to_hash <: t_Slice u8) - in - let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (hashed <: t_Slice u8) - Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - in - let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = - Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher - public_key.f_ind_cpa_public_key randomness pseudorandomness - in - let shared_secret_array:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let shared_secret_array:t_Array u8 (sz 32) = - Core.Slice.impl__copy_from_slice #u8 shared_secret_array shared_secret - in - Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - #(t_Array u8 v_CIPHERTEXT_SIZE) - #FStar.Tactics.Typeclasses.solve - ciphertext, - shared_secret_array - <: - (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "not yet implemented" + <: + Rust_primitives.Hax.t_Never) -let impl__serialized_public_key_mut +let impl_2__serialized_public_key (v_K: usize) (#v_Vector: Type0) (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: + i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_MlKemPublicKeyUnpacked v_K v_Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (self: t_MlKemKeyPairUnpacked v_K v_Vector) = - let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE = - { - serialized with - 
Libcrux_ml_kem.Types.f_value - = - Libcrux_ml_kem.Ind_cpa.serialize_public_key_mut v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #v_Vector - self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt - (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) - serialized.Libcrux_ml_kem.Types.f_value - } - <: - Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE - in - serialized + impl__serialized_public_key v_K + #v_Vector + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + self.f_public_key let impl_2__serialized_public_key_mut (v_K: usize) 
@@ -274,53 +300,130 @@ let impl_2__serialized_public_key_mut in serialized -let impl__serialized_public_key +let impl_2__new (v_K: usize) (#v_Vector: Type0) - (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + (_: Prims.unit) = - Core.Convert.f_into #(t_Array u8 v_PUBLIC_KEY_SIZE) - #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Ind_cpa.serialize_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #v_Vector - self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt - (self.f_ind_cpa_public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A <: t_Slice u8) - <: - t_Array u8 v_PUBLIC_KEY_SIZE) + Core.Default.f_default #(t_MlKemKeyPairUnpacked v_K v_Vector) #FStar.Tactics.Typeclasses.solve () -let impl_2__serialized_public_key - (v_K: usize) - (#v_Vector: Type0) - (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (#v_Vector #v_Hasher: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_MlKemKeyPairUnpacked v_K v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = - impl__serialized_public_key v_K - #v_Vector - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - self.f_public_key + let decrypted:t_Array u8 (sz 32) = + 
Libcrux_ml_kem.Ind_cpa.decrypt_unpacked v_K + v_CIPHERTEXT_SIZE + v_C1_SIZE + v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR + #v_Vector + key_pair.f_private_key.f_ind_cpa_private_key + ciphertext.Libcrux_ml_kem.Types.f_value + in + let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = + Libcrux_ml_kem.Utils.into_padded_array (sz 64) (decrypted <: t_Slice u8) + in + let to_hash:t_Array u8 (sz 64) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash + ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize) + (Core.Slice.impl__copy_from_slice #u8 + (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + (key_pair.f_public_key.f_public_key_hash <: t_Slice u8) + <: + t_Slice u8) + in + let hashed:t_Array u8 (sz 64) = + Libcrux_ml_kem.Hash_functions.f_G #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (to_hash <: t_Slice u8) + in + let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (hashed <: t_Slice u8) + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE + in + let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8 + v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = + Libcrux_ml_kem.Utils.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + (key_pair.f_private_key.f_implicit_rejection_value <: t_Slice u8) + in + let to_hash:t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash + ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize) + (Core.Slice.impl__copy_from_slice #u8 + (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + (Core.Convert.f_as_ref #(Libcrux_ml_kem.Types.t_MlKemCiphertext 
v_CIPHERTEXT_SIZE) + #(t_Slice u8) + #FStar.Tactics.Typeclasses.solve + ciphertext + <: + t_Slice u8) + <: + t_Slice u8) + in + let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) = + Libcrux_ml_kem.Hash_functions.f_PRF #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (sz 32) + (to_hash <: t_Slice u8) + in + let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = + Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher + key_pair.f_public_key.f_ind_cpa_public_key decrypted pseudorandomness + in + let selector:u8 = + Libcrux_ml_kem.Constant_time_ops.compare_ciphertexts_in_constant_time (Core.Convert.f_as_ref #(Libcrux_ml_kem.Types.t_MlKemCiphertext + v_CIPHERTEXT_SIZE) + #(t_Slice u8) + #FStar.Tactics.Typeclasses.solve + ciphertext + <: + t_Slice u8) + (expected_ciphertext <: t_Slice u8) + in + Libcrux_ml_kem.Constant_time_ops.select_shared_secret_in_constant_time shared_secret + (implicit_rejection_shared_secret <: t_Slice u8) + selector let generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher #v_Scheme: Type0) + (#v_Vector #v_Hasher: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: + i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: + i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) (randomness: t_Array u8 (sz 64)) (out: t_MlKemKeyPairUnpacked v_K v_Vector) = @@ -346,7 +449,6 @@ let generate_keypair v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher - #v_Scheme ind_cpa_keypair_randomness out.f_private_key.f_ind_cpa_private_key out.f_public_key.f_ind_cpa_public_key 
@@ -383,7 +485,7 @@ let generate_keypair v_K (fun v__j -> let v__j:usize = v__j in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: 
@@ -522,107 +624,3 @@ let generate_keypair t_MlKemKeyPairUnpacked v_K v_Vector in out - -let decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (#v_Vector #v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - let decrypted:t_Array u8 (sz 32) = - Libcrux_ml_kem.Ind_cpa.decrypt_unpacked v_K - v_CIPHERTEXT_SIZE - v_C1_SIZE - v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR - #v_Vector - key_pair.f_private_key.f_ind_cpa_private_key - ciphertext.Libcrux_ml_kem.Types.f_value - in - let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = - Libcrux_ml_kem.Utils.into_padded_array (sz 64) (decrypted <: t_Slice u8) - in - let to_hash:t_Array u8 (sz 64) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash - ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize) - (Core.Slice.impl__copy_from_slice #u8 - (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - (key_pair.f_public_key.f_public_key_hash <: t_Slice u8) - <: - t_Slice u8) - in - let hashed:t_Array u8 (sz 64) = - Libcrux_ml_kem.Hash_functions.f_G #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (to_hash <: t_Slice u8) - in - let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (hashed <: t_Slice u8) - 
Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - in - let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8 - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = - Libcrux_ml_kem.Utils.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - (key_pair.f_private_key.f_implicit_rejection_value <: t_Slice u8) - in - let to_hash:t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash - ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize) - (Core.Slice.impl__copy_from_slice #u8 - (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - (Core.Convert.f_as_ref #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - #(t_Slice u8) - #FStar.Tactics.Typeclasses.solve - ciphertext - <: - t_Slice u8) - <: - t_Slice u8) - in - let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) = - Libcrux_ml_kem.Hash_functions.f_PRF #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (sz 32) - (to_hash <: t_Slice u8) - in - let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = - Libcrux_ml_kem.Ind_cpa.encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE - v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher - key_pair.f_public_key.f_ind_cpa_public_key decrypted pseudorandomness - in - let selector:u8 = - Libcrux_ml_kem.Constant_time_ops.compare_ciphertexts_in_constant_time (Core.Convert.f_as_ref #(Libcrux_ml_kem.Types.t_MlKemCiphertext - v_CIPHERTEXT_SIZE) - #(t_Slice u8) - #FStar.Tactics.Typeclasses.solve - ciphertext - <: - t_Slice u8) - (expected_ciphertext <: t_Slice u8) - in - Libcrux_ml_kem.Constant_time_ops.select_shared_secret_in_constant_time shared_secret - (implicit_rejection_shared_secret 
<: t_Slice u8) - selector diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti index 8a8daa153..fbd5de788 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Unpacked -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -10,7 +10,6 @@ let _ = let open Libcrux_ml_kem.Ind_cpa.Unpacked in let open Libcrux_ml_kem.Polynomial in let open Libcrux_ml_kem.Types in - let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Traits in () 
@@ -30,37 +29,28 @@ type t_MlKemPublicKeyUnpacked f_public_key_hash:t_Array u8 (sz 32) } -/// An unpacked ML-KEM KeyPair -type t_MlKemKeyPairUnpacked - (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - = { - f_private_key:t_MlKemPrivateKeyUnpacked v_K v_Vector; - f_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector -} - /// Get the serialized public key. -val impl_2__private_key +val impl__serialized_public_key (v_K: usize) (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - : Prims.Pure (t_MlKemPrivateKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) /// Get the serialized public key. -val impl_2__public_key - (v_K: usize) - (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -/// Get the serialized private key. -val impl_2__serialized_private_key +val impl__serialized_public_key_mut (v_K: usize) (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey v_K) Prims.l_True (fun _ -> Prims.l_True) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemPublicKeyUnpacked v_K v_Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_1 
@@ -89,6 +79,83 @@ let impl_1 t_MlKemPublicKeyUnpacked v_K v_Vector } +val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an unpacked key from a serialized key. +val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Hasher #v_Vector: Type0) + {| i2: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) + : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// An unpacked ML-KEM KeyPair +type t_MlKemKeyPairUnpacked + (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + = { + f_private_key:t_MlKemPrivateKeyUnpacked v_K v_Vector; + f_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector +} + +/// Get the serialized public key. +val impl_2__private_key + (v_K: usize) + (#v_Vector: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (t_MlKemPrivateKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized public key. 
+val impl_2__public_key + (v_K: usize) + (#v_Vector: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized private key. +val impl_2__serialized_private_key + (v_K: usize) + (#v_Vector: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPrivateKey v_K) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val impl_2__serialized_public_key + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val impl_2__serialized_public_key_mut + (v_K: usize) + (#v_Vector: Type0) + (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self: t_MlKemKeyPairUnpacked v_K v_Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_3 (v_K: usize) 
@@ -135,92 +202,23 @@ val impl_2__new: Prims.unit -> Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) -/// Generate an unpacked key from a serialized key. -val unpack_public_key - (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Hasher #v_Vector: Type0) - {| i2: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (unpacked_public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) - : Prims.Pure (t_MlKemPublicKeyUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) (#v_Vector #v_Hasher: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (public_key: t_MlKemPublicKeyUnpacked v_K v_Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Get the serialized public key. 
-val impl__serialized_public_key_mut - (v_K: usize) - (#v_Vector: Type0) - (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_MlKemPublicKeyUnpacked v_K v_Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Get the serialized public key. -val impl_2__serialized_public_key_mut - (v_K: usize) - (#v_Vector: Type0) - (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Get the serialized public key. -val impl__serialized_public_key - (v_K: usize) - (#v_Vector: Type0) - (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_MlKemPublicKeyUnpacked v_K v_Vector) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Get the serialized public key. 
-val impl_2__serialized_public_key - (v_K: usize) - (#v_Vector: Type0) - (v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_MlKemKeyPairUnpacked v_K v_Vector) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) + (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) /// Generate Unpacked Keys val generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher #v_Scheme: Type0) - {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} - (randomness: t_Array u8 (sz 64)) - (out: t_MlKemKeyPairUnpacked v_K v_Vector) - : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) (#v_Vector #v_Hasher: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (key_pair: t_MlKemKeyPairUnpacked v_K v_Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + (randomness: t_Array u8 (sz 64)) + (out: t_MlKemKeyPairUnpacked v_K v_Vector) + : Prims.Pure (t_MlKemKeyPairUnpacked v_K v_Vector) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst index 84a0cd81c..b8a238385 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -12,40 +12,6 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let validate_private_key - (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) - (#v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - let t:t_Array u8 (sz 32) = - Libcrux_ml_kem.Hash_functions.f_H #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (private_key.Libcrux_ml_kem.Types.f_value.[ { - Core.Ops.Range.f_start = sz 384 *! v_K <: usize; - Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 32 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - in - let expected:t_Slice u8 = - private_key.Libcrux_ml_kem.Types.f_value.[ { - Core.Ops.Range.f_start = (sz 768 *! v_K <: usize) +! sz 32 <: usize; - Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 64 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - in - t =. expected - -#push-options "--z3rlimit 150" - let serialize_kem_secret_key (v_K v_SERIALIZED_KEY_LEN: usize) (#v_Hasher: Type0) 
@@ -156,135 +122,8 @@ let serialize_kem_secret_key <: t_Slice u8) in - let _:Prims.unit = - let open Spec.Utils in - assert ((Seq.slice out 0 (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K))) - `Seq.equal` - private_key); - assert ((Seq.slice out - (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K)) - (v #usize_inttype - (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K))) - `Seq.equal` - public_key); - assert ((Seq.slice out - (v #usize_inttype - (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)) - (v #usize_inttype - (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K +! - Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE))) - `Seq.equal` - (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher #v_K public_key)); - assert (Seq.slice out - (v #usize_inttype - (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K +! - Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)) - (v #usize_inttype - (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K +! - Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE +! 
- Spec.MLKEM.v_SHARED_SECRET_SIZE)) == - implicit_rejection_value); - lemma_slice_append_4 out - private_key - public_key - (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher #v_K public_key) - implicit_rejection_value - in out -#pop-options - -#push-options "--z3rlimit 150" - -let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (#v_Vector #v_Hasher #v_Scheme: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (randomness: t_Array u8 (sz 32)) - = - let randomness:t_Array u8 (sz 32) = - Libcrux_ml_kem.Variant.f_entropy_preprocess #v_Scheme - #FStar.Tactics.Typeclasses.solve - v_K - #v_Hasher - (randomness <: t_Slice u8) - in - let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = - Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) - in - let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) randomness in - let to_hash:t_Array u8 (sz 64) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash - ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize) - (Core.Slice.impl__copy_from_slice #u8 - (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) - <: - t_Slice u8) - <: - t_Slice u8) - in - let 
_:Prims.unit = - assert (Seq.slice to_hash 0 (v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE) == randomness); - lemma_slice_append to_hash randomness (Spec.Utils.v_H public_key.f_value); - assert (to_hash == concat randomness (Spec.Utils.v_H public_key.f_value)) - in - let hashed:t_Array u8 (sz 64) = - Libcrux_ml_kem.Hash_functions.f_G #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - (to_hash <: t_Slice u8) - in - let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 - (hashed <: t_Slice u8) - Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - in - let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = - Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE - v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher - (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness - pseudorandomness - in - let ciphertext:Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE = - Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - #(t_Array u8 v_CIPHERTEXT_SIZE) - #FStar.Tactics.Typeclasses.solve - ciphertext - in - let shared_secret_array:t_Array u8 (sz 32) = - Libcrux_ml_kem.Variant.f_kdf #v_Scheme - #FStar.Tactics.Typeclasses.solve - v_K - v_CIPHERTEXT_SIZE - #v_Hasher - shared_secret - ciphertext - in - ciphertext, shared_secret_array - <: - (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - -#pop-options - let validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (#v_Vector: Type0) 
@@ -294,7 +133,8 @@ let validate_public_key (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) = let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced_out v_K + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced_out v_PUBLIC_KEY_SIZE + v_K #v_Vector (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } <: 
@@ -316,66 +156,37 @@ let validate_public_key in public_key =. public_key_serialized -let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (#v_Vector #v_Hasher #v_Scheme: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) +let validate_private_key + (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) + (#v_Hasher: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: + i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) - (randomness: t_Array u8 (sz 64)) + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) + (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = - let ind_cpa_keypair_randomness:t_Slice u8 = - randomness.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE - } - <: - Core.Ops.Range.t_Range usize ] + let t:t_Array u8 (sz 32) = + Libcrux_ml_kem.Hash_functions.f_H #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (private_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = sz 384 *! v_K <: usize; + Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! sz 32 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) in - let implicit_rejection_value:t_Slice u8 = - randomness.[ { - Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE + let expected:t_Slice u8 = + private_key.Libcrux_ml_kem.Types.f_value.[ { + Core.Ops.Range.f_start = (sz 768 *! v_K <: usize) +! sz 32 <: usize; + Core.Ops.Range.f_end = (sz 768 *! v_K <: usize) +! 
sz 64 <: usize } <: - Core.Ops.Range.t_RangeFrom usize ] - in - let ind_cpa_private_key, public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE & - t_Array u8 v_PUBLIC_KEY_SIZE) = - Libcrux_ml_kem.Ind_cpa.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher #v_Scheme - ind_cpa_keypair_randomness - in - let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE = - serialize_kem_secret_key v_K - v_PRIVATE_KEY_SIZE - #v_Hasher - (ind_cpa_private_key <: t_Slice u8) - (public_key <: t_Slice u8) - implicit_rejection_value - in - let (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE):Libcrux_ml_kem.Types.t_MlKemPrivateKey - v_PRIVATE_KEY_SIZE = - Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) - #(t_Array u8 v_PRIVATE_KEY_SIZE) - #FStar.Tactics.Typeclasses.solve - secret_key_serialized + Core.Ops.Range.t_Range usize ] in - Libcrux_ml_kem.Types.impl_21__from v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE - private_key - (Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - #(t_Array u8 v_PUBLIC_KEY_SIZE) - #FStar.Tactics.Typeclasses.solve - public_key - <: - Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - -#push-options "--z3rlimit 500" + t =. expected let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: 
@@ -391,10 +202,6 @@ let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = - let _:Prims.unit = - assert (v v_CIPHERTEXT_SIZE == - v v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - v Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - in let ind_cpa_secret_key, secret_key:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 (private_key.Libcrux_ml_kem.Types.f_value <: t_Slice u8) @@ -406,20 +213,6 @@ let decapsulate let ind_cpa_public_key_hash, implicit_rejection_value:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 secret_key Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE in - let _:Prims.unit = - assert (ind_cpa_secret_key == slice private_key.f_value (sz 0) v_CPA_SECRET_KEY_SIZE); - assert (ind_cpa_public_key == - slice private_key.f_value v_CPA_SECRET_KEY_SIZE (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE) - ); - assert (ind_cpa_public_key_hash == - slice private_key.f_value - (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE) - (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE)); - assert (implicit_rejection_value == - slice private_key.f_value - (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE) - (length private_key.f_value)) - in let decrypted:t_Array u8 (sz 32) = Libcrux_ml_kem.Ind_cpa.decrypt v_K v_CIPHERTEXT_SIZE @@ -433,7 +226,6 @@ let decapsulate let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = Libcrux_ml_kem.Utils.into_padded_array (sz 64) (decrypted <: t_Slice u8) in - let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) decrypted in let to_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } 
@@ -449,11 +241,6 @@ let decapsulate <: t_Slice u8) in - let _:Prims.unit = - lemma_slice_append to_hash decrypted ind_cpa_public_key_hash; - assert (decrypted == Spec.MLKEM.ind_cpa_decrypt v_K ind_cpa_secret_key ciphertext.f_value); - assert (to_hash == concat decrypted ind_cpa_public_key_hash) - in let hashed:t_Array u8 (sz 64) = Libcrux_ml_kem.Hash_functions.f_G #v_Hasher #v_K @@ -465,21 +252,11 @@ let decapsulate (hashed <: t_Slice u8) Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE in - let _:Prims.unit = - assert ((shared_secret, pseudorandomness) == - split hashed Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE); - assert (length implicit_rejection_value = - v_SECRET_KEY_SIZE -! v_CPA_SECRET_KEY_SIZE -! v_PUBLIC_KEY_SIZE -! - Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE); - assert (length implicit_rejection_value = Spec.MLKEM.v_SHARED_SECRET_SIZE); - assert (Spec.MLKEM.v_SHARED_SECRET_SIZE <=. Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) - in let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = Libcrux_ml_kem.Utils.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE implicit_rejection_value in - let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) implicit_rejection_value in let to_hash:t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } @@ -500,12 +277,6 @@ let decapsulate <: t_Slice u8) in - let _:Prims.unit = - assert_norm (pow2 32 == 0x100000000); - assert (v (sz 32) < pow2 32); - assert (i4.f_PRF_pre (sz 32) to_hash); - lemma_slice_append to_hash implicit_rejection_value ciphertext.f_value - in let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) = Libcrux_ml_kem.Hash_functions.f_PRF #v_Hasher #v_K 
@@ -513,10 +284,6 @@ let decapsulate (sz 32) (to_hash <: t_Slice u8) in - let _:Prims.unit = - assert (implicit_rejection_shared_secret == Spec.Utils.v_PRF (sz 32) to_hash); - assert (Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE) - in let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 
@@ -552,4 +319,142 @@ let decapsulate (shared_secret <: t_Slice u8) (implicit_rejection_shared_secret <: t_Slice u8) -#pop-options +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher #v_Scheme: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (randomness: t_Array u8 (sz 32)) + = + let randomness:t_Array u8 (sz 32) = + Libcrux_ml_kem.Variant.f_entropy_preprocess #v_Scheme + #FStar.Tactics.Typeclasses.solve + v_K + #v_Hasher + (randomness <: t_Slice u8) + in + let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = + Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) + in + let to_hash:t_Array u8 (sz 64) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash + ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize) + (Core.Slice.impl__copy_from_slice #u8 + (to_hash.[ { Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Types.impl_21__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) + <: + t_Slice u8) + <: + t_Slice u8) + in + let hashed:t_Array u8 (sz 64) = + Libcrux_ml_kem.Hash_functions.f_G #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + (to_hash <: t_Slice u8) + in + let shared_secret, pseudorandomness:(t_Slice u8 & t_Slice 
u8) = + Core.Slice.impl__split_at #u8 + (hashed <: t_Slice u8) + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE + in + let ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = + Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher + (Libcrux_ml_kem.Types.impl_21__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness + pseudorandomness + in + let ciphertext:Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE = + Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + #(t_Array u8 v_CIPHERTEXT_SIZE) + #FStar.Tactics.Typeclasses.solve + ciphertext + in + let shared_secret_array:t_Array u8 (sz 32) = + Libcrux_ml_kem.Variant.f_kdf #v_Scheme + #FStar.Tactics.Typeclasses.solve + v_K + v_CIPHERTEXT_SIZE + #v_Hasher + shared_secret + ciphertext + in + ciphertext, shared_secret_array + <: + (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher #v_Scheme: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) + (randomness: t_Array u8 (sz 64)) + = + let ind_cpa_keypair_randomness:t_Slice u8 = + randomness.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE + } + <: + Core.Ops.Range.t_Range usize ] + in + let implicit_rejection_value:t_Slice u8 = + randomness.[ { + Core.Ops.Range.f_start = 
Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE + } + <: + Core.Ops.Range.t_RangeFrom usize ] + in + let ind_cpa_private_key, public_key:(t_Array u8 v_CPA_PRIVATE_KEY_SIZE & + t_Array u8 v_PUBLIC_KEY_SIZE) = + Libcrux_ml_kem.Ind_cpa.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE + v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher #v_Scheme + ind_cpa_keypair_randomness + in + let secret_key_serialized:t_Array u8 v_PRIVATE_KEY_SIZE = + serialize_kem_secret_key v_K + v_PRIVATE_KEY_SIZE + #v_Hasher + (ind_cpa_private_key <: t_Slice u8) + (public_key <: t_Slice u8) + implicit_rejection_value + in + let (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE):Libcrux_ml_kem.Types.t_MlKemPrivateKey + v_PRIVATE_KEY_SIZE = + Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) + #(t_Array u8 v_PRIVATE_KEY_SIZE) + #FStar.Tactics.Typeclasses.solve + secret_key_serialized + in + Libcrux_ml_kem.Types.impl__from v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE + private_key + (Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + #(t_Array u8 v_PUBLIC_KEY_SIZE) + #FStar.Tactics.Typeclasses.solve + public_key + <: + Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti index cc03d69ee..5d53cee40 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -20,6 +20,25 @@ let v_KEY_GENERATION_SEED_SIZE: usize = Libcrux_ml_kem.Constants.v_CPA_PKE_KEY_GENERATION_SEED_SIZE +! Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +/// Serialize the secret key. +val serialize_kem_secret_key + (v_K v_SERIALIZED_KEY_LEN: usize) + (#v_Hasher: Type0) + {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (private_key public_key implicit_rejection_value: t_Slice u8) + : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) Prims.l_True (fun _ -> Prims.l_True) + +/// Validate an ML-KEM public key. +/// This implements the Modulus check in 7.2 2. +/// Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the +/// `public_key` type. +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Validate an ML-KEM private key. /// This implements the Hash check in 7.3 3. /// Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` 
@@ -30,34 +49,21 @@ val validate_private_key {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -/// Serialize the secret key. -val serialize_kem_secret_key - (v_K v_SERIALIZED_KEY_LEN: usize) - (#v_Hasher: Type0) - {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (private_key public_key implicit_rejection_value: t_Slice u8) - : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) - (requires - Spec.MLKEM.is_rank v_K /\ v_SERIALIZED_KEY_LEN == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - Core.Slice.impl__len #u8 private_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - Core.Slice.impl__len #u8 public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - Core.Slice.impl__len #u8 implicit_rejection_value == Spec.MLKEM.v_SHARED_SECRET_SIZE) - (ensures - fun result -> - let result:t_Array u8 v_SERIALIZED_KEY_LEN = result in - result == - Seq.append private_key - (Seq.append public_key (Seq.append (Spec.Utils.v_H public_key) implicit_rejection_value) - )) +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (#v_Vector #v_Hasher #v_Scheme: Type0) + {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} + (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey 
v_SECRET_KEY_SIZE) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (#v_Vector #v_Hasher #v_Scheme: Type0) {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} 
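Review bot: The `requires`/`ensures` clauses on `validate_private_key` and `serialize_kem_secret_key` are replaced with `Prims.l_True`, so the extracted interface no longer relates these functions to `Spec.MLKEM` (the rank and key-size preconditions, and the `Seq.append` layout guarantee for the serialized secret key); the same happens to `encapsulate` and `validate_public_key` in the next hunk of this file, and the matching proof bodies in Libcrux_ml_kem.Ind_cca.fst (`serialize_kem_secret_key`, `encapsulate`, `decapsulate`) lose their `assert`/lemma blocks together with the `#push-options "--z3rlimit 150"` and `"--z3rlimit 500"` wrappers, while every module header drops from `--z3rlimit 100` to `--z3rlimit 15`. Since these files are hax extractions, this presumably reflects the Rust-side annotations being dropped or the extraction being regenerated from a source without them, rather than an intentional weakening of the spec. For a commit marked wip it would help to say in the description that the ML-KEM spec-equivalence contracts are knowingly suspended and which follow-up restores them, so a reviewer of the series can tell a temporary gap from a lost proof obligation. Keeping the previous rlimit values until the assertions return would also avoid having to re-tune them later.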
@@ -66,40 +72,7 @@ val encapsulate (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) - (ensures - fun result -> - let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - = - result - in - let expected, valid = Spec.MLKEM.ind_cca_encapsulate v_K public_key.f_value randomness in - valid ==> (result._1.f_value, result._2) == expected) - -/// Validate an ML-KEM public key. -/// This implements the Modulus check in 7.2 2. -/// Note that the size check in 7.2 1 is covered by the `PUBLIC_KEY_SIZE` in the -/// `public_key` type. -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) /// Packed API 
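Review bot: The `validate_public_key` declaration disappears from this interface together with the doc comment explaining that it implements the modulus check of 7.2 2 and that the size check of 7.2 1 is covered by the `PUBLIC_KEY_SIZE` type, and no replacement is visible in this hunk. Callers of the packed API thereby lose the only visible statement that a modulus check on incoming public keys exists; if the check moved, the interface should still expose it, and if it was dropped unintentionally during regeneration it should come back with its precondition `v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K`. The `val encapsulate` signature starts outside this hunk.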
@@ -107,7 +80,7 @@ val validate_public_key /// Depending on the `Vector` and `Hasher` used, this requires different hardware /// features val generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (#v_Vector #v_Hasher #v_Scheme: Type0) {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} 
@@ -115,50 +88,5 @@ val generate_keypair {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) - (ensures - fun result -> - let result:Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = - result - in - let expected, valid = Spec.MLKEM.ind_cca_generate_keypair v_K randomness in - valid ==> (result.f_sk.f_value, result.f_pk.f_value) == expected) - -/// This code verifies on some machines, runs out of memory on others -val decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (#v_Vector #v_Hasher #v_Scheme: Type0) - {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} - (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == 
Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - let expected, valid = - Spec.MLKEM.ind_cca_decapsulate v_K private_key.f_value ciphertext.f_value - in - valid ==> result == expected) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti index b7e0c4efc..11603e5ef 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cpa.Unpacked -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -14,15 +14,6 @@ type t_IndCpaPrivateKeyUnpacked (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} = { f_secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K } -/// An unpacked ML-KEM IND-CPA Private Key -type t_IndCpaPublicKeyUnpacked - (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - = { - f_t_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K; - f_seed_for_A:t_Array u8 (sz 32); - f_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K -} - [@@ FStar.Tactics.Typeclasses.tcinstance] let impl (v_K: usize) @@ -40,7 +31,7 @@ let impl { f_secret_as_ntt = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K @@ -49,6 +40,15 @@ let impl t_IndCpaPrivateKeyUnpacked v_K v_Vector } +/// An unpacked ML-KEM IND-CPA Private Key +type t_IndCpaPublicKeyUnpacked + (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + = { + f_t_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K; + f_seed_for_A:t_Array u8 (sz 32); + f_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K +} + [@@ FStar.Tactics.Typeclasses.tcinstance] let impl_1 (v_K: usize) 
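Review bot: The doc comment re-attached to `t_IndCpaPublicKeyUnpacked` in the `@@ -49,6 +40,15 @@` hunk still reads `/// An unpacked ML-KEM IND-CPA Private Key`, but the record holds `f_t_as_ntt`, `f_seed_for_A` and `f_A`, i.e. the public key; the removed copy carried the same wrong text. As this file is extracted, the fix belongs on the Rust doc comment so that the next extraction yields `/// An unpacked ML-KEM IND-CPA Public Key`. Moving the type below `impl` is otherwise only a reorder.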
@@ -66,14 +66,14 @@ let impl_1 { f_t_as_ntt = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K; f_seed_for_A = Rust_primitives.Hax.repeat 0uy (sz 32); f_A = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst index ff00058a1..e905c5190 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -12,55 +12,6 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let deserialize_secret_key - (v_K: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (secret_key: t_Slice u8) - = - let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun temp_0_ -> - let _:usize = temp_0_ in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT - secret_key - (fun secret_as_ntt temp_1_ -> - let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K - = - secret_as_ntt - in - let _:usize = temp_1_ in - true) - secret_as_ntt - (fun secret_as_ntt temp_1_ -> - let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K - = - secret_as_ntt - in - let i, secret_bytes:(usize & t_Slice u8) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize secret_as_ntt - i - (Libcrux_ml_kem.Serialize.deserialize_to_uncompressed_ring_element #v_Vector - secret_bytes - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - secret_as_ntt - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - let sample_ring_element_cbd (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) (#v_Vector #v_Hasher: Type0) 
@@ -78,19 +29,18 @@ let sample_ring_element_cbd v_K (fun v__i -> let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = Rust_primitives.Hax.repeat prf_input v_K in - let v__domain_separator_init:u8 = domain_separator in let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = Rust_primitives.Hax.Folds.fold_range (sz 0) v_K - (fun temp_0_ i -> + (fun temp_0_ temp_1_ -> let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = temp_0_ in - let i:usize = i in - v domain_separator == v v__domain_separator_init + v i) + let _:usize = temp_1_ in + true) (domain_separator, prf_inputs <: (u8 & t_Array (t_Array u8 (sz 33)) v_K)) (fun temp_0_ i -> let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = temp_0_ in @@ -142,15 +92,9 @@ let sample_ring_element_cbd <: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) in - let result:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = - error_1_, domain_separator - <: - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -#push-options "--admit_smt_queries true" + error_1_, domain_separator + <: + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) let sample_vector_cbd_then_ntt (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) 
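Review bot: The loop invariant for the `fold_range` over `v_K` in `sample_ring_element_cbd` is reduced from `v domain_separator == v v__domain_separator_init + v i` to `true`, and the `v__domain_separator_init` snapshot is deleted, so the proof no longer records that the `u8` domain separator advances by exactly one per iteration; the second hunk on this line also removes the `admit () (* Panic freedom *)` and the `#push-options "--admit_smt_queries true"` that previously covered the remaining obligations. The same invariant is dropped for `sample_vector_cbd_then_ntt` in the `@@ -166,14 +110,13 @@` hunk. If these bodies are expected to verify with the trivial invariant, a short comment saying why would help; if this is a regeneration checkpoint instead, keeping `--admit_smt_queries true` around these definitions until the invariants are restored would make the unproven state explicit. The body of the fold continues outside the hunk.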
@@ -166,14 +110,13 @@ let sample_vector_cbd_then_ntt (domain_separator: u8) = let prf_inputs:t_Array (t_Array u8 (sz 33)) v_K = Rust_primitives.Hax.repeat prf_input v_K in - let v__domain_separator_init:u8 = domain_separator in let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = Rust_primitives.Hax.Folds.fold_range (sz 0) v_K - (fun temp_0_ i -> + (fun temp_0_ temp_1_ -> let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = temp_0_ in - let i:usize = i in - v domain_separator == v v__domain_separator_init + v i) + let _:usize = temp_1_ in + true) (domain_separator, prf_inputs <: (u8 & t_Array (t_Array u8 (sz 33)) v_K)) (fun temp_0_ i -> let domain_separator, prf_inputs:(u8 & t_Array (t_Array u8 (sz 33)) v_K) = temp_0_ in @@ -239,8 +182,6 @@ let sample_vector_cbd_then_ntt <: (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) -#pop-options - let sample_vector_cbd_then_ntt_out (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) (#v_Vector #v_Hasher: Type0) @@ -258,7 +199,7 @@ let sample_vector_cbd_then_ntt_out v_K (fun v__i -> let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in 
@@ -274,119 +215,9 @@ let sample_vector_cbd_then_ntt_out in let re_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = tmp0 in let domain_separator:u8 = out in - let result:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = - re_as_ntt, domain_separator - <: - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -let generate_keypair_unpacked - (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher #v_Scheme: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i4: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (#[FStar.Tactics.Typeclasses.tcresolve ()] i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme) - (key_generation_seed: t_Slice u8) - (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) - (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) - = - let hashed:t_Array u8 (sz 64) = - Libcrux_ml_kem.Variant.f_cpa_keygen_seed #v_Scheme - #FStar.Tactics.Typeclasses.solve - v_K - #v_Hasher - key_generation_seed - in - let seed_for_A, seed_for_secret_and_error:(t_Slice u8 & t_Slice u8) = - Core.Slice.impl__split_at #u8 (hashed <: t_Slice u8) (sz 32) - in - let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = - { - public_key with - Libcrux_ml_kem.Ind_cpa.Unpacked.f_A - = - Libcrux_ml_kem.Matrix.sample_matrix_A v_K - #v_Vector - #v_Hasher - public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A - (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed_for_A <: t_Array u8 (sz 34)) - true - } - <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector - in - let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = - Libcrux_ml_kem.Utils.into_padded_array (sz 33) seed_for_secret_and_error - in 
- let tmp0, out:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = - sample_vector_cbd_then_ntt v_K - v_ETA1 - v_ETA1_RANDOMNESS_SIZE - #v_Vector - #v_Hasher - private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt - prf_input - 0uy - in - let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = - { private_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = tmp0 } - <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector - in - let domain_separator:u8 = out in - let error_as_ntt, _:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8 - ) = - sample_vector_cbd_then_ntt_out v_K - v_ETA1 - v_ETA1_RANDOMNESS_SIZE - #v_Vector - #v_Hasher - prf_input - domain_separator - in - let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = - { - public_key with - Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt - = - Libcrux_ml_kem.Matrix.compute_As_plus_e v_K - #v_Vector - public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt - public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A - private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt - error_as_ntt - } - <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector - in - let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = - { - public_key with - Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A - = - Core.Result.impl__unwrap #(t_Array u8 (sz 32)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 32)) - #FStar.Tactics.Typeclasses.solve - seed_for_A - <: - Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError) - } - <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector - in - let hax_temp_output:Prims.unit = admit () (* Panic freedom *) in - private_key, public_key + re_as_ntt, domain_separator <: - 
(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) let compress_then_serialize_u (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize) 
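Review bot: The `generate_keypair_unpacked` removed here takes `#v_Scheme` with a `t_Variant v_Scheme` instance and derives the seed through `f_cpa_keygen_seed #v_Scheme`, whereas the version re-added further down (in the `@@ -621,275 +726,113 @@` hunk, which runs past this excerpt) drops the `v_Scheme` parameter and calls `f_cpa_keygen_seed #Libcrux_ml_kem.Variant.t_MlKem` directly. That hard-wires the ML-KEM seed derivation into the unpacked keygen path while the `generate_keypair` declaration in the interface hunks earlier on this page still takes `v_Scheme` and a `t_Variant v_Scheme` instance; if the `Variant` abstraction is still meant to select the seed derivation, the parameter should be restored, and if the hard-wiring is intentional the interface should drop `v_Scheme` consistently. This presumably mirrors the Rust source, so the change belongs there rather than in the extraction.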
@@ -397,94 +228,369 @@ let compress_then_serialize_u (input: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (out: t_Slice u8) = - let _:Prims.unit = - assert ((v Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT * v v_COMPRESSION_FACTOR) / 8 == - 320 \/ - (v Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT * v v_COMPRESSION_FACTOR) / 8 == - 352) - in let out:t_Slice u8 = Rust_primitives.Hax.Folds.fold_enumerated_slice input - (fun out i -> + (fun out temp_1_ -> let out:t_Slice u8 = out in - let i:usize = i in - v i < v v_K ==> - (Seq.length out == v v_OUT_LEN /\ - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index input (v i)))) + let _:usize = temp_1_ in + true) out (fun out temp_1_ -> let out:t_Slice u8 = out in let i, re:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = temp_1_ in - let out:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range out - ({ - Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (out.[ { - Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (Libcrux_ml_kem.Serialize.compress_then_serialize_ring_element_u v_COMPRESSION_FACTOR - v_BLOCK_LEN - #v_Vector - re + Rust_primitives.Hax.Monomorphized_update_at.update_at_range out + ({ + Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize; + Core.Ops.Range.f_end = (i +! sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (out.[ { + Core.Ops.Range.f_start = i *! (v_OUT_LEN /! v_K <: usize) <: usize; + Core.Ops.Range.f_end + = + (i +! 
sz 1 <: usize) *! (v_OUT_LEN /! v_K <: usize) <: usize + } <: - t_Slice u8) - <: - t_Slice u8) - in - out) + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_kem.Serialize.compress_then_serialize_ring_element_u v_COMPRESSION_FACTOR + v_BLOCK_LEN + #v_Vector + re + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Slice u8) in - let result:Prims.unit = () <: Prims.unit in - let _:Prims.unit = admit () (* Panic freedom *) in - let hax_temp_output:Prims.unit = result in + let hax_temp_output:Prims.unit = () <: Prims.unit in out -#push-options "--z3rlimit 200" - -let encrypt_unpacked - (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (#v_Vector #v_Hasher: Type0) +let deserialize_then_decompress_u + (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: + i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) - (message: t_Array u8 (sz 32)) - (randomness: t_Slice u8) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) = - let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = - Libcrux_ml_kem.Utils.into_padded_array (sz 33) randomness + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + (fun temp_0_ -> + let _:usize = temp_0_ in + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in - let r_as_ntt, domain_separator:(t_Array - (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & - u8) = - sample_vector_cbd_then_ntt_out v_K - v_ETA1 - v_ETA1_RANDOMNESS_SIZE - 
#v_Vector - #v_Hasher - prf_input - 0uy + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! + v_U_COMPRESSION_FACTOR + <: + usize) /! + sz 8 + <: + usize) + (ciphertext <: t_Slice u8) + (fun u_as_ntt temp_1_ -> + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + u_as_ntt + in + let _:usize = temp_1_ in + true) + u_as_ntt + (fun u_as_ntt temp_1_ -> + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + u_as_ntt + in + let i, u_bytes:(usize & t_Slice u8) = temp_1_ in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt + i + (Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR + #v_Vector + u_bytes + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt + i + (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR + #v_Vector + (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + u_as_ntt) in - let error_1_, domain_separator:(t_Array + u_as_ntt + +let deserialize_secret_key + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (secret_key: t_Slice u8) + = + let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + (fun temp_0_ -> + let _:usize = temp_0_ in + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () + 
<: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT + secret_key + (fun secret_as_ntt temp_1_ -> + let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K + = + secret_as_ntt + in + let _:usize = temp_1_ in + true) + secret_as_ntt + (fun secret_as_ntt temp_1_ -> + let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K + = + secret_as_ntt + in + let i, secret_bytes:(usize & t_Slice u8) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize secret_as_ntt + i + (Libcrux_ml_kem.Serialize.deserialize_to_uncompressed_ring_element #v_Vector + secret_bytes + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + in + secret_as_ntt + +let serialize_secret_key + (v_K v_OUT_LEN: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + = + let out:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in + let out:t_Array u8 v_OUT_LEN = + Rust_primitives.Hax.Folds.fold_enumerated_slice key + (fun out temp_1_ -> + let out:t_Array u8 v_OUT_LEN = out in + let _:usize = temp_1_ in + true) + out + (fun out temp_1_ -> + let out:t_Array u8 v_OUT_LEN = out in + let i, re:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + temp_1_ + in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range out + ({ + Core.Ops.Range.f_start + = + i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (out.[ { + Core.Ops.Range.f_start + = + i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT + <: + usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_kem.Serialize.serialize_uncompressed_ring_element #v_Vector re + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUT_LEN) + in + out + +let serialize_public_key_mut + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (seed_for_a: t_Slice u8) + (serialized: t_Array u8 v_PUBLIC_KEY_SIZE) + = + let serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (serialize_secret_key v_K v_RANKED_BYTES_PER_RING_ELEMENT #v_Vector tt_as_ntt + <: + t_Slice u8) + <: + t_Slice u8) + in + let serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from serialized + ({ Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } + <: + Core.Ops.Range.t_RangeFrom usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + seed_for_a + <: + t_Slice u8) + in + 
serialized + +let serialize_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (seed_for_a: t_Slice u8) + = + let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + Rust_primitives.Hax.repeat 0uy v_PUBLIC_KEY_SIZE + in + let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = + serialize_public_key_mut v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #v_Vector + tt_as_ntt + seed_for_a + public_key_serialized + in + public_key_serialized + +let decrypt_unpacked + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + = + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialize_then_decompress_u v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR #v_Vector ciphertext + in + let v:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_v v_V_COMPRESSION_FACTOR + #v_Vector + (ciphertext.[ { Core.Ops.Range.f_start = v_VECTOR_U_ENCODED_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + in + let message:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Matrix.compute_message v_K + #v_Vector + v + secret_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt + u_as_ntt + in + Libcrux_ml_kem.Serialize.compress_then_serialize_message #v_Vector message + +let decrypt + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + 
usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (secret_key: t_Slice u8) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + = + let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialize_secret_key v_K #v_Vector secret_key + in + let secret_key_unpacked:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = + { Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = secret_as_ntt } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector + in + decrypt_unpacked v_K + v_CIPHERTEXT_SIZE + v_VECTOR_U_ENCODED_SIZE + v_U_COMPRESSION_FACTOR + v_V_COMPRESSION_FACTOR + #v_Vector + secret_key_unpacked + ciphertext + +let encrypt_unpacked + (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (#v_Vector #v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + (message: t_Array u8 (sz 32)) + (randomness: t_Slice u8) + = + let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = + Libcrux_ml_kem.Utils.into_padded_array (sz 33) randomness + in + let r_as_ntt, domain_separator:(t_Array + (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & + u8) = + sample_vector_cbd_then_ntt_out v_K + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + #v_Vector + #v_Hasher + prf_input + 0uy + in + let error_1_, domain_separator:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = sample_ring_element_cbd v_K 
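Review bot: `deserialize_secret_key`, re-added in this hunk, folds `secret_key` in chunks of `v_BYTES_PER_RING_ELEMENT` and writes each chunk with `update_at_usize secret_as_ntt i`, but neither it nor `decrypt`, which forwards an unconstrained `secret_key: t_Slice u8`, states any relation between the slice length and `v_K`; with the fold invariant now the constant `true` and the previous `admit () (* Panic freedom *)` gone, the `i < v_K` bound has no visible source. The same pattern applies to `compress_then_serialize_u` at the top of the hunk, where the invariant `v i < v v_K ==> (Seq.length out == v v_OUT_LEN /\ ...)` and the `320 \/ 352` assertion are deleted together with the admit. If the Rust side carries a length precondition that hax did not emit here, a comment naming it would help; otherwise a `requires` relating `Core.Slice.impl__len #u8 secret_key` to `v_K *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT` is the missing piece. `encrypt_unpacked`'s body continues outside the hunk.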
@@ -563,8 +669,6 @@ let encrypt_unpacked in ciphertext -#pop-options - let encrypt (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) @@ -589,7 +693,8 @@ let encrypt unpacked_public_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt = - Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_T_AS_NTT_ENCODED_SIZE + v_K #v_Vector (public_key.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE } <: 
@@ -621,275 +726,113 @@ let encrypt <: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector in - let result:t_Array u8 v_CIPHERTEXT_SIZE = - encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN - v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher unpacked_public_key message randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + encrypt_unpacked v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN + v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher unpacked_public_key message randomness -let deserialize_then_decompress_u - (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) +let generate_keypair_unpacked + (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) + (#v_Vector #v_Hasher: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: + i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (key_generation_seed: t_Slice u8) + (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) = - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + let hashed:t_Array u8 (sz 64) = + Libcrux_ml_kem.Variant.f_cpa_keygen_seed #Libcrux_ml_kem.Variant.t_MlKem + #FStar.Tactics.Typeclasses.solve v_K - (fun temp_0_ -> - let _:usize = temp_0_ in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + #v_Hasher + key_generation_seed in - let u_as_ntt:t_Array 
(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! - v_U_COMPRESSION_FACTOR - <: - usize) /! - sz 8 - <: - usize) - (ciphertext <: t_Slice u8) - (fun u_as_ntt temp_1_ -> - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - u_as_ntt - in - let _:usize = temp_1_ in - true) - u_as_ntt - (fun u_as_ntt temp_1_ -> - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - u_as_ntt - in - let i, u_bytes:(usize & t_Slice u8) = temp_1_ in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt - i - (Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR - #v_Vector - u_bytes - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt - i - (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR - #v_Vector - (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - u_as_ntt) + let seed_for_A, seed_for_secret_and_error:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 (hashed <: t_Slice u8) (sz 32) in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = u_as_ntt in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -let decrypt_unpacked - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (secret_key: 
Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - = - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialize_then_decompress_u v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR #v_Vector ciphertext + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + { + public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + = + Libcrux_ml_kem.Matrix.sample_matrix_A v_K + #v_Vector + #v_Hasher + public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + (Libcrux_ml_kem.Utils.into_padded_array (sz 34) seed_for_A <: t_Array u8 (sz 34)) + true + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector in - let v:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_v v_V_COMPRESSION_FACTOR - #v_Vector - (ciphertext.[ { Core.Ops.Range.f_start = v_VECTOR_U_ENCODED_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) + let (prf_input: t_Array u8 (sz 33)):t_Array u8 (sz 33) = + Libcrux_ml_kem.Utils.into_padded_array (sz 33) seed_for_secret_and_error in - let message:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Matrix.compute_message v_K + let tmp0, out:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) = + sample_vector_cbd_then_ntt v_K + v_ETA1 + v_ETA1_RANDOMNESS_SIZE #v_Vector - v - secret_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt - u_as_ntt - in - Libcrux_ml_kem.Serialize.compress_then_serialize_message #v_Vector message - -let decrypt - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (secret_key: t_Slice u8) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - = - let secret_as_ntt:t_Array 
(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialize_secret_key v_K #v_Vector secret_key + #v_Hasher + private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt + prf_input + 0uy in - let secret_key_unpacked:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = - { Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = secret_as_ntt } + let private_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = + { private_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = tmp0 } <: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector in - let result:t_Array u8 (sz 32) = - decrypt_unpacked v_K - v_CIPHERTEXT_SIZE - v_VECTOR_U_ENCODED_SIZE - v_U_COMPRESSION_FACTOR - v_V_COMPRESSION_FACTOR + let domain_separator:u8 = out in + let error_as_ntt, _:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8 + ) = + sample_vector_cbd_then_ntt_out v_K + v_ETA1 + v_ETA1_RANDOMNESS_SIZE #v_Vector - secret_key_unpacked - ciphertext - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -#push-options "--z3rlimit 200" - -let serialize_secret_key - (v_K v_OUT_LEN: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - = - let out:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in - let out:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Folds.fold_enumerated_slice key - (fun out i -> - let out:t_Array u8 v_OUT_LEN = out in - let i:usize = i in - v i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key (v i))) - out - (fun out temp_1_ -> - let out:t_Array u8 v_OUT_LEN = out in - let i, re:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_1_ - in - let out:t_Array u8 v_OUT_LEN = - 
Rust_primitives.Hax.Monomorphized_update_at.update_at_range out - ({ - Core.Ops.Range.f_start - = - i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (out.[ { - Core.Ops.Range.f_start - = - i *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <: usize; - Core.Ops.Range.f_end - = - (i +! sz 1 <: usize) *! Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT - <: - usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (Libcrux_ml_kem.Serialize.serialize_uncompressed_ring_element #v_Vector re - <: - t_Slice u8) - <: - t_Slice u8) - in - out) - in - let result:t_Array u8 v_OUT_LEN = out in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -#pop-options - -let serialize_public_key_mut - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (seed_for_a: t_Slice u8) - (serialized: t_Array u8 v_PUBLIC_KEY_SIZE) - = - let serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (serialize_secret_key v_K v_RANKED_BYTES_PER_RING_ELEMENT #v_Vector tt_as_ntt - <: - t_Slice u8) - <: - t_Slice u8) - in - let serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from serialized - ({ 
Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } - <: - Core.Ops.Range.t_RangeFrom usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { Core.Ops.Range.f_start = v_RANKED_BYTES_PER_RING_ELEMENT } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - seed_for_a - <: - t_Slice u8) + #v_Hasher + prf_input + domain_separator in - let hax_temp_output:Prims.unit = admit () (* Panic freedom *) in - serialized - -let serialize_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (seed_for_a: t_Slice u8) - = - let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - Rust_primitives.Hax.repeat 0uy v_PUBLIC_KEY_SIZE + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + { + public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + = + Libcrux_ml_kem.Matrix.compute_As_plus_e v_K + #v_Vector + public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt + public_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_A + private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt + error_as_ntt + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector in - let public_key_serialized:t_Array u8 v_PUBLIC_KEY_SIZE = - serialize_public_key_mut v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #v_Vector - tt_as_ntt - seed_for_a - public_key_serialized + let public_key:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector = + { + public_key with + Libcrux_ml_kem.Ind_cpa.Unpacked.f_seed_for_A + = + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_A + <: + Core.Result.t_Result (t_Array u8 (sz 32)) 
Core.Array.t_TryFromSliceError) + } + <: + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector in - let result:t_Array u8 v_PUBLIC_KEY_SIZE = public_key_serialized in - let _:Prims.unit = admit () (* Panic freedom *) in - result + private_key, public_key + <: + (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) let generate_keypair (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: @@ -922,7 +865,6 @@ let generate_keypair v_ETA1_RANDOMNESS_SIZE #v_Vector #v_Hasher - #v_Scheme key_generation_seed private_key public_key @@ -944,10 +886,6 @@ let generate_keypair #v_Vector private_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt in - let result:(t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) = - secret_key_serialized, public_key_serialized - <: - (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + secret_key_serialized, public_key_serialized + <: + (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti index f1df187af..90653fb7b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
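Review bot: In the new `generate_keypair_unpacked` body the CPA seed derivation is pinned to `Libcrux_ml_kem.Variant.f_cpa_keygen_seed #Libcrux_ml_kem.Variant.t_MlKem`, and the following hunk drops `#v_Scheme` from `generate_keypair`'s call, while `generate_keypair`'s own `val` in this commit still carries `{| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |}`. As far as the extraction shows, the scheme parameter therefore no longer reaches keygen seed hashing, so a caller selecting a non-ML-KEM variant (presumably Kyber, whose keygen seed derivation differs from ML-KEM's) would silently get ML-KEM key generation from `generate_keypair`. If the Variant abstraction is meant to stay, the Rust source this file is extracted from should keep threading the scheme through, i.e. `(#v_Vector #v_Hasher #v_Scheme: Type0)` on `generate_keypair_unpacked` and `Libcrux_ml_kem.Variant.f_cpa_keygen_seed #v_Scheme` at the call; if the variant is being removed on purpose, `v_Scheme` should also be removed from `generate_keypair` so it is not a dead, misleading parameter. `generate_keypair`'s body continues outside this hunk.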
@@ -12,24 +12,6 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -/// Call [`deserialize_to_uncompressed_ring_element`] for each ring element. -val deserialize_secret_key - (v_K: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (secret_key: t_Slice u8) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires - Spec.MLKEM.is_rank v_K /\ length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v (Core.Slice.impl__len #u8 secret_key) / - v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT <= - v v_K) - (ensures - fun res -> - let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in - Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res == - Spec.MLKEM.vector_decode_12 #v_K secret_key) - /// Sample a vector of ring elements from a centered binomial distribution. val sample_ring_element_cbd (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) @@ -39,9 +21,7 @@ val sample_ring_element_cbd (prf_input: t_Array u8 (sz 33)) (domain_separator: u8) : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) - (requires - Spec.MLKEM.is_rank v_K /\ v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ range (v domain_separator + v v_K) u8_inttype) + Prims.l_True (fun _ -> Prims.l_True) /// Sample a vector of ring elements from a centered binomial distribution and 
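Review bot: `val sample_ring_element_cbd` loses its precondition `range (v domain_separator + v v_K) u8_inttype`, which was the only interface-level guarantee that advancing the `u8` domain separator by `v_K` cannot overflow. The callers visible in this diff chain the separator from one sampling call into the next (`encrypt_unpacked` feeds the value returned by `sample_vector_cbd_then_ntt_out` into `sample_ring_element_cbd`, and `generate_keypair_unpacked` passes the `out` of `sample_vector_cbd_then_ntt` on as `domain_separator`), so every call site relies on this bound; with `Prims.l_True` the overflow obligation can presumably only be discharged inside the `.fst` by an admit, or not at all. Consider keeping at least `(requires range (v domain_separator + v v_K) u8_inttype)` on this `val` and on the two `sample_vector_cbd_then_ntt*` vals even while the `Spec.MLKEM` equivalence is being reworked.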
@@ -55,22 +35,8 @@ val sample_vector_cbd_then_ntt (prf_input: t_Array u8 (sz 33)) (domain_separator: u8) : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) - (requires - Spec.MLKEM.is_rank v_K /\ v_ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA == Spec.MLKEM.v_ETA1 v_K /\ v domain_separator < 2 * v v_K /\ - range (v domain_separator + v v_K) u8_inttype) - (ensures - fun temp_0_ -> - let re_as_ntt_future, ds:(t_Array - (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & - u8) = - temp_0_ - in - v ds == v domain_separator + v v_K /\ - Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re_as_ntt_future == - Spec.MLKEM.sample_vector_cbd_then_ntt #v_K - (Seq.slice prf_input 0 32) - (sz (v domain_separator))) + Prims.l_True + (fun _ -> Prims.l_True) val sample_vector_cbd_then_ntt_out (v_K v_ETA v_ETA_RANDOMNESS_SIZE: usize) 
@@ -80,88 +46,8 @@ val sample_vector_cbd_then_ntt_out (prf_input: t_Array u8 (sz 33)) (domain_separator: u8) : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) - (requires - Spec.MLKEM.is_rank v_K /\ v_ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA == Spec.MLKEM.v_ETA1 v_K /\ v domain_separator < 2 * v v_K /\ - range (v domain_separator + v v_K) u8_inttype) - (ensures - fun temp_0_ -> - let re, ds:(t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K & u8) - = - temp_0_ - in - v ds == v domain_separator + v v_K /\ - Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector re == - Spec.MLKEM.sample_vector_cbd_then_ntt #v_K - (Seq.slice prf_input 0 32) - (sz (v domain_separator))) - -/// This function implements most of Algorithm 12 of the -/// NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation algorithm. -/// We say \"most of\" since Algorithm 12 samples the required randomness within -/// the function itself, whereas this implementation expects it to be provided -/// through the `key_generation_seed` parameter. -/// Algorithm 12 is reproduced below: -/// ```plaintext -/// Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. -/// Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. -/// d ←$ B -/// (ρ,σ) ← G(d) -/// N ← 0 -/// for (i ← 0; i < k; i++) -/// for(j ← 0; j < k; j++) -/// Â[i,j] ← SampleNTT(XOF(ρ, i, j)) -/// end for -/// end for -/// for(i ← 0; i < k; i++) -/// s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) -/// N ← N + 1 -/// end for -/// for(i ← 0; i < k; i++) -/// e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) -/// N ← N + 1 -/// end for -/// ŝ ← NTT(s) -/// ê ← NTT(e) -/// t\u{302} ← Â◦ŝ + ê -/// ekₚₖₑ ← ByteEncode₁₂(t\u{302}) ‖ ρ -/// dkₚₖₑ ← ByteEncode₁₂(ŝ) -/// ``` -/// The NIST FIPS 203 standard can be found at -/// . 
-val generate_keypair_unpacked - (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (#v_Vector #v_Hasher #v_Scheme: Type0) - {| i3: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} - (key_generation_seed: t_Slice u8) - (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) - (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) - (requires - Spec.MLKEM.is_rank v_K /\ v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - length key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE) - (ensures - fun temp_0_ -> - let private_key_future, public_key_future:(Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked - v_K v_Vector & - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) = - temp_0_ - in - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index private_key_future - .f_secret_as_ntt - i)) /\ - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index public_key_future - .f_t_as_ntt - i))) + Prims.l_True + (fun _ -> Prims.l_True) /// Call [`compress_then_serialize_ring_element_u`] on each ring element. val compress_then_serialize_u 
@@ -170,20 +56,91 @@ val compress_then_serialize_u {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (input: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (out: t_Slice u8) - : Prims.Pure (t_Slice u8) - (requires - Spec.MLKEM.is_rank v_K /\ v_OUT_LEN == Spec.MLKEM.v_C1_SIZE v_K /\ - v_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ Core.Slice.impl__len #u8 out == v_OUT_LEN /\ - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index input i))) - (ensures - fun out_future -> - let out_future:t_Slice u8 = out_future in - out_future == - Spec.MLKEM.compress_then_encode_u #v_K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector input)) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element +/// in the `ciphertext`. +val deserialize_then_decompress_u + (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Call [`deserialize_to_uncompressed_ring_element`] for each ring element. +val deserialize_secret_key + (v_K: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (secret_key: t_Slice u8) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Call [`serialize_uncompressed_ring_element`] for each ring element. 
+val serialize_secret_key + (v_K v_OUT_LEN: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + +/// Concatenate `t` and `ρ` into the public key. +val serialize_public_key_mut + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (seed_for_a: t_Slice u8) + (serialized: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +/// Concatenate `t` and `ρ` into the public key. +val serialize_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (seed_for_a: t_Slice u8) + : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +/// This function implements Algorithm 14 of the +/// NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. +/// Algorithm 14 is reproduced below: +/// ```plaintext +/// Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. +/// Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. +/// Output: message m ∈ 𝔹^{32}. +/// c₁ ← c[0 : 32dᵤk] +/// c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] +/// u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) +/// v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) +/// ŝ ← ByteDecode₁₂(dkₚₖₑ) +/// w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) +/// m ← ByteEncode₁(Compress₁(w)) +/// return m +/// ``` +/// The NIST FIPS 203 standard can be found at +/// . 
+val decrypt_unpacked + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val decrypt + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (secret_key: t_Slice u8) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) /// This function implements Algorithm 13 of the /// NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. @@ -194,7 +151,7 @@ val compress_then_serialize_u /// Input: encryption randomness r ∈ 𝔹^{32}. /// Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. /// N ← 0 -/// t\u{302} ← ByteDecode₁₂(ekₚₖₑ[0:384k]) +/// t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) /// ρ ← ekₚₖₑ[384k: 384k + 32] /// for (i ← 0; i < k; i++) /// for(j ← 0; j < k; j++) @@ -210,10 +167,10 @@ val compress_then_serialize_u /// N ← N + 1 /// end for /// e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) -/// r\u{302} ← NTT(r) -/// u ← NTT-¹(Âᵀ ◦ r\u{302}) + e₁ +/// r̂ ← NTT(r) +/// u ← NTT-¹(Âᵀ ◦ r̂) + e₁ /// μ ← Decompress₁(ByteDecode₁(m))) -/// v ← NTT-¹(t\u{302}ᵀ ◦ rˆ) + e₂ + μ +/// v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ /// c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) /// c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) /// return c ← (c₁ ‖ c₂) 
@@ -229,19 +186,7 @@ val encrypt_unpacked (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) (message: t_Array u8 (sz 32)) (randomness: t_Slice u8) - : Prims.Pure (t_Array u8 v_CIPHERTEXT_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_C1_LEN == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_LEN == Spec.MLKEM.v_C2_SIZE v_K /\ - v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - length randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE) - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 v_CIPHERTEXT_SIZE) Prims.l_True (fun _ -> Prims.l_True) val encrypt (v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_LEN v_C2_LEN v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: 
@@ -252,161 +197,55 @@ val encrypt (public_key: t_Slice u8) (message: t_Array u8 (sz 32)) (randomness: t_Slice u8) - : Prims.Pure (t_Array u8 v_CIPHERTEXT_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ v_ETA1 = Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE = Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 = Spec.MLKEM.v_ETA2 v_K /\ v_BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ - v_ETA2_RANDOMNESS_SIZE = Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - length public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - length randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_LEN == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_LEN == Spec.MLKEM.v_C2_SIZE v_K) - (ensures - fun result -> - let result:t_Array u8 v_CIPHERTEXT_SIZE = result in - let expected, valid = Spec.MLKEM.ind_cpa_encrypt v_K public_key message randomness in - valid ==> result == expected) + : Prims.Pure (t_Array u8 v_CIPHERTEXT_SIZE) Prims.l_True (fun _ -> Prims.l_True) -/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element -/// in the `ciphertext`. 
-val deserialize_then_decompress_u - (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K) - (ensures - fun res -> - let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in - Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res == - Spec.MLKEM.(vector_ntt (decode_then_decompress_u #v_K - (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K)))))) - -/// This function implements Algorithm 14 of the -/// NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. -/// Algorithm 14 is reproduced below: +/// This function implements most of Algorithm 12 of the +/// NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation algorithm. +/// We say "most of" since Algorithm 12 samples the required randomness within +/// the function itself, whereas this implementation expects it to be provided +/// through the `key_generation_seed` parameter. +/// Algorithm 12 is reproduced below: /// ```plaintext -/// Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. -/// Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. -/// Output: message m ∈ 𝔹^{32}. -/// c₁ ← c[0 : 32dᵤk] -/// c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] -/// u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) -/// v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) -/// ŝ ← ByteDecode₁₂(dkₚₖₑ) -/// w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) -/// m ← ByteEncode₁(Compress₁(w)) -/// return m +/// Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. +/// Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. 
+/// d ←$ B +/// (ρ,σ) ← G(d) +/// N ← 0 +/// for (i ← 0; i < k; i++) +/// for(j ← 0; j < k; j++) +/// Â[i,j] ← SampleNTT(XOF(ρ, i, j)) +/// end for +/// end for +/// for(i ← 0; i < k; i++) +/// s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) +/// N ← N + 1 +/// end for +/// for(i ← 0; i < k; i++) +/// e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) +/// N ← N + 1 +/// end for +/// ŝ ← NTT(s) +/// ê ← NTT(e) +/// t̂ ← Â◦ŝ + ê +/// ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ +/// dkₚₖₑ ← ByteEncode₁₂(ŝ) /// ``` /// The NIST FIPS 203 standard can be found at /// . -val decrypt_unpacked - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K) +val generate_keypair_unpacked + (v_K v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) + (#v_Vector #v_Hasher: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (key_generation_seed: t_Slice u8) + (private_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (public_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector & + Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPublicKeyUnpacked v_K v_Vector) + Prims.l_True (fun _ -> Prims.l_True) -val decrypt - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - 
(#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (secret_key: t_Slice u8) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ - v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == Spec.MLKEM.ind_cpa_decrypt v_K secret_key ciphertext) - -/// Call [`serialize_uncompressed_ring_element`] for each ring element. -val serialize_secret_key - (v_K v_OUT_LEN: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (key: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - : Prims.Pure (t_Array u8 v_OUT_LEN) - (requires - Spec.MLKEM.is_rank v_K /\ v_OUT_LEN == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index key i))) - (ensures - fun res -> - let res:t_Array u8 v_OUT_LEN = res in - res == - Spec.MLKEM.vector_encode_12 #v_K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector key)) - -/// Concatenate `t` and `ρ` into the public key. 
-val serialize_public_key_mut - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (seed_for_a: t_Slice u8) - (serialized: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\ - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i))) - (ensures - fun serialized_future -> - let serialized_future:t_Array u8 v_PUBLIC_KEY_SIZE = serialized_future in - serialized_future == - Seq.append (Spec.MLKEM.vector_encode_12 #v_K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt)) - seed_for_a) - -/// Concatenate `t` and `ρ` into the public key. -val serialize_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (tt_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (seed_for_a: t_Slice u8) - : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ length seed_for_a == sz 32 /\ - (forall (i: nat). 
- i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index tt_as_ntt i))) - (ensures - fun res -> - let res:t_Array u8 v_PUBLIC_KEY_SIZE = res in - res == - Seq.append (Spec.MLKEM.vector_encode_12 #v_K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector tt_as_ntt)) - seed_for_a) - val generate_keypair (v_K v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) @@ -416,15 +255,5 @@ val generate_keypair {| i5: Libcrux_ml_kem.Variant.t_Variant v_Scheme |} (key_generation_seed: t_Slice u8) : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - length key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE) - (ensures - fun result -> - let result:(t_Array u8 v_PRIVATE_KEY_SIZE & t_Array u8 v_PUBLIC_KEY_SIZE) = result in - let expected, valid = Spec.MLKEM.ind_cpa_generate_keypair v_K key_generation_seed in - valid ==> result == expected) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst index 7293e04c6..c8c456676 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Invert_ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
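Review bot: Replacing the `requires`/`ensures` of `generate_keypair` with `Prims.l_True` drops both the seed-length precondition and the postcondition `valid ==> result == expected` against `Spec.MLKEM.ind_cpa_generate_keypair`, so after this hunk F* only typechecks the function and no longer relates it to the specification. The same pattern appears in the `Libcrux_ml_kem.Invert_ntt.fsti` hunks on L2221–L2223 and for `compute_As_plus_e` in `Libcrux_ml_kem.Matrix.fsti` on L2234. These files look hax-extracted, so the contracts presumably originate in the Rust annotations rather than here; if the removal is a temporary "wip" step, at minimum keep the caller-facing length check, `(requires length key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE)`, and state in the commit message that the spec equivalence is to be restored. Otherwise this reads as a silent regression of the verified guarantees for key generation.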
@@ -38,27 +38,15 @@ let invert_ntt_at_layer_1_
 (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 (v__layer: usize)
 =
- let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_1) (invert_ntt_re_range_1 #v_Vector) in
- let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #v_Vector) in
- let v__zeta_i_init:usize = zeta_i in
 let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
 Rust_primitives.Hax.Folds.fold_range (sz 0)
 (sz 16)
- (fun temp_0_ round ->
+ (fun temp_0_ temp_1_ ->
 let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
 temp_0_
 in
- let round:usize = round in
- v zeta_i == v v__zeta_i_init - v round * 4 /\
- (v round < 16 ==>
- (forall (i: nat).
- (i >= v round /\ i < 16) ==>
- Spec.Utils.is_i16b_array_opaque (4 * 3328)
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
- (forall (i: nat).
- i < v round ==>
- Spec.Utils.is_i16b_array_opaque 3328
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))))
+ let _:usize = temp_1_ in
+ true)
 (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
 (fun temp_0_ round ->
 let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
@@ -66,11 +54,6 @@ let invert_ntt_at_layer_1_
 in
 let round:usize = round in
 let zeta_i:usize = zeta_i -! sz 1 in
- let _:Prims.unit =
- reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
- (Spec.Utils.is_i16b_array_opaque (4 * 3328)
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
- in
 let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
 {
 re with
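Review bot: The fold invariant of `invert_ntt_at_layer_1_` is replaced by `true`, so the relation `v zeta_i == v v__zeta_i_init - v round * 4` and the `is_i16b_array_opaque` coefficient bounds are no longer carried across rounds; nothing in the new code then establishes that the `zeta_i -! sz 1` … `-! sz 3` decrements and the `v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ]` lookups in the next hunk (L2215) stay in range, or that the layer's output still satisfies the i16 bound the following layer previously assumed. Whether F* still accepts this depends on how `-!` and array indexing are modelled in the hax library, which is not visible here. The same replacement is made for `invert_ntt_at_layer_2_` (L2216) and `invert_ntt_at_layer_3_` (L2218). If the bound reasoning is being reworked, keeping at least the arithmetic part of the invariant, `v zeta_i == v v__zeta_i_init - v round * 4`, together with the removed `v__zeta_i_init` binding, would preserve the index-range argument at little proof cost; `invert_ntt_at_layer_1_` begins and ends outside this hunk.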
@@ -82,10 +65,19 @@ let invert_ntt_at_layer_1_
 (Libcrux_ml_kem.Vector.Traits.f_inv_ntt_layer_1_step #v_Vector
 #FStar.Tactics.Typeclasses.solve
 (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector)
- (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16)
- (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i -! sz 1 <: usize) <: i16)
- (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i -! sz 2 <: usize) <: i16)
- (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i -! sz 3 <: usize) <: i16)
+ (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16)
+ (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize
+ ]
+ <:
+ i16)
+ (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 2 <: usize
+ ]
+ <:
+ i16)
+ (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 3 <: usize
+ ]
+ <:
+ i16)
 <:
 v_Vector)
 }
@@ -93,15 +85,6 @@ let invert_ntt_at_layer_1_
 Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
 in
 let zeta_i:usize = zeta_i -! sz 3 in
- let _:Prims.unit =
- reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
- (Spec.Utils.is_i16b_array_opaque 3328
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
- in
- let _:Prims.unit =
- assert (Spec.Utils.is_i16b_array_opaque 3328
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
- in
 re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
 in
 let hax_temp_output:Prims.unit = () <: Prims.unit in
@@ -116,26 +99,15 @@ let invert_ntt_at_layer_2_
 (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 (v__layer: usize)
 =
- let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #v_Vector) in
- let v__zeta_i_init:usize = zeta_i in
 let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
 Rust_primitives.Hax.Folds.fold_range (sz 0)
 (sz 16)
- (fun temp_0_ round ->
+ (fun temp_0_ temp_1_ ->
 let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
 temp_0_
 in
- let round:usize = round in
- v zeta_i == v v__zeta_i_init - v round * 2 /\
- (v round < 16 ==>
- (forall (i: nat).
- (i >= v round /\ i < 16) ==>
- Spec.Utils.is_i16b_array_opaque 3328
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
- (forall (i: nat).
- i < v round ==>
- Spec.Utils.is_i16b_array_opaque 3328
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))))
+ let _:usize = temp_1_ in
+ true)
 (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
 (fun temp_0_ round ->
 let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
@@ -143,11 +115,6 @@ let invert_ntt_at_layer_2_
 in
 let round:usize = round in
 let zeta_i:usize = zeta_i -! sz 1 in
- let _:Prims.unit =
- reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
- (Spec.Utils.is_i16b_array_opaque 3328
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
- in
 let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
 {
 re with
@@ -159,8 +126,11 @@ let invert_ntt_at_layer_2_
 (Libcrux_ml_kem.Vector.Traits.f_inv_ntt_layer_2_step #v_Vector
 #FStar.Tactics.Typeclasses.solve
 (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector)
- (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16)
- (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i -! sz 1 <: usize) <: i16)
+ (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16)
+ (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize
+ ]
+ <:
+ i16)
 <:
 v_Vector)
 }
@@ -168,15 +138,6 @@ let invert_ntt_at_layer_2_
 Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector
 in
 let zeta_i:usize = zeta_i -! sz 1 in
- let _:Prims.unit =
- reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
- (Spec.Utils.is_i16b_array_opaque 3328
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
- in
- let _:Prims.unit =
- assert (Spec.Utils.is_i16b_array_opaque 3328
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
- in
 re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
 in
 let hax_temp_output:Prims.unit = () <: Prims.unit in
@@ -191,26 +152,15 @@ let invert_ntt_at_layer_3_
 (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 (v__layer: usize)
 =
- let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #v_Vector) in
- let v__zeta_i_init:usize = zeta_i in
 let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
 Rust_primitives.Hax.Folds.fold_range (sz 0)
 (sz 16)
- (fun temp_0_ round ->
+ (fun temp_0_ temp_1_ ->
 let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
 temp_0_
 in
- let round:usize = round in
- v zeta_i == v v__zeta_i_init - v round /\
- (v round < 16 ==>
- (forall (i: nat).
- (i >= v round /\ i < 16) ==>
- Spec.Utils.is_i16b_array_opaque 3328
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\
- (forall (i: nat).
- i < v round ==>
- Spec.Utils.is_i16b_array_opaque 3328
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))))
+ let _:usize = temp_1_ in
+ true)
 (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize))
 (fun temp_0_ round ->
 let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) =
@@ -218,11 +168,6 @@ let invert_ntt_at_layer_3_
 in
 let round:usize = round in
 let zeta_i:usize = zeta_i -! sz 1 in
- let _:Prims.unit =
- reveal_opaque (`%Spec.Utils.is_i16b_array_opaque)
- (Spec.Utils.is_i16b_array_opaque 3328
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))
- in
 let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector =
 {
 re with
@@ -234,29 +179,18 @@ let invert_ntt_at_layer_3_ (Libcrux_ml_kem.Vector.Traits.f_inv_ntt_layer_3_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) <: v_Vector) } <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) -#push-options "--admit_smt_queries true" - let invert_ntt_at_layer_4_plus (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -305,7 +239,7 @@ let invert_ntt_at_layer_4_plus (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j +! step_vec <: usize ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { @@ -340,8 +274,6 @@ let invert_ntt_at_layer_4_plus let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) -#pop-options - let invert_ntt_montgomery (v_K: usize) (#v_Vector: Type0) 
@@ -395,7 +327,7 @@ let invert_ntt_montgomery let _:Prims.unit = () in let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re + (), Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce #v_Vector re <: (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti index d83521180..ffe255831 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Invert_ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -14,36 +14,7 @@ val inv_ntt_layer_int_vec_step_reduce
 {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
 (a b: v_Vector)
 (zeta_r: i16)
- : Prims.Pure (v_Vector & v_Vector)
- (requires
- Spec.Utils.is_i16b 1664 zeta_r /\
- (forall i.
- i < 16 ==>
- Spec.Utils.is_intb (pow2 15 - 1)
- (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i) -
- v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i))) /\
- (forall i.
- i < 16 ==>
- Spec.Utils.is_intb (pow2 15 - 1)
- (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) +
- v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i))) /\
- Spec.Utils.is_i16b_array 28296
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (Libcrux_ml_kem.Vector.Traits.f_add a b)))
- (fun _ -> Prims.l_True)
-
-[@@ "opaque_to_smt"]
- let invert_ntt_re_range_1 (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
- forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (4 * 3328)
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))
-
-[@@ "opaque_to_smt"]
- let invert_ntt_re_range_2 (#v_Vector: Type0)
- {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
- forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque 3328
- (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))
+ : Prims.Pure (v_Vector & v_Vector) Prims.l_True (fun _ -> Prims.l_True)
 
 val invert_ntt_at_layer_1_
 (#v_Vector: Type0)
@@ -52,14 +23,8 @@ val invert_ntt_at_layer_1_
 (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 (v__layer: usize)
 : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- (requires v zeta_i == 128 /\ invert_ntt_re_range_1 re)
- (ensures
- fun temp_0_ ->
- let zeta_i_future, re_future:(usize &
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
- temp_0_
- in
- invert_ntt_re_range_2 re_future /\ v zeta_i_future == 64)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
 
 val invert_ntt_at_layer_2_
 (#v_Vector: Type0)
@@ -68,14 +33,8 @@ val invert_ntt_at_layer_2_
 (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 (v__layer: usize)
 : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- (requires v zeta_i == 64 /\ invert_ntt_re_range_2 re)
- (ensures
- fun temp_0_ ->
- let zeta_i_future, re_future:(usize &
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
- temp_0_
- in
- invert_ntt_re_range_2 re_future /\ v zeta_i_future == 32)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
 
 val invert_ntt_at_layer_3_
 (#v_Vector: Type0)
@@ -84,14 +43,8 @@ val invert_ntt_at_layer_3_
 (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 (v__layer: usize)
 : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- (requires v zeta_i == 32 /\ invert_ntt_re_range_2 re)
- (ensures
- fun temp_0_ ->
- let zeta_i_future, re_future:(usize &
- Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) =
- temp_0_
- in
- invert_ntt_re_range_2 re_future /\ v zeta_i_future == 16)
+ Prims.l_True
+ (fun _ -> Prims.l_True)
 
 val invert_ntt_at_layer_4_plus
 (#v_Vector: Type0)
@@ -100,7 +53,7 @@ val invert_ntt_at_layer_4_plus
 (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 (layer: usize)
 : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- (requires v layer >= 4 /\ v layer <= 7)
+ Prims.l_True
 (fun _ -> Prims.l_True)
 
 val invert_ntt_montgomery
@@ -109,5 +62,5 @@ val invert_ntt_montgomery
 {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
 (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
 : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector)
- (requires invert_ntt_re_range_1 re)
+ Prims.l_True
 (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst
index 0fe17e19e..1c0bd1278 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Matrix
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
 open Core
 open FStar.Mul
 
@@ -10,133 +10,6 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let sample_matrix_A - (v_K: usize) - (#v_Vector #v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (v_A_transpose: - t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) - (seed: t_Array u8 (sz 34)) - (transpose: bool) - = - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - Rust_primitives.Hax.Folds.fold_range (sz 0) - v_K - (fun v_A_transpose temp_1_ -> - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - v_A_transpose - in - let _:usize = temp_1_ in - true) - v_A_transpose - (fun v_A_transpose i -> - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - v_A_transpose - in - let i:usize = i in - let seeds:t_Array (t_Array u8 (sz 34)) v_K = Rust_primitives.Hax.repeat seed v_K in - let seeds:t_Array (t_Array u8 (sz 34)) v_K = - Rust_primitives.Hax.Folds.fold_range (sz 0) - v_K - (fun seeds temp_1_ -> - let seeds:t_Array (t_Array u8 (sz 34)) v_K = seeds in - let _:usize = temp_1_ in - true) - seeds - (fun seeds j -> - let seeds:t_Array (t_Array u8 (sz 34)) v_K = seeds in - let j:usize = j in - let seeds:t_Array (t_Array u8 (sz 34)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds - j - (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ] - <: - t_Array u8 (sz 34)) - (sz 32) - (cast (i <: usize) <: u8) - <: - t_Array u8 (sz 34)) - in - let seeds:t_Array (t_Array u8 (sz 34)) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds - j - (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ] - <: - t_Array u8 (sz 34)) - (sz 33) - 
(cast (j <: usize) <: u8) - <: - t_Array u8 (sz 34)) - in - seeds) - in - let sampled:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Libcrux_ml_kem.Sampling.sample_from_xof v_K #v_Vector #v_Hasher seeds - in - Rust_primitives.Hax.Folds.fold_enumerated_slice sampled - (fun v_A_transpose temp_1_ -> - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - v_A_transpose - in - let _:usize = temp_1_ in - true) - v_A_transpose - (fun v_A_transpose temp_1_ -> - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - v_A_transpose - in - let j, sample:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_1_ - in - if transpose - then - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose - j - (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ j - ] - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K - ) - i - sample - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - in - v_A_transpose - else - let v_A_transpose:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose - i - (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ i - ] - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K - ) - j - sample - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - in - v_A_transpose)) - in - let result:Prims.unit = () <: Prims.unit in - let _:Prims.unit = admit () (* Panic freedom *) in - let hax_temp_output:Prims.unit = result in - v_A_transpose - let compute_As_plus_e (v_K: usize) (#v_Vector: Type0) 
@@ -171,7 +44,7 @@ let compute_As_plus_e let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt i - (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + (Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -197,7 +70,7 @@ let compute_As_plus_e temp_1_ in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector matrix_element (s_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -205,7 +78,7 @@ let compute_As_plus_e v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt i - (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector + (Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector v_K (tt_as_ntt.[ i ] <: @@ -219,7 +92,7 @@ let compute_As_plus_e let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt i - (Libcrux_ml_kem.Polynomial.impl_2__add_standard_error_reduce #v_Vector + (Libcrux_ml_kem.Polynomial.impl__add_standard_error_reduce #v_Vector (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (error_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: 
@@ -227,59 +100,9 @@ let compute_As_plus_e in tt_as_ntt) in - let result:Prims.unit = () <: Prims.unit in - let _:Prims.unit = admit () (* Panic freedom *) in - let hax_temp_output:Prims.unit = result in + let hax_temp_output:Prims.unit = () <: Prims.unit in tt_as_ntt -#push-options "--admit_smt_queries true" - -let compute_message - (v_K: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (secret_as_ntt u_as_ntt: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - = - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_range (sz 0) - v_K - (fun result temp_1_ -> - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in - let _:usize = temp_1_ in - true) - result - (fun result i -> - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in - let i:usize = i in - let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector - (secret_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K result product - in - result) - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__subtract_reduce #v_Vector v result - in - result - -#pop-options - 
-#push-options "--admit_smt_queries true" - let compute_ring_element_v (v_K: usize) (#v_Vector: Type0) @@ -290,7 +113,7 @@ let compute_ring_element_v (error_2_ message: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) @@ -304,12 +127,12 @@ let compute_ring_element_v let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in let i:usize = i in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (r_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K result product + Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector v_K result product in result) in @@ -317,14 +140,10 @@ let compute_ring_element_v Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__add_message_error_reduce #v_Vector error_2_ message result + Libcrux_ml_kem.Polynomial.impl__add_message_error_reduce #v_Vector error_2_ message result in result -#pop-options - -#push-options "--admit_smt_queries true" - let compute_vector_u (v_K: usize) (#v_Vector: Type0) 
@@ -340,7 +159,7 @@ let compute_vector_u v_K (fun v__i -> let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -385,7 +204,7 @@ let compute_vector_u temp_1_ in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector a_element (r_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -393,7 +212,7 @@ let compute_vector_u v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i - (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector + (Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector v_K (result.[ i ] <: @@ -416,7 +235,7 @@ let compute_vector_u let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i - (Libcrux_ml_kem.Polynomial.impl_2__add_error_reduce #v_Vector + (Libcrux_ml_kem.Polynomial.impl__add_error_reduce #v_Vector (result.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (error_1_.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: 
@@ -426,4 +245,169 @@ let compute_vector_u in result -#pop-options +let compute_message + (v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (secret_as_ntt u_as_ntt: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + = + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () + in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_K + (fun result temp_1_ -> + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in + let i:usize = i in + let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector + (secret_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector v_K result product + in + result) + in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result + in + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__subtract_reduce #v_Vector v result + in + result + +let sample_matrix_A + (v_K: usize) + (#v_Vector #v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher 
v_K) + (v_A_transpose: + t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) + (seed: t_Array u8 (sz 34)) + (transpose: bool) + = + let v_A_transpose:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_K + (fun v_A_transpose temp_1_ -> + let v_A_transpose:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + v_A_transpose + in + let _:usize = temp_1_ in + true) + v_A_transpose + (fun v_A_transpose i -> + let v_A_transpose:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + v_A_transpose + in + let i:usize = i in + let seeds:t_Array (t_Array u8 (sz 34)) v_K = Rust_primitives.Hax.repeat seed v_K in + let seeds:t_Array (t_Array u8 (sz 34)) v_K = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_K + (fun seeds temp_1_ -> + let seeds:t_Array (t_Array u8 (sz 34)) v_K = seeds in + let _:usize = temp_1_ in + true) + seeds + (fun seeds j -> + let seeds:t_Array (t_Array u8 (sz 34)) v_K = seeds in + let j:usize = j in + let seeds:t_Array (t_Array u8 (sz 34)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds + j + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ] + <: + t_Array u8 (sz 34)) + (sz 32) + (cast (i <: usize) <: u8) + <: + t_Array u8 (sz 34)) + in + let seeds:t_Array (t_Array u8 (sz 34)) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seeds + j + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (seeds.[ j ] + <: + t_Array u8 (sz 34)) + (sz 33) + (cast (j <: usize) <: u8) + <: + t_Array u8 (sz 34)) + in + seeds) + in + let sampled:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Libcrux_ml_kem.Sampling.sample_from_xof v_K #v_Vector #v_Hasher seeds + in + Rust_primitives.Hax.Folds.fold_enumerated_slice sampled + (fun v_A_transpose temp_1_ -> + let 
v_A_transpose:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + v_A_transpose + in + let _:usize = temp_1_ in + true) + v_A_transpose + (fun v_A_transpose temp_1_ -> + let v_A_transpose:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + v_A_transpose + in + let j, sample:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = + temp_1_ + in + if transpose + then + let v_A_transpose:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose + j + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ j + ] + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K + ) + i + sample + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + in + v_A_transpose + else + let v_A_transpose:t_Array + (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v_A_transpose + i + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (v_A_transpose.[ i + ] + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K + ) + j + sample + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + in + v_A_transpose)) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + v_A_transpose diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti index 58bcbe1b2..78dea4243 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Matrix -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -10,32 +10,6 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -val sample_matrix_A - (v_K: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (v_A_transpose: - t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) - (seed: t_Array u8 (sz 34)) - (transpose: bool) - : Prims.Pure - (t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun v_A_transpose_future -> - let v_A_transpose_future:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - v_A_transpose_future - in - let matrix_A, valid = Spec.MLKEM.sample_matrix_A_ntt (Seq.slice seed 0 32) in - valid ==> - (if transpose - then Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == matrix_A - else - Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == - Spec.MLKEM.matrix_transpose matrix_A)) - /// Compute  ◦ ŝ + ê val compute_As_plus_e (v_K: usize) 
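Review bot: The removed `val sample_matrix_A` carried `requires Spec.MLKEM.is_rank v_K` and a postcondition relating the result to `Spec.MLKEM.sample_matrix_A_ntt`, while the replacement signature at the end of the `@@ -116,17 +44,34 @@` hunk has `Prims.l_True` for both, so the interface no longer states that this implementation agrees with the specification or that `v_K` is a valid rank. The same downgrade applies to `compute_As_plus_e`, `compute_message`, `compute_ring_element_v` and `compute_vector_u` in the `@@ -47,45 +21,10 @@`, `@@ -93,21 +32,10 @@` and `@@ -116,17 +44,34 @@` hunks, which also lose the `coefficients_field_modulus_range` bound on their outputs. Since these `.fsti` files are hax extraction output, the spec annotations were presumably dropped on the Rust side or the extraction was run without them, and that is where they need to come back. If the loss is intentional for this wip state, a module-level comment such as `/// NOTE: spec-linking pre/postconditions temporarily dropped; restore before merge` would keep the verification regression visible to the next reader.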
@@ -47,45 +21,10 @@ val compute_As_plus_e (s_as_ntt error_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun tt_as_ntt_future -> - let tt_as_ntt_future:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K = - tt_as_ntt_future - in - let open Libcrux_ml_kem.Polynomial in - to_spec_vector_t tt_as_ntt_future = - Spec.MLKEM.compute_As_plus_e_ntt (to_spec_matrix_t matrix_A) - (to_spec_vector_t s_as_ntt) - (to_spec_vector_t error_as_ntt)) - -/// The following functions compute various expressions involving -/// vectors and matrices. The computation of these expressions has been -/// abstracted away into these functions in order to save on loop iterations. -/// Compute v − InverseNTT(sᵀ ◦ NTT(u)) -val compute_message - (v_K: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (secret_as_ntt u_as_ntt: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun res -> - let res:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = res in - let open Libcrux_ml_kem.Polynomial in - let secret_spec = to_spec_vector_t secret_as_ntt in - let u_spec = to_spec_vector_t u_as_ntt in - let v_spec = to_spec_poly_t v in - to_spec_poly_t res == - Spec.MLKEM.(poly_sub v_spec - (poly_inv_ntt (vector_dot_product_ntt #v_K secret_spec u_spec))) /\ - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range res) + Prims.l_True + (fun _ -> Prims.l_True) -/// Compute InverseNTT(tᵀ ◦ r\u{302}) + e₂ + message +/// Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message val compute_ring_element_v (v_K: usize) (#v_Vector: Type0) 
@@ -93,21 +32,10 @@ val compute_ring_element_v (tt_as_ntt r_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (error_2_ message: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun res -> - let res:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = res in - let open Libcrux_ml_kem.Polynomial in - let tt_spec = to_spec_vector_t tt_as_ntt in - let r_spec = to_spec_vector_t r_as_ntt in - let e2_spec = to_spec_poly_t error_2_ in - let m_spec = to_spec_poly_t message in - let res_spec = to_spec_poly_t res in - res_spec == - Spec.MLKEM.(poly_add (poly_add (vector_dot_product_ntt #v_K tt_spec r_spec) e2_spec) - m_spec) /\ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range res) + Prims.l_True + (fun _ -> Prims.l_True) -/// Compute u := InvertNTT(Aᵀ ◦ r\u{302}) + e₁ +/// Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ val compute_vector_u (v_K: usize) (#v_Vector: Type0) 
@@ -116,17 +44,34 @@ val compute_vector_u t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) (r_as_ntt error_1_: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun res -> - let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in - let open Libcrux_ml_kem.Polynomial in - let a_spec = to_spec_matrix_t a_as_ntt in - let r_spec = to_spec_vector_t r_as_ntt in - let e_spec = to_spec_vector_t error_1_ in - let res_spec = to_spec_vector_t res in - res_spec == - Spec.MLKEM.(vector_add (vector_inv_ntt (matrix_vector_mul_ntt a_spec r_spec)) e_spec) /\ - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index res i))) + Prims.l_True + (fun _ -> Prims.l_True) + +/// The following functions compute various expressions involving +/// vectors and matrices. The computation of these expressions has been +/// abstracted away into these functions in order to save on loop iterations. 
+/// Compute v − InverseNTT(sᵀ ◦ NTT(u)) +val compute_message + (v_K: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (v: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (secret_as_ntt u_as_ntt: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_matrix_A + (v_K: usize) + (#v_Vector #v_Hasher: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (v_A_transpose: + t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) + (seed: t_Array u8 (sz 34)) + (transpose: bool) + : Prims.Pure + (t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst new file mode 100644 index 000000000..ca698a11d --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst 
@@ -0,0 +1,108 @@ +module Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 4) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 1536) + (sz 1568) + public_key + serialized + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 4) + (sz 1536) + (sz 1536) + (sz 1568) + 
public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536) + (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1600) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, key_pair:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 4) + (sz 1536) + (sz 3168) + (sz 1568) + (sz 1536) + (sz 2) + (sz 128) + randomness + key_pair + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti new file mode 100644 index 000000000..98114aa20 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti 
@@ -0,0 +1,86 @@ +module Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 1024 (unpacked) +/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: +/// +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 1024 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] +/// and an [`MlKem1024Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst index 1ed6cc3c1..a7e01533b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst 
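Review bot: The second `let _ = ... let open Libcrux_ml_kem.Vector.Portable in let open Libcrux_ml_kem.Vector.Neon in ()` prelude in this Avx2 module opens modules the AVX2 instantiation never references, so typechecking this interface appears to depend on the Neon extraction being present; the identical prelude recurs in the Neon and Portable `Unpacked.fsti` hunks, which suggests it was copied from a shared attribute on the Rust side. The `encapsulate` doc comment also describes an input that is not in the signature (`the SHA3-256 hash of this public key`) and its `TODO: ... when the following issue is resolved:` line is followed by an empty line where the issue reference should be. Both originate in the Rust doc and attribute text that hax extracts, so the fix belongs there; in the extracted interface I would expect the doc to read `/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`] and [`SHARED_SECRET_SIZE`] bytes of `randomness`.` with the dangling TODO either given its issue link or removed.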
@@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -13,6 +13,12 @@ let validate_private_key private_key ciphertext +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 4) + (sz 1536) + (sz 1568) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) @@ -37,9 +43,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 2) (sz 128) randomness - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti index 4f57bcb17..24fb25cc9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -10,6 +10,11 @@ val validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. @@ -34,8 +39,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) Prims.l_True (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst new file mode 100644 index 000000000..3b74c3b27 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst 
@@ -0,0 +1,108 @@ +module Libcrux_ml_kem.Mlkem1024.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 4) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 1536) + (sz 1568) + public_key + serialized + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + 
Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 4) + (sz 1536) + (sz 1536) + (sz 1568) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536) + (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1600) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, key_pair:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 4) + (sz 1536) + (sz 3168) + (sz 1568) + (sz 1536) + (sz 2) + (sz 128) + randomness + key_pair + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti new file mode 100644 index 000000000..46f643f14 --- /dev/null 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti 
@@ -0,0 +1,94 @@ +module Libcrux_ml_kem.Mlkem1024.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 1024 (unpacked) +/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: +/// +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. 
+val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 1024 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] +/// and an [`MlKem1024Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst index 8cab7c870..e89c0a92f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -13,6 +13,12 @@ let validate_private_key private_key ciphertext +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 4) + (sz 1536) + (sz 1568) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) @@ -37,9 +43,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 2) (sz 128) randomness - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti index d71f032a7..32080b0df 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -10,6 +10,11 @@ val validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. @@ -34,8 +39,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) Prims.l_True (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst new file mode 100644 index 000000000..b77d33651 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst 
@@ -0,0 +1,108 @@ +module Libcrux_ml_kem.Mlkem1024.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 4) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 1536) + (sz 1568) + public_key + serialized + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + 
Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 4) + (sz 1536) + (sz 1536) + (sz 1568) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536) + (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1600) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, key_pair:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 4) + (sz 1536) + (sz 3168) + (sz 1568) + (sz 1536) + (sz 2) + (sz 128) + randomness + key_pair + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti new file mode 100644 index 000000000..fdc651118 
--- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti 
@@ -0,0 +1,94 @@ +module Libcrux_ml_kem.Mlkem1024.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 1024 (unpacked) +/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: +/// +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. 
+val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 1024 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] +/// and an [`MlKem1024Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. 
+val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst index 60a05dcc1..326b30645 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -13,6 +13,12 @@ let validate_private_key private_key ciphertext +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4) + (sz 1536) + (sz 1568) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) @@ -37,9 +43,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 2) (sz 128) randomness - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti index 9ce6a597e..4ba09a9a9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti 
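Review bot: The doc comment on `encapsulate` in the new `Mlkem1024.Portable.Unpacked.fsti` says the input includes "the SHA3-256 hash of this public key", but the declared signature takes only `public_key` (an unpacked key) and 32 bytes of `randomness`; no hash parameter exists, so the comment describes a different interface than the one exposed. This file looks like hax extraction output, so the wording should be corrected in the Rust doc comment it is generated from, e.g. `/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`] and [`SHARED_SECRET_SIZE`] bytes of `randomness`.` The same comment also ends with a dangling `TODO: ... when the following issue is resolved:` with no issue reference after it; either add the link or drop the sentence before this is regenerated for merge.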
@@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -10,6 +10,11 @@ val validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. @@ -34,8 +39,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) Prims.l_True (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst new file mode 100644 index 000000000..363d3888a --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst 
@@ -0,0 +1,51 @@ +module Libcrux_ml_kem.Mlkem1024.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +let encapsulate + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) = + Libcrux_ml_kem.Mlkem1024.encapsulate public_key randomness + in + rng, hax_temp_output + <: + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))) + +let generate_key_pair + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) = + Libcrux_ml_kem.Mlkem1024.generate_key_pair randomness + in + rng, 
hax_temp_output + <: + (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti new file mode 100644 index 000000000..a6890b7d0 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti @@ -0,0 +1,39 @@ +module Libcrux_ml_kem.Mlkem1024.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +/// Encapsulate ML-KEM 1024 +/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an [`MlKem1024PublicKey`]. +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +val encapsulate + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (rng: impl_277843321_) + : Prims.Pure + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +/// This function returns an [`MlKem1024KeyPair`]. +val generate_key_pair + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (rng: impl_277843321_) + : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst index c06297797..6137197ca 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -23,35 +23,23 @@ let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) = - let result:t_Array u8 (sz 32) = - Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568) - (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) - private_key ciphertext - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) + private_key ciphertext let encapsulate (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) (randomness: t_Array u8 (sz 32)) = - let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) = - Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408) - (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408) + (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness let generate_key_pair (randomness: t_Array u8 (sz 64)) = - let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) = - Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 4) - (sz 1536) - (sz 3168) - (sz 1568) - (sz 1536) - (sz 2) - (sz 128) - randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 4) + (sz 1536) + (sz 3168) + (sz 1568) + (sz 1536) + (sz 2) + (sz 128) + randomness 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti index fa7a134dd..e62e15b56 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -80,15 +80,7 @@ val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1 val decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun res -> - let res:t_Array u8 (sz 32) = res in - let shared_secret, valid = - Spec.MLKEM.Instances.mlkem1024_decapsulate private_key.f_value ciphertext.f_value - in - valid ==> res == shared_secret) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) /// Encapsulate ML-KEM 1024 /// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. @@ -99,14 +91,7 @@ val encapsulate (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) Prims.l_True - (ensures - fun res -> - let res:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) = res in - let (ciphertext, shared_secret), valid = - Spec.MLKEM.Instances.mlkem1024_encapsulate public_key.f_value randomness - in - let res_ciphertext, res_shared_secret = res in - valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)) + (fun _ -> Prims.l_True) /// Generate ML-KEM 1024 Key Pair /// Generate an ML-KEM key pair. The input is a byte array of size 
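Review bot: The `@@ -80,15 +80,7 @@` and `@@ -99,14 +91,7 @@` hunks replace the `ensures` clauses on `decapsulate` and `encapsulate` with `(fun _ -> Prims.l_True)`, so these API-level declarations no longer carry the postcondition that tied their result to `Spec.MLKEM.Instances.mlkem1024_decapsulate` / `mlkem1024_encapsulate` (the `valid ==> res == shared_secret` and ciphertext-equality links). Read together with the `z3rlimit 100 -> 15` change and the matching removal of `admit () (* Panic freedom *)` in the `.fst`, the net effect is that the ML-KEM 1024 top-level API stops claiming agreement with the spec, not that the earlier admit was discharged; callers of this verified implementation lose the functional-correctness guarantee at the public boundary. Since these files appear to be hax extraction output and the commit is titled "wip", the postconditions were presumably dropped from the Rust-side annotations that generate them; they should be restored (with the original `z3rlimit`) before this is merged, or the regression in the verified contract should be stated explicitly in the commit message.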
@@ -115,10 +100,4 @@ val encapsulate val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) Prims.l_True - (ensures - fun res -> - let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) = res in - let (secret_key, public_key), valid = - Spec.MLKEM.Instances.mlkem1024_generate_keypair randomness - in - valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst new file mode 100644 index 000000000..6fc3cda34 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst 
@@ -0,0 +1,104 @@ +module Libcrux_ml_kem.Mlkem512.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) + (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + = + let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 2) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 768) + (sz 800) + public_key + serialized + <: + (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + 
Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 2) + (sz 768) + (sz 768) + (sz 800) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) + (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) + (sz 800) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti new file mode 100644 index 000000000..cd0cb965f --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti 
@@ -0,0 +1,84 @@ +module Libcrux_ml_kem.Mlkem512.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 512 (unpacked) +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 512 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] +/// and an [`MlKem512Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst index d84c15890..f58c71977 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst 
@@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -13,6 +13,12 @@ let validate_private_key private_key ciphertext +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 2) + (sz 768) + (sz 800) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) @@ -37,9 +43,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 3) (sz 192) randomness - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti index 79530147b..5b846dc53 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -10,6 +10,11 @@ val validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. @@ -34,8 +39,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) Prims.l_True (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst new file mode 100644 index 000000000..273041027 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst 
@@ -0,0 +1,104 @@ +module Libcrux_ml_kem.Mlkem512.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) + (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + = + let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 2) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 768) + (sz 800) + public_key + serialized + <: + (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + 
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 2) + (sz 768) + (sz 768) + (sz 800) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) + (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) + (sz 800) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti new file mode 100644 index 000000000..40ecdcc8d --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti 
@@ -0,0 +1,92 @@ +module Libcrux_ml_kem.Mlkem512.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 512 (unpacked) +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 512 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] +/// and an [`MlKem512Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst index 58b2f0dc4..5e88a7193 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst 
@@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -13,6 +13,12 @@ let validate_private_key private_key ciphertext +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 2) + (sz 768) + (sz 800) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) @@ -37,9 +43,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 3) (sz 192) randomness - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti index 3d846ac51..f737bc363 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -10,6 +10,11 @@ val validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. @@ -34,8 +39,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) Prims.l_True (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst new file mode 100644 index 000000000..54eb129c9 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst 
@@ -0,0 +1,105 @@ +module Libcrux_ml_kem.Mlkem512.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) + (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key + randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + = + let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 2) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 768) + (sz 800) + public_key + serialized + <: + (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + 
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 2) + (sz 768) + (sz 768) + (sz 800) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) + (sz 800) (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) + (sz 128) (sz 800) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti new file mode 100644 index 000000000..2aee55d13 --- /dev/null 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti 
@@ -0,0 +1,92 @@ +module Libcrux_ml_kem.Mlkem512.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 512 (unpacked) +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 512 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] +/// and an [`MlKem512Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst index 97dccb937..47ebe2fe6 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst 
@@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -13,6 +13,12 @@ let validate_private_key private_key ciphertext +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2) + (sz 768) + (sz 800) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) @@ -37,9 +43,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 3) (sz 192) randomness - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti index eee7fb43d..277ef3588 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -10,6 +10,11 @@ val validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. @@ -34,8 +39,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) Prims.l_True (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst new file mode 100644 index 000000000..e0359272f --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst 
@@ -0,0 +1,49 @@ +module Libcrux_ml_kem.Mlkem512.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +let encapsulate + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) = + Libcrux_ml_kem.Mlkem512.encapsulate public_key randomness + in + rng, hax_temp_output + <: + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))) + +let generate_key_pair + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = + Libcrux_ml_kem.Mlkem512.generate_key_pair randomness + in + rng, 
hax_temp_output <: (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti new file mode 100644 index 000000000..95ba62654 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti @@ -0,0 +1,39 @@ +module Libcrux_ml_kem.Mlkem512.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +/// Encapsulate ML-KEM 512 +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an [`MlKem512PublicKey`]. +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +val encapsulate + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (rng: impl_277843321_) + : Prims.Pure + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +/// This function returns an [`MlKem512KeyPair`]. +val generate_key_pair + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (rng: impl_277843321_) + : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst index db5293cf8..4898aaa26 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -23,35 +23,23 @@ let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) = - let result:t_Array u8 (sz 32) = - Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) - (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) - private_key ciphertext - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) + (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) + private_key ciphertext let encapsulate (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) (randomness: t_Array u8 (sz 32)) = - let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) = - Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) - (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) + (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness let generate_key_pair (randomness: t_Array u8 (sz 64)) = - let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = - Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 2) - (sz 768) - (sz 1632) - (sz 800) - (sz 768) - (sz 3) - (sz 192) - randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti index 40a174dcb..9031c5873 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti 
@@ -1,41 +1,66 @@ module Libcrux_ml_kem.Mlkem512 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let v_C1_BLOCK_SIZE_512_: usize = sz 320 +let v_ETA1: usize = sz 3 -let v_C1_SIZE_512_: usize = sz 640 +let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64 -let v_C2_SIZE_512_: usize = sz 128 +let v_ETA2: usize = sz 2 -let v_CPA_PKE_CIPHERTEXT_SIZE_512_: usize = sz 768 +let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64 -let v_CPA_PKE_PUBLIC_KEY_SIZE_512_: usize = sz 800 +let v_RANK_512_: usize = sz 2 -let v_CPA_PKE_SECRET_KEY_SIZE_512_: usize = sz 768 +let v_CPA_PKE_SECRET_KEY_SIZE_512_: usize = + ((v_RANK_512_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! + Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT + <: + usize) /! + sz 8 -let v_ETA1: usize = sz 3 +let v_RANKED_BYTES_PER_RING_ELEMENT_512_: usize = + (v_RANK_512_ *! Libcrux_ml_kem.Constants.v_BITS_PER_RING_ELEMENT <: usize) /! sz 8 -let v_ETA1_RANDOMNESS_SIZE: usize = sz 192 +let v_T_AS_NTT_ENCODED_SIZE_512_: usize = + ((v_RANK_512_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! + Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT + <: + usize) /! + sz 8 -let v_ETA2: usize = sz 2 +let v_CPA_PKE_PUBLIC_KEY_SIZE_512_: usize = v_T_AS_NTT_ENCODED_SIZE_512_ +! sz 32 -let v_ETA2_RANDOMNESS_SIZE: usize = sz 128 +let v_SECRET_KEY_SIZE_512_: usize = + ((v_CPA_PKE_SECRET_KEY_SIZE_512_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_512_ <: usize) +! + Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE + <: + usize) +! + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE -let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = sz 800 +let v_VECTOR_U_COMPRESSION_FACTOR_512_: usize = sz 10 -let v_RANKED_BYTES_PER_RING_ELEMENT_512_: usize = sz 768 +let v_C1_BLOCK_SIZE_512_: usize = + (Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_VECTOR_U_COMPRESSION_FACTOR_512_ + <: + usize) /! 
+ sz 8 -let v_RANK_512_: usize = sz 2 +let v_C1_SIZE_512_: usize = v_C1_BLOCK_SIZE_512_ *! v_RANK_512_ -let v_SECRET_KEY_SIZE_512_: usize = sz 1632 +let v_VECTOR_V_COMPRESSION_FACTOR_512_: usize = sz 4 -let v_T_AS_NTT_ENCODED_SIZE_512_: usize = sz 768 +let v_C2_SIZE_512_: usize = + (Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_VECTOR_V_COMPRESSION_FACTOR_512_ + <: + usize) /! + sz 8 -let v_VECTOR_U_COMPRESSION_FACTOR_512_: usize = sz 10 +let v_CPA_PKE_CIPHERTEXT_SIZE_512_: usize = v_C1_SIZE_512_ +! v_C2_SIZE_512_ -let v_VECTOR_V_COMPRESSION_FACTOR_512_: usize = sz 4 +let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_512_ /// Validate a private key. /// Returns `true` if valid, and `false` otherwise. @@ -55,15 +80,7 @@ val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 8 val decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun res -> - let res:t_Array u8 (sz 32) = res in - let shared_secret, valid = - Spec.MLKEM.Instances.mlkem512_decapsulate private_key.f_value ciphertext.f_value - in - valid ==> res == shared_secret) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) /// Encapsulate ML-KEM 512 /// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. 
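Review bot: The `ensures` clause that tied `decapsulate` to `Spec.MLKEM.Instances.mlkem512_decapsulate` is replaced by the trivial postcondition `(fun _ -> Prims.l_True)`, so the extracted interface no longer states functional correctness of ML-KEM 512 against the specification; the same regression applies to `encapsulate` and `generate_key_pair` in the next two hunks of this file, and the matching `admit () (* Panic freedom *)` lines disappear from `Libcrux_ml_kem.Mlkem512.fst`. If this is a deliberate temporary step (the subject is "wip"), the commit description should say that the mlkem512 spec-equivalence obligations are dropped and track restoring them, since these checked-in `.fsti` files are what the proof run verifies. Because the file is hax-extracted, the underlying cause is presumably the loss of the `ensures` attributes on the Rust functions rather than a hand edit here — worth confirming. The lowered `--z3rlimit 15` is consistent with the obligations now being trivial, but will likely need revisiting once the postconditions return.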
@@ -74,14 +91,7 @@ val encapsulate (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) Prims.l_True - (ensures - fun res -> - let res:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) = res in - let (ciphertext, shared_secret), valid = - Spec.MLKEM.Instances.mlkem512_encapsulate public_key.f_value randomness - in - let res_ciphertext, res_shared_secret = res in - valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)) + (fun _ -> Prims.l_True) /// Generate ML-KEM 512 Key Pair /// The input is a byte array of size @@ -90,10 +100,4 @@ val encapsulate val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) Prims.l_True - (ensures - fun res -> - let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = res in - let (secret_key, public_key), valid = - Spec.MLKEM.Instances.mlkem512_generate_keypair randomness - in - valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst new file mode 100644 index 000000000..1a75cf7bf --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst 
@@ -0,0 +1,140 @@ +module Libcrux_ml_kem.Mlkem768.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 1152) + (sz 1184) + public_key + serialized + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 3) + (sz 1152) + (sz 1152) + (sz 1184) + 
public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) + (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1120) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 1152) + (sz 1184) + key_pair + serialized + in + serialized + +let public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (pk: + 
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let pk:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__public_key (sz 3) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + key_pair + <: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + pk diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti new file mode 100644 index 000000000..4d8df4bc3 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti 
@@ -0,0 +1,106 @@ +module Libcrux_ml_kem.Mlkem768.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 768 (unpacked) +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 768 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] +/// and an [`MlKem768Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair in "unpacked" form. +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst index 3ec064b3f..a57fd2b32 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -13,6 +13,12 @@ let validate_private_key private_key ciphertext +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 3) + (sz 1152) + (sz 1184) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) @@ -37,9 +43,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 2) (sz 128) randomness - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti index 0b2855263..316f123b3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -10,6 +10,11 @@ val validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. @@ -34,8 +39,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) Prims.l_True (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst new file mode 100644 index 000000000..1b1c3736e --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst 
@@ -0,0 +1,141 @@ +module Libcrux_ml_kem.Mlkem768.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Neon.Vector_type in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 1152) + (sz 1184) + public_key + serialized + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + 
(), + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 3) + (sz 1152) + (sz 1152) + (sz 1184) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) + (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1120) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 1152) + (sz 1184) + 
key_pair + serialized + in + serialized + +let public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let pk:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__public_key (sz 3) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + key_pair + <: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + pk diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti new file mode 100644 index 000000000..3c76dc76c --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti 
@@ -0,0 +1,117 @@ +module Libcrux_ml_kem.Mlkem768.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Neon.Vector_type in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 768 (unpacked) +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 768 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] +/// and an [`MlKem768Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair in "unpacked" form. +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. 
+val key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst index 4608a3923..b8e43d354 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -13,6 +13,12 @@ let validate_private_key private_key ciphertext +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 3) + (sz 1152) + (sz 1184) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) 
@@ -37,9 +43,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 2) (sz 128) randomness - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti index 1b4e3414d..6b527d102 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -10,6 +10,11 @@ val validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. @@ -34,8 +39,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) Prims.l_True (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst new file mode 100644 index 000000000..39960a363 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst 
@@ -0,0 +1,141 @@ +module Libcrux_ml_kem.Mlkem768.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Portable.Vector_type in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 1152) + (sz 1184) + public_key + serialized + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + 
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 3) + (sz 1152) + (sz 1152) + (sz 1184) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) + (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1120) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + +let key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + 
Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 1152) + (sz 1184) + key_pair + serialized + in + serialized + +let public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let pk:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__public_key (sz 3) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + key_pair + <: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + pk diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti new file mode 100644 index 000000000..30956fcb9 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti 
@@ -0,0 +1,117 @@ +module Libcrux_ml_kem.Mlkem768.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Portable.Vector_type in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 768 (unpacked) +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. 
+val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 768 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] +/// and an [`MlKem768Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair in "unpacked" form. +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. 
+val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst index d98e44837..9690ed48f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -13,6 +13,12 @@ let validate_private_key private_key ciphertext +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3) + (sz 1152) + (sz 1184) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) @@ -37,9 +43,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 2) (sz 128) randomness - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti index c14954e5d..a44262014 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -10,6 +10,11 @@ val validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. 
@@ -34,8 +39,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64))
 : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
 Prims.l_True
 (fun _ -> Prims.l_True)
-
-/// Validate a public key.
-/// Returns `true` if valid, and `false` otherwise.
-val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
- : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst
new file mode 100644
index 000000000..df3caf4a2
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst
@@ -0,0 +1,51 @@
+module Libcrux_ml_kem.Mlkem768.Rand
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+open Core
+open FStar.Mul
+
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Rand_core in
+ ()
+
+let encapsulate
+ (#impl_277843321_: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_)
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ (rng: impl_277843321_)
+ =
+ let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in
+ let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) =
+ Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness
+ in
+ let rng:impl_277843321_ = tmp0 in
+ let randomness:t_Array u8 (sz 32) = tmp1 in
+ let _:Prims.unit = () in
+ let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) =
+ Libcrux_ml_kem.Mlkem768.encapsulate public_key randomness
+ in
+ rng, hax_temp_output
+ <:
+ (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)))
+
+let generate_key_pair
+ (#impl_277843321_: Type0)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_)
+ (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_)
+ (rng: impl_277843321_)
+ =
+ let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in
+ let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) =
+ Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness
+ in
+ let rng:impl_277843321_ = tmp0 in
+ let randomness:t_Array u8 (sz 64) = tmp1 in
+ let _:Prims.unit = () in
+ let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) =
+ Libcrux_ml_kem.Mlkem768.generate_key_pair randomness
+ in
+ rng, 
hax_temp_output
+ <:
+ (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti
new file mode 100644
index 000000000..6d9fbe622
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti
@@ -0,0 +1,39 @@
+module Libcrux_ml_kem.Mlkem768.Rand
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
+open Core
+open FStar.Mul
+
+let _ =
+ (* This module has implicit dependencies, here we make them explicit. *)
+ (* The implicit dependencies arise from typeclasses instances. *)
+ let open Rand_core in
+ ()
+
+/// Encapsulate ML-KEM 768
+/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
+/// The input is a reference to an [`MlKem768PublicKey`].
+/// The random number generator `rng` needs to implement `RngCore` and
+/// `CryptoRng` to sample the required randomness internally.
+val encapsulate
+ (#impl_277843321_: Type0)
+ {| i1: Rand_core.t_RngCore impl_277843321_ |}
+ {| i2: Rand_core.t_CryptoRng impl_277843321_ |}
+ (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
+ (rng: impl_277843321_)
+ : Prims.Pure
+ (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
+
+/// Generate ML-KEM 768 Key Pair
+/// The random number generator `rng` needs to implement `RngCore` and
+/// `CryptoRng` to sample the required randomness internally.
+/// This function returns an [`MlKem768KeyPair`].
+val generate_key_pair
+ (#impl_277843321_: Type0)
+ {| i1: Rand_core.t_RngCore impl_277843321_ |}
+ {| i2: Rand_core.t_CryptoRng impl_277843321_ |}
+ (rng: impl_277843321_)
+ : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
+ Prims.l_True
+ (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst
index 235881a7e..5d0bec2fe 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
 open Core
 open FStar.Mul
 
@@ -23,35 +23,23 @@ let decapsulate
 (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
 (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
 =
- let result:t_Array u8 (sz 32) =
- Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088)
- (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120)
- private_key ciphertext
- in
- let _:Prims.unit = admit () (* Panic freedom *) in
- result
+ Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088)
+ (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120)
+ private_key ciphertext
 
 let encapsulate
 (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184))
 (randomness: t_Array u8 (sz 32))
 =
- let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) =
- Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) (sz 960)
- (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
- in
- let _:Prims.unit = admit () (* Panic freedom *) in
- result
+ Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) (sz 960)
+ (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness
 
 let generate_key_pair (randomness: t_Array u8 (sz 64)) =
- let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) =
- Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 3)
- (sz 1152)
- (sz 2400)
- (sz 1184)
- (sz 1152)
- (sz 2)
- (sz 128)
- randomness
- in
- let _:Prims.unit = admit () (* Panic freedom *) in
- result
+ Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 3)
+ (sz 1152)
+ (sz 2400)
+ (sz 1184)
+ (sz 1152)
+ (sz 2)
+ (sz 128)
+ randomness
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti
index 34bfea335..16febee24 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Mlkem768
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
 open Core
 open FStar.Mul
 
@@ -80,15 +80,7 @@ val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1
 val decapsulate
 (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400))
 (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088))
- : Prims.Pure (t_Array u8 (sz 32))
- Prims.l_True
- (ensures
- fun res ->
- let res:t_Array u8 (sz 32) = res in
- let shared_secret, valid =
- Spec.MLKEM.Instances.mlkem768_decapsulate private_key.f_value ciphertext.f_value
- in
- valid ==> res == shared_secret)
+ : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True)
 
 /// Encapsulate ML-KEM 768
 /// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple.
@@ -99,14 +91,7 @@ val encapsulate
 (randomness: t_Array u8 (sz 32))
 : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))
 Prims.l_True
- (ensures
- fun res ->
- let res:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) = res in
- let (ciphertext, shared_secret), valid =
- Spec.MLKEM.Instances.mlkem768_encapsulate public_key.f_value randomness
- in
- let res_ciphertext, res_shared_secret = res in
- valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret))
+ (fun _ -> Prims.l_True)
 
 /// Generate ML-KEM 768 Key Pair
 /// Generate an ML-KEM key pair. The input is a byte array of size
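Review bot: The `ensures` clauses on `decapsulate` and `encapsulate` that tied the result to `Spec.MLKEM.Instances.mlkem768_decapsulate` / `mlkem768_encapsulate` are replaced by `(fun _ -> Prims.l_True)`, so the extracted interface no longer states functional correctness against the specification; the `generate_key_pair` hunk that follows does the same. This `.fsti` is hax output, so the drop presumably mirrors removed annotations on the Rust side, but nothing in the commit records that the spec-equivalence claim is being suspended rather than discharged, and the `--z3rlimit` cut from 100 to 15 in the same file is consistent with the obligations having become vacuous. If this is a stepping stone in the series, mark it at the source the extraction comes from, e.g. a comment above each affected `val` such as `/// TODO(proof): postcondition w.r.t. Spec.MLKEM.Instances temporarily removed`, so a reader of the extracted proof sees that nothing is currently verified here.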
@@ -115,10 +100,4 @@ val encapsulate
 val generate_key_pair (randomness: t_Array u8 (sz 64))
 : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184))
 Prims.l_True
- (ensures
- fun res ->
- let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = res in
- let (secret_key, public_key), valid =
- Spec.MLKEM.Instances.mlkem768_generate_keypair randomness
- in
- valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key))
+ (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst
index 5d86ce050..46dfb217a 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Ntt
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
 open Core
 open FStar.Mul
 
@@ -35,27 +35,15 @@ let ntt_at_layer_1_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) = - let _:Prims.unit = reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #v_Vector) in - let _:Prims.unit = reveal_opaque (`%ntt_re_range_1) (ntt_re_range_1 #v_Vector) in - let v__zeta_i_init:usize = zeta_i in let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun temp_0_ round -> + (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - v zeta_i == v v__zeta_i_init + v round * 4 /\ - (v round < 16 ==> - (forall (i: nat). - (i >= v round /\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ - (forall (i: nat). - i < v round ==> - Spec.Utils.is_i16b_array_opaque (11207 + 6 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) + let _:usize = temp_1_ in + true) (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) (fun temp_0_ round -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = @@ -63,11 +51,6 @@ let ntt_at_layer_1_ in let round:usize = round in let zeta_i:usize = zeta_i +! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { re with 
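Review bot: The loop invariant of the `fold_range` in `ntt_at_layer_1_` is replaced by `true` and the `reveal_opaque` / `assert` steps on `Spec.Utils.is_i16b_array_opaque` are deleted, so the fold no longer carries any bound on the coefficients between rounds; the same replacement appears in the `ntt_at_layer_2_`, `ntt_at_layer_3_` and `ntt_at_layer_7_` hunks below, and the matching `requires` / `ensures` (`ntt_re_range_*`, `ntt_layer_7_pre`, the `is_intb (pow2 15 - 1)` sum and difference bounds on `ntt_layer_int_vec_step`) are removed from Ntt.fsti further down. Those bounds were the argument that the i16 butterfly arithmetic cannot wrap, which is the property that makes the NTT proof say something about the shipped code; with `Prims.l_True` everywhere the module verifies vacuously. If the plan is to re-derive these bounds later in the series, keep the predicate definitions (even unused) or leave a one-line marker on each affected `val`, `(* overflow bounds for this layer: TODO re-establish *)`, so the regression is visible in the extracted proof rather than only in this diff. `ntt_at_layer_1_` begins outside this hunk.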
@@ -79,10 +62,19 @@ let ntt_at_layer_1_ (Libcrux_ml_kem.Vector.Traits.f_ntt_layer_1_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i +! sz 1 <: usize) <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i +! sz 2 <: usize) <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i +! sz 3 <: usize) <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize + ] + <: + i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize + ] + <: + i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize + ] + <: + i16) <: v_Vector) } @@ -90,15 +82,6 @@ let ntt_at_layer_1_ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in let zeta_i:usize = zeta_i +! sz 3 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 6 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque (11207 + 6 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in 
@@ -113,27 +96,15 @@ let ntt_at_layer_2_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) = - let _:Prims.unit = reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #v_Vector) in - let _:Prims.unit = reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #v_Vector) in - let v__zeta_i_init:usize = zeta_i in let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun temp_0_ round -> + (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - v zeta_i == v v__zeta_i_init + v round * 2 /\ - (v round < 16 ==> - (forall (i: nat). - (i >= v round /\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ - (forall (i: nat). - i < v round ==> - Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) + let _:usize = temp_1_ in + true) (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) (fun temp_0_ round -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = @@ -141,11 +112,6 @@ let ntt_at_layer_2_ in let round:usize = round in let zeta_i:usize = zeta_i +! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { re with 
@@ -157,8 +123,11 @@ let ntt_at_layer_2_ (Libcrux_ml_kem.Vector.Traits.f_ntt_layer_2_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i +! sz 1 <: usize) <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize + ] + <: + i16) <: v_Vector) } @@ -166,15 +135,6 @@ let ntt_at_layer_2_ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in let zeta_i:usize = zeta_i +! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in 
@@ -189,27 +149,15 @@ let ntt_at_layer_3_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) = - let _:Prims.unit = reveal_opaque (`%ntt_re_range_4) (ntt_re_range_4 #v_Vector) in - let _:Prims.unit = reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #v_Vector) in - let v__zeta_i_init:usize = zeta_i in let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun temp_0_ round -> + (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - v zeta_i == v v__zeta_i_init + v round /\ - (v round < 16 ==> - (forall (i: nat). - (i >= v round /\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207 + 3 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ - (forall (i: nat). - i < v round ==> - Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) + let _:usize = temp_1_ in + true) (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) (fun temp_0_ round -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = @@ -217,11 +165,6 @@ let ntt_at_layer_3_ in let round:usize = round in let zeta_i:usize = zeta_i +! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 3 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { re with 
@@ -233,29 +176,18 @@ let ntt_at_layer_3_ (Libcrux_ml_kem.Vector.Traits.f_ntt_layer_3_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) <: v_Vector) } <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) -#push-options "--admit_smt_queries true" - let ntt_at_layer_4_plus (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -265,8 +197,13 @@ let ntt_at_layer_4_plus (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (layer v__initial_coefficient_bound: usize) = + let _:Prims.unit = + if true + then + let _:Prims.unit = Hax_lib.v_assert (layer >=. sz 4 <: bool) in + () + in let step:usize = sz 1 <>! layer <: usize) @@ -303,7 +240,7 @@ let ntt_at_layer_4_plus (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j +! step_vec <: usize ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { 
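Review bot: The new `Hax_lib.v_assert (layer >=. sz 4 <: bool)` in `ntt_at_layer_4_plus` checks only the lower bound, whereas the `requires` it stands in for (removed from Ntt.fsti below) also fixed `v layer <= 7` and the expected `zeta_i` value for each layer. The butterfly now indexes `v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ]` directly instead of via `get_zeta`, and that accessor, deleted in the Polynomial.fst hunk at the end of this chunk, is where the admitted panic-freedom for the table index lived; with the precondition gone, nothing visible bounds `zeta_i` below the table length, so the in-bounds obligation is presumably discharged elsewhere or silently admitted — worth confirming. Dropping `#push-options "--admit_smt_queries true"` around this function and `ntt_at_layer_7_` is the right direction, but since the contracts are trivialised in the same commit the queries that used to be admitted are no longer posed at all. If the assert is meant as the interim contract, `Hax_lib.v_assert (layer >=. sz 4 && layer <=. sz 7 <: bool)` (written in the Rust source hax extracts from) would at least keep the shift amount in range; the `<<!` / `>>!` lines in this hunk look mangled by extraction and are not reviewed. `ntt_at_layer_4_plus` continues past this hunk.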
@@ -338,10 +275,6 @@ let ntt_at_layer_4_plus let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) -#pop-options - -#push-options "--admit_smt_queries true" - let ntt_at_layer_7_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -350,22 +283,17 @@ let ntt_at_layer_7_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = let step:usize = Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT /! sz 2 in - let _:Prims.unit = assert (v step == 8) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) step - (fun re j -> + (fun re temp_1_ -> let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let j:usize = j in - (v j < 8 ==> - (forall (i: nat). - (i >= v j /\ i < 8) ==> - ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ])))) + let _:usize = temp_1_ in + true) re (fun re j -> let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let j:usize = j in - let _:Prims.unit = reveal_opaque (`%ntt_layer_7_pre) (ntt_layer_7_pre #v_Vector) in let t:v_Vector = Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant #v_Vector #FStar.Tactics.Typeclasses.solve @@ -413,10 +341,6 @@ let ntt_at_layer_7_ let hax_temp_output:Prims.unit = () <: Prims.unit in re -#pop-options - -#push-options "--z3rlimit 200" - let ntt_binomially_sampled_ring_element (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -429,53 +353,49 @@ let ntt_binomially_sampled_ring_element in let zeta_i:usize = sz 1 in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 11207) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 11207 +! sz 3328 <: usize) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 11207 +! (sz 2 *! sz 3328 <: usize) <: usize) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_3_ #v_Vector zeta_i re (sz 3) (sz 11207 +! (sz 3 *! sz 3328 <: usize) <: usize) + ntt_at_layer_3_ #v_Vector zeta_i re (sz 3) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_2_ #v_Vector zeta_i re (sz 2) (sz 11207 +! (sz 4 *! 
sz 3328 <: usize) <: usize) + ntt_at_layer_2_ #v_Vector zeta_i re (sz 2) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_1_ #v_Vector zeta_i re (sz 1) (sz 11207 +! (sz 5 *! sz 3328 <: usize) <: usize) + ntt_at_layer_1_ #v_Vector zeta_i re (sz 1) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re + (), Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce #v_Vector re <: (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in re -#pop-options - -#push-options "--z3rlimit 200" - let ntt_vector_u (v_VECTOR_U_COMPRESSION_FACTOR: usize) (#v_Vector: Type0) 
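Review bot: Every layer call in `ntt_binomially_sampled_ring_element` now passes the same `sz 3` as `v__initial_coefficient_bound`, and `ntt_vector_u` in the next hunk passes the same `sz 3328`, where the old code passed a bound that grew by `3328` per layer (`sz 11207 +! (sz k *! sz 3328)`, `sz k *! sz 3328`). The callees ignore the parameter (the `v__` prefix) and the preconditions that consumed the old values are removed in Ntt.fsti, so this is a ghost value with no checker behind it; but its meaning appears to shift from a running per-layer bound to the bound on the input (3 matches the largest CBD parameter across the ML-KEM parameter sets, 3328 the largest decompressed coefficient), and nothing states that. A comment at the first call in the Rust source hax extracts from, `// bound on |coefficient| entering the NTT, not per layer`, would make the intent explicit. The `impl_2__poly_barrett_reduce` to `impl__poly_barrett_reduce` rename looks like a hax naming change and is fine. `ntt_binomially_sampled_ring_element` begins outside this hunk.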
@@ -492,47 +412,45 @@ let ntt_vector_u let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 2 *! sz 3328 <: usize) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 3 *! sz 3328 <: usize) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 4 *! sz 3328 <: usize) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_3_ #v_Vector zeta_i re (sz 3) (sz 5 *! sz 3328 <: usize) + ntt_at_layer_3_ #v_Vector zeta_i re (sz 3) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_2_ #v_Vector zeta_i re (sz 2) (sz 6 *! 
sz 3328 <: usize) + ntt_at_layer_2_ #v_Vector zeta_i re (sz 2) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_1_ #v_Vector zeta_i re (sz 1) (sz 7 *! sz 3328 <: usize) + ntt_at_layer_1_ #v_Vector zeta_i re (sz 1) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re + (), Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce #v_Vector re <: (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in re - -#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti index 487f928cf..2e535adc9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -14,35 +14,7 @@ val ntt_layer_int_vec_step {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (a b: v_Vector) (zeta_r: i16) - : Prims.Pure (v_Vector & v_Vector) - (requires - Spec.Utils.is_i16b 1664 zeta_r /\ - (let t = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe b zeta_r in - (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\ - (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))) - (fun _ -> Prims.l_True) - -[@@ "opaque_to_smt"] - let ntt_re_range_1 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) - -[@@ "opaque_to_smt"] - let ntt_re_range_2 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) + : Prims.Pure (v_Vector & v_Vector) Prims.l_True (fun _ -> Prims.l_True) val ntt_at_layer_1_ (#v_Vector: Type0) 
@@ -51,21 +23,8 @@ val ntt_at_layer_1_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v zeta_i == 63 /\ ntt_re_range_2 re) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - ntt_re_range_1 re_future /\ v zeta_i_future == 127) - -[@@ "opaque_to_smt"] - let ntt_re_range_3 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_at_layer_2_ (#v_Vector: Type0) @@ -74,21 +33,8 @@ val ntt_at_layer_2_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v zeta_i == 31 /\ ntt_re_range_3 re) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - ntt_re_range_2 re_future /\ v zeta_i_future == 63) - -[@@ "opaque_to_smt"] - let ntt_re_range_4 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+3*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_at_layer_3_ (#v_Vector: Type0) 
@@ -97,14 +43,8 @@ val ntt_at_layer_3_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v zeta_i == 15 /\ ntt_re_range_4 re) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - ntt_re_range_3 re_future /\ v zeta_i_future == 31) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_at_layer_4_plus (#v_Vector: Type0) 
@@ -113,46 +53,15 @@ val ntt_at_layer_4_plus (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (layer v__initial_coefficient_bound: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - v layer >= 4 /\ v layer <= 7 /\ - ((v layer == 4 ==> v zeta_i == 7) /\ (v layer == 5 ==> v zeta_i == 3) /\ - (v layer == 6 ==> v zeta_i == 1) /\ (v layer == 7 ==> v zeta_i == 0))) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - ntt_re_range_4 re_future /\ (v layer == 4 ==> v zeta_i_future == 15) /\ - (v layer == 5 ==> v zeta_i_future == 7) /\ (v layer == 6 ==> v zeta_i_future == 3) /\ - (v layer == 7 ==> v zeta_i_future == 1)) - -[@@ "opaque_to_smt"] - let ntt_layer_7_pre (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re_0 re_1: v_Vector) = - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_1) i) * v (-1600s))) /\ - (let t = Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant re_1 (-1600s) in - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\ - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i)))) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_at_layer_7_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - forall i. - i < 8 ==> - ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! 
sz 8 ])) + Prims.l_True (fun _ -> Prims.l_True) val ntt_binomially_sampled_ring_element @@ -160,10 +69,7 @@ val ntt_binomially_sampled_ring_element {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - forall i. - i < 8 ==> - ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ])) + Prims.l_True (fun _ -> Prims.l_True) val ntt_vector_u diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst index 257bb1029..3cb84c2ef 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Polynomial -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -9,19 +9,33 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let get_zeta (i: usize) = - let result:i16 = v_ZETAS_TIMES_MONTGOMERY_R.[ i ] in - let _:Prims.unit = admit () (* Panic freedom *) in - result +let impl__ZERO + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (_: Prims.unit) + = + { + f_coefficients + = + Rust_primitives.Hax.repeat (Libcrux_ml_kem.Vector.Traits.f_ZERO #v_Vector + #FStar.Tactics.Typeclasses.solve + () + <: + v_Vector) + (sz 16) + } + <: + t_PolynomialRingElement v_Vector -let impl_2__add_error_reduce +let impl__add_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self error: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let self:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT 
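Review bot: `impl__add_error_reduce` loses its `let _:Prims.unit = admit () in` while the first hunk of this file lowers `--z3rlimit` from 100 to 15, so the body must now be discharged by the solver with a smaller budget; the same admit removal recurs in the later hunks for `impl__add_message_error_reduce`, `impl__add_standard_error_reduce`, `impl__add_to_ring_element`, `impl__poly_barrett_reduce` and `impl__ntt_multiply`. Whether those bodies verify without the admits is not visible here, and the `get_zeta` wrapper deleted in this hunk is what carried the `requires i <. sz 128` / `ensures Spec.Utils.is_i16b 1664 result` facts about the zeta table that the .fsti hunk also drops. If this file is a fresh hax extraction rather than a hand edit, that is worth stating in the commit or in a header comment, e.g. `(* regenerated by hax; proof annotations not yet re-applied *)`, so that the missing admits are not read as proven code. The hunk ends inside the fold of `impl__add_error_reduce`.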
@@ -65,14 +79,13 @@ let impl_2__add_error_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_2__add_message_error_reduce +let impl__add_message_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self message result: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let result:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -122,14 +135,13 @@ let impl_2__add_message_error_reduce in result -let impl_2__add_standard_error_reduce +let impl__add_standard_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self error: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let self:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -171,17 +183,17 @@ let impl_2__add_standard_error_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_2__poly_barrett_reduce +let impl__add_to_ring_element (#v_Vector: Type0) + (v_K: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self: t_PolynomialRingElement v_Vector) + (self rhs: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let self:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) - v_VECTORS_IN_RING_ELEMENT + (Core.Slice.impl__len #v_Vector (self.f_coefficients <: t_Slice v_Vector) <: usize) (fun self temp_1_ -> let self:t_PolynomialRingElement v_Vector = self in let _:usize = temp_1_ in 
@@ -196,9 +208,10 @@ let impl_2__poly_barrett_reduce = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_coefficients i - (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector + (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector #FStar.Tactics.Typeclasses.solve (self.f_coefficients.[ i ] <: v_Vector) + (rhs.f_coefficients.[ i ] <: v_Vector) <: v_Vector) <: 
@@ -210,84 +223,14 @@ let impl_2__poly_barrett_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_2__subtract_reduce - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self b: t_PolynomialRingElement v_Vector) - = - let _:Prims.unit = admit () in - let b:t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_range (sz 0) - v_VECTORS_IN_RING_ELEMENT - (fun b temp_1_ -> - let b:t_PolynomialRingElement v_Vector = b in - let _:usize = temp_1_ in - true) - b - (fun b i -> - let b:t_PolynomialRingElement v_Vector = b in - let i:usize = i in - let coefficient_normal_form:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_montgomery_multiply_by_constant #v_Vector - #FStar.Tactics.Typeclasses.solve - (b.f_coefficients.[ i ] <: v_Vector) - 1441s - in - let b:t_PolynomialRingElement v_Vector = - { - b with - f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize b.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector - #FStar.Tactics.Typeclasses.solve - (self.f_coefficients.[ i ] <: v_Vector) - coefficient_normal_form - <: - v_Vector) - <: - v_Vector) - } - <: - t_PolynomialRingElement v_Vector - in - b) - in - b - -let impl_2__ZERO - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (_: Prims.unit) - = - { - f_coefficients - = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Vector.Traits.f_ZERO #v_Vector - #FStar.Tactics.Typeclasses.solve - () - <: - v_Vector) - (sz 16) - } - <: - t_PolynomialRingElement v_Vector - -let impl_2__from_i16_array +let impl__from_i16_array (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (a: t_Slice i16) = - let result:t_PolynomialRingElement v_Vector = impl_2__ZERO 
#v_Vector () in + let result:t_PolynomialRingElement v_Vector = impl__ZERO #v_Vector () in let result:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -325,15 +268,14 @@ let impl_2__from_i16_array in result -let impl_2__ntt_multiply +let impl__ntt_multiply (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self rhs: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in - let out:t_PolynomialRingElement v_Vector = impl_2__ZERO #v_Vector () in + let out:t_PolynomialRingElement v_Vector = impl__ZERO #v_Vector () in let out:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -355,10 +297,22 @@ let impl_2__ntt_multiply #FStar.Tactics.Typeclasses.solve (self.f_coefficients.[ i ] <: v_Vector) (rhs.f_coefficients.[ i ] <: v_Vector) - (get_zeta (sz 64 +! (sz 4 *! i <: usize) <: usize) <: i16) - (get_zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 1 <: usize) <: i16) - (get_zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 2 <: usize) <: i16) - (get_zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 3 <: usize) <: i16) + (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! (sz 4 *! i <: usize) <: usize ] <: i16) + (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 1 + <: + usize ] + <: + i16) + (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 2 + <: + usize ] + <: + i16) + (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 3 + <: + usize ] + <: + i16) <: v_Vector) <: 
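Review bot: In `impl__ntt_multiply` the four `get_zeta (...)` calls are replaced by direct `v_ZETAS_TIMES_MONTGOMERY_R.[ ... ]` indexing, so the single checked precondition `i <. sz 128` becomes four separate in-bounds obligations on `sz 64 +! (sz 4 *! i) +! sz 3`. That index stays below 128 only if the fold bound `v_VECTORS_IN_RING_ELEMENT` is at most 16; `f_coefficients` is declared as `t_Array v_Vector (sz 16)` so that is presumably the case, but the relation is no longer written down anywhere. A short comment at the first table access, `(* 64 + 4*i + 3 <= 127 because i < VECTORS_IN_RING_ELEMENT (= 16 vectors of 16 coefficients) *)`, would record why the indices are in range. The `impl__ntt_multiply` body starts and ends outside this hunk.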
@@ -369,18 +323,16 @@ let impl_2__ntt_multiply in out -let impl_2__add_to_ring_element +let impl__poly_barrett_reduce (#v_Vector: Type0) - (v_K: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (self rhs: t_PolynomialRingElement v_Vector) + (self: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let self:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_Vector (self.f_coefficients <: t_Slice v_Vector) <: usize) + v_VECTORS_IN_RING_ELEMENT (fun self temp_1_ -> let self:t_PolynomialRingElement v_Vector = self in let _:usize = temp_1_ in @@ -395,10 +347,9 @@ let impl_2__add_to_ring_element = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize self.f_coefficients i - (Libcrux_ml_kem.Vector.Traits.f_add #v_Vector + (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector #FStar.Tactics.Typeclasses.solve (self.f_coefficients.[ i ] <: v_Vector) - (rhs.f_coefficients.[ i ] <: v_Vector) <: v_Vector) <: 
@@ -409,3 +360,52 @@ let impl_2__add_to_ring_element in let hax_temp_output:Prims.unit = () <: Prims.unit in self + +let impl__subtract_reduce + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (self b: t_PolynomialRingElement v_Vector) + = + let b:t_PolynomialRingElement v_Vector = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_VECTORS_IN_RING_ELEMENT + (fun b temp_1_ -> + let b:t_PolynomialRingElement v_Vector = b in + let _:usize = temp_1_ in + true) + b + (fun b i -> + let b:t_PolynomialRingElement v_Vector = b in + let i:usize = i in + let coefficient_normal_form:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_montgomery_multiply_by_constant #v_Vector + #FStar.Tactics.Typeclasses.solve + (b.f_coefficients.[ i ] <: v_Vector) + 1441s + in + let b:t_PolynomialRingElement v_Vector = + { + b with + f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize b.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_barrett_reduce #v_Vector + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Vector.Traits.f_sub #v_Vector + #FStar.Tactics.Typeclasses.solve + (self.f_coefficients.[ i ] <: v_Vector) + coefficient_normal_form + <: + v_Vector) + <: + v_Vector) + } + <: + t_PolynomialRingElement v_Vector + in + b) + in + b diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti index 7956d29e4..51dae0e12 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Polynomial -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -10,7 +10,6 @@ let _ = () let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i16 (sz 128) = - let _:Prims.unit = assert_norm (pow2 16 == 65536) in let list = [ (-1044s); (-758s); (-359s); (-1517s); 1493s; 1422s; 287s; 202s; (-171s); 622s; 1577s; 182s; 
@@ -29,85 +28,56 @@ let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i16 (sz 128) = FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 128); Rust_primitives.Hax.array_of_list 128 list -val get_zeta (i: usize) - : Prims.Pure i16 - (requires i <. sz 128) - (ensures - fun result -> - let result:i16 = result in - Spec.Utils.is_i16b 1664 result) +let v_VECTORS_IN_RING_ELEMENT: usize = + Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! + Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR type t_PolynomialRingElement (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} = { f_coefficients:t_Array v_Vector (sz 16) } -let to_spec_poly_t (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (p: t_PolynomialRingElement v_Vector) : Spec.MLKEM.polynomial = - admit() - -let to_spec_vector_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (m:t_Array (t_PolynomialRingElement v_Vector) r) : Spec.MLKEM.vector r = - createi r (fun i -> to_spec_poly_t #v_Vector (m.[i])) - -let to_spec_matrix_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (m:t_Array (t_Array (t_PolynomialRingElement v_Vector) r) r) : Spec.MLKEM.matrix r = - createi r (fun i -> to_spec_vector_t #r #v_Vector (m.[i])) - -let v_VECTORS_IN_RING_ELEMENT: usize = - Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! 
- Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR +val impl__ZERO: + #v_Vector: Type0 -> + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} -> + Prims.unit + -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__add_error_reduce +val impl__add_error_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self error: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__add_message_error_reduce +val impl__add_message_error_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self message result: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__add_standard_error_reduce +val impl__add_standard_error_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self error: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__poly_barrett_reduce - (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self: t_PolynomialRingElement v_Vector) - : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val impl_2__subtract_reduce +/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise +/// sum of their constituent coefficients. 
+val impl__add_to_ring_element (#v_Vector: Type0) + (v_K: usize) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self b: t_PolynomialRingElement v_Vector) + (self rhs: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__ZERO: - #v_Vector: Type0 -> - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} -> - Prims.unit - -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) - -val impl_2__from_i16_array +val impl__from_i16_array (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (a: t_Slice i16) - : Prims.Pure (t_PolynomialRingElement v_Vector) - (requires - (v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. (Core.Slice.impl__len #i16 a <: usize)) - (fun _ -> Prims.l_True) + : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) /// Given two `KyberPolynomialRingElement`s in their NTT representations, /// compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`, -/// the `iᵗʰ` coefficient of the product `k\u{302}` is determined by the calculation: +/// the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation: /// ```plaintext /// ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² - ζ^(2·BitRev₇(i) + 1)) /// ``` 
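Review bot: `impl__from_i16_array` loses its `requires (v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. (Core.Slice.impl__len #i16 a <: usize)` clause, so the minimum length of `a` that the body's fold over `v_VECTORS_IN_RING_ELEMENT` indexes is no longer stated at the interface. The visible callers in Sampling pass `sampled_i16s` (256 elements) or `s.[0..256]`, which satisfy it, but any new caller has nothing to tell it the requirement exists. A doc line above the val, `/// `a` must hold at least VECTORS_IN_RING_ELEMENT * 16 elements; the body reads that many.`, would preserve the contract in prose until the precondition is restored. The deletion of `to_spec_poly_t`/`to_spec_vector_t`/`to_spec_matrix_t` in the same hunk also removes the only link from this module to `Spec.MLKEM`; if they are meant to return elsewhere, the commit message should say so.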
@@ -121,21 +91,24 @@ val impl_2__from_i16_array /// end for /// return ĥ /// ``` -/// We say \"almost\" because the coefficients of the ring element output by +/// We say "almost" because the coefficients of the ring element output by /// this function are in the Montgomery domain. /// The NIST FIPS 203 standard can be found at /// . -val impl_2__ntt_multiply +val impl__ntt_multiply (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self rhs: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -/// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise -/// sum of their constituent coefficients. -val impl_2__add_to_ring_element +val impl__poly_barrett_reduce (#v_Vector: Type0) - (v_K: usize) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (self rhs: t_PolynomialRingElement v_Vector) + (self: t_PolynomialRingElement v_Vector) + : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) + +val impl__subtract_reduce + (#v_Vector: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (self b: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst index 3f7e351d4..9c52850fc 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -144,106 +144,6 @@ let sample_from_uniform_distribution_next <: (t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) -#push-options "--admit_smt_queries true" - -let sample_from_xof - (v_K: usize) - (#v_Vector #v_Hasher: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i2: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i3: - Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) - (seeds: t_Array (t_Array u8 (sz 34)) v_K) - = - let (sampled_coefficients: t_Array usize v_K):t_Array usize v_K = - Rust_primitives.Hax.repeat (sz 0) v_K - in - let (out: t_Array (t_Array i16 (sz 272)) v_K):t_Array (t_Array i16 (sz 272)) v_K = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0s (sz 272) <: t_Array i16 (sz 272)) v_K - in - let xof_state:v_Hasher = - Libcrux_ml_kem.Hash_functions.f_shake128_init_absorb_final #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - seeds - in - let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 504)) v_K) = - Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_first_three_blocks #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - xof_state - in - let xof_state:v_Hasher = tmp0 in - let randomness:t_Array (t_Array u8 (sz 504)) v_K = out1 in - let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) = - sample_from_uniform_distribution_next #v_Vector v_K (sz 504) randomness sampled_coefficients out - in - let sampled_coefficients:t_Array usize v_K = tmp0 in - let out:t_Array (t_Array i16 (sz 272)) v_K = tmp1 in - let done:bool = out1 in - let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K & - t_Array usize v_K & - v_Hasher) = - Rust_primitives.f_while_loop (fun temp_0_ -> - let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K & - t_Array usize v_K & - v_Hasher) = - temp_0_ - in - ~.done <: bool) - (done, out, sampled_coefficients, xof_state - <: - (bool & t_Array 
(t_Array i16 (sz 272)) v_K & t_Array usize v_K & v_Hasher)) - (fun temp_0_ -> - let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K & - t_Array usize v_K & - v_Hasher) = - temp_0_ - in - let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 168)) v_K) = - Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_next_block #v_Hasher - #v_K - #FStar.Tactics.Typeclasses.solve - xof_state - in - let xof_state:v_Hasher = tmp0 in - let randomness:t_Array (t_Array u8 (sz 168)) v_K = out1 in - let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) = - sample_from_uniform_distribution_next #v_Vector - v_K - (sz 168) - randomness - sampled_coefficients - out - in - let sampled_coefficients:t_Array usize v_K = tmp0 in - let out:t_Array (t_Array i16 (sz 272)) v_K = tmp1 in - let done:bool = out1 in - done, out, sampled_coefficients, xof_state - <: - (bool & t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K & v_Hasher)) - in - Core.Array.impl_23__map #(t_Array i16 (sz 272)) - v_K - #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - out - (fun s -> - let s:t_Array i16 (sz 272) = s in - Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector - (s.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 256 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - -#pop-options - -#push-options "--z3rlimit 800" - let sample_from_binomial_distribution_2_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -251,10 +151,6 @@ let sample_from_binomial_distribution_2_ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (randomness: t_Slice u8) = - let _:Prims.unit = - assert (v (sz 2 *! sz 64) == 128); - assert (Seq.length randomness == 128) - in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.repeat 0s (sz 256) in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) @@ -279,10 +175,6 @@ let sample_from_binomial_distribution_2_ in let even_bits:u32 = random_bits_as_u32 &. 1431655765ul in let odd_bits:u32 = (random_bits_as_u32 >>! 1l <: u32) &. 1431655765ul in - let _:Prims.unit = - logand_lemma random_bits_as_u32 1431655765ul; - logand_lemma (random_bits_as_u32 >>! 1l) 1431655765ul - in let coin_toss_outcomes:u32 = even_bits +! odd_bits in Rust_primitives.Hax.Folds.fold_range_step_by 0ul Core.Num.impl__u32__BITS @@ -303,15 +195,6 @@ let sample_from_binomial_distribution_2_ <: i16 in - let _:Prims.unit = - logand_lemma (coin_toss_outcomes >>! outcome_set <: u32) 3ul; - logand_lemma (coin_toss_outcomes >>! (outcome_set +! 2ul <: u32) <: u32) 3ul; - assert (v outcome_1_ >= 0 /\ v outcome_1_ <= 3); - assert (v outcome_2_ >= 0 /\ v outcome_2_ <= 3); - assert (v chunk_number <= 31); - assert (v (sz 8 *! chunk_number <: usize) <= 248); - assert (v (cast (outcome_set >>! 2l <: u32) <: usize) <= 7) - in let offset:usize = cast (outcome_set >>! 2l <: u32) <: usize in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_i16s @@ -320,11 +203,7 @@ let sample_from_binomial_distribution_2_ in sampled_i16s)) in - Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) - -#pop-options - -#push-options "--z3rlimit 800" + Libcrux_ml_kem.Polynomial.impl__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) let sample_from_binomial_distribution_3_ (#v_Vector: Type0) 
@@ -333,10 +212,6 @@ let sample_from_binomial_distribution_3_ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (randomness: t_Slice u8) = - let _:Prims.unit = - assert (v (sz 3 *! sz 64) == 192); - assert (Seq.length randomness == 192) - in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.repeat 0s (sz 256) in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 3) @@ -359,11 +234,6 @@ let sample_from_binomial_distribution_3_ let first_bits:u32 = random_bits_as_u24 &. 2396745ul in let second_bits:u32 = (random_bits_as_u24 >>! 1l <: u32) &. 2396745ul in let third_bits:u32 = (random_bits_as_u24 >>! 2l <: u32) &. 2396745ul in - let _:Prims.unit = - logand_lemma random_bits_as_u24 2396745ul; - logand_lemma (random_bits_as_u24 >>! 1l <: u32) 2396745ul; - logand_lemma (random_bits_as_u24 >>! 2l <: u32) 2396745ul - in let coin_toss_outcomes:u32 = (first_bits +! second_bits <: u32) +! third_bits in Rust_primitives.Hax.Folds.fold_range_step_by 0l 24l @@ -384,15 +254,6 @@ let sample_from_binomial_distribution_3_ <: i16 in - let _:Prims.unit = - logand_lemma (coin_toss_outcomes >>! outcome_set <: u32) 7ul; - logand_lemma (coin_toss_outcomes >>! (outcome_set +! 3l <: i32) <: u32) 7ul; - assert (v outcome_1_ >= 0 /\ v outcome_1_ <= 7); - assert (v outcome_2_ >= 0 /\ v outcome_2_ <= 7); - assert (v chunk_number <= 63); - assert (v (sz 4 *! chunk_number <: usize) <= 252); - assert (v (cast (outcome_set /! 6l <: i32) <: usize) <= 3) - in let offset:usize = cast (outcome_set /! 6l <: i32) <: usize in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_i16s 
@@ -401,9 +262,7 @@ let sample_from_binomial_distribution_3_ in sampled_i16s)) in - Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) - -#pop-options + Libcrux_ml_kem.Polynomial.impl__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) let sample_from_binomial_distribution (v_ETA: usize) @@ -413,7 +272,6 @@ let sample_from_binomial_distribution Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (randomness: t_Slice u8) = - let _:Prims.unit = assert ((v (cast v_ETA <: u32) == 2) \/ (v (cast v_ETA <: u32) == 3)) in match cast (v_ETA <: usize) <: u32 with | 2ul -> sample_from_binomial_distribution_2_ #v_Vector randomness | 3ul -> sample_from_binomial_distribution_3_ #v_Vector randomness 
@@ -422,3 +280,97 @@ let sample_from_binomial_distribution <: Rust_primitives.Hax.t_Never) + +let sample_from_xof + (v_K: usize) + (#v_Vector #v_Hasher: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) + (seeds: t_Array (t_Array u8 (sz 34)) v_K) + = + let (sampled_coefficients: t_Array usize v_K):t_Array usize v_K = + Rust_primitives.Hax.repeat (sz 0) v_K + in + let (out: t_Array (t_Array i16 (sz 272)) v_K):t_Array (t_Array i16 (sz 272)) v_K = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0s (sz 272) <: t_Array i16 (sz 272)) v_K + in + let xof_state:v_Hasher = + Libcrux_ml_kem.Hash_functions.f_shake128_init_absorb #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + seeds + in + let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 504)) v_K) = + Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_three_blocks #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + xof_state + in + let xof_state:v_Hasher = tmp0 in + let randomness:t_Array (t_Array u8 (sz 504)) v_K = out1 in + let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) = + sample_from_uniform_distribution_next #v_Vector v_K (sz 504) randomness sampled_coefficients out + in + let sampled_coefficients:t_Array usize v_K = tmp0 in + let out:t_Array (t_Array i16 (sz 272)) v_K = tmp1 in + let done:bool = out1 in + let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K & + t_Array usize v_K & + v_Hasher) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let done, out, sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K & + t_Array usize v_K & + v_Hasher) = + temp_0_ + in + ~.done <: bool) + (done, out, sampled_coefficients, xof_state + <: + (bool & t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K & v_Hasher)) + (fun temp_0_ -> + let done, out, 
sampled_coefficients, xof_state:(bool & t_Array (t_Array i16 (sz 272)) v_K & + t_Array usize v_K & + v_Hasher) = + temp_0_ + in + let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 168)) v_K) = + Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_block #v_Hasher + #v_K + #FStar.Tactics.Typeclasses.solve + xof_state + in + let xof_state:v_Hasher = tmp0 in + let randomness:t_Array (t_Array u8 (sz 168)) v_K = out1 in + let tmp0, tmp1, out1:(t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) = + sample_from_uniform_distribution_next #v_Vector + v_K + (sz 168) + randomness + sampled_coefficients + out + in + let sampled_coefficients:t_Array usize v_K = tmp0 in + let out:t_Array (t_Array i16 (sz 272)) v_K = tmp1 in + let done:bool = out1 in + done, out, sampled_coefficients, xof_state + <: + (bool & t_Array (t_Array i16 (sz 272)) v_K & t_Array usize v_K & v_Hasher)) + in + Core.Array.impl_23__map #(t_Array i16 (sz 272)) + v_K + #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + out + (fun s -> + let s:t_Array i16 (sz 272) = s in + Libcrux_ml_kem.Polynomial.impl__from_i16_array #v_Vector + (s.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 256 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti index 7864f558f..5f5ac19d3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
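Review bot: The re-added `sample_from_xof` calls `f_shake128_init_absorb`, `f_shake128_squeeze_three_blocks` and `f_shake128_squeeze_block`, whereas the version deleted earlier in this file used `f_shake128_init_absorb_final`, `f_shake128_squeeze_first_three_blocks` and `f_shake128_squeeze_next_block`; the `Libcrux_ml_kem.Hash_functions.t_Hash` interface is not in view, so whether both name sets exist or this is a rename that must land in the same commit cannot be checked here. The function also moves out of the `#push-options "--admit_smt_queries true"` region that wrapped the old definition, so its `Rust_primitives.f_while_loop` body is now expected to verify at the file's new `--z3rlimit 15`. If that is intended, a comment at the definition, `(* no longer under --admit_smt_queries; loop verifies at the default rlimit *)`, would make the change in proof status explicit.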
@@ -54,16 +54,6 @@ val sample_from_uniform_distribution_next Prims.l_True (fun _ -> Prims.l_True) -val sample_from_xof - (v_K: usize) - (#v_Vector #v_Hasher: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} - (seeds: t_Array (t_Array u8 (sz 34)) v_K) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - Prims.l_True - (fun _ -> Prims.l_True) - /// Given a series of uniformly random bytes in `randomness`, for some number `eta`, /// the `sample_from_binomial_distribution_{eta}` functions sample /// a ring element from a binomial distribution centered at 0 that uses two sets @@ -124,7 +114,15 @@ val sample_from_binomial_distribution {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (randomness: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - (v_ETA =. sz 2 || v_ETA =. sz 3) && - (Core.Slice.impl__len #u8 randomness <: usize) =. (v_ETA *! sz 64 <: usize)) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_from_xof + (v_K: usize) + (#v_Vector #v_Hasher: Type0) + {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} + (seeds: t_Array (t_Array u8 (sz 34)) v_K) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst index 99fd067a1..f90c60055 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
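Review bot: `sample_from_binomial_distribution` loses its `requires (v_ETA =. sz 2 || v_ETA =. sz 3) && (Core.Slice.impl__len #u8 randomness <: usize) =. (v_ETA *! sz 64 <: usize)` in the second hunk on this line, and the matching `assert` in the .fst plus the `Seq.length randomness == 128` / `== 192` asserts in the `_2_` and `_3_` bodies are removed in the earlier Sampling.fst hunks. With `Prims.l_True` the interface no longer excludes an ETA other than 2 or 3, for which the `match` in the body falls through to the `Rust_primitives.Hax.t_Never` branch, nor does it state how many bytes of `randomness` the chunked folds consume. Until the precondition is restored, a doc line above the val, `/// ETA must be 2 or 3 and `randomness` must hold exactly ETA * 64 bytes.`, would keep the caller obligation visible.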
@@ -9,173 +9,379 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let to_unsigned_field_modulus +let compress_then_serialize_10_ + (v_OUT_LEN: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (a: v_Vector) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - let _:Prims.unit = reveal_opaque (`%field_modulus_range) (field_modulus_range #v_Vector) in - let result:v_Vector = Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector a in - let _:Prims.unit = admit () (* Panic freedom *) in - result + let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in + let serialized:t_Array u8 v_OUT_LEN = + Rust_primitives.Hax.Folds.fold_range (sz 0) + Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUT_LEN = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized i -> + let serialized:t_Array u8 v_OUT_LEN = serialized in + let i:usize = i in + let coefficient:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector + #FStar.Tactics.Typeclasses.solve + 10l + (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) + <: + v_Vector) + in + let bytes:t_Array u8 (sz 20) = + Libcrux_ml_kem.Vector.Traits.f_serialize_10_ #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficient + in + let serialized:t_Array u8 v_OUT_LEN = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 20 *! i <: usize; + Core.Ops.Range.f_end = (sz 20 *! i <: usize) +! sz 20 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = sz 20 *! i <: usize; + Core.Ops.Range.f_end = (sz 20 *! i <: usize) +! 
sz 20 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (bytes <: t_Slice u8) + <: + t_Slice u8) + in + serialized) + in + serialized -let deserialize_then_decompress_11_ +let compress_then_serialize_11_ + (v_OUT_LEN: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352) - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 22) - serialized - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in + let serialized:t_Array u8 v_OUT_LEN = + Rust_primitives.Hax.Folds.fold_range (sz 0) + Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUT_LEN = serialized in let _:usize = temp_1_ in true) - re - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let i, bytes:(usize & t_Slice u8) = temp_1_ in + serialized + (fun serialized i -> + let serialized:t_Array u8 v_OUT_LEN = serialized in + let i:usize = i in let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_11_ #v_Vector + Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector #FStar.Tactics.Typeclasses.solve - bytes + 11l + (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) + <: + v_Vector) in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - { - re with - 
Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector - #FStar.Tactics.Typeclasses.solve - 11l - coefficient - <: - v_Vector) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + let bytes:t_Array u8 (sz 22) = + Libcrux_ml_kem.Vector.Traits.f_serialize_11_ #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficient in - re) + let serialized:t_Array u8 v_OUT_LEN = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 22 *! i <: usize; + Core.Ops.Range.f_end = (sz 22 *! i <: usize) +! sz 22 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = sz 22 *! i <: usize; + Core.Ops.Range.f_end = (sz 22 *! i <: usize) +! sz 22 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (bytes <: t_Slice u8) + <: + t_Slice u8) + in + serialized) in - re + serialized -let deserialize_then_decompress_4_ +let compress_then_serialize_4_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! 
sz 8) == 128) - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 8) - serialized - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_range (sz 0) + Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in true) - re - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let i, bytes:(usize & t_Slice u8) = temp_1_ in + serialized + (fun serialized i -> + let serialized:t_Slice u8 = serialized in + let i:usize = i in let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_4_ #v_Vector + Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector #FStar.Tactics.Typeclasses.solve - bytes + 4l + (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) + <: + v_Vector) in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector - #FStar.Tactics.Typeclasses.solve - 4l - coefficient - <: - v_Vector) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + let bytes:t_Array u8 (sz 8) = + Libcrux_ml_kem.Vector.Traits.f_serialize_4_ #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficient in - re) + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 8 *! 
i <: usize; + Core.Ops.Range.f_end = (sz 8 *! i <: usize) +! sz 8 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = sz 8 *! i <: usize; + Core.Ops.Range.f_end = (sz 8 *! i <: usize) +! sz 8 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (bytes <: t_Slice u8) + <: + t_Slice u8) + in + serialized) in - re + let hax_temp_output:Prims.unit = () <: Prims.unit in + serialized -let deserialize_then_decompress_5_ +let compress_then_serialize_5_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! sz 8) == 160) - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 10) - serialized - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Folds.fold_range (sz 0) + Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT + (fun serialized temp_1_ -> + let serialized:t_Slice u8 = serialized in let _:usize = temp_1_ in true) - re - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_deserialize_5_ #v_Vector - #FStar.Tactics.Typeclasses.solve - bytes - <: - 
v_Vector) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + serialized + (fun serialized i -> + let serialized:t_Slice u8 = serialized in + let i:usize = i in + let coefficients:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector + #FStar.Tactics.Typeclasses.solve + 5l + (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) + <: + v_Vector) + in + let bytes:t_Array u8 (sz 10) = + Libcrux_ml_kem.Vector.Traits.f_serialize_5_ #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficients + in + let serialized:t_Slice u8 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 10 *! i <: usize; + Core.Ops.Range.f_end = (sz 10 *! i <: usize) +! sz 10 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = sz 10 *! i <: usize; + Core.Ops.Range.f_end = (sz 10 *! i <: usize) +! 
sz 10 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (bytes <: t_Slice u8) + <: + t_Slice u8) + in + serialized) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + serialized + +let compress_then_serialize_message + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 16) + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 32) = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized i -> + let serialized:t_Array u8 (sz 32) = serialized in + let i:usize = i in + let coefficient:v_Vector = + Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) + in + let coefficient_compressed:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_compress_1_ #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficient + in + let bytes:t_Array u8 (sz 2) = + Libcrux_ml_kem.Vector.Traits.f_serialize_1_ #v_Vector + #FStar.Tactics.Typeclasses.solve + coefficient_compressed + in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = sz 2 *! i <: usize; + Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = sz 2 *! i <: usize; + Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! 
sz 2 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (bytes <: t_Slice u8) + <: + t_Slice u8) + in + serialized) + in + serialized + +let compress_then_serialize_ring_element_u + (v_COMPRESSION_FACTOR v_OUT_LEN: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + = + match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with + | 10ul -> compress_then_serialize_10_ v_OUT_LEN #v_Vector re + | 11ul -> compress_then_serialize_11_ v_OUT_LEN #v_Vector re + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let compress_then_serialize_ring_element_v + (v_COMPRESSION_FACTOR v_OUT_LEN: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (out: t_Slice u8) + = + let out, hax_temp_output:(t_Slice u8 & Prims.unit) = + match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with + | 4ul -> compress_then_serialize_4_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit) + | 5ul -> compress_then_serialize_5_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit) + | _ -> + out, + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + <: + (t_Slice u8 & Prims.unit) + in + out + +let deserialize_then_decompress_10_ + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (serialized: t_Slice u8) + = + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + 
Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 20) + serialized + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:usize = temp_1_ in + true) + re + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let coefficient:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #v_Vector + #FStar.Tactics.Typeclasses.solve + bytes + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_kem.Polynomial.f_coefficients i (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector #FStar.Tactics.Typeclasses.solve - 5l - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) + 10l + coefficient <: v_Vector) } 
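Review bot: The regenerated `compress_then_serialize_10_`/`_11_`/`_4_`/`_5_`/`_message` bodies give every `fold_range` the trivial invariant `true` and drop the `coefficients_field_modulus_range re` / `to_unsigned_field_modulus` reasoning that the removed definitions carried, so nothing in this hunk constrains the `update_at_range` writes at `sz 20 *! i` … `+! sz 20` (and 22, 8, 10, 2) to stay inside `v_OUT_LEN` or `Seq.length serialized`. Likewise the new `compress_then_serialize_ring_element_u` and `_v` `match` on `cast v_COMPRESSION_FACTOR` with no accompanying assertion that it is 10/11 (resp. 4/5), so the `| _ -> ... panic "internal error: entered unreachable code"` arm is no longer shown unreachable for the ML-KEM parameter sets. If these modules are meant to stay verified, the invariants and the `COMPRESSION_FACTOR` assertion should be reintroduced at the Rust source as hax_lib annotations (loop invariant / `fstar!` assertion) and hax re-run; if this "wip" state is expected to fail verification, saying so in the commit message would save reviewers from re-deriving it. Whether the new code is currently checked with admitted queries cannot be seen from this hunk.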
@@ -186,38 +392,31 @@ let deserialize_then_decompress_5_ in re -let deserialize_then_decompress_message +let deserialize_then_decompress_11_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Array u8 (sz 32)) + (serialized: t_Slice u8) = let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (sz 16) + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 22) + serialized (fun re temp_1_ -> let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let _:usize = temp_1_ in true) re - (fun re i -> + (fun re temp_1_ -> let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let i:usize = i in - let coefficient_compressed:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_1_ #v_Vector + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let coefficient:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_deserialize_11_ #v_Vector #FStar.Tactics.Typeclasses.solve - (serialized.[ { - Core.Ops.Range.f_start = sz 2 *! i <: usize; - Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) + bytes in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { @@ -227,7 +426,10 @@ let deserialize_then_decompress_message Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_kem.Polynomial.f_coefficients i - (Libcrux_ml_kem.Vector.Traits.decompress_1_ #v_Vector coefficient_compressed + (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector + #FStar.Tactics.Typeclasses.solve + 11l + coefficient <: v_Vector) } 
@@ -236,44 +438,20 @@ let deserialize_then_decompress_message in re) in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -let deserialize_then_decompress_ring_element_v - (v_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) - = - let _:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 5)) - in - match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with - | 4ul -> deserialize_then_decompress_4_ #v_Vector serialized - | 5ul -> deserialize_then_decompress_5_ #v_Vector serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) + re -let deserialize_to_reduced_ring_element +let deserialize_then_decompress_4_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 8) serialized (fun re temp_1_ -> let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in 
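Review bot: This hunk deletes `deserialize_then_decompress_ring_element_v` together with its `assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/ (v (cast v_COMPRESSION_FACTOR <: u32) == 5))`, and `deserialize_to_reduced_ring_element` loses `assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16)`; a re-added `deserialize_then_decompress_ring_element_v` begins at the very end of this chunk but its body is outside it, so I cannot confirm the assertion survives the move. The visible sibling `compress_then_serialize_ring_element_u` in this commit carries no such assertion, so it is worth checking that the reinserted dispatch does — without it the `| _ -> ... panic "internal error: entered unreachable code"` arm is not proven dead. Removing `admit () (* Panic freedom *)` is only an improvement if the panic-freedom obligations now discharge on their own; the matching removal of `#push-options "--admit_smt_queries true"` in the following hunk suggests that is the intent, but the hunk itself does not show the proofs going through.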
@@ -284,7 +462,7 @@ let deserialize_to_reduced_ring_element let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let i, bytes:(usize & t_Slice u8) = temp_1_ in let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector + Libcrux_ml_kem.Vector.Traits.f_deserialize_4_ #v_Vector #FStar.Tactics.Typeclasses.solve bytes in @@ -296,8 +474,9 @@ let deserialize_to_reduced_ring_element Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_kem.Polynomial.f_coefficients i - (Libcrux_ml_kem.Vector.Traits.f_cond_subtract_3329_ #v_Vector + (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector #FStar.Tactics.Typeclasses.solve + 4l coefficient <: v_Vector) 
@@ -307,510 +486,166 @@ let deserialize_to_reduced_ring_element in re) in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let _:Prims.unit = admit () (* Panic freedom *) in - result + re -let deserialize_ring_elements_reduced - (v_K: usize) +let deserialize_then_decompress_5_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (public_key: t_Slice u8) - (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (serialized: t_Slice u8) = - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT - public_key - (fun deserialized_pk temp_1_ -> - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K = - deserialized_pk - in - let _:usize = temp_1_ in - true) - deserialized_pk - (fun deserialized_pk temp_1_ -> - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K = - deserialized_pk - in - let i, ring_element:(usize & t_Slice u8) = temp_1_ in - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_pk - i - (deserialize_to_reduced_ring_element #v_Vector ring_element - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - <: - t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - in - let hax_temp_output:Prims.unit = () <: Prims.unit in - deserialized_pk - -let deserialize_ring_elements_reduced_out - (v_K: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (public_key: t_Slice u8) - = - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun 
v__i -> - let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialize_ring_elements_reduced v_K #v_Vector public_key deserialized_pk - in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialized_pk - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -let deserialize_to_uncompressed_ring_element - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) - = - let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) - serialized - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 10) + serialized + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let _:usize = temp_1_ in true) re (fun re temp_1_ -> let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let i, bytes:(usize & t_Slice u8) = temp_1_ in - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector - 
#FStar.Tactics.Typeclasses.solve - bytes - <: - v_Vector) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_deserialize_5_ #v_Vector + #FStar.Tactics.Typeclasses.solve + bytes + <: + v_Vector) + } <: - t_Array v_Vector (sz 16) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - re - -let compress_then_serialize_10_ - (v_OUT_LEN: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - = - let _:Prims.unit = assert_norm (pow2 10 == 1024) in - let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Folds.fold_range (sz 0) - Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized i -> - let serialized:t_Array u8 v_OUT_LEN = serialized in - let i:usize = i in - v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re) - serialized - (fun serialized i -> - let serialized:t_Array u8 v_OUT_LEN = serialized in - let i:usize = i in - let _:Prims.unit = assert (20 * v i + 20 <= 320) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in - let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector - #FStar.Tactics.Typeclasses.solve - 10l - (to_unsigned_field_modulus #v_Vector - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) - <: - v_Vector) - in - let bytes:t_Array u8 (sz 20) = - Libcrux_ml_kem.Vector.Traits.f_serialize_10_ #v_Vector - #FStar.Tactics.Typeclasses.solve - coefficient - in - let serialized:t_Array u8 v_OUT_LEN = - 
Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = sz 20 *! i <: usize; - Core.Ops.Range.f_end = (sz 20 *! i <: usize) +! sz 20 <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = sz 20 *! i <: usize; - Core.Ops.Range.f_end = (sz 20 *! i <: usize) +! sz 20 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (bytes <: t_Slice u8) - <: - t_Slice u8) - in - serialized) - in - let result:t_Array u8 v_OUT_LEN = serialized in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -#push-options "--admit_smt_queries true" - -let compress_then_serialize_11_ - (v_OUT_LEN: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - = - let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Folds.fold_range (sz 0) - Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized temp_1_ -> - let serialized:t_Array u8 v_OUT_LEN = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized i -> - let serialized:t_Array u8 v_OUT_LEN = serialized in - let i:usize = i in - let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector - #FStar.Tactics.Typeclasses.solve - 11l - (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) - <: - v_Vector) - in - let bytes:t_Array u8 (sz 22) = - Libcrux_ml_kem.Vector.Traits.f_serialize_11_ #v_Vector - #FStar.Tactics.Typeclasses.solve - coefficient - in - let serialized:t_Array u8 v_OUT_LEN = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = sz 22 *! 
i <: usize; - Core.Ops.Range.f_end = (sz 22 *! i <: usize) +! sz 22 <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = sz 22 *! i <: usize; - Core.Ops.Range.f_end = (sz 22 *! i <: usize) +! sz 22 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (bytes <: t_Slice u8) - <: - t_Slice u8) - in - serialized) - in - serialized - -#pop-options - -let compress_then_serialize_4_ - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (serialized: t_Slice u8) - = - let _:Prims.unit = assert_norm (pow2 4 == 16) in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Folds.fold_range (sz 0) - Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized i -> - let serialized:t_Slice u8 = serialized in - let i:usize = i in - v i >= 0 /\ v i <= 16 /\ v i < 16 ==> - (Seq.length serialized == 128 /\ coefficients_field_modulus_range re)) - serialized - (fun serialized i -> - let serialized:t_Slice u8 = serialized in - let i:usize = i in - let _:Prims.unit = assert (8 * v i + 8 <= 128) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in - let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector - #FStar.Tactics.Typeclasses.solve - 4l - (to_unsigned_field_modulus #v_Vector - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) - <: - v_Vector) - in - let bytes:t_Array u8 (sz 8) = - Libcrux_ml_kem.Vector.Traits.f_serialize_4_ #v_Vector - #FStar.Tactics.Typeclasses.solve - coefficient - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = sz 8 *! i <: usize; - Core.Ops.Range.f_end = (sz 8 *! i <: usize) +! 
sz 8 <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = sz 8 *! i <: usize; - Core.Ops.Range.f_end = (sz 8 *! i <: usize) +! sz 8 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (bytes <: t_Slice u8) - <: - t_Slice u8) - in - serialized) - in - let result:Prims.unit = () <: Prims.unit in - let _:Prims.unit = admit () (* Panic freedom *) in - let hax_temp_output:Prims.unit = result in - serialized - -#push-options "--admit_smt_queries true" - -let compress_then_serialize_5_ - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (serialized: t_Slice u8) - = - let serialized:t_Slice u8 = - Rust_primitives.Hax.Folds.fold_range (sz 0) - Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized temp_1_ -> - let serialized:t_Slice u8 = serialized in - let _:usize = temp_1_ in - true) - serialized - (fun serialized i -> - let serialized:t_Slice u8 = serialized in - let i:usize = i in - let coefficients:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector - #FStar.Tactics.Typeclasses.solve - 5l - (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) - <: - v_Vector) - in - let bytes:t_Array u8 (sz 10) = - Libcrux_ml_kem.Vector.Traits.f_serialize_5_ #v_Vector - #FStar.Tactics.Typeclasses.solve - coefficients - in - let serialized:t_Slice u8 = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = sz 10 *! i <: usize; - Core.Ops.Range.f_end = (sz 10 *! i <: usize) +! sz 10 <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = sz 10 *! i <: usize; - Core.Ops.Range.f_end = (sz 10 *! i <: usize) +! 
sz 10 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (bytes <: t_Slice u8) - <: - t_Slice u8) + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in - serialized) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector + #FStar.Tactics.Typeclasses.solve + 5l + (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + re) in - let hax_temp_output:Prims.unit = () <: Prims.unit in - serialized - -#pop-options + re -let compress_then_serialize_message +let deserialize_then_decompress_message (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (serialized: t_Array u8 (sz 32)) = - let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let serialized:t_Array u8 (sz 32) = + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun serialized i -> - let serialized:t_Array u8 (sz 32) = serialized in - let i:usize = i in - v i < 16 ==> coefficients_field_modulus_range re) - serialized - (fun serialized i -> - let serialized:t_Array u8 (sz 32) = serialized in + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:usize = temp_1_ in + true) + re + (fun re i -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let i:usize = i in - let _:Prims.unit = assert (2 * v 
i + 2 <= 32) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in - let coefficient:v_Vector = - to_unsigned_field_modulus #v_Vector - (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) - in let coefficient_compressed:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_compress_1_ #v_Vector - #FStar.Tactics.Typeclasses.solve - coefficient - in - let bytes:t_Array u8 (sz 2) = - Libcrux_ml_kem.Vector.Traits.f_serialize_1_ #v_Vector + Libcrux_ml_kem.Vector.Traits.f_deserialize_1_ #v_Vector #FStar.Tactics.Typeclasses.solve - coefficient_compressed - in - let serialized:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized - ({ - Core.Ops.Range.f_start = sz 2 *! i <: usize; - Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize - } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (serialized.[ { - Core.Ops.Range.f_start = sz 2 *! i <: usize; - Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! sz 2 <: usize - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (bytes <: t_Slice u8) + (serialized.[ { + Core.Ops.Range.f_start = sz 2 *! i <: usize; + Core.Ops.Range.f_end = (sz 2 *! i <: usize) +! 
sz 2 <: usize + } + <: + Core.Ops.Range.t_Range usize ] <: t_Slice u8) in - serialized) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.decompress_1_ #v_Vector coefficient_compressed + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + re) in - let result:t_Array u8 (sz 32) = serialized in - let _:Prims.unit = admit () (* Panic freedom *) in - result + re -let compress_then_serialize_ring_element_u - (v_COMPRESSION_FACTOR v_OUT_LEN: usize) +let deserialize_then_decompress_ring_element_u + (v_COMPRESSION_FACTOR: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (serialized: t_Slice u8) = - let _:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 11)); - Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR) - in match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with - | 10ul -> compress_then_serialize_10_ v_OUT_LEN #v_Vector re - | 11ul -> compress_then_serialize_11_ v_OUT_LEN #v_Vector re + | 10ul -> deserialize_then_decompress_10_ #v_Vector serialized + | 11ul -> deserialize_then_decompress_11_ #v_Vector serialized | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" <: Rust_primitives.Hax.t_Never) -let compress_then_serialize_ring_element_v - (v_COMPRESSION_FACTOR v_OUT_LEN: usize) +let deserialize_then_decompress_ring_element_v + (v_COMPRESSION_FACTOR: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (re: 
Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (out: t_Slice u8) + (serialized: t_Slice u8) = - let _:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 5)); - Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR) - in - let out, hax_temp_output:(t_Slice u8 & Prims.unit) = - match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with - | 4ul -> compress_then_serialize_4_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit) - | 5ul -> compress_then_serialize_5_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit) - | _ -> - out, - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with + | 4ul -> deserialize_then_decompress_4_ #v_Vector serialized + | 5ul -> deserialize_then_decompress_5_ #v_Vector serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - <: - Rust_primitives.Hax.t_Never) - <: - (t_Slice u8 & Prims.unit) - in - out + <: + Rust_primitives.Hax.t_Never) -let deserialize_then_decompress_10_ +let deserialize_to_reduced_ring_element (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! 
sz 8) == 320) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - in - let v__coefficients_length:usize = - Core.Slice.impl__len #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients <: t_Slice v_Vector) + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 20) + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) serialized (fun re temp_1_ -> let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in @@ -821,7 +656,7 @@ let deserialize_then_decompress_10_ let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let i, bytes:(usize & t_Slice u8) = temp_1_ in let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #v_Vector + Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector #FStar.Tactics.Typeclasses.solve bytes in @@ -833,9 +668,8 @@ let deserialize_then_decompress_10_ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_kem.Polynomial.f_coefficients i - (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector + (Libcrux_ml_kem.Vector.Traits.f_cond_subtract_3329_ #v_Vector #FStar.Tactics.Typeclasses.solve - 10l coefficient <: v_Vector) 
@@ -847,26 +681,105 @@ let deserialize_then_decompress_10_ in re -let deserialize_then_decompress_ring_element_u - (v_COMPRESSION_FACTOR: usize) +let deserialize_ring_elements_reduced + (v_PUBLIC_KEY_SIZE v_K: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) + (public_key: t_Slice u8) + (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = - let _:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 11)) + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT + public_key + (fun deserialized_pk temp_1_ -> + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K = + deserialized_pk + in + let _:usize = temp_1_ in + true) + deserialized_pk + (fun deserialized_pk temp_1_ -> + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K = + deserialized_pk + in + let i, ring_element:(usize & t_Slice u8) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize deserialized_pk + i + (deserialize_to_reduced_ring_element #v_Vector ring_element + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + <: + t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) in - match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with - | 10ul -> deserialize_then_decompress_10_ #v_Vector serialized - | 11ul -> deserialize_then_decompress_11_ #v_Vector serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + let hax_temp_output:Prims.unit = () <: Prims.unit in + deserialized_pk - <: - Rust_primitives.Hax.t_Never) +let deserialize_ring_elements_reduced_out + 
(v_PUBLIC_KEY_SIZE v_K: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (public_key: t_Slice u8) + = + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + (fun v__i -> + let v__i:usize = v__i in + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialize_ring_elements_reduced v_PUBLIC_KEY_SIZE v_K #v_Vector public_key deserialized_pk + in + deserialized_pk + +let deserialize_to_uncompressed_ring_element + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (serialized: t_Slice u8) + = + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) + serialized + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:usize = temp_1_ in + true) + re + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_deserialize_12_ #v_Vector + #FStar.Tactics.Typeclasses.solve + bytes + <: + v_Vector) + <: + t_Array v_Vector (sz 16) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + re let serialize_uncompressed_ring_element (#v_Vector: Type0) 
@@ -875,26 +788,20 @@ let serialize_uncompressed_ring_element Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - let _:Prims.unit = assert_norm (pow2 12 == 4096) in let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.repeat 0uy (sz 384) in let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized i -> + (fun serialized temp_1_ -> let serialized:t_Array u8 (sz 384) = serialized in - let i:usize = i in - v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re) + let _:usize = temp_1_ in + true) serialized (fun serialized i -> let serialized:t_Array u8 (sz 384) = serialized in let i:usize = i in - let _:Prims.unit = assert (24 * v i + 24 <= 384) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in let coefficient:v_Vector = - to_unsigned_field_modulus #v_Vector + Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) in let bytes:t_Array u8 (sz 24) = @@ -925,6 +832,4 @@ let serialize_uncompressed_ring_element in serialized) in - let result:t_Array u8 (sz 384) = serialized in - let _:Prims.unit = admit () (* Panic freedom *) in - result + serialized diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti index 6b109d8e0..b320a6fd9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
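Review bot: The loop invariant on `serialize_uncompressed_ring_element` is weakened from `v i < 16 ==> coefficients_field_modulus_range re` to `true`, and the `assert (24 * v i + 24 <= 384)` bounds step and the `reveal_opaque` of the range predicate are dropped, so nothing in the new body establishes that each coefficient handed to `to_unsigned_representative` is within `(-FIELD_MODULUS, FIELD_MODULUS)` or that the 24-byte write at `24 * i` stays inside the 384-byte array. The removed `admit () (* Panic freedom *)` was at least an explicit marker of an unproven obligation; the new code has no such marker, which reads as proven when it is merely unchecked. If this is WIP regeneration, keep the gap visible with `(* TODO: restore coefficients_field_modulus_range invariant and 24*i+24 <= 384 bound *)` on the invariant lambda; if it is meant to be final, the invariant `v i < 16 ==> coefficients_field_modulus_range re` should be restored. The function's `let` line is outside this hunk.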
@@ -9,41 +9,69 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -[@@ "opaque_to_smt"] -let field_modulus_range (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (a: v_Vector) = - let coef = Libcrux_ml_kem.Vector.Traits.f_to_i16_array a in - forall (i:nat). i < 16 ==> v (Seq.index coef i) > -(v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) /\ - v (Seq.index coef i) < v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS +val compress_then_serialize_10_ + (v_OUT_LEN: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + +val compress_then_serialize_11_ + (v_OUT_LEN: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) + +val compress_then_serialize_4_ + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val compress_then_serialize_5_ + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (serialized: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val compress_then_serialize_message + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val compress_then_serialize_ring_element_u + (v_COMPRESSION_FACTOR v_OUT_LEN: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations 
v_Vector |} + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) -[@@ "opaque_to_smt"] -let coefficients_field_modulus_range (#v_Vector: Type0) +val compress_then_serialize_ring_element_v + (v_COMPRESSION_FACTOR v_OUT_LEN: usize) + (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> field_modulus_range (Seq.index re.f_coefficients i) + (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (out: t_Slice u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val to_unsigned_field_modulus +val deserialize_then_decompress_10_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (a: v_Vector) - : Prims.Pure v_Vector - (requires field_modulus_range a) - (ensures - fun result -> - let result:v_Vector = result in - forall (i: nat). - i < 16 ==> - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) >= 0 /\ - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) < - v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) val deserialize_then_decompress_11_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 352) + Prims.l_True (fun _ -> Prims.l_True) val deserialize_then_decompress_4_ 
@@ -51,7 +79,7 @@ val deserialize_then_decompress_4_ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 128) + Prims.l_True (fun _ -> Prims.l_True) val deserialize_then_decompress_5_ @@ -59,7 +87,7 @@ val deserialize_then_decompress_5_ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 160) + Prims.l_True (fun _ -> Prims.l_True) val deserialize_then_decompress_message @@ -70,15 +98,22 @@ val deserialize_then_decompress_message Prims.l_True (fun _ -> Prims.l_True) +val deserialize_then_decompress_ring_element_u + (v_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) + val deserialize_then_decompress_ring_element_v (v_COMPRESSION_FACTOR: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - (v_COMPRESSION_FACTOR =. sz 4 || v_COMPRESSION_FACTOR =. sz 5) && - (Core.Slice.impl__len #u8 serialized <: usize) =. (sz 32 *! v_COMPRESSION_FACTOR <: usize)) + Prims.l_True (fun _ -> Prims.l_True) /// Only use with public values. 
@@ -88,151 +123,42 @@ val deserialize_to_reduced_ring_element {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - (Core.Slice.impl__len #u8 serialized <: usize) =. - Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) + Prims.l_True (fun _ -> Prims.l_True) /// See [deserialize_ring_elements_reduced_out]. val deserialize_ring_elements_reduced - (v_K: usize) + (v_PUBLIC_KEY_SIZE v_K: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (public_key: t_Slice u8) (deserialized_pk: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires - Spec.MLKEM.is_rank v_K /\ - Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)) + Prims.l_True (fun _ -> Prims.l_True) /// This function deserializes ring elements and reduces the result by the field /// modulus. /// This function MUST NOT be used on secret inputs. val deserialize_ring_elements_reduced_out - (v_K: usize) + (v_PUBLIC_KEY_SIZE v_K: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (public_key: t_Slice u8) : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires - Spec.MLKEM.is_rank v_K /\ - Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)) - (ensures - fun result -> - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - result - in - forall (i: nat). 
i < v v_K ==> coefficients_field_modulus_range (Seq.index result i)) - -val deserialize_to_uncompressed_ring_element - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (serialized: t_Slice u8) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - (Core.Slice.impl__len #u8 serialized <: usize) =. - Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) - (fun _ -> Prims.l_True) - -val compress_then_serialize_10_ - (v_OUT_LEN: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) - (requires v v_OUT_LEN == 320 /\ coefficients_field_modulus_range re) - (fun _ -> Prims.l_True) - -val compress_then_serialize_11_ - (v_OUT_LEN: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) - -val compress_then_serialize_4_ - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) - (requires Seq.length serialized == 128 /\ coefficients_field_modulus_range re) - (ensures - fun serialized_future -> - let serialized_future:t_Slice u8 = serialized_future in - Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized) - -val compress_then_serialize_5_ - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. 
sz 160) - (ensures - fun serialized_future -> - let serialized_future:t_Slice u8 = serialized_future in - Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized) - -val compress_then_serialize_message - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 (sz 32)) - (requires coefficients_field_modulus_range re) - (fun _ -> Prims.l_True) - -val compress_then_serialize_ring_element_u - (v_COMPRESSION_FACTOR v_OUT_LEN: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) - (requires - (v v_COMPRESSION_FACTOR == 10 \/ v v_COMPRESSION_FACTOR == 11) /\ - v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\ coefficients_field_modulus_range re) - (fun _ -> Prims.l_True) - -val compress_then_serialize_ring_element_v - (v_COMPRESSION_FACTOR v_OUT_LEN: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (out: t_Slice u8) - : Prims.Pure (t_Slice u8) - (requires - (v v_COMPRESSION_FACTOR == 4 \/ v v_COMPRESSION_FACTOR == 5) /\ - v v_OUT_LEN == 32 * v v_COMPRESSION_FACTOR /\ Seq.length out == v v_OUT_LEN /\ - coefficients_field_modulus_range re) - (ensures - fun out_future -> - let out_future:t_Slice u8 = out_future in - Core.Slice.impl__len #u8 out_future == Core.Slice.impl__len #u8 out) - -val deserialize_then_decompress_10_ - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (serialized: t_Slice u8) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. 
sz 320) + Prims.l_True (fun _ -> Prims.l_True) -val deserialize_then_decompress_ring_element_u - (v_COMPRESSION_FACTOR: usize) +val deserialize_to_uncompressed_ring_element (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - (v_COMPRESSION_FACTOR =. sz 10 || v_COMPRESSION_FACTOR =. sz 11) && - (Core.Slice.impl__len #u8 serialized <: usize) =. (sz 32 *! v_COMPRESSION_FACTOR <: usize)) + Prims.l_True (fun _ -> Prims.l_True) val serialize_uncompressed_ring_element (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 (sz 384)) - (requires coefficients_field_modulus_range re) - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 384)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst index 75ff693ea..9e95712a0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst 
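Review bot: Every `requires` in this hunk is replaced by `Prims.l_True`, including the input-length preconditions (`serialized` of 320/352/128/160 bytes, `BYTES_PER_RING_ELEMENT`, `Spec.MLKEM.is_rank v_K` with `T_AS_NTT_ENCODED_SIZE v_K`) and the `coefficients_field_modulus_range` pre/post-conditions, so the interface no longer states that the decompress and deserialize functions are called on correctly sized ciphertext/public-key slices, and `deserialize_ring_elements_reduced_out` no longer promises in-range coefficients, which was the fact the compress/serialize functions relied on for panic freedom. With these gone the `.fst` bodies that index `serialized` by `20 * i` / `24 * i` chunks are only as safe as every caller in Rust, which is exactly what the specification was there to check. At minimum the length requires should survive regeneration, e.g. `(requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 320)` on `deserialize_then_decompress_10_` and `(requires Spec.MLKEM.is_rank v_K /\ Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K))` on the two `deserialize_ring_elements_reduced*` vals. If the hand-written annotations are re-added later in this series, a note in the commit saying so would save reviewers from reading this as a deliberate weakening of the verified surface.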
@@ -1,27 +1,27 @@ module Libcrux_ml_kem.Types -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let impl_6__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE +let impl_7__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -let impl_13__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE +let impl_14__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -let impl_20__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE +let impl_21__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -let impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = self.f_value +let impl_7__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = self.f_value -let impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = self.f_value +let impl_14__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = self.f_value -let impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) = self.f_value +let impl_21__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) = self.f_value -let impl_21__from +let impl__from (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) = { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE -let impl_21__into_parts +let impl__into_parts (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) = @@ -29,7 +29,7 @@ let impl_21__into_parts <: (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) -let impl_21__new +let impl__new (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_Array u8 v_PRIVATE_KEY_SIZE) (pk: t_Array u8 v_PUBLIC_KEY_SIZE) 
@@ -51,22 +51,22 @@ let impl_21__new <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE -let impl_21__pk +let impl__pk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - = impl_20__as_slice v_PUBLIC_KEY_SIZE self.f_pk + = impl_21__as_slice v_PUBLIC_KEY_SIZE self.f_pk -let impl_21__private_key +let impl__private_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) = self.f_sk -let impl_21__public_key +let impl__public_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) = self.f_pk -let impl_21__sk +let impl__sk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - = impl_13__as_slice v_PRIVATE_KEY_SIZE self.f_sk + = impl_14__as_slice v_PRIVATE_KEY_SIZE self.f_sk diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti index ca59dbe5c..d533a764b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti 
@@ -1,25 +1,44 @@ module Libcrux_ml_kem.Types -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul /// The number of bytes -val impl_6__len: v_SIZE: usize -> Prims.unit +val impl_7__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) /// The number of bytes -val impl_13__len: v_SIZE: usize -> Prims.unit +val impl_14__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) /// The number of bytes -val impl_20__len: v_SIZE: usize -> Prims.unit +val impl_21__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) ///An ML-KEM Ciphertext type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = +let impl_1 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true); + f_default + = + fun (_: Prims.unit) -> + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_2 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) = + { + f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true); + f_as_ref_post = (fun (self: t_MlKemCiphertext v_SIZE) (out: t_Slice u8) -> true); + f_as_ref = fun (self: t_MlKemCiphertext v_SIZE) -> self.f_value <: t_Slice u8 + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true); 
@@ -27,7 +46,7 @@ let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = +let impl_4 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true); @@ -40,7 +59,7 @@ let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_4 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) = +let impl_5 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) = { f_from_pre = (fun (value: t_MlKemCiphertext v_SIZE) -> true); f_from_post = (fun (value: t_MlKemCiphertext v_SIZE) (out: t_Array u8 v_SIZE) -> true); 
@@ -48,19 +67,33 @@ let impl_4 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCip } /// A reference to the raw byte slice. -val impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) - : Prims.Pure (t_Array u8 v_SIZE) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 v_SIZE = result in - result == self.f_value) +val impl_7__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) + : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) ///An ML-KEM Private key type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_8 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true); + f_default + = + fun (_: Prims.unit) -> + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_9 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = + { + f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true); + f_as_ref_post = (fun (self: t_MlKemPrivateKey v_SIZE) (out: t_Slice u8) -> true); + f_as_ref = fun (self: t_MlKemPrivateKey v_SIZE) -> self.f_value <: t_Slice u8 + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_10 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true); 
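Review bot: `impl_14__as_slice` on `t_MlKemPrivateKey` loses its `ensures fun result -> result == self.f_value` postcondition for `Prims.l_True`, and the new `Default` instance `impl_8` builds a private key as `Rust_primitives.Hax.repeat 0uy v_SIZE` with a trivially true `f_default_post`. An all-zero value is not a valid ML-KEM secret key, so if `Default` exists only so callers can pre-allocate an output buffer, that should be stated where the instance is defined (the Rust source this mirrors is not in view, so I cannot tell whether its doc comment already says so), e.g. `/// Placeholder (all zero) key for buffer allocation; never a usable secret key.` The `as_slice` postcondition is cheap and worth keeping: `(ensures fun result -> result == self.f_value)`.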
@@ -68,7 +101,7 @@ let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_10 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_11 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true); @@ -81,7 +114,7 @@ let impl_10 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_11 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) = +let impl_12 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) = { f_from_pre = (fun (value: t_MlKemPrivateKey v_SIZE) -> true); f_from_post = (fun (value: t_MlKemPrivateKey v_SIZE) (out: t_Array u8 v_SIZE) -> true); 
@@ -89,19 +122,33 @@ let impl_11 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPr } /// A reference to the raw byte slice. -val impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) - : Prims.Pure (t_Array u8 v_SIZE) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 v_SIZE = result in - result == self.f_value) +val impl_14__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) + : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) ///An ML-KEM Public key type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_15 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) = + { + f_default_pre = (fun (_: Prims.unit) -> true); + f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true); + f_default + = + fun (_: Prims.unit) -> + { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_16 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) = + { + f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true); + f_as_ref_post = (fun (self: t_MlKemPublicKey v_SIZE) (out: t_Slice u8) -> true); + f_as_ref = fun (self: t_MlKemPublicKey v_SIZE) -> self.f_value <: t_Slice u8 + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_17 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true); 
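Review bot: `impl_14__as_slice` for `t_MlKemPrivateKey` gets the same trivial postcondition `(fun _ -> Prims.l_True)` in place of `result == self.f_value`, which is the one fact a caller needs to show that the secret-key bytes it feeds to decapsulation (or serializes) are the key it holds. Because this is a `val` with no body in the `.fsti`, the postcondition is the entire contract; with it gone the accessor is indistinguishable from one returning arbitrary bytes of the right length. Restoring `(ensures fun result -> let result:t_Array u8 v_SIZE = result in result == self.f_value)` matches the `f_as_ref` instance two definitions up, which exposes `self.f_value` directly, and should be cheap to discharge even at the reduced z3rlimit if the implementation is, as `f_as_ref` suggests, a plain field projection (the `.fst` body is not in this diff). `impl_15`/`impl_16` for the public key follow the same layout, so whatever is decided for the accessor post should be applied to all three types together.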
@@ -109,7 +156,7 @@ let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_17 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_18 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true); @@ -122,7 +169,7 @@ let impl_17 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_18 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) = +let impl_19 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) = { f_from_pre = (fun (value: t_MlKemPublicKey v_SIZE) -> true); f_from_post = (fun (value: t_MlKemPublicKey v_SIZE) (out: t_Array u8 v_SIZE) -> true); 
@@ -130,132 +177,11 @@ let impl_18 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPu } /// A reference to the raw byte slice. -val impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) - : Prims.Pure (t_Array u8 v_SIZE) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 v_SIZE = result in - result == self.f_value) - -/// An ML-KEM key pair -type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { - f_sk:t_MlKemPrivateKey v_PRIVATE_KEY_SIZE; - f_pk:t_MlKemPublicKey v_PUBLIC_KEY_SIZE -} - -/// Create a new [`MlKemKeyPair`] from the secret and public key. -val impl_21__from - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) - (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - Prims.l_True - (ensures - fun result -> - let result:t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = result in - result.f_sk == sk /\ result.f_pk == pk) - -/// Separate this key into the public and private key. -val impl_21__into_parts - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Creates a new [`MlKemKeyPair`]. -val impl_21__new - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (sk: t_Array u8 v_PRIVATE_KEY_SIZE) - (pk: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Get a reference to the raw public key bytes. -val impl_21__pk - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -/// Get a reference to the [`MlKemPrivateKey`]. 
-val impl_21__private_key - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -/// Get a reference to the [`MlKemPublicKey`]. -val impl_21__public_key - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_MlKemPublicKey v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -/// Get a reference to the raw private key bytes. -val impl_21__sk - (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) - (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) = - { - f_default_pre = (fun (_: Prims.unit) -> true); - f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true); - f_default - = - fun (_: Prims.unit) -> - { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemCiphertext v_SIZE - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) = - { - f_default_pre = (fun (_: Prims.unit) -> true); - f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true); - f_default - = - fun (_: Prims.unit) -> - { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPrivateKey v_SIZE - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) = - { - f_default_pre = (fun (_: Prims.unit) -> true); - f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true); - f_default - = - fun (_: Prims.unit) -> - { f_value = Rust_primitives.Hax.repeat 0uy v_SIZE } <: t_MlKemPublicKey v_SIZE - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1 (v_SIZE: 
usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) = - { - f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true); - f_as_ref_post = (fun (self: t_MlKemCiphertext v_SIZE) (out: t_Slice u8) -> true); - f_as_ref = fun (self: t_MlKemCiphertext v_SIZE) -> self.f_value <: t_Slice u8 - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_8 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = - { - f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true); - f_as_ref_post = (fun (self: t_MlKemPrivateKey v_SIZE) (out: t_Slice u8) -> true); - f_as_ref = fun (self: t_MlKemPrivateKey v_SIZE) -> self.f_value <: t_Slice u8 - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_15 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) = - { - f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true); - f_as_ref_post = (fun (self: t_MlKemPublicKey v_SIZE) (out: t_Slice u8) -> true); - f_as_ref = fun (self: t_MlKemPublicKey v_SIZE) -> self.f_value <: t_Slice u8 - } +val impl_21__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) + : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_5 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) = +let impl_6 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); @@ -286,7 +212,7 @@ let impl_5 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) ( } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_12 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = +let impl_13 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); 
@@ -317,7 +243,7 @@ let impl_12 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_19 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) = +let impl_20 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); 
@@ -346,3 +272,59 @@ let impl_19 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) ( <: Core.Result.t_Result (t_MlKemPublicKey v_SIZE) Core.Array.t_TryFromSliceError } + +/// An ML-KEM key pair +type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { + f_sk:t_MlKemPrivateKey v_PRIVATE_KEY_SIZE; + f_pk:t_MlKemPublicKey v_PUBLIC_KEY_SIZE +} + +/// Create a new [`MlKemKeyPair`] from the secret and public key. +val impl__from + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) + (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Separate this key into the public and private key. +val impl__into_parts + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Creates a new [`MlKemKeyPair`]. +val impl__new + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (sk: t_Array u8 v_PRIVATE_KEY_SIZE) + (pk: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get a reference to the raw public key bytes. +val impl__pk + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +/// Get a reference to the [`MlKemPrivateKey`]. +val impl__private_key + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +/// Get a reference to the [`MlKemPublicKey`]. 
+val impl__public_key + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_MlKemPublicKey v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +/// Get a reference to the raw private key bytes. +val impl__sk + (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) + (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) + : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst index 2ee26ba5e..7af62082c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Utils -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -26,21 +26,4 @@ let into_padded_array (v_LEN: usize) (slice: t_Slice u8) = <: t_Slice u8) in - let _:Prims.unit = assert (Seq.slice out 0 (Seq.length slice) == slice) in - let _:Prims.unit = - assert (Seq.slice out (Seq.length slice) (v v_LEN) == - Seq.slice (Seq.create (v v_LEN) 0uy) (Seq.length slice) (v v_LEN)) - in - let _:Prims.unit = - assert (forall i. i < Seq.length slice ==> Seq.index out i == Seq.index slice i) - in - let _:Prims.unit = - assert (forall i. - (i >= Seq.length slice && i < v v_LEN) ==> - Seq.index out i == - Seq.index (Seq.slice out (Seq.length slice) (v v_LEN)) (i - Seq.length slice)) - in - let _:Prims.unit = - Seq.lemma_eq_intro out (Seq.append slice (Seq.create (v v_LEN - Seq.length slice) 0uy)) - in out diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti index c87b2d316..df9ce411d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Utils -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -7,8 +7,4 @@ open FStar.Mul val into_padded_array (v_LEN: usize) (slice: t_Slice u8) : Prims.Pure (t_Array u8 v_LEN) (requires (Core.Slice.impl__len #u8 slice <: usize) <=. v_LEN) - (ensures - fun result -> - let result:t_Array u8 v_LEN = result in - result == Seq.append slice (Seq.create (v v_LEN - v (Core.Slice.impl__len #u8 slice)) 0uy) - ) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti index 943518133..4d6616fd4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Variant -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
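Review bot: `into_padded_array` keeps its `requires` (slice length `<=. v_LEN`) but its `ensures` — `result == Seq.append slice (Seq.create (v v_LEN - v (Core.Slice.impl__len #u8 slice)) 0uy)` — is replaced by `(fun _ -> Prims.l_True)`, and the matching `Seq.lemma_eq_intro` chain in `Libcrux_ml_kem.Utils.fst` (previous file) is deleted with it. If, as the name suggests, this helper prepares buffers that are then hashed, a trivial postcondition means no proof about the KEM can say anything about the padded bytes: the remaining precondition still rules out an out-of-bounds copy, but correctness of the hash input is no longer established. Unless the weakening is intentional for this WIP state, I would restore the `ensures` here and the lemma in the `.fst` rather than leave `Prims.l_True`. The `--z3rlimit` drop from 100 to 15 on line 2 applies to every remaining proof in the module; if any of them was tuned for the old budget it will now fail nondeterministically, so that setting deserves a separate, tested change.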
@@ -27,18 +27,18 @@ class t_Variant (v_Self: Type0) = { v_CIPHERTEXT_SIZE: usize -> #v_Hasher: Type0 -> {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - shared_secret: t_Slice u8 -> - ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE - -> pred: Type0{(Core.Slice.impl__len #u8 shared_secret <: usize) =. sz 32 ==> pred}; + t_Slice u8 -> + Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE + -> Type0; f_kdf_post: v_K: usize -> v_CIPHERTEXT_SIZE: usize -> #v_Hasher: Type0 -> {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - shared_secret: t_Slice u8 -> - ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE -> - res: t_Array u8 (sz 32) - -> pred: Type0{pred ==> res == shared_secret}; + t_Slice u8 -> + Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE -> + t_Array u8 (sz 32) + -> Type0; f_kdf: v_K: usize -> v_CIPHERTEXT_SIZE: usize -> @@ -53,15 +53,15 @@ class t_Variant (v_Self: Type0) = { v_K: usize -> #v_Hasher: Type0 -> {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - randomness: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 randomness <: usize) =. sz 32 ==> pred}; + t_Slice u8 + -> Type0; f_entropy_preprocess_post: v_K: usize -> #v_Hasher: Type0 -> {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - randomness: t_Slice u8 -> - res: t_Array u8 (sz 32) - -> pred: Type0{pred ==> res == randomness}; + t_Slice u8 -> + t_Array u8 (sz 32) + -> Type0; f_entropy_preprocess: v_K: usize -> #v_Hasher: Type0 -> @@ -74,8 +74,8 @@ class t_Variant (v_Self: Type0) = { v_K: usize -> #v_Hasher: Type0 -> {| i4: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - seed: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 seed <: usize) =. sz 32 ==> pred}; + t_Slice u8 + -> Type0; f_cpa_keygen_seed_post: v_K: usize -> #v_Hasher: Type0 -> 
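Review bot: The `f_kdf_pre`/`f_kdf_post` members of `t_Variant` lose their refinements — `pred: Type0{(Core.Slice.impl__len #u8 shared_secret <: usize) =. sz 32 ==> pred}` and `pred: Type0{pred ==> res == shared_secret}` become bare `Type0` — so the class no longer obliges an instance to accept a 32-byte shared secret or to return it unchanged, and an instance may now legally choose `f_kdf_pre = false` (vacuous) or any post at all. The second refinement is what lets a top-level decapsulation proof connect the returned shared secret to the spec (the ML-KEM instance's old post in the next hunks was literally `res == shared_secret`), so dropping it at the class level removes the guarantee for every variant at once. If hax now emits `Type0` for unannotated trait methods, the refinements should come back through `#[hax_lib::requires]`/`#[hax_lib::ensures]` on the Rust trait rather than by editing this generated file. The `t_Variant` class continues beyond this hunk, and the two following hunks on this line drop the same `=. sz 32` refinement from `f_entropy_preprocess_pre` and `f_cpa_keygen_seed_pre`.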
@@ -108,7 +108,7 @@ let impl: t_Variant t_MlKem = (shared_secret: t_Slice u8) (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) -> - (Core.Slice.impl__len #u8 shared_secret <: usize) =. sz 32); + true); f_kdf_post = (fun @@ -120,9 +120,9 @@ let impl: t_Variant t_MlKem = Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (shared_secret: t_Slice u8) (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - (res: t_Array u8 (sz 32)) + (out1: t_Array u8 (sz 32)) -> - res == shared_secret); + true); f_kdf = (fun @@ -148,7 +148,7 @@ let impl: t_Variant t_MlKem = Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (randomness: t_Slice u8) -> - (Core.Slice.impl__len #u8 randomness <: usize) =. sz 32); + true); f_entropy_preprocess_post = (fun @@ -158,9 +158,9 @@ let impl: t_Variant t_MlKem = i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (randomness: t_Slice u8) - (res: t_Array u8 (sz 32)) + (out1: t_Array u8 (sz 32)) -> - res == randomness); + true); f_entropy_preprocess = (fun @@ -184,7 +184,7 @@ let impl: t_Variant t_MlKem = Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (key_generation_seed: t_Slice u8) -> - (Core.Slice.impl__len #u8 key_generation_seed <: usize) =. sz 32); + true); f_cpa_keygen_seed_post = (fun diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst index 14c6d47e2..81d8b74e0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst 
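Review bot: In the `t_MlKem` instance `f_kdf_post` is weakened from `res == shared_secret` to `true` (with the result renamed `out1`), so the instance no longer proves that ML-KEM's KDF returns the shared secret unchanged; `f_entropy_preprocess_post` in the hunk below gets the same treatment, and the three `_pre` hunks replace `(Core.Slice.impl__len #u8 ... <: usize) =. sz 32` with `true`. Since the bodies of `f_kdf` and `f_entropy_preprocess` are outside these hunks, I cannot tell whether they still assume a 32-byte slice; if they copy into a `t_Array u8 (sz 32)`, the dropped precondition is exactly what made that safe, and the obligation has silently moved from callers into the body. Restoring `(out1: t_Array u8 (sz 32)) -> out1 == shared_secret` and the `=. sz 32` length checks keeps the instance's contract at least as strong as before this commit.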
@@ -1,204 +1,59 @@ module Libcrux_ml_kem.Vector.Avx2.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let lemma_add_i (lhs rhs: t_Vec256) (i:nat): Lemma - (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i)))) - (ensures (v (add_mod (get_lane lhs i) (get_lane rhs i)) == - (v (get_lane lhs i) + v (get_lane rhs i)))) - [SMTPat (v (add_mod (get_lane lhs i) (get_lane rhs i)))] = () +let add (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs -let add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs - in - let _:Prims.unit = - assert (forall i. get_lane result i == get_lane lhs i +. get_lane rhs i); - assert (forall i. v (get_lane result i) == v (get_lane lhs i) + v (get_lane rhs i)) - in - result +let bitwise_and_with_constant (vector: u8) (constant: i16) = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 vector + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant <: u8) -let bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) = - let cv:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_and_si256 vector cv - in - let _:Prims.unit = - Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) - (Spec.Utils.map_array (fun x -> x &. 
constant) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - in - result +let multiply_by_constant (vector: u8) (constant: i16) = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant <: u8) -let lemma_mul_i (lhs: t_Vec256) (i:nat) (c:i16): Lemma - (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) * v c))) - (ensures (v (mul_mod (get_lane lhs i) c) == - (v (get_lane lhs i) * v c))) - [SMTPat (v (mul_mod (get_lane lhs i) c))] = () +let shift_right (v_SHIFT_BY: i32) (vector: u8) = + Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 v_SHIFT_BY vector -let multiply_by_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) = - let cv:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector cv - in - let _:Prims.unit = - Seq.lemma_eq_intro (vec256_as_i16x16 result) - (Spec.Utils.map_array (fun x -> x *. constant) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - in - let _:Prims.unit = - assert (forall i. get_lane result i == get_lane vector i *. constant); - assert (forall i. v (get_lane vector i *. constant) == v (get_lane vector i) * v constant); - assert (forall i. v (get_lane result i) == v (get_lane vector i) * v constant) - in - result +let sub (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 lhs rhs -let shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 v_SHIFT_BY vector - in - let _:Prims.unit = - Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) - (Spec.Utils.map_array (fun x -> x >>! 
v_SHIFT_BY) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - in - result - -let lemma_sub_i (lhs rhs: t_Vec256) (i:nat): Lemma - (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i)))) - (ensures (v (sub_mod (get_lane lhs i) (get_lane rhs i)) == - (v (get_lane lhs i) - v (get_lane rhs i)))) - [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = () - -let sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 lhs rhs - in - let _:Prims.unit = - assert (forall i. get_lane result i == get_lane lhs i -. get_lane rhs i); - assert (forall i. v (get_lane result i) == v (get_lane lhs i) - v (get_lane rhs i)) - in - result - -#push-options "--z3rlimit 200" - -let barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let t0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let barrett_reduce (vector: u8) = + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vector - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 v_BARRETT_MULTIPLIER - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let _:Prims.unit = - assert (forall i. - get_lane t0 i == - (cast (((cast (get_lane vector i) <: i32) *. (cast v_BARRETT_MULTIPLIER <: i32)) >>! 16l) - <: - i16)) - in - let t512:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 512s + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 v_BARRETT_MULTIPLIER <: u8) in - let _:Prims.unit = assert (forall i. get_lane t512 i == 512s) in - let t1:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 t0 t512 + let t:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 t + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 512s <: u8) in - let _:Prims.unit = assert (forall i. get_lane t1 i == get_lane t0 i +. 
512s) in - let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 10l t1 - in - let _:Prims.unit = - assert (forall i. get_lane quotient i == (((get_lane t1 i) <: i16) >>! (10l <: i32))) - in - let quotient_times_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let quotient:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 10l t in + let quotient_times_field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 quotient (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let _:Prims.unit = - assert (forall i. - get_lane quotient_times_field_modulus i == - get_lane quotient i *. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) + u8) in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector quotient_times_field_modulus - in - let _:Prims.unit = - assert (forall i. - get_lane result i == get_lane vector i -. get_lane quotient_times_field_modulus i); - assert (forall i. get_lane result i == Spec.Utils.barrett_red (get_lane vector i)); - assert (forall i. v (get_lane result i) % 3329 == v (get_lane vector i) % 3329); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (forall (i: nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)) - in - result - -#pop-options + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector quotient_times_field_modulus -#push-options "--z3rlimit 100" - -let cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let cond_subtract_3329_ (vector: u8) = + let field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS in - let _:Prims.unit = assert (forall i. 
get_lane field_modulus i == 3329s) in - let vv_minus_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let vv_minus_field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector field_modulus in - let _:Prims.unit = - assert (forall i. get_lane vv_minus_field_modulus i == get_lane vector i -. 3329s) - in - let sign_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l vv_minus_field_modulus - in - let _:Prims.unit = - assert (forall i. get_lane sign_mask i == (get_lane vv_minus_field_modulus i >>! 15l)) - in - let conditional_add_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let sign_mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l vv_minus_field_modulus in + let conditional_add_field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_and_si256 sign_mask field_modulus in - let _:Prims.unit = - assert (forall i. get_lane conditional_add_field_modulus i == (get_lane sign_mask i &. 3329s)) - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 vv_minus_field_modulus - conditional_add_field_modulus - in - let _:Prims.unit = - assert (forall i. - get_lane result i == - (get_lane vv_minus_field_modulus i +. get_lane conditional_add_field_modulus i)); - assert (forall i. get_lane result i == Spec.Utils.cond_sub (get_lane vector i)); - assert (forall i. - get_lane result i == - (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i)) - in - result - -#pop-options + Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 vv_minus_field_modulus + conditional_add_field_modulus -#push-options "--z3rlimit 200" - -let montgomery_multiply_by_constant - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (constant: i16) - = - let vec_constant:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant - in - let _:Prims.unit = assert (forall i. 
get_lane vec_constant i == constant) in - let value_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector vec_constant - in - let _:Prims.unit = assert (forall i. get_lane value_low i == get_lane vector i *. constant) in - let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let montgomery_multiply_by_constant (vector: u8) (constant: i16) = + let constant:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant in + let value_low:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector constant in + let k:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 value_low (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: 
@@ -206,68 +61,20 @@ let montgomery_multiply_by_constant <: i16) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let _:Prims.unit = assert (forall i. get_lane k i == get_lane value_low i *. (neg 3327s)) in - let modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - in - let _:Prims.unit = assert (forall i. get_lane modulus i == 3329s) in - let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k modulus - in - let _:Prims.unit = - assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 modulus)); - assert (forall i. - get_lane k_times_modulus i == - (cast (((cast (get_lane k i) <: i32) *. (cast (get_lane modulus i) <: i32)) >>! 16l) - <: - i16)) - in - let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vector vec_constant - in - let _:Prims.unit = - assert (forall i. - get_lane value_high i == - (cast (((cast (get_lane vector i) <: i32) *. (cast (get_lane vec_constant i) <: i32)) >>! - 16l) - <: - i16)) - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus + u8) in - let _:Prims.unit = - Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. get_lane result i == (get_lane value_high i) -. (get_lane k_times_modulus i)); - assert (forall i. get_lane result i == Spec.Utils.mont_mul_red_i16 (get_lane vector i) constant); - assert (forall i. 
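Review bot: Every function in this hunk changes its vector type from `Libcrux_intrinsics.Avx2_extract.t_Vec256` to `u8` (`let add (lhs rhs: u8)`, `barrett_reduce (vector: u8)`, ...), which looks like output from an intrinsics model that has no vector type yet rather than an intended change, and with `u8` as the carrier none of the `get_lane`/`vec256_as_i16x16` reasoning can even be typed — which is presumably why the per-lane lemmas (`lemma_add_i`, `lemma_mul_i`, `lemma_sub_i` with their `SMTPat`s) and the range assertions `Spec.Utils.is_i16b_array 3328 (...)` on `barrett_reduce` and `montgomery_multiply_by_constant` are deleted along with the `#push-options "--z3rlimit 200"` blocks. Those range facts are the proof that the reductions keep every lane inside its 16-bit bound and that `mullo`/`mulhi` do not wrap into a wrong coefficient; for a KEM an overflowing lane silently corrupts ciphertexts or shared secrets, so losing them is not cosmetic. If the goal is only to refresh generated code, I would keep this file out of the `wip` commit until the intrinsic model again provides `t_Vec256`, or move the lemmas into a companion file the extraction does not overwrite. The module-level `--z3rlimit` drop from 100 to 15 only matters once those proofs return, but it should then be revisited together with them.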
Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (forall (i: nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)); - assert (forall i. - v (get_lane result i) % 3329 == ((v (get_lane vector i) * v constant * 169) % 3329)) + let k_times_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + <: + u8) in - result - -#pop-options + let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vector constant in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus -#push-options "--z3rlimit 100" - -let montgomery_multiply_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let value_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vec constants - in - let _:Prims.unit = - assert (forall i. get_lane value_low i == get_lane vec i *. get_lane constants i) - in - let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let montgomery_multiply_by_constants (v c: u8) = + let value_low:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 v c in + let k:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 value_low (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: 
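Review bot: `montgomery_multiply_by_constants (v c: u8)` names a parameter `v`, which shadows the integer-view function `v` that every assertion removed from this file relied on (`v (get_lane result i)`, `v v_LEN`); the body compiles today only because it contains no proof, and the first `assert` reintroduced inside it will resolve `v (...)` to the vector argument and fail to type. The previous names `vec constants` avoided this, and since hax derives the F* binders from the Rust parameter names, renaming on the Rust side (to `vector`/`constants`) is the durable fix; the next hunk repeats the same `(v c: u8)` pattern for the `m128i` variant. With the lemmas gone, `montgomery_multiply_by_constant` and `montgomery_multiply_by_constants` are now structurally identical apart from the broadcast `mm256_set1_epi16 constant`, so whichever `is_i16b 3328` range proof is restored for one should be restored for the other at the same time.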
@@ -275,69 +82,20 @@ let montgomery_multiply_by_constants (vec constants: Libcrux_intrinsics.Avx2_ext <: i16) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let _:Prims.unit = assert (forall i. get_lane k i == get_lane value_low i *. (neg 3327s)) in - let modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - in - let _:Prims.unit = assert (forall i. get_lane modulus i == 3329s) in - let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k modulus - in - let _:Prims.unit = - assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 modulus)); - assert (forall i. - get_lane k_times_modulus i == - (cast (((cast (get_lane k i) <: i32) *. (cast (get_lane modulus i) <: i32)) >>! 16l) - <: - i16)) - in - let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vec constants - in - let _:Prims.unit = - assert (forall i. - get_lane value_high i == - (cast (((cast (get_lane vec i) <: i32) *. (cast (get_lane constants i) <: i32)) >>! 16l) - <: - i16)) - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus + u8) in - let _:Prims.unit = - Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. get_lane result i == (get_lane value_high i) -. (get_lane k_times_modulus i)); - assert (forall i. - get_lane result i == Spec.Utils.mont_mul_red_i16 (get_lane vec i) (get_lane constants i)); - assert (forall i. 
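Review bot: On the new side every vector-typed binding in `montgomery_multiply_by_constant` is now annotated `u8` (`let k_times_modulus:u8 = ... mm256_mulhi_epi16 ...`, `let value_high:u8 = ...`) where the removed side had `Libcrux_intrinsics.Avx2_extract.t_Vec256`; a 256-bit lane vector cannot be a `u8`, so the regenerated extraction appears to have lost the intrinsics types, presumably because `Libcrux_intrinsics.Avx2_extract` was not resolved when hax ran (the `.fsti` hunk further down also drops `open Libcrux_intrinsics.Avx2_extract`). The same replacement appears in the `montgomery_multiply_by_constants`, `montgomery_multiply_m128i_by_constants` and `montgomery_reduce_i32s` hunks and in the Compress.fst and Ntt.fst hunks, where the earlier `t_Vec128`/`t_Vec256` distinction (e.g. `lhs`/`rhs` versus `combined` in `inv_ntt_layer_3_step`) collapses to a single `u8`. With the type gone, the removed `assert (Spec.Utils.is_i16b_array 3328 (... vec256_as_i16x16 result))` and `v (get_lane result i) % 3329 == ...` proof steps have nothing to type-check against, so the Montgomery-reduction range and correctness proofs for these AVX2 kernels are no longer checked by F*. If this is the intended intermediate state of a wip commit, a comment at the top of the extracted module such as `(* extraction regenerated without Libcrux_intrinsics types; lane proofs temporarily dropped *)` would make the regression visible; otherwise the extraction should be regenerated with the intrinsics crate in scope. `montgomery_multiply_by_constant` starts outside this hunk.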
Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (forall (i: nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)); - assert (forall i. - v (get_lane result i) % 3329 == - ((v (get_lane vec i) * v (get_lane constants i) * 169) % 3329)) + let k_times_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + <: + u8) in - result + let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 v c in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus -#pop-options - -#push-options "--z3rlimit 100" - -let montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec128) = - let value_low:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_mullo_epi16 vec constants - in - let _:Prims.unit = - assert (forall i. get_lane128 value_low i == get_lane128 vec i *. get_lane128 constants i) - in - let k:Libcrux_intrinsics.Avx2_extract.t_Vec128 = +let montgomery_multiply_m128i_by_constants (v c: u8) = + let value_low:u8 = Libcrux_intrinsics.Avx2_extract.mm_mullo_epi16 v c in + let k:u8 = Libcrux_intrinsics.Avx2_extract.mm_mullo_epi16 value_low (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: 
@@ -345,74 +103,29 @@ let montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Av <: i16) <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let _:Prims.unit = assert (forall i. get_lane128 k i == get_lane128 value_low i *. (neg 3327s)) in - let modulus:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - in - let _:Prims.unit = assert (forall i. get_lane128 modulus i == 3329s) in - let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 k modulus - in - let _:Prims.unit = - assert (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 k) - (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 modulus)); - assert (forall i. - get_lane128 k_times_modulus i == - (cast (((cast (get_lane128 k i) <: i32) *. (cast (get_lane128 modulus i) <: i32)) >>! 16l) - <: - i16)) + u8) in - let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 vec constants - in - let _:Prims.unit = - assert (forall i. - get_lane128 value_high i == - (cast (((cast (get_lane128 vec i) <: i32) *. (cast (get_lane128 constants i) <: i32)) >>! - 16l) - <: - i16)) - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 value_high k_times_modulus - in - let _:Prims.unit = - Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. - get_lane128 result i == (get_lane128 value_high i) -. (get_lane128 k_times_modulus i)); - assert (forall i. 
- get_lane128 result i == - Spec.Utils.mont_mul_red_i16 (get_lane128 vec i) (get_lane128 constants i)); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane128 result i)); - assert (forall (i: nat). i < 8 ==> Spec.Utils.is_i16b 3328 (get_lane128 result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 result)); - assert (forall i. - v (get_lane128 result i) % 3329 == - ((v (get_lane128 vec i) * v (get_lane128 constants i) * 169) % 3329)) + let k_times_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 k + (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + <: + u8) in - result + let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 v c in + Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 value_high k_times_modulus -#pop-options - -let montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vec +let montgomery_reduce_i32s (v: u8) = + let k:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 v (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: i32) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let k_times_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: 
@@ -420,19 +133,9 @@ let montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: i32) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 16l vec - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l result - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 16l result + u8) in - let _:Prims.unit = admit () (* Panic freedom *) in - result + let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 16l v in + let result:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus in + let result:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l result in + Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 16l result diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti index 9bc156305..ad8d448c9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti 
@@ -1,139 +1,34 @@ module Libcrux_ml_kem.Vector.Avx2.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let v_BARRETT_MULTIPLIER: i16 = 20159s -open Libcrux_intrinsics.Avx2_extract +val add (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - forall i. - i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i))) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall i. i < 16 ==> v (get_lane result i) == (v (get_lane lhs i) + v (get_lane rhs i))) +val bitwise_and_with_constant (vector: u8) (constant: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result == - Spec.Utils.map_array (fun x -> x &. constant) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) +val multiply_by_constant (vector: u8) (constant: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val multiply_by_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane vector i) * v constant)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall i. 
i < 16 ==> v (get_lane result i) == (v (get_lane vector i) * v constant)) +val shift_right (v_SHIFT_BY: i32) (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> - Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result == - Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - -val sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - forall i. - i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i))) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall i. i < 16 ==> v (get_lane result i) == (v (get_lane lhs i) - v (get_lane rhs i))) +val sub (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) /// See Section 3.2 of the implementation notes document for an explanation /// of this code. -val barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b_array 28296 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\ - (forall i. 
i < 16 ==> v (get_lane result i) % 3329 == (v (get_lane vector i) % 3329))) +val barrett_reduce (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b_array (pow2 12 - 1) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall i. - i < 16 ==> - get_lane result i == - (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i - )) +val cond_subtract_3329_ (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply_by_constant - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (constant: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Spec.Utils.is_i16b 1664 constant) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\ - (forall i. - i < 16 ==> - v (get_lane result i) % 3329 == ((v (get_lane vector i) * v constant * 169) % 3329))) +val montgomery_multiply_by_constant (vector: u8) (constant: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 constants)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\ - (forall i. 
- i < 16 ==> - v (get_lane result i) % 3329 == - ((v (get_lane vec i) * v (get_lane constants i) * 169) % 3329))) +val montgomery_multiply_by_constants (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec128) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec128 - (requires - Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 constants)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec128 = result in - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 result) /\ - (forall i. - i < 8 ==> - v (get_lane128 result i) % 3329 == - ((v (get_lane128 vec i) * v (get_lane128 constants i) * 169) % 3329))) +val montgomery_multiply_m128i_by_constants (v c: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b_array (3328 * pow2 16) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vec)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Spec.Utils.is_i16b_array (3328 + 1665) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\ - (Spec.Utils.is_i16b_array (3328 * pow2 15) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vec) ==> - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)) /\ - (forall i. i < 16 ==> v (get_lane result i) % 3329 == ((v (get_lane vec i) * 169) % 3329)) - ) +val montgomery_reduce_i32s (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst index 87c17cd2a..d40f2d67a 100644 
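Review bot: The new interface drops the preconditions that bounded the inputs of these kernels: `shift_right` loses `(requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l)`, `montgomery_multiply_by_constant` loses `(requires Spec.Utils.is_i16b 1664 constant)`, `barrett_reduce` loses the `is_i16b_array 28296` bound on its input, and every `ensures` that pinned outputs to `is_i16b_array 3328` and to the `% 3329` congruence becomes `(fun _ -> Prims.l_True)`. Callers such as the NTT layers in `Libcrux_ml_kem.Vector.Avx2.Ntt` were previously obliged to discharge these bounds at each call site; with `Prims.l_True` on both sides, lane overflow and reduction correctness are no longer checked by F* at all, and the lowered `--z3rlimit 15` on the new `#set-options` line is consistent with there being nothing left to prove. If the intent is only to get the extraction compiling again, the removed `requires`/`ensures` should be restored once the vector type is back, or at least recorded above each `val`, e.g. `(* TODO: restore requires/ensures from the previous extraction *)`, so the empty contracts are not mistaken for a verified interface.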
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst @@ -1,36 +1,27 @@ module Libcrux_ml_kem.Vector.Avx2.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let mulhi_mm256_epi32 (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epu32 lhs rhs - in - let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let mulhi_mm256_epi32 (lhs rhs: u8) = + let prod02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epu32 lhs rhs in + let prod13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epu32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l lhs <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs <: u8) in Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 (Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi32 prod02 prod13 <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi32 prod02 prod13 - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi32 prod02 prod13 <: u8) -let compress_ciphertext_coefficient - (v_COEFFICIENT_BITS: i32) - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - = - let field_modulus_halved:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let compress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: u8) = + let field_modulus_halved:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (((cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) 
@@ -43,63 +34,47 @@ let compress_ciphertext_coefficient <: i32) in - let compression_factor:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 10321340l - in - let coefficient_bits_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let compression_factor:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 10321340l in + let coefficient_bits_mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ((1l < Prims.l_True) +val mulhi_mm256_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val compress_ciphertext_coefficient - (v_COEFFICIENT_BITS: i32) - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - v v_COEFFICIENT_BITS >= 0 /\ v v_COEFFICIENT_BITS < bits i32_inttype /\ - range (v (1l < Prims.l_True) +val compress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val compress_message_coefficient (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val compress_message_coefficient (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val decompress_ciphertext_coefficient - (v_COEFFICIENT_BITS: i32) - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires v v_COEFFICIENT_BITS >= 0 /\ v v_COEFFICIENT_BITS < bits i32_inttype) - (fun _ -> Prims.l_True) +val decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst index 7fb1ccee4..68f788df8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst 
@@ -1,118 +1,76 @@ module Libcrux_ml_kem.Vector.Avx2.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -#push-options "--admit_smt_queries true" - -let inv_ntt_layer_1_step - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i16) - = - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let inv_ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) = + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 rhs (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (-1s) (-1s) 1s 1s (-1s) (-1s) 1s 1s (-1s) (-1s) 1s 1s (-1s) (-1s) 1s 1s <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let sum:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs - in - let sum_times_zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let sum:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs in + let sum_times_zetas:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants sum (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 zeta3 zeta3 0s 0s zeta2 zeta2 0s 0s zeta1 zeta1 0s 0s zeta0 zeta0 0s 0s <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let sum:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_kem.Vector.Avx2.Arithmetic.barrett_reduce sum + u8) in + let sum:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.barrett_reduce sum in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi16 204l sum sum_times_zetas -#pop-options - -let inv_ntt_layer_2_step (vector: 
Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) = - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 245l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 160l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let inv_ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) = + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 245l vector in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 160l vector in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 rhs (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (-1s) (-1s) (-1s) (-1s) 1s 1s 1s 1s (-1s) (-1s) (-1s) (-1s) 1s 1s 1s 1s <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let sum:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs + u8) in - let sum_times_zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let sum:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs in + let sum_times_zetas:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants sum (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 zeta1 zeta1 zeta1 zeta1 0s 0s 0s 0s zeta0 zeta0 zeta0 zeta0 0s 0s 0s 0s <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi16 240l sum sum_times_zetas -let inv_ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) = - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector - in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - 
Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = +let inv_ntt_layer_3_step (vector: u8) (zeta: i16) = + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector in + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs in + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs in + let upper_coefficients:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_m128i_by_constants upper_coefficients - (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients + (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta <: u8) in + let combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients in Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l combined upper_coefficients -let ntt_layer_1_step - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i16) - = - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) = + let zetas:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta3 <: i16) (Core.Ops.Arith.Neg.neg zeta3 <: i16) zeta3 zeta3 (Core.Ops.Arith.Neg.neg zeta2 <: i16) (Core.Ops.Arith.Neg.neg zeta2 <: i16) zeta2 zeta2 (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0 in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - 
Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas - in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector - in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector in + let rhs:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas in + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector in Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs -let ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) = - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) = + let zetas:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 zeta1 zeta1 
@@ -120,92 +78,44 @@ let ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 z (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0 zeta0 zeta0 in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 238l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas - in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 68l vector - in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 238l vector in + let rhs:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas in + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 68l vector in Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs -let ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) = - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = +let ntt_layer_3_step (vector: u8) (zeta: i16) = + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector in + let rhs:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_m128i_by_constants rhs - (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector - in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs - in - let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - 
Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients + (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta <: u8) in + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector in + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs in + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs in + let combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients in Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l combined upper_coefficients -let ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i16) = - let shuffle_with:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let ntt_multiply (lhs rhs: u8) (zeta0 zeta1 zeta2 zeta3: i16) = + let shuffle_with:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 15y 14y 11y 10y 7y 6y 3y 2y 13y 12y 9y 8y 5y 4y 1y 0y 15y 14y 11y 10y 7y 6y 3y 2y 13y 12y 9y 8y 5y 4y 1y 0y in - let lhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 lhs shuffle_with - in - let lhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l lhs_shuffled - in - let lhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 lhs_shuffled - in - let lhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_evens - in - let lhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l lhs_shuffled - in - let lhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_odds - in - let rhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 rhs shuffle_with - in - let rhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - 
Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l rhs_shuffled - in - let rhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 rhs_shuffled - in - let rhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_evens - in - let rhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l rhs_shuffled - in - let rhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_odds - in - let left:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_evens rhs_evens - in - let right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_odds rhs_odds - in - let right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s right - in - let right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let lhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 lhs shuffle_with in + let lhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l lhs_shuffled in + let lhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 lhs_shuffled in + let lhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_evens in + let lhs_odds:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l lhs_shuffled in + let lhs_odds:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_odds in + let rhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 rhs shuffle_with in + let rhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l rhs_shuffled in + let rhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 rhs_shuffled in + let rhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_evens in + let rhs_odds:u8 = 
Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l rhs_shuffled in + let rhs_odds:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_odds in + let left:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_evens rhs_evens in + let right:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_odds rhs_odds in + let right:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s right in + let right:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 right (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Core.Ops.Arith.Neg.neg (cast (zeta3 <: i16) <: 
@@ -220,28 +130,24 @@ let ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta (Core.Ops.Arith.Neg.neg (cast (zeta0 <: i16) <: i32) <: i32) (cast (zeta0 <: i16) <: i32) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let products_left:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 left right - in - let products_left:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let products_left:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 left right in + let products_left:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s products_left in - let rhs_adjacent_swapped:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let rhs_adjacent_swapped:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 rhs (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 13y 12y 15y 14y 9y 8y 11y 10y 5y 4y 7y 6y 1y 0y 3y 2y 13y 12y 15y 14y 9y 8y 11y 10y 5y 4y 7y 6y 1y 0y 3y 2y <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let products_right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let products_right:u8 = Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 lhs rhs_adjacent_swapped in - let products_right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let products_right:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s products_right in - let products_right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l products_right - in + let products_right:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l products_right in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi16 170l products_left products_right diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti index b7f8a6c7d..e86b8344d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti 
@@ -1,51 +1,26 @@ module Libcrux_ml_kem.Vector.Avx2.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let ntt_multiply__PERMUTE_WITH: i32 = 216l -val inv_ntt_layer_1_step - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3) - (fun _ -> Prims.l_True) - -val inv_ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1) - (fun _ -> Prims.l_True) - -val inv_ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Spec.Utils.is_i16b 1664 zeta) - (fun _ -> Prims.l_True) - -val ntt_layer_1_step - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3) - (fun _ -> Prims.l_True) - -val ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1) - (fun _ -> Prims.l_True) - -val ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Spec.Utils.is_i16b 1664 zeta) - (fun _ -> Prims.l_True) - -val ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - 
(requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3) - (fun _ -> Prims.l_True) +val inv_ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val inv_ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val inv_ntt_layer_3_step (vector: u8) (zeta: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_layer_3_step (vector: u8) (zeta: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_multiply (lhs rhs: u8) (zeta0 zeta1 zeta2 zeta3: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst index a36ffa505..33c894793 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst 
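Review bot: The new `val` signatures for ntt_multiply and the ntt/inv_ntt layer steps replace `(requires Spec.Utils.is_i16b 1664 zeta0 /\ …)` with `Prims.l_True`, so the extracted interface no longer states that the twiddle factors are bounded before the products reach `montgomery_reduce_i32s` in the ntt_multiply body (preceding Libcrux_ml_kem.Vector.Avx2.Ntt.fst hunk). The vector type `u8` standing in for `t_Vec256` suggests the intrinsics model is deliberately stubbed in this wip commit; if so, say it once above the first `val`, e.g. `(* TODO(wip): vector typing and zeta bounds stubbed; pre/post are l_True until the Avx2 intrinsics model is restored *)`. Otherwise keep the `is_i16b 1664` requires clauses, since they were the only place in the extraction that recorded the bound on the zeta inputs.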
@@ -1,36 +1,19 @@ module Libcrux_ml_kem.Vector.Avx2.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -#push-options "--admit_smt_queries true" - let rejection_sample (input: t_Slice u8) (output: t_Slice i16) = - let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS in - let potential_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ input - in - let compare_with_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let potential_coefficients:u8 = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ input in + let compare_with_field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi16 field_modulus potential_coefficients in let good:t_Array u8 (sz 2) = Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ compare_with_field_modulus in - let _:Prims.unit = - assert (v (cast (good.[ sz 0 ] <: u8) <: usize) < 256); - assert (v (cast (good.[ sz 1 ] <: u8) <: usize) < 256); - assume (v (cast (Core.Num.impl__u8__count_ones good.[ sz 0 ]) <: usize) <= 8); - assume (v (cast (Core.Num.impl__u8__count_ones good.[ sz 1 ]) <: usize) <= 8); - assume (Core.Ops.Index.f_index_pre output - ({ - Core.Ops.Range.f_start = cast (Core.Num.impl__u8__count_ones good.[ sz 0 ]) <: usize; - Core.Ops.Range.f_end - = - (cast (Core.Num.impl__u8__count_ones good.[ sz 0 ]) <: usize) +! sz 8 - })) - in let lower_shuffles:t_Array u8 (sz 16) = Libcrux_ml_kem.Vector.Rej_sample_table.v_REJECTION_SAMPLE_SHUFFLE_TABLE.[ cast (good.[ sz 0 ] <: 
@@ -38,13 +21,13 @@ let rejection_sample (input: t_Slice u8) (output: t_Slice i16) = <: usize ] in - let lower_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let lower_shuffles:u8 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (lower_shuffles <: t_Slice u8) in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 potential_coefficients in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients lower_shuffles in let output:t_Slice i16 = @@ -60,13 +43,13 @@ let rejection_sample (input: t_Slice u8) (output: t_Slice i16) = <: usize ] in - let upper_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_shuffles:u8 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8) in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l potential_coefficients in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles in let output:t_Slice i16 = @@ -93,5 +76,3 @@ let rejection_sample (input: t_Slice u8) (output: t_Slice i16) = sampled_count +! (cast (Core.Num.impl__u8__count_ones (good.[ sz 1 ] <: u8) <: u32) <: usize) in output, hax_temp_output <: (t_Slice i16 & usize) - -#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti index d75884373..361ba6196 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti 
@@ -1,14 +1,7 @@ module Libcrux_ml_kem.Vector.Avx2.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul val rejection_sample (input: t_Slice u8) (output: t_Slice i16) - : Prims.Pure (t_Slice i16 & usize) - (requires - (Core.Slice.impl__len #u8 input <: usize) =. sz 24 && - (Core.Slice.impl__len #i16 output <: usize) =. sz 16) - (ensures - fun temp_0_ -> - let output_future, res:(t_Slice i16 & usize) = temp_0_ in - Seq.length output_future == Seq.length output /\ v res <= 16) + : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index d0c07fe84..a7fa366a9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Avx2.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
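Review bot: rejection_sample loses both length preconditions (`impl__len #u8 input =. sz 24`, `impl__len #i16 output =. sz 16`) and the postcondition `Seq.length output_future == Seq.length output /\ v res <= 16`, leaving `Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True)`. The `v res <= 16` bound is what a caller needs in order to use the returned count as an offset into a fixed-size coefficient buffer; with it gone nothing in the interface constrains the sampled count. The first Libcrux_ml_kem.Vector.Avx2.Sampling.fst hunk also drops the `assert`/`assume` lines and the `--admit_smt_queries true` window, so the body must now verify with no hypotheses on `input` or `output` at all. Consider keeping at least the ensures clause, or annotating the val with `(* TODO(wip): contract stubbed to l_True; restore the length requires and res <= 16 *)`.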
@@ -7,216 +7,238 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Traits in () -[@@"opaque_to_smt"] +let deserialize_1_ (bytes: t_Slice u8) = + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (cast (bytes.[ sz 1 ] <: u8) <: i16) + (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) + (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) + (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) + (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) + in + let shift_lsb_to_msb:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - (); - (Tactics.Utils.prove_forall_nat_pointwise (fun _ -> - Tactics.compute (); - Tactics.smt_sync ()))) + let upper_coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients + (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 15uy 14uy 14uy 13uy 12uy 11uy 11uy 10uy 9uy 8uy + 8uy 7uy 6uy 5uy 5uy 4uy + <: + u8) in - let bits_packed:i32 = Libcrux_intrinsics.Avx2_extract.mm_movemask_epi8 msbs in - let result:t_Array u8 (sz 2) = - let list = [cast (bits_packed <: i32) <: u8; cast (bits_packed >>! 
8l <: i32) <: u8] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l coefficients upper_coefficients in - let _:Prims.unit = - assert (forall (i: nat{i < 8}). - get_bit (bits_packed >>! 8l <: i32) (sz i) == get_bit bits_packed (sz (i + 8))) + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients shift_lsbs_to_msbs in - result + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 4l coefficients in + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((1s <>! 8l <: i32) <: u8) in - let _:Prims.unit = - introduce forall (i: nat{i < 80}) . lower_8_ i = vector ((i / 10) * 16 + i % 10) - with assert_norm (BitVec.Utils.forall_n 80 - (fun i -> lower_8_ i = vector ((i / 10) * 16 + i % 10))); - introduce forall (i: nat{i < 80}) . 
upper_8_ i = vector (128 + (i / 10) * 16 + i % 10) - with assert_norm (BitVec.Utils.forall_n 80 - (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10))) - in - lower_8_, upper_8_ - <: - (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) - -#pop-options - -#push-options "--ext context_pruning --split_queries always" + serialized -let serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_concat_pairs_n 12uy vector +let serialize_10_ (vector: u8) = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < lower_8_ i = vector ((i / 12) * 16 + i % 12))); - introduce forall (i: nat{i < 96}) . upper_8_ i = vector (128 + (i / 12) * 16 + i % 12) - with assert_norm (BitVec.Utils.forall_n 96 - (fun i -> upper_8_ i = vector (128 + (i / 12) * 16 + i % 12))) - in - lower_8_, upper_8_ - <: - (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) - -#pop-options - -#push-options "--ext context_pruning --split_queries always" - -let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & - Libcrux_intrinsics.Avx2_extract.t_Vec128) = - serialize_10___serialize_10_vec vector + u8) in - let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let lower_8_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_8_combined in let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } 
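Review bot: deserialize_1_ indexes `bytes.[ sz 0 ]` and `bytes.[ sz 1 ]` on an unconstrained `t_Slice u8`, while the corresponding `val deserialize_1_` later in this patch carries `Prims.l_True` in place of the former `(requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 2)`. Unless the index operation is admitted elsewhere, the in-bounds obligation for those accesses has no hypothesis to discharge it, and the same applies to the other deserialize_* functions whose slice-length requires were removed. This hunk also deletes the `[@@"opaque_to_smt"]` annotations, the `BitVec.Utils.forall_n` bit-level lemmas and the `#push-options "--ext context_pruning --split_queries always"` windows, so the serialize/deserialize correctness that was previously stated is no longer expressed anywhere in the extraction. If that is intended for a wip commit, a one-line `(* TODO(wip): proofs and slice-length preconditions removed; re-extract with the Avx2 intrinsics model *)` at the top of the module would make it visible to the next reader.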
@@ -234,6 +256,9 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: t_Slice u8) in + let upper_8_:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined + in let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 26 } @@ -264,15 +289,33 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: Core.Result.t_Result (t_Array u8 (sz 20)) Core.Array.t_TryFromSliceError) -#pop-options - -#push-options "--ext context_pruning --split_queries always" - -let serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = +let serialize_12_ (vector: u8) = let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & - Libcrux_intrinsics.Avx2_extract.t_Vec128) = - serialize_12___serialize_12_vec vector + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < combined i = vector ((i / 4) * 16 + i % 4))); - assert (forall (i: nat{i < 64}). - bit_vec_of_int_t_array serialized 8 i == vector ((i / 4) * 16 + i % 4)) - in Core.Result.impl__unwrap #(t_Array u8 (sz 8)) #Core.Array.t_TryFromSliceError (Core.Convert.f_try_into #(t_Slice u8) 
@@ -454,186 +481,6 @@ let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError) -#pop-options - -[@@"opaque_to_smt"] - -let deserialize_10___deserialize_10_vec - (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) - = - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients0 - (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 9uy 8uy 8uy 7uy 7uy 6uy 6uy 5uy 4uy 3uy 3uy 2uy - 2uy 1uy 1uy 0uy - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients0 - (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 15uy 14uy 14uy 13uy 13uy 12uy 12uy 11uy 10uy 9uy - 9uy 8uy 8uy 7uy 7uy 6uy - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_si256_from_two_si128 lower_coefficients upper_coefficients - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - coefficients i = - (if i % 16 < 10 - then - let j = (i / 16) * 10 + i % 16 in - if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 32) - else 0))) - in - coefficients - -let deserialize_10_ (bytes: t_Slice u8) = - let lower_coefficients:t_Slice u8 = - bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } - <: - Core.Ops.Range.t_Range usize ] - in - let upper_coefficients:t_Slice u8 = - bytes.[ { Core.Ops.Range.f_start = sz 4; Core.Ops.Range.f_end = sz 20 } - <: - Core.Ops.Range.t_Range usize ] - in - deserialize_10___deserialize_10_vec (Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 lower_coefficients - - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - 
(Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 upper_coefficients - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - -[@@"opaque_to_smt"] - -let deserialize_12___deserialize_12_vec - (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) - = - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients0 - (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 11uy 10uy 10uy 9uy 8uy 7uy 7uy 6uy 5uy 4uy 4uy - 3uy 2uy 1uy 1uy 0uy - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients0 - (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 15uy 14uy 14uy 13uy 12uy 11uy 11uy 10uy 9uy 8uy - 8uy 7uy 6uy 5uy 5uy 4uy - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_si256_from_two_si128 lower_coefficients upper_coefficients - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - coefficients i = - (if i % 16 < 12 - then - let j = (i / 16) * 12 + i % 16 in - if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 64) - else 0))) - in - coefficients - -let deserialize_12_ (bytes: t_Slice u8) = - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 24 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - in - deserialize_12___deserialize_12_vec 
lower_coefficients upper_coefficients - -let deserialize_5_ (bytes: t_Slice u8) = - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_set_epi8 (bytes.[ sz 9 ] <: u8) (bytes.[ sz 8 ] <: u8) - (bytes.[ sz 8 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 6 ] <: u8) - (bytes.[ sz 6 ] <: u8) (bytes.[ sz 5 ] <: u8) (bytes.[ sz 4 ] <: u8) (bytes.[ sz 3 ] <: u8) - (bytes.[ sz 3 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 1 ] <: u8) - (bytes.[ sz 1 ] <: u8) (bytes.[ sz 0 ] <: u8) - in - let coefficients_loaded:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_si256_from_two_si128 coefficients coefficients - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients_loaded - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 15y 14y 15y 14y 13y 12y 13y 12y 11y 10y 11y - 10y 9y 8y 9y 8y 7y 6y 7y 6y 5y 4y 5y 4y 3y 2y 3y 2y 1y 0y 1y 0y - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 >= 1 - then 0 - else - let j = (i / 16) * 1 + i % 16 in - if i < 128 then get_bit a (sz j) else get_bit b (sz (j - 8)))) +val deserialize_1_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_1___deserialize_1_u8s (a b: u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). 
- coefficients i = - (if i % 16 >= 1 - then 0 - else - let j = (i / 16) * 1 + i % 16 in - if i < 128 then get_bit a (sz j) else get_bit b (sz (j - 8)))) +val deserialize_10_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_1_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 2) - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 >= 1 - then 0 - else - let j = (i / 16) * 1 + i % 16 in - bit_vec_of_int_t_array (bytes <: t_Array _ (sz 2)) 8 j)) +val deserialize_12_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 < 4 - then - let j = (i / 16) * 4 + i % 16 in - (match i / 32 with - | 0 -> get_bit b0 (sz j) - | 1 -> get_bit b1 (sz (j - 8)) - | 2 -> get_bit b2 (sz (j - 16)) - | 3 -> get_bit b3 (sz (j - 24)) - | 4 -> get_bit b4 (sz (j - 32)) - | 5 -> get_bit b5 (sz (j - 40)) - | 6 -> get_bit b6 (sz (j - 48)) - | 7 -> get_bit b7 (sz (j - 56))) - else 0)) +val deserialize_4_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_4___deserialize_4_u8s (b0 b1 b2 b3 b4 b5 b6 b7: u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). 
- coefficients i = - (if i % 16 < 4 - then - let j = (i / 16) * 4 + i % 16 in - (match i / 32 with - | 0 -> get_bit b0 (sz j) - | 1 -> get_bit b1 (sz (j - 8)) - | 2 -> get_bit b2 (sz (j - 16)) - | 3 -> get_bit b3 (sz (j - 24)) - | 4 -> get_bit b4 (sz (j - 32)) - | 5 -> get_bit b5 (sz (j - 40)) - | 6 -> get_bit b6 (sz (j - 48)) - | 7 -> get_bit b7 (sz (j - 56))) - else 0)) +val deserialize_5_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_4_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 8) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall (i: nat{i < 256}). - result i = - (if i % 16 >= 4 - then 0 - else - let j = (i / 16) * 4 + i % 16 in - bit_vec_of_int_t_array (bytes <: t_Array _ (sz 8)) 8 j)) +val serialize_1_ (vector: u8) : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_concat_pairs_n} +val serialize_10_ (vector: u8) + : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 2)) - (requires forall i. i % 16 >= 1 ==> vector i == 0) - (ensures - fun result -> - let result:t_Array u8 (sz 2) = result in - forall i. bit_vec_of_int_t_array result 8 i == vector (i * 16)) +val serialize_12_ (vector: u8) + : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) - (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0) - (ensures - fun temp_0_ -> - let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & - Libcrux_intrinsics.Avx2_extract.t_Vec128) = - temp_0_ - in - forall (i: nat{i < 160}). 
- vector ((i / 10) * 16 + i % 10) == (if i < 80 then lower_8_ i else upper_8_ (i - 80))) +val serialize_5_ (vector: u8) : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) - (requires forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0) - (ensures - fun temp_0_ -> - let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & - Libcrux_intrinsics.Avx2_extract.t_Vec128) = - temp_0_ - in - forall (i: nat{i < 192}). - vector ((i / 12) * 16 + i % 12) == (if i < 96 then lower_8_ i else upper_8_ (i - 96))) +val serialize_4_ (vector: u8) : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 20)) - (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0) - (ensures - fun r -> - let r:t_Array u8 (sz 20) = r in - forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i / 10) * 16 + i % 10)) +val deserialize_11_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 24)) - (requires forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0) - (ensures - fun r -> - let r:t_Array u8 (sz 24) = r in - forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i / 12) * 16 + i % 12)) - -val serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 8)) - (requires forall (i: nat{i < 256}). i % 16 < 4 || vector i = 0) - (ensures - fun r -> - let r:t_Array u8 (sz 8) = r in - forall (i: nat{i < 64}). 
bit_vec_of_int_t_array r 8 i == vector ((i / 4) * 16 + i % 4)) - -include BitVec.Intrinsics {mm256_si256_from_two_si128 as mm256_si256_from_two_si128} - -val deserialize_10___deserialize_10_vec - (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 >= 10 - then 0 - else - let j = (i / 16) * 10 + i % 16 in - if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 32))) - -val deserialize_10_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Seq.length bytes == 20) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall (i: nat{i < 256}). - result i = - (if i % 16 >= 10 - then 0 - else - let j = (i / 16) * 10 + i % 16 in - bit_vec_of_int_t_array (bytes <: t_Array _ (sz 20)) 8 j)) - -val deserialize_12___deserialize_12_vec - (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 >= 12 - then 0 - else - let j = (i / 16) * 12 + i % 16 in - if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 64))) - -val deserialize_12_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Seq.length bytes == 24) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall (i: nat{i < 256}). 
- result i = - (if i % 16 >= 12 - then 0 - else - let j = (i / 16) * 12 + i % 16 in - bit_vec_of_int_t_array (bytes <: t_Array _ (sz 24)) 8 j)) - -val deserialize_5_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Seq.length bytes == 10) - (fun _ -> Prims.l_True) - -val deserialize_11_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val serialize_11_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) +val serialize_11_ (vector: u8) : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst index 8a9c2057c..1aa183708 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst 
@@ -1,33 +1,17 @@ module Libcrux_ml_kem.Vector.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Traits in - () +let from_i16_array (array: t_Slice i16) = + { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 array } <: t_SIMD256Vector -let vec_from_i16_array (array: t_Slice i16) = - let result:t_SIMD256Vector = - { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 array } <: t_SIMD256Vector - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -let vec_zero (_: Prims.unit) = - let result:t_SIMD256Vector = - { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_SIMD256Vector - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -let vec_to_i16_array (v: t_SIMD256Vector) = +let to_i16_array (v: t_SIMD256Vector) = let output:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in let output:t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i16 output v.f_elements in - let result:t_Array i16 (sz 16) = output in - let _:Prims.unit = admit () (* Panic freedom *) in - result + output + +let zero (_: Prims.unit) = + { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_SIMD256Vector diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti index b15ca262d..9622d0152 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti 
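Review bot: from_i16_array now passes an unconstrained `t_Slice i16` to `mm256_loadu_si256_i16`, and the trait instance in the following Libcrux_ml_kem.Vector.Avx2.fsti section sets `f_from_i16_array_pre = (fun (array: t_Slice i16) -> true)` where it previously required `(Core.Slice.impl__len #i16 array <: usize) =. sz 16`. The old `vec_from_i16_array` at least recorded the gap with `admit () (* Panic freedom *)`; the new body neither proves nor admits it. Either restore the 16-element precondition on the trait method, or keep an explicit admit with a comment so the missing panic-freedom proof stays visible rather than silently vanishing.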
@@ -1,139 +1,60 @@ module Libcrux_ml_kem.Vector.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Traits in - () +type t_SIMD256Vector = { f_elements:u8 } -noeq +val from_i16_array (array: t_Slice i16) + : Prims.Pure t_SIMD256Vector Prims.l_True (fun _ -> Prims.l_True) -type t_SIMD256Vector = { f_elements:Libcrux_intrinsics.Avx2_extract.t_Vec256 } +val to_i16_array (v: t_SIMD256Vector) + : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True) -let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements - -val vec_from_i16_array (array: t_Slice i16) - : Prims.Pure t_SIMD256Vector - Prims.l_True - (ensures - fun result -> - let result:t_SIMD256Vector = result in - repr result == array) - -val vec_zero: Prims.unit - -> Prims.Pure t_SIMD256Vector - Prims.l_True - (ensures - fun result -> - let result:t_SIMD256Vector = result in - repr result == Seq.create 16 0s) - -val vec_to_i16_array (v: t_SIMD256Vector) - : Prims.Pure (t_Array i16 (sz 16)) - Prims.l_True - (ensures - fun result -> - let result:t_Array i16 (sz 16) = result in - result == repr v) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_kem.Vector.Traits.t_Repr t_SIMD256Vector = - { - _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; - _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - f_repr_pre = (fun (x: t_SIMD256Vector) -> true); - f_repr_post = (fun (x: t_SIMD256Vector) (out: t_Array i16 (sz 16)) -> true); - f_repr = fun (x: t_SIMD256Vector) -> vec_to_i16_array x - } +val zero: Prims.unit -> Prims.Pure t_SIMD256Vector Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_3: 
Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = +let impl: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = { _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - _super_8706949974463268012 = FStar.Tactics.Typeclasses.solve; f_ZERO_pre = (fun (_: Prims.unit) -> true); - f_ZERO_post - = - (fun (_: Prims.unit) (out: t_SIMD256Vector) -> impl.f_repr out == Seq.create 16 0s); - f_ZERO = (fun (_: Prims.unit) -> vec_zero ()); - f_from_i16_array_pre - = - (fun (array: t_Slice i16) -> (Core.Slice.impl__len #i16 array <: usize) =. sz 16); - f_from_i16_array_post - = - (fun (array: t_Slice i16) (out: t_SIMD256Vector) -> impl.f_repr out == array); - f_from_i16_array = (fun (array: t_Slice i16) -> vec_from_i16_array array); + f_ZERO_post = (fun (_: Prims.unit) (out: t_SIMD256Vector) -> true); + f_ZERO = (fun (_: Prims.unit) -> zero ()); + f_from_i16_array_pre = (fun (array: t_Slice i16) -> true); + f_from_i16_array_post = (fun (array: t_Slice i16) (out: t_SIMD256Vector) -> true); + f_from_i16_array = (fun (array: t_Slice i16) -> from_i16_array array); f_to_i16_array_pre = (fun (x: t_SIMD256Vector) -> true); - f_to_i16_array_post - = - (fun (x: t_SIMD256Vector) (out: t_Array i16 (sz 16)) -> out == impl.f_repr x); - f_to_i16_array = (fun (x: t_SIMD256Vector) -> vec_to_i16_array x); - f_add_pre - = - (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) -> - forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (impl.f_repr lhs) i) + v (Seq.index (impl.f_repr rhs) i))); - f_add_post - = - (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) (result: t_SIMD256Vector) -> - forall i. 
- i < 16 ==> - (v (Seq.index (impl.f_repr result) i) == - v (Seq.index (impl.f_repr lhs) i) + v (Seq.index (impl.f_repr rhs) i))); + f_to_i16_array_post = (fun (x: t_SIMD256Vector) (out: t_Array i16 (sz 16)) -> true); + f_to_i16_array = (fun (x: t_SIMD256Vector) -> to_i16_array x); + f_add_pre = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) -> true); + f_add_post = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); f_add = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) -> { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.add lhs.f_elements rhs.f_elements } <: t_SIMD256Vector); - f_sub_pre - = - (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) -> - forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (impl.f_repr lhs) i) - v (Seq.index (impl.f_repr rhs) i))); - f_sub_post - = - (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) (result: t_SIMD256Vector) -> - forall i. - i < 16 ==> - (v (Seq.index (impl.f_repr result) i) == - v (Seq.index (impl.f_repr lhs) i) - v (Seq.index (impl.f_repr rhs) i))); + f_sub_pre = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) -> true); + f_sub_post = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); f_sub = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) -> { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.sub lhs.f_elements rhs.f_elements } <: t_SIMD256Vector); - f_multiply_by_constant_pre - = - (fun (vec: t_SIMD256Vector) (c: i16) -> - forall i. - i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr vec) i) * v c)); - f_multiply_by_constant_post - = - (fun (vec: t_SIMD256Vector) (c: i16) (result: t_SIMD256Vector) -> - forall i. 
- i < 16 ==> - (v (Seq.index (impl.f_repr result) i) == v (Seq.index (impl.f_repr vec) i) * v c)); + f_multiply_by_constant_pre = (fun (v: t_SIMD256Vector) (c: i16) -> true); + f_multiply_by_constant_post = (fun (v: t_SIMD256Vector) (c: i16) (out: t_SIMD256Vector) -> true); f_multiply_by_constant = - (fun (vec: t_SIMD256Vector) (c: i16) -> - { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.multiply_by_constant vec.f_elements c } + (fun (v: t_SIMD256Vector) (c: i16) -> + { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.multiply_by_constant v.f_elements c } <: t_SIMD256Vector); f_bitwise_and_with_constant_pre = (fun (vector: t_SIMD256Vector) (constant: i16) -> true); f_bitwise_and_with_constant_post = - (fun (vector: t_SIMD256Vector) (constant: i16) (out: t_SIMD256Vector) -> - impl.f_repr out == Spec.Utils.map_array (fun x -> x &. constant) (impl.f_repr vector)); + (fun (vector: t_SIMD256Vector) (constant: i16) (out: t_SIMD256Vector) -> true); f_bitwise_and_with_constant = (fun (vector: t_SIMD256Vector) (constant: i16) -> @@ -144,14 +65,10 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = } <: t_SIMD256Vector); - f_shift_right_pre - = - (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) -> v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l); + f_shift_right_pre = (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) -> true); f_shift_right_post = - (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> - (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> - impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (impl.f_repr vector)); + (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); f_shift_right = (fun (v_SHIFT_BY: i32) (vector: t_SIMD256Vector) -> 
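Review bot: Every pre- and postcondition on the `t_Operations` instance in this hunk is replaced by `true`, and `t_SIMD256Vector` becomes `{ f_elements:u8 }` with `repr` and the `t_Repr` instance deleted, so the AVX2 backend no longer carries any proof obligation: `f_shift_right_pre` no longer bounds `v_SHIFT_BY` to `[0, 16)`, `f_from_i16_array_pre` no longer requires a 16-element slice, and the `f_deserialize_*_pre` length checks (`sz 2` through `sz 24`) and the `f_rej_sample_pre` 24/16 length checks in the later hunks of this file are gone as well (the `impl` record continues past this hunk). The `u8` type for `f_elements` (and `serialize_11_ (vector: u8)` in Serialize.fsti) looks like an extraction run without the `Libcrux_intrinsics.Avx2_extract` model rather than an intentional spec change — worth confirming before this is merged. Dropping the `admit () (* Panic freedom *)` markers in Avx2.fst is only sound here because the matching postconditions are now `l_True`; once the specs are restored the admits (or real proofs) come back with them. If this wip state is intended, a comment next to `#set-options` such as `(* NOTE: specs temporarily erased by re-extraction; not verified until the intrinsics models are restored *)` would keep the regenerated file from being read as verified, and the `--z3rlimit 15` that every module in this commit drops to from 100 should be re-evaluated at that point.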
@@ -162,24 +79,15 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = } <: t_SIMD256Vector); - f_cond_subtract_3329_pre - = - (fun (vector: t_SIMD256Vector) -> Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr vector)); - f_cond_subtract_3329_post - = - (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> - impl.f_repr out == - Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr vector)); + f_cond_subtract_3329_pre = (fun (vector: t_SIMD256Vector) -> true); + f_cond_subtract_3329_post = (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); f_cond_subtract_3329_ = (fun (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.cond_subtract_3329_ vector.f_elements } <: t_SIMD256Vector); - f_barrett_reduce_pre - = - (fun (vector: t_SIMD256Vector) -> Spec.Utils.is_i16b_array 28296 (impl.f_repr vector)); + f_barrett_reduce_pre = (fun (vector: t_SIMD256Vector) -> true); f_barrett_reduce_post = (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); f_barrett_reduce = @@ -187,9 +95,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.barrett_reduce vector.f_elements } <: t_SIMD256Vector); - f_montgomery_multiply_by_constant_pre - = - (fun (vector: t_SIMD256Vector) (constant: i16) -> Spec.Utils.is_i16b 1664 constant); + f_montgomery_multiply_by_constant_pre = (fun (vector: t_SIMD256Vector) (constant: i16) -> true); f_montgomery_multiply_by_constant_post = (fun (vector: t_SIMD256Vector) (constant: i16) (out: t_SIMD256Vector) -> true); 
@@ -204,20 +110,11 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = } <: t_SIMD256Vector); - f_compress_1_pre - = - (fun (vector: t_SIMD256Vector) -> - forall (i: nat). - i < 16 ==> - v (Seq.index (impl.f_repr vector) i) >= 0 /\ v (Seq.index (impl.f_repr vector) i) < 3329); - f_compress_1_post - = - (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> - forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) 1); + f_compress_1_pre = (fun (vector: t_SIMD256Vector) -> true); + f_compress_1_post = (fun (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); f_compress_1_ = (fun (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in { f_elements = @@ -225,26 +122,13 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = } <: t_SIMD256Vector); - f_compress_pre - = - (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> - (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ - v v_COEFFICIENT_BITS == 11) /\ - (forall (i: nat). - i < 16 ==> - v (Seq.index (impl.f_repr vector) i) >= 0 /\ v (Seq.index (impl.f_repr vector) i) < 3329 - )); + f_compress_pre = (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> true); f_compress_post = - (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> - (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ - v v_COEFFICIENT_BITS == 11) ==> - (forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) (v v_COEFFICIENT_BITS)) - ); + (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); f_compress = (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in { f_elements = 
@@ -255,9 +139,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = t_SIMD256Vector); f_decompress_ciphertext_coefficient_pre = - (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> - v_COEFFICIENT_BITS =. 4l || v_COEFFICIENT_BITS =. 5l || v_COEFFICIENT_BITS =. 10l || - v_COEFFICIENT_BITS =. 11l); + (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> true); f_decompress_ciphertext_coefficient_post = (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) (out: t_SIMD256Vector) -> true); @@ -274,10 +156,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = t_SIMD256Vector); f_ntt_layer_1_step_pre = - (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (11207 + 5 * 3328) (impl.f_repr vector)); + (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> true); f_ntt_layer_1_step_post = (fun @@ -288,11 +167,10 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = (zeta3: i16) (out: t_SIMD256Vector) -> - Spec.Utils.is_i16b_array (11207 + 6 * 3328) (impl.f_repr out)); + true); f_ntt_layer_1_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> - let _:Prims.unit = admit () in { f_elements = 
@@ -300,46 +178,31 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = } <: t_SIMD256Vector); - f_ntt_layer_2_step_pre - = - (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array (11207 + 4 * 3328) (impl.f_repr vector)); + f_ntt_layer_2_step_pre = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> true); f_ntt_layer_2_step_post = - (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (out: t_SIMD256Vector) -> - Spec.Utils.is_i16b_array (11207 + 5 * 3328) (impl.f_repr out)); + (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (out: t_SIMD256Vector) -> true); f_ntt_layer_2_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_2_step vector.f_elements zeta0 zeta1 } <: t_SIMD256Vector); - f_ntt_layer_3_step_pre - = - (fun (vector: t_SIMD256Vector) (zeta: i16) -> - Spec.Utils.is_i16b 1664 zeta /\ - Spec.Utils.is_i16b_array (11207 + 3 * 3328) (impl.f_repr vector)); + f_ntt_layer_3_step_pre = (fun (vector: t_SIMD256Vector) (zeta: i16) -> true); f_ntt_layer_3_step_post = - (fun (vector: t_SIMD256Vector) (zeta: i16) (out: t_SIMD256Vector) -> - Spec.Utils.is_i16b_array (11207 + 4 * 3328) (impl.f_repr out)); + (fun (vector: t_SIMD256Vector) (zeta: i16) (out: t_SIMD256Vector) -> true); f_ntt_layer_3_step = (fun (vector: t_SIMD256Vector) (zeta: i16) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_3_step vector.f_elements zeta } <: t_SIMD256Vector); f_inv_ntt_layer_1_step_pre = - (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (4 * 3328) (impl.f_repr vector)); + (fun (vector: t_SIMD256Vector) 
(zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> true); f_inv_ntt_layer_1_step_post = (fun @@ -350,11 +213,10 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = (zeta3: i16) (out: t_SIMD256Vector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + true); f_inv_ntt_layer_1_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> - let _:Prims.unit = admit () in { f_elements = @@ -366,19 +228,13 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = } <: t_SIMD256Vector); - f_inv_ntt_layer_2_step_pre - = - (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr vector)); + f_inv_ntt_layer_2_step_pre = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> true); f_inv_ntt_layer_2_step_post = - (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (out: t_SIMD256Vector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (out: t_SIMD256Vector) -> true); f_inv_ntt_layer_2_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> - let _:Prims.unit = admit () in { f_elements = 
@@ -386,18 +242,13 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = } <: t_SIMD256Vector); - f_inv_ntt_layer_3_step_pre - = - (fun (vector: t_SIMD256Vector) (zeta: i16) -> - Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (impl.f_repr vector)); + f_inv_ntt_layer_3_step_pre = (fun (vector: t_SIMD256Vector) (zeta: i16) -> true); f_inv_ntt_layer_3_step_post = - (fun (vector: t_SIMD256Vector) (zeta: i16) (out: t_SIMD256Vector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + (fun (vector: t_SIMD256Vector) (zeta: i16) (out: t_SIMD256Vector) -> true); f_inv_ntt_layer_3_step = (fun (vector: t_SIMD256Vector) (zeta: i16) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_3_step vector.f_elements zeta } <: t_SIMD256Vector); @@ -411,10 +262,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = (zeta2: i16) (zeta3: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr lhs) /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr rhs)); + true); f_ntt_multiply_post = (fun @@ -426,7 +274,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = (zeta3: i16) (out: t_SIMD256Vector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + true); f_ntt_multiply = (fun @@ -437,7 +285,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = (zeta2: i16) (zeta3: i16) -> - let _:Prims.unit = admit () in { f_elements = 
@@ -450,50 +297,28 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = } <: t_SIMD256Vector); - f_serialize_1_pre - = - (fun (vector: t_SIMD256Vector) -> Spec.MLKEM.serialize_pre 1 (impl.f_repr vector)); - f_serialize_1_post - = - (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 2)) -> - Spec.MLKEM.serialize_pre 1 (impl.f_repr vector) ==> - Spec.MLKEM.serialize_post 1 (impl.f_repr vector) out); + f_serialize_1_pre = (fun (vector: t_SIMD256Vector) -> true); + f_serialize_1_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 2)) -> true); f_serialize_1_ = (fun (vector: t_SIMD256Vector) -> Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ vector.f_elements); - f_deserialize_1_pre - = - (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. sz 2); - f_deserialize_1_post - = - (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> - sz (Seq.length bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 bytes (impl.f_repr out)); + f_deserialize_1_pre = (fun (bytes: t_Slice u8) -> true); + f_deserialize_1_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true); f_deserialize_1_ = (fun (bytes: t_Slice u8) -> { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_1_ bytes } <: t_SIMD256Vector); - f_serialize_4_pre - = - (fun (vector: t_SIMD256Vector) -> Spec.MLKEM.serialize_pre 4 (impl.f_repr vector)); - f_serialize_4_post - = - (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 8)) -> - Spec.MLKEM.serialize_pre 4 (impl.f_repr vector) ==> - Spec.MLKEM.serialize_post 4 (impl.f_repr vector) out); + f_serialize_4_pre = (fun (vector: t_SIMD256Vector) -> true); + f_serialize_4_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 8)) -> true); f_serialize_4_ = (fun (vector: t_SIMD256Vector) -> Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_4_ vector.f_elements); - f_deserialize_4_pre - = - (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. 
sz 8); - f_deserialize_4_post - = - (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> - sz (Seq.length bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 bytes (impl.f_repr out)); + f_deserialize_4_pre = (fun (bytes: t_Slice u8) -> true); + f_deserialize_4_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true); f_deserialize_4_ = (fun (bytes: t_Slice u8) -> 
@@ -505,38 +330,23 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_serialize_5_ = (fun (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_5_ vector.f_elements); - f_deserialize_5_pre - = - (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. sz 10); + f_deserialize_5_pre = (fun (bytes: t_Slice u8) -> true); f_deserialize_5_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true); f_deserialize_5_ = (fun (bytes: t_Slice u8) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_5_ bytes } <: t_SIMD256Vector); - f_serialize_10_pre - = - (fun (vector: t_SIMD256Vector) -> Spec.MLKEM.serialize_pre 10 (impl.f_repr vector)); - f_serialize_10_post - = - (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 20)) -> - Spec.MLKEM.serialize_pre 10 (impl.f_repr vector) ==> - Spec.MLKEM.serialize_post 10 (impl.f_repr vector) out); + f_serialize_10_pre = (fun (vector: t_SIMD256Vector) -> true); + f_serialize_10_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 20)) -> true); f_serialize_10_ = (fun (vector: t_SIMD256Vector) -> Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_10_ vector.f_elements); - f_deserialize_10_pre - = - (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. sz 20); - f_deserialize_10_post - = - (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> - sz (Seq.length bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 bytes (impl.f_repr out)); + f_deserialize_10_pre = (fun (bytes: t_Slice u8) -> true); + f_deserialize_10_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true); f_deserialize_10_ = (fun (bytes: t_Slice u8) -> 
@@ -549,9 +359,7 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = = (fun (vector: t_SIMD256Vector) -> Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_11_ vector.f_elements); - f_deserialize_11_pre - = - (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. sz 22); + f_deserialize_11_pre = (fun (bytes: t_Slice u8) -> true); f_deserialize_11_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true); f_deserialize_11_ = 
@@ -559,40 +367,24 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_11_ bytes } <: t_SIMD256Vector); - f_serialize_12_pre - = - (fun (vector: t_SIMD256Vector) -> Spec.MLKEM.serialize_pre 12 (impl.f_repr vector)); - f_serialize_12_post - = - (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 24)) -> - Spec.MLKEM.serialize_pre 12 (impl.f_repr vector) ==> - Spec.MLKEM.serialize_post 12 (impl.f_repr vector) out); + f_serialize_12_pre = (fun (vector: t_SIMD256Vector) -> true); + f_serialize_12_post = (fun (vector: t_SIMD256Vector) (out: t_Array u8 (sz 24)) -> true); f_serialize_12_ = (fun (vector: t_SIMD256Vector) -> Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_12_ vector.f_elements); - f_deserialize_12_pre - = - (fun (bytes: t_Slice u8) -> (Core.Slice.impl__len #u8 bytes <: usize) =. sz 24); - f_deserialize_12_post - = - (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> - sz (Seq.length bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 bytes (impl.f_repr out)); + f_deserialize_12_pre = (fun (bytes: t_Slice u8) -> true); + f_deserialize_12_post = (fun (bytes: t_Slice u8) (out: t_SIMD256Vector) -> true); f_deserialize_12_ = (fun (bytes: t_Slice u8) -> { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ bytes } <: t_SIMD256Vector); - f_rej_sample_pre - = - (fun (input: t_Slice u8) (output: t_Slice i16) -> - (Core.Slice.impl__len #u8 input <: usize) =. sz 24 && - (Core.Slice.impl__len #i16 output <: usize) =. sz 16); + f_rej_sample_pre = (fun (input: t_Slice u8) (output: t_Slice i16) -> true); f_rej_sample_post = - (fun (input: t_Slice u8) (output: t_Slice i16) (output_future, result: (t_Slice i16 & usize)) -> - Seq.length output_future == Seq.length output /\ v result <= 16); + (fun (input: t_Slice u8) (output: t_Slice i16) (out1: (t_Slice i16 & usize)) -> true); f_rej_sample = fun (input: t_Slice u8) (output: t_Slice i16) -> 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst
index a36b00a94..37938e8f6 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst
@@ -1,8 +1,52 @@ module Libcrux_ml_kem.Vector.Neon.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul +let barrett_reduce_int16x8_t (v: u8) = + let adder:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1024s in + let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v v_BARRETT_MULTIPLIER in + let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 vec adder in + let quotient:u8 = Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 11l vec in + let sub:u8 = + Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 quotient + Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + in + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v sub + +let montgomery_reduce_int16x8_t (low high: u8) = + let k:u8 = + Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vmulq_n_u16 + (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_s16 low <: u8) + (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: u16) + <: + u8) + in + let c:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l + (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 k + Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + <: + u8) + in + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 high c + +let montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16) = + let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v c in + let vv_high:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l + (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v c <: u8) + in + montgomery_reduce_int16x8_t vv_low vv_high + +let montgomery_multiply_int16x8_t (v c: u8) = + let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_s16 v c in + let vv_high:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l + (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_s16 v c <: u8) + in + montgomery_reduce_int16x8_t vv_low vv_high + let add (lhs rhs: 
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = let lhs:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { @@ -29,6 +73,29 @@ let add (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = in lhs +let barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + barrett_reduce_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + barrett_reduce_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + v + let bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) = let c:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 c in let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = 
@@ -94,6 +161,32 @@ let cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vect in v +let montgomery_multiply_by_constant + (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (c: i16) + = + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + montgomery_multiply_by_constant_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low c + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + montgomery_multiply_by_constant_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high c + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + v + let multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) = let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { 
@@ -170,96 +263,3 @@ let sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector in lhs - -let barrett_reduce_int16x8_t (v: u8) = - let adder:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1024s in - let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v v_BARRETT_MULTIPLIER in - let vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 vec adder in - let quotient:u8 = Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 11l vec in - let sub:u8 = - Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 quotient - Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - in - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v sub - -let barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - barrett_reduce_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - barrett_reduce_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - v - -let montgomery_reduce_int16x8_t (low high: u8) = - let k:u8 = - Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vmulq_n_u16 - (Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_s16 low <: u8) - (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: u16) - <: - u8) - in - let c:u8 = - Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l - (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 k - Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - <: - u8) - in - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 high c - -let montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16) = 
- let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_n_s16 v c in - let vv_high:u8 = - Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l - (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_n_s16 v c <: u8) - in - montgomery_reduce_int16x8_t vv_low vv_high - -let montgomery_multiply_by_constant - (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (c: i16) - = - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - montgomery_multiply_by_constant_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low c - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - montgomery_multiply_by_constant_int16x8_t v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high c - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - v - -let montgomery_multiply_int16x8_t (v c: u8) = - let vv_low:u8 = Libcrux_intrinsics.Arm64_extract.v__vmulq_s16 v c in - let vv_high:u8 = - Libcrux_intrinsics.Arm64_extract.v__vshrq_n_s16 1l - (Libcrux_intrinsics.Arm64_extract.v__vqdmulhq_s16 v c <: u8) - in - montgomery_reduce_int16x8_t vv_low vv_high diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti index b765f0915..aa297220e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti 
@@ -1,57 +1,57 @@ module Libcrux_ml_kem.Vector.Neon.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let v_BARRETT_MULTIPLIER: i16 = 20159s +val barrett_reduce_int16x8_t (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_reduce_int16x8_t (low high: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_int16x8_t (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + val add (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) +val barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) +val bitwise_and_with_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) +val cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) +val montgomery_multiply_by_constant + (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val 
sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) +val multiply_by_constant (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val barrett_reduce_int16x8_t (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) - -val barrett_reduce (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) +val shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val montgomery_reduce_int16x8_t (low high: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_multiply_by_constant_int16x8_t (v: u8) (c: i16) - : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_multiply_by_constant - (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (c: i16) +val sub (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) - -val montgomery_multiply_int16x8_t (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst index c6f54fd1c..e039518f2 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -24,6 +24,19 @@ let mask_n_least_significant_bits (coefficient_bits: i16) = | 11s -> 2047s | x -> (1s < Prims.l_True) +val decompress_uint32x4_t (v_COEFFICIENT_BITS: i32) (v: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + val compress (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True @@ -19,9 +22,6 @@ val compress_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) Prims.l_True (fun _ -> Prims.l_True) -val decompress_uint32x4_t (v_COEFFICIENT_BITS: i32) (v: u8) - : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) - val decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst index d00b944c4..dc8d03610 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst 
@@ -1,66 +1,8 @@ module Libcrux_ml_kem.Vector.Neon.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) = - let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in - let b_minus_a:u8 = - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - v - -let ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) = - let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in - let t:u8 = - Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t v - .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - zeta - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - v with - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t - 
} - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - in - v - let inv_ntt_layer_1_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2 zeta3 zeta4: i16) @@ -200,6 +142,35 @@ let inv_ntt_layer_2_step in v +let inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) = + let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in + let b_minus_a:u8 = + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t b_minus_a zeta + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + v + let ntt_layer_1_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2 zeta3 zeta4: i16) 
@@ -335,6 +306,35 @@ let ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) in v +let ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) = + let zeta:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 zeta in + let t:u8 = + Libcrux_ml_kem.Vector.Neon.Arithmetic.montgomery_multiply_int16x8_t v + .Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + zeta + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_intrinsics.Arm64_extract.v__vsubq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + let v:Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + { + v with + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vaddq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low t + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + in + v + let ntt_multiply (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2 zeta3 zeta4: i16) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti index a280dcc7a..46ca8d3df 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti 
@@ -1,18 +1,8 @@ module Libcrux_ml_kem.Vector.Neon.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -val inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) - : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - Prims.l_True - (fun _ -> Prims.l_True) - -val ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) - : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - Prims.l_True - (fun _ -> Prims.l_True) - val inv_ntt_layer_1_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2 zeta3 zeta4: i16) @@ -27,6 +17,11 @@ val inv_ntt_layer_2_step Prims.l_True (fun _ -> Prims.l_True) +val inv_ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + Prims.l_True + (fun _ -> Prims.l_True) + val ntt_layer_1_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2 zeta3 zeta4: i16) @@ -39,6 +34,11 @@ val ntt_layer_2_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) Prims.l_True (fun _ -> Prims.l_True) +val ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta: i16) + : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + Prims.l_True + (fun _ -> Prims.l_True) + val ntt_multiply (lhs rhs: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (zeta1 zeta2 zeta3 zeta4: i16) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst index cadc20681..aa783010c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst 
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Neon.Serialize
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
 open Core
 open FStar.Mul
 
@@ -7,9 +7,147 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Traits in () +let deserialize_1_ (a: t_Slice u8) = + let one:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1s in + let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 0 ] <: u8) <: i16) in + let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 1 ] <: u8) <: i16) in + let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) = + let list = [0s; 255s; (-2s); (-3s); (-4s); (-5s); (-6s); (-7s)] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); + Rust_primitives.Hax.array_of_list 8 list + in + let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in + let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 low shift in + let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 high shift in + { + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vandq_s16 low one; + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_intrinsics.Arm64_extract.v__vandq_s16 high one + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + +let deserialize_12_ (v: t_Slice u8) = + let (indexes: t_Array u8 (sz 16)):t_Array u8 (sz 16) = + let list = + [0uy; 1uy; 1uy; 2uy; 3uy; 4uy; 4uy; 5uy; 6uy; 7uy; 7uy; 8uy; 9uy; 10uy; 10uy; 11uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list + in + let index_vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (indexes <: t_Slice u8) in + let (shifts: t_Array i16 (sz 8)):t_Array i16 (sz 8) = + let list = [0s; (-4s); 0s; (-4s); 0s; (-4s); 0s; (-4s)] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); + Rust_primitives.Hax.array_of_list 8 list + in + let shift_vec:u8 = 
Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifts <: t_Slice i16) in + let mask12:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_u16 4095us in + let input0:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let input0:t_Array u8 (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range input0 + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (input0.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (v.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) + in + let input_vec0:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (input0 <: t_Slice u8) in + let input1:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let input1:t_Array u8 (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range input1 + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (input1.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (v.[ { Core.Ops.Range.f_start = sz 12; Core.Ops.Range.f_end = sz 24 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + t_Slice u8) + in + let input_vec1:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (input1 <: t_Slice u8) in + let moved0:u8 = + Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_u8 (Libcrux_intrinsics.Arm64_extract.v__vqtbl1q_u8 + input_vec0 + index_vec + <: + u8) + in + let shifted0:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 moved0 shift_vec in + let low:u8 = + Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vandq_u16 + shifted0 + mask12 + <: + u8) + in + let moved1:u8 = + 
Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_u8 (Libcrux_intrinsics.Arm64_extract.v__vqtbl1q_u8 + input_vec1 + index_vec + <: + u8) + in + let shifted1:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 moved1 shift_vec in + let high:u8 = + Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vandq_u16 + shifted1 + mask12 + <: + u8) + in + { + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low = low; + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high = high + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + +let serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) = + let list = [0s; 1s; 2s; 3s; 4s; 5s; 6s; 7s] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); + Rust_primitives.Hax.array_of_list 8 list + in + let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in + let low:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + shift + in + let high:u8 = + Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + shift + in + let low:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 low in + let high:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 high in + let list = [cast (low <: i16) <: u8; cast (high <: i16) <: u8] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list + let serialize_10_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = let low0:u8 = Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s32_s16 (Libcrux_intrinsics.Arm64_extract.v__vtrn1q_s16 
@@ -360,145 +498,6 @@ let serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = in result -let deserialize_1_ (a: t_Slice u8) = - let one:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1s in - let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 0 ] <: u8) <: i16) in - let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 1 ] <: u8) <: i16) in - let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) = - let list = [0s; 255s; (-2s); (-3s); (-4s); (-5s); (-6s); (-7s)] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); - Rust_primitives.Hax.array_of_list 8 list - in - let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in - let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 low shift in - let high:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 high shift in - { - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vandq_s16 low one; - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_intrinsics.Arm64_extract.v__vandq_s16 high one - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - -let deserialize_12_ (v: t_Slice u8) = - let (indexes: t_Array u8 (sz 16)):t_Array u8 (sz 16) = - let list = - [0uy; 1uy; 1uy; 2uy; 3uy; 4uy; 4uy; 5uy; 6uy; 7uy; 7uy; 8uy; 9uy; 10uy; 10uy; 11uy] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - in - let index_vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (indexes <: t_Slice u8) in - let (shifts: t_Array i16 (sz 8)):t_Array i16 (sz 8) = - let list = [0s; (-4s); 0s; (-4s); 0s; (-4s); 0s; (-4s)] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); - Rust_primitives.Hax.array_of_list 8 list - in - let shift_vec:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifts <: t_Slice i16) in - let mask12:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_u16 
4095us in - let input0:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in - let input0:t_Array u8 (sz 16) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range input0 - ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (input0.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (v.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - t_Slice u8) - in - let input_vec0:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (input0 <: t_Slice u8) in - let input1:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in - let input1:t_Array u8 (sz 16) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_range input1 - ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } - <: - Core.Ops.Range.t_Range usize) - (Core.Slice.impl__copy_from_slice #u8 - (input1.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 12 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - (v.[ { Core.Ops.Range.f_start = sz 12; Core.Ops.Range.f_end = sz 24 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - t_Slice u8) - in - let input_vec1:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_u8 (input1 <: t_Slice u8) in - let moved0:u8 = - Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_u8 (Libcrux_intrinsics.Arm64_extract.v__vqtbl1q_u8 - input_vec0 - index_vec - <: - u8) - in - let shifted0:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 moved0 shift_vec in - let low:u8 = - Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vandq_u16 - shifted0 - mask12 - <: - u8) - in - let moved1:u8 = - Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_u16_u8 (Libcrux_intrinsics.Arm64_extract.v__vqtbl1q_u8 - input_vec1 - index_vec - <: - u8) - in - let 
shifted1:u8 = Libcrux_intrinsics.Arm64_extract.v__vshlq_u16 moved1 shift_vec in - let high:u8 = - Libcrux_intrinsics.Arm64_extract.v__vreinterpretq_s16_u16 (Libcrux_intrinsics.Arm64_extract.v__vandq_u16 - shifted1 - mask12 - <: - u8) - in - { - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low = low; - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high = high - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - -let serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) = - let list = [0s; 1s; 2s; 3s; 4s; 5s; 6s; 7s] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 8); - Rust_primitives.Hax.array_of_list 8 list - in - let shift:u8 = Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (shifter <: t_Slice i16) in - let low:u8 = - Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - shift - in - let high:u8 = - Libcrux_intrinsics.Arm64_extract.v__vshlq_s16 v.Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - shift - in - let low:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 low in - let high:i16 = Libcrux_intrinsics.Arm64_extract.v__vaddvq_s16 high in - let list = [cast (low <: i16) <: u8; cast (high <: i16) <: u8] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list - let serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) = let list = [0s; 4s; 8s; 12s; 0s; 4s; 8s; 12s] in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti index 3de7409f7..309df9740 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti 
@@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -7,15 +7,8 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Traits in () -val serialize_10_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) - val deserialize_1_ (a: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True @@ -29,6 +22,12 @@ val deserialize_12_ (v: t_Slice u8) val serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) +val serialize_10_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) + val serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst index 116acadf7..12686d3bb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst 
@@ -1,51 +1,41 @@ module Libcrux_ml_kem.Vector.Neon.Vector_type -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let repr (x:t_SIMD128Vector) = admit() - let v_ZERO (_: Prims.unit) = - let result:t_SIMD128Vector = - { - f_low = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s; - f_high = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s - } - <: - t_SIMD128Vector - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + { + f_low = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s; + f_high = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s + } + <: + t_SIMD128Vector let from_i16_array (array: t_Slice i16) = - let result:t_SIMD128Vector = - { - f_low - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 8 - } - <: - Core.Ops.Range.t_Range usize ] + { + f_low + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } <: - t_Slice i16); - f_high - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16); + f_high + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } <: - t_Slice i16) - } - <: - t_SIMD128Vector - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + } + <: + t_SIMD128Vector let to_i16_array (v: t_SIMD128Vector) = let out:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in @@ -83,6 +73,4 @@ let to_i16_array (v: t_SIMD128Vector) = <: t_Slice i16) in - let result:t_Array i16 (sz 16) = out in - let _:Prims.unit = admit () (* Panic freedom *) in - result + out 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti index c5dd6b6ab..d80603ff5 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Vector_type -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -8,28 +8,10 @@ type t_SIMD128Vector = { f_high:u8 } -val repr (x:t_SIMD128Vector) : t_Array i16 (sz 16) - -val v_ZERO: Prims.unit - -> Prims.Pure t_SIMD128Vector - Prims.l_True - (ensures - fun result -> - let result:t_SIMD128Vector = result in - repr result == Seq.create 16 0s) +val v_ZERO: Prims.unit -> Prims.Pure t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) val from_i16_array (array: t_Slice i16) - : Prims.Pure t_SIMD128Vector - Prims.l_True - (ensures - fun result -> - let result:t_SIMD128Vector = result in - repr result == array) + : Prims.Pure t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) val to_i16_array (v: t_SIMD128Vector) - : Prims.Pure (t_Array i16 (sz 16)) - Prims.l_True - (ensures - fun result -> - let result:t_Array i16 (sz 16) = result in - result == repr v) + : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst index f41cefe46..d33fcee14 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
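Review bot: The new `val from_i16_array (array: t_Slice i16) : Prims.Pure t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True)` in the `@@ -8,28 +8,10 @@` hunk drops the `repr result == array` postcondition, and the matching Vector_type.fst hunk just above also removes the `admit () (* Panic freedom *)` that used to cover the `array.[ 0..8 ]` and `array.[ 8..16 ]` slice reads, while no precondition on the slice length takes its place. As far as these lines show, the extracted function now has to prove those indices in bounds with no hypothesis about `array`'s length, which reads as a regression in the proof surface rather than an intended simplification; presumably the Rust source lost its `requires(array.len() == 16)`-style annotation or the extraction was run against a different hax revision. Since these .fst/.fsti files are generated, the fix belongs in the Rust annotations (or the hax pin) followed by a re-extraction, not a hand edit here. The change of every `--z3rlimit 100` to `--z3rlimit 15` across the Neon modules also cuts the solver budget roughly sevenfold; if that was not deliberate it is likely to surface as intermittent verification failures.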
@@ -7,7 +7,6 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Neon.Vector_type in - let open Libcrux_ml_kem.Vector.Traits in () let rej_sample (a: t_Slice u8) (result: t_Slice i16) = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti index f3280f83e..b68a453af 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -7,48 +7,26 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Neon.Vector_type in - let open Libcrux_ml_kem.Vector.Traits in () val rej_sample (a: t_Slice u8) (result: t_Slice i16) : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_kem.Vector.Traits.t_Repr Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; - _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - f_repr_pre = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true); - f_repr_post - = - (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array i16 (sz 16)) -> - true); - f_repr - = - fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> - Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array x - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Libcrux_ml_kem.Vector.Traits.t_Operations +let impl: Libcrux_ml_kem.Vector.Traits.t_Operations Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - _super_8706949974463268012 = FStar.Tactics.Typeclasses.solve; f_ZERO_pre = (fun (_: Prims.unit) -> true); f_ZERO_post = - (fun (_: Prims.unit) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> - impl.f_repr out == Seq.create 16 0s); + (fun (_: Prims.unit) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true); f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_kem.Vector.Neon.Vector_type.v_ZERO ()); - f_from_i16_array_pre - = - (fun (array: t_Slice i16) -> (Core.Slice.impl__len #i16 array <: usize) =. 
sz 16); + f_from_i16_array_pre = (fun (array: t_Slice i16) -> true); f_from_i16_array_post = - (fun (array: t_Slice i16) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> - impl.f_repr out == array); + (fun (array: t_Slice i16) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true); f_from_i16_array = (fun (array: t_Slice i16) -> Libcrux_ml_kem.Vector.Neon.Vector_type.from_i16_array array); @@ -56,7 +34,7 @@ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = f_to_i16_array_post = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array i16 (sz 16)) -> - out == impl.f_repr x); + true); f_to_i16_array = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst index bcb88d903..3eb5abd35 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst 
@@ -1,34 +1,9 @@ module Libcrux_ml_kem.Vector.Portable.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -#push-options "--z3rlimit 150 --split_queries always" - -let get_n_least_significant_bits (n: u8) (value: u32) = - let res:u32 = value &. ((1ul <>! 1l <: i32) - in - let _:Prims.unit = - assert_norm (v v_BARRETT_MULTIPLIER == (pow2 27 + 3329) / (2 * 3329)); - assert (v t = v value * v v_BARRETT_MULTIPLIER + pow2 25) - in - let _:Prims.unit = assert (v t / pow2 26 < 9) in - let _:Prims.unit = assert (v t / pow2 26 > - 9) in - let quotient:i16 = cast (t >>! Libcrux_ml_kem.Vector.Traits.v_BARRETT_SHIFT <: i32) <: i16 in - let _:Prims.unit = assert (v quotient = v t / pow2 26) in - let _:Prims.unit = assert (Spec.Utils.is_i16b 9 quotient) in - let result:i16 = value -! (quotient *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) in - let _:Prims.unit = - calc ( == ) { - v result % 3329; - ( == ) { () } - (v value - (v quotient * 3329)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_sub_distr (v value) (v quotient * 3329) 3329 } - (v value - (v quotient * 3329) % 3329) % 3329; - ( == ) { Math.Lemmas.cancel_mul_mod (v quotient) 3329 } - (v value - 0) % 3329; - ( == ) { () } - (v value) % 3329; - } + (v_BARRETT_R >>! 1l <: i32) in - result - -#pop-options - -#push-options "--z3rlimit 500 --split_queries always" + let quotient:i16 = cast (t >>! v_BARRETT_SHIFT <: i32) <: i16 in + value -! (quotient *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) let montgomery_reduce_element (value: i32) = let _:i32 = v_MONTGOMERY_R in 
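Review bot: `quotient *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS` in the new `barrett_reduce_element` body is no longer backed by the deleted `assert (Spec.Utils.is_i16b 9 quotient)` and `v t / pow2 26 < 9` facts, and the only remaining guard is the replacement `requires` in the Arithmetic.fsti hunk at the end of this file section, `-v_BARRETT_R < value < v_BARRETT_R`. For an `i16` value that condition is vacuous if `v_BARRETT_R` is `1 <<< 26` as the old `pow2 26` assertions suggest (the literal is garbled in this view), and at `value = 32767` the quotient is 10, so `10 * 3329 = 33290` does not fit in `i16` — precisely what the deleted doc line `Note: The input bound is 28296 to prevent overflow in the multiplication of quotient by FIELD_MODULUS` warned about. If `*!` is the overflow-checked operator, that obligation cannot be discharged from the new precondition; keep `(requires Spec.Utils.is_i16b 28296 value)` on the `val` and the 28296 note above it, or document why a weaker bound is now sufficient. The computation of `t` is only partly visible here because the hunk text is garbled before `(v_BARRETT_R >>! 1l <: i32)`.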
@@ -73,320 +22,181 @@ let montgomery_reduce_element (value: i32) = (cast (cast (value <: i32) <: i16) <: i32) *! (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: i32) in - let _:Prims.unit = - assert (v (cast (cast (value <: i32) <: i16) <: i32) == v value @% pow2 16); - assert (v k == (v value @% pow2 16) * 62209); - assert (v (cast (cast (k <: i32) <: i16) <: i32) == v k @% pow2 16); - assert (v (cast (cast (k <: i32) <: i16) <: i32) < pow2 15); - assert (v (cast (cast (k <: i32) <: i16) <: i32) >= - pow2 15); - assert (v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) == 3329) - in let k_times_modulus:i32 = (cast (cast (k <: i32) <: i16) <: i32) *! (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) in - let _:Prims.unit = - Spec.Utils.lemma_mul_i16b (pow2 15) - (3329) - (cast (k <: i32) <: i16) - Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS; - assert (Spec.Utils.is_i32b (pow2 15 * 3329) k_times_modulus) - in let c:i16 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i32) <: i16 in - let _:Prims.unit = - assert (v k_times_modulus < pow2 31); - assert (v k_times_modulus / pow2 16 < pow2 15); - assert (v c == (v k_times_modulus / pow2 16) @% pow2 16); - assert (v c == v k_times_modulus / pow2 16); - assert (Spec.Utils.is_i16b 1665 c) - in let value_high:i16 = cast (value >>! v_MONTGOMERY_SHIFT <: i32) <: i16 in - let _:Prims.unit = - assert (v value < pow2 31); - assert (v value / pow2 16 < pow2 15); - assert (v value_high == (v value / pow2 16) @% pow2 16); - Spec.Utils.lemma_div_at_percent (v value) (pow2 16); - assert (v value_high == (v value / pow2 16)); - assert (Spec.Utils.is_i32b (3328 * 3328) value ==> Spec.Utils.is_i16b 169 value_high); - assert (Spec.Utils.is_i16b 3328 value_high) - in - let res:i16 = value_high -! 
c in - let _:Prims.unit = assert (Spec.Utils.is_i16b (3328 + 1665) res) in - let _:Prims.unit = - assert (Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 res) - in - let _:Prims.unit = - calc ( == ) { - v k_times_modulus % pow2 16; - ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) } - ((v k @% pow2 16) * 3329) % pow2 16; - ( == ) { assert (v k = (v value @% pow2 16) * 62209) } - ((((v value @% pow2 16) * 62209) @% pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_sub ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) - (pow2 16) - 3329 } - ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v value @% pow2 16) * 62209) 3329 (pow2 16) } - ((((v value @% pow2 16) * 62209) * 3329) % pow2 16); - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r (v value @% pow2 16) (62209 * 3329) (pow2 16) } - ((v value @% pow2 16) % pow2 16); - ( == ) { Math.Lemmas.lemma_mod_sub (v value) (pow2 16) 1 } - (v value) % pow2 16; - }; - Math.Lemmas.modulo_add (pow2 16) (- (v k_times_modulus)) (v value) (v k_times_modulus); - assert ((v value - v k_times_modulus) % pow2 16 == 0) - in - let _:Prims.unit = - calc ( == ) { - v res % 3329; - ( == ) { assert (v res == v value_high - v c) } - (v value / pow2 16 - v k_times_modulus / pow2 16) % 3329; - ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) } - ((v value - v k_times_modulus) / pow2 16) % 3329; - ( == ) { assert ((pow2 16 * 169) % 3329 == 1) } - (((v value - v k_times_modulus) / pow2 16) * ((pow2 16 * 169) % 3329)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r ((v value - v k_times_modulus) / pow2 16) - (pow2 16 * 169) - 3329 } - (((v value - v k_times_modulus) / pow2 16) * pow2 16 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) } - ((v value - v k_times_modulus) * 169) % 3329; - ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) } - ((v value * 
169) - ((v k @% pow2 16) * 3329 * 169)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_sub (v value * 169) 3329 ((v k @% pow2 16) * 169) } - (v value * 169) % 3329; - } - in - res - -#pop-options - -#push-options "--z3rlimit 300" + value_high -! c let montgomery_multiply_fe_by_fer (fe fer: i16) = - let _:Prims.unit = Spec.Utils.lemma_mul_i16b (pow2 15) (1664) fe fer in - let product:i32 = (cast (fe <: i16) <: i32) *! (cast (fer <: i16) <: i32) in - montgomery_reduce_element product - -#pop-options - -#push-options "--z3rlimit 150" + montgomery_reduce_element ((cast (fe <: i16) <: i32) *! (cast (fer <: i16) <: i32) <: i32) let add (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__lhs0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun lhs i -> + (fun lhs temp_1_ -> let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in - let i:usize = i in - (forall j. - j < v i ==> - (Seq.index lhs.f_elements j) == - (Seq.index v__lhs0.f_elements j) +! (Seq.index rhs.f_elements j)) /\ - (forall j. j >= v i ==> (Seq.index lhs.f_elements j) == (Seq.index v__lhs0.f_elements j))) + let _:usize = temp_1_ in + true) lhs (fun lhs i -> let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in let i:usize = i in - let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - lhs with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! 
- (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) - <: - i16) - } + { + lhs with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - lhs) - in - let _:Prims.unit = - assert (forall i. - v (Seq.index lhs.f_elements i) == - v (Seq.index v__lhs0.f_elements i) + v (Seq.index rhs.f_elements i)) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in lhs -#pop-options - -#push-options "--z3rlimit 150" - -let barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +let barrett_reduce (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - (forall j. - j < v i ==> - (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j) /\ - v (Seq.index vec.f_elements j) % 3329 == (v (Seq.index v__vec0.f_elements j) % 3329) - )) /\ - (forall j. 
- j >= v i ==> - (Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j /\ - Spec.Utils.is_i16b 28296 (Seq.index vec.f_elements j)))) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - let vi:i16 = - barrett_reduce_element (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (barrett_reduce_element (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) <: i16) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - vec with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - vi - } <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - let _:Prims.unit = - assert (v (mk_int #usize_inttype (v i + 1)) == v i + 1); - assert (forall j. j < v i ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j)); - assert (Spec.Utils.is_i16b 3328 vi); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements (v i))); - assert (forall j. 
j < v i + 1 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j)) - in - vec) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - vec - -#pop-options + v let bitwise_and_with_constant - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. j < v i ==> Seq.index vec.f_elements j == (Seq.index v__vec0.f_elements j &. c) - ) /\ (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j) - ) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - vec with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) &. 
c - <: - i16) - } + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) &. c <: i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - vec) - in - let _:Prims.unit = - Seq.lemma_eq_intro vec.f_elements (Spec.Utils.map_array (fun x -> x &. c) v__vec0.f_elements) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - vec + v -let cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +let cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. - j < v i ==> - Seq.index vec.f_elements j == - (let x = Seq.index v__vec0.f_elements j in - if x >=. 3329s then x -! 3329s else x)) /\ - (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j)) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - if - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >=. 
3329s - <: - bool + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) >=. + 0s + <: + bool) && + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <. 4096s + <: + bool)) + in + () + in + if (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >=. 3329s then { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 3329s + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 3329s <: i16) - <: - t_Array i16 (sz 16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - else vec) + else v) in - let _:Prims.unit = - Seq.lemma_eq_intro vec.f_elements - (Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) v__vec0.f_elements) - in - vec - -#push-options "--z3rlimit 150" + v let montgomery_multiply_by_constant - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. - j < v i ==> - (let vecj = Seq.index vec.f_elements j in - (Spec.Utils.is_i16b 3328 vecj /\ - v vecj % 3329 == (v (Seq.index v__vec0.f_elements j) * v c * 169) % 3329))) /\ - (forall j. 
j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j))) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - (montgomery_multiply_fe_by_fer (vec + (montgomery_multiply_fe_by_fer (v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) 
@@ -399,125 +209,93 @@ let montgomery_multiply_by_constant <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - vec + v -#pop-options - -let multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +let multiply_by_constant (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. - j < v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j) *! c) /\ - (forall j. j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j))) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - vec with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) *! c - <: - i16) - } + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) *! 
c <: i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - vec) - in - let _:Prims.unit = - assert (forall i. v (Seq.index vec.f_elements i) == v (Seq.index v__vec0.f_elements i) * v c) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - vec + v -let shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +let shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. - j < v i ==> - Seq.index vec.f_elements j == (Seq.index v__vec0.f_elements j >>! v_SHIFT_BY)) /\ - (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j)) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - vec with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >>! 
- v_SHIFT_BY - <: - i16) - } + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >>! v_SHIFT_BY + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - vec) - in - let _:Prims.unit = - Seq.lemma_eq_intro vec.f_elements - (Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) v__vec0.f_elements) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - vec + v let sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__lhs0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun lhs i -> + (fun lhs temp_1_ -> let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in - let i:usize = i in - (forall j. - j < v i ==> - (Seq.index lhs.f_elements j) == - (Seq.index v__lhs0.f_elements j) -! (Seq.index rhs.f_elements j)) /\ - (forall j. j >= v i ==> (Seq.index lhs.f_elements j) == (Seq.index v__lhs0.f_elements j))) + let _:usize = temp_1_ in + true) lhs (fun lhs i -> let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in let i:usize = i in - let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - lhs with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 
- (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) - <: - i16) - } + { + lhs with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - lhs) - in - let _:Prims.unit = - assert (forall i. - v (Seq.index lhs.f_elements i) == - v (Seq.index v__lhs0.f_elements i) - v (Seq.index rhs.f_elements i)) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in lhs diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti index 92516558b..860b97328 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti @@ -1,22 +1,30 @@ module Libcrux_ml_kem.Vector.Portable.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul /// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋ let v_BARRETT_MULTIPLIER: i32 = 20159l +let v_BARRETT_SHIFT: i32 = 26l + +let v_BARRETT_R: i32 = 1l < let result:u32 = result in - v result == v value % pow2 (v n)) + result <. + (Core.Num.impl__u32__pow 2ul + (Core.Convert.f_into #u8 #u32 #FStar.Tactics.Typeclasses.solve n <: u32) + <: + u32)) /// Signed Barrett Reduction /// Given an input `value`, `barrett_reduce` outputs a representative `result` 
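Review bot: The new postcondition of `get_n_least_significant_bits` in the `@@ -1,22 +1,30 @@` hunk, `result <. Core.Num.impl__u32__pow 2ul (f_into n)`, only bounds the result and no longer relates it to `value` (the removed `v result == v value % pow2 (v n)` did), so a body returning `0ul` would satisfy it. It also evaluates `2 ^ n` in `u32`, which is not representable for `n >= 32`; whether that case is excluded depends on a precondition on `n` that I cannot see because the preceding hunk text is garbled, and on how the Core model defines `impl__u32__pow` on overflow. If the exact-value contract is deliberately deferred, the range guard should at least be explicit, e.g. `(requires v n < 32)`.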
@@ -24,142 +32,102 @@ val get_n_least_significant_bits (n: u8) (value: u32) /// - result ≡ value (mod FIELD_MODULUS) /// - the absolute value of `result` is bound as follows: /// `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1) -/// -/// Note: The input bound is 28296 to prevent overflow in the multiplication of quotient by FIELD_MODULUS -/// +/// In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`. val barrett_reduce_element (value: i16) : Prims.Pure i16 - (requires Spec.Utils.is_i16b 28296 value) + (requires + (Core.Convert.f_from #i32 #i16 #FStar.Tactics.Typeclasses.solve value <: i32) >. + (Core.Ops.Arith.Neg.neg v_BARRETT_R <: i32) && + (Core.Convert.f_from #i32 #i16 #FStar.Tactics.Typeclasses.solve value <: i32) <. v_BARRETT_R + ) (ensures fun result -> let result:i16 = result in - Spec.Utils.is_i16b 3328 result /\ v result % 3329 == v value % 3329) + result >. (Core.Ops.Arith.Neg.neg Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) && + result <. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) /// Signed Montgomery Reduction /// Given an input `value`, `montgomery_reduce` outputs a representative `o` /// such that: /// - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS) /// - the absolute value of `o` is bound as follows: -/// `|result| ≤ ceil(|value| / MONTGOMERY_R) + 1665 -/// In particular, if `|value| ≤ FIELD_MODULUS-1 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS-1`. -/// And, if `|value| ≤ pow2 16 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS + 1664 -/// +/// `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2) +/// In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · FIELD_MODULUS) / 2`. val montgomery_reduce_element (value: i32) : Prims.Pure i16 - (requires Spec.Utils.is_i32b (3328 * pow2 16) value) + (requires + value >=. + ((Core.Ops.Arith.Neg.neg (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) + <: + i32) *! + v_MONTGOMERY_R + <: + i32) && + value <=. 
+ ((cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) *! v_MONTGOMERY_R + <: + i32)) (ensures fun result -> let result:i16 = result in - Spec.Utils.is_i16b (3328 + 1665) result /\ - (Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 result) /\ - v result % 3329 == (v value * 169) % 3329) + result >=. + ((Core.Ops.Arith.Neg.neg (3s *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) + <: + i16) /! + 2s + <: + i16) && + result <=. ((3s *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) /! 2s <: i16)) -/// If `fe` is some field element \'x\' of the Kyber field and `fer` is congruent to +/// If `fe` is some field element 'x' of the Kyber field and `fer` is congruent to /// `y · MONTGOMERY_R`, this procedure outputs a value that is congruent to /// `x · y`, as follows: /// `fe · fer ≡ x · y · MONTGOMERY_R (mod FIELD_MODULUS)` /// `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a representative /// `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod FIELD_MODULUS)`. val montgomery_multiply_fe_by_fer (fe fer: i16) - : Prims.Pure i16 - (requires Spec.Utils.is_i16b 1664 fer) - (ensures - fun result -> - let result:i16 = result in - Spec.Utils.is_i16b 3328 result /\ v result % 3329 == (v fe * v fer * 169) % 3329) + : Prims.Pure i16 Prims.l_True (fun _ -> Prims.l_True) val add (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i))) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall i. 
- i < 16 ==> - (v (Seq.index result.f_elements i) == - v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i))) + Prims.l_True + (fun _ -> Prims.l_True) -val barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) +val barrett_reduce (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Spec.Utils.is_i16b_array 28296 vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements /\ - (forall i. - (v (Seq.index result.f_elements i) % 3329) == (v (Seq.index vec.f_elements i) % 3329)) - ) + Prims.l_True + (fun _ -> Prims.l_True) val bitwise_and_with_constant - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector Prims.l_True - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - result.f_elements == Spec.Utils.map_array (fun x -> x &. c) (vec.f_elements)) + (fun _ -> Prims.l_True) -/// Note: This function is not secret independent -/// Only use with public values. -val cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) +val cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Spec.Utils.is_i16b_array (pow2 12 - 1) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - result.f_elements == - Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 
3329s else x) (vec.f_elements)) + Prims.l_True + (fun _ -> Prims.l_True) val montgomery_multiply_by_constant - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Spec.Utils.is_i16b 1664 c) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements /\ - (forall i. - i < 16 ==> - (v (Seq.index result.f_elements i) % 3329 == - (v (Seq.index vec.f_elements i) * v c * 169) % 3329))) - -val multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) + Prims.l_True + (fun _ -> Prims.l_True) + +val multiply_by_constant (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index vec.f_elements i) * v c) - ) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall i. - i < 16 ==> (v (Seq.index result.f_elements i) == v (Seq.index vec.f_elements i) * v c)) + Prims.l_True + (fun _ -> Prims.l_True) -val shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) +val shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> - result.f_elements == Spec.Utils.map_array (fun x -> x >>! 
v_SHIFT_BY) (vec.f_elements)) + Prims.l_True + (fun _ -> Prims.l_True) val sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall i. - i < 16 ==> - (v (Seq.index result.f_elements i) == - v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst index 8bda725bd..4a470d7d1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Portable.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -22,146 +22,78 @@ let compress_message_coefficient (fe: u16) = let shifted_positive_in_range:i16 = shifted_to_positive -! 832s in cast ((shifted_positive_in_range >>! 15l <: i16) &. 1s <: i16) <: u8 -#push-options "--fuel 0 --ifuel 0 --z3rlimit 2000" - let compress (v_COEFFICIENT_BITS: i32) - (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let _:Prims.unit = - assert (v (cast (v_COEFFICIENT_BITS) <: u8) == v v_COEFFICIENT_BITS); - assert (v (cast (v_COEFFICIENT_BITS) <: u32) == v v_COEFFICIENT_BITS) - in - let _:Prims.unit = - assert (forall (i: nat). - i < 16 ==> - (cast (a.f_elements.[ sz i ]) <: u16) <. - (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) - in - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun a i -> - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in - let i:usize = i in - (v i < 16 ==> - (forall (j: nat). - (j >= v i /\ j < 16) ==> - v (cast (a.f_elements.[ sz j ]) <: u16) < - v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\ - (forall (j: nat). 
- j < v i ==> - v (a.f_elements.[ sz j ] <: i16) >= 0 /\ - v (a.f_elements.[ sz j ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32)))) - a - (fun a i -> - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - a with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8) - (cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) - <: - u16) - <: - i16) - } + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8) + (cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + <: + u16) + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - let _:Prims.unit = - assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ - v (a.f_elements.[ i ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32))) - in - a) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - let _:Prims.unit = - assert (forall (i: nat). - i < 16 ==> - v (a.f_elements.[ sz i ] <: i16) >= 0 /\ - v (a.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS)) - in - a - -#pop-options - -#push-options "--fuel 0 --ifuel 0 --z3rlimit 2000" - -let compress_message_coefficient_range_helper (fe: u16) : Lemma - (requires fe <. 
(cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) - (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\ - v (cast (compress_message_coefficient fe) <: i16) < 2) = - assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\ - v (cast (compress_message_coefficient fe) <: i16) < 2) + v -let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let _:Prims.unit = - assert (forall (i: nat). - i < 16 ==> - (cast (a.f_elements.[ sz i ]) <: u16) <. - (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) - in - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +let compress_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun a i -> - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in - let i:usize = i in - (v i < 16 ==> - (forall (j: nat). - (j >= v i /\ j < 16) ==> - v (cast (a.f_elements.[ sz j ]) <: u16) < - v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\ - (forall (j: nat). 
- j < v i ==> - v (a.f_elements.[ sz j ] <: i16) >= 0 /\ v (a.f_elements.[ sz j ] <: i16) < 2)) - a - (fun a i -> - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - let _:Prims.unit = - compress_message_coefficient_range_helper (cast (a.f_elements.[ i ]) <: u16) - in - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - a with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - (cast (compress_message_coefficient (cast (a - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] - <: - i16) - <: - u16) - <: - u8) - <: - i16) - } + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (cast (compress_message_coefficient (cast (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + <: + u16) + <: + u8) + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - let _:Prims.unit = - assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ v (a.f_elements.[ i ] <: i16) < 2) - in - a) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - let _:Prims.unit = - assert (forall (i: nat). - i < 16 ==> v (a.f_elements.[ sz i ] <: i16) >= 0 /\ v (a.f_elements.[ sz i ] <: i16) < 2) - in - a - -#pop-options + v let decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) 
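Review bot: The fold invariant in the new `compress` and `compress_1_` is the constant `true`, and the per-element range assertions that previously carried the output bound (`>= 0` and `< pow2 (v v_COEFFICIENT_BITS)` / `< 2`) are gone, so nothing in this file still states that a compressed coefficient lands in range. The same weakening appears in the `.fsti` hunk below, where `requires`/`ensures` on `compress` and `compress_1_` become `Prims.l_True`, and throughout the `Libcrux_ml_kem.Vector.Portable.Ntt.fst` hunk that follows it. Since this file looks hax-extracted, the marker belongs in the Rust source the extraction comes from, but if the drop is a deliberate intermediate step (the commit is titled "wip") a note such as `(* TODO(proof): range pre/postconditions on compress/compress_1_ removed in this WIP; restore before merge *)` would make the debt visible to reviewers. Otherwise the removed precondition `v v_COEFFICIENT_BITS == 4 \/ 5 \/ 10 \/ 11` together with `0 <= v (Seq.index a.f_elements i) < 3329` should come back, because those are what bounded the `u8`/`u16` casts inside the loop.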
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti index 938330976..8a078f1b0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Portable.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -47,32 +47,15 @@ val compress_message_coefficient (fe: u16) val compress (v_COEFFICIENT_BITS: i32) - (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ - v v_COEFFICIENT_BITS == 11) /\ - (forall (i: nat). - i < 16 ==> v (Seq.index a.f_elements i) >= 0 /\ v (Seq.index a.f_elements i) < 3329)) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall (i: nat). - i < 16 ==> - v (result.f_elements.[ sz i ] <: i16) >= 0 /\ - v (result.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS)) + Prims.l_True + (fun _ -> Prims.l_True) -val compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) +val compress_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - forall (i: nat). - i < 16 ==> v (Seq.index a.f_elements i) >= 0 /\ v (Seq.index a.f_elements i) < 3329) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall (i: nat). - i < 16 ==> - v (result.f_elements.[ sz i ] <: i16) >= 0 /\ v (result.f_elements.[ sz i ] <: i16) < 2) + Prims.l_True + (fun _ -> Prims.l_True) val decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst index 06bc6c676..99ab0e5b0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst 
@@ -1,289 +1,199 @@ module Libcrux_ml_kem.Vector.Portable.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let inv_ntt_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) (i j: usize) = let a_minus_b:i16 = - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) -! - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) in - let a_plus_b:i16 = - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) +! - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) - in - let _:Prims.unit = - assert (v a_minus_b = v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i))); - assert (v a_plus_b = v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i))) - in - let o0:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element a_plus_b in - let o1:i16 = - Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta - in - let _:Prims.unit = - calc ( == ) { - v o0 % 3329; - ( == ) { () } - v a_plus_b % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i))) % 3329; - }; - calc ( == ) { - v o1 % 3329; - ( == ) { () } - (v a_minus_b * v zeta * 169) % 3329; - ( == ) { () } - ((v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i))) * v zeta * 169) % - 3329; - } - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - o0 + (Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element ((v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) + <: + i16) + <: + i16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements j - o1 + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta + <: + i16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let _:Prims.unit = - assert (Seq.index vec.f_elements (v i) == o0); - assert (Seq.index vec.f_elements (v j) == o1) - in - vec - -#push-options "--z3rlimit 200" + v let inv_ntt_layer_1_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 0) (sz 2) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 1) (sz 3) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 4) (sz 6) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 5) (sz 7) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta2 (sz 8) (sz 10) - in - let 
vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta2 (sz 9) (sz 11) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta3 (sz 12) (sz 14) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta3 (sz 13) (sz 15) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 13)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 15)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 12)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 14)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 9)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 11)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 8)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 10)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 5)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 7)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 4)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 6)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 1)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 3)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 0)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 2)); - assert (forall (i: nat). 
i < 16 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements i)) - in - vec - -#pop-options - -#push-options "--z3rlimit 100" + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 0) (sz 2) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 1) (sz 3) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 4) (sz 6) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 5) (sz 7) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta2 (sz 8) (sz 10) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta2 (sz 9) (sz 11) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta3 (sz 12) (sz 14) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta3 (sz 13) (sz 15) + in + v let inv_ntt_layer_2_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 0) (sz 4) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 0) (sz 4) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 1) (sz 5) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 1) (sz 5) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 2) (sz 6) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 2) (sz 6) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 3) (sz 7) + let 
v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 3) (sz 7) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 8) (sz 12) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 8) (sz 12) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 9) (sz 13) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 9) (sz 13) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 10) (sz 14) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 10) (sz 14) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 11) (sz 15) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 11) (sz 15) in - vec - -#pop-options - -#push-options "--z3rlimit 100" + v let inv_ntt_layer_3_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 0) (sz 8) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 0) (sz 8) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 1) (sz 9) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 1) (sz 9) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 2) (sz 10) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 2) (sz 10) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 3) 
(sz 11) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 3) (sz 11) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 4) (sz 12) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 4) (sz 12) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 5) (sz 13) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 5) (sz 13) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 6) (sz 14) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 6) (sz 14) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 7) (sz 15) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 7) (sz 15) in - vec - -#pop-options - -#push-options "--z3rlimit 250 --split_queries always --query_stats --ext context_prune" + v let ntt_multiply_binomials (a b: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) - (i: usize) + (i j: usize) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let ai:i16 = a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 *! i <: usize ] in - let bi:i16 = b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 *! i <: usize ] in - let aj:i16 = - a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ (sz 2 *! i <: usize) +! sz 1 <: usize - ] - in - let bj:i16 = - b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ (sz 2 *! i <: usize) +! 
sz 1 <: usize - ] - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b 3328 ai); - assert (Spec.Utils.is_i16b 3328 bi); - assert (Spec.Utils.is_i16b 3328 aj); - assert (Spec.Utils.is_i16b 3328 bj); - assert_norm (3328 * 3328 < pow2 31) - in - let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 ai bi in - let ai_bi:i32 = (cast (ai <: i16) <: i32) *! (cast (bi <: i16) <: i32) in - let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 aj bj in - let aj_bj___:i32 = (cast (aj <: i16) <: i32) *! (cast (bj <: i16) <: i32) in - let _:Prims.unit = assert_norm (3328 * 3328 <= 3328 * pow2 15) in - let aj_bj:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element aj_bj___ in - let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 1664 aj_bj zeta in - let aj_bj_zeta:i32 = (cast (aj_bj <: i16) <: i32) *! (cast (zeta <: i16) <: i32) in - let ai_bi_aj_bj:i32 = ai_bi +! aj_bj_zeta in - let _:Prims.unit = assert (Spec.Utils.is_i32b (3328 * 3328 + 3328 * 1664) ai_bi_aj_bj) in - let _:Prims.unit = assert_norm (3328 * 3328 + 3328 * 1664 <= 3328 * pow2 15) in - let o0:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element ai_bi_aj_bj in - let _:Prims.unit = - calc ( == ) { - v o0 % 3329; - ( == ) { () } - (v ai_bi_aj_bj * 169) % 3329; - ( == ) { assert (v ai_bi_aj_bj == v ai_bi + v aj_bj_zeta) } - ((v ai_bi + v aj_bj_zeta) * 169) % 3329; - ( == ) { assert (v ai_bi == v ai * v bi) } - (((v ai * v bi) + v aj_bj_zeta) * 169) % 3329; - ( == ) { assert (v aj_bj_zeta == v aj_bj * v zeta) } - (((v ai * v bi) + (v aj_bj * v zeta)) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + (v aj_bj * v zeta)) 169 3329 } - ((((v ai * v bi) + (v aj_bj * v zeta)) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v ai * v bi) (v aj_bj * v zeta) 3329 } - ((((v ai * v bi) + ((v aj_bj * v zeta) % 3329)) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v aj_bj) (v zeta) 3329 } - ((((v ai * v bi) + (((v aj_bj % 
3329) * v zeta) % 3329)) % 3329) * 169) % 3329; - ( == ) { assert (v aj_bj % 3329 == (v aj_bj___ * 169) % 3329) } - ((((v ai * v bi) + ((((v aj_bj___ * 169) % 3329) * v zeta) % 3329)) % 3329) * 169) % 3329; - ( == ) { assert (v aj_bj___ == v aj * v bj) } - ((((v ai * v bi) + ((((v aj * v bj * 169) % 3329) * v zeta) % 3329)) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v aj * v bj * 169) (v zeta) 3329 } - ((((v ai * v bi) + (((v aj * v bj * 169 * v zeta) % 3329))) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v ai * v bi) (v aj * v bj * 169 * v zeta) 3329 } - ((((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) - 169 - 3329 } - (((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) * 169) % 3329; - } + let o0:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element (((cast (a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + <: + i32) *! + (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: i32) + <: + i32) +! + ((cast (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element ((cast (a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] + <: + i16) + <: + i32) *! + (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) + <: + i32) + <: + i32) + <: + i16) + <: + i32) *! + (cast (zeta <: i16) <: i32) + <: + i32) + <: + i32) in - let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 ai bj in - let ai_bj:i32 = (cast (ai <: i16) <: i32) *! (cast (bj <: i16) <: i32) in - let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 aj bi in - let aj_bi:i32 = (cast (aj <: i16) <: i32) *! (cast (bi <: i16) <: i32) in - let ai_bj_aj_bi:i32 = ai_bj +! 
aj_bi in - let _:Prims.unit = assert (Spec.Utils.is_i32b (3328 * 3328 + 3328 * 3328) ai_bj_aj_bi) in - let _:Prims.unit = assert_norm (3328 * 3328 + 3328 * 3328 <= 3328 * pow2 15) in - let o1:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element ai_bj_aj_bi in - let _:Prims.unit = - calc ( == ) { - v o1 % 3329; - ( == ) { () } - (v ai_bj_aj_bi * 169) % 3329; - ( == ) { assert (v ai_bj_aj_bi == v ai_bj + v aj_bi) } - ((v ai_bj + v aj_bi) * 169) % 3329; - ( == ) { assert (v ai_bj == v ai * v bj) } - ((v ai * v bj + v aj_bi) * 169) % 3329; - ( == ) { assert (v aj_bi == v aj * v bi) } - ((v ai * v bj + v aj * v bi) * 169) % 3329; - } + let o1:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element (((cast (a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + <: + i32) *! + (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) <: i32) + <: + i32) +! + ((cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) <: i32) *! + (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: i32) + <: + i32) + <: + i32) in - let v__out0:t_Array i16 (sz 16) = out.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { out with @@ -291,7 +201,7 @@ let ntt_multiply_binomials = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - (sz 2 *! i <: usize) + i o0 } <: 
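Review bot: The new `ntt_multiply_binomials` takes `(i j: usize)` and indexes `a`, `b` and `out` directly with them, replacing the derived `2*i` / `2*i+1` pair (the small `@@ -291,7 +201,7 @@` hunk on the same line makes the matching change to the `out` update), but nothing in the hunk records that the two indices are distinct and inside the 16-element vector; the deleted assertions `Seq.index out.f_elements (2 * v i) == o0` and `... (2 * v i + 1) == o1` used to pin that relationship. The `admit () (* Panic freedom *)` line is also removed, so the panic-freedom claim now rests on whatever `val` the `.fsti` declares for this function, which is outside this hunk; if that spec is `Prims.l_True` like the others in this patch, a `requires (v i < 16 /\ v j < 16 /\ v i <> v j)` is the minimal contract worth keeping. Likewise the old `is_i32b (3328 * 3328 + 3328 * 1664)` assertion on the summed product fed to `montgomery_reduce_element` has no replacement, so the i32 intermediate in the new `o0` expression is no longer shown to be in the reducer's input range.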
@@ -304,264 +214,170 @@ let ntt_multiply_binomials = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - ((sz 2 *! i <: usize) +! sz 1 <: usize) + j o1 } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let _:Prims.unit = - assert (Seq.index out.f_elements (2 * v i) == o0); - assert (Seq.index out.f_elements (2 * v i + 1) == o1); - assert (Spec.Utils.is_i16b_array 3328 out.f_elements); - assert (forall k. - (k <> 2 * v i /\ k <> 2 * v i + 1) ==> Seq.index out.f_elements k == Seq.index v__out0 k) - in - let hax_temp_output:Prims.unit = admit () (* Panic freedom *) in out -#pop-options - let ntt_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) (i j: usize) = let t:i16 = - Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (vec + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) zeta in - let _:Prims.unit = - assert (v t % 3329 == ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) - in - let a_minus_t:i16 = - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 
t - in - let _:Prims.unit = - calc ( == ) { - v a_minus_t % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) - v t) % 3329; - ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 } - (v (Seq.index vec.f_elements (v i)) - (v t % 3329)) % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) - - ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) % - 3329; - ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i))) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169) - 3329 } - (v (Seq.index vec.f_elements (v i)) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) % - 3329; - } - in - let a_plus_t:i16 = - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! t - in - let _:Prims.unit = - calc ( == ) { - v a_plus_t % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) + v t) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 } - (v (Seq.index vec.f_elements (v i)) + (v t % 3329)) % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) + - ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) % - 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i))) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169) - 3329 } - (v (Seq.index vec.f_elements (v i)) + (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) % - 3329; - } - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements j - a_minus_t + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 
t <: i16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - a_plus_t + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! t <: i16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let _:Prims.unit = - assert (Seq.index vec.f_elements (v i) == a_plus_t); - assert (Seq.index vec.f_elements (v j) == a_minus_t) - in - vec - -#push-options "--z3rlimit 100" + v let ntt_layer_1_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 0) (sz 2) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 0) (sz 2) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 1) (sz 3) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 1) (sz 3) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 4) (sz 6) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 4) (sz 6) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 5) (sz 7) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 5) (sz 7) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta2 (sz 8) (sz 10) + let 
v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta2 (sz 8) (sz 10) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta2 (sz 9) (sz 11) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta2 (sz 9) (sz 11) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta3 (sz 12) (sz 14) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta3 (sz 12) (sz 14) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta3 (sz 13) (sz 15) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta3 (sz 13) (sz 15) in - vec - -#pop-options - -#push-options "--z3rlimit 100" + v let ntt_layer_2_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 0) (sz 4) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 0) (sz 4) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 1) (sz 5) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 1) (sz 5) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 2) (sz 6) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 2) (sz 6) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 3) (sz 7) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 3) (sz 7) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 8) (sz 12) + let 
v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 8) (sz 12) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 9) (sz 13) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 9) (sz 13) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 10) (sz 14) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 10) (sz 14) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 11) (sz 15) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 11) (sz 15) in - vec - -#pop-options + v -#push-options "--z3rlimit 100" - -let ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 0) (sz 8) +let ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 0) (sz 8) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 1) (sz 9) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 1) (sz 9) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 2) (sz 10) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 2) (sz 10) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 3) (sz 11) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 3) (sz 11) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 4) (sz 12) + let 
v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 4) (sz 12) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 5) (sz 13) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 5) (sz 13) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 6) (sz 14) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 6) (sz 14) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 7) (sz 15) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 7) (sz 15) in - vec - -#pop-options - -#push-options "--z3rlimit 100" + v let ntt_multiply (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) = - let nzeta0:i16 = Core.Ops.Arith.Neg.neg zeta0 in - let nzeta1:i16 = Core.Ops.Arith.Neg.neg zeta1 in - let nzeta2:i16 = Core.Ops.Arith.Neg.neg zeta2 in - let nzeta3:i16 = Core.Ops.Arith.Neg.neg zeta3 in - let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta0) in - let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta1) in - let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta2) in - let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta3) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Vector_type.zero () in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs zeta0 (sz 0) out + ntt_multiply_binomials lhs rhs zeta0 (sz 0) (sz 1) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs nzeta0 (sz 1) out + ntt_multiply_binomials lhs rhs 
(Core.Ops.Arith.Neg.neg zeta0 <: i16) (sz 2) (sz 3) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs zeta1 (sz 2) out + ntt_multiply_binomials lhs rhs zeta1 (sz 4) (sz 5) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs nzeta1 (sz 3) out + ntt_multiply_binomials lhs rhs (Core.Ops.Arith.Neg.neg zeta1 <: i16) (sz 6) (sz 7) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs zeta2 (sz 4) out + ntt_multiply_binomials lhs rhs zeta2 (sz 8) (sz 9) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs nzeta2 (sz 5) out + ntt_multiply_binomials lhs rhs (Core.Ops.Arith.Neg.neg zeta2 <: i16) (sz 10) (sz 11) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs zeta3 (sz 6) out + ntt_multiply_binomials lhs rhs zeta3 (sz 12) (sz 13) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs nzeta3 (sz 7) out + ntt_multiply_binomials lhs rhs (Core.Ops.Arith.Neg.neg zeta3 <: i16) (sz 14) (sz 15) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -#pop-options + out 
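Review bot: Renaming the vector parameter from `vec` to `v` in `ntt_step`, `ntt_layer_1_step`, `ntt_layer_2_step` and `ntt_layer_3_step` shadows the integer coercion `v` that every contract this patch deletes is written with (`v i < 16`, `v zeta`, `v t % 3329`), so those contracts cannot be put back into the `.fsti` hunks below (`@@ -1,65` and `@@ -73,127`) without renaming again; if the extraction follows the Rust parameter name, as it presumably does, keep the source parameter as `vec`. Separately, the new `o0`/`o1` feed `montgomery_reduce_element` directly from unconstrained `a`/`b` coefficients, while the removed `assert_norm (3328 * 3328 + 3328 * 3328 <= 3328 * pow2 15)` suggests the reduction expects a bounded input; with `Spec.Utils.is_i16b_array 3328` gone from the signatures nothing establishes that bound any more. `ntt_multiply_binomials` starts before this hunk.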
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti
index 1b1a575e4..3c826a279 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti
@@ -1,65 +1,36 @@ module Libcrux_ml_kem.Vector.Portable.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -[@@ "opaque_to_smt"] - val inv_ntt_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) (i j: usize) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - v i < 16 /\ v j < 16 /\ v i <> v j /\ Spec.Utils.is_i16b 1664 zeta /\ - Spec.Utils.is_i16b_array (4 * 3328) vec.f_elements) - (ensures - fun vec_future -> - let vec_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec_future in - Spec.Utils.is_i16b_array (4 * 3328) vec_future.f_elements /\ - (forall k. - (k <> v i /\ k <> v j) ==> - Seq.index vec_future.f_elements k == Seq.index vec.f_elements k) /\ - Spec.Utils.is_i16b 3328 (Seq.index vec_future.f_elements (v i)) /\ - Spec.Utils.is_i16b 3328 (Seq.index vec_future.f_elements (v j)) /\ - Spec.Utils.inv_ntt_spec vec.f_elements (v zeta) (v i) (v j) vec_future.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val inv_ntt_layer_1_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (4 * 3328) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val inv_ntt_layer_2_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 
zeta1: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array 3328 vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val inv_ntt_layer_3_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements) - -[@@ "opaque_to_smt"] + Prims.l_True + (fun _ -> Prims.l_True) /// Compute the product of two Kyber binomials with respect to the /// modulus `X² - zeta`. 
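Review bot: Every `val` in this hunk now has `Prims.l_True` as both pre- and postcondition, so `inv_ntt_step` is declared for arbitrary `i j: usize` although its implementation presumably indexes `f_elements` at `i` and `j` the way `ntt_step` does in the `.fst` hunk above, and nothing bounds `zeta` or the coefficients any more; together with the z3rlimit going from 100 to 15 this reads as a deliberate stub rather than a weakened proof. If it is, make that visible in the file rather than leaving a module whose declarations verify nothing: keep the index guard as an interim contract (the removed `v i < 16 /\ v j < 16 /\ v i <> v j`, rewritten around the renamed parameter), or add `// TODO(proofs): contracts stubbed to l_True while the extraction is reworked; restore bounds before merge` under the `module` line. The same applies to every `val` in the `@@ -73,127` hunk below (`ntt_multiply_binomials` through `ntt_multiply`).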
@@ -73,127 +44,49 @@ val inv_ntt_layer_3_step /// c₁ ← a₀·b₁ + a₁·b₀ /// return c₀, c₁ /// ``` -/// We say \"almost\" because the coefficients output by this function are in +/// We say "almost" because the coefficients output by this function are in /// the Montgomery domain (unlike in the specification). /// The NIST FIPS 203 standard can be found at /// . val ntt_multiply_binomials (a b: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) - (i: usize) + (i j: usize) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - v i < 8 /\ Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 a.f_elements /\ - Spec.Utils.is_i16b_array 3328 b.f_elements /\ Spec.Utils.is_i16b_array 3328 out.f_elements) - (ensures - fun out_future -> - let out_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out_future in - Spec.Utils.is_i16b_array 3328 out_future.f_elements /\ - (forall k. 
- (k <> 2 * v i /\ k <> 2 * v i + 1) ==> - Seq.index out_future.f_elements k == Seq.index out.f_elements k) /\ - (let ai = Seq.index a.f_elements (2 * v i) in - let aj = Seq.index a.f_elements (2 * v i + 1) in - let bi = Seq.index b.f_elements (2 * v i) in - let bj = Seq.index b.f_elements (2 * v i + 1) in - let oi = Seq.index out_future.f_elements (2 * v i) in - let oj = Seq.index out_future.f_elements (2 * v i + 1) in - ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * v zeta * 169)) * 169) % 3329)) /\ - ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))) - -[@@ "opaque_to_smt"] + Prims.l_True + (fun _ -> Prims.l_True) val ntt_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) (i j: usize) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - v i < 16 /\ v j < 16 /\ v i <> v j /\ Spec.Utils.is_i16b 1664 zeta /\ - Spec.Utils.is_i16b_array (11207 + 6 * 3328) vec.f_elements /\ - Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ i ] /\ - Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ j ]) - (ensures - fun vec_future -> - let vec_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec_future in - (forall k. - (k <> v i /\ k <> v j) ==> - Seq.index vec_future.f_elements k == Seq.index vec.f_elements k) /\ - (forall b. 
- (Spec.Utils.is_i16b b vec.f_elements.[ i ] /\ - Spec.Utils.is_i16b b vec.f_elements.[ j ]) ==> - (Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ i ] /\ - Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ j ])) /\ - Spec.Utils.ntt_spec vec.f_elements (v zeta) (v i) (v j) vec_future.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_layer_1_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (11207 + 5 * 3328) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array (11207 + 6 * 3328) result.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_layer_2_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array (11207 + 4 * 3328) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array (11207 + 5 * 3328) result.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) -val ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) +val ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 
3 * 3328) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array (11207 + 4 * 3328) result.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_multiply (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array 3328 lhs.f_elements /\ Spec.Utils.is_i16b_array 3328 rhs.f_elements - ) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements /\ - (let zetas = - Seq.seq_of_list [ - v zeta0; - - v zeta0; - v zeta1; - - v zeta1; - v zeta2; - - v zeta2; - v zeta3; - - v zeta3 - ] - in - (forall (i: nat). - i < 8 ==> - (let ai = Seq.index lhs.f_elements (2 * i) in - let aj = Seq.index lhs.f_elements (2 * i + 1) in - let bi = Seq.index rhs.f_elements (2 * i) in - let bj = Seq.index rhs.f_elements (2 * i + 1) in - let oi = Seq.index result.f_elements (2 * i) in - let oj = Seq.index result.f_elements (2 * i + 1) in - ((v oi % 3329) == - (((v ai * v bi + (v aj * v bj * (Seq.index zetas i) * 169)) * 169) % 3329)) /\ - ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))))) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst index b9c0febd3..aec49a64f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst 
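Review bot: `ntt_multiply_binomials` now takes `(i j: usize)`, but the doc comment above it, which is all that is left once the `ensures` clause is gone, says nothing about them; the `.fst` hunk above reads `a` and `b` at `i` and `j` and writes `out` at `i` (`o0`) and `j` (`o1`). Add a line to that comment, presumably in the Rust source it is extracted from, e.g. `/// i and j are the positions of the two coefficients in a, b and out.` The doc block starts before this hunk.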
@@ -1,10 +1,8 @@ module Libcrux_ml_kem.Vector.Portable.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -#push-options "--admit_smt_queries true" - let rej_sample (a: t_Slice u8) (result: t_Slice i16) = let sampled:usize = sz 0 in let result, sampled:(t_Slice i16 & usize) = @@ -42,5 +40,3 @@ let rej_sample (a: t_Slice u8) (result: t_Slice i16) = in let hax_temp_output:usize = sampled in result, hax_temp_output <: (t_Slice i16 & usize) - -#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti index cbbc36deb..fc5f15276 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti @@ -1,14 +1,7 @@ module Libcrux_ml_kem.Vector.Portable.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul val rej_sample (a: t_Slice u8) (result: t_Slice i16) - : Prims.Pure (t_Slice i16 & usize) - (requires - (Core.Slice.impl__len #u8 a <: usize) =. sz 24 && - (Core.Slice.impl__len #i16 result <: usize) =. sz 16) - (ensures - fun temp_0_ -> - let result_future, res:(t_Slice i16 & usize) = temp_0_ in - Seq.length result_future == Seq.length result /\ v res <= 16) + : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst index 37ca063e4..9a88facf7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst 
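Review bot: `rej_sample`'s contract is reduced to `Prims.l_True`, so the declaration no longer fixes `a` at 24 bytes and `result` at 16 elements, nor bounds the returned count with `v res <= 16`; any caller that relied on `res <= 16` to index `result` loses the only fact that made it provable, and the `.fst` hunk in the same file drops `--admit_smt_queries true` at the same time, so the implementation's own slice accesses now have to be discharged from nothing. If this is the intended interim state, say so next to the `val`: `// TODO(proofs): slice-length precondition and res <= 16 postcondition stubbed; restore before merge`. `rej_sample`'s body is cut by the `@@ -1,10` hunk.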
@@ -1,5 +1,5 @@
 module Libcrux_ml_kem.Vector.Portable.Serialize
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 100"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
 open Core
 open FStar.Mul
@@ -244,65 +244,159 @@ let serialize_5_int (v: t_Slice i16) = in r0, r1, r2, r3, r4 <: (u8 & u8 & u8 & u8 & u8) -let deserialize_11_ (bytes: t_Slice u8) = - let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_11_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 11 } +let serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let result:t_Array u8 (sz 2) = Rust_primitives.Hax.repeat 0uy (sz 2) in + let result:t_Array u8 (sz 2) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 8) + (fun result temp_1_ -> + let result:t_Array u8 (sz 2) = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Array u8 (sz 2) = result in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 0) + ((result.[ sz 0 ] <: u8) |. + ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: u8) < + let result:t_Array u8 (sz 2) = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Array u8 (sz 2) = result in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 1) + ((result.[ sz 1 ] <: u8) |. + ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: u8) <>! 1l <: u8) &. 1uy <: u8) <: i16 in - let result2:i16 = cast (((v.[ sz 0 ] <: u8) >>! 2l <: u8) &. 1uy <: u8) <: i16 in - let result3:i16 = cast (((v.[ sz 0 ] <: u8) >>! 3l <: u8) &. 1uy <: u8) <: i16 in - let result4:i16 = cast (((v.[ sz 0 ] <: u8) >>! 4l <: u8) &. 1uy <: u8) <: i16 in - let result5:i16 = cast (((v.[ sz 0 ] <: u8) >>! 5l <: u8) &. 1uy <: u8) <: i16 in - let result6:i16 = cast (((v.[ sz 0 ] <: u8) >>! 6l <: u8) &. 1uy <: u8) <: i16 in - let result7:i16 = cast (((v.[ sz 0 ] <: u8) >>! 7l <: u8) &. 1uy <: u8) <: i16 in - let result8:i16 = cast ((v.[ sz 1 ] <: u8) &. 1uy <: u8) <: i16 in - let result9:i16 = cast (((v.[ sz 1 ] <: u8) >>! 1l <: u8) &. 
1uy <: u8) <: i16 in - let result10:i16 = cast (((v.[ sz 1 ] <: u8) >>! 2l <: u8) &. 1uy <: u8) <: i16 in - let result11:i16 = cast (((v.[ sz 1 ] <: u8) >>! 3l <: u8) &. 1uy <: u8) <: i16 in - let result12:i16 = cast (((v.[ sz 1 ] <: u8) >>! 4l <: u8) &. 1uy <: u8) <: i16 in - let result13:i16 = cast (((v.[ sz 1 ] <: u8) >>! 5l <: u8) &. 1uy <: u8) <: i16 in - let result14:i16 = cast (((v.[ sz 1 ] <: u8) >>! 6l <: u8) &. 1uy <: u8) <: i16 in - let result15:i16 = cast (((v.[ sz 1 ] <: u8) >>! 7l <: u8) &. 1uy <: u8) <: i16 in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - result0; result1; result2; result3; result4; result5; result6; result7; result8; result9; - result10; result11; result12; result13; result14; result15 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - -#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" - -let deserialize_1_bit_vec_lemma (v: t_Array u8 (sz 2)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (deserialize_1_ v).f_elements 1 in - (forall (i: nat {i < 16}). 
inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options - -#push-options "--z3rlimit 300" - -let deserialize_1_lemma inputs = - deserialize_1_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_1_ inputs).f_elements 1) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options - -let deserialize_1_bounded_lemma inputs = - admit() - -let deserialize_10_ (bytes: t_Slice u8) = - let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_10_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } + let r6_8_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 4; + Core.Ops.Range.f_end = sz 6 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_10_int (bytes.[ { Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 20 } + let r9_11_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 6; + Core.Ops.Range.f_end = sz 8 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1; - v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - -#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" - -let deserialize_10_bit_vec_lemma (v: t_Array u8 (sz 20)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (deserialize_10_ v).f_elements 10 in - (forall (i: nat 
{i < 160}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options - -#push-options "--z3rlimit 300" - -let deserialize_10_lemma inputs = - deserialize_10_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_10_ inputs).f_elements 10) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options - -let deserialize_10_bounded_lemma inputs = - admit() - -let deserialize_12_ (bytes: t_Slice u8) = - let v0_1_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 3 } + let r12_14_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 10 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v2_3_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 3; Core.Ops.Range.f_end = sz 6 } + let r15_17_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 10; + Core.Ops.Range.f_end = sz 12 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v4_5_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 6; Core.Ops.Range.f_end = sz 9 } + let r18_20_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 12; + Core.Ops.Range.f_end = sz 14 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v6_7_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 9; Core.Ops.Range.f_end = sz 12 } + let r21_23_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 14; + Core.Ops.Range.f_end = sz 16 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v8_9_:(i16 & i16) = - 
deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 12; Core.Ops.Range.f_end = sz 15 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) + let result:t_Array u8 (sz 24) = Rust_primitives.Hax.repeat 0uy (sz 24) in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 0) r0_2_._1 in - let v10_11_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 15; Core.Ops.Range.f_end = sz 18 } + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 1) r0_2_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 2) r0_2_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 3) r3_5_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 4) r3_5_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 5) r3_5_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 6) r6_8_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 7) r6_8_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 8) r6_8_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 9) r9_11_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 10) r9_11_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 11) r9_11_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 12) r12_14_._1 + in + let result:t_Array u8 (sz 24) 
= + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 13) r12_14_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 14) r12_14_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 15) r15_17_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 16) r15_17_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 17) r15_17_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 18) r18_20_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 19) r18_20_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 20) r18_20_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 21) r21_23_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 22) r21_23_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 23) r21_23_._3 + in + result + +let serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let result0_3_:(u8 & u8 & u8 & u8) = + serialize_4_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v12_13_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 18; Core.Ops.Range.f_end = sz 21 } + let result4_7_:(u8 & u8 & u8 & u8) = + serialize_4_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 8; + 
Core.Ops.Range.f_end = sz 16 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v14_15_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 21; Core.Ops.Range.f_end = sz 24 } + let result:t_Array u8 (sz 8) = Rust_primitives.Hax.repeat 0uy (sz 8) in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 0) result0_3_._1 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 1) result0_3_._2 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 2) result0_3_._3 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 3) result0_3_._4 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 4) result4_7_._1 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 5) result4_7_._2 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 6) result4_7_._3 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 7) result4_7_._4 + in + result + +let serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let r0_4_:(u8 & u8 & u8 & u8 & u8) = + serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - v0_1_._1; v0_1_._2; v2_3_._1; v2_3_._2; v4_5_._1; v4_5_._2; v6_7_._1; v6_7_._2; v8_9_._1; - v8_9_._2; v10_11_._1; v10_11_._2; v12_13_._1; v12_13_._2; v14_15_._1; v14_15_._2 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length 
list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - -#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" - -let deserialize_12_bit_vec_lemma (v: t_Array u8 (sz 24)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (deserialize_12_ v).f_elements 12 in - (forall (i: nat {i < 192}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options - -#push-options "--z3rlimit 300" - -let deserialize_12_lemma inputs = - deserialize_12_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_12_ inputs).f_elements 12) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options - -let deserialize_12_bounded_lemma inputs = - admit() - -let deserialize_4_ (bytes: t_Slice u8) = - let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_4_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } + let r5_9_:(u8 & u8 & u8 & u8 & u8) = + serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_4_int (bytes.[ { Core.Ops.Range.f_start = sz 4; Core.Ops.Range.f_end = sz 8 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) + let result:t_Array u8 (sz 10) = Rust_primitives.Hax.repeat 0uy (sz 10) in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 0) r0_4_._1 in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1; - v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8 - ] - in - FStar.Pervasives.assert_norm 
(Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - -#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" - -let deserialize_4_bit_vec_lemma (v: t_Array u8 (sz 8)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (deserialize_4_ v).f_elements 4 in - (forall (i: nat {i < 64}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options - -#push-options "--z3rlimit 300" - -let deserialize_4_lemma inputs = - deserialize_4_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_4_ inputs).f_elements 4) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options - -let deserialize_4_bounded_lemma inputs = - admit() + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 1) r0_4_._2 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 2) r0_4_._3 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 3) r0_4_._4 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 4) r0_4_._5 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 5) r5_9_._1 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 6) r5_9_._2 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 7) r5_9_._3 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 8) r5_9_._4 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 9) r5_9_._5 + in + result -let 
serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let result0:u8 = - (((((((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) <: u8) |. - ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) - <: - u8) < + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + let i:usize = i in + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (cast (((v.[ sz 0 ] <: u8) >>! i <: u8) &. 1uy <: u8) <: i16) <: - u8) |. - ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) <: u8) < + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + let i:usize = i in + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (cast (((v.[ sz 1 ] <: u8) >>! (i -! sz 8 <: usize) <: u8) &. 1uy <: u8) <: i16) <: - u8) + t_Array i16 (sz 16) + } <: - u8) |. - ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) <: u8) < Prims.l_True) val deserialize_11_int (bytes: t_Slice u8) : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - (requires Core.Slice.impl__len #u8 bytes =. sz 11) + Prims.l_True (fun _ -> Prims.l_True) val deserialize_12_int (bytes: t_Slice u8) - : Prims.Pure (i16 & i16) - (requires Core.Slice.impl__len #u8 bytes =. 
sz 3) - (fun _ -> Prims.l_True) + : Prims.Pure (i16 & i16) Prims.l_True (fun _ -> Prims.l_True) val deserialize_4_int (bytes: t_Slice u8) : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - (requires Core.Slice.impl__len #u8 bytes =. sz 4) + Prims.l_True (fun _ -> Prims.l_True) val deserialize_5_int (bytes: t_Slice u8) : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - (requires Core.Slice.impl__len #u8 bytes =. sz 5) + Prims.l_True (fun _ -> Prims.l_True) val serialize_10_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8 & u8 & u8) - (requires Core.Slice.impl__len #i16 v =. sz 4) - (fun _ -> Prims.l_True) + : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) val serialize_11_int (v: t_Slice i16) : Prims.Pure (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) - (requires Core.Slice.impl__len #i16 v =. sz 8) + Prims.l_True (fun _ -> Prims.l_True) val serialize_12_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8) - (requires Core.Slice.impl__len #i16 v =. sz 2) - (fun _ -> Prims.l_True) + : Prims.Pure (u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) val serialize_4_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8 & u8) - (requires Core.Slice.impl__len #i16 v =. sz 8) - (fun _ -> Prims.l_True) + : Prims.Pure (u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) val serialize_5_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8 & u8 & u8) - (requires Core.Slice.impl__len #i16 v =. sz 8) - (fun _ -> Prims.l_True) + : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) -val deserialize_11_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. 
sz 22) - (fun _ -> Prims.l_True) +val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) -val deserialize_5_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. sz 10) - (fun _ -> Prims.l_True) +val serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) val serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) +val serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + val serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) val deserialize_1_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 v =. sz 2) + Prims.l_True (fun _ -> Prims.l_True) -val deserialize_1_lemma (inputs: t_Array u8 (sz 2)) : Lemma - (ensures bit_vec_of_int_t_array (deserialize_1_ inputs).f_elements 1 == bit_vec_of_int_t_array inputs 8) - -val deserialize_1_bounded_lemma (inputs: t_Array u8 (sz 2)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_1_ inputs).f_elements i) 1) - val deserialize_10_ (bytes: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. 
sz 20) + Prims.l_True (fun _ -> Prims.l_True) -val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma - (ensures bit_vec_of_int_t_array (deserialize_10_ inputs).f_elements 10 == bit_vec_of_int_t_array inputs 8) - -val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_10_ inputs).f_elements i) 10) +val deserialize_11_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) val deserialize_12_ (bytes: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. sz 24) + Prims.l_True (fun _ -> Prims.l_True) -val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma - (ensures bit_vec_of_int_t_array (deserialize_12_ inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8) - -val deserialize_12_bounded_lemma (inputs: t_Array u8 (sz 24)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_12_ inputs).f_elements i) 12) - val deserialize_4_ (bytes: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. sz 8) + Prims.l_True (fun _ -> Prims.l_True) -val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma - (ensures bit_vec_of_int_t_array (deserialize_4_ inputs).f_elements 4 == bit_vec_of_int_t_array inputs 8) - -val deserialize_4_bounded_lemma (inputs: t_Array u8 (sz 8)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_4_ inputs).f_elements i) 4) - -val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. 
Rust_primitives.bounded (Seq.index inputs.f_elements i) 1)) - (ensures bit_vec_of_int_t_array (serialize_1_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 1) - -val serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 10)) - (ensures bit_vec_of_int_t_array (serialize_10_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 10) - -val serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_12_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 12)) - (ensures bit_vec_of_int_t_array (serialize_12_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 12) - -val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4)) - (ensures bit_vec_of_int_t_array (serialize_4_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4) +val deserialize_5_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst index 948ac409c..962c322cf 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Portable.Vector_type -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti index 7f42fe833..4c354edf7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti @@ -1,30 +1,14 @@ module Libcrux_ml_kem.Vector.Portable.Vector_type -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul type t_PortableVector = { f_elements:t_Array i16 (sz 16) } val from_i16_array (array: t_Slice i16) - : Prims.Pure t_PortableVector - (requires (Core.Slice.impl__len #i16 array <: usize) =. sz 16) - (ensures - fun result -> - let result:t_PortableVector = result in - result.f_elements == array) + : Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) val to_i16_array (x: t_PortableVector) - : Prims.Pure (t_Array i16 (sz 16)) - Prims.l_True - (ensures - fun result -> - let result:t_Array i16 (sz 16) = result in - result == x.f_elements) + : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True) -val zero: Prims.unit - -> Prims.Pure t_PortableVector - Prims.l_True - (ensures - fun result -> - let result:t_PortableVector = result in - result.f_elements == Seq.create 16 0s) +val zero: Prims.unit -> Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti index 10098ed48..164f28caa 100644 
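Review bot: The new `from_i16_array` declaration in the Vector_type.fsti hunk drops both the `(requires (Core.Slice.impl__len #i16 array <: usize) =. sz 16)` precondition and the `result.f_elements == array` postcondition, so the interface no longer rules out a slice of any length other than 16 and nothing downstream can rely on the copy being faithful; `zero` likewise loses its `Seq.create 16 0s` guarantee. With the contract reduced to `Prims.l_True`, a length mismatch would presumably only surface at run time in the Rust implementation, if at all. If this .fsti is regenerated by hax, the contract to restore is the `hax_lib::requires`/`ensures` annotation on the Rust `from_i16_array` rather than a hand edit here. Lowering `--z3rlimit` from 100 to 15 in the sibling .fst hunk is only safe because every obligation has been trivialised and will need revisiting when the specs return. If the weakening is intentional for this WIP, a header comment such as `(* TODO: from_i16_array/zero contracts temporarily dropped; restore before merge *)` would stop it landing silently.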
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -7,135 +7,24 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Portable.Vector_type in - let open Libcrux_ml_kem.Vector.Traits in () -val deserialize_11_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 22) - (fun _ -> Prims.l_True) - -val deserialize_5_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 10) - (fun _ -> Prims.l_True) - -val serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_kem.Vector.Traits.t_Repr -Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; - _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - f_repr_pre = (fun (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); - f_repr_post - = - (fun - (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (out: t_Array i16 (sz 16)) - -> - true); - f_repr - = - fun (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Libcrux_ml_kem.Vector.Portable.Vector_type.to_i16_array x - } - -val deserialize_1_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 2) - (ensures - fun out -> - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - sz (Seq.length a) =. 
sz 2 ==> Spec.MLKEM.deserialize_post 1 a (impl.f_repr out)) - -val deserialize_10_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 20) - (ensures - fun out -> - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - sz (Seq.length a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 a (impl.f_repr out)) - -val deserialize_12_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 24) - (ensures - fun out -> - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - sz (Seq.length a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 a (impl.f_repr out)) - -val deserialize_4_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 8) - (ensures - fun out -> - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - sz (Seq.length a) =. 
sz 8 ==> Spec.MLKEM.deserialize_post 4 a (impl.f_repr out)) - -val serialize_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 2)) - (requires Spec.MLKEM.serialize_pre 1 (impl.f_repr a)) - (ensures - fun out -> - let out:t_Array u8 (sz 2) = out in - Spec.MLKEM.serialize_pre 1 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 1 (impl.f_repr a) out) - -val serialize_10_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 20)) - (requires Spec.MLKEM.serialize_pre 10 (impl.f_repr a)) - (ensures - fun out -> - let out:t_Array u8 (sz 20) = out in - Spec.MLKEM.serialize_pre 10 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 10 (impl.f_repr a) out) - -val serialize_12_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 24)) - (requires Spec.MLKEM.serialize_pre 12 (impl.f_repr a)) - (ensures - fun out -> - let out:t_Array u8 (sz 24) = out in - Spec.MLKEM.serialize_pre 12 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 12 (impl.f_repr a) out) - -val serialize_4_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 8)) - (requires Spec.MLKEM.serialize_pre 4 (impl.f_repr a)) - (ensures - fun out -> - let out:t_Array u8 (sz 8) = out in - Spec.MLKEM.serialize_pre 4 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 4 (impl.f_repr a) out) - -#push-options "--z3rlimit 400 --split_queries always" - [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Libcrux_ml_kem.Vector.Traits.t_Operations +let impl: Libcrux_ml_kem.Vector.Traits.t_Operations Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - _super_8706949974463268012 = FStar.Tactics.Typeclasses.solve; f_ZERO_pre = (fun (_: Prims.unit) -> true); f_ZERO_post = - (fun (_: Prims.unit) (out: 
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - impl.f_repr out == Seq.create 16 0s); + (fun (_: Prims.unit) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_kem.Vector.Portable.Vector_type.zero ()); - f_from_i16_array_pre - = - (fun (array: t_Slice i16) -> (Core.Slice.impl__len #i16 array <: usize) =. sz 16); + f_from_i16_array_pre = (fun (array: t_Slice i16) -> true); f_from_i16_array_post = (fun (array: t_Slice i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - impl.f_repr out == array); + true); f_from_i16_array = (fun (array: t_Slice i16) -> Libcrux_ml_kem.Vector.Portable.Vector_type.from_i16_array array); @@ -148,7 +37,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array i16 (sz 16)) -> - out == impl.f_repr x); + true); f_to_i16_array = (fun (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> @@ -159,21 +48,15 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i))); + true); f_add_post = (fun (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (result: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall i. - i < 16 ==> - (v (Seq.index result.f_elements i) == - v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i))); + true); f_add = (fun 
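Review bot: The `@@ -7,135 +7,24 @@` hunk removes the `deserialize_*`/`serialize_*` declarations that connected the portable backend to `Spec.MLKEM.deserialize_post` and `Spec.MLKEM.serialize_pre`/`serialize_post`, together with the `t_Repr` instance `impl` whose `f_repr` the remaining postconditions were phrased over, and the new side re-establishes neither; serialization of this backend is therefore no longer related to the ML-KEM specification at all. The surviving `impl: t_Operations` is the former `impl_1` renamed, with its ZERO and from_i16_array contracts replaced by `true`. The deleted `#push-options "--z3rlimit 400 --split_queries always"` was what let the old instance check, so it will have to come back with the specs. If this is an expected intermediate state of the extraction, record it at the top of the module, e.g. `(* NOTE: Spec.MLKEM serialization contracts temporarily removed; tracked separately *)`, rather than leaving a silently weaker interface.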
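Review bot: `f_add_pre` in the `@@ -159,21 +48,15 @@` hunk loses `Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i))`, which is the i16 overflow obligation for coefficient addition; with `true` in its place F* no longer proves that the sums stay representable, and a Rust release build without overflow checks wraps such an overflow silently instead of panicking. The matching postcondition `v (Seq.index result.f_elements i) == v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i)` is gone as well, so downstream callers can no longer derive the bounds their own preconditions appear to need. The same pair of guards disappears for `f_sub` and `f_multiply_by_constant` in the next two hunks. Unless the bound is being moved elsewhere, restore `forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i))` in place of `true`, or in the Rust `hax_lib::requires` attribute if this file is regenerated.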
@@ -187,21 +70,15 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))); + true); f_sub_post = (fun (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (result: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall i. - i < 16 ==> - (v (Seq.index result.f_elements i) == - v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))); + true); f_sub = (fun 
@@ -211,22 +88,19 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Arithmetic.sub lhs rhs); f_multiply_by_constant_pre = - (fun (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> - forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index vec.f_elements i) * v c) - ); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> true); f_multiply_by_constant_post = (fun - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) - (result: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall i. - i < 16 ==> (v (Seq.index result.f_elements i) == v (Seq.index vec.f_elements i) * v c)); + true); f_multiply_by_constant = - (fun (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> - Libcrux_ml_kem.Vector.Portable.Arithmetic.multiply_by_constant vec c); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> + Libcrux_ml_kem.Vector.Portable.Arithmetic.multiply_by_constant v c); f_bitwise_and_with_constant_pre = (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> true); 
@@ -237,15 +111,14 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (c: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - impl.f_repr out == Spec.Utils.map_array (fun x -> x &. c) (impl.f_repr v)); + true); f_bitwise_and_with_constant = (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> Libcrux_ml_kem.Vector.Portable.Arithmetic.bitwise_and_with_constant v c); f_shift_right_pre = - (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l); + (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_shift_right_post = (fun 
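Review bot: `f_shift_right_pre` in this hunk no longer requires `v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l`, so a shift amount outside the i16 width is now admitted by the interface; in Rust a shift of an i16 by 16 or more is an arithmetic overflow (a panic with overflow checks enabled, a masked shift amount without them), and the old precondition was what excluded it at proof time. The `impl.f_repr out == Spec.Utils.map_array (fun x -> x &. c) (impl.f_repr v)` postcondition on `bitwise_and_with_constant` is dropped in the same hunk, leaving that operation entirely unspecified. Since `v_SHIFT_BY` appears to be a compile-time constant on the Rust side, the bound costs nothing to keep; restore `v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l` in place of `true`.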
@@ -253,32 +126,28 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> - impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (impl.f_repr v)); + true); f_shift_right = (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> Libcrux_ml_kem.Vector.Portable.Arithmetic.shift_right v_SHIFT_BY v); f_cond_subtract_3329_pre = - (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr v)); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_cond_subtract_3329_post = (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - impl.f_repr out == - Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr v)); + true); f_cond_subtract_3329_ = (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> Libcrux_ml_kem.Vector.Portable.Arithmetic.cond_subtract_3329_ v); f_barrett_reduce_pre = - (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array 28296 (impl.f_repr v)); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_barrett_reduce_post = (fun @@ -292,8 +161,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce v); f_montgomery_multiply_by_constant_pre = - (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (r: i16) -> - Spec.Utils.is_i16b 1664 r); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (r: i16) -> true); f_montgomery_multiply_by_constant_post = (fun 
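Review bot: The `@@ -292,8 +161,7 @@` hunk replaces `Spec.Utils.is_i16b 1664 r` in `f_montgomery_multiply_by_constant_pre` with `true`, and the preceding hunk does the same to `f_barrett_reduce_pre` (`Spec.Utils.is_i16b_array 28296 (impl.f_repr v)`) and `f_cond_subtract_3329_pre` (`Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr v)`); these input bounds are presumably what the Arithmetic proofs rely on for the reductions to return a representative of the correct residue, so removing them reduces the specification from correctness to mere type-correctness. The `f_cond_subtract_3329_post` spec `Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr v)` also goes, so callers can no longer conclude that the result lies below the modulus. If hax regenerates this .fsti from the Rust source, restore the `hax_lib::requires` annotations there; otherwise put the three bounds back in place of `true`.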
@@ -308,57 +176,47 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_by_constant v r); f_compress_1_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall (i: nat). - i < 16 ==> v (Seq.index (impl.f_repr a) i) >= 0 /\ v (Seq.index (impl.f_repr a) i) < 3329); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_compress_1_post = (fun - (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) 1); + true); f_compress_1_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Libcrux_ml_kem.Vector.Portable.Compress.compress_1_ a); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Compress.compress_1_ v); f_compress_pre = (fun (v_COEFFICIENT_BITS: i32) - (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ - v v_COEFFICIENT_BITS == 11) /\ - (forall (i: nat). - i < 16 ==> - v (Seq.index (impl.f_repr a) i) >= 0 /\ v (Seq.index (impl.f_repr a) i) < 3329)); + true); f_compress_post = (fun (v_COEFFICIENT_BITS: i32) - (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ - v v_COEFFICIENT_BITS == 11) ==> - (forall (i: nat). 
i < 16 ==> bounded (Seq.index (impl.f_repr out) i) (v v_COEFFICIENT_BITS)) - ); + true); f_compress = (fun (v_COEFFICIENT_BITS: i32) - (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Libcrux_ml_kem.Vector.Portable.Compress.compress v_COEFFICIENT_BITS a); + Libcrux_ml_kem.Vector.Portable.Compress.compress v_COEFFICIENT_BITS v); f_decompress_ciphertext_coefficient_pre = (fun (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - v_COEFFICIENT_BITS =. 4l || v_COEFFICIENT_BITS =. 5l || v_COEFFICIENT_BITS =. 10l || - v_COEFFICIENT_BITS =. 11l); + true); f_decompress_ciphertext_coefficient_post = (fun @@ -384,9 +242,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta2: i16) (zeta3: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (11207 + 5 * 3328) (impl.f_repr a)); + true); f_ntt_layer_1_step_post = (fun @@ -397,7 +253,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta3: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array (11207 + 6 * 3328) (impl.f_repr out)); + true); f_ntt_layer_1_step = (fun @@ -415,8 +271,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta0: i16) (zeta1: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array (11207 + 4 * 3328) (impl.f_repr a)); + true); f_ntt_layer_2_step_post = (fun @@ -425,7 +280,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta1: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array (11207 + 5 * 3328) (impl.f_repr out)); + true); f_ntt_layer_2_step = (fun 
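Review bot: `f_compress_pre` and `f_decompress_ciphertext_coefficient_pre` now return `true`, dropping both the `v_COEFFICIENT_BITS == 4 \/ 5 \/ 10 \/ 11` restriction and, for compress, the `>= 0 /\ < 3329` range on every lane that the removed lines required. The compress postconditions also lose `bounded (Seq.index (impl.f_repr out) i) (v v_COEFFICIENT_BITS)`, so a caller can no longer conclude the output fits in `COEFFICIENT_BITS` bits before serialisation. Renaming the parameter from `a` to `v` in the same hunk mixes a cosmetic change with the contract removal; if both come from regeneration, a line in the commit message saying the extraction was regenerated without hax annotations would explain the diff. The `impl` record continues past both ends of this hunk.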
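Review bot: `f_ntt_layer_1_step_pre` on the Portable vector no longer requires `Spec.Utils.is_i16b 1664` on `zeta0..zeta3` or `Spec.Utils.is_i16b_array (11207 + 5 * 3328)` on the input, and the following hunks do the same for layers 2 and 3; these staged bounds were the per-layer invariant that kept each butterfly inside i16. With both pre and post set to `true` the NTT layers verify vacuously, which says nothing about overflow. A comment recording the dropped bound at each `true`, e.g. `(* WIP: was is_i16b_array (11207 + 5 * 3328) *)`, would keep the constants recoverable if the annotations have to be rebuilt by hand. The `impl` record extends beyond the hunk on both sides.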
@@ -436,8 +291,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Ntt.ntt_layer_2_step a zeta0 zeta1); f_ntt_layer_3_step_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> - Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> true); f_ntt_layer_3_step_post = (fun @@ -445,7 +299,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array (11207 + 4 * 3328) (impl.f_repr out)); + true); f_ntt_layer_3_step = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> @@ -459,9 +313,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta2: i16) (zeta3: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (4 * 3328) (impl.f_repr a)); + true); f_inv_ntt_layer_1_step_post = (fun @@ -472,7 +324,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta3: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + true); f_inv_ntt_layer_1_step = (fun @@ -490,8 +342,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta0: i16) (zeta1: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr a)); + true); f_inv_ntt_layer_2_step_post = (fun @@ -500,7 +351,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta1: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + true); f_inv_ntt_layer_2_step = (fun 
@@ -511,8 +362,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Ntt.inv_ntt_layer_2_step a zeta0 zeta1); f_inv_ntt_layer_3_step_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> - Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> true); f_inv_ntt_layer_3_step_post = (fun @@ -520,7 +370,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + true); f_inv_ntt_layer_3_step = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> @@ -535,10 +385,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta2: i16) (zeta3: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr lhs) /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr rhs)); + true); f_ntt_multiply_post = (fun @@ -550,7 +397,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta3: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + true); f_ntt_multiply = (fun 
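Review bot: `f_ntt_multiply_pre` now returns `true`, dropping `Spec.Utils.is_i16b_array 3328` on both `lhs` and `rhs` and the `Spec.Utils.is_i16b 1664` bounds on the four zetas that the removed lines required, and the next hunk drops the `is_i16b_array 3328` output bound from `f_ntt_multiply_post`. Judging by its name this is where coefficient products are formed, so it is presumably the contract most directly tied to i16 overflow in the Portable backend. If this is a transient regeneration, marking the spot with `(* WIP: restore ntt_multiply bounds *)` keeps the intent visible. The record continues beyond the hunk.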
@@ -564,46 +411,46 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Ntt.ntt_multiply lhs rhs zeta0 zeta1 zeta2 zeta3); f_serialize_1_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.MLKEM.serialize_pre 1 (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_serialize_1_post = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 2)) -> - Spec.MLKEM.serialize_pre 1 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 1 (impl.f_repr a) out); + true); f_serialize_1_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_1_ a); - f_deserialize_1_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 2); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_ a); + f_deserialize_1_pre = (fun (a: t_Slice u8) -> true); f_deserialize_1_post = - (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - sz (Seq.length a) =. 
sz 2 ==> Spec.MLKEM.deserialize_post 1 a (impl.f_repr out)); - f_deserialize_1_ = (fun (a: t_Slice u8) -> deserialize_1_ a); + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_1_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_ a); f_serialize_4_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.MLKEM.serialize_pre 4 (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_serialize_4_post = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 8)) -> - Spec.MLKEM.serialize_pre 4 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 4 (impl.f_repr a) out); + true); f_serialize_4_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_4_ a); - f_deserialize_4_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 8); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_ a); + f_deserialize_4_pre = (fun (a: t_Slice u8) -> true); f_deserialize_4_post = - (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - sz (Seq.length a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 a (impl.f_repr out)); - f_deserialize_4_ = (fun (a: t_Slice u8) -> deserialize_4_ a); + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_4_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_ a); f_serialize_5_pre = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); 
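Review bot: `f_deserialize_1_pre` and `f_deserialize_4_pre` now accept any slice, whereas the removed lines required `(Core.Slice.impl__len #u8 a <: usize) =. sz 2` and `=. sz 8`; that length equality was the precondition under which the byte indexing inside `Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_`/`deserialize_4_` had to be shown in bounds, so an out-of-range read is no longer excluded by the interface. The serialize postconditions also drop `Spec.MLKEM.serialize_post 1/4 (impl.f_repr a) out`, which was the only link between the Portable encoding and the ML-KEM spec. The length preconditions do not mention `impl.f_repr`, so they survive the `t_Repr` removal unchanged and could be kept even as WIP: `f_deserialize_1_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 2);`. The `impl` record runs past both edges of the hunk.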
@@ -616,33 +463,36 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = true); f_serialize_5_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_5_ a); - f_deserialize_5_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 10); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_5_ a); + f_deserialize_5_pre = (fun (a: t_Slice u8) -> true); f_deserialize_5_post = (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); - f_deserialize_5_ = (fun (a: t_Slice u8) -> deserialize_5_ a); + f_deserialize_5_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_5_ a); f_serialize_10_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.MLKEM.serialize_pre 10 (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_serialize_10_post = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 20)) -> - Spec.MLKEM.serialize_pre 10 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 10 (impl.f_repr a) out); + true); f_serialize_10_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_10_ a); - f_deserialize_10_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 20); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_ a); + f_deserialize_10_pre = (fun (a: t_Slice u8) -> true); f_deserialize_10_post = - (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - sz (Seq.length a) =. 
sz 20 ==> Spec.MLKEM.deserialize_post 10 a (impl.f_repr out)); - f_deserialize_10_ = (fun (a: t_Slice u8) -> deserialize_10_ a); + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_10_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_ a); f_serialize_11_pre = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); 
@@ -655,42 +505,40 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = true); f_serialize_11_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_11_ a); - f_deserialize_11_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 22); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_11_ a); + f_deserialize_11_pre = (fun (a: t_Slice u8) -> true); f_deserialize_11_post = (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); - f_deserialize_11_ = (fun (a: t_Slice u8) -> deserialize_11_ a); + f_deserialize_11_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_11_ a); f_serialize_12_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.MLKEM.serialize_pre 12 (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_serialize_12_post = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 24)) -> - Spec.MLKEM.serialize_pre 12 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 12 (impl.f_repr a) out); + true); f_serialize_12_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_12_ a); - f_deserialize_12_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 24); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_ a); + f_deserialize_12_pre = (fun (a: t_Slice u8) -> true); f_deserialize_12_post = - (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - sz (Seq.length a) =. 
sz 24 ==> Spec.MLKEM.deserialize_post 12 a (impl.f_repr out)); - f_deserialize_12_ = (fun (a: t_Slice u8) -> deserialize_12_ a); - f_rej_sample_pre + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_12_ = - (fun (a: t_Slice u8) (out: t_Slice i16) -> - (Core.Slice.impl__len #u8 a <: usize) =. sz 24 && - (Core.Slice.impl__len #i16 out <: usize) =. sz 16); + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_ a); + f_rej_sample_pre = (fun (a: t_Slice u8) (out: t_Slice i16) -> true); f_rej_sample_post = - (fun (a: t_Slice u8) (out: t_Slice i16) (out_future, result: (t_Slice i16 & usize)) -> - Seq.length out_future == Seq.length out /\ v result <= 16); + (fun (a: t_Slice u8) (out: t_Slice i16) (out2: (t_Slice i16 & usize)) -> true); f_rej_sample = fun (a: t_Slice u8) (out: t_Slice i16) -> @@ -701,5 +549,3 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = let hax_temp_output:usize = out1 in out, hax_temp_output <: (t_Slice i16 & usize) } - -#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti index f1aa1ee53..ce3906fea 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Rej_sample_table -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst index cbc90050c..e52e5813d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst 
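Review bot: `f_rej_sample_pre` now returns `true` and `f_rej_sample_post` drops `Seq.length out_future == Seq.length out /\ v result <= 16`; the removed pre required `a` to be 24 bytes and `out` to hold 16 `i16`s, which is what bounded the writes into `out`, and the removed post is what a caller needs to advance its output index by at most 16 lanes. The same hunk drops the `sz 22`/`sz 24` length preconditions on `deserialize_11_`/`deserialize_12_`. None of these mention `f_repr`, so they do not depend on the removed `t_Repr` class and could be kept; at minimum `f_rej_sample_pre = (fun (a: t_Slice u8) (out: t_Slice i16) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 24 && (Core.Slice.impl__len #i16 out <: usize) =. sz 16);` is worth restoring. The `f_rej_sample` body continues beyond the hunk.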
@@ -1,40 +1,22 @@ module Libcrux_ml_kem.Vector.Traits -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -#push-options "--z3rlimit 200 --split_queries always" - let decompress_1_ (#v_T: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T) - (vec: v_T) + (v: v_T) = - let z:v_T = f_ZERO #v_T #FStar.Tactics.Typeclasses.solve () in - let _:Prims.unit = - assert (forall i. Seq.index (i1._super_8706949974463268012.f_repr z) i == 0s) - in - let _:Prims.unit = - assert (forall i. - let x = Seq.index (i1._super_8706949974463268012.f_repr vec) i in - ((0 - v x) == 0 \/ (0 - v x) == - 1)) - in - let _:Prims.unit = - assert (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (0 - v (Seq.index (i1._super_8706949974463268012.f_repr vec) i))) - in - let s:v_T = f_sub #v_T #FStar.Tactics.Typeclasses.solve z vec in - let _:Prims.unit = - assert (forall i. - Seq.index (i1._super_8706949974463268012.f_repr s) i == 0s \/ - Seq.index (i1._super_8706949974463268012.f_repr s) i == (-1s)) - in - let _:Prims.unit = assert (i1.f_bitwise_and_with_constant_pre s 1665s) in - f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve s 1665s - -#pop-options + f_bitwise_and_with_constant #v_T + #FStar.Tactics.Typeclasses.solve + (f_sub #v_T + #FStar.Tactics.Typeclasses.solve + (f_ZERO #v_T #FStar.Tactics.Typeclasses.solve () <: v_T) + v + <: + v_T) + 1665s let montgomery_multiply_fe (#v_T: Type0) @@ -53,8 +35,6 @@ let to_standard_domain v v_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS -#push-options "--admit_smt_queries true" - let to_unsigned_representative (#v_T: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_T) @@ -65,5 +45,3 @@ let to_unsigned_representative f_bitwise_and_with_constant #v_T #FStar.Tactics.Typeclasses.solve t v_FIELD_MODULUS in f_add #v_T #FStar.Tactics.Typeclasses.solve a fm - -#pop-options 
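Review bot: The rewritten `decompress_1_` calls `f_sub` and `f_bitwise_and_with_constant` directly, but in the new `t_Operations` interface their `_pre` fields are bare `Type0` with no refinement, so this generic function has no way to discharge `f_sub_pre (f_ZERO ()) v` or `f_bitwise_and_with_constant_pre s 1665s` for an arbitrary `v_T`; the removed `assert`s and the `--z3rlimit 200 --split_queries always` options existed to prove exactly those obligations. Unless the extraction is type-checked in lax mode, which I cannot see from here, this should fail to verify rather than pass. The second hunk also removes the `--admit_smt_queries true` around `to_unsigned_representative`, which now faces the same opaque preconditions on `f_shift_right`, `f_bitwise_and_with_constant` and `f_add`. If stripping contracts is deliberate for this WIP, a note at the top of the module, `(* WIP: t_Operations contracts are unrefined; bodies here are not yet re-verified. *)`, would make the state explicit.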
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti index cb32321d0..c5dbe6258 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti 
@@ -1,323 +1,142 @@ module Libcrux_ml_kem.Vector.Traits -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -class t_Repr (v_Self: Type0) = { - [@@@ FStar.Tactics.Typeclasses.no_method]_super_11581440318597584651:Core.Marker.t_Copy v_Self; - [@@@ FStar.Tactics.Typeclasses.no_method]_super_9442900250278684536:Core.Clone.t_Clone v_Self; - f_repr_pre:x: v_Self -> pred: Type0{true ==> pred}; - f_repr_post:v_Self -> t_Array i16 (sz 16) -> Type0; - f_repr:x0: v_Self - -> Prims.Pure (t_Array i16 (sz 16)) (f_repr_pre x0) (fun result -> f_repr_post x0 result) -} - class t_Operations (v_Self: Type0) = { [@@@ FStar.Tactics.Typeclasses.no_method]_super_11581440318597584651:Core.Marker.t_Copy v_Self; [@@@ FStar.Tactics.Typeclasses.no_method]_super_9442900250278684536:Core.Clone.t_Clone v_Self; - [@@@ FStar.Tactics.Typeclasses.no_method]_super_8706949974463268012:t_Repr v_Self; - f_ZERO_pre:x: Prims.unit - -> pred: - Type0 - { (let _:Prims.unit = x in - true) ==> - pred }; - f_ZERO_post:x: Prims.unit -> result: v_Self - -> pred: - Type0 - { pred ==> - (let _:Prims.unit = x in - f_repr result == Seq.create 16 0s) }; + f_ZERO_pre:Prims.unit -> Type0; + f_ZERO_post:Prims.unit -> v_Self -> Type0; f_ZERO:x0: Prims.unit -> Prims.Pure v_Self (f_ZERO_pre x0) (fun result -> f_ZERO_post x0 result); - f_from_i16_array_pre:array: t_Slice i16 - -> pred: Type0{(Core.Slice.impl__len #i16 array <: usize) =. 
sz 16 ==> pred}; - f_from_i16_array_post:array: t_Slice i16 -> result: v_Self - -> pred: Type0{pred ==> f_repr result == array}; + f_from_i16_array_pre:t_Slice i16 -> Type0; + f_from_i16_array_post:t_Slice i16 -> v_Self -> Type0; f_from_i16_array:x0: t_Slice i16 -> Prims.Pure v_Self (f_from_i16_array_pre x0) (fun result -> f_from_i16_array_post x0 result); - f_to_i16_array_pre:x: v_Self -> pred: Type0{true ==> pred}; - f_to_i16_array_post:x: v_Self -> result: t_Array i16 (sz 16) - -> pred: Type0{pred ==> f_repr x == result}; + f_to_i16_array_pre:v_Self -> Type0; + f_to_i16_array_post:v_Self -> t_Array i16 (sz 16) -> Type0; f_to_i16_array:x0: v_Self -> Prims.Pure (t_Array i16 (sz 16)) (f_to_i16_array_pre x0) (fun result -> f_to_i16_array_post x0 result); - f_add_pre:lhs: v_Self -> rhs: v_Self - -> pred: - Type0 - { (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (f_repr lhs) i) + v (Seq.index (f_repr rhs) i))) ==> - pred }; - f_add_post:lhs: v_Self -> rhs: v_Self -> result: v_Self - -> pred: - Type0 - { pred ==> - (forall i. - i < 16 ==> - (v (Seq.index (f_repr result) i) == - v (Seq.index (f_repr lhs) i) + v (Seq.index (f_repr rhs) i))) }; + f_add_pre:v_Self -> v_Self -> Type0; + f_add_post:v_Self -> v_Self -> v_Self -> Type0; f_add:x0: v_Self -> x1: v_Self -> Prims.Pure v_Self (f_add_pre x0 x1) (fun result -> f_add_post x0 x1 result); - f_sub_pre:lhs: v_Self -> rhs: v_Self - -> pred: - Type0 - { (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (f_repr lhs) i) - v (Seq.index (f_repr rhs) i))) ==> - pred }; - f_sub_post:lhs: v_Self -> rhs: v_Self -> result: v_Self - -> pred: - Type0 - { pred ==> - (forall i. 
- i < 16 ==> - (v (Seq.index (f_repr result) i) == - v (Seq.index (f_repr lhs) i) - v (Seq.index (f_repr rhs) i))) }; + f_sub_pre:v_Self -> v_Self -> Type0; + f_sub_post:v_Self -> v_Self -> v_Self -> Type0; f_sub:x0: v_Self -> x1: v_Self -> Prims.Pure v_Self (f_sub_pre x0 x1) (fun result -> f_sub_post x0 x1 result); - f_multiply_by_constant_pre:vec: v_Self -> c: i16 - -> pred: - Type0 - { (forall i. - i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr vec) i) * v c)) ==> - pred }; - f_multiply_by_constant_post:vec: v_Self -> c: i16 -> result: v_Self - -> pred: - Type0 - { pred ==> - (forall i. - i < 16 ==> (v (Seq.index (f_repr result) i) == v (Seq.index (f_repr vec) i) * v c)) }; + f_multiply_by_constant_pre:v_Self -> i16 -> Type0; + f_multiply_by_constant_post:v_Self -> i16 -> v_Self -> Type0; f_multiply_by_constant:x0: v_Self -> x1: i16 -> Prims.Pure v_Self (f_multiply_by_constant_pre x0 x1) (fun result -> f_multiply_by_constant_post x0 x1 result); - f_bitwise_and_with_constant_pre:v: v_Self -> c: i16 -> pred: Type0{true ==> pred}; - f_bitwise_and_with_constant_post:v: v_Self -> c: i16 -> result: v_Self - -> pred: Type0{pred ==> f_repr result == Spec.Utils.map_array (fun x -> x &. c) (f_repr v)}; + f_bitwise_and_with_constant_pre:v_Self -> i16 -> Type0; + f_bitwise_and_with_constant_post:v_Self -> i16 -> v_Self -> Type0; f_bitwise_and_with_constant:x0: v_Self -> x1: i16 -> Prims.Pure v_Self (f_bitwise_and_with_constant_pre x0 x1) (fun result -> f_bitwise_and_with_constant_post x0 x1 result); - f_shift_right_pre:v_SHIFT_BY: i32 -> v: v_Self - -> pred: Type0{v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l ==> pred}; - f_shift_right_post:v_SHIFT_BY: i32 -> v: v_Self -> result: v_Self - -> pred: - Type0 - { pred ==> - (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> - f_repr result == Spec.Utils.map_array (fun x -> x >>! 
v_SHIFT_BY) (f_repr v) }; + f_shift_right_pre:v_SHIFT_BY: i32 -> v_Self -> Type0; + f_shift_right_post:v_SHIFT_BY: i32 -> v_Self -> v_Self -> Type0; f_shift_right:v_SHIFT_BY: i32 -> x0: v_Self -> Prims.Pure v_Self (f_shift_right_pre v_SHIFT_BY x0) (fun result -> f_shift_right_post v_SHIFT_BY x0 result); - f_cond_subtract_3329_pre:v: v_Self - -> pred: Type0{Spec.Utils.is_i16b_array (pow2 12 - 1) (f_repr v) ==> pred}; - f_cond_subtract_3329_post:v: v_Self -> result: v_Self - -> pred: - Type0 - { pred ==> - f_repr result == - Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (f_repr v) }; + f_cond_subtract_3329_pre:v_Self -> Type0; + f_cond_subtract_3329_post:v_Self -> v_Self -> Type0; f_cond_subtract_3329_:x0: v_Self -> Prims.Pure v_Self (f_cond_subtract_3329_pre x0) (fun result -> f_cond_subtract_3329_post x0 result); - f_barrett_reduce_pre:vector: v_Self - -> pred: Type0{Spec.Utils.is_i16b_array 28296 (f_repr vector) ==> pred}; + f_barrett_reduce_pre:v_Self -> Type0; f_barrett_reduce_post:v_Self -> v_Self -> Type0; f_barrett_reduce:x0: v_Self -> Prims.Pure v_Self (f_barrett_reduce_pre x0) (fun result -> f_barrett_reduce_post x0 result); - f_montgomery_multiply_by_constant_pre:v: v_Self -> c: i16 - -> pred: Type0{Spec.Utils.is_i16b 1664 c ==> pred}; + f_montgomery_multiply_by_constant_pre:v_Self -> i16 -> Type0; f_montgomery_multiply_by_constant_post:v_Self -> i16 -> v_Self -> Type0; f_montgomery_multiply_by_constant:x0: v_Self -> x1: i16 -> Prims.Pure v_Self (f_montgomery_multiply_by_constant_pre x0 x1) (fun result -> f_montgomery_multiply_by_constant_post x0 x1 result); - f_compress_1_pre:a: v_Self - -> pred: - Type0 - { (forall (i: nat). - i < 16 ==> v (Seq.index (f_repr a) i) >= 0 /\ v (Seq.index (f_repr a) i) < 3329) ==> - pred }; - f_compress_1_post:a: v_Self -> result: v_Self - -> pred: Type0{pred ==> (forall (i: nat). 
i < 16 ==> bounded (Seq.index (f_repr result) i) 1)}; + f_compress_1_pre:v_Self -> Type0; + f_compress_1_post:v_Self -> v_Self -> Type0; f_compress_1_:x0: v_Self -> Prims.Pure v_Self (f_compress_1_pre x0) (fun result -> f_compress_1_post x0 result); - f_compress_pre:v_COEFFICIENT_BITS: i32 -> a: v_Self - -> pred: - Type0 - { (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ - v v_COEFFICIENT_BITS == 11) /\ - (forall (i: nat). - i < 16 ==> v (Seq.index (f_repr a) i) >= 0 /\ v (Seq.index (f_repr a) i) < 3329) ==> - pred }; - f_compress_post:v_COEFFICIENT_BITS: i32 -> a: v_Self -> result: v_Self - -> pred: - Type0 - { pred ==> - (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ - v v_COEFFICIENT_BITS == 11) ==> - (forall (i: nat). i < 16 ==> bounded (Seq.index (f_repr result) i) (v v_COEFFICIENT_BITS)) - }; + f_compress_pre:v_COEFFICIENT_BITS: i32 -> v_Self -> Type0; + f_compress_post:v_COEFFICIENT_BITS: i32 -> v_Self -> v_Self -> Type0; f_compress:v_COEFFICIENT_BITS: i32 -> x0: v_Self -> Prims.Pure v_Self (f_compress_pre v_COEFFICIENT_BITS x0) (fun result -> f_compress_post v_COEFFICIENT_BITS x0 result); - f_decompress_ciphertext_coefficient_pre:v_COEFFICIENT_BITS: i32 -> v: v_Self - -> pred: - Type0 - { v_COEFFICIENT_BITS =. 4l || v_COEFFICIENT_BITS =. 5l || v_COEFFICIENT_BITS =. 10l || - v_COEFFICIENT_BITS =. 
11l ==> - pred }; + f_decompress_ciphertext_coefficient_pre:v_COEFFICIENT_BITS: i32 -> v_Self -> Type0; f_decompress_ciphertext_coefficient_post:v_COEFFICIENT_BITS: i32 -> v_Self -> v_Self -> Type0; f_decompress_ciphertext_coefficient:v_COEFFICIENT_BITS: i32 -> x0: v_Self -> Prims.Pure v_Self (f_decompress_ciphertext_coefficient_pre v_COEFFICIENT_BITS x0) (fun result -> f_decompress_ciphertext_coefficient_post v_COEFFICIENT_BITS x0 result); - f_ntt_layer_1_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16 -> zeta2: i16 -> zeta3: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (11207 + 5 * 3328) (f_repr a) ==> - pred }; - f_ntt_layer_1_step_post: - a: v_Self -> - zeta0: i16 -> - zeta1: i16 -> - zeta2: i16 -> - zeta3: i16 -> - out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array (11207 + 6 * 3328) (f_repr out)}; + f_ntt_layer_1_step_pre:v_Self -> i16 -> i16 -> i16 -> i16 -> Type0; + f_ntt_layer_1_step_post:v_Self -> i16 -> i16 -> i16 -> i16 -> v_Self -> Type0; f_ntt_layer_1_step:x0: v_Self -> x1: i16 -> x2: i16 -> x3: i16 -> x4: i16 -> Prims.Pure v_Self (f_ntt_layer_1_step_pre x0 x1 x2 x3 x4) (fun result -> f_ntt_layer_1_step_post x0 x1 x2 x3 x4 result); - f_ntt_layer_2_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array (11207 + 4 * 3328) (f_repr a) ==> - pred }; - f_ntt_layer_2_step_post:a: v_Self -> zeta0: i16 -> zeta1: i16 -> out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array (11207 + 5 * 3328) (f_repr out)}; + f_ntt_layer_2_step_pre:v_Self -> i16 -> i16 -> Type0; + f_ntt_layer_2_step_post:v_Self -> i16 -> i16 -> v_Self -> Type0; f_ntt_layer_2_step:x0: v_Self -> x1: i16 -> x2: i16 -> Prims.Pure v_Self (f_ntt_layer_2_step_pre x0 x1 x2) (fun result -> f_ntt_layer_2_step_post x0 x1 x2 result); - 
f_ntt_layer_3_step_pre:a: v_Self -> zeta: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) (f_repr a) ==> - pred }; - f_ntt_layer_3_step_post:a: v_Self -> zeta: i16 -> out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array (11207 + 4 * 3328) (f_repr out)}; + f_ntt_layer_3_step_pre:v_Self -> i16 -> Type0; + f_ntt_layer_3_step_post:v_Self -> i16 -> v_Self -> Type0; f_ntt_layer_3_step:x0: v_Self -> x1: i16 -> Prims.Pure v_Self (f_ntt_layer_3_step_pre x0 x1) (fun result -> f_ntt_layer_3_step_post x0 x1 result); - f_inv_ntt_layer_1_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16 -> zeta2: i16 -> zeta3: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (4 * 3328) (f_repr a) ==> - pred }; - f_inv_ntt_layer_1_step_post: - a: v_Self -> - zeta0: i16 -> - zeta1: i16 -> - zeta2: i16 -> - zeta3: i16 -> - out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)}; + f_inv_ntt_layer_1_step_pre:v_Self -> i16 -> i16 -> i16 -> i16 -> Type0; + f_inv_ntt_layer_1_step_post:v_Self -> i16 -> i16 -> i16 -> i16 -> v_Self -> Type0; f_inv_ntt_layer_1_step:x0: v_Self -> x1: i16 -> x2: i16 -> x3: i16 -> x4: i16 -> Prims.Pure v_Self (f_inv_ntt_layer_1_step_pre x0 x1 x2 x3 x4) (fun result -> f_inv_ntt_layer_1_step_post x0 x1 x2 x3 x4 result); - f_inv_ntt_layer_2_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array 3328 (f_repr a) ==> - pred }; - f_inv_ntt_layer_2_step_post:a: v_Self -> zeta0: i16 -> zeta1: i16 -> out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)}; + f_inv_ntt_layer_2_step_pre:v_Self -> i16 -> i16 -> Type0; + f_inv_ntt_layer_2_step_post:v_Self -> i16 -> i16 -> v_Self -> Type0; f_inv_ntt_layer_2_step:x0: v_Self -> x1: i16 -> 
x2: i16 -> Prims.Pure v_Self (f_inv_ntt_layer_2_step_pre x0 x1 x2) (fun result -> f_inv_ntt_layer_2_step_post x0 x1 x2 result); - f_inv_ntt_layer_3_step_pre:a: v_Self -> zeta: i16 - -> pred: - Type0{Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (f_repr a) ==> pred}; - f_inv_ntt_layer_3_step_post:a: v_Self -> zeta: i16 -> out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)}; + f_inv_ntt_layer_3_step_pre:v_Self -> i16 -> Type0; + f_inv_ntt_layer_3_step_post:v_Self -> i16 -> v_Self -> Type0; f_inv_ntt_layer_3_step:x0: v_Self -> x1: i16 -> Prims.Pure v_Self (f_inv_ntt_layer_3_step_pre x0 x1) (fun result -> f_inv_ntt_layer_3_step_post x0 x1 result); - f_ntt_multiply_pre: - lhs: v_Self -> - rhs: v_Self -> - zeta0: i16 -> - zeta1: i16 -> - zeta2: i16 -> - zeta3: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array 3328 (f_repr lhs) /\ Spec.Utils.is_i16b_array 3328 (f_repr rhs) ==> - pred }; - f_ntt_multiply_post: - lhs: v_Self -> - rhs: v_Self -> - zeta0: i16 -> - zeta1: i16 -> - zeta2: i16 -> - zeta3: i16 -> - out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)}; + f_ntt_multiply_pre:v_Self -> v_Self -> i16 -> i16 -> i16 -> i16 -> Type0; + f_ntt_multiply_post:v_Self -> v_Self -> i16 -> i16 -> i16 -> i16 -> v_Self -> Type0; f_ntt_multiply:x0: v_Self -> x1: v_Self -> x2: i16 -> x3: i16 -> x4: i16 -> x5: i16 -> Prims.Pure v_Self (f_ntt_multiply_pre x0 x1 x2 x3 x4 x5) (fun result -> f_ntt_multiply_post x0 x1 x2 x3 x4 x5 result); - f_serialize_1_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 1 (f_repr a) ==> pred}; - f_serialize_1_post:a: v_Self -> result: t_Array u8 (sz 2) - -> pred: - Type0 - { pred ==> - Spec.MLKEM.serialize_pre 1 (f_repr a) ==> Spec.MLKEM.serialize_post 1 (f_repr a) result }; + f_serialize_1_pre:v_Self -> Type0; + f_serialize_1_post:v_Self -> 
t_Array u8 (sz 2) -> Type0; f_serialize_1_:x0: v_Self -> Prims.Pure (t_Array u8 (sz 2)) (f_serialize_1_pre x0) (fun result -> f_serialize_1_post x0 result); - f_deserialize_1_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 2 ==> pred}; - f_deserialize_1_post:a: t_Slice u8 -> result: v_Self - -> pred: - Type0{pred ==> sz (Seq.length a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 a (f_repr result)}; + f_deserialize_1_pre:t_Slice u8 -> Type0; + f_deserialize_1_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_1_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_1_pre x0) (fun result -> f_deserialize_1_post x0 result); - f_serialize_4_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 4 (f_repr a) ==> pred}; - f_serialize_4_post:a: v_Self -> result: t_Array u8 (sz 8) - -> pred: - Type0 - { pred ==> - Spec.MLKEM.serialize_pre 4 (f_repr a) ==> Spec.MLKEM.serialize_post 4 (f_repr a) result }; + f_serialize_4_pre:v_Self -> Type0; + f_serialize_4_post:v_Self -> t_Array u8 (sz 8) -> Type0; f_serialize_4_:x0: v_Self -> Prims.Pure (t_Array u8 (sz 8)) (f_serialize_4_pre x0) (fun result -> f_serialize_4_post x0 result); - f_deserialize_4_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 8 ==> pred}; - f_deserialize_4_post:a: t_Slice u8 -> result: v_Self - -> pred: - Type0{pred ==> sz (Seq.length a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 a (f_repr result)}; + f_deserialize_4_pre:t_Slice u8 -> Type0; + f_deserialize_4_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_4_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_4_pre x0) (fun result -> f_deserialize_4_post x0 result); f_serialize_5_pre:v_Self -> Type0; 
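Review bot: Removing the `t_Repr` superclass and its `f_repr` method from `t_Operations` severs the only connection between a vector backend and the `t_Array i16 (sz 16)` model that every `Spec.Utils` and `Spec.MLKEM` predicate in the old interface was stated over; every `_pre`/`_post` field is now an unrefined `Type0`, so an implementation may instantiate them with `true` (as the Portable impl in this same commit does) and still type-check against the trait. In particular `f_from_i16_array_pre` loses the `(Core.Slice.impl__len #i16 array <: usize) =. sz 16` requirement and `f_ZERO_post` loses `f_repr result == Seq.create 16 0s`, the base fact the old `decompress_1_` asserted first. The header `#set-options` also goes from `--z3rlimit 100` to `15`, which is only safe while the obligations are trivial. If this interface is temporary, a module-level comment such as `(* WIP: contracts removed pending hax re-annotation; see git history for the refined t_Operations. *)` would keep it from being taken as the verified API.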
@@ -326,28 +145,18 @@ class t_Operations (v_Self: Type0) = { -> Prims.Pure (t_Array u8 (sz 10)) (f_serialize_5_pre x0) (fun result -> f_serialize_5_post x0 result); - f_deserialize_5_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 10 ==> pred}; + f_deserialize_5_pre:t_Slice u8 -> Type0; f_deserialize_5_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_5_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_5_pre x0) (fun result -> f_deserialize_5_post x0 result); - f_serialize_10_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 10 (f_repr a) ==> pred}; - f_serialize_10_post:a: v_Self -> result: t_Array u8 (sz 20) - -> pred: - Type0 - { pred ==> - Spec.MLKEM.serialize_pre 10 (f_repr a) ==> Spec.MLKEM.serialize_post 10 (f_repr a) result - }; + f_serialize_10_pre:v_Self -> Type0; + f_serialize_10_post:v_Self -> t_Array u8 (sz 20) -> Type0; f_serialize_10_:x0: v_Self -> Prims.Pure (t_Array u8 (sz 20)) (f_serialize_10_pre x0) (fun result -> f_serialize_10_post x0 result); - f_deserialize_10_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 20 ==> pred}; - f_deserialize_10_post:a: t_Slice u8 -> result: v_Self - -> pred: - Type0 - {pred ==> sz (Seq.length a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 a (f_repr result)}; + f_deserialize_10_pre:t_Slice u8 -> Type0; + f_deserialize_10_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_10_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_10_pre x0) (fun result -> f_deserialize_10_post x0 result); f_serialize_11_pre:v_Self -> Type0; 
@@ -356,52 +165,28 @@ class t_Operations (v_Self: Type0) = { -> Prims.Pure (t_Array u8 (sz 22)) (f_serialize_11_pre x0) (fun result -> f_serialize_11_post x0 result); - f_deserialize_11_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 22 ==> pred}; + f_deserialize_11_pre:t_Slice u8 -> Type0; f_deserialize_11_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_11_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_11_pre x0) (fun result -> f_deserialize_11_post x0 result); - f_serialize_12_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 12 (f_repr a) ==> pred}; - f_serialize_12_post:a: v_Self -> result: t_Array u8 (sz 24) - -> pred: - Type0 - { pred ==> - Spec.MLKEM.serialize_pre 12 (f_repr a) ==> Spec.MLKEM.serialize_post 12 (f_repr a) result - }; + f_serialize_12_pre:v_Self -> Type0; + f_serialize_12_post:v_Self -> t_Array u8 (sz 24) -> Type0; f_serialize_12_:x0: v_Self -> Prims.Pure (t_Array u8 (sz 24)) (f_serialize_12_pre x0) (fun result -> f_serialize_12_post x0 result); - f_deserialize_12_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 24 ==> pred}; - f_deserialize_12_post:a: t_Slice u8 -> result: v_Self - -> pred: - Type0 - {pred ==> sz (Seq.length a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 a (f_repr result)}; + f_deserialize_12_pre:t_Slice u8 -> Type0; + f_deserialize_12_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_12_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_12_pre x0) (fun result -> f_deserialize_12_post x0 result); - f_rej_sample_pre:a: t_Slice u8 -> out: t_Slice i16 - -> pred: - Type0 - { (Core.Slice.impl__len #u8 a <: usize) =. sz 24 && - (Core.Slice.impl__len #i16 out <: usize) =. 
sz 16 ==> - pred }; - f_rej_sample_post:a: t_Slice u8 -> out: t_Slice i16 -> x: (t_Slice i16 & usize) - -> pred: - Type0 - { pred ==> - (let out_future, result:(t_Slice i16 & usize) = x in - Seq.length out_future == Seq.length out /\ v result <= 16) }; + f_rej_sample_pre:t_Slice u8 -> t_Slice i16 -> Type0; + f_rej_sample_post:t_Slice u8 -> t_Slice i16 -> (t_Slice i16 & usize) -> Type0; f_rej_sample:x0: t_Slice u8 -> x1: t_Slice i16 -> Prims.Pure (t_Slice i16 & usize) (f_rej_sample_pre x0 x1) (fun result -> f_rej_sample_post x0 x1 result) } -let v_BARRETT_SHIFT: i32 = 26l - -let v_BARRETT_R: i32 = 1l < Prims.l_True) +val decompress_1_ (#v_T: Type0) {| i1: t_Operations v_T |} (v: v_T) + : Prims.Pure v_T Prims.l_True (fun _ -> Prims.l_True) val montgomery_multiply_fe (#v_T: Type0) {| i1: t_Operations v_T |} (v: v_T) (fer: i16) - : Prims.Pure v_T (requires Spec.Utils.is_i16b 1664 fer) (fun _ -> Prims.l_True) + : Prims.Pure v_T Prims.l_True (fun _ -> Prims.l_True) val to_standard_domain (#v_T: Type0) {| i1: t_Operations v_T |} (v: v_T) : Prims.Pure v_T Prims.l_True (fun _ -> Prims.l_True) val to_unsigned_representative (#v_T: Type0) {| i1: t_Operations v_T |} (a: v_T) - : Prims.Pure v_T - (requires Spec.Utils.is_i16b_array 3328 (i1._super_8706949974463268012.f_repr a)) - (ensures - fun result -> - let result:v_T = result in - forall i. - (let x = Seq.index (i1._super_8706949974463268012.f_repr a) i in - let y = Seq.index (i1._super_8706949974463268012.f_repr result) i in - (v y >= 0 /\ v y <= 3328 /\ (v y % 3329 == v x % 3329)))) + : Prims.Pure v_T Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/ML.KEM.fst.config.json b/libcrux-ml-kem/proofs/fstar/extraction/ML.KEM.fst.config.json index d7b3a38b6..bfd5cccba 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/ML.KEM.fst.config.json +++ b/libcrux-ml-kem/proofs/fstar/extraction/ML.KEM.fst.config.json 
@@ -14,11 +14,9 @@
 ],
 "include_dirs": [
 "${HACL_HOME}/lib",
- "${HACL_HOME}/specs",
 "${HAX_HOME}/proof-libs/fstar/rust_primitives",
 "${HAX_HOME}/proof-libs/fstar/core",
 "${HAX_HOME}/hax-lib/proofs/fstar/extraction",
- "../spec",
 "../../../../sys/platform/proofs/fstar/extraction",
 "../../../../libcrux-sha3/proofs/fstar/extraction",
 "../../../../libcrux-intrinsics/proofs/fstar/extraction"
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Makefile b/libcrux-ml-kem/proofs/fstar/extraction/Makefile
index b7a4485d1..747c4a7e3 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Makefile
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Makefile
@@ -1,20 +1,185 @@
-SLOW_MODULES += Libcrux_ml_kem.Vector.Portable.Serialize.fst
-
-ADMIT_MODULES = Libcrux_ml_kem.Ind_cca.Unpacked.fst \
- Libcrux_ml_kem.Vector.Avx2.fsti \
- Libcrux_ml_kem.Vector.Avx2.fst \
- Libcrux_ml_kem.Vector.Avx2.Ntt.fst \
- Libcrux_ml_kem.Vector.Avx2.Sampling.fst \
- Libcrux_ml_kem.Vector.Portable.Compress.fst \
- Libcrux_ml_kem.Vector.Portable.Sampling.fst \
- Libcrux_ml_kem.Vector.Portable.Vector_type.fst \
- Libcrux_ml_kem.Vector.Rej_sample_table.fsti \
- Libcrux_ml_kem.Vector.Neon.Arithmetic.fst \
- Libcrux_ml_kem.Vector.Neon.Compress.fst \
- Libcrux_ml_kem.Vector.Neon.fsti \
- Libcrux_ml_kem.Vector.Neon.fst \
- Libcrux_ml_kem.Vector.Neon.Ntt.fst \
- Libcrux_ml_kem.Vector.Neon.Serialize.fst \
- Libcrux_ml_kem.Vector.Neon.Vector_type.fst
-
-include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base
+# This is a generically useful Makefile for F* that is self-contained
+#
+# It is tempting to factor this out into multiple Makefiles but that
+# makes it less portable, so resist temptation, or move to a more
+# sophisticated build system.
+#
+# We expect FSTAR_HOME to be set to your FSTAR repo/install directory
+# We expect HACL_HOME to be set to your HACL* repo location
+# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc.
+#
+# ROOTS contains all the top-level F* files you wish to verify
+# The default target `verify` verified ROOTS and its dependencies
+# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line
+#
+#
+# To make F* emacs mode use the settings in this file, you need to
+# add the following lines to your .emacs
+#
+# (setq-default fstar-executable "/bin/fstar.exe")
+# (setq-default fstar-smt-executable "/bin/z3")
+#
+# (defun my-fstar-compute-prover-args-using-make ()
+# "Construct arguments to pass to F* by calling make."
+# (with-demoted-errors "Error when constructing arg string: %S"
+# (let* ((fname (file-name-nondirectory buffer-file-name))
+# (target (concat fname "-in"))
+# (argstr (car (process-lines "make" "--quiet" target))))
+# (split-string argstr))))
+# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make)
+#
+
+WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/..
+
+HAX_HOME ?= $(WORKSPACE_ROOT)/hax
+HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar
+HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction
+FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar
+HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star
+FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe")
+
+CACHE_DIR ?= .cache
+HINT_DIR ?= .hints
+
+.PHONY: all verify verify-lax clean
+
+all:
+ rm -f .depend && $(MAKE) .depend
+ $(MAKE) verify
+
+VERIFIED =
+PANIC_FREE = Libcrux_ml_kem.Constant_time_ops.fst \
+ Libcrux_ml_kem.Constant_time_ops.fsti \
+ Libcrux_ml_kem.Constants.fsti \
+ Libcrux_ml_kem.Hash_functions.Avx2.fsti \
+ Libcrux_ml_kem.Hash_functions.fsti \
+ Libcrux_ml_kem.Hash_functions.Neon.fsti \
+ Libcrux_ml_kem.Hash_functions.Portable.fsti \
+ Libcrux_ml_kem.Ind_cca.fsti \
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst \
+ Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti \
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst \
+ Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti \
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst \
+ Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti \
+ Libcrux_ml_kem.Ind_cca.Multiplexing.fst \
+ Libcrux_ml_kem.Ind_cca.Multiplexing.fsti \
+ Libcrux_ml_kem.Ind_cpa.fsti \
+ Libcrux_ml_kem.Ind_cpa.Unpacked.fsti \
+ Libcrux_ml_kem.Invert_ntt.fsti \
+ Libcrux_ml_kem.Matrix.fsti \
+ Libcrux_ml_kem.Mlkem512.Avx2.fst \
+ Libcrux_ml_kem.Mlkem512.Avx2.fsti \
+ Libcrux_ml_kem.Mlkem512.fst \
+ Libcrux_ml_kem.Mlkem512.fsti \
+ Libcrux_ml_kem.Mlkem512.Neon.fst \
+ Libcrux_ml_kem.Mlkem512.Neon.fsti \
+ Libcrux_ml_kem.Mlkem512.Portable.fst \
+ Libcrux_ml_kem.Mlkem512.Portable.fsti \
+ Libcrux_ml_kem.Mlkem768.Avx2.fst \
+ Libcrux_ml_kem.Mlkem768.Avx2.fsti \
+ Libcrux_ml_kem.Mlkem768.fst \
+ Libcrux_ml_kem.Mlkem768.fsti \
+ Libcrux_ml_kem.Mlkem768.Neon.fst \
+ Libcrux_ml_kem.Mlkem768.Neon.fsti \
+ Libcrux_ml_kem.Mlkem768.Portable.fst \
+ Libcrux_ml_kem.Mlkem768.Portable.fsti \
+ Libcrux_ml_kem.Mlkem1024.Avx2.fst \
+ Libcrux_ml_kem.Mlkem1024.Avx2.fsti \
+ Libcrux_ml_kem.Mlkem1024.fst \
+ Libcrux_ml_kem.Mlkem1024.fsti \
+ Libcrux_ml_kem.Mlkem1024.Neon.fst \
+ Libcrux_ml_kem.Mlkem1024.Neon.fsti \
+ Libcrux_ml_kem.Mlkem1024.Portable.fst \
+ Libcrux_ml_kem.Mlkem1024.Portable.fsti \
+ Libcrux_ml_kem.Ntt.fsti \
+ Libcrux_ml_kem.Polynomial.fsti \
+ Libcrux_ml_kem.Sampling.fsti \
+ Libcrux_ml_kem.Serialize.fsti \
+ Libcrux_ml_kem.Types.fst \
+ Libcrux_ml_kem.Types.fsti \
+ Libcrux_ml_kem.Utils.fst \
+ Libcrux_ml_kem.Utils.fsti \
+ Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti \
+ Libcrux_ml_kem.Vector.Avx2.Compress.fsti \
+ Libcrux_ml_kem.Vector.Avx2.fsti \
+ Libcrux_ml_kem.Vector.Avx2.Ntt.fsti \
+ Libcrux_ml_kem.Vector.Avx2.Sampling.fsti \
+ Libcrux_ml_kem.Vector.Avx2.Serialize.fsti \
+ Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti \
+ Libcrux_ml_kem.Vector.Neon.Compress.fsti \
+ Libcrux_ml_kem.Vector.Neon.fsti \
+ Libcrux_ml_kem.Vector.Neon.Ntt.fsti \
+ Libcrux_ml_kem.Vector.Neon.Serialize.fsti \
+ Libcrux_ml_kem.Vector.Neon.Vector_type.fsti \
+ Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti \
+ Libcrux_ml_kem.Vector.Portable.Compress.fsti \
+ Libcrux_ml_kem.Vector.Portable.fsti \
+ Libcrux_ml_kem.Vector.Portable.Ntt.fsti \
+ Libcrux_ml_kem.Vector.Portable.Sampling.fsti \
+ Libcrux_ml_kem.Vector.Portable.Serialize.fsti \
+ Libcrux_ml_kem.Vector.Portable.Vector_type.fsti \
+ Libcrux_ml_kem.Vector.Rej_sample_table.fsti \
+ Libcrux_ml_kem.Vector.Traits.fsti
+
+UNVERIFIED = $(filter-out $(PANIC_FREE),$(wildcard *.fst))
+
+VERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(VERIFIED)))
+PANIC_FREE_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(PANIC_FREE)))
+UNVERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(UNVERIFIED)))
+
+# By default, we process all the files in the current directory. Here, we
+# *extend* the set of relevant files with the tests.
+ROOTS = $(UNVERIFIED) $(PANIC_FREE) $(VERIFIED)
+
+FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives \
+ $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) \
+ ../../../../sys/platform/proofs/fstar/extraction/ \
+ ../../../../libcrux-intrinsics/proofs/fstar/extraction/ \
+ ../../../../libcrux-sha3/proofs/fstar/extraction/
+
+FSTAR_FLAGS = --cmi \
+ --warn_error -331-321-274 \
+ --cache_checked_modules --cache_dir $(CACHE_DIR) \
+ --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \
+ $(addprefix --include ,$(FSTAR_INCLUDE_DIRS))
+
+FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS)
+
+
+.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS)
+ $(info $(ROOTS))
+ $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@
+
+include .depend
+
+$(HINT_DIR):
+ mkdir -p $@
+
+$(CACHE_DIR):
+ mkdir -p $@
+
+$(UNVERIFIED_CHECKED): OTHERFLAGS=--admit_smt_queries true
+$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR)
+ $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints
+
+verify: $(UNVERIFIED_CHECKED) $(PANIC_FREE_CHECKED) $(VERIFIED_CHECKED)
+
+# Targets for interactive mode
+
+%.fst-in:
+ $(info $(FSTAR_FLAGS) \
+ $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints)
+
+%.fsti-in:
+ $(info $(FSTAR_FLAGS) \
+ $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints)
+
+
+# Clean targets
+
+SHELL=/usr/bin/env bash
+
+clean:
+ rm -rf $(CACHE_DIR)/*
+ rm *.fst
diff --git a/libcrux-ml-kem/src/constant_time_ops.rs b/libcrux-ml-kem/src/constant_time_ops.rs
index 02ea01eca..b37bad7a1 100644
--- a/libcrux-ml-kem/src/constant_time_ops.rs
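Review bot: `verify` succeeds even though every module in `$(UNVERIFIED_CHECKED)` is checked with `--admit_smt_queries true` (the target-specific `OTHERFLAGS` on the `$(UNVERIFIED_CHECKED):` line), so a green `make verify` only attests the `PANIC_FREE` list and the currently empty `VERIFIED`, not the rest of the extraction. A comment above that line would keep readers from reading the target name as full verification, e.g. `# Modules outside PANIC_FREE/VERIFIED are only type-checked; their SMT proofs are admitted.` The `clean` recipe's `rm *.fst` removes the extracted sources rather than build output, and with SHELL set to bash it fails when no `.fst` is present; if dropping stale extractions is the intent, `rm -f *.fst` with a comment saying so reads clearer. Minor: `command -v fstar.exe 1>&2 2> /dev/null` prints the found path to make's stderr on every run, whereas `command -v fstar.exe > /dev/null 2>&1` is the silent probe it appears to be aiming for.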
+++ b/libcrux-ml-kem/src/constant_time_ops.rs @@ -11,44 +11,13 @@ use crate::constants::SHARED_SECRET_SIZE; // XXX: We have to disable this for C extraction for now. See eurydice/issues#37 /// Return 1 if `value` is not zero and 0 otherwise. -#[hax_lib::ensures(|result| fstar!("($value == 0uy ==> $result == 0uy) /\\ - ($value =!= 0uy ==> $result == 1uy)"))] fn inz(value: u8) -> u8 { - let _orig_value = value; let value = value as u16; - let result = ((!value).wrapping_add(1) >> 8) as u8; - let res = result & 1; - hax_lib::fstar!("if v $_orig_value = 0 then ( - assert($value == zero); - lognot_lemma $value; - assert((~.$value +. 1us) == zero); - assert((Core.Num.impl__u16__wrapping_add (~.$value <: u16) 1us <: u16) == zero); - logor_lemma $value zero; - assert(($value |. (Core.Num.impl__u16__wrapping_add (~.$value <: u16) 1us <: u16) <: u16) == $value); - assert (v $result == v (($value >>! 8l))); - assert ((v $value / pow2 8) == 0); - assert ($result == 0uy); - logand_lemma 1uy $result; - assert ($res == 0uy)) - else ( - assert (v $value <> 0); - lognot_lemma $value; - assert (v (~.$value) = pow2 16 - 1 - v $value); - assert (v (~.$value) + 1 = pow2 16 - v $value); - assert (v ($value) <= pow2 8 - 1); - assert ((v (~.$value) + 1) = (pow2 16 - pow2 8) + (pow2 8 - v $value)); - assert ((v (~.$value) + 1) = (pow2 8 - 1) * pow2 8 + (pow2 8 - v $value)); - assert ((v (~.$value) + 1)/pow2 8 = (pow2 8 - 1)); - assert (v ((Core.Num.impl__u16__wrapping_add (~.$value <: u16) 1us <: u16) >>! 8l) = pow2 8 - 1); - assert ($result = ones); - logand_lemma 1uy $result; - assert ($res = 1uy))"); - res + let result = ((value | (!value).wrapping_add(1)) >> 8) & 1; + result as u8 } #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. -#[hax_lib::ensures(|result| fstar!("($value == 0uy ==> $result == 0uy) /\\ - ($value =!= 0uy ==> $result == 1uy)"))] fn is_non_zero(value: u8) -> u8 { #[cfg(eurydice)] return inz(value); 
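Review bot: The new body of `inz` is correct but its arithmetic is no longer explained anywhere now that the F* proof script is gone; a why-comment on the `let result` line would help, e.g. `// For 0 < value < 256 the u16 negation (!value).wrapping_add(1) is 0x10000 - value, whose high byte is 0xFF; OR-ing with value and shifting by 8 therefore gives 0xFF, while value == 0 gives 0. The final & 1 normalises to 0/1.` Given the file name and the "Don't inline" note on `is_non_zero`, the branch-free form looks deliberate, so the doc comment should also say that a comparison-based rewrite such as `(value != 0) as u8` would defeat the purpose. The enclosing `is_non_zero` continues past the end of the hunk.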
@@ -59,46 +28,13 @@ fn is_non_zero(value: u8) -> u8 { /// Return 1 if the bytes of `lhs` and `rhs` do not exactly /// match and 0 otherwise. -#[hax_lib::requires(lhs.len() == rhs.len())] -#[hax_lib::ensures(|result| fstar!("($lhs == $rhs ==> $result == 0uy) /\\ - ($lhs =!= $rhs ==> $result == 1uy)"))] +#[cfg_attr(hax, hax_lib::requires( + lhs.len() == rhs.len() +))] fn compare(lhs: &[u8], rhs: &[u8]) -> u8 { let mut r: u8 = 0; for i in 0..lhs.len() { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i <= Seq.length $lhs /\\ - (if (Seq.slice $lhs 0 (v $i) = Seq.slice $rhs 0 (v $i)) then - $r == 0uy - else ~ ($r == 0uy))") }); - let nr = r | (lhs[i] ^ rhs[i]); - hax_lib::fstar!("if $r =. 0uy then ( - if (Seq.index $lhs (v $i) = Seq.index $rhs (v $i)) then ( - logxor_lemma (Seq.index $lhs (v $i)) (Seq.index $rhs (v $i)); - assert (((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8) = zero); - logor_lemma $r ((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8); - assert ($nr = $r); - assert (forall j. Seq.index (Seq.slice $lhs 0 (v $i)) j == Seq.index $lhs j); - assert (forall j. Seq.index (Seq.slice $rhs 0 (v $i)) j == Seq.index $rhs j); - eq_intro (Seq.slice $lhs 0 ((v $i) + 1)) (Seq.slice $rhs 0 ((v $i) + 1)) - ) - else ( - logxor_lemma (Seq.index $lhs (v $i)) (Seq.index $rhs (v $i)); - assert (((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8) <> zero); - logor_lemma r ((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8); - assert (v $nr > 0); - assert (Seq.index (Seq.slice $lhs 0 ((v $i)+1)) (v $i) <> - Seq.index (Seq.slice $rhs 0 ((v $i)+1)) (v $i)); - assert (Seq.slice $lhs 0 ((v $i)+1) <> Seq.slice $rhs 0 ((v $i) + 1)) - ) - ) else ( - logor_lemma $r ((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8); - assert (v $nr >= v $r); - assert (Seq.slice $lhs 0 (v $i) <> Seq.slice $rhs 0 (v $i)); - if (Seq.slice $lhs 0 ((v $i)+1) = Seq.slice $rhs 0 ((v $i) + 1)) then - (assert (forall j. 
j < (v $i) + 1 ==> Seq.index (Seq.slice $lhs 0 ((v $i)+1)) j == Seq.index (Seq.slice $rhs 0 ((v $i)+1)) j); - eq_intro (Seq.slice $lhs 0 (v $i)) (Seq.slice $rhs 0 (v $i)); - assert(False)) - )"); - r = nr; + r |= lhs[i] ^ rhs[i]; } is_non_zero(r) 
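Review bot: Nothing in an ordinary (non-hax) build of `compare` checks that `lhs.len() == rhs.len()`, since the `#[cfg_attr(hax, hax_lib::requires(...))]` attribute is dropped outside hax; the loop runs to `lhs.len()`, so a longer `rhs` is silently compared only on its prefix and a shorter one panics on `rhs[i]`. A `debug_assert_eq!(lhs.len(), rhs.len());` as the first statement keeps the contract visible in tests at no release-build cost. The same applies to the `select_ct` hunk and to the attribute-only hunks on `compare_ciphertexts_in_constant_time`, `select_shared_secret_in_constant_time` and `compare_ciphertexts_select_shared_secret_in_constant_time`. The closing brace of `compare` lies outside the hunk.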
@@ -106,65 +42,25 @@ fn compare(lhs: &[u8], rhs: &[u8]) -> u8 { /// If `selector` is not zero, return the bytes in `rhs`; return the bytes in /// `lhs` otherwise. -#[hax_lib::requires( +#[cfg_attr(hax, hax_lib::requires( lhs.len() == rhs.len() && lhs.len() == SHARED_SECRET_SIZE -)] -#[hax_lib::ensures(|result| fstar!("($selector == 0uy ==> $result == $lhs) /\\ - ($selector =!= 0uy ==> $result == $rhs)"))] -#[hax_lib::fstar::options("--ifuel 0 --z3rlimit 50")] +))] fn select_ct(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] { let mask = is_non_zero(selector).wrapping_sub(1); - hax_lib::fstar!("assert (if $selector = 0uy then $mask = ones else $mask = zero); - lognot_lemma $mask; - assert (if $selector = 0uy then ~.$mask = zero else ~.$mask = ones)"); let mut out = [0u8; SHARED_SECRET_SIZE]; for i in 0..SHARED_SECRET_SIZE { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i <= v $SHARED_SECRET_SIZE /\\ - (forall j. j < v $i ==> (if ($selector =. 0uy) then Seq.index $out j == Seq.index $lhs j else Seq.index $out j == Seq.index $rhs j)) /\\ - (forall j. j >= v $i ==> Seq.index $out j == 0uy)") }); - hax_lib::fstar!("assert ((${out}.[ $i ] <: u8) = 0uy)"); - let outi = (lhs[i] & mask) | (rhs[i] & !mask); - hax_lib::fstar!("if ($selector = 0uy) then ( - logand_lemma (${lhs}.[ $i ] <: u8) $mask; - assert (((${lhs}.[ $i ] <: u8) &. $mask <: u8) == (${lhs}.[ $i ] <: u8)); - logand_lemma (${rhs}.[ $i ] <: u8) (~.$mask); - assert (((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) == zero); - logor_lemma ((${lhs}.[ $i ] <: u8) &. $mask <: u8) ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8); - assert ((((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) <: u8) == (${lhs}.[ $i ] <: u8)); - logor_lemma (${out}.[ $i ] <: u8) (${lhs}.[ $i ] <: u8); - assert (((${out}.[ $i ] <: u8) |. (((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. 
(~.$mask <: u8) <: u8) <: u8) <: u8) == (${lhs}.[ $i ] <: u8)); - assert ($outi = (${lhs}.[ $i ] <: u8)) - ) - else ( - logand_lemma (${lhs}.[ $i ] <: u8) $mask; - assert (((${lhs}.[ $i ] <: u8) &. $mask <: u8) == zero); - logand_lemma (${rhs}.[ $i ] <: u8) (~.$mask); - assert (((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) == (${rhs}.[ $i ] <: u8)); - logor_lemma (${rhs}.[ $i ] <: u8) zero; - assert ((logor zero (${rhs}.[ $i ] <: u8)) == (${rhs}.[ $i ] <: u8)); - assert ((((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8)) == (${rhs}.[ $i ] <: u8)); - logor_lemma (${out}.[ $i ] <: u8) (${rhs}.[ $i ] <: u8); - assert (((${out}.[ $i ] <: u8) |. (((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) <: u8) <: u8) == (${rhs}.[ $i ] <: u8)); - assert ($outi = (${rhs}.[ $i ] <: u8)) - )"); - out[i] = outi; + out[i] = (lhs[i] & mask) | (rhs[i] & !mask); } - hax_lib::fstar!("if ($selector =. 0uy) then ( - eq_intro $out $lhs - ) - else ( - eq_intro $out $rhs - )"); out } #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. -#[hax_lib::requires(lhs.len() == rhs.len())] -#[hax_lib::ensures(|result| fstar!("($lhs == $rhs ==> $result == 0uy) /\\ - ($lhs =!= $rhs ==> $result == 1uy)"))] +#[cfg_attr(hax, hax_lib::requires( + lhs.len() == rhs.len() +))] pub(crate) fn compare_ciphertexts_in_constant_time(lhs: &[u8], rhs: &[u8]) -> u8 { #[cfg(eurydice)] return compare(lhs, rhs); 
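Review bot: The `mask` derivation in `select_ct` lost its explanation along with the F* assertions; a one-line comment after `let mask = is_non_zero(selector).wrapping_sub(1);` would restore it, e.g. `// is_non_zero gives 0 or 1, so mask is 0xFF when selector == 0 (keep lhs) and 0x00 otherwise (keep rhs).` With that in place the loop body `out[i] = (lhs[i] & mask) | (rhs[i] & !mask);` reads directly against the doc comment above the function. The hunk ends inside `compare_ciphertexts_in_constant_time`, whose body continues past it.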
@@ -174,12 +70,10 @@ pub(crate) fn compare_ciphertexts_in_constant_time(lhs: &[u8], rhs: &[u8]) -> u8 } #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. -#[hax_lib::requires( +#[cfg_attr(hax, hax_lib::requires( lhs.len() == rhs.len() && lhs.len() == SHARED_SECRET_SIZE -)] -#[hax_lib::ensures(|result| fstar!("($selector == 0uy ==> $result == $lhs) /\\ - ($selector =!= 0uy ==> $result == $rhs)"))] +))] pub(crate) fn select_shared_secret_in_constant_time( lhs: &[u8], rhs: &[u8], @@ -192,14 +86,11 @@ pub(crate) fn select_shared_secret_in_constant_time( core::hint::black_box(select_ct(lhs, rhs, selector)) } -#[hax_lib::requires( +#[cfg_attr(hax, hax_lib::requires( lhs_c.len() == rhs_c.len() && lhs_s.len() == rhs_s.len() && lhs_s.len() == SHARED_SECRET_SIZE -)] -#[hax_lib::ensures(|result| fstar!("let selector = if $lhs_c =. $rhs_c then 0uy else 1uy in - ((selector == 0uy ==> $result == $lhs_s) /\\ - (selector =!= 0uy ==> $result == $rhs_s))"))] +))] pub(crate) fn compare_ciphertexts_select_shared_secret_in_constant_time( lhs_c: &[u8], rhs_c: &[u8], diff --git a/libcrux-ml-kem/src/hash_functions.rs b/libcrux-ml-kem/src/hash_functions.rs index 4422a435f..341404af9 100644 --- a/libcrux-ml-kem/src/hash_functions.rs +++ b/libcrux-ml-kem/src/hash_functions.rs 
@@ -23,45 +23,27 @@ pub(crate) const THREE_BLOCKS: usize = BLOCK_SIZE * 3; /// - AVX2 /// - NEON /// - Portable -#[hax_lib::attributes] pub(crate) trait Hash { /// G aka SHA3 512 - #[requires(true)] - #[ensures(|result| - fstar!("$result == Spec.Utils.v_G $input")) - ] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE]; /// H aka SHA3 256 - #[requires(true)] - #[ensures(|result| - fstar!("$result == Spec.Utils.v_H $input")) - ] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE]; /// PRF aka SHAKE256 - #[requires(fstar!("v $LEN < pow2 32"))] - #[ensures(|result| - // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!("v $LEN < pow2 32 ==> $result == Spec.Utils.v_PRF $LEN $input")) - ] fn PRF(input: &[u8]) -> [u8; LEN]; /// PRFxN aka N SHAKE256 - #[requires(true)] fn PRFxN(input: &[[u8; 33]; K]) -> [[u8; LEN]; K]; /// Create a SHAKE128 state and absorb the input. - #[requires(true)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self; + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self; /// Squeeze 3 blocks out of the SHAKE128 state. - #[requires(true)] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K]; + fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K]; /// Squeeze 1 block out of the SHAKE128 state. - #[requires(true)] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K]; + fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K]; } /// A portable implementation of [`Hash`] @@ -69,7 +51,10 @@ pub(crate) mod portable { use super::*; use libcrux_sha3::portable::{ self, - incremental, + incremental::{ + shake128_absorb_final, shake128_init, shake128_squeeze_first_three_blocks, + shake128_squeeze_next_block, + }, KeccakState, }; 
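Review bot: The trait renames drop the call-order information the old names carried: the portable implementation later in this diff backs `shake128_init_absorb` with `shake128_absorb_final`, `shake128_squeeze_three_blocks` with `shake128_squeeze_first_three_blocks` and `shake128_squeeze_block` with `shake128_squeeze_next_block`, which suggests the absorb is final and the three-block squeeze must precede any single-block squeeze. The trait doc comments should state that protocol so callers do not have to read the backend, e.g. on `shake128_init_absorb`: `/// Create a SHAKE128 state and absorb the input. This is the final absorb; the state may only be squeezed afterwards.` and on `shake128_squeeze_three_blocks`: `/// Squeeze the first 3 blocks out of the SHAKE128 state. Call once, before any shake128_squeeze_block.` The same wording applies to the portable, avx2 and neon impl hunks that follow.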
@@ -82,9 +67,6 @@ pub(crate) mod portable { shake128_state: [KeccakState; K], } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { let mut digest = [0u8; G_DIGEST_SIZE]; @@ -92,9 +74,6 @@ pub(crate) mod portable { digest } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { let mut digest = [0u8; H_DIGEST_SIZE]; @@ -102,10 +81,6 @@ pub(crate) mod portable { digest } - #[hax_lib::requires(fstar!("v $LEN < pow2 32"))] - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { let mut digest = [0u8; LEN]; 
@@ -125,66 +100,51 @@ pub(crate) mod portable { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> PortableHash { + fn shake128_init_absorb(input: [[u8; 34]; K]) -> PortableHash { debug_assert!(K == 2 || K == 3 || K == 4); - let mut shake128_state = [incremental::shake128_init(); K]; + let mut shake128_state = [shake128_init(); K]; for i in 0..K { - incremental::shake128_absorb_final(&mut shake128_state[i], &input[i]); + shake128_absorb_final(&mut shake128_state[i], &input[i]); } PortableHash { shake128_state } } #[inline(always)] - fn shake128_squeeze_first_three_blocks( + fn shake128_squeeze_three_blocks( st: &mut PortableHash, ) -> [[u8; THREE_BLOCKS]; K] { debug_assert!(K == 2 || K == 3 || K == 4); let mut out = [[0u8; THREE_BLOCKS]; K]; for i in 0..K { - incremental::shake128_squeeze_first_three_blocks(&mut st.shake128_state[i], &mut out[i]); + shake128_squeeze_first_three_blocks(&mut st.shake128_state[i], &mut out[i]); } out } #[inline(always)] - fn shake128_squeeze_next_block(st: &mut PortableHash) -> [[u8; BLOCK_SIZE]; K] { + fn shake128_squeeze_block(st: &mut PortableHash) -> [[u8; BLOCK_SIZE]; K] { debug_assert!(K == 2 || K == 3 || K == 4); let mut out = [[0u8; BLOCK_SIZE]; K]; for i in 0..K { - incremental::shake128_squeeze_next_block(&mut st.shake128_state[i], &mut out[i]); + shake128_squeeze_next_block(&mut st.shake128_state[i], &mut out[i]); } out } - #[hax_lib::attributes] impl Hash for PortableHash { - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { G(input) } - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { H(input) } - #[requires(fstar!("v $LEN < pow2 32"))] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 
- #[ensures(|out| - // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!("v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { PRF::(input) @@ -196,18 +156,18 @@ pub(crate) mod portable { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self { - shake128_init_absorb_final(input) + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self { + shake128_init_absorb(input) } #[inline(always)] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { - shake128_squeeze_first_three_blocks(self) + fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { + shake128_squeeze_three_blocks(self) } #[inline(always)] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { - shake128_squeeze_next_block(self) + fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { + shake128_squeeze_block(self) } } } @@ -230,9 +190,6 @@ pub(crate) mod avx2 { shake128_state: KeccakState, } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { let mut digest = [0u8; G_DIGEST_SIZE]; @@ -240,9 +197,6 @@ pub(crate) mod avx2 { digest } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { let mut digest = [0u8; H_DIGEST_SIZE]; @@ -250,10 +204,6 @@ pub(crate) mod avx2 { digest } - #[hax_lib::requires(fstar!("v $LEN < pow2 32"))] - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { let mut digest = [0u8; LEN]; 
@@ -304,7 +254,7 @@ pub(crate) mod avx2 { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Simd256Hash { + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Simd256Hash { debug_assert!(K == 2 || K == 3 || K == 4); let mut state = x4::incremental::init(); @@ -333,7 +283,7 @@ pub(crate) mod avx2 { } #[inline(always)] - fn shake128_squeeze_first_three_blocks( + fn shake128_squeeze_three_blocks( st: &mut Simd256Hash, ) -> [[u8; THREE_BLOCKS]; K] { debug_assert!(K == 2 || K == 3 || K == 4); @@ -371,7 +321,7 @@ pub(crate) mod avx2 { } #[inline(always)] - fn shake128_squeeze_next_block(st: &mut Simd256Hash) -> [[u8; BLOCK_SIZE]; K] { + fn shake128_squeeze_block(st: &mut Simd256Hash) -> [[u8; BLOCK_SIZE]; K] { debug_assert!(K == 2 || K == 3 || K == 4); let mut out = [[0u8; BLOCK_SIZE]; K]; let mut out0 = [0u8; BLOCK_SIZE]; @@ -406,32 +356,17 @@ pub(crate) mod avx2 { out } - #[hax_lib::attributes] impl Hash for Simd256Hash { - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { G(input) } - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { H(input) } - #[requires(fstar!("v $LEN < pow2 32"))] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[hax_lib::ensures(|out| - // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!("v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { PRF::(input) 
@@ -443,18 +378,18 @@ pub(crate) mod avx2 { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self { - shake128_init_absorb_final(input) + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self { + shake128_init_absorb(input) } #[inline(always)] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { - shake128_squeeze_first_three_blocks(self) + fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { + shake128_squeeze_three_blocks(self) } #[inline(always)] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { - shake128_squeeze_next_block(self) + fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { + shake128_squeeze_block(self) } } } @@ -474,9 +409,6 @@ pub(crate) mod neon { shake128_state: [KeccakState; 2], } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { let mut digest = [0u8; G_DIGEST_SIZE]; @@ -484,9 +416,6 @@ pub(crate) mod neon { digest } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { let mut digest = [0u8; H_DIGEST_SIZE]; @@ -494,10 +423,6 @@ pub(crate) mod neon { digest } - #[hax_lib::requires(fstar!("v $LEN < pow2 32"))] - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { let mut digest = [0u8; LEN]; @@ -541,7 +466,7 @@ pub(crate) mod neon { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Simd128Hash { + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Simd128Hash { debug_assert!(K == 2 || K == 3 || K == 4); let mut state = [x2::incremental::init(), x2::incremental::init()]; match K as u8 { 
@@ -565,7 +490,7 @@ pub(crate) mod neon { } #[inline(always)] - fn shake128_squeeze_first_three_blocks( + fn shake128_squeeze_three_blocks( st: &mut Simd128Hash, ) -> [[u8; THREE_BLOCKS]; K] { debug_assert!(K == 2 || K == 3 || K == 4); @@ -623,7 +548,7 @@ pub(crate) mod neon { } #[inline(always)] - fn shake128_squeeze_next_block(st: &mut Simd128Hash) -> [[u8; BLOCK_SIZE]; K] { + fn shake128_squeeze_block(st: &mut Simd128Hash) -> [[u8; BLOCK_SIZE]; K] { debug_assert!(K == 2 || K == 3 || K == 4); let mut out = [[0u8; BLOCK_SIZE]; K]; @@ -678,32 +603,17 @@ pub(crate) mod neon { out } - #[hax_lib::attributes] impl Hash for Simd128Hash { - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { G(input) } - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { H(input) } - #[requires(fstar!("v $LEN < pow2 32"))] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!("v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { PRF::(input) 
@@ -715,18 +625,18 @@ pub(crate) mod neon { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self { - shake128_init_absorb_final(input) + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self { + shake128_init_absorb(input) } #[inline(always)] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { - shake128_squeeze_first_three_blocks(self) + fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { + shake128_squeeze_three_blocks(self) } #[inline(always)] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { - shake128_squeeze_next_block(self) + fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { + shake128_squeeze_block(self) } } } diff --git a/libcrux-ml-kem/src/ind_cca.rs b/libcrux-ml-kem/src/ind_cca.rs index 825da534d..291886c02 100644 --- a/libcrux-ml-kem/src/ind_cca.rs +++ b/libcrux-ml-kem/src/ind_cca.rs @@ -35,16 +35,6 @@ pub(crate) mod instantiations; /// Serialize the secret key. #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 150")] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SERIALIZED_KEY_LEN == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - ${private_key.len()} == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - ${public_key.len()} == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - ${implicit_rejection_value.len()} == Spec.MLKEM.v_SHARED_SECRET_SIZE"))] -#[hax_lib::ensures(|result| fstar!("$result == Seq.append $private_key ( - Seq.append $public_key ( - Seq.append (Spec.Utils.v_H $public_key) - $implicit_rejection_value))"))] fn serialize_kem_secret_key>( private_key: &[u8], public_key: &[u8], @@ -60,25 +50,6 @@ fn serialize_kem_secret_key( public_key: &[u8; PUBLIC_KEY_SIZE], ) -> bool { - let deserialized_pk = deserialize_ring_elements_reduced_out::( + let deserialized_pk = deserialize_ring_elements_reduced_out::( &public_key[..RANKED_BYTES_PER_RING_ELEMENT], ); let public_key_serialized = 
@@ -117,9 +85,6 @@ fn validate_public_key< /// Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` /// and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. #[inline(always)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"))] fn validate_private_key< const K: usize, const SECRET_KEY_SIZE: usize, @@ -143,22 +108,13 @@ fn validate_private_key< /// /// Depending on the `Vector` and `Hasher` used, this requires different hardware /// features -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"))] -#[hax_lib::ensures(|result| fstar!("let (expected, valid) = Spec.MLKEM.ind_cca_generate_keypair $K $randomness in - valid ==> (${result}.f_sk.f_value, ${result}.f_pk.f_value) == expected"))] #[inline(always)] fn generate_keypair< const K: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, - const RANKED_BYTES_PER_RING_ELEMENT: usize, + const BYTES_PER_RING_ELEMENT: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, Vector: Operations, @@ -174,7 +130,7 @@ fn generate_keypair< K, CPA_PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, - RANKED_BYTES_PER_RING_ELEMENT, + BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, Vector, 
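Review bot: Renaming the const generic of `generate_keypair` from `RANKED_BYTES_PER_RING_ELEMENT` to `BYTES_PER_RING_ELEMENT` leaves two names for what the removed precondition identifies as one quantity (`Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K`): `validate_public_key` in `instantiations.rs` and `multiplexing.rs` and `serialize_public_key` in `ind_cpa.rs` keep the old name. `ind_cpa.rs` also already uses a `BYTES_PER_RING_ELEMENT` as the per-element stride in `serialize_secret_key`, so passing the ranked size under that name into `ind_cpa::generate_keypair` (its signature is outside the hunks) invites confusion or shadowing between the two meanings. Either complete the rename across all call sites in this commit or keep the old name until the cleanup lands. The same partial rename appears in the `multiplexing.rs` and `instantiations.rs` `generate_keypair` hunks.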
@@ -193,22 +149,6 @@ fn generate_keypair< MlKemKeyPair::from(private_key, MlKemPublicKey::from(public_key)) } -#[hax_lib::fstar::options("--z3rlimit 150")] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\ - $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\ - $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ - $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"))] -#[hax_lib::ensures(|result| fstar!("let (expected, valid) = Spec.MLKEM.ind_cca_encapsulate $K ${public_key}.f_value $randomness in - valid ==> (${result}._1.f_value, ${result}._2) == expected"))] #[inline(always)] fn encapsulate< const K: usize, @@ -219,7 +159,7 @@ fn encapsulate< const C2_SIZE: usize, const VECTOR_U_COMPRESSION_FACTOR: usize, const VECTOR_V_COMPRESSION_FACTOR: usize, - const C1_BLOCK_SIZE: usize, + const VECTOR_U_BLOCK_LEN: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, 
@@ -233,11 +173,8 @@ fn encapsulate< ) -> (MlKemCiphertext, MlKemSharedSecret) { let randomness = Scheme::entropy_preprocess::(&randomness); let mut to_hash: [u8; 2 * H_DIGEST_SIZE] = into_padded_array(&randomness); - hax_lib::fstar!("eq_intro (Seq.slice $to_hash 0 32) $randomness"); to_hash[H_DIGEST_SIZE..].copy_from_slice(&Hasher::H(public_key.as_slice())); - hax_lib::fstar!("assert (Seq.slice to_hash 0 (v $H_DIGEST_SIZE) == $randomness); - lemma_slice_append $to_hash $randomness (Spec.Utils.v_H ${public_key}.f_value); - assert ($to_hash == concat $randomness (Spec.Utils.v_H ${public_key}.f_value))"); + let hashed = Hasher::G(&to_hash); let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE); @@ -249,7 +186,7 @@ fn encapsulate< C2_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, - C1_BLOCK_SIZE, + VECTOR_U_BLOCK_LEN, ETA1, ETA1_RANDOMNESS_SIZE, ETA2, 
@@ -260,29 +197,10 @@ fn encapsulate< let ciphertext = MlKemCiphertext::from(ciphertext); let shared_secret_array = Scheme::kdf::(shared_secret, &ciphertext); + (ciphertext, shared_secret_array) } -/// This code verifies on some machines, runs out of memory on others -#[hax_lib::fstar::options("--z3rlimit 500")] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\ - $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\ - $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ - $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\ - $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))] -#[hax_lib::ensures(|result| fstar!("let (expected, valid) = Spec.MLKEM.ind_cca_decapsulate $K ${private_key}.f_value ${ciphertext}.f_value in - valid ==> $result == expected"))] #[inline(always)] pub(crate) fn decapsulate< const K: usize, 
@@ -308,17 +226,10 @@ pub(crate) fn decapsulate< private_key: &MlKemPrivateKey, ciphertext: &MlKemCiphertext, ) -> MlKemSharedSecret { - hax_lib::fstar!("assert (v $CIPHERTEXT_SIZE == v $IMPLICIT_REJECTION_HASH_INPUT_SIZE - v $SHARED_SECRET_SIZE)"); let (ind_cpa_secret_key, secret_key) = private_key.value.split_at(CPA_SECRET_KEY_SIZE); let (ind_cpa_public_key, secret_key) = secret_key.split_at(PUBLIC_KEY_SIZE); let (ind_cpa_public_key_hash, implicit_rejection_value) = secret_key.split_at(H_DIGEST_SIZE); - hax_lib::fstar!("assert ($ind_cpa_secret_key == slice ${private_key}.f_value (sz 0) $CPA_SECRET_KEY_SIZE); - assert ($ind_cpa_public_key == slice ${private_key}.f_value $CPA_SECRET_KEY_SIZE ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE)); - assert ($ind_cpa_public_key_hash == slice ${private_key}.f_value ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE) - ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE)); - assert ($implicit_rejection_value == slice ${private_key}.f_value ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE) - (length ${private_key}.f_value))"); let decrypted = crate::ind_cpa::decrypt::< K, CIPHERTEXT_SIZE, 
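Review bot: Removing `hax_lib::fstar!("assert (v $CIPHERTEXT_SIZE == v $IMPLICIT_REJECTION_HASH_INPUT_SIZE - v $SHARED_SECRET_SIZE)")` leaves the relation between the three sizes unstated, although `to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ciphertext.as_ref())` in the next hunk only avoids a panic when it holds. With the proof obligation gone, a cheap guard at the top of the body, `debug_assert_eq!(IMPLICIT_REJECTION_HASH_INPUT_SIZE, SHARED_SECRET_SIZE + CIPHERTEXT_SIZE);`, or at least a doc line on `decapsulate` listing the size invariants, catches a wrong instantiation before the implicit-rejection path. The `split_at` calls on `private_key.value` likewise relied on `$SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K` from the removed `requires`. `decapsulate` starts in the previous hunk and continues in the next one.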
@@ -329,31 +240,16 @@ pub(crate) fn decapsulate< >(ind_cpa_secret_key, &ciphertext.value); let mut to_hash: [u8; SHARED_SECRET_SIZE + H_DIGEST_SIZE] = into_padded_array(&decrypted); - hax_lib::fstar!("eq_intro (Seq.slice $to_hash 0 32) $decrypted"); to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ind_cpa_public_key_hash); - hax_lib::fstar!("lemma_slice_append to_hash $decrypted $ind_cpa_public_key_hash; - assert ($decrypted == Spec.MLKEM.ind_cpa_decrypt $K $ind_cpa_secret_key ${ciphertext}.f_value); - assert ($to_hash == concat $decrypted $ind_cpa_public_key_hash)"); let hashed = Hasher::G(&to_hash); let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE); - hax_lib::fstar!("assert (($shared_secret , $pseudorandomness) == split $hashed $SHARED_SECRET_SIZE); - assert (length $implicit_rejection_value = $SECRET_KEY_SIZE -! $CPA_SECRET_KEY_SIZE -! $PUBLIC_KEY_SIZE -! $H_DIGEST_SIZE); - assert (length $implicit_rejection_value = Spec.MLKEM.v_SHARED_SECRET_SIZE); - assert (Spec.MLKEM.v_SHARED_SECRET_SIZE <=. Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K)"); let mut to_hash: [u8; IMPLICIT_REJECTION_HASH_INPUT_SIZE] = into_padded_array(implicit_rejection_value); - hax_lib::fstar!("eq_intro (Seq.slice $to_hash 0 32) $implicit_rejection_value"); to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ciphertext.as_ref()); - hax_lib::fstar!("assert_norm (pow2 32 == 0x100000000); - assert (v (sz 32) < pow2 32); - assert (i4.f_PRF_pre (sz 32) $to_hash); - lemma_slice_append $to_hash $implicit_rejection_value ${ciphertext}.f_value"); let implicit_rejection_shared_secret: [u8; SHARED_SECRET_SIZE] = Hasher::PRF(&to_hash); - hax_lib::fstar!("assert ($implicit_rejection_shared_secret == Spec.Utils.v_PRF (sz 32) $to_hash); - assert (Seq.length $ind_cpa_public_key == v $PUBLIC_KEY_SIZE)"); let expected_ciphertext = crate::ind_cpa::encrypt::< K, CIPHERTEXT_SIZE, 
@@ -375,13 +271,12 @@ pub(crate) fn decapsulate< Scheme::kdf::(&implicit_rejection_shared_secret, ciphertext); let shared_secret = Scheme::kdf::(shared_secret, ciphertext); - let shared_secret = compare_ciphertexts_select_shared_secret_in_constant_time( - ciphertext.as_ref(), - &expected_ciphertext, - &shared_secret, - &implicit_rejection_shared_secret, - ); - shared_secret + compare_ciphertexts_select_shared_secret_in_constant_time( + ciphertext.as_ref(), + &expected_ciphertext, + &shared_secret, + &implicit_rejection_shared_secret, + ) } /// Types for the unpacked API. @@ -432,7 +327,7 @@ pub(crate) mod unpacked { public_key: &MlKemPublicKey, unpacked_public_key: &mut MlKemPublicKeyUnpacked, ) { - deserialize_ring_elements_reduced::( + deserialize_ring_elements_reduced::( &public_key.value[..T_AS_NTT_ENCODED_SIZE], &mut unpacked_public_key.ind_cpa_public_key.t_as_ntt, ); diff --git a/libcrux-ml-kem/src/ind_cca/instantiations.rs b/libcrux-ml-kem/src/ind_cca/instantiations.rs index fc2e754e2..9269fd501 100644 --- a/libcrux-ml-kem/src/ind_cca/instantiations.rs +++ b/libcrux-ml-kem/src/ind_cca/instantiations.rs @@ -7,19 +7,12 @@ macro_rules! instantiate { }; /// Portable generate key pair. - #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"))] pub(crate) fn generate_keypair< const K: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, - const RANKED_BYTES_PER_RING_ELEMENT: usize, + const BYTES_PER_RING_ELEMENT: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, >( 
@@ -30,7 +23,7 @@ macro_rules! instantiate { CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, - RANKED_BYTES_PER_RING_ELEMENT, + BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, $vector, @@ -66,10 +59,6 @@ macro_rules! instantiate { } /// Portable public key validation - #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"))] - #[inline(always)] pub(crate) fn validate_public_key< const K: usize, const RANKED_BYTES_PER_RING_ELEMENT: usize, @@ -86,10 +75,6 @@ macro_rules! instantiate { } /// Portable private key validation - #[inline(always)] - #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"))] pub(crate) fn validate_private_key< const K: usize, const SECRET_KEY_SIZE: usize, @@ -144,19 +129,6 @@ macro_rules! instantiate { >(public_key, randomness) } - #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\ - $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\ - $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ - $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"))] pub(crate) fn encapsulate< const K: usize, const CIPHERTEXT_SIZE: usize, 
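Review bot: The `@@ -66,10 +59,6 @@` and `@@ -86,10 +75,6 @@` hunks remove `#[inline(always)]` from `validate_public_key` and `validate_private_key` along with the hax `requires`, but the inline attribute is not a verification annotation and changes codegen. The `multiplexing.rs` hunks keep `#[inline(always)]` on the same two functions, so the two files now diverge for no stated reason. If the removal is intended, say so in the commit message; otherwise restore the two `#[inline(always)]` lines.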
@@ -166,7 +138,7 @@ macro_rules! instantiate { const C2_SIZE: usize, const VECTOR_U_COMPRESSION_FACTOR: usize, const VECTOR_V_COMPRESSION_FACTOR: usize, - const C1_BLOCK_SIZE: usize, + const VECTOR_U_BLOCK_LEN: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, @@ -184,7 +156,7 @@ macro_rules! instantiate { C2_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, - C1_BLOCK_SIZE, + VECTOR_U_BLOCK_LEN, ETA1, ETA1_RANDOMNESS_SIZE, ETA2, @@ -242,23 +214,6 @@ macro_rules! instantiate { } /// Portable decapsulate - #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\ - $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\ - $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ - $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\ - $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))] pub fn decapsulate< const K: usize, const SECRET_KEY_SIZE: usize, diff --git a/libcrux-ml-kem/src/ind_cca/multiplexing.rs b/libcrux-ml-kem/src/ind_cca/multiplexing.rs index 4a78a567b..88098f375 100644 --- a/libcrux-ml-kem/src/ind_cca/multiplexing.rs +++ b/libcrux-ml-kem/src/ind_cca/multiplexing.rs 
@@ -52,9 +52,6 @@ use instantiations::portable::{ kyber_generate_keypair as kyber_generate_keypair_neon, }; -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"))] #[inline(always)] pub(crate) fn validate_public_key< const K: usize, @@ -69,9 +66,6 @@ pub(crate) fn validate_public_key< } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"))] pub(crate) fn validate_private_key< const K: usize, const SECRET_KEY_SIZE: usize, @@ -132,19 +126,12 @@ pub(crate) fn kyber_generate_keypair< } } -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"))] pub(crate) fn generate_keypair< const K: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, - const RANKED_BYTES_PER_RING_ELEMENT: usize, + const BYTES_PER_RING_ELEMENT: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, >( @@ -157,7 +144,7 @@ pub(crate) fn generate_keypair< CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, - RANKED_BYTES_PER_RING_ELEMENT, + BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, >(randomness) @@ -167,7 +154,7 @@ pub(crate) fn generate_keypair< CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, - RANKED_BYTES_PER_RING_ELEMENT, + BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, >(randomness) 
@@ -177,7 +164,7 @@ pub(crate) fn generate_keypair< CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, - RANKED_BYTES_PER_RING_ELEMENT, + BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, >(randomness) @@ -254,19 +241,6 @@ pub(crate) fn kyber_encapsulate< } } -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\ - $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\ - $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ - $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"))] pub(crate) fn encapsulate< const K: usize, const CIPHERTEXT_SIZE: usize, @@ -276,7 +250,7 @@ pub(crate) fn encapsulate< const C2_SIZE: usize, const VECTOR_U_COMPRESSION_FACTOR: usize, const VECTOR_V_COMPRESSION_FACTOR: usize, - const C1_BLOCK_SIZE: usize, + const VECTOR_U_BLOCK_LEN: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, @@ -295,7 +269,7 @@ pub(crate) fn encapsulate< C2_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, - C1_BLOCK_SIZE, + VECTOR_U_BLOCK_LEN, ETA1, ETA1_RANDOMNESS_SIZE, ETA2, @@ -311,7 +285,7 @@ pub(crate) fn encapsulate< C2_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, - C1_BLOCK_SIZE, + VECTOR_U_BLOCK_LEN, ETA1, ETA1_RANDOMNESS_SIZE, ETA2, @@ -327,7 +301,7 @@ pub(crate) fn encapsulate< C2_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, - C1_BLOCK_SIZE, + VECTOR_U_BLOCK_LEN, ETA1, ETA1_RANDOMNESS_SIZE, ETA2, 
@@ -418,22 +392,6 @@ pub(crate) fn kyber_decapsulate< } } -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\ - $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\ - $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ - $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\ - $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))] pub(crate) fn decapsulate< const K: usize, const SECRET_KEY_SIZE: usize, diff --git a/libcrux-ml-kem/src/ind_cpa.rs b/libcrux-ml-kem/src/ind_cpa.rs index 4a5b455ce..7f1d4435a 100644 --- a/libcrux-ml-kem/src/ind_cpa.rs +++ b/libcrux-ml-kem/src/ind_cpa.rs 
@@ -60,18 +60,6 @@ use unpacked::*; /// Concatenate `t` and `ρ` into the public key. #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - length $seed_for_a == sz 32 /\\ - (forall (i:nat). i < v $K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $t_as_ntt i))"))] -#[hax_lib::ensures(|res| - fstar!("$res == Seq.append (Spec.MLKEM.vector_encode_12 #$K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $t_as_ntt)) - $seed_for_a)") -)] pub(crate) fn serialize_public_key< const K: usize, const RANKED_BYTES_PER_RING_ELEMENT: usize, @@ -92,19 +80,6 @@ pub(crate) fn serialize_public_key< /// Concatenate `t` and `ρ` into the public key. #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - length $seed_for_a == sz 32 /\\ - (forall (i:nat). i < v $K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $t_as_ntt i))"))] -#[hax_lib::ensures(|res| - fstar!("${serialized}_future == - Seq.append (Spec.MLKEM.vector_encode_12 #$K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $t_as_ntt)) - $seed_for_a)") -)] pub(crate) fn serialize_public_key_mut< const K: usize, const RANKED_BYTES_PER_RING_ELEMENT: usize, 
@@ -125,16 +100,6 @@ pub(crate) fn serialize_public_key_mut< /// Call [`serialize_uncompressed_ring_element`] for each ring element. #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 200")] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $OUT_LEN == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - (forall (i:nat). i < v $K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $key i))"))] -#[hax_lib::ensures(|res| - fstar!("$res == Spec.MLKEM.vector_encode_12 #$K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $key)") -)] pub(crate) fn serialize_secret_key( key: &[PolynomialRingElement; K], ) -> [u8; OUT_LEN] { @@ -142,8 +107,6 @@ pub(crate) fn serialize_secret_key - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $key (v $i))") }); out[i * BYTES_PER_RING_ELEMENT..(i + 1) * BYTES_PER_RING_ELEMENT] .copy_from_slice(&serialize_uncompressed_ring_element(&re)); } @@ -154,11 +117,6 @@ pub(crate) fn serialize_secret_key ([PolynomialRingElement; K], u8) { let mut error_1 = from_fn(|_i| PolynomialRingElement::::ZERO()); let mut prf_inputs = [prf_input; K]; - let _domain_separator_init = domain_separator; for i in 0..K { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $domain_separator == v $_domain_separator_init + v $i") }); prf_inputs[i][32] = domain_separator; domain_separator += 1; } 
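Review bot: Dropping `_domain_separator_init` and the loop invariant here, and `range (v $domain_separator + v $K) u8_inttype` from the preconditions of `sample_vector_cbd_then_ntt` and `sample_vector_cbd_then_ntt_out` in the next hunk, leaves nothing stating that `domain_separator += 1`, executed `K` times on a `u8`, stays in range; with overflow checks disabled that increment wraps silently. Proposed doc comment on each of the three functions: `/// `domain_separator + K` must fit in a `u8`; the per-element increment is unchecked.`, or a `debug_assert!(domain_separator as usize + K <= u8::MAX as usize);` before the loop. The enclosing `sample_ring_element_cbd` starts before this hunk and continues after it.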
@@ -187,17 +143,6 @@ fn sample_ring_element_cbd< /// Sample a vector of ring elements from a centered binomial distribution and /// convert them into their NTT representations. #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA == Spec.MLKEM.v_ETA1 $K /\\ - v $domain_separator < 2 * v $K /\\ - range (v $domain_separator + v $K) u8_inttype"))] -#[hax_lib::ensures(|ds| - fstar!("v $ds == v $domain_separator + v $K /\\ - Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${re_as_ntt}_future == - Spec.MLKEM.sample_vector_cbd_then_ntt #$K (Seq.slice $prf_input 0 32) (sz (v $domain_separator))") -)] fn sample_vector_cbd_then_ntt< const K: usize, const ETA: usize, @@ -210,9 +155,7 @@ fn sample_vector_cbd_then_ntt< mut domain_separator: u8, ) -> u8 { let mut prf_inputs = [prf_input; K]; - let _domain_separator_init = domain_separator; for i in 0..K { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $domain_separator == v $_domain_separator_init + v $i") }); prf_inputs[i][32] = domain_separator; domain_separator += 1; } @@ -225,17 +168,6 @@ fn sample_vector_cbd_then_ntt< } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $ETA_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA == Spec.MLKEM.v_ETA1 $K /\\ - v $domain_separator < 2 * v $K /\\ - range (v $domain_separator + v $K) u8_inttype"))] -#[hax_lib::ensures(|(re,ds)| - fstar!("v $ds == v $domain_separator + v $K /\\ - Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${re} == - Spec.MLKEM.sample_vector_cbd_then_ntt #$K (Seq.slice $prf_input 0 32) (sz (v $domain_separator))") -)] fn sample_vector_cbd_then_ntt_out< const K: usize, const ETA: usize, 
@@ -294,17 +226,6 @@ fn sample_vector_cbd_then_ntt_out< /// The NIST FIPS 203 standard can be found at /// . #[allow(non_snake_case)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - length $key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE"))] -#[hax_lib::ensures(|_| fstar!(" - (forall (i:nat). i < v $K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index ${private_key}_future.f_secret_as_ntt i)) /\\ - (forall (i:nat). i < v $K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index ${public_key}_future.f_t_as_ntt i)) -"))] #[inline(always)] pub(crate) fn generate_keypair_unpacked< const K: usize, @@ -353,16 +274,6 @@ pub(crate) fn generate_keypair_unpacked< } #[allow(non_snake_case)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - length $key_generation_seed == Spec.MLKEM.v_CPA_KEY_GENERATION_SEED_SIZE"))] -#[hax_lib::ensures(|result| fstar!("let (expected, valid) = Spec.MLKEM.ind_cpa_generate_keypair $K $key_generation_seed in - valid ==> $result == expected"))] #[inline(always)] pub(crate) fn generate_keypair< const K: usize, 
@@ -400,18 +311,6 @@ pub(crate) fn generate_keypair< } /// Call [`compress_then_serialize_ring_element_u`] on each ring element. -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $OUT_LEN == Spec.MLKEM.v_C1_SIZE $K /\\ - $COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - ${out.len()} == $OUT_LEN /\\ - (forall (i:nat). i < v $K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $input i))"))] -#[hax_lib::ensures(|_| - fstar!("$out_future == Spec.MLKEM.compress_then_encode_u #$K - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $input)") -)] #[inline(always)] fn compress_then_serialize_u< const K: usize, @@ -423,14 +322,10 @@ fn compress_then_serialize_u< input: [PolynomialRingElement; K], out: &mut [u8], ) { - hax_lib::fstar!("assert ((v $COEFFICIENTS_IN_RING_ELEMENT * v $COMPRESSION_FACTOR) / 8 == 320 \\/ - (v $COEFFICIENTS_IN_RING_ELEMENT * v $COMPRESSION_FACTOR) / 8 == 352)"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 cloop! { for (i, re) in input.into_iter().enumerate() { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i < v $K ==> (Seq.length out == v $OUT_LEN /\\ - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $input (v $i)))") }); out[i * (OUT_LEN / K)..(i + 1) * (OUT_LEN / K)].copy_from_slice( &compress_then_serialize_ring_element_u::(&re), ); 
@@ -479,19 +374,6 @@ fn compress_then_serialize_u< /// The NIST FIPS 203 standard can be found at /// . #[allow(non_snake_case)] -#[hax_lib::fstar::options("--z3rlimit 200")] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ - $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\ - $C1_LEN == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_LEN == Spec.MLKEM.v_C2_SIZE $K /\\ - $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - length $randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE"))] #[inline(always)] pub(crate) fn encrypt_unpacked< const K: usize, 
@@ -569,25 +451,6 @@ pub(crate) fn encrypt_unpacked< } #[allow(non_snake_case)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $ETA1 = Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE = Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 = Spec.MLKEM.v_ETA2 $K /\\ - $BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $ETA2_RANDOMNESS_SIZE = Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\ - $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - length $public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - length $randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\ - $C1_LEN == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_LEN == Spec.MLKEM.v_C2_SIZE $K"))] -#[hax_lib::ensures(|result| - fstar!("let (expected, valid) = Spec.MLKEM.ind_cpa_encrypt $K $public_key $message $randomness in - valid ==> $result == expected") -)] #[inline(always)] pub(crate) fn encrypt< const K: usize, @@ -612,7 +475,7 @@ pub(crate) fn encrypt< let mut unpacked_public_key = IndCpaPublicKeyUnpacked::::default(); // tˆ := Decode_12(pk) - deserialize_ring_elements_reduced::( + deserialize_ring_elements_reduced::( &public_key[..T_AS_NTT_ENCODED_SIZE], &mut unpacked_public_key.t_as_ntt, ); 
@@ -652,14 +515,6 @@ pub(crate) fn encrypt< /// Call [`deserialize_then_decompress_ring_element_u`] on each ring element /// in the `ciphertext`. #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K"))] -#[hax_lib::ensures(|res| - fstar!("Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $res == - Spec.MLKEM.(vector_ntt (decode_then_decompress_u #$K (Seq.slice $ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE $K)))))") -)] fn deserialize_then_decompress_u< const K: usize, const CIPHERTEXT_SIZE: usize, @@ -683,14 +538,6 @@ fn deserialize_then_decompress_u< /// Call [`deserialize_to_uncompressed_ring_element`] for each ring element. #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - length $secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - v (${secret_key.len()}) / v $BYTES_PER_RING_ELEMENT <= v $K"))] -#[hax_lib::ensures(|res| - fstar!("Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector $res == - Spec.MLKEM.vector_decode_12 #$K $secret_key") -)] fn deserialize_secret_key( secret_key: &[u8], ) -> [PolynomialRingElement; K] { @@ -726,11 +573,6 @@ fn deserialize_secret_key( /// The NIST FIPS 203 standard can be found at /// . #[allow(non_snake_case)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE $K"))] #[inline(always)] pub(crate) fn decrypt_unpacked< const K: usize, 
@@ -759,16 +601,6 @@ pub(crate) fn decrypt_unpacked< } #[allow(non_snake_case)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - length $secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - $VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\ - $U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K"))] -#[hax_lib::ensures(|result| - fstar!("$result == Spec.MLKEM.ind_cpa_decrypt $K $secret_key $ciphertext") -)] #[inline(always)] pub(crate) fn decrypt< const K: usize, diff --git a/libcrux-ml-kem/src/invert_ntt.rs b/libcrux-ml-kem/src/invert_ntt.rs index 49fa7fea5..12b60f3cf 100644 --- a/libcrux-ml-kem/src/invert_ntt.rs +++ b/libcrux-ml-kem/src/invert_ntt.rs 
@@ -1,152 +1,68 @@ use crate::{ hax_utils::hax_debug_assert, - polynomial::{PolynomialRingElement, get_zeta}, + polynomial::{PolynomialRingElement, ZETAS_TIMES_MONTGOMERY_R}, vector::{montgomery_multiply_fe, Operations, FIELD_ELEMENTS_IN_VECTOR}, }; #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let invert_ntt_re_range_2 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let invert_ntt_re_range_1 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 128 /\\ - invert_ntt_re_range_1 $re"))] -#[hax_lib::ensures(|result| fstar!("invert_ntt_re_range_2 ${re}_future /\\ - v ${*zeta_i}_future == 64"))] pub(crate) fn invert_ntt_at_layer_1( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, ) { - hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_1) (invert_ntt_re_range_1 #$:Vector)"); - hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init - v $round * 4 /\\ - (v round < 16 ==> (forall (i:nat). 
(i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i -= 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = Vector::inv_ntt_layer_1_step( re.coefficients[round], - get_zeta (*zeta_i), - get_zeta (*zeta_i - 1), - get_zeta (*zeta_i - 2), - get_zeta (*zeta_i - 3), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 1], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 2], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 3], ); *zeta_i -= 3; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); } () } #[inline(always)] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 64 /\\ - invert_ntt_re_range_2 $re "))] -#[hax_lib::ensures(|result| fstar!("invert_ntt_re_range_2 ${re}_future /\\ - v ${*zeta_i}_future == 32"))] pub(crate) fn invert_ntt_at_layer_2( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, ) { - hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init - v $round * 2 /\\ - (v round < 16 ==> (forall (i:nat). 
(i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i -= 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = Vector::inv_ntt_layer_2_step( re.coefficients[round], - get_zeta (*zeta_i), - get_zeta (*zeta_i - 1), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 1], ); *zeta_i -= 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); } () } #[inline(always)] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 32 /\\ - invert_ntt_re_range_2 $re"))] -#[hax_lib::ensures(|result| fstar!("invert_ntt_re_range_2 ${re}_future /\\ - v ${*zeta_i}_future == 16"))] pub(crate) fn invert_ntt_at_layer_3( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, ) { - hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init - v $round /\\ - (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). 
i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i -= 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = - Vector::inv_ntt_layer_3_step(re.coefficients[round], get_zeta (*zeta_i)); - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); + Vector::inv_ntt_layer_3_step(re.coefficients[round], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); } () } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 $zeta_r /\\ - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $b) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i))) /\\ - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $b) i))) /\\ - Spec.Utils.is_i16b_array 28296 (Libcrux_ml_kem.Vector.Traits.f_to_i16_array - (Libcrux_ml_kem.Vector.Traits.f_add $a $b))"))] pub(crate) fn inv_ntt_layer_int_vec_step_reduce( mut a: Vector, mut b: Vector, @@ -157,10 +73,7 @@ pub(crate) fn inv_ntt_layer_int_vec_step_reduce( b = montgomery_multiply_fe::(a_minus_b, zeta_r); (a, b) } - #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("v $layer >= 4 /\\ v $layer <= 7"))] pub(crate) fn invert_ntt_at_layer_4_plus( zeta_i: &mut usize, re: &mut PolynomialRingElement, 
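Review bot: With the `requires(v *zeta_i == 128)` gone from `invert_ntt_at_layer_1`, nothing states or checks the entry value that keeps `*zeta_i -= 1` and the `ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 3]` reads in range; a caller that enters with too small an index now underflows `usize` (a panic in debug builds, a wrap in release followed by a bounds-check panic on the table index) instead of being rejected at verification time. The same applies to `invert_ntt_at_layer_2` (was 64) and `invert_ntt_at_layer_3` (was 32), and the removed `invert_ntt_re_range_1/2` predicates were the only record of the coefficient bounds that justify the unreduced i16 arithmetic. If the annotations are being dropped rather than moved, keep at least the runtime form of the index contract, e.g. `debug_assert!(*zeta_i == 128);` at the top of layer 1 and the matching `64`/`32` asserts in layers 2 and 3, plus a one-line comment on each stating the expected entry index and the coefficient bound it relies on. A commit message of "wip" gives no indication whether the proofs are meant to return.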
@@ -181,7 +94,7 @@ pub(crate) fn invert_ntt_at_layer_4_plus( let (x, y) = inv_ntt_layer_int_vec_step_reduce( re.coefficients[j], re.coefficients[j + step_vec], - get_zeta (*zeta_i), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], ); re.coefficients[j] = x; re.coefficients[j + step_vec] = y; @@ -191,7 +104,6 @@ pub(crate) fn invert_ntt_at_layer_4_plus( } #[inline(always)] -#[hax_lib::requires(fstar!("invert_ntt_re_range_1 $re"))] pub(crate) fn invert_ntt_montgomery( re: &mut PolynomialRingElement, ) { diff --git a/libcrux-ml-kem/src/matrix.rs b/libcrux-ml-kem/src/matrix.rs index 855b45891..651ab345b 100644 --- a/libcrux-ml-kem/src/matrix.rs +++ b/libcrux-ml-kem/src/matrix.rs @@ -5,14 +5,6 @@ use crate::{ #[inline(always)] #[allow(non_snake_case)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K"))] -#[hax_lib::ensures(|res| - fstar!("let (matrix_A, valid) = Spec.MLKEM.sample_matrix_A_ntt (Seq.slice $seed 0 32) in - valid ==> ( - if $transpose then Libcrux_ml_kem.Polynomial.to_spec_matrix_t ${A_transpose}_future == matrix_A - else Libcrux_ml_kem.Polynomial.to_spec_matrix_t ${A_transpose}_future == Spec.MLKEM.matrix_transpose matrix_A)") -)] pub(crate) fn sample_matrix_A>( A_transpose: &mut [[PolynomialRingElement; K]; K], seed: [u8; 34], @@ -45,17 +37,6 @@ pub(crate) fn sample_matrix_A( v: &PolynomialRingElement, secret_as_ntt: &[PolynomialRingElement; K], 
@@ -76,18 +57,6 @@ pub(crate) fn compute_message( /// Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K"))] -#[hax_lib::ensures(|res| - fstar!("let open Libcrux_ml_kem.Polynomial in - let tt_spec = to_spec_vector_t $t_as_ntt in - let r_spec = to_spec_vector_t $r_as_ntt in - let e2_spec = to_spec_poly_t $error_2 in - let m_spec = to_spec_poly_t $message in - let res_spec = to_spec_poly_t $res in - res_spec == Spec.MLKEM.(poly_add (poly_add (vector_dot_product_ntt #$K tt_spec r_spec) e2_spec) m_spec) /\\ - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range $res") -)] pub(crate) fn compute_ring_element_v( t_as_ntt: &[PolynomialRingElement; K], r_as_ntt: &[PolynomialRingElement; K], @@ -109,18 +78,6 @@ pub(crate) fn compute_ring_element_v( /// Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K"))] -#[hax_lib::ensures(|res| - fstar!("let open Libcrux_ml_kem.Polynomial in - let a_spec = to_spec_matrix_t $a_as_ntt in - let r_spec = to_spec_vector_t $r_as_ntt in - let e_spec = to_spec_vector_t $error_1 in - let res_spec = to_spec_vector_t $res in - res_spec == Spec.MLKEM.(vector_add (vector_inv_ntt (matrix_vector_mul_ntt a_spec r_spec)) e_spec) /\\ - (forall (i:nat). i < v $K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $res i))") -)] pub(crate) fn compute_vector_u( a_as_ntt: &[[PolynomialRingElement; K]; K], r_as_ntt: &[PolynomialRingElement; K], 
@@ -148,16 +105,6 @@ pub(crate) fn compute_vector_u( /// Compute  ◦ ŝ + ê #[inline(always)] #[allow(non_snake_case)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K"))] -#[hax_lib::ensures(|res| - fstar!("let open Libcrux_ml_kem.Polynomial in - to_spec_vector_t ${t_as_ntt}_future = - Spec.MLKEM.compute_As_plus_e_ntt - (to_spec_matrix_t $matrix_A) - (to_spec_vector_t $s_as_ntt) - (to_spec_vector_t $error_as_ntt)") -)] pub(crate) fn compute_As_plus_e( t_as_ntt: &mut [PolynomialRingElement; K], matrix_A: &[[PolynomialRingElement; K]; K], diff --git a/libcrux-ml-kem/src/mlkem1024.rs b/libcrux-ml-kem/src/mlkem1024.rs index 6bc86a8cf..875406268 100644 --- a/libcrux-ml-kem/src/mlkem1024.rs +++ b/libcrux-ml-kem/src/mlkem1024.rs @@ -410,11 +410,6 @@ pub fn validate_private_key( /// /// This function returns an [`MlKem1024KeyPair`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem1024_generate_keypair $randomness in - valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)") -)] pub fn generate_key_pair( randomness: [u8; KEY_GENERATION_SEED_SIZE], ) -> MlKemKeyPair { @@ -435,12 +430,6 @@ pub fn generate_key_pair( /// The input is a reference to an [`MlKem1024PublicKey`] and [`SHARED_SECRET_SIZE`] /// bytes of `randomness`. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem1024_encapsulate ${public_key}.f_value $randomness in - let (res_ciphertext, res_shared_secret) = $res in - valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)") -)] pub fn encapsulate( public_key: &MlKem1024PublicKey, randomness: [u8; SHARED_SECRET_SIZE], 
@@ -467,11 +456,6 @@ pub fn encapsulate( /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem1024_decapsulate ${private_key}.f_value ${ciphertext}.f_value in - valid ==> $res == shared_secret") -)] pub fn decapsulate( private_key: &MlKem1024PrivateKey, ciphertext: &MlKem1024Ciphertext, diff --git a/libcrux-ml-kem/src/mlkem512.rs b/libcrux-ml-kem/src/mlkem512.rs index cad3bd02b..4fae634c0 100644 --- a/libcrux-ml-kem/src/mlkem512.rs +++ b/libcrux-ml-kem/src/mlkem512.rs 
@@ -3,31 +3,34 @@ use super::{constants::*, ind_cca::*, types::*, *}; // Kyber 512 parameters const RANK_512: usize = 2; -const RANKED_BYTES_PER_RING_ELEMENT_512: usize = 768; -const T_AS_NTT_ENCODED_SIZE_512: usize = 768; +const RANKED_BYTES_PER_RING_ELEMENT_512: usize = RANK_512 * BITS_PER_RING_ELEMENT / 8; +const T_AS_NTT_ENCODED_SIZE_512: usize = + (RANK_512 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8; const VECTOR_U_COMPRESSION_FACTOR_512: usize = 10; // [hax]: hacspec/hacspec-v2#27 stealing error // block_len::() -const C1_BLOCK_SIZE_512: usize = 320; +const C1_BLOCK_SIZE_512: usize = + (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_U_COMPRESSION_FACTOR_512) / 8; // [hax]: hacspec/hacspec-v2#27 stealing error // serialized_len::() -const C1_SIZE_512: usize = 640; +const C1_SIZE_512: usize = C1_BLOCK_SIZE_512 * RANK_512; const VECTOR_V_COMPRESSION_FACTOR_512: usize = 4; // [hax]: hacspec/hacspec-v2#27 stealing error // block_len::() -const C2_SIZE_512: usize = 128; -const CPA_PKE_SECRET_KEY_SIZE_512: usize = 768; -pub(crate) const CPA_PKE_PUBLIC_KEY_SIZE_512: usize = 800; -const CPA_PKE_CIPHERTEXT_SIZE_512: usize = 768; - -pub(crate) const SECRET_KEY_SIZE_512: usize = 1632; +const C2_SIZE_512: usize = (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_V_COMPRESSION_FACTOR_512) / 8; +const CPA_PKE_SECRET_KEY_SIZE_512: usize = + (RANK_512 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8; +pub(crate) const CPA_PKE_PUBLIC_KEY_SIZE_512: usize = T_AS_NTT_ENCODED_SIZE_512 + 32; +const CPA_PKE_CIPHERTEXT_SIZE_512: usize = C1_SIZE_512 + C2_SIZE_512; +pub(crate) const SECRET_KEY_SIZE_512: usize = + CPA_PKE_SECRET_KEY_SIZE_512 + CPA_PKE_PUBLIC_KEY_SIZE_512 + H_DIGEST_SIZE + SHARED_SECRET_SIZE; const ETA1: usize = 3; -const ETA1_RANDOMNESS_SIZE: usize = 192; +const ETA1_RANDOMNESS_SIZE: usize = ETA1 * 64; const ETA2: usize = 2; -const ETA2_RANDOMNESS_SIZE: usize = 128; +const ETA2_RANDOMNESS_SIZE: usize = ETA2 * 64; -const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = 
800; +const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = SHARED_SECRET_SIZE + CPA_PKE_CIPHERTEXT_SIZE_512; // Kyber 512 types /// An ML-KEM 512 Ciphertext @@ -400,11 +403,6 @@ pub fn validate_private_key( /// /// This function returns an [`MlKem512KeyPair`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem512_generate_keypair $randomness in - valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)") -)] pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem512KeyPair { multiplexing::generate_keypair::< RANK_512, @@ -423,12 +421,6 @@ pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem512 /// The input is a reference to an [`MlKem512PublicKey`] and [`SHARED_SECRET_SIZE`] /// bytes of `randomness`. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem512_encapsulate ${public_key}.f_value $randomness in - let (res_ciphertext, res_shared_secret) = $res in - valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)") -)] pub fn encapsulate( public_key: &MlKem512PublicKey, randomness: [u8; SHARED_SECRET_SIZE], @@ -455,11 +447,6 @@ pub fn encapsulate( /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem512_decapsulate ${private_key}.f_value ${ciphertext}.f_value in - valid ==> $res == shared_secret") -)] pub fn decapsulate( private_key: &MlKem512PrivateKey, ciphertext: &MlKem512Ciphertext, 
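Review bot: The sizes that define the ML-KEM-512 wire format (`CPA_PKE_PUBLIC_KEY_SIZE_512`, `SECRET_KEY_SIZE_512`, `CPA_PKE_CIPHERTEXT_SIZE_512`, `IMPLICIT_REJECTION_HASH_INPUT_SIZE`) are now computed from a chain of other constants, so a wrong value anywhere upstream (in `constants`, or in `RANK_512`/the compression factors above) would silently change key and ciphertext lengths instead of failing to compile; the literals they replace were at least self-evidently the FIPS 203 values. The derived expressions do evaluate to the old literals if `BITS_PER_RING_ELEMENT`, `COEFFICIENTS_IN_RING_ELEMENT`, `BITS_PER_COEFFICIENT`, `H_DIGEST_SIZE` and `SHARED_SECRET_SIZE` carry their usual values, which I cannot see in this hunk. I would pin the derived results with compile-time assertions so the derivation stays a convenience rather than a new failure mode.

```rust
// … unchanged: derived ML-KEM-512 size constants above …

// Pin the derived sizes to the ML-KEM-512 values from FIPS 203 (ek = 800,
// dk = 1632, c = 768 bytes); a wrong upstream constant must fail the build,
// not silently change the wire format.
const _: () = assert!(CPA_PKE_PUBLIC_KEY_SIZE_512 == 800);
const _: () = assert!(SECRET_KEY_SIZE_512 == 1632);
const _: () = assert!(CPA_PKE_CIPHERTEXT_SIZE_512 == 768);
const _: () = assert!(IMPLICIT_REJECTION_HASH_INPUT_SIZE == 800);
```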
diff --git a/libcrux-ml-kem/src/mlkem768.rs b/libcrux-ml-kem/src/mlkem768.rs index 17cf7aadf..4f5f114e3 100644 --- a/libcrux-ml-kem/src/mlkem768.rs +++ b/libcrux-ml-kem/src/mlkem768.rs @@ -398,11 +398,6 @@ pub fn validate_private_key( /// /// This function returns an [`MlKem768KeyPair`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem768_generate_keypair $randomness in - valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)") -)] pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem768KeyPair { multiplexing::generate_keypair::< RANK_768, @@ -421,12 +416,6 @@ pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem768 /// The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`] /// bytes of `randomness`. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem768_encapsulate ${public_key}.f_value $randomness in - let (res_ciphertext, res_shared_secret) = $res in - valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)") -)] pub fn encapsulate( public_key: &MlKem768PublicKey, randomness: [u8; SHARED_SECRET_SIZE], @@ -453,11 +442,6 @@ pub fn encapsulate( /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem768_decapsulate ${private_key}.f_value ${ciphertext}.f_value in - valid ==> $res == shared_secret") -)] pub fn decapsulate( private_key: &MlKem768PrivateKey, ciphertext: &MlKem768Ciphertext, 
diff --git a/libcrux-ml-kem/src/ntt.rs b/libcrux-ml-kem/src/ntt.rs index b3aa4087e..d33d9c077 100644 --- a/libcrux-ml-kem/src/ntt.rs +++ b/libcrux-ml-kem/src/ntt.rs 
@@ -1,168 +1,71 @@ use crate::{ hax_utils::hax_debug_assert, - polynomial::{PolynomialRingElement, VECTORS_IN_RING_ELEMENT, get_zeta}, + polynomial::{PolynomialRingElement, VECTORS_IN_RING_ELEMENT, ZETAS_TIMES_MONTGOMERY_R}, vector::{montgomery_multiply_fe, Operations}, }; #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let ntt_re_range_2 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let ntt_re_range_1 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 63 /\\ - ntt_re_range_2 $re"))] -#[hax_lib::ensures(|result| fstar!("ntt_re_range_1 ${re}_future /\\ - v ${*zeta_i}_future == 127"))] pub(crate) fn ntt_at_layer_1( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, _initial_coefficient_bound: usize, ) { - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #$:Vector)"); - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_1) (ntt_re_range_1 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init + v $round * 4 /\\ - (v round < 16 ==> (forall (i:nat). 
(i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i += 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = Vector::ntt_layer_1_step( re.coefficients[round], - get_zeta (*zeta_i), - get_zeta (*zeta_i + 1), - get_zeta (*zeta_i + 2), - get_zeta (*zeta_i + 3), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 2], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 3], ); *zeta_i += 3; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); } () } #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let ntt_re_range_3 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). 
i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 31 /\\ - ntt_re_range_3 $re"))] -#[hax_lib::ensures(|result| fstar!("ntt_re_range_2 ${re}_future /\\ - v ${*zeta_i}_future == 63"))] pub(crate) fn ntt_at_layer_2( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, _initial_coefficient_bound: usize, ) { - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #$:Vector)"); - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init + v $round * 2 /\\ - (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). 
i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i += 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = Vector::ntt_layer_2_step( re.coefficients[round], - get_zeta (*zeta_i), - get_zeta (*zeta_i + 1), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], ); *zeta_i += 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); } () } #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let ntt_re_range_4 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). 
i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+3*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 15 /\\ - ntt_re_range_4 $re"))] -#[hax_lib::ensures(|result| fstar!("ntt_re_range_3 ${re}_future /\\ - v ${*zeta_i}_future == 31"))] pub(crate) fn ntt_at_layer_3( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, _initial_coefficient_bound: usize, ) { - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_4) (ntt_re_range_4 #$:Vector)"); - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init + v $round /\\ - (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207+3*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). 
i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i += 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+3*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = - Vector::ntt_layer_3_step(re.coefficients[round], get_zeta (*zeta_i)); - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); + Vector::ntt_layer_3_step(re.coefficients[round], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); } () } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 $zeta_r /\\ - (let t = ${montgomery_multiply_fe::} $b $zeta_r in - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\\ - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))"))] fn ntt_layer_int_vec_step( mut a: Vector, mut b: Vector, 
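Review bot: The removed `ntt_re_range_1..4` predicates and the `11207 + k*3328` bounds were the only written justification for why the unreduced i16 butterflies in `ntt_layer_int_vec_step` and the `ntt_layer_*_step` calls do not overflow (each layer grows the coefficient magnitude by at most one multiple of 3328, and `11207 + 6*3328 = 31175` still fits in an `i16`); after this hunk the forward NTT carries no trace of that analysis, and an overflow here would be a silent arithmetic error in the key-generation and encryption path rather than a panic. If the F* annotations are not coming back soon, please keep the bound reasoning as a comment above `ntt_at_layer_1` (or on `ntt_layer_int_vec_step`), stating the per-layer bound and the 31175 < 32767 headroom, so the next change to `montgomery_multiply_fe` or the layer order is reviewed against it. The removed `zeta_i` entry contracts (63, 31, 15 for layers 1, 2, 3) would also be cheap to retain as `debug_assert!`s at function entry. The body of `ntt_layer_int_vec_step` continues outside the hunk.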
@@ -173,28 +76,16 @@ fn ntt_layer_int_vec_step( a = Vector::add(a, &t); (a, b) } - #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("v $layer >= 4 /\\ v $layer <= 7 /\\ - ((v $layer == 4 ==> v ${*zeta_i} == 7) /\\ - (v $layer == 5 ==> v ${*zeta_i} == 3) /\\ - (v $layer == 6 ==> v ${*zeta_i} == 1) /\\ - (v $layer == 7 ==> v ${*zeta_i} == 0))"))] -#[hax_lib::ensures(|result| fstar!("ntt_re_range_4 ${re}_future /\\ - (v $layer == 4 ==> v ${*zeta_i}_future == 15) /\\ - (v $layer == 5 ==> v ${*zeta_i}_future == 7) /\\ - (v $layer == 6 ==> v ${*zeta_i}_future == 3) /\\ - (v $layer == 7 ==> v ${*zeta_i}_future == 1)"))] pub(crate) fn ntt_at_layer_4_plus( zeta_i: &mut usize, re: &mut PolynomialRingElement, layer: usize, _initial_coefficient_bound: usize, ) { + debug_assert!(layer >= 4); let step = 1 << layer; - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..(128 >> layer) { @@ -208,7 +99,7 @@ pub(crate) fn ntt_at_layer_4_plus( let (x, y) = ntt_layer_int_vec_step( re.coefficients[j], re.coefficients[j + step_vec], - get_zeta (*zeta_i), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], ); re.coefficients[j] = x; re.coefficients[j + step_vec] = y; 
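Review bot: The added `debug_assert!(layer >= 4)` replaces only part of the precondition removed just above it: it is compiled out of release builds, drops the upper bound `layer <= 7` (above 7 the `1 << layer` step overruns the 16-vector element array, saved only by `128 >> layer` becoming 0), and says nothing about the `zeta_i` entry values the old `requires` fixed per layer (7, 3, 1, 0). The per-layer values collapse to one expression, so I would write `debug_assert!((4..=7).contains(&layer));` followed by `debug_assert!(*zeta_i == (128 >> layer) - 1);`, which also documents the index contract that `ZETAS_TIMES_MONTGOMERY_R[*zeta_i]` in the second hunk relies on. The loop body of `ntt_at_layer_4_plus` lies between and after these two hunks, so I cannot see whether anything else checks the index.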
@@ -218,36 +109,11 @@ pub(crate) fn ntt_at_layer_4_plus( } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -//We should make the loops inside this function `opaque_to_smt` to get it work -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let ntt_layer_7_pre (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re_0 re_1: v_Vector) = - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_1) i) * v (-1600s))) /\\ - (let t = Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant re_1 (-1600s) in - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\\ - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))")] -#[hax_lib::requires(fstar!("forall i. i < 8 ==> ntt_layer_7_pre (${re}.f_coefficients.[ sz i ]) - (${re}.f_coefficients.[ sz i +! sz 8 ])"))] pub(crate) fn ntt_at_layer_7(re: &mut PolynomialRingElement) { let step = VECTORS_IN_RING_ELEMENT / 2; - hax_lib::fstar!("assert (v $step == 8)"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for j in 0..step { - hax_lib::loop_invariant!(|j: usize| { fstar!("(v j < 8 ==> - (forall (i:nat). (i >= v j /\\ i < 8) ==> - ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ])))") }); - hax_lib::fstar!("reveal_opaque (`%ntt_layer_7_pre) (ntt_layer_7_pre #$:Vector)"); let t = Vector::multiply_by_constant(re.coefficients[j + step], -1600); re.coefficients[j + step] = Vector::sub(re.coefficients[j], &t); re.coefficients[j] = Vector::add(re.coefficients[j], &t); 
@@ -256,9 +122,6 @@ pub(crate) fn ntt_at_layer_7(re: &mut PolynomialRingElement< } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 200")] -#[hax_lib::requires(fstar!("forall i. i < 8 ==> ntt_layer_7_pre (${re}.f_coefficients.[ sz i ]) - (${re}.f_coefficients.[ sz i +! sz 8 ])"))] pub(crate) fn ntt_binomially_sampled_ring_element( re: &mut PolynomialRingElement, ) { @@ -267,18 +130,17 @@ pub(crate) fn ntt_binomially_sampled_ring_element( ntt_at_layer_7(re); let mut zeta_i = 1; - ntt_at_layer_4_plus(&mut zeta_i, re, 6, 11207); - ntt_at_layer_4_plus(&mut zeta_i, re, 5, 11207+3328); - ntt_at_layer_4_plus(&mut zeta_i, re, 4, 11207+2*3328); - ntt_at_layer_3(&mut zeta_i, re, 3, 11207+3*3328); - ntt_at_layer_2(&mut zeta_i, re, 2, 11207+4*3328); - ntt_at_layer_1(&mut zeta_i, re, 1, 11207+5*3328); + ntt_at_layer_4_plus(&mut zeta_i, re, 6, 3); + ntt_at_layer_4_plus(&mut zeta_i, re, 5, 3); + ntt_at_layer_4_plus(&mut zeta_i, re, 4, 3); + ntt_at_layer_3(&mut zeta_i, re, 3, 3); + ntt_at_layer_2(&mut zeta_i, re, 2, 3); + ntt_at_layer_1(&mut zeta_i, re, 1, 3); re.poly_barrett_reduce() } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 200")] pub(crate) fn ntt_vector_u( re: &mut PolynomialRingElement, ) { 
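Review bot: The `_initial_coefficient_bound` arguments in ntt_binomially_sampled_ring_element change from the documented per-layer bounds (`11207`, `11207+3328`, ...) to a uniform `3`, but the parameter is unused in ntt_at_layer_4_plus (leading underscore), so these values carry no meaning at runtime and the old values were the only record of the coefficient bound at each layer. Either drop the parameter from the signature and the six calls, or keep the previous values with a comment that they document the bound rather than enforce it. If `3` is meant as the input bound after binomial sampling and the per-layer growth is to be recomputed later, a `// TODO` saying so would stop the next reader from treating these as wrong.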
@@ -289,12 +151,12 @@ pub(crate) fn ntt_vector_u i16 { - ZETAS_TIMES_MONTGOMERY_R[i] -} +]; pub(crate) const VECTORS_IN_RING_ELEMENT: usize = super::constants::COEFFICIENTS_IN_RING_ELEMENT / FIELD_ELEMENTS_IN_VECTOR; -#[cfg_attr(hax, hax_lib::fstar::after(interface, "let to_spec_matrix_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (m:t_Array (t_Array (t_PolynomialRingElement v_Vector) r) r) : Spec.MLKEM.matrix r = - createi r (fun i -> to_spec_vector_t #r #v_Vector (m.[i]))"))] -#[cfg_attr(hax, hax_lib::fstar::after(interface, "let to_spec_vector_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (m:t_Array (t_PolynomialRingElement v_Vector) r) : Spec.MLKEM.vector r = - createi r (fun i -> to_spec_poly_t #v_Vector (m.[i]))"))] -#[cfg_attr(hax, hax_lib::fstar::after(interface, "let to_spec_poly_t (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (p: t_PolynomialRingElement v_Vector) : Spec.MLKEM.polynomial = - admit()"))] // XXX: We don't want to copy this. But for eurydice we have to have this. #[derive(Clone, Copy)] pub(crate) struct PolynomialRingElement { pub(crate) coefficients: [Vector; VECTORS_IN_RING_ELEMENT], } -#[hax_lib::attributes] impl PolynomialRingElement { #[allow(non_snake_case)] pub(crate) fn ZERO() -> Self { @@ -52,7 +30,6 @@ impl PolynomialRingElement { } #[inline(always)] - #[requires(VECTORS_IN_RING_ELEMENT * 16 <= a.len())] pub(crate) fn from_i16_array(a: &[i16]) -> Self { let mut result = PolynomialRingElement::ZERO(); for i in 0..VECTORS_IN_RING_ELEMENT { 
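Review bot: from_i16_array loses its `VECTORS_IN_RING_ELEMENT * 16 <= a.len()` precondition with no runtime replacement, while comparable length preconditions in this commit (sampling.rs, serialize.rs) were turned into `hax_debug_assert!` calls. For consistency, and because the loop in the body (which continues outside the hunk) presumably reads `a` in 16-element chunks, add `hax_debug_assert!(a.len() >= VECTORS_IN_RING_ELEMENT * 16);` after `let mut result = PolynomialRingElement::ZERO();`, with the same `hax_utils::hax_debug_assert` import the commit adds elsewhere. The first hunk on this line is garbled by extraction (the polynomial.rs file header and the start of the `get_zeta` removal are missing), so I have not reviewed it.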
@@ -65,7 +42,6 @@ impl PolynomialRingElement { /// sum of their constituent coefficients. #[inline(always)] pub(crate) fn add_to_ring_element(&mut self, rhs: &Self) { - hax_lib::fstar!("admit ()"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for i in 0..self.coefficients.len() { @@ -76,8 +52,6 @@ impl PolynomialRingElement { #[inline(always)] pub fn poly_barrett_reduce(&mut self) { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for i in 0..VECTORS_IN_RING_ELEMENT { @@ -88,8 +62,6 @@ impl PolynomialRingElement { #[inline(always)] pub(crate) fn subtract_reduce(&self, mut b: Self) -> Self { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); for i in 0..VECTORS_IN_RING_ELEMENT { let coefficient_normal_form = Vector::montgomery_multiply_by_constant(b.coefficients[i], 1441); @@ -101,8 +73,6 @@ impl PolynomialRingElement { #[inline(always)] pub(crate) fn add_message_error_reduce(&self, message: &Self, mut result: Self) -> Self { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); for i in 0..VECTORS_IN_RING_ELEMENT { let coefficient_normal_form = Vector::montgomery_multiply_by_constant(result.coefficients[i], 1441); 
@@ -132,8 +102,6 @@ impl PolynomialRingElement { #[inline(always)] pub(crate) fn add_error_reduce(&mut self, error: &Self) { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for j in 0..VECTORS_IN_RING_ELEMENT { @@ -150,8 +118,6 @@ impl PolynomialRingElement { #[inline(always)] pub(crate) fn add_standard_error_reduce(&mut self, error: &Self) { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for j in 0..VECTORS_IN_RING_ELEMENT { @@ -207,8 +173,6 @@ impl PolynomialRingElement { // ))))] #[inline(always)] pub(crate) fn ntt_multiply(&self, rhs: &Self) -> Self { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); // hax_debug_debug_assert!(lhs // .coefficients // .into_iter() @@ -220,10 +184,10 @@ impl PolynomialRingElement { out.coefficients[i] = Vector::ntt_multiply( &self.coefficients[i], &rhs.coefficients[i], - get_zeta (64 + 4 * i), - get_zeta (64 + 4 * i + 1), - get_zeta (64 + 4 * i + 2), - get_zeta (64 + 4 * i + 3), + ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i], + ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i + 1], + ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i + 2], + ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i + 3], ); } diff --git a/libcrux-ml-kem/src/sampling.rs b/libcrux-ml-kem/src/sampling.rs index 094334c58..d71a0f8a1 100644 --- a/libcrux-ml-kem/src/sampling.rs +++ b/libcrux-ml-kem/src/sampling.rs 
@@ -1,5 +1,5 @@ use crate::{ - constants::COEFFICIENTS_IN_RING_ELEMENT, hash_functions::*, + constants::COEFFICIENTS_IN_RING_ELEMENT, hash_functions::*, hax_utils::hax_debug_assert, helper::cloop, polynomial::PolynomialRingElement, vector::Operations, }; @@ -71,15 +71,14 @@ fn sample_from_uniform_distribution_next>( seeds: [[u8; 34]; K], ) -> [PolynomialRingElement; K] { let mut sampled_coefficients: [usize; K] = [0; K]; let mut out: [[i16; 272]; K] = [[0; 272]; K]; - let mut xof_state = Hasher::shake128_init_absorb_final(seeds); - let randomness = xof_state.shake128_squeeze_first_three_blocks(); + let mut xof_state = Hasher::shake128_init_absorb(seeds); + let randomness = xof_state.shake128_squeeze_three_blocks(); let mut done = sample_from_uniform_distribution_next::( randomness, @@ -93,7 +92,7 @@ pub(super) fn sample_from_xof( randomness, &mut sampled_coefficients, @@ -152,19 +151,16 @@ pub(super) fn sample_from_xof. -#[hax_lib::requires(randomness.len() == 2 * 64)] +#[cfg_attr(hax, hax_lib::requires(randomness.len() == 2 * 64))] // TODO: Remove or replace with something that works and is useful for the proof. // #[cfg_attr(hax, hax_lib::ensures(|result| // hax_lib::forall(|i:usize| // hax_lib::implies(i < result.coefficients.len(), || result.coefficients[i].abs() <= 2 // ))))] #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 800")] fn sample_from_binomial_distribution_2( randomness: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (sz 2 *! sz 64) == 128); - assert (Seq.length $randomness == 128)"); let mut sampled_i16s = [0i16; 256]; cloop! { 
@@ -176,21 +172,12 @@ fn sample_from_binomial_distribution_2( let even_bits = random_bits_as_u32 & 0x55555555; let odd_bits = (random_bits_as_u32 >> 1) & 0x55555555; - hax_lib::fstar!("logand_lemma $random_bits_as_u32 1431655765ul; - logand_lemma ($random_bits_as_u32 >>! 1l) 1431655765ul"); let coin_toss_outcomes = even_bits + odd_bits; cloop! { for outcome_set in (0..u32::BITS).step_by(4) { let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x3) as i16; let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 2)) & 0x3) as i16; - hax_lib::fstar!("logand_lemma ($coin_toss_outcomes >>! $outcome_set <: u32) 3ul; - logand_lemma ($coin_toss_outcomes >>! ($outcome_set +! 2ul <: u32) <: u32) 3ul; - assert (v $outcome_1 >= 0 /\\ v $outcome_1 <= 3); - assert (v $outcome_2 >= 0 /\\ v $outcome_2 <= 3); - assert (v $chunk_number <= 31); - assert (v (sz 8 *! $chunk_number <: usize) <= 248); - assert (v (cast ($outcome_set >>! 2l <: u32) <: usize) <= 7)"); let offset = (outcome_set >> 2) as usize; sampled_i16s[8 * chunk_number + offset] = outcome_1 - outcome_2; @@ -201,19 +188,16 @@ fn sample_from_binomial_distribution_2( PolynomialRingElement::from_i16_array(&sampled_i16s) } -#[hax_lib::requires(randomness.len() == 3 * 64)] +#[cfg_attr(hax, hax_lib::requires(randomness.len() == 3 * 64))] // TODO: Remove or replace with something that works and is useful for the proof. // #[cfg_attr(hax, hax_lib::ensures(|result| // hax_lib::forall(|i:usize| // hax_lib::implies(i < result.coefficients.len(), || result.coefficients[i].abs() <= 3 // ))))] #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 800")] fn sample_from_binomial_distribution_3( randomness: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (sz 3 *! sz 64) == 192); - assert (Seq.length $randomness == 192)"); let mut sampled_i16s = [0i16; 256]; cloop! { 
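Review bot: The deleted F* assertions in sample_from_binomial_distribution_2 were the only statement of why `sampled_i16s[8 * chunk_number + offset]` stays in bounds (`chunk_number <= 31`, `offset <= 7`); the same applies to the `4 * chunk_number + offset` index in sample_from_binomial_distribution_3 in the next hunk. A short comment keeps that reasoning with the code: `// 128 bytes in 4-byte chunks => chunk_number <= 31; offset = outcome_set >> 2 <= 7, so the index is < 256.` The chunk loop header is outside the hunk, so the 4-byte chunking is inferred from `random_bits_as_u32` and the `2 * 64` length precondition.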
@@ -224,9 +208,6 @@ fn sample_from_binomial_distribution_3( let first_bits = random_bits_as_u24 & 0x00249249; let second_bits = (random_bits_as_u24 >> 1) & 0x00249249; let third_bits = (random_bits_as_u24 >> 2) & 0x00249249; - hax_lib::fstar!("logand_lemma $random_bits_as_u24 2396745ul; - logand_lemma ($random_bits_as_u24 >>! 1l <: u32) 2396745ul; - logand_lemma ($random_bits_as_u24 >>! 2l <: u32) 2396745ul"); let coin_toss_outcomes = first_bits + second_bits + third_bits; @@ -234,13 +215,6 @@ fn sample_from_binomial_distribution_3( for outcome_set in (0..24).step_by(6) { let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x7) as i16; let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 3)) & 0x7) as i16; - hax_lib::fstar!("logand_lemma ($coin_toss_outcomes >>! $outcome_set <: u32) 7ul; - logand_lemma ($coin_toss_outcomes >>! ($outcome_set +! 3l <: i32) <: u32) 7ul; - assert (v $outcome_1 >= 0 /\\ v $outcome_1 <= 7); - assert (v $outcome_2 >= 0 /\\ v $outcome_2 <= 7); - assert (v $chunk_number <= 63); - assert (v (sz 4 *! $chunk_number <: usize) <= 252); - assert (v (cast ($outcome_set /! 6l <: i32) <: usize) <= 3)"); let offset = (outcome_set / 6) as usize; sampled_i16s[4 * chunk_number + offset] = outcome_1 - outcome_2; @@ -252,13 +226,11 @@ fn sample_from_binomial_distribution_3( } #[inline(always)] -#[hax_lib::requires((ETA == 2 || ETA == 3) && randomness.len() == ETA * 64)] pub(super) fn sample_from_binomial_distribution( randomness: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert ( - (v (cast $ETA <: u32) == 2) \\/ - (v (cast $ETA <: u32) == 3))"); + hax_debug_assert!(randomness.len() == ETA * 64); + match ETA as u32 { 2 => sample_from_binomial_distribution_2(randomness), 3 => sample_from_binomial_distribution_3(randomness), diff --git a/libcrux-ml-kem/src/serialize.rs b/libcrux-ml-kem/src/serialize.rs index 9e059baf7..44736b59d 100644 --- a/libcrux-ml-kem/src/serialize.rs +++ b/libcrux-ml-kem/src/serialize.rs 
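Review bot: The `hax_debug_assert!(randomness.len() == ETA * 64);` in sample_from_binomial_distribution replaces a precondition that also required `ETA == 2 || ETA == 3`; the ETA constraint now rests only on the `match` (whose fallback arm is outside the hunk), and if `hax_debug_assert!` expands to a debug-only check the length condition disappears from release builds entirely. Since the two helpers consume `randomness` in fixed-size chunks, a wrong-length slice in release would surface as an index panic or silently ignored trailing bytes rather than a clear error. I would state the contract in a doc comment on the function: `/// ETA must be 2 or 3 and randomness must be exactly ETA * 64 bytes (checked only in debug/hax builds).`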
@@ -1,49 +1,18 @@ use crate::{ - constants::{COEFFICIENTS_IN_RING_ELEMENT, BYTES_PER_RING_ELEMENT, SHARED_SECRET_SIZE}, + constants::{BYTES_PER_RING_ELEMENT, SHARED_SECRET_SIZE}, + hax_utils::hax_debug_assert, helper::cloop, polynomial::{PolynomialRingElement, VECTORS_IN_RING_ELEMENT}, - vector::{decompress_1, to_unsigned_representative, Operations, FIELD_MODULUS}, + vector::{decompress_1, to_unsigned_representative, Operations}, }; #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] -let coefficients_field_modulus_range (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> field_modulus_range (Seq.index re.f_coefficients i)")] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] -let field_modulus_range (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (a: v_Vector) = - let coef = Libcrux_ml_kem.Vector.Traits.f_to_i16_array a in - forall (i:nat). i < 16 ==> v (Seq.index coef i) > -(v $FIELD_MODULUS) /\\ - v (Seq.index coef i) < v $FIELD_MODULUS")] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("field_modulus_range $a"))] -#[hax_lib::ensures(|result| fstar!("forall (i:nat). 
i < 16 ==> - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) >= 0 /\\ - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) < v $FIELD_MODULUS"))] -pub(super) fn to_unsigned_field_modulus( - a: Vector, -) -> Vector { - hax_lib::fstar!("reveal_opaque (`%field_modulus_range) (field_modulus_range #$:Vector)"); - to_unsigned_representative::(a) -} - -#[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("coefficients_field_modulus_range $re"))] pub(super) fn compress_then_serialize_message( re: PolynomialRingElement, ) -> [u8; SHARED_SECRET_SIZE] { let mut serialized = [0u8; SHARED_SECRET_SIZE]; for i in 0..16 { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i < 16 ==> - coefficients_field_modulus_range $re") }); - hax_lib::fstar!("assert (2 * v $i + 2 <= 32)"); - hax_lib::fstar!("reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #$:Vector)"); - let coefficient = to_unsigned_field_modulus(re.coefficients[i]); + let coefficient = to_unsigned_representative::(re.coefficients[i]); let coefficient_compressed = Vector::compress_1(coefficient); let bytes = Vector::serialize_1(coefficient_compressed); @@ -52,9 +21,7 @@ pub(super) fn compress_then_serialize_message( serialized } - #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] pub(super) fn deserialize_then_decompress_message( serialized: [u8; SHARED_SECRET_SIZE], ) -> PolynomialRingElement { 
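Review bot: `COEFFICIENTS_IN_RING_ELEMENT` is dropped from the `use crate::constants::{...}` list in this hunk, yet the new `hax_debug_assert!` calls added later in this file (compress_then_serialize_ring_element_u, compress_then_serialize_ring_element_v and the deserialize_then_decompress_* functions) reference it; unless `hax_debug_assert!` discards its argument tokens outside hax builds, serialize.rs will not compile. Keep the import: `constants::{BYTES_PER_RING_ELEMENT, COEFFICIENTS_IN_RING_ELEMENT, SHARED_SECRET_SIZE},`. Separately, removing to_unsigned_field_modulus takes with it the only statement of the `0 <= result < FIELD_MODULUS` guarantee the serializers rely on; a one-line comment at the first `to_unsigned_representative` call site would preserve it.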
@@ -67,20 +34,12 @@ pub(super) fn deserialize_then_decompress_message( } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("coefficients_field_modulus_range $re"))] pub(super) fn serialize_uncompressed_ring_element( re: &PolynomialRingElement, ) -> [u8; BYTES_PER_RING_ELEMENT] { - hax_lib::fstar!("assert_norm (pow2 12 == 4096)"); let mut serialized = [0u8; BYTES_PER_RING_ELEMENT]; for i in 0..VECTORS_IN_RING_ELEMENT { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i >= 0 /\\ v $i <= 16 /\\ - v $i < 16 ==> coefficients_field_modulus_range $re") }); - hax_lib::fstar!("assert (24 * v $i + 24 <= 384)"); - hax_lib::fstar!("reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #$:Vector)"); - let coefficient = to_unsigned_field_modulus(re.coefficients[i]); + let coefficient = to_unsigned_representative::(re.coefficients[i]); let bytes = Vector::serialize_12(coefficient); serialized[24 * i..24 * i + 24].copy_from_slice(&bytes); @@ -89,13 +48,11 @@ pub(super) fn serialize_uncompressed_ring_element( } #[inline(always)] -#[hax_lib::requires( - serialized.len() == BYTES_PER_RING_ELEMENT -)] pub(super) fn deserialize_to_uncompressed_ring_element( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v $BYTES_PER_RING_ELEMENT / 24 == 16)"); + hax_debug_assert!(serialized.len() == BYTES_PER_RING_ELEMENT); + let mut re = PolynomialRingElement::::ZERO(); cloop! { 
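Review bot: deserialize_to_uncompressed_ring_element (and deserialize_to_reduced_ring_element on the next line) now check `serialized.len() == BYTES_PER_RING_ELEMENT` only through `hax_debug_assert!`; if that macro is compiled out in release, a short or long input reaches the chunked loop (which continues outside the hunk) unchecked. With exact-size chunking a too-long slice would be silently truncated and a too-short one would leave trailing vectors at ZERO, which for public-key and ciphertext parsing is a quieter failure than the verified precondition gave. If these entry points can be reached with slices whose length is not fixed by the caller's array type, a real `assert!` or a `Result` return is the safer replacement; if every caller passes a fixed-size array, a comment saying so would justify the debug-only check.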
@@ -111,14 +68,11 @@ pub(super) fn deserialize_to_uncompressed_ring_element( /// /// This MUST NOT be used with secret inputs, like its caller `deserialize_ring_elements_reduced`. #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires( - serialized.len() == BYTES_PER_RING_ELEMENT -)] fn deserialize_to_reduced_ring_element( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v $BYTES_PER_RING_ELEMENT / 24 == 16)"); + hax_debug_assert!(serialized.len() == BYTES_PER_RING_ELEMENT); + let mut re = PolynomialRingElement::::ZERO(); cloop! { @@ -135,23 +89,15 @@ fn deserialize_to_reduced_ring_element( /// /// This function MUST NOT be used on secret inputs. #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires( - fstar!("Spec.MLKEM.is_rank v_K /\\ - Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)") -)] -#[hax_lib::ensures(|result| - fstar!("forall (i:nat). i < v $K ==> - coefficients_field_modulus_range (Seq.index $result i)") -)] pub(super) fn deserialize_ring_elements_reduced_out< + const PUBLIC_KEY_SIZE: usize, const K: usize, Vector: Operations, >( public_key: &[u8], ) -> [PolynomialRingElement; K] { let mut deserialized_pk = core::array::from_fn(|_i| PolynomialRingElement::::ZERO()); - deserialize_ring_elements_reduced::( + deserialize_ring_elements_reduced::( public_key, &mut deserialized_pk, ); @@ -160,11 +106,8 @@ pub(super) fn deserialize_ring_elements_reduced_out< /// See [deserialize_ring_elements_reduced_out]. #[inline(always)] -#[hax_lib::requires( - fstar!("Spec.MLKEM.is_rank v_K /\\ - Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)") -)] pub(super) fn deserialize_ring_elements_reduced< + const PUBLIC_KEY_SIZE: usize, const K: usize, Vector: Operations, >( 
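Review bot: deserialize_ring_elements_reduced_out and deserialize_ring_elements_reduced gain a `const PUBLIC_KEY_SIZE: usize` parameter, but nothing in the visible hunks uses it beyond forwarding (the turbofish arguments were stripped by extraction), and the removed precondition `Seq.length public_key == v_T_AS_NTT_ENCODED_SIZE v_K` has no replacement. If the new parameter is meant to carry that length, `hax_debug_assert!(public_key.len() == PUBLIC_KEY_SIZE);` at the top of deserialize_ring_elements_reduced would tie it to the input; otherwise a doc comment explaining what PUBLIC_KEY_SIZE is for would help. The body of deserialize_ring_elements_reduced is outside the hunk, so the parameter may be used there.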
@@ -183,21 +126,13 @@ pub(super) fn deserialize_ring_elements_reduced< } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("v $OUT_LEN == 320 /\\ coefficients_field_modulus_range $re"))] fn compress_then_serialize_10( re: &PolynomialRingElement, ) -> [u8; OUT_LEN] { - hax_lib::fstar!("assert_norm (pow2 10 == 1024)"); let mut serialized = [0u8; OUT_LEN]; for i in 0..VECTORS_IN_RING_ELEMENT { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i >= 0 /\\ v $i <= 16 /\\ - v $i < 16 ==> coefficients_field_modulus_range $re") }); - hax_lib::fstar!("assert (20 * v $i + 20 <= 320)"); - hax_lib::fstar!("reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #$:Vector)"); let coefficient = - Vector::compress::<10>(to_unsigned_field_modulus(re.coefficients[i])); + Vector::compress::<10>(to_unsigned_representative::(re.coefficients[i])); let bytes = Vector::serialize_10(coefficient); serialized[20 * i..20 * i + 20].copy_from_slice(&bytes); @@ -206,7 +141,6 @@ fn compress_then_serialize_10( } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] fn compress_then_serialize_11( re: &PolynomialRingElement, ) -> [u8; OUT_LEN] { @@ -222,8 +156,6 @@ fn compress_then_serialize_11( } #[inline(always)] -#[hax_lib::requires(fstar!("(v $COMPRESSION_FACTOR == 10 \\/ v $COMPRESSION_FACTOR == 11) /\\ - v $OUT_LEN == 32 * v $COMPRESSION_FACTOR /\\ coefficients_field_modulus_range $re"))] pub(super) fn compress_then_serialize_ring_element_u< const COMPRESSION_FACTOR: usize, const OUT_LEN: usize, 
@@ -231,10 +163,8 @@ pub(super) fn compress_then_serialize_ring_element_u< >( re: &PolynomialRingElement, ) -> [u8; OUT_LEN] { - hax_lib::fstar!("assert ( - (v (cast $COMPRESSION_FACTOR <: u32) == 10) \\/ - (v (cast $COMPRESSION_FACTOR <: u32) == 11)); - Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v $COMPRESSION_FACTOR)"); + hax_debug_assert!((COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8 == OUT_LEN); + match COMPRESSION_FACTOR as u32 { 10 => compress_then_serialize_10(re), 11 => compress_then_serialize_11(re), @@ -243,28 +173,15 @@ pub(super) fn compress_then_serialize_ring_element_u< } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Seq.length $serialized == 128 /\\ - coefficients_field_modulus_range $re"))] -#[hax_lib::ensures(|_| - fstar!("${serialized_future.len()} == ${serialized.len()}") -)] fn compress_then_serialize_4( re: PolynomialRingElement, serialized: &mut [u8], ) { - hax_lib::fstar!("assert_norm (pow2 4 == 16)"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for i in 0..VECTORS_IN_RING_ELEMENT { - // NOTE: Using `$serialized` in loop_invariant doesn't work here - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i >= 0 /\\ v $i <= 16 /\\ - v $i < 16 ==> (Seq.length serialized == 128 /\\ coefficients_field_modulus_range $re)") }); - hax_lib::fstar!("assert (8 * v $i + 8 <= 128)"); - hax_lib::fstar!("reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #$:Vector)"); let coefficient = - Vector::compress::<4>(to_unsigned_field_modulus(re.coefficients[i])); + Vector::compress::<4>(to_unsigned_representative::(re.coefficients[i])); let bytes = Vector::serialize_4(coefficient); serialized[8 * i..8 * i + 8].copy_from_slice(&bytes); 
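Review bot: compress_then_serialize_4 loses both `Seq.length serialized == 128` and the ensures on the length of `serialized`, while the dispatchers compress_then_serialize_ring_element_u/_v in the same commit gain `hax_debug_assert!` length checks; compress_then_serialize_5 on the next line loses `serialized.len() == 160` the same way. For consistency, add `hax_debug_assert!(serialized.len() == 128);` before the loop in compress_then_serialize_4 (and the 160 variant in _5); a too-long `serialized` would otherwise be silently partially written by `serialized[8 * i..8 * i + 8].copy_from_slice(&bytes)`. The remainder of compress_then_serialize_4's loop is outside the hunk.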
@@ -273,13 +190,6 @@ fn compress_then_serialize_4( } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires( - serialized.len() == 160 -)] -#[hax_lib::ensures(|_| - fstar!("${serialized_future.len()} == ${serialized.len()}") -)] fn compress_then_serialize_5( re: PolynomialRingElement, serialized: &mut [u8], @@ -297,11 +207,6 @@ fn compress_then_serialize_5( } #[inline(always)] -#[hax_lib::requires(fstar!("(v $COMPRESSION_FACTOR == 4 \\/ v $COMPRESSION_FACTOR == 5) /\\ v $OUT_LEN == 32 * v $COMPRESSION_FACTOR /\\ - Seq.length $out == v $OUT_LEN /\\ coefficients_field_modulus_range $re"))] -#[hax_lib::ensures(|_| - fstar!("${out_future.len()} == ${out.len()}") -)] pub(super) fn compress_then_serialize_ring_element_v< const COMPRESSION_FACTOR: usize, const OUT_LEN: usize, @@ -310,10 +215,8 @@ pub(super) fn compress_then_serialize_ring_element_v< re: PolynomialRingElement, out: &mut [u8], ) { - hax_lib::fstar!("assert ( - (v (cast $COMPRESSION_FACTOR <: u32) == 4) \\/ - (v (cast $COMPRESSION_FACTOR <: u32) == 5)); - Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v $COMPRESSION_FACTOR)"); + hax_debug_assert!((COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8 == OUT_LEN); + match COMPRESSION_FACTOR as u32 { 4 => compress_then_serialize_4(re, out), 5 => compress_then_serialize_5(re, out), @@ -322,16 +225,13 @@ pub(super) fn compress_then_serialize_ring_element_v< } #[inline(always)] -#[hax_lib::requires( - serialized.len() == 320 -)] fn deserialize_then_decompress_10( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! sz 8) == 320)"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 10) / 8); + let mut re = PolynomialRingElement::::ZERO(); - let _coefficients_length = re.coefficients.len(); cloop! { for (i, bytes) in serialized.chunks_exact(20).enumerate() { let coefficient = Vector::deserialize_10(bytes); 
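Review bot: The `hax_debug_assert!((COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8 == OUT_LEN);` in compress_then_serialize_ring_element_v checks the const generics against each other but not against the slice, whereas the removed precondition also required `Seq.length out == OUT_LEN`; `out: &mut [u8]` is not tied to OUT_LEN by the type system. Add `hax_debug_assert!(out.len() == OUT_LEN);` alongside it so the debug build still catches a mis-sized buffer before compress_then_serialize_4/5 write into it.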
@@ -342,13 +242,11 @@ fn deserialize_then_decompress_10( } #[inline(always)] -#[hax_lib::requires( - serialized.len() == 352 -)] fn deserialize_then_decompress_11( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352)"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 11) / 8); + let mut re = PolynomialRingElement::::ZERO(); cloop! { @@ -362,19 +260,14 @@ fn deserialize_then_decompress_11( } #[inline(always)] -#[hax_lib::requires( - (COMPRESSION_FACTOR == 10 || COMPRESSION_FACTOR == 11) && - serialized.len() == 32 * COMPRESSION_FACTOR -)] pub(super) fn deserialize_then_decompress_ring_element_u< const COMPRESSION_FACTOR: usize, Vector: Operations, >( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert ( - (v (cast $COMPRESSION_FACTOR <: u32) == 10) \\/ - (v (cast $COMPRESSION_FACTOR <: u32) == 11))"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8); + match COMPRESSION_FACTOR as u32 { 10 => deserialize_then_decompress_10(serialized), 11 => deserialize_then_decompress_11(serialized), @@ -383,15 +276,11 @@ pub(super) fn deserialize_then_decompress_ring_element_u< } #[inline(always)] -#[hax_lib::requires( - serialized.len() == 128 -)] fn deserialize_then_decompress_4( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! sz 8) == 128)"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 4) / 8); let mut re = PolynomialRingElement::::ZERO(); - cloop! { for (i, bytes) in serialized.chunks_exact(8).enumerate() { let coefficient = Vector::deserialize_4(bytes); 
@@ -402,13 +291,11 @@ fn deserialize_then_decompress_4( } #[inline(always)] -#[hax_lib::requires( - serialized.len() == 160 -)] fn deserialize_then_decompress_5( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! sz 8) == 160)"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 5) / 8); + let mut re = PolynomialRingElement::::ZERO(); cloop! { @@ -421,19 +308,14 @@ fn deserialize_then_decompress_5( } #[inline(always)] -#[hax_lib::requires( - (COMPRESSION_FACTOR == 4 || COMPRESSION_FACTOR == 5) && - serialized.len() == 32 * COMPRESSION_FACTOR -)] pub(super) fn deserialize_then_decompress_ring_element_v< const COMPRESSION_FACTOR: usize, Vector: Operations, >( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert ( - (v (cast $COMPRESSION_FACTOR <: u32) == 4) \\/ - (v (cast $COMPRESSION_FACTOR <: u32) == 5))"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8); + match COMPRESSION_FACTOR as u32 { 4 => deserialize_then_decompress_4(serialized), 5 => deserialize_then_decompress_5(serialized), diff --git a/libcrux-ml-kem/src/types.rs b/libcrux-ml-kem/src/types.rs index b1ff9dc03..b13a8e8dd 100644 --- a/libcrux-ml-kem/src/types.rs +++ b/libcrux-ml-kem/src/types.rs @@ -48,10 +48,8 @@ macro_rules! impl_generic_struct { } } - #[hax_lib::attributes] impl $name { /// A reference to the raw byte slice. - #[ensures(|result| fstar!("$result == self.f_value"))] pub fn as_slice(&self) -> &[u8; SIZE] { &self.value } @@ -148,7 +146,6 @@ pub struct MlKemKeyPair, } -#[hax_lib::attributes] impl MlKemKeyPair { @@ -161,7 +158,6 @@ impl } /// Create a new [`MlKemKeyPair`] from the secret and public key. - #[ensures(|result| fstar!("${result}.f_sk == $sk /\\ ${result}.f_pk == $pk"))] pub fn from( sk: MlKemPrivateKey, pk: MlKemPublicKey, 
diff --git a/libcrux-ml-kem/src/utils.rs b/libcrux-ml-kem/src/utils.rs index 62590aa13..3c3be2bcc 100644 --- a/libcrux-ml-kem/src/utils.rs +++ b/libcrux-ml-kem/src/utils.rs @@ -8,16 +8,9 @@ #[cfg_attr(hax, hax_lib::requires( slice.len() <= LEN ))] -#[cfg_attr(hax, hax_lib::ensures(|result| - fstar!("$result == Seq.append $slice (Seq.create (v $LEN - v (${slice.len()})) 0uy)")))] pub(crate) fn into_padded_array(slice: &[u8]) -> [u8; LEN] { let mut out = [0u8; LEN]; out[0..slice.len()].copy_from_slice(slice); - hax_lib::fstar!("assert (Seq.slice out 0 (Seq.length slice) == slice)"); - hax_lib::fstar!("assert (Seq.slice out (Seq.length slice) (v v_LEN) == Seq.slice (Seq.create (v v_LEN) 0uy) (Seq.length slice) (v v_LEN))"); - hax_lib::fstar!("assert (forall i. i < Seq.length slice ==> Seq.index out i == Seq.index slice i)"); - hax_lib::fstar!("assert (forall i. (i >= Seq.length slice && i < v v_LEN) ==> Seq.index out i == Seq.index (Seq.slice out (Seq.length slice) (v v_LEN)) (i - Seq.length slice))"); - hax_lib::fstar!("Seq.lemma_eq_intro out (Seq.append slice (Seq.create (v v_LEN - Seq.length slice) 0uy))"); out } diff --git a/libcrux-ml-kem/src/variant.rs b/libcrux-ml-kem/src/variant.rs index 0ce3c7182..46f5916e2 100644 --- a/libcrux-ml-kem/src/variant.rs +++ b/libcrux-ml-kem/src/variant.rs 
@@ -9,18 +9,12 @@ use crate::{constants::CPA_PKE_KEY_GENERATION_SEED_SIZE, hash_functions::Hash, M /// NIST PQ competition. /// /// cf. FIPS 203, Appendix C -#[hax_lib::attributes] pub(crate) trait Variant { - #[requires(shared_secret.len() == 32)] - #[ensures(|res| fstar!("$res == $shared_secret"))] // We only have post-conditions for ML-KEM, not Kyber fn kdf>( shared_secret: &[u8], ciphertext: &MlKemCiphertext, ) -> [u8; 32]; - #[requires(randomness.len() == 32)] - #[ensures(|res| fstar!("$res == $randomness"))] // We only have post-conditions for ML-KEM, not Kyber fn entropy_preprocess>(randomness: &[u8]) -> [u8; 32]; - #[requires(seed.len() == 32)] fn cpa_keygen_seed>(seed: &[u8]) -> [u8; 64]; } @@ -66,11 +60,8 @@ impl Variant for Kyber { /// * the derivation of the shared secret does not include a hash of the ML-KEM ciphertext. pub(crate) struct MlKem {} -#[hax_lib::attributes] impl Variant for MlKem { #[inline(always)] - #[requires(shared_secret.len() == 32)] - #[ensures(|res| fstar!("$res == $shared_secret"))] fn kdf>( shared_secret: &[u8], _: &MlKemCiphertext, @@ -81,8 +72,6 @@ impl Variant for MlKem { } #[inline(always)] - #[requires(randomness.len() == 32)] - #[ensures(|res| fstar!("$res == $randomness"))] fn entropy_preprocess>(randomness: &[u8]) -> [u8; 32] { let mut out = [0u8; 32]; out.copy_from_slice(randomness); @@ -90,7 +79,6 @@ impl Variant for MlKem { } #[inline(always)] - #[requires(key_generation_seed.len() == 32)] fn cpa_keygen_seed>(key_generation_seed: &[u8]) -> [u8; 64] { let mut seed = [0u8; CPA_PKE_KEY_GENERATION_SEED_SIZE + 1]; seed[0..CPA_PKE_KEY_GENERATION_SEED_SIZE].copy_from_slice(key_generation_seed); diff --git a/libcrux-ml-kem/src/vector/avx2.rs b/libcrux-ml-kem/src/vector/avx2.rs index 2d6d18798..c1ed75d25 100644 --- a/libcrux-ml-kem/src/vector/avx2.rs +++ b/libcrux-ml-kem/src/vector/avx2.rs @@ -1,4 +1,5 @@ use super::traits::Operations; + pub(crate) use libcrux_intrinsics::avx2::*; mod arithmetic; 
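Review bot: The `Variant` trait loses the `shared_secret.len() == 32`, `randomness.len() == 32` and `seed.len() == 32` requirements with no doc comment taking their place, so the trait's contract is now only implied by the MlKem impl, where `out.copy_from_slice(randomness)` panics on any other length. Add doc comments on the three trait methods stating the expected 32-byte length of each slice argument, e.g. `/// randomness must be exactly 32 bytes; implementations may panic otherwise.` The Kyber impl is outside the hunks, so whether it has the same panic behaviour is not visible here.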
@@ -8,25 +9,19 @@ mod sampling; mod serialize; #[derive(Clone, Copy)] -#[hax_lib::fstar::before(interface, "noeq")] -#[hax_lib::fstar::after(interface,"let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements")] pub struct SIMD256Vector { elements: Vec256, } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("repr ${result} == Seq.create 16 0s"))] -fn vec_zero() -> SIMD256Vector { +fn zero() -> SIMD256Vector { SIMD256Vector { elements: mm256_setzero_si256(), } } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("${result} == repr ${v}"))] -fn vec_to_i16_array(v: SIMD256Vector) -> [i16; 16] { +fn to_i16_array(v: SIMD256Vector) -> [i16; 16] { let mut output = [0i16; 16]; mm256_storeu_si256_i16(&mut output, v.elements); 
@@ -34,47 +29,28 @@ fn vec_to_i16_array(v: SIMD256Vector) -> [i16; 16] { } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("repr ${result} == ${array}"))] -fn vec_from_i16_array(array: &[i16]) -> SIMD256Vector { +fn from_i16_array(array: &[i16]) -> SIMD256Vector { SIMD256Vector { elements: mm256_loadu_si256_i16(array), } } -#[cfg(hax)] -impl crate::vector::traits::Repr for SIMD256Vector { - fn repr(x: Self) -> [i16; 16] { - vec_to_i16_array(x) - } -} - -#[hax_lib::attributes] impl Operations for SIMD256Vector { #[inline(always)] - #[ensures(|out| fstar!("impl.f_repr out == Seq.create 16 0s"))] fn ZERO() -> Self { - vec_zero() + zero() } - #[requires(array.len() == 16)] - #[ensures(|out| fstar!("impl.f_repr out == $array"))] #[inline(always)] fn from_i16_array(array: &[i16]) -> Self { - vec_from_i16_array(array) + from_i16_array(array) } - #[ensures(|out| fstar!("out == impl.f_repr $x"))] #[inline(always)] fn to_i16_array(x: Self) -> [i16; 16] { - vec_to_i16_array(x) + to_i16_array(x) } - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr ${lhs}) i) + v (Seq.index (impl.f_repr ${rhs}) i))"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index (impl.f_repr ${result}) i) == - v (Seq.index (impl.f_repr ${lhs}) i) + v (Seq.index (impl.f_repr ${rhs}) i))"))] #[inline(always)] fn add(lhs: Self, rhs: &Self) -> Self { Self { @@ -82,11 +58,6 @@ impl Operations for SIMD256Vector { } } - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr ${lhs}) i) - v (Seq.index (impl.f_repr ${rhs}) i))"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index (impl.f_repr ${result}) i) == - v (Seq.index (impl.f_repr ${lhs}) i) - v (Seq.index (impl.f_repr ${rhs}) i))"))] #[inline(always)] fn sub(lhs: Self, rhs: &Self) -> Self { Self { 
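Review bot: from_i16_array in avx2.rs loses its `array.len() == 16` requirement while it still passes the slice straight to `mm256_loadu_si256_i16(array)`; whether that wrapper checks the slice length is not visible here (libcrux_intrinsics is outside this diff), and if it does not, a shorter slice is an out-of-bounds read. A `debug_assert!(array.len() >= 16);` at the top of the free function costs nothing in release and documents the requirement. Separately, renaming the free functions to `zero`, `from_i16_array` and `to_i16_array` makes them shadow the trait method names they implement; the unqualified calls inside `impl Operations` resolve to the free functions today, but a later `Self::` qualification would turn them into infinite recursion, so the `vec_` prefix (or a private module) was the safer spelling.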
@@ -94,19 +65,13 @@ impl Operations for SIMD256Vector { } } - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (impl.f_repr ${vec}) i) * v c)"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index (impl.f_repr ${result}) i) == - v (Seq.index (impl.f_repr ${vec}) i) * v c)"))] #[inline(always)] - fn multiply_by_constant(vec: Self, c: i16) -> Self { + fn multiply_by_constant(v: Self, c: i16) -> Self { Self { - elements: arithmetic::multiply_by_constant(vec.elements, c), + elements: arithmetic::multiply_by_constant(v.elements, c), } } - #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> x &. $constant) (impl.f_repr $vector)"))] #[inline(always)] fn bitwise_and_with_constant(vector: Self, constant: i16) -> Self { Self { @@ -114,8 +79,6 @@ impl Operations for SIMD256Vector { } } - #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] - #[ensures(|out| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (impl.f_repr $vector)"))] #[inline(always)] fn shift_right(vector: Self) -> Self { Self { @@ -123,17 +86,13 @@ impl Operations for SIMD256Vector { } } - #[requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr $vector)"))] - #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr $vector)"))] #[inline(always)] fn cond_subtract_3329(vector: Self) -> Self { - hax_lib::fstar!("admit()"); Self { elements: arithmetic::cond_subtract_3329(vector.elements), } } - #[requires(fstar!("Spec.Utils.is_i16b_array 28296 (impl.f_repr ${vector})"))] #[inline(always)] fn barrett_reduce(vector: Self) -> Self { Self { @@ -141,7 +100,6 @@ impl Operations for SIMD256Vector { } } - #[requires(fstar!("Spec.Utils.is_i16b 1664 $constant"))] #[inline(always)] fn montgomery_multiply_by_constant(vector: Self, constant: i16) -> Self { Self { 
@@ -149,31 +107,15 @@ impl Operations for SIMD256Vector { } } - #[requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\\ - v (Seq.index (impl.f_repr $vector) i) < 3329"))] - #[ensures(|out| fstar!("forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"))] #[inline(always)] fn compress_1(vector: Self) -> Self { - hax_lib::fstar!("admit()"); Self { elements: compress::compress_message_coefficient(vector.elements), } } - #[requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/ - v $COEFFICIENT_BITS == 5 \\/ - v $COEFFICIENT_BITS == 10 \\/ - v $COEFFICIENT_BITS == 11) /\\ - (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $vector) i) >= 0 /\\ - v (Seq.index (impl.f_repr $vector) i) < 3329)"))] - #[ensures(|out| fstar!("(v $COEFFICIENT_BITS == 4 \\/ - v $COEFFICIENT_BITS == 5 \\/ - v $COEFFICIENT_BITS == 10 \\/ - v $COEFFICIENT_BITS == 11) ==> - (forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) (v $COEFFICIENT_BITS))"))] #[inline(always)] fn compress(vector: Self) -> Self { - hax_lib::fstar!("admit()"); Self { elements: compress::compress_ciphertext_coefficient::( vector.elements, @@ -181,8 +123,6 @@ impl Operations for SIMD256Vector { } } - #[requires(COEFFICIENT_BITS == 4 || COEFFICIENT_BITS == 5 || - COEFFICIENT_BITS == 10 || COEFFICIENT_BITS == 11)] #[inline(always)] fn decompress_ciphertext_coefficient(vector: Self) -> Self { Self { 
@@ -192,79 +132,48 @@ impl Operations for SIMD256Vector { } } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr ${vector})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"))] #[inline(always)] fn ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3), } } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr ${vector})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"))] #[inline(always)] fn ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_layer_2_step(vector.elements, zeta0, zeta1), } } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array (11207+3*3328) (impl.f_repr ${vector})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"))] #[inline(always)] fn ntt_layer_3_step(vector: Self, zeta: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_layer_3_step(vector.elements, zeta), } } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (4*3328) (impl.f_repr ${vector})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] #[inline(always)] fn inv_ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::inv_ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3), } } - 
#[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vector})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] #[inline(always)] fn inv_ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::inv_ntt_layer_2_step(vector.elements, zeta0, zeta1), } } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${vector})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] #[inline(always)] fn inv_ntt_layer_3_step(vector: Self, zeta: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::inv_ntt_layer_3_step(vector.elements, zeta), } } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${lhs}) /\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${rhs})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] #[inline(always)] fn ntt_multiply( lhs: &Self, 
@@ -274,23 +183,16 @@ impl Operations for SIMD256Vector { zeta2: i16, zeta3: i16, ) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_multiply(lhs.elements, rhs.elements, zeta0, zeta1, zeta2, zeta3), } } - #[requires(fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $vector)"))] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 1 (impl.f_repr $vector) $out"))] #[inline(always)] fn serialize_1(vector: Self) -> [u8; 2] { serialize::serialize_1(vector.elements) } - #[requires(bytes.len() == 2)] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $bytes (impl.f_repr $out)"))] #[inline(always)] fn deserialize_1(bytes: &[u8]) -> Self { Self { @@ -298,17 +200,11 @@ impl Operations for SIMD256Vector { } } - #[requires(fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $vector)"))] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $vector) $out"))] #[inline(always)] fn serialize_4(vector: Self) -> [u8; 8] { serialize::serialize_4(vector.elements) } - #[requires(bytes.len() == 8)] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $bytes (impl.f_repr $out)"))] #[inline(always)] fn deserialize_4(bytes: &[u8]) -> Self { Self { 
@@ -318,30 +214,21 @@ impl Operations for SIMD256Vector { #[inline(always)] fn serialize_5(vector: Self) -> [u8; 10] { - hax_lib::fstar!("admit()"); serialize::serialize_5(vector.elements) } - #[requires(bytes.len() == 10)] #[inline(always)] fn deserialize_5(bytes: &[u8]) -> Self { - hax_lib::fstar!("admit()"); Self { elements: serialize::deserialize_5(bytes), } } - #[requires(fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $vector)"))] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $vector) $out"))] #[inline(always)] fn serialize_10(vector: Self) -> [u8; 20] { serialize::serialize_10(vector.elements) } - #[requires(bytes.len() == 20)] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $bytes (impl.f_repr $out)"))] #[inline(always)] fn deserialize_10(bytes: &[u8]) -> Self { Self { @@ -354,7 +241,6 @@ impl Operations for SIMD256Vector { serialize::serialize_11(vector.elements) } - #[requires(bytes.len() == 22)] #[inline(always)] fn deserialize_11(bytes: &[u8]) -> Self { Self { 
@@ -362,17 +248,11 @@ impl Operations for SIMD256Vector { } } - #[requires(fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $vector)"))] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $vector) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $vector) $out"))] #[inline(always)] fn serialize_12(vector: Self) -> [u8; 24] { serialize::serialize_12(vector.elements) } - #[requires(bytes.len() == 24)] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| fstar!("sz (Seq.length $bytes) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $bytes (impl.f_repr $out)"))] #[inline(always)] fn deserialize_12(bytes: &[u8]) -> Self { Self { @@ -380,10 +260,6 @@ impl Operations for SIMD256Vector { } } - #[requires(input.len() == 24 && output.len() == 16)] - #[ensures(|result| - fstar!("Seq.length $output_future == Seq.length $output /\\ v $result <= 16") - )] #[inline(always)] fn rej_sample(input: &[u8], output: &mut [i16]) -> usize { sampling::rejection_sample(input, output) diff --git a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs index 1032ee28d..a980eb75d 100644 --- a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs +++ b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs 
@@ -3,95 +3,28 @@ use crate::vector::{traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, FIELD_MODULUS}; use super::*; #[inline(always)] -#[hax_lib::fstar::before(interface, "open Libcrux_intrinsics.Avx2_extract")] -#[hax_lib::fstar::before( - " -let lemma_add_i (lhs rhs: t_Vec256) (i:nat): Lemma - (requires (i < 16 /\\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i)))) - (ensures (v (add_mod (get_lane lhs i) (get_lane rhs i)) == - (v (get_lane lhs i) + v (get_lane rhs i)))) - [SMTPat (v (add_mod (get_lane lhs i) (get_lane rhs i)))] = ()" -)] -#[hax_lib::requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) + v (get_lane $rhs i))"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - v (get_lane $result i) == (v (get_lane $lhs i) + v (get_lane $rhs i))"))] pub(crate) fn add(lhs: Vec256, rhs: Vec256) -> Vec256 { - let result = mm256_add_epi16(lhs, rhs); - hax_lib::fstar!("assert (forall i. get_lane result i == get_lane lhs i +. get_lane rhs i); - assert (forall i. v (get_lane result i) == v (get_lane lhs i) + v (get_lane rhs i))"); - result + mm256_add_epi16(lhs, rhs) } #[inline(always)] -#[hax_lib::fstar::before( - " -let lemma_sub_i (lhs rhs: t_Vec256) (i:nat): Lemma - (requires (i < 16 /\\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i)))) - (ensures (v (sub_mod (get_lane lhs i) (get_lane rhs i)) == - (v (get_lane lhs i) - v (get_lane rhs i)))) - [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = ()" -)] -#[hax_lib::requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) - v (get_lane $rhs i))"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - v (get_lane $result i) == (v (get_lane $lhs i) - v (get_lane $rhs i))"))] pub(crate) fn sub(lhs: Vec256, rhs: Vec256) -> Vec256 { - let result = mm256_sub_epi16(lhs, rhs); - hax_lib::fstar!("assert (forall i. get_lane result i == get_lane lhs i -. 
get_lane rhs i); - assert (forall i. v (get_lane result i) == v (get_lane lhs i) - v (get_lane rhs i))"); - result + mm256_sub_epi16(lhs, rhs) } #[inline(always)] -#[hax_lib::fstar::before( - " -let lemma_mul_i (lhs: t_Vec256) (i:nat) (c:i16): Lemma - (requires (i < 16 /\\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) * v c))) - (ensures (v (mul_mod (get_lane lhs i) c) == - (v (get_lane lhs i) * v c))) - [SMTPat (v (mul_mod (get_lane lhs i) c))] = ()" -)] -#[hax_lib::requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $vector i) * v constant)"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - v (get_lane $result i) == (v (get_lane $vector i) * v constant)"))] pub(crate) fn multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 { - let cv = mm256_set1_epi16(constant); - let result = mm256_mullo_epi16(vector, cv); - hax_lib::fstar!("Seq.lemma_eq_intro (vec256_as_i16x16 ${result}) - (Spec.Utils.map_array (fun x -> x *. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))"); - - hax_lib::fstar!("assert (forall i. get_lane result i == get_lane vector i *. constant); - assert (forall i. v (get_lane vector i *. constant) == v (get_lane vector i) * v constant); - assert (forall i. v (get_lane result i) == v (get_lane vector i) * v constant)"); - result + mm256_mullo_epi16(vector, mm256_set1_epi16(constant)) } #[inline(always)] -#[hax_lib::ensures(|result| fstar!("Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == - Spec.Utils.map_array (fun x -> x &. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"))] pub(crate) fn bitwise_and_with_constant(vector: Vec256, constant: i16) -> Vec256 { - let cv = mm256_set1_epi16(constant); - let result = mm256_and_si256(vector, cv); - hax_lib::fstar!("Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) - (Spec.Utils.map_array (fun x -> x &. 
$constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))"); - result + mm256_and_si256(vector, mm256_set1_epi16(constant)) } #[inline(always)] -#[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] -#[hax_lib::ensures(|result| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> - Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == - Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"))] pub(crate) fn shift_right(vector: Vec256) -> Vec256 { - let result = mm256_srai_epi16::<{ SHIFT_BY }>(vector); - hax_lib::fstar!( - "Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) - (Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))" - ); - result + mm256_srai_epi16::<{ SHIFT_BY }>(vector) } // #[inline(always)] 
@@ -100,36 +33,17 @@ pub(crate) fn shift_right(vector: Vec256) -> Vec256 { // } #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - get_lane $result i == - (if (get_lane $vector i) >=. 3329s then get_lane $vector i -! 3329s else get_lane $vector i)"))] pub(crate) fn cond_subtract_3329(vector: Vec256) -> Vec256 { let field_modulus = mm256_set1_epi16(FIELD_MODULUS); - hax_lib::fstar!("assert (forall i. get_lane $field_modulus i == 3329s)"); + // Compute v_i - Q and crate a mask from the sign bit of each of these // quantities. let v_minus_field_modulus = mm256_sub_epi16(vector, field_modulus); - hax_lib::fstar!( - "assert (forall i. get_lane $v_minus_field_modulus i == get_lane $vector i -. 3329s)" - ); - let sign_mask = mm256_srai_epi16::<15>(v_minus_field_modulus); - hax_lib::fstar!( - "assert (forall i. get_lane $sign_mask i == (get_lane $v_minus_field_modulus i >>! 15l))" - ); // If v_i - Q < 0 then add back Q to (v_i - Q). let conditional_add_field_modulus = mm256_and_si256(sign_mask, field_modulus); - hax_lib::fstar!("assert (forall i. get_lane $conditional_add_field_modulus i == (get_lane $sign_mask i &. 3329s))"); - - let result = mm256_add_epi16(v_minus_field_modulus, conditional_add_field_modulus); - hax_lib::fstar!("assert (forall i. get_lane $result i == (get_lane $v_minus_field_modulus i +. get_lane $conditional_add_field_modulus i)); - assert (forall i. get_lane $result i == Spec.Utils.cond_sub (get_lane $vector i)); - assert (forall i. get_lane $result i == (if (get_lane $vector i) >=. 3329s then get_lane $vector i -! 3329s else get_lane $vector i))"); - - result + mm256_add_epi16(v_minus_field_modulus, conditional_add_field_modulus) } const BARRETT_MULTIPLIER: i16 = 20159; 
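Review bot: The comment kept on the new side of `cond_subtract_3329`, `// Compute v_i - Q and crate a mask from the sign bit of each of these`, has a typo: `create`. The removed `requires` (`is_i16b_array (pow2 12 - 1)`) was also the only place stating that lanes must stay within ±(2^12 - 1); the sign-mask trick relies on `mm256_sub_epi16(vector, field_modulus)` not wrapping, so a doc comment such as `/// Requires every lane within ±(2^12 - 1); larger magnitudes can wrap the subtraction and invalidate the sign mask.` should take its place.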
@@ -137,145 +51,57 @@ const BARRETT_MULTIPLIER: i16 = 20159; /// See Section 3.2 of the implementation notes document for an explanation /// of this code. #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 200"))] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 28296 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${vector})")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\ - (forall i. i < 16 ==> v (get_lane $result i) % 3329 == - (v (get_lane $vector i) % 3329))")))] pub(crate) fn barrett_reduce(vector: Vec256) -> Vec256 { - let t0 = mm256_mulhi_epi16(vector, mm256_set1_epi16(BARRETT_MULTIPLIER)); - hax_lib::fstar!("assert (forall i. get_lane $t0 i == (cast (((cast (get_lane $vector i) <: i32) *. (cast v_BARRETT_MULTIPLIER <: i32)) >>! 16l) <: i16))"); - let t512 = mm256_set1_epi16(512); - hax_lib::fstar!("assert (forall i. get_lane $t512 i == 512s)"); - let t1 = mm256_add_epi16(t0, t512); - hax_lib::fstar!("assert (forall i. get_lane $t1 i == get_lane $t0 i +. 512s)"); - let quotient = mm256_srai_epi16::<10>(t1); - hax_lib::fstar!( - "assert (forall i. get_lane $quotient i == (((get_lane $t1 i) <: i16) >>! (10l <: i32)))" - ); + let t = mm256_mulhi_epi16(vector, mm256_set1_epi16(BARRETT_MULTIPLIER)); + let t = mm256_add_epi16(t, mm256_set1_epi16(512)); + + let quotient = mm256_srai_epi16::<10>(t); + let quotient_times_field_modulus = mm256_mullo_epi16(quotient, mm256_set1_epi16(FIELD_MODULUS)); - hax_lib::fstar!( - "assert (forall i. get_lane $quotient_times_field_modulus i == - get_lane $quotient i *. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)" - ); - let result = mm256_sub_epi16(vector, quotient_times_field_modulus); - hax_lib::fstar!("assert (forall i. get_lane $result i == - get_lane $vector i -. get_lane $quotient_times_field_modulus i); - assert (forall i. 
get_lane $result i == Spec.Utils.barrett_red (get_lane $vector i)); - assert (forall i. v (get_lane $result i) % 3329 == v (get_lane $vector i) % 3329); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result))"); - result + + mm256_sub_epi16(vector, quotient_times_field_modulus) } #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 200"))] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 constant")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\ - (forall i. i < 16 ==> v (get_lane $result i) % 3329 == - ((v (get_lane $vector i) * v constant * 169) % 3329))")))] pub(crate) fn montgomery_multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 { - let vec_constant = mm256_set1_epi16(constant); - hax_lib::fstar!("assert (forall i. get_lane $vec_constant i == $constant)"); - let value_low = mm256_mullo_epi16(vector, vec_constant); - hax_lib::fstar!("assert (forall i. get_lane $value_low i == get_lane $vector i *. $constant)"); + let constant = mm256_set1_epi16(constant); + let value_low = mm256_mullo_epi16(vector, constant); + let k = mm256_mullo_epi16( value_low, mm256_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16), ); - hax_lib::fstar!("assert (forall i. get_lane $k i == get_lane $value_low i *. (neg 3327s))"); - let modulus = mm256_set1_epi16(FIELD_MODULUS); - hax_lib::fstar!("assert (forall i. get_lane $modulus i == 3329s)"); - let k_times_modulus = mm256_mulhi_epi16(k, modulus); - hax_lib::fstar!("assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 
16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $modulus)); - assert (forall i. get_lane $k_times_modulus i == - (cast (((cast (get_lane $k i) <: i32) *. (cast (get_lane $modulus i) <: i32)) >>! 16l) <: i16))"); - - let value_high = mm256_mulhi_epi16(vector, vec_constant); - hax_lib::fstar!("assert (forall i. get_lane $value_high i == - (cast (((cast (get_lane $vector i) <: i32) *. (cast (get_lane $vec_constant i) <: i32)) >>! 16l) <: i16))"); + let k_times_modulus = mm256_mulhi_epi16(k, mm256_set1_epi16(FIELD_MODULUS)); - let result = mm256_sub_epi16(value_high, k_times_modulus); - hax_lib::fstar!("Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. get_lane $result i == (get_lane $value_high i) -. (get_lane $k_times_modulus i)); - assert (forall i. get_lane $result i == Spec.Utils.mont_mul_red_i16 (get_lane $vector i) $constant); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result)); - assert (forall i. v (get_lane $result i) % 3329 == ((v (get_lane $vector i) * v $constant * 169) % 3329))"); - result + let value_high = mm256_mulhi_epi16(vector, constant); + + mm256_sub_epi16(value_high, k_times_modulus) } #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $constants))")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\ - (forall i. 
i < 16 ==> v (get_lane $result i) % 3329 == - ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))")))] -pub(crate) fn montgomery_multiply_by_constants(vec: Vec256, constants: Vec256) -> Vec256 { - let value_low = mm256_mullo_epi16(vec, constants); - hax_lib::fstar!( - "assert (forall i. get_lane $value_low i == get_lane $vec i *. get_lane $constants i)" - ); +pub(crate) fn montgomery_multiply_by_constants(v: Vec256, c: Vec256) -> Vec256 { + let value_low = mm256_mullo_epi16(v, c); let k = mm256_mullo_epi16( value_low, mm256_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16), ); - hax_lib::fstar!("assert (forall i. get_lane $k i == get_lane $value_low i *. (neg 3327s))"); + let k_times_modulus = mm256_mulhi_epi16(k, mm256_set1_epi16(FIELD_MODULUS)); - let modulus = mm256_set1_epi16(FIELD_MODULUS); - hax_lib::fstar!("assert (forall i. get_lane $modulus i == 3329s)"); + let value_high = mm256_mulhi_epi16(v, c); - let k_times_modulus = mm256_mulhi_epi16(k, modulus); - hax_lib::fstar!("assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $modulus)); - assert (forall i. get_lane $k_times_modulus i == - (cast (((cast (get_lane $k i) <: i32) *. (cast (get_lane $modulus i) <: i32)) >>! 16l) <: i16))"); - - let value_high = mm256_mulhi_epi16(vec, constants); - hax_lib::fstar!("assert (forall i. get_lane $value_high i == - (cast (((cast (get_lane $vec i) <: i32) *. (cast (get_lane $constants i) <: i32)) >>! 16l) <: i16))"); - - let result = mm256_sub_epi16(value_high, k_times_modulus); - hax_lib::fstar!("Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. 
get_lane $result i == (get_lane $value_high i) -. (get_lane $k_times_modulus i)); - assert (forall i. get_lane $result i == Spec.Utils.mont_mul_red_i16 (get_lane $vec i) (get_lane $constants i)); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result)); - assert (forall i. v (get_lane $result i) % 3329 == ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))"); - result + mm256_sub_epi16(value_high, k_times_modulus) } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array (3328 * pow2 16) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vec))")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (3328 + 1665) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\ - (Spec.Utils.is_i16b_array (3328 * pow2 15) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vec) ==> - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result)) /\\ - (forall i. i < 16 ==> v (get_lane $result i) % 3329 == - ((v (get_lane $vec i) * 169) % 3329))")))] -pub(crate) fn montgomery_reduce_i32s(vec: Vec256) -> Vec256 { +pub(crate) fn montgomery_reduce_i32s(v: Vec256) -> Vec256 { let k = mm256_mullo_epi16( - vec, + v, mm256_set1_epi32(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32), ); let k_times_modulus = mm256_mulhi_epi16(k, mm256_set1_epi32(FIELD_MODULUS as i32)); - let value_high = mm256_srli_epi32::<16>(vec); + let value_high = mm256_srli_epi32::<16>(v); let result = mm256_sub_epi16(value_high, k_times_modulus); 
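Review bot: In `montgomery_multiply_by_constant` the new line `let constant = mm256_set1_epi16(constant);` shadows the `i16` parameter with a `Vec256` of the same name, so the two meanings of `constant` in the function are distinguished by position alone; the previous `vec_constant` name was clearer, e.g. `let vec_constant = mm256_set1_epi16(constant);` with the two later uses updated. The renames `vec`→`v` and `constants`→`c` in `montgomery_multiply_by_constants` and `montgomery_reduce_i32s` (and `montgomery_multiply_m128i_by_constants` in the next hunk) similarly trade descriptive names for single letters in code whose correctness depends on which operand is bounded. The doc comment on `barrett_reduce` survives, so the bounds from the removed `requires`/`ensures` belong there: `/// Input lanes must satisfy |x| <= 28296; output lanes satisfy |y| <= 3328 with y ≡ x (mod 3329).`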
@@ -285,49 +111,16 @@ pub(crate) fn montgomery_reduce_i32s(vec: Vec256) -> Vec256 { } #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $constants))")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 ${result}) /\\ - (forall i. i < 8 ==> v (get_lane128 $result i) % 3329 == - ((v (get_lane128 $vec i) * v (get_lane128 $constants i) * 169) % 3329))")))] -pub(crate) fn montgomery_multiply_m128i_by_constants(vec: Vec128, constants: Vec128) -> Vec128 { - let value_low = mm_mullo_epi16(vec, constants); - hax_lib::fstar!("assert (forall i. get_lane128 $value_low i == get_lane128 $vec i *. get_lane128 $constants i)"); +pub(crate) fn montgomery_multiply_m128i_by_constants(v: Vec128, c: Vec128) -> Vec128 { + let value_low = mm_mullo_epi16(v, c); let k = mm_mullo_epi16( value_low, mm_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16), ); - hax_lib::fstar!( - "assert (forall i. get_lane128 $k i == get_lane128 $value_low i *. (neg 3327s))" - ); + let k_times_modulus = mm_mulhi_epi16(k, mm_set1_epi16(FIELD_MODULUS)); + + let value_high = mm_mulhi_epi16(v, c); - let modulus = mm_set1_epi16(FIELD_MODULUS); - hax_lib::fstar!("assert (forall i. get_lane128 $modulus i == 3329s)"); - - let k_times_modulus = mm_mulhi_epi16(k, modulus); - hax_lib::fstar!("assert (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $k) - (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $modulus)); - assert (forall i. get_lane128 $k_times_modulus i == - (cast (((cast (get_lane128 $k i) <: i32) *. (cast (get_lane128 $modulus i) <: i32)) >>! 
16l) <: i16))"); - - let value_high = mm_mulhi_epi16(vec, constants); - hax_lib::fstar!("assert (forall i. get_lane128 $value_high i == - (cast (((cast (get_lane128 $vec i) <: i32) *. (cast (get_lane128 $constants i) <: i32)) >>! 16l) <: i16))"); - - let result = mm_sub_epi16(value_high, k_times_modulus); - hax_lib::fstar!("Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. get_lane128 $result i == (get_lane128 $value_high i) -. (get_lane128 $k_times_modulus i)); - assert (forall i. get_lane128 $result i == Spec.Utils.mont_mul_red_i16 (get_lane128 $vec i) (get_lane128 $constants i)); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane128 $result i)); - assert (forall (i:nat). i < 8 ==> Spec.Utils.is_i16b 3328 (get_lane128 $result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $result)); - assert (forall i. v (get_lane128 $result i) % 3329 == ((v (get_lane128 $vec i) * v (get_lane128 $constants i) * 169) % 3329))"); - - result + mm_sub_epi16(value_high, k_times_modulus) } diff --git a/libcrux-ml-kem/src/vector/avx2/compress.rs b/libcrux-ml-kem/src/vector/avx2/compress.rs index 9d02e9730..fc5464957 100644 --- a/libcrux-ml-kem/src/vector/avx2/compress.rs +++ b/libcrux-ml-kem/src/vector/avx2/compress.rs @@ -38,8 +38,6 @@ pub(crate) fn compress_message_coefficient(vector: Vec256) -> Vec256 { } #[inline(always)] -#[hax_lib::requires(fstar!("v $COEFFICIENT_BITS >= 0 /\\ v $COEFFICIENT_BITS < bits i32_inttype /\\ - range (v (1l <( vector: Vec256, ) -> Vec256 { @@ -105,7 +103,6 @@ pub(crate) fn compress_ciphertext_coefficient( } #[inline(always)] -#[hax_lib::requires(fstar!("v $COEFFICIENT_BITS >= 0 /\\ v $COEFFICIENT_BITS < bits i32_inttype"))] pub(crate) fn decompress_ciphertext_coefficient( vector: Vec256, ) -> Vec256 { 
diff --git a/libcrux-ml-kem/src/vector/avx2/ntt.rs b/libcrux-ml-kem/src/vector/avx2/ntt.rs index 437c6a473..b571b0ee7 100644 --- a/libcrux-ml-kem/src/vector/avx2/ntt.rs +++ b/libcrux-ml-kem/src/vector/avx2/ntt.rs @@ -1,7 +1,6 @@ use super::*; #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"))] pub(crate) fn ntt_layer_1_step( vector: Vec256, zeta0: i16, @@ -23,7 +22,6 @@ pub(crate) fn ntt_layer_1_step( } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1"))] pub(crate) fn ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 { let zetas = mm256_set_epi16( -zeta1, -zeta1, -zeta1, -zeta1, zeta1, zeta1, zeta1, zeta1, -zeta0, -zeta0, -zeta0, -zeta0, @@ -39,7 +37,6 @@ pub(crate) fn ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta"))] pub(crate) fn ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { let rhs = mm256_extracti128_si256::<1>(vector); let rhs = arithmetic::montgomery_multiply_m128i_by_constants(rhs, mm_set1_epi16(zeta)); @@ -56,8 +53,6 @@ pub(crate) fn ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"))] pub(crate) fn inv_ntt_layer_1_step( vector: Vec256, zeta0: i16, @@ -87,7 +82,6 @@ pub(crate) fn inv_ntt_layer_1_step( } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1"))] pub(crate) fn inv_ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 { let lhs = mm256_permute4x64_epi64::<0b11_11_01_01>(vector); 
@@ -109,7 +103,6 @@ pub(crate) fn inv_ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Ve
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta"))]
 pub(crate) fn inv_ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 {
 let lhs = mm256_extracti128_si256::<1>(vector);
 let rhs = mm256_castsi256_si128(vector);
@@ -127,7 +120,6 @@ pub(crate) fn inv_ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 {
 }
 
 #[inline(always)]
-#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"))]
 pub(crate) fn ntt_multiply(
 lhs: Vec256,
 rhs: Vec256,
diff --git a/libcrux-ml-kem/src/vector/avx2/sampling.rs b/libcrux-ml-kem/src/vector/avx2/sampling.rs
index 1f3565b40..9ce5c20f8 100644
--- a/libcrux-ml-kem/src/vector/avx2/sampling.rs
+++ b/libcrux-ml-kem/src/vector/avx2/sampling.rs
@@ -5,11 +5,6 @@ use super::{
 };
 
 #[inline(always)]
-#[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(input.len() == 24 && output.len() == 16)]
-#[hax_lib::ensures(|res|
- fstar!("Seq.length $output_future == Seq.length $output /\\ v $res <= 16")
- )]
 pub(crate) fn rejection_sample(input: &[u8], output: &mut [i16]) -> usize {
 let field_modulus = mm256_set1_epi16(FIELD_MODULUS);
 
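Review bot: With the `is_i16b 1664` preconditions gone from `ntt_layer_1_step` through `ntt_multiply`, the bound on the `zeta*` arguments that `arithmetic::montgomery_multiply_m128i_by_constants` (called in `ntt_layer_3_step`) presumably relies on is no longer stated anywhere on the Rust side. If `is_i16b 1664 zeta` means |zeta| <= 1664, a doc line per function such as `/// `zeta` must satisfy |zeta| <= 1664 (formerly enforced by a hax precondition).` or a `debug_assert!(zeta.unsigned_abs() <= 1664);` at the top of each body would keep the invariant discoverable for callers and reviewers. Every function touched by these hunks continues outside the hunk.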
@@ -31,14 +26,6 @@ pub(crate) fn rejection_sample(input: &[u8], output: &mut [i16]) -> usize { // each lane in the register to tell us what coefficients to keep and what // to throw-away. Combine all the bits (there are 16) into two bytes. let good = serialize_1(compare_with_field_modulus); - hax_lib::fstar!("assert (v (cast (${good}.[ sz 0 ] <: u8) <: usize) < 256); - assert (v (cast (${good}.[ sz 1 ] <: u8) <: usize) < 256); - // We need to provide a definition or post-condition for Core.Num.impl__u8__count_ones - assume (v (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize) <= 8); - assume (v (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 1 ]) <: usize) <= 8); - assume (Core.Ops.Index.f_index_pre output ({ - Core.Ops.Range.f_start = cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize; - Core.Ops.Range.f_end = (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize) +! sz 8 }))"); // Each bit (and its corresponding position) represents an element we // want to sample. We'd like all such elements to be next to each other starting diff --git a/libcrux-ml-kem/src/vector/avx2/serialize.rs b/libcrux-ml-kem/src/vector/avx2/serialize.rs index 693bb1bf8..5b2a4fae5 100644 --- a/libcrux-ml-kem/src/vector/avx2/serialize.rs +++ b/libcrux-ml-kem/src/vector/avx2/serialize.rs @@ -2,9 +2,6 @@ use super::*; use crate::vector::portable::PortableVector; #[inline(always)] -#[hax_lib::fstar::options("--ext context_pruning --compat_pre_core 0")] -#[hax_lib::requires(fstar!("forall i. i % 16 >= 1 ==> vector i == 0"))] -#[hax_lib::ensures(|result| fstar!("forall i. bit_vec_of_int_t_array $result 8 i == $vector (i * 16)"))] pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] { // Suppose |vector| is laid out as follows (superscript number indicates the // corresponding bit is duplicated that many times): 
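Review bot: `rejection_sample` loses both the `input.len() == 24 && output.len() == 16` precondition and the `res <= 16` postcondition in the first sampling.rs hunk, and nothing replaces them with a runtime or documented check, so the slice-length requirements and the return-value contract are now only implicit. The removed `assume` lines on `count_ones` in this hunk were unproven anyway, so dropping them costs nothing, but the length contract was actually checked. Suggest a doc comment on the function, `/// `input` must hold 24 bytes and `output` 16 lanes; returns the number of coefficients written (at most 16).`, plus `debug_assert_eq!(input.len(), 24); debug_assert_eq!(output.len(), 16);` as the first line of the body. The function body continues past the hunk; the same applies to the `bytes.len() == 2` precondition removed from `deserialize_1` in the serialize.rs hunk that follows.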
@@ -46,139 +43,79 @@ pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] { // 0xFF 0x00 0x00 0x00 | 0xFF 0x00 0x00 0x00 | 0x00 0x00 0x00 0x00 | 0x00 0x00 0x00 0xFF let msbs = mm_packs_epi16(low_msbs, high_msbs); - hax_lib::fstar!( - r#" -let bits_packed' = BitVec.Intrinsics.mm_movemask_epi8_bv msbs in - assert (forall (i: nat{i < 16}). bits_packed' i = $vector ((i / 1) * 16 + i % 1)) - by ( - Tactics.Utils.prove_forall_nat_pointwise (fun _ -> - Tactics.compute (); - Tactics.smt_sync () - ) - ) -"# - ); - // Now that every element is either 0xFF or 0x00, we just extract the most // significant bit from each element and collate them into two bytes. let bits_packed = mm_movemask_epi8(msbs); - let result = [bits_packed as u8, (bits_packed >> 8) as u8]; + let mut serialized = [0u8; 2]; + serialized[0] = bits_packed as u8; + serialized[1] = (bits_packed >> 8) as u8; - hax_lib::fstar!( - r#" -assert (forall (i: nat {i < 8}). get_bit ($bits_packed >>! 8l <: i32) (sz i) == get_bit $bits_packed (sz (i + 8))) -"# - ); - - result + serialized } #[inline(always)] -#[hax_lib::requires(bytes.len() == 2)] -#[hax_lib::ensures(|coefficients| fstar!( - r#"forall (i:nat{i < 256}). - $coefficients i - = ( if i % 16 >= 1 then 0 - else let j = (i / 16) * 1 + i % 16 in - bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 2)) 8 j)) -"# -))] -#[hax_lib::fstar::before("#restart-solver")] pub(crate) fn deserialize_1(bytes: &[u8]) -> Vec256 { - #[hax_lib::ensures(|coefficients| fstar!( - r#"forall (i:nat{i < 256}). - $coefficients i - = ( if i % 16 >= 1 then 0 - else let j = (i / 16) * 1 + i % 16 in - if i < 128 then get_bit $a (sz j) else get_bit $b (sz (j - 8))) -"# - ))] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - #[inline(always)] - pub(crate) fn deserialize_1_u8s(a: u8, b: u8) -> Vec256 { - deserialize_1_i16s(a as i16, b as i16) - } - - #[hax_lib::ensures(|coefficients| fstar!( - r#"forall (i:nat{i < 256}). 
- $coefficients i - = ( if i % 16 >= 1 then 0 - else let j = (i / 16) * 1 + i % 16 in - if i < 128 then get_bit $a (sz j) else get_bit $b (sz (j - 8))) -"# - ))] - #[inline(always)] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - pub(crate) fn deserialize_1_i16s(a: i16, b: i16) -> Vec256 { - // We need to take each bit from the 2 bytes of input and put them - // into their own 16-bit lane. Ideally, we'd load the two bytes into the vector, - // duplicate them, and right-shift the 0th element by 0 bits, - // the first element by 1 bit, the second by 2 bits and so on before AND-ing - // with 0x1 to leave only the least signifinicant bit. - // But since |_mm256_srlv_epi16| does not exist, so we have to resort to a - // workaround. - // - // Rather than shifting each element by a different amount, we'll multiply - // each element by a value such that the bit we're interested in becomes the most - // significant bit. - // The coefficients are loaded as follows: - let coefficients = mm256_set_epi16(b, b, b, b, b, b, b, b, a, a, a, a, a, a, a, a); - - // And this vector, when multiplied with the previous one, ensures that the - // bit we'd like to keep in each lane becomes the most significant bit upon - // multiplication. - let coefficients_in_msb = mm256_mullo_epi16( - coefficients, - mm256_set_epi16( - 1 << 8, - 1 << 9, - 1 << 10, - 1 << 11, - 1 << 12, - 1 << 13, - 1 << 14, - -32768, - 1 << 8, - 1 << 9, - 1 << 10, - 1 << 11, - 1 << 12, - 1 << 13, - 1 << 14, - -32768, - ), - ); - - // Now that they're all in the most significant bit position, shift them - // down to the least significant bit. - mm256_srli_epi16::<15>(coefficients_in_msb) - } - - deserialize_1_u8s(bytes[0], bytes[1]) -} + // We need to take each bit from the 2 bytes of input and put them + // into their own 16-bit lane. 
Ideally, we'd load the two bytes into the vector, + // duplicate them, and right-shift the 0th element by 0 bits, + // the first element by 1 bit, the second by 2 bits and so on before AND-ing + // with 0x1 to leave only the least signifinicant bit. + // But since |_mm256_srlv_epi16| does not exist, so we have to resort to a + // workaround. + // + // Rather than shifting each element by a different amount, we'll multiply + // each element by a value such that the bit we're interested in becomes the most + // significant bit. + + // The coefficients are loaded as follows: + let coefficients = mm256_set_epi16( + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + ); -/// `mm256_concat_pairs_n(n, x)` is then a sequence of 32 bits packets -/// of the shape `0b0…0b₁…bₙa₁…aₙ`, if `x` is a sequence of pairs of -/// 16 bits, of the shape `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` (where the last -/// `n` bits are non-zero). -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_concat_pairs_n}")] -#[inline(always)] -fn mm256_concat_pairs_n(n: u8, x: Vec256) -> Vec256 { - let n = 1 << n; - mm256_madd_epi16( - x, - mm256_set_epi16(n, 1, n, 1, n, 1, n, 1, n, 1, n, 1, n, 1, n, 1), - ) + // And this vector, when multiplied with the previous one, ensures that the + // bit we'd like to keep in each lane becomes the most significant bit upon + // multiplication. 
+ let shift_lsb_to_msb = mm256_set_epi16( + 1 << 8, + 1 << 9, + 1 << 10, + 1 << 11, + 1 << 12, + 1 << 13, + 1 << 14, + -32768, + 1 << 8, + 1 << 9, + 1 << 10, + 1 << 11, + 1 << 12, + 1 << 13, + 1 << 14, + -32768, + ); + let coefficients_in_msb = mm256_mullo_epi16(coefficients, shift_lsb_to_msb); + + // Now that they're all in the most significant bit position, shift them + // down to the least significant bit. + mm256_srli_epi16::<15>(coefficients_in_msb) } -#[hax_lib::fstar::options("--ext context_pruning --split_queries always")] -#[hax_lib::requires( - fstar!( - r#"forall (i: nat{i < 256}). i % 16 < 4 || $vector i = 0"# - ) -)] -#[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 64}). bit_vec_of_int_t_array $r 8 i == $vector ((i/4) * 16 + i%4)"))] #[inline(always)] pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { let mut serialized = [0u8; 16]; @@ -191,7 +128,27 @@ pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { // as follows: // // 0x00_00_00_BA 0x00_00_00_DC | 0x00_00_00_FE 0x00_00_00_HG | ... - let adjacent_2_combined = mm256_concat_pairs_n(4, vector); + let adjacent_2_combined = mm256_madd_epi16( + vector, + mm256_set_epi16( + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + ), + ); // Recall that |adjacent_2_combined| goes as follows: // 
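Review bot: In the new `deserialize_1`, `bytes[1] as i16` and `bytes[0] as i16` are each written out eight times inside `mm256_set_epi16`, which makes the lane layout harder to read than the `a`/`b` helper it replaces; binding `let b0 = bytes[0] as i16; let b1 = bytes[1] as i16;` once and calling `mm256_set_epi16(b1, b1, b1, b1, b1, b1, b1, b1, b0, b0, b0, b0, b0, b0, b0, b0)` performs the same two bounds-checked reads. The stripped `bytes.len() == 2` contract is now only the implicit panic on `bytes[1]`; a `/// Panics if `bytes.len() < 2`.` line on the function would make that explicit for callers.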
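Review bot: Deleting `mm256_concat_pairs_n` removes the only comment that described what `mm256_madd_epi16` with the `(1 << n, 1, …)` constant computes, and the same 16-element constant is now spelled out inline in `serialize_4` here and again in `serialize_10` and `serialize_12` later in this file. If the helper had to go only because of its `hax_lib::fstar::replace` attribute, the plain Rust function can stay without the attribute; otherwise move its doc text above each `mm256_madd_epi16` call, e.g. `// Pack each pair of n-bit lanes (a, b) into one 32-bit lane of the shape 0…0 b₁…bₙ a₁…aₙ.`. `serialize_4`'s body continues outside the hunk.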
@@ -219,131 +176,71 @@ pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { // ... so that we can read them out in one go. mm_storeu_bytes_si128(&mut serialized, combined); - hax_lib::fstar!( - r#" -assert (forall (i: nat{i < 64}). $combined i == bit_vec_of_int_t_array serialized 8 i); - introduce forall (i: nat {i < 64}). $combined i = vector ((i / 4) * 16 + i % 4) - with assert_norm (BitVec.Utils.forall64 (fun i -> $combined i = $vector ((i / 4) * 16 + i % 4))); - assert (forall (i: nat{i < 64}). bit_vec_of_int_t_array serialized 8 i == $vector ((i / 4) * 16 + i % 4)) -"# - ); - serialized[0..8].try_into().unwrap() } #[inline(always)] -#[hax_lib::requires(bytes.len() == 8)] -#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}). - $result i = (if i % 16 >= 4 then 0 - else let j = (i / 16) * 4 + i % 16 in - bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 8)) 8 j)"#))] -#[hax_lib::fstar::before("#restart-solver")] pub(crate) fn deserialize_4(bytes: &[u8]) -> Vec256 { - #[hax_lib::ensures(|coefficients| fstar!( - r#"forall (i:nat{i < 256}). - $coefficients i - = ( if i % 16 < 4 - then let j = (i / 16) * 4 + i % 16 in - (match i / 32 with - | 0 -> get_bit $b0 (sz j) - | 1 -> get_bit $b1 (sz (j - 8)) - | 2 -> get_bit $b2 (sz (j - 16)) - | 3 -> get_bit $b3 (sz (j - 24)) - | 4 -> get_bit $b4 (sz (j - 32)) - | 5 -> get_bit $b5 (sz (j - 40)) - | 6 -> get_bit $b6 (sz (j - 48)) - | 7 -> get_bit $b7 (sz (j - 56))) - else 0) -"# - ))] - #[inline(always)] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - fn deserialize_4_u8s(b0: u8, b1: u8, b2: u8, b3: u8, b4: u8, b5: u8, b6: u8, b7: u8) -> Vec256 { - deserialize_4_i16s( - b0 as i16, b1 as i16, b2 as i16, b3 as i16, b4 as i16, b5 as i16, b6 as i16, b7 as i16, - ) - } - - #[hax_lib::ensures(|coefficients| fstar!( - r#"forall (i:nat{i < 256}). 
- $coefficients i - = ( if i % 16 < 4 - then let j = (i / 16) * 4 + i % 16 in - (match i / 32 with - | 0 -> get_bit $b0 (sz j) - | 1 -> get_bit $b1 (sz (j - 8)) - | 2 -> get_bit $b2 (sz (j - 16)) - | 3 -> get_bit $b3 (sz (j - 24)) - | 4 -> get_bit $b4 (sz (j - 32)) - | 5 -> get_bit $b5 (sz (j - 40)) - | 6 -> get_bit $b6 (sz (j - 48)) - | 7 -> get_bit $b7 (sz (j - 56))) - else 0) -"# - ))] - #[inline(always)] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - fn deserialize_4_i16s( - b0: i16, - b1: i16, - b2: i16, - b3: i16, - b4: i16, - b5: i16, - b6: i16, - b7: i16, - ) -> Vec256 { - // Every 4 bits from each byte of input should be put into its own 16-bit lane. - // Since |_mm256_srlv_epi16| does not exist, we have to resort to a workaround. - // - // Rather than shifting each element by a different amount, we'll multiply - // each element by a value such that the bits we're interested in become the most - // significant bits (of an 8-bit value). - let coefficients = mm256_set_epi16( - // In this lane, the 4 bits we need to put are already the most - // significant bits of |bytes[7]| (that is, b7). - b7, - // In this lane, the 4 bits we need to put are the least significant bits, - // so we need to shift the 4 least-significant bits of |b7| to the - // most significant bits (of an 8-bit value). - b7, // and so on ... - b6, b6, b5, b5, b4, b4, b3, b3, b2, b2, b1, b1, b0, b0, - ); - let coefficients_in_msb = mm256_mullo_epi16( - coefficients, - mm256_set_epi16( - // These constants are chosen to shift the bits of the values - // that we loaded into |coefficients|. - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - ), - ); - - // Once the 4-bit coefficients are in the most significant positions (of - // an 8-bit value), shift them all down by 4. - let coefficients_in_lsb = mm256_srli_epi16::<4>(coefficients_in_msb); - - // Zero the remaining bits. 
- mm256_and_si256(coefficients_in_lsb, mm256_set1_epi16((1 << 4) - 1)) - } - - deserialize_4_u8s( - bytes[0], bytes[1], bytes[2], bytes[3], bytes[4], bytes[5], bytes[6], bytes[7], - ) + // Every 4 bits from each byte of input should be put into its own 16-bit lane. + // Since |_mm256_srlv_epi16| does not exist, we have to resort to a workaround. + // + // Rather than shifting each element by a different amount, we'll multiply + // each element by a value such that the bits we're interested in become the most + // significant bits (of an 8-bit value). + let coefficients = mm256_set_epi16( + // In this lane, the 4 bits we need to put are already the most + // significant bits of |bytes[7]|. + bytes[7] as i16, + // In this lane, the 4 bits we need to put are the least significant bits, + // so we need to shift the 4 least-significant bits of |bytes[7]| to the + // most significant bits (of an 8-bit value). + bytes[7] as i16, + // and so on ... + bytes[6] as i16, + bytes[6] as i16, + bytes[5] as i16, + bytes[5] as i16, + bytes[4] as i16, + bytes[4] as i16, + bytes[3] as i16, + bytes[3] as i16, + bytes[2] as i16, + bytes[2] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[0] as i16, + bytes[0] as i16, + ); + + let shift_lsbs_to_msbs = mm256_set_epi16( + // These constants are chosen to shift the bits of the values + // that we loaded into |coefficients|. + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + ); + + let coefficients_in_msb = mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs); + + // Once the 4-bit coefficients are in the most significant positions (of + // an 8-bit value), shift them all down by 4. + let coefficients_in_lsb = mm256_srli_epi16::<4>(coefficients_in_msb); + + // Zero the remaining bits. + mm256_and_si256(coefficients_in_lsb, mm256_set1_epi16((1 << 4) - 1)) } #[inline(always)] 
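Review bot: `deserialize_4` now reads `bytes[0]` through `bytes[7]` with no stated length requirement once the `bytes.len() == 8` precondition is removed; a shorter slice panics at the first out-of-range index, which is memory-safe but undocumented, and the removed `ensures` was the only place that said the upper 12 bits of every lane are zero. Suggest `/// Panics if `bytes.len() < 8`; only the first 8 bytes are read. Every output lane holds a 4-bit value.` on the function, since the final `mm256_and_si256(..., (1 << 4) - 1)` is what guarantees the second sentence.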
@@ -443,31 +340,15 @@ pub(crate) fn serialize_5(vector: Vec256) -> [u8; 10] { serialized[0..10].try_into().unwrap() } -/// We cannot model `mm256_inserti128_si256` on its own: it produces a -/// Vec256 where the upper 128 bits are undefined. Thus -/// `mm256_inserti128_si256` is not pure. -/// -/// Luckily, we always call `mm256_castsi128_si256` right after -/// `mm256_inserti128_si256`: this composition sets the upper bits, -/// making the whole computation pure again. -#[inline(always)] -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_si256_from_two_si128 as ${mm256_si256_from_two_si128}}" -)] -fn mm256_si256_from_two_si128(lower: Vec128, upper: Vec128) -> Vec256 { - mm256_inserti128_si256::<1>(mm256_castsi128_si256(lower), upper) -} - #[inline(always)] -#[hax_lib::requires(fstar!(r#"Seq.length bytes == 10"#))] pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 { let coefficients = mm_set_epi8( bytes[9], bytes[8], bytes[8], bytes[7], bytes[7], bytes[6], bytes[6], bytes[5], bytes[4], bytes[3], bytes[3], bytes[2], bytes[2], bytes[1], bytes[1], bytes[0], ); - let coefficients_loaded = mm256_si256_from_two_si128(coefficients, coefficients); + let coefficients_loaded = mm256_castsi128_si256(coefficients); + let coefficients_loaded = mm256_inserti128_si256::<1>(coefficients_loaded, coefficients); let coefficients = mm256_shuffle_epi8( coefficients_loaded, 
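Review bot: The doc comment on the deleted `mm256_si256_from_two_si128` recorded why `mm256_castsi128_si256` and `mm256_inserti128_si256::<1>` are always used as a pair (in the hax model one of them alone leaves the upper 128 bits undefined, and only the composition is pure); that rationale disappears with the helper while the pairing is now repeated inline here in `deserialize_5` and again in `deserialize_10` and `deserialize_12`. A short comment above the pair, `// Cast then insert: only the composition defines all 256 bits; neither intrinsic is modelled as pure on its own.`, would preserve it at each site. `deserialize_5`'s body continues outside the hunk.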
@@ -502,172 +383,137 @@ pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 { } #[inline(always)] -#[hax_lib::fstar::options("--ext context_pruning --split_queries always")] -#[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"))] -#[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i/10) * 16 + i%10)"))] pub(crate) fn serialize_10(vector: Vec256) -> [u8; 20] { - #[hax_lib::fstar::options("--ext context_pruning --split_queries always")] - #[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"))] - #[hax_lib::ensures(|(lower_8, upper_8)| fstar!( - r#" - forall (i: nat{i < 160}). - vector ((i/10) * 16 + i%10) == (if i < 80 then $lower_8 i else $upper_8 (i - 80)) - ) - "# - ))] - fn serialize_10_vec(vector: Vec256) -> (Vec128, Vec128) { - // If |vector| is laid out as follows (superscript number indicates the - // corresponding bit is duplicated that many times): - // - // 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ | ↩ - // 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ | ↩ - // ... - // - // |adjacent_2_combined| will be laid out as a series of 32-bit integers, - // as follows: - // - // 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ - // 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ - // .... - let adjacent_2_combined = mm256_concat_pairs_n(10, vector); - - // Shifting up the values at the even indices by 12, we get: - // - // b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ - // f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ - // ... 
- let adjacent_4_combined = mm256_sllv_epi32( - adjacent_2_combined, - mm256_set_epi32(0, 12, 0, 12, 0, 12, 0, 12), - ); - - // Viewing this as a set of 64-bit integers we get: - // - // 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² | ↩ - // 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² | ↩ - // ... - // - // Shifting down by 12 gives us: - // - // 0²⁴d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ | ↩ - // 0²⁴h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ | ↩ - // ... - let adjacent_4_combined = mm256_srli_epi64::<12>(adjacent_4_combined); - - // |adjacent_4_combined|, when the bottom and top 128 bit-lanes are grouped - // into bytes, looks like: - // - // 0₇0₆0₅B₄B₃B₂B₁B₀ | ↩ - // 0₁₅0₁₄0₁₃B₁₂B₁₁B₁₀B₉B₈ | ↩ - // - // In each 128-bit lane, we want to put bytes 8, 9, 10, 11, 12 after - // bytes 0, 1, 2, 3 to allow for sequential reading. - let adjacent_8_combined = mm256_shuffle_epi8( - adjacent_4_combined, - mm256_set_epi8( - -1, -1, -1, -1, -1, -1, 12, 11, 10, 9, 8, 4, 3, 2, 1, 0, -1, -1, -1, -1, -1, -1, - 12, 11, 10, 9, 8, 4, 3, 2, 1, 0, - ), - ); - // We now have 64 bits starting at position 0 in the lower 128-bit lane, ... - let lower_8 = mm256_castsi256_si128(adjacent_8_combined); - // and 64 bits starting at position 0 in the upper 128-bit lane. - let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); - hax_lib::fstar!( - r#" - introduce forall (i:nat{i < 80}). lower_8_ i = vector ((i / 10) * 16 + i % 10) - with assert_norm (BitVec.Utils.forall_n 80 (fun i -> lower_8_ i = vector ((i / 10) * 16 + i % 10))); - introduce forall (i:nat{i < 80}). 
upper_8_ i = vector (128 + (i / 10) * 16 + i % 10) - with assert_norm (BitVec.Utils.forall_n 80 (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10))) - "# - ); - (lower_8, upper_8) - } - - let (lower_8, upper_8) = serialize_10_vec(vector); - let mut serialized = [0u8; 32]; + + // If |vector| is laid out as follows (superscript number indicates the + // corresponding bit is duplicated that many times): + // + // 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ | ↩ + // 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ | ↩ + // ... + // + // |adjacent_2_combined| will be laid out as a series of 32-bit integers, + // as follows: + // + // 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ + // 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ + // .... + let adjacent_2_combined = mm256_madd_epi16( + vector, + mm256_set_epi16( + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + ), + ); + + // Shifting up the values at the even indices by 12, we get: + // + // b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ + // f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ + // ... + let adjacent_4_combined = mm256_sllv_epi32( + adjacent_2_combined, + mm256_set_epi32(0, 12, 0, 12, 0, 12, 0, 12), + ); + + // Viewing this as a set of 64-bit integers we get: + // + // 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² | ↩ + // 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² | ↩ + // ... 
+ // + // Shifting down by 12 gives us: + // + // 0²⁴d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ | ↩ + // 0²⁴h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ | ↩ + // ... + let adjacent_4_combined = mm256_srli_epi64::<12>(adjacent_4_combined); + + // |adjacent_4_combined|, when the bottom and top 128 bit-lanes are grouped + // into bytes, looks like: + // + // 0₇0₆0₅B₄B₃B₂B₁B₀ | ↩ + // 0₁₅0₁₄0₁₃B₁₂B₁₁B₁₀B₉B₈ | ↩ + // + // In each 128-bit lane, we want to put bytes 8, 9, 10, 11, 12 after + // bytes 0, 1, 2, 3 to allow for sequential reading. + let adjacent_8_combined = mm256_shuffle_epi8( + adjacent_4_combined, + mm256_set_epi8( + -1, -1, -1, -1, -1, -1, 12, 11, 10, 9, 8, 4, 3, 2, 1, 0, -1, -1, -1, -1, -1, -1, 12, + 11, 10, 9, 8, 4, 3, 2, 1, 0, + ), + ); + + // We now have 64 bits starting at position 0 in the lower 128-bit lane, ... + let lower_8 = mm256_castsi256_si128(adjacent_8_combined); mm_storeu_bytes_si128(&mut serialized[0..16], lower_8); + + // and 64 bits starting at position 0 in the upper 128-bit lane. + let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); mm_storeu_bytes_si128(&mut serialized[10..26], upper_8); serialized[0..20].try_into().unwrap() } #[inline(always)] -#[hax_lib::requires(fstar!(r#"Seq.length bytes == 20"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}). - $result i = (if i % 16 >= 10 then 0 - else let j = (i / 16) * 10 + i % 16 in - bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 20)) 8 j)"#))] pub(crate) fn deserialize_10(bytes: &[u8]) -> Vec256 { - #[inline(always)] - #[hax_lib::ensures(|coefficients| fstar!(r#" -forall (i: nat {i < 256}). 
- $coefficients i - = ( if i % 16 >= 10 then 0 - else let j = (i / 16) * 10 + i % 16 in - if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 32))) -"#))] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - fn deserialize_10_vec(lower_coefficients0: Vec128, upper_coefficients0: Vec128) -> Vec256 { - let lower_coefficients = mm_shuffle_epi8( - lower_coefficients0, - mm_set_epi8(9, 8, 8, 7, 7, 6, 6, 5, 4, 3, 3, 2, 2, 1, 1, 0), - ); - let upper_coefficients = mm_shuffle_epi8( - upper_coefficients0, - mm_set_epi8(15, 14, 14, 13, 13, 12, 12, 11, 10, 9, 9, 8, 8, 7, 7, 6), - ); - - let coefficients = mm256_si256_from_two_si128(lower_coefficients, upper_coefficients); - - let coefficients = mm256_mullo_epi16( - coefficients, - mm256_set_epi16( - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - ), - ); - let coefficients = mm256_srli_epi16::<6>(coefficients); - // Here I can prove this `and` is not useful - let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 10) - 1)); - hax_lib::fstar!( - r#" -assert_norm(BitVec.Utils.forall256 (fun i -> - $coefficients i - = ( if i % 16 < 10 - then let j = (i / 16) * 10 + i % 16 in - if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 32) - else 0))) -"# - ); - coefficients - } - - let lower_coefficients = &bytes[0..16]; - let upper_coefficients = &bytes[4..20]; - deserialize_10_vec( - mm_loadu_si128(lower_coefficients), - mm_loadu_si128(upper_coefficients), - ) + let shift_lsbs_to_msbs = mm256_set_epi16( + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + ); + + let lower_coefficients = mm_loadu_si128(&bytes[0..16]); + let lower_coefficients = mm_shuffle_epi8( + lower_coefficients, + mm_set_epi8(9, 8, 8, 7, 7, 6, 6, 5, 4, 3, 3, 2, 2, 1, 1, 0), + ); + let 
upper_coefficients = mm_loadu_si128(&bytes[4..20]); + let upper_coefficients = mm_shuffle_epi8( + upper_coefficients, + mm_set_epi8(15, 14, 14, 13, 13, 12, 12, 11, 10, 9, 9, 8, 8, 7, 7, 6), + ); + + let coefficients = mm256_castsi128_si256(lower_coefficients); + let coefficients = mm256_inserti128_si256::<1>(coefficients, upper_coefficients); + + let coefficients = mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs); + let coefficients = mm256_srli_epi16::<6>(coefficients); + let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 10) - 1)); + + coefficients } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] pub(crate) fn serialize_11(vector: Vec256) -> [u8; 22] { let mut array = [0i16; 16]; mm256_storeu_si256_i16(&mut array, vector); @@ -676,7 +522,6 @@ pub(crate) fn serialize_11(vector: Vec256) -> [u8; 22] { } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] pub(crate) fn deserialize_11(bytes: &[u8]) -> Vec256 { let output = PortableVector::deserialize_11(bytes); let array = PortableVector::to_i16_array(output); 
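Review bot: `deserialize_10` ends with `let coefficients = mm256_and_si256(...); coefficients`, where the last binding adds nothing; making `mm256_and_si256(coefficients, mm256_set1_epi16((1 << 10) - 1))` the tail expression reads cleaner, and `deserialize_12` in the last serialize.rs hunk has the same shape. Keeping the mask itself is the right call even though the removed proof note said it is provably redundant: it bounds every lane to 10 bits independently of the shuffle and multiply constants above it, which is worth a one-line comment, e.g. `// Redundant under the shuffle/multiply above, kept as an explicit 10-bit bound.`. The `verification_status(lax)` removed from `serialize_11`/`deserialize_11` only marked them as unverified, so no proof coverage is lost there.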
@@ -684,49 +529,46 @@ pub(crate) fn deserialize_11(bytes: &[u8]) -> Vec256 { } #[inline(always)] -#[hax_lib::fstar::options("--ext context_pruning --split_queries always")] -#[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"))] -#[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i/12) * 16 + i%12)"))] pub(crate) fn serialize_12(vector: Vec256) -> [u8; 24] { - #[inline(always)] - #[hax_lib::fstar::options("--ext context_pruning --split_queries always")] - #[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"))] - #[hax_lib::ensures(|(lower_8, upper_8)| fstar!( - r#" - forall (i: nat{i < 192}). - vector ((i/12) * 16 + i%12) == (if i < 96 then $lower_8 i else $upper_8 (i - 96)) - ) - "# - ))] - fn serialize_12_vec(vector: Vec256) -> (Vec128, Vec128) { - let adjacent_2_combined = mm256_concat_pairs_n(12, vector); - let adjacent_4_combined = - mm256_sllv_epi32(adjacent_2_combined, mm256_set_epi32(0, 8, 0, 8, 0, 8, 0, 8)); - let adjacent_4_combined = mm256_srli_epi64::<8>(adjacent_4_combined); - - let adjacent_8_combined = mm256_shuffle_epi8( - adjacent_4_combined, - mm256_set_epi8( - -1, -1, -1, -1, 13, 12, 11, 10, 9, 8, 5, 4, 3, 2, 1, 0, -1, -1, -1, -1, 13, 12, 11, - 10, 9, 8, 5, 4, 3, 2, 1, 0, - ), - ); - - let lower_8 = mm256_castsi256_si128(adjacent_8_combined); - let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); - hax_lib::fstar!( - r#" - introduce forall (i:nat{i < 96}). lower_8_ i = vector ((i / 12) * 16 + i % 12) - with assert_norm (BitVec.Utils.forall_n 96 (fun i -> lower_8_ i = vector ((i / 12) * 16 + i % 12))); - introduce forall (i:nat{i < 96}). 
upper_8_ i = vector (128 + (i / 12) * 16 + i % 12) - with assert_norm (BitVec.Utils.forall_n 96 (fun i -> upper_8_ i = vector (128 + (i / 12) * 16 + i % 12))) - "# - ); - (lower_8, upper_8) - } - let mut serialized = [0u8; 32]; - let (lower_8, upper_8) = serialize_12_vec(vector); + + let adjacent_2_combined = mm256_madd_epi16( + vector, + mm256_set_epi16( + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + ), + ); + + let adjacent_4_combined = + mm256_sllv_epi32(adjacent_2_combined, mm256_set_epi32(0, 8, 0, 8, 0, 8, 0, 8)); + let adjacent_4_combined = mm256_srli_epi64::<8>(adjacent_4_combined); + + let adjacent_8_combined = mm256_shuffle_epi8( + adjacent_4_combined, + mm256_set_epi8( + -1, -1, -1, -1, 13, 12, 11, 10, 9, 8, 5, 4, 3, 2, 1, 0, -1, -1, -1, -1, 13, 12, 11, 10, + 9, 8, 5, 4, 3, 2, 1, 0, + ), + ); + + let lower_8 = mm256_castsi256_si128(adjacent_8_combined); + let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); + mm_storeu_bytes_si128(&mut serialized[0..16], lower_8); mm_storeu_bytes_si128(&mut serialized[12..28], upper_8); 
@@ -734,69 +576,43 @@ pub(crate) fn serialize_12(vector: Vec256) -> [u8; 24] { } #[inline(always)] -#[hax_lib::requires(fstar!(r#"Seq.length bytes == 24"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}). - $result i = (if i % 16 >= 12 then 0 - else let j = (i / 16) * 12 + i % 16 in - bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 24)) 8 j)"#))] pub(crate) fn deserialize_12(bytes: &[u8]) -> Vec256 { - #[inline(always)] - #[hax_lib::ensures(|coefficients| fstar!(r#" -forall (i: nat {i < 256}). - $coefficients i - = ( if i % 16 >= 12 then 0 - else let j = (i / 16) * 12 + i % 16 in - if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 64))) -"#))] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - fn deserialize_12_vec(lower_coefficients0: Vec128, upper_coefficients0: Vec128) -> Vec256 { - let lower_coefficients = mm_shuffle_epi8( - lower_coefficients0, - mm_set_epi8(11, 10, 10, 9, 8, 7, 7, 6, 5, 4, 4, 3, 2, 1, 1, 0), - ); - let upper_coefficients = mm_shuffle_epi8( - upper_coefficients0, - mm_set_epi8(15, 14, 14, 13, 12, 11, 11, 10, 9, 8, 8, 7, 6, 5, 5, 4), - ); - - let coefficients = mm256_si256_from_two_si128(lower_coefficients, upper_coefficients); - - let coefficients = mm256_mullo_epi16( - coefficients, - mm256_set_epi16( - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - ), - ); - let coefficients = mm256_srli_epi16::<4>(coefficients); - let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 12) - 1)); - hax_lib::fstar!( - r#" -assert_norm(BitVec.Utils.forall256 (fun i -> - $coefficients i - = ( if i % 16 < 12 - then let j = (i / 16) * 12 + i % 16 in - if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 64) - else 0))) -"# - ); - coefficients - } + let shift_lsbs_to_msbs = mm256_set_epi16( + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 
0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + ); + let lower_coefficients = mm_loadu_si128(&bytes[0..16]); + let lower_coefficients = mm_shuffle_epi8( + lower_coefficients, + mm_set_epi8(11, 10, 10, 9, 8, 7, 7, 6, 5, 4, 4, 3, 2, 1, 1, 0), + ); let upper_coefficients = mm_loadu_si128(&bytes[8..24]); - deserialize_12_vec(lower_coefficients, upper_coefficients) + let upper_coefficients = mm_shuffle_epi8( + upper_coefficients, + mm_set_epi8(15, 14, 14, 13, 12, 11, 11, 10, 9, 8, 8, 7, 6, 5, 5, 4), + ); + + let coefficients = mm256_castsi128_si256(lower_coefficients); + let coefficients = mm256_inserti128_si256::<1>(coefficients, upper_coefficients); + + let coefficients = mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs); + let coefficients = mm256_srli_epi16::<4>(coefficients); + let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 12) - 1)); + + coefficients } diff --git a/libcrux-ml-kem/src/vector/neon.rs b/libcrux-ml-kem/src/vector/neon.rs index bd3be862a..68539971e 100644 --- a/libcrux-ml-kem/src/vector/neon.rs +++ b/libcrux-ml-kem/src/vector/neon.rs @@ -16,28 +16,16 @@ use serialize::*; pub(crate) use vector_type::SIMD128Vector; use vector_type::*; -#[cfg(hax)] -impl crate::vector::traits::Repr for SIMD128Vector { - fn repr(x: Self) -> [i16; 16] { - to_i16_array(x) - } -} - -#[hax_lib::attributes] impl Operations for SIMD128Vector { #[inline(always)] - #[ensures(|out| fstar!("impl.f_repr out == Seq.create 16 0s"))] fn ZERO() -> Self { ZERO() } - #[requires(array.len() == 16)] - #[ensures(|out| fstar!("impl.f_repr out == $array"))] fn from_i16_array(array: &[i16]) -> Self { from_i16_array(array) } - #[ensures(|out| fstar!("out == impl.f_repr $x"))] fn to_i16_array(x: Self) -> [i16; 16] { to_i16_array(x) } diff --git a/libcrux-ml-kem/src/vector/neon/vector_type.rs b/libcrux-ml-kem/src/vector/neon/vector_type.rs index d711e7d6e..61b4d319d 100644 --- a/libcrux-ml-kem/src/vector/neon/vector_type.rs 
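Review bot: With `#[hax_lib::requires(fstar!(r#"Seq.length bytes == 24"#))]` gone, nothing on the new side of `deserialize_12` says how long `bytes` must be, yet the new `bytes[0..16]` load and the retained `bytes[8..24]` load panic on any slice shorter than 24 bytes and silently ignore anything beyond them. Record the contract where a reader of the plain Rust will see it, e.g. `/// bytes must hold at least 24 bytes; bytes[0..16] and bytes[8..24] panic otherwise.` on the function, or `debug_assert_eq!(bytes.len(), 24);` as the first statement of the body. The 12-bit mask `mm256_and_si256(coefficients, mm256_set1_epi16((1 << 12) - 1))` is kept, so the output lanes remain bounded regardless of the input, which is worth stating in the same comment.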
+++ b/libcrux-ml-kem/src/vector/neon/vector_type.rs @@ -1,15 +1,20 @@ use libcrux_intrinsics::arm64::*; #[derive(Clone, Copy)] -#[hax_lib::fstar::after(interface,"val repr (x:t_SIMD128Vector) : t_Array i16 (sz 16)")] -#[hax_lib::fstar::after("let repr (x:t_SIMD128Vector) = admit()")] pub struct SIMD128Vector { pub low: _int16x8_t, pub high: _int16x8_t, } +#[allow(non_snake_case)] +#[inline(always)] +pub(crate) fn ZERO() -> SIMD128Vector { + SIMD128Vector { + low: _vdupq_n_s16(0), + high: _vdupq_n_s16(0), + } +} + #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("${result} == repr ${v}"))] pub(crate) fn to_i16_array(v: SIMD128Vector) -> [i16; 16] { let mut out = [0i16; 16]; _vst1q_s16(&mut out[0..8], v.low); @@ -18,22 +23,9 @@ pub(crate) fn to_i16_array(v: SIMD128Vector) -> [i16; 16] { } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("repr ${result} == $array"))] pub(crate) fn from_i16_array(array: &[i16]) -> SIMD128Vector { SIMD128Vector { low: _vld1q_s16(&array[0..8]), high: _vld1q_s16(&array[8..16]), } } - -#[allow(non_snake_case)] -#[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("repr result == Seq.create 16 0s"))] -pub(crate) fn ZERO() -> SIMD128Vector { - SIMD128Vector { - low: _vdupq_n_s16(0), - high: _vdupq_n_s16(0), - } -} \ No newline at end of file diff --git a/libcrux-ml-kem/src/vector/portable.rs b/libcrux-ml-kem/src/vector/portable.rs index b8e46b460..2ed759d54 100644 --- a/libcrux-ml-kem/src/vector/portable.rs +++ b/libcrux-ml-kem/src/vector/portable.rs @@ -1,4 +1,5 @@ use super::Operations; + mod arithmetic; mod compress; mod ntt; 
@@ -10,250 +11,92 @@ use arithmetic::*; use compress::*; use ntt::*; use sampling::*; +use serialize::*; use vector_type::*; pub(crate) use vector_type::PortableVector; -#[cfg(hax)] -impl crate::vector::traits::Repr for PortableVector { - fn repr(x: Self) -> [i16; 16] { - to_i16_array(x) - } -} - -#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a)"))] -#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> - Spec.MLKEM.serialize_post 1 (impl.f_repr $a) $out"))] -fn serialize_1(a: PortableVector) -> [u8; 2] { - hax_lib::fstar!("assert (forall i. Rust_primitives.bounded (Seq.index ${a}.f_elements i) 1)"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_lemma $a"); - serialize::serialize_1(a) -} - -#[hax_lib::requires(a.len() == 2)] -#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (impl.f_repr $out)"))] -fn deserialize_1(a: &[u8]) -> PortableVector { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_lemma $a"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_bounded_lemma $a"); - serialize::deserialize_1(a) -} - -#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a)"))] -#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $a) $out"))] -fn serialize_4(a: PortableVector) -> [u8; 8] { - hax_lib::fstar!("assert (forall i. Rust_primitives.bounded (Seq.index ${a}.f_elements i) 4)"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_lemma $a"); - serialize::serialize_4(a) -} - -#[hax_lib::requires(a.len() == 8)] -#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. 
sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (impl.f_repr $out)"))] -fn deserialize_4(a: &[u8]) -> PortableVector { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_lemma $a"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_bounded_lemma $a"); - serialize::deserialize_4(a) -} - -fn serialize_5(a: PortableVector) -> [u8; 10] { - serialize::serialize_5(a) -} - -#[hax_lib::requires(a.len() == 10)] -fn deserialize_5(a: &[u8]) -> PortableVector { - serialize::deserialize_5(a) -} - -#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a)"))] -#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $a) $out"))] -fn serialize_10(a: PortableVector) -> [u8; 20] { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_lemma $a"); - serialize::serialize_10(a) -} - -#[hax_lib::requires(a.len() == 20)] -#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. 
sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (impl.f_repr $out)"))] -fn deserialize_10(a: &[u8]) -> PortableVector { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma $a"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_bounded_lemma $a"); - serialize::deserialize_10(a) -} - -fn serialize_11(a: PortableVector) -> [u8; 22] { - serialize::serialize_11(a) -} - -#[hax_lib::requires(a.len() == 22)] -fn deserialize_11(a: &[u8]) -> PortableVector { - serialize::deserialize_11(a) -} - -#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a)"))] -#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $a) $out"))] -fn serialize_12(a: PortableVector) -> [u8; 24] { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_lemma $a"); - serialize::serialize_12(a) -} - -#[hax_lib::requires(a.len() == 24)] -#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (impl.f_repr $out)"))] -fn deserialize_12(a: &[u8]) -> PortableVector { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma $a"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_bounded_lemma $a"); - serialize::deserialize_12(a) -} - -#[hax_lib::fstar::before(interface, r#"#push-options "--z3rlimit 400 --split_queries always""#)] -#[hax_lib::fstar::after(interface, r#"#pop-options"#)] -#[hax_lib::attributes] impl Operations for PortableVector { - #[ensures(|out| fstar!("impl.f_repr out == Seq.create 16 0s"))] fn ZERO() -> Self { zero() } - #[requires(array.len() == 16)] - #[ensures(|out| fstar!("impl.f_repr out == $array"))] fn from_i16_array(array: &[i16]) -> Self { from_i16_array(array) } - #[ensures(|out| fstar!("out == impl.f_repr $x"))] fn to_i16_array(x: Self) -> [i16; 16] { to_i16_array(x) } - #[requires(fstar!("forall i. 
i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))] fn add(lhs: Self, rhs: &Self) -> Self { add(lhs, rhs) } - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))] fn sub(lhs: Self, rhs: &Self) -> Self { sub(lhs, rhs) } - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i) * v c)"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${vec}.f_elements i) * v c)"))] - fn multiply_by_constant(vec: Self, c: i16) -> Self { - multiply_by_constant(vec, c) + fn multiply_by_constant(v: Self, c: i16) -> Self { + multiply_by_constant(v, c) } - #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> x &. c) (impl.f_repr $v)"))] fn bitwise_and_with_constant(v: Self, c: i16) -> Self { bitwise_and_with_constant(v, c) } - #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] - #[ensures(|out| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (impl.f_repr $v)"))] fn shift_right(v: Self) -> Self { shift_right::<{ SHIFT_BY }>(v) } - #[requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr $v)"))] - #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 
3329s else x) (impl.f_repr $v)"))] fn cond_subtract_3329(v: Self) -> Self { cond_subtract_3329(v) } - #[requires(fstar!("Spec.Utils.is_i16b_array 28296 (impl.f_repr ${v})"))] fn barrett_reduce(v: Self) -> Self { barrett_reduce(v) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 $r"))] fn montgomery_multiply_by_constant(v: Self, r: i16) -> Self { montgomery_multiply_by_constant(v, r) } - #[requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\\ - v (Seq.index (impl.f_repr $a) i) < 3329"))] - #[ensures(|out| fstar!("forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"))] - fn compress_1(a: Self) -> Self { - compress_1(a) + fn compress_1(v: Self) -> Self { + compress_1(v) } - #[requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/ - v $COEFFICIENT_BITS == 5 \\/ - v $COEFFICIENT_BITS == 10 \\/ - v $COEFFICIENT_BITS == 11) /\\ - (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\\ - v (Seq.index (impl.f_repr $a) i) < 3329)"))] - #[ensures(|out| fstar!("(v $COEFFICIENT_BITS == 4 \\/ - v $COEFFICIENT_BITS == 5 \\/ - v $COEFFICIENT_BITS == 10 \\/ - v $COEFFICIENT_BITS == 11) ==> - (forall (i:nat). 
i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) (v $COEFFICIENT_BITS))"))] - fn compress(a: Self) -> Self { - compress::(a) + fn compress(v: Self) -> Self { + compress::(v) } - #[requires(COEFFICIENT_BITS == 4 || COEFFICIENT_BITS == 5 || - COEFFICIENT_BITS == 10 || COEFFICIENT_BITS == 11)] fn decompress_ciphertext_coefficient(v: Self) -> Self { decompress_ciphertext_coefficient::(v) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"))] fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { ntt_layer_1_step(a, zeta0, zeta1, zeta2, zeta3) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"))] fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self { ntt_layer_2_step(a, zeta0, zeta1) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array (11207+3*3328) (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"))] fn ntt_layer_3_step(a: Self, zeta: i16) -> Self { ntt_layer_3_step(a, zeta) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (4*3328) (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { inv_ntt_layer_1_step(a, zeta0, zeta1, zeta2, zeta3) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 
/\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self { inv_ntt_layer_2_step(a, zeta0, zeta1) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self { inv_ntt_layer_3_step(a, zeta) } - - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${lhs}) /\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${rhs})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] fn ntt_multiply( lhs: &Self, rhs: &Self, @@ -265,26 +108,18 @@ impl Operations for PortableVector { ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2, zeta3) } - #[requires(fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a)"))] - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 1 (impl.f_repr $a) $out"))] fn serialize_1(a: Self) -> [u8; 2] { serialize_1(a) } - #[requires(a.len() == 2)] - #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (impl.f_repr $out)"))] fn deserialize_1(a: &[u8]) -> Self { deserialize_1(a) } - #[requires(fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a)"))] - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $a) $out"))] fn serialize_4(a: Self) -> [u8; 8] { - serialize_4(a) + serialize_4(a) } - #[requires(a.len() == 8)] - #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (impl.f_repr $out)"))] fn deserialize_4(a: &[u8]) -> Self { deserialize_4(a) } 
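Review bot: The slice-length contracts of the `deserialize_*` entry points disappear with the deleted wrappers — `#[hax_lib::requires(a.len() == N)]` with N = 2, 8, 10, 20, 22 and 24 for `deserialize_1` through `deserialize_12` — and the trait methods that remain, here and in the `@@ -265,26`, `@@ -293,19` and `@@ -314,27` hunks, now say nothing about the length of `a`. Record each length as a doc comment on the impl method, e.g. `/// a must hold exactly 24 bytes.` on `deserialize_12`, and do the same for `rej_sample`, whose deleted contract was `a.len() == 24 && out.len() == 16` with a result of at most 16. The `impl Operations for PortableVector` block continues past the end of this hunk.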
@@ -293,19 +128,14 @@ impl Operations for PortableVector { serialize_5(a) } - #[requires(a.len() == 10)] fn deserialize_5(a: &[u8]) -> Self { deserialize_5(a) } - #[requires(fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a)"))] - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $a) $out"))] fn serialize_10(a: Self) -> [u8; 20] { serialize_10(a) } - #[requires(a.len() == 20)] - #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (impl.f_repr $out)"))] fn deserialize_10(a: &[u8]) -> Self { deserialize_10(a) } @@ -314,27 +144,18 @@ impl Operations for PortableVector { serialize_11(a) } - #[requires(a.len() == 22)] fn deserialize_11(a: &[u8]) -> Self { deserialize_11(a) } - #[requires(fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a)"))] - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $a) $out"))] fn serialize_12(a: Self) -> [u8; 24] { serialize_12(a) } - #[requires(a.len() == 24)] - #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (impl.f_repr $out)"))] fn deserialize_12(a: &[u8]) -> Self { deserialize_12(a) } - #[requires(a.len() == 24 && out.len() == 16)] - #[ensures(|result| - fstar!("Seq.length $out_future == Seq.length $out /\\ v $result <= 16") - )] fn rej_sample(a: &[u8], out: &mut [i16]) -> usize { rej_sample(a, out) } diff --git a/libcrux-ml-kem/src/vector/portable/arithmetic.rs b/libcrux-ml-kem/src/vector/portable/arithmetic.rs index 54a7b150f..ec2a1cbe7 100644 --- a/libcrux-ml-kem/src/vector/portable/arithmetic.rs +++ b/libcrux-ml-kem/src/vector/portable/arithmetic.rs 
@@ -1,5 +1,7 @@ use super::vector_type::*; -use crate::vector::traits::{FIELD_ELEMENTS_IN_VECTOR, FIELD_MODULUS, BARRETT_SHIFT, BARRETT_R, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R}; +use crate::vector::{ + traits::FIELD_ELEMENTS_IN_VECTOR, FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, +}; /// If 'x' denotes a value of type `fe`, values having this type hold a /// representative y ≡ x·MONTGOMERY_R^(-1) (mod FIELD_MODULUS). 
@@ -14,145 +16,83 @@ pub type FieldElementTimesMontgomeryR = i16; pub(crate) const MONTGOMERY_SHIFT: u8 = 16; pub(crate) const MONTGOMERY_R: i32 = 1 << MONTGOMERY_SHIFT; +pub(crate) const BARRETT_SHIFT: i32 = 26; +pub(crate) const BARRETT_R: i32 = 1 << BARRETT_SHIFT; /// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋ pub(crate) const BARRETT_MULTIPLIER: i32 = 20159; -#[hax_lib::fstar::options("--z3rlimit 150 --split_queries always")] -#[cfg_attr(hax, hax_lib::requires(n <= 16))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("v result == v value % pow2(v n)")))] +#[cfg_attr(hax, hax_lib::requires(n == 4 || n == 5 || n == 10 || n == 11 || n == MONTGOMERY_SHIFT))] +#[cfg_attr(hax, hax_lib::ensures(|result| result < 2u32.pow(n.into())))] #[inline(always)] pub(crate) fn get_n_least_significant_bits(n: u8, value: u32) -> u32 { - let res = value & ((1 << n) - 1); - hax_lib::fstar!("calc (==) { - v res; - (==) { } - v (logand value ((1ul < - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))] pub fn add(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector { - let _lhs0 = lhs; for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> (Seq.index ${lhs}.f_elements j) == - (Seq.index ${_lhs0}.f_elements j) +! (Seq.index ${rhs}.f_elements j)) /\\ - (forall j. j >= v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j))") }); lhs.elements[i] += rhs.elements[i]; } - hax_lib::fstar!("assert (forall i. v (Seq.index ${lhs}.f_elements i) == - v (Seq.index ${_lhs0}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"); + lhs } #[inline(always)] -#[hax_lib::requires(fstar!("forall i. 
i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))] pub fn sub(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector { - let _lhs0 = lhs; for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> (Seq.index ${lhs}.f_elements j) == - (Seq.index ${_lhs0}.f_elements j) -! (Seq.index ${rhs}.f_elements j)) /\\ - (forall j. j >= v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j))") }); lhs.elements[i] -= rhs.elements[i]; } - hax_lib::fstar!("assert (forall i. v (Seq.index ${lhs}.f_elements i) == - v (Seq.index ${_lhs0}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"); + lhs } #[inline(always)] -#[hax_lib::requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i) * v c)"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${vec}.f_elements i) * v c)"))] -pub fn multiply_by_constant(mut vec: PortableVector, c: i16) -> PortableVector { - let _vec0 = vec; +pub fn multiply_by_constant(mut v: PortableVector, c: i16) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> (Seq.index ${vec}.f_elements j) == - (Seq.index ${_vec0}.f_elements j) *! c) /\\ - (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j) == (Seq.index ${_vec0}.f_elements j))") }); - vec.elements[i] *= c; + v.elements[i] *= c; } - hax_lib::fstar!("assert (forall i. v (Seq.index ${vec}.f_elements i) == - v (Seq.index ${_vec0}.f_elements i) * v c)"); - vec + + v } #[inline(always)] -#[hax_lib::ensures(|result| fstar!("${result}.f_elements == Spec.Utils.map_array (fun x -> x &. 
c) (${vec}.f_elements)"))] -pub fn bitwise_and_with_constant(mut vec: PortableVector, c: i16) -> PortableVector { - let _vec0 = vec; +pub fn bitwise_and_with_constant(mut v: PortableVector, c: i16) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> Seq.index ${vec}.f_elements j == - (Seq.index ${_vec0}.f_elements j &. c)) /\\ - (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)") }); - vec.elements[i] &= c; + v.elements[i] &= c; } - hax_lib::fstar!("Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array (fun x -> x &. c) ${_vec0}.f_elements)"); - vec + + v } #[inline(always)] -#[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] -#[hax_lib::ensures(|result| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> - ${result}.f_elements == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (${vec}.f_elements)"))] -pub fn shift_right(mut vec: PortableVector) -> PortableVector { - let _vec0 = vec; +pub fn shift_right(mut v: PortableVector) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> Seq.index ${vec}.f_elements j == - (Seq.index ${_vec0}.f_elements j >>! ${SHIFT_BY})) /\\ - (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)") }); - vec.elements[i] = vec.elements[i] >> SHIFT_BY; + v.elements[i] = v.elements[i] >> SHIFT_BY; } - hax_lib::fstar!("Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) ${_vec0}.f_elements)"); - vec + + v } -/// Note: This function is not secret independent -/// Only use with public values. 
+// #[inline(always)] +// pub fn shift_left(mut lhs: PortableVector) -> PortableVector { +// for i in 0..FIELD_ELEMENTS_IN_VECTOR { +// lhs.elements[i] = lhs.elements[i] << SHIFT_BY; +// } + +// lhs +// } + #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("${result}.f_elements == Spec.Utils.map_array - (fun x -> if x >=. 3329s then x -! 3329s else x) (${vec}.f_elements)"))] -pub fn cond_subtract_3329(mut vec: PortableVector) -> PortableVector { - let _vec0 = vec; +pub fn cond_subtract_3329(mut v: PortableVector) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> Seq.index ${vec}.f_elements j == - (let x = Seq.index ${_vec0}.f_elements j in - if x >=. 3329s then x -! 3329s else x)) /\\ - (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)") }); - if vec.elements[i] >= 3329 { - vec.elements[i] -= 3329 + debug_assert!(v.elements[i] >= 0 && v.elements[i] < 4096); + if v.elements[i] >= 3329 { + v.elements[i] -= 3329 } } - hax_lib::fstar!("Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array - (fun x -> if x >=. 3329s then x -! 3329s else x) ${_vec0}.f_elements)"); - vec + v } /// Signed Barrett Reduction 
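Review bot: The doc comment `/// Note: This function is not secret independent` / `/// Only use with public values.` that sat on `cond_subtract_3329` is dropped on the new side, while the value-dependent branch `if v.elements[i] >= 3329 { v.elements[i] -= 3329 }` it warned about is kept (only a `debug_assert!` on the input range is added), so that caller-facing timing caveat should be restored as the function's `///` doc comment. `shift_right` likewise loses its `SHIFT_BY >= 0 && SHIFT_BY < 16` contract, and `v.elements[i] >> SHIFT_BY` on an `i16` with a shift amount of 16 or more is an overflow (a panic in debug builds, a masked shift amount in release), so document the bound, e.g. `/// SHIFT_BY must be in 0..16; larger shifts overflow i16 >>.`. The commented-out `shift_left` block that now occupies the place of the old warning is dead code and should be deleted rather than kept as comments. The new body of `get_n_least_significant_bits` is not legible in this rendering, and the hunk ends inside the doc comment of `barrett_reduce_element`, whose body is in the next hunk.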
@@ -164,60 +104,36 @@ pub fn cond_subtract_3329(mut vec: PortableVector) -> PortableVector { /// - the absolute value of `result` is bound as follows: /// /// `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1) -/// -/// Note: The input bound is 28296 to prevent overflow in the multiplication of quotient by FIELD_MODULUS -/// -#[hax_lib::fstar::options("--z3rlimit 150")] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 28296 value")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b 3328 result /\\ - v result % 3329 == v value % 3329")))] +/// +/// In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`. +#[cfg_attr(hax, hax_lib::requires((i32::from(value) > -BARRETT_R && i32::from(value) < BARRETT_R)))] +#[cfg_attr(hax, hax_lib::ensures(|result| result > -FIELD_MODULUS && result < FIELD_MODULUS))] pub(crate) fn barrett_reduce_element(value: FieldElement) -> FieldElement { + // hax_debug_assert!( + // i32::from(value) > -BARRETT_R && i32::from(value) < BARRETT_R, + // "value is {value}" + // ); + let t = (i32::from(value) * BARRETT_MULTIPLIER) + (BARRETT_R >> 1); - hax_lib::fstar!("assert_norm (v v_BARRETT_MULTIPLIER == (pow2 27 + 3329) / (2*3329)); - assert (v t = v value * v v_BARRETT_MULTIPLIER + pow2 25)"); - hax_lib::fstar!("assert (v t / pow2 26 < 9)"); - hax_lib::fstar!("assert (v t / pow2 26 > - 9)"); let quotient = (t >> BARRETT_SHIFT) as i16; - hax_lib::fstar!("assert (v quotient = v t / pow2 26)"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b 9 quotient)"); + let result = value - (quotient * FIELD_MODULUS); - hax_lib::fstar!("calc (==) { - v result % 3329; - (==) { } - (v value - (v quotient * 3329)) % 3329; - (==) {Math.Lemmas.lemma_mod_sub_distr (v value) (v quotient * 3329) 3329} - (v value - (v quotient * 3329) % 3329) % 3329; - (==) {Math.Lemmas.cancel_mul_mod (v quotient) 3329} - (v value - 0) % 3329; - (==) {} - (v value) % 3329; - }"); + + // hax_debug_assert!( + // result > -FIELD_MODULUS 
&& result < FIELD_MODULUS, + // "value is {value}" + // ); + result } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 150")] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 28296 ${vec}.f_elements")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\\ - (forall i. (v (Seq.index ${result}.f_elements i) % 3329) == - (v (Seq.index ${vec}.f_elements i) % 3329))")))] -pub(crate) fn barrett_reduce(mut vec: PortableVector) -> PortableVector { - let _vec0 = vec; +pub(crate) fn barrett_reduce(mut v: PortableVector) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements j) /\\ - v (Seq.index ${vec}.f_elements j) % 3329 == (v (Seq.index ${_vec0}.f_elements j) % 3329))) /\\ - (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j /\\ - Spec.Utils.is_i16b 28296 (Seq.index ${vec}.f_elements j)))") }); - let vi = barrett_reduce_element(vec.elements[i]); - vec.elements[i] = vi; - hax_lib::fstar!("assert (v (mk_int #usize_inttype (v i + 1)) == v i + 1); - assert (forall j. j < v i ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j)); - assert(Spec.Utils.is_i16b 3328 vi); - assert(Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements (v i))); - assert (forall j. j < v i + 1 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j))"); + v.elements[i] = barrett_reduce_element(v.elements[i]); } - vec + + v } /// Signed Montgomery Reduction 
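Review bot: The new precondition `i32::from(value) > -BARRETT_R && i32::from(value) < BARRETT_R` holds for every `i16`, so it no longer excludes the inputs the deleted sentence warned about (`The input bound is 28296 to prevent overflow in the multiplication of quotient by FIELD_MODULUS`): `quotient * FIELD_MODULUS` is an `i16` product, and by my arithmetic a `value` near `i16::MAX` gives `quotient == 10`, i.e. 33290, which overflows `i16` (a panic in debug builds, wrap-around in release) and breaks the stated `ensures` bound. Keep the old bound in the contract, e.g. `/// |value| must be at most 28296, otherwise quotient * FIELD_MODULUS overflows i16.`, and consider `debug_assert!(value >= -28296 && value <= 28296);` in place of the two commented-out `hax_debug_assert!` blocks, which are dead code either way. The added sentence `/// In particular, if |value| < BARRETT_R, then |result| < FIELD_MODULUS.` should be rewritten to the same 28296 bound, since its hypothesis is always true for an `i16` argument.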
@@ -228,84 +144,29 @@ pub(crate) fn barrett_reduce(mut vec: PortableVector) -> PortableVector { /// - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS) /// - the absolute value of `o` is bound as follows: /// -/// `|result| ≤ ceil(|value| / MONTGOMERY_R) + 1665 +/// `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2) /// -/// In particular, if `|value| ≤ FIELD_MODULUS-1 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS-1`. -/// And, if `|value| ≤ pow2 16 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS + 1664 -/// -#[hax_lib::fstar::options("--z3rlimit 500 --split_queries always")] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i32b (3328 * pow2 16) value ")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b (3328 + 1665) result /\\ - (Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 result) /\\ - v result % 3329 == (v value * 169) % 3329")))] +/// In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · FIELD_MODULUS) / 2`. +#[cfg_attr(hax, hax_lib::requires(value >= -(FIELD_MODULUS as i32) * MONTGOMERY_R && value <= (FIELD_MODULUS as i32) * MONTGOMERY_R))] +#[cfg_attr(hax, hax_lib::ensures(|result| result >= -(3 * FIELD_MODULUS) / 2 && result <= (3 * FIELD_MODULUS) / 2))] pub(crate) fn montgomery_reduce_element(value: i32) -> MontgomeryFieldElement { // This forces hax to extract code for MONTGOMERY_R before it extracts code // for this function. 
The removal of this line is being tracked in: // https://github.com/cryspen/libcrux/issues/134 let _ = MONTGOMERY_R; + //hax_debug_assert!( + // value >= -FIELD_MODULUS * MONTGOMERY_R && value <= FIELD_MODULUS * MONTGOMERY_R, + // "value is {value}" + //); + let k = (value as i16) as i32 * (INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32); - hax_lib::fstar!("assert(v (cast (cast (value <: i32) <: i16) <: i32) == v value @% pow2 16); - assert(v k == (v value @% pow2 16) * 62209); - assert(v (cast (cast (k <: i32) <: i16) <: i32) == v k @% pow2 16); - assert(v (cast (cast (k <: i32) <: i16) <: i32) < pow2 15); - assert(v (cast (cast (k <: i32) <: i16) <: i32) >= -pow2 15); - assert(v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) == 3329)"); let k_times_modulus = (k as i16 as i32) * (FIELD_MODULUS as i32); - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b (pow2 15) (3329) (cast (k <: i32) <: i16) Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS; - assert (Spec.Utils.is_i32b (pow2 15 * 3329) k_times_modulus)"); + let c = (k_times_modulus >> MONTGOMERY_SHIFT) as i16; - hax_lib::fstar!("assert (v k_times_modulus < pow2 31); - assert (v k_times_modulus / pow2 16 < pow2 15); - assert (v c == (v k_times_modulus / pow2 16) @% pow2 16); - assert(v c == v k_times_modulus / pow2 16); - assert(Spec.Utils.is_i16b 1665 c)"); let value_high = (value >> MONTGOMERY_SHIFT) as i16; - hax_lib::fstar!("assert (v value < pow2 31); - assert (v value / pow2 16 < pow2 15); - assert (v value_high == (v value / pow2 16) @% pow2 16); - Spec.Utils.lemma_div_at_percent (v value) (pow2 16); - assert (v value_high == (v value / pow2 16)); - assert(Spec.Utils.is_i32b (3328 * 3328) value ==> Spec.Utils.is_i16b 169 value_high); - assert(Spec.Utils.is_i16b 3328 value_high)"); - let res = value_high - c; - hax_lib::fstar!("assert(Spec.Utils.is_i16b (3328 + 1665) res)"); - hax_lib::fstar!("assert(Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 res)"); - hax_lib::fstar!("calc 
( == ) { - v k_times_modulus % pow2 16; - ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) } - ((v k @% pow2 16) * 3329) % pow2 16; - ( == ) { assert (v k = (v value @% pow2 16) * 62209) } - ((((v value @% pow2 16) * 62209) @% pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_sub ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) (pow2 16) 3329 } - ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v value @% pow2 16) * 62209) 3329 (pow2 16) } - ((((v value @% pow2 16) * 62209) * 3329) % pow2 16); - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r (v value @% pow2 16) (62209 * 3329) (pow2 16) } - ((v value @% pow2 16) % pow2 16); - ( == ) { Math.Lemmas.lemma_mod_sub (v value) (pow2 16) 1 } - (v value) % pow2 16; - }; - Math.Lemmas.modulo_add (pow2 16) (- (v k_times_modulus)) (v value) (v k_times_modulus); - assert ((v value - v k_times_modulus) % pow2 16 == 0)"); - hax_lib::fstar!("calc ( == ) { - v res % 3329; - ( == ) { assert (v res == v value_high - v c) } - (v value / pow2 16 - v k_times_modulus / pow2 16) % 3329 ; - ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) } - ((v value - v k_times_modulus) / pow2 16) % 3329; - ( == ) { assert ((pow2 16 * 169) % 3329 == 1) } - (((v value - v k_times_modulus) / pow2 16) * ((pow2 16 * 169) % 3329)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r ((v value - v k_times_modulus) / pow2 16) (pow2 16 * 169) 3329} - (((v value - v k_times_modulus) / pow2 16) * pow2 16 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16)} - ((v value - v k_times_modulus) * 169) % 3329; - ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) } - ((v value * 169) - ((v k @% pow2 16) * 3329 * 169)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_sub (v value * 169) 3329 ((v k @% pow2 16) * 169)} - (v value * 169) % 3329; - }"); - res + + value_high - c } /// If `fe` is some field element 'x' of 
the Kyber field and `fer` is congruent to 
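Review bot: The prose and the contract on montgomery_reduce_element disagree on strictness: the new doc line says `|o| < (3 · FIELD_MODULUS) / 2` while the ensures clause admits `result <= (3 * FIELD_MODULUS) / 2`, and since that is integer division (4993) the `<=` form is the one the code can satisfy, so the doc line should read `/// In particular, if |value| ≤ FIELD_MODULUS * MONTGOMERY_R, then |o| ≤ (3 · FIELD_MODULUS) / 2.`. The new bound `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2)` also appears slightly too tight: `c` is an arithmetic-shift (floored) quotient of `k_times_modulus`, and with `k as i16` reaching -2^15 that floor is -1665 if MONTGOMERY_SHIFT is 16, which is why the removed text said `+ 1665`. The commented-out `hax_debug_assert!` block should be restored or removed. The doc comment for montgomery_reduce_element starts above the hunk.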
@@ -317,37 +178,17 @@ pub(crate) fn montgomery_reduce_element(value: i32) -> MontgomeryFieldElement { /// `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a representative /// `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod FIELD_MODULUS)`. #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 300")] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 fer")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b 3328 result /\\ - v result % 3329 == (v fe * v fer * 169) % 3329")))] pub(crate) fn montgomery_multiply_fe_by_fer( fe: FieldElement, fer: FieldElementTimesMontgomeryR, ) -> FieldElement { - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b (pow2 15) (1664) fe fer"); - let product = (fe as i32) * (fer as i32); - montgomery_reduce_element(product) + montgomery_reduce_element((fe as i32) * (fer as i32)) } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 150")] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 c")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(" -Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\\ -(forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) % 3329 == - (v (Seq.index ${vec}.f_elements i) * v c * 169) %3329))")))] -pub(crate) fn montgomery_multiply_by_constant(mut vec: PortableVector, c: i16) -> PortableVector { - let _vec0 = vec; +pub(crate) fn montgomery_multiply_by_constant(mut v: PortableVector, c: i16) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> - (let vecj = Seq.index ${vec}.f_elements j in - (Spec.Utils.is_i16b 3328 vecj /\\ - v vecj % 3329 == (v (Seq.index ${_vec0}.f_elements j) * v c * 169) % 3329))) /\\ - (forall j. 
j >= v i ==> (Seq.index ${vec}.f_elements j) == (Seq.index ${_vec0}.f_elements j))") }); - vec.elements[i] = montgomery_multiply_fe_by_fer(vec.elements[i], c) + v.elements[i] = montgomery_multiply_fe_by_fer(v.elements[i], c) } - vec + v } diff --git a/libcrux-ml-kem/src/vector/portable/compress.rs b/libcrux-ml-kem/src/vector/portable/compress.rs index fa8e5a0ee..dab3e8190 100644 --- a/libcrux-ml-kem/src/vector/portable/compress.rs +++ b/libcrux-ml-kem/src/vector/portable/compress.rs 
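Review bot: Dropping `requires(is_i16b 1664 fer)` from montgomery_multiply_fe_by_fer leaves nothing that establishes the callee's precondition: the new montgomery_reduce_element requires `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, and `(fe as i32) * (fer as i32)` for arbitrary i16 inputs reaches roughly 2^30, far above that bound if MONTGOMERY_R is 2^16. Restore the bound as a Rust-level contract, e.g. `#[cfg_attr(hax, hax_lib::requires(fer >= -1664 && fer <= 1664))]`, and place the same bound on `c` in montgomery_multiply_by_constant, which forwards it unchanged. The doc comment for montgomery_multiply_fe_by_fer begins above the hunk.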
@@ -84,66 +84,21 @@ pub(crate) fn compress_ciphertext_coefficient(coefficient_bits: u8, fe: u16) -> } #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::before(" -let compress_message_coefficient_range_helper (fe: u16) : Lemma - (requires fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) - (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\\ - v (cast (compress_message_coefficient fe) <: i16) < 2) = - assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\\ - v (cast (compress_message_coefficient fe) <: i16) < 2) -"))] -#[hax_lib::fstar::options("--fuel 0 --ifuel 0 --z3rlimit 2000")] -#[hax_lib::requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index ${a}.f_elements i) >= 0 /\\ - v (Seq.index ${a}.f_elements i) < 3329"))] -#[hax_lib::ensures(|result| fstar!("forall (i:nat). i < 16 ==> v (${result}.f_elements.[ sz i ] <: i16) >= 0 /\\ - v (${result}.f_elements.[ sz i ] <: i16) < 2"))] -pub(crate) fn compress_1(mut a: PortableVector) -> PortableVector { - hax_lib::fstar!("assert (forall (i:nat). i < 16 ==> (cast (${a}.f_elements.[ sz i ]) <: u16) <. - (cast ($FIELD_MODULUS) <: u16))"); +pub(crate) fn compress_1(mut v: PortableVector) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!("(v $i < 16 ==> (forall (j:nat). (j >= v $i /\\ j < 16) ==> - v (cast (${a}.f_elements.[ sz j ]) <: u16) < v (cast ($FIELD_MODULUS) <: u16))) /\\ - (forall (j:nat). j < v $i ==> v (${a}.f_elements.[ sz j ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ sz j ] <: i16) < 2)") }); - hax_lib::fstar!("compress_message_coefficient_range_helper (cast (${a}.f_elements.[ $i ]) <: u16)"); - a.elements[i] = compress_message_coefficient(a.elements[i] as u16) as i16; - hax_lib::fstar!("assert (v (${a}.f_elements.[ $i ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ $i ] <: i16) < 2)"); + v.elements[i] = compress_message_coefficient(v.elements[i] as u16) as i16; } - hax_lib::fstar!("assert (forall (i:nat). 
i < 16 ==> v (${a}.f_elements.[ sz i ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ sz i ] <: i16) < 2)"); - a + v } #[inline(always)] -#[hax_lib::fstar::options("--fuel 0 --ifuel 0 --z3rlimit 2000")] -#[hax_lib::requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/ - v $COEFFICIENT_BITS == 5 \\/ - v $COEFFICIENT_BITS == 10 \\/ - v $COEFFICIENT_BITS == 11) /\\ - (forall (i:nat). i < 16 ==> v (Seq.index ${a}.f_elements i) >= 0 /\\ - v (Seq.index ${a}.f_elements i) < 3329)"))] -#[hax_lib::ensures(|result| fstar!("forall (i:nat). i < 16 ==> v (${result}.f_elements.[ sz i ] <: i16) >= 0 /\\ - v (${result}.f_elements.[ sz i ] <: i16) < pow2 (v $COEFFICIENT_BITS))"))] -pub(crate) fn compress(mut a: PortableVector) -> PortableVector { - hax_lib::fstar!("assert (v (cast ($COEFFICIENT_BITS) <: u8) == v $COEFFICIENT_BITS); - assert (v (cast ($COEFFICIENT_BITS) <: u32) == v $COEFFICIENT_BITS)"); - hax_lib::fstar!("assert (forall (i:nat). i < 16 ==> (cast (${a}.f_elements.[ sz i ]) <: u16) <. - (cast ($FIELD_MODULUS) <: u16))"); +pub(crate) fn compress(mut v: PortableVector) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!("(v $i < 16 ==> (forall (j:nat). (j >= v $i /\\ j < 16) ==> - v (cast (${a}.f_elements.[ sz j ]) <: u16) < v (cast ($FIELD_MODULUS) <: u16))) /\\ - (forall (j:nat). j < v $i ==> v (${a}.f_elements.[ sz j ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ sz j ] <: i16) < pow2 (v (cast ($COEFFICIENT_BITS) <: u32)))") }); - a.elements[i] = - compress_ciphertext_coefficient(COEFFICIENT_BITS as u8, a.elements[i] as u16) as i16; - hax_lib::fstar!("assert (v (${a}.f_elements.[ $i ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ $i ] <: i16) < pow2 (v (cast ($COEFFICIENT_BITS) <: u32)))"); + v.elements[i] = + compress_ciphertext_coefficient(COEFFICIENT_BITS as u8, v.elements[i] as u16) as i16; } - hax_lib::fstar!("assert (forall (i:nat). 
i < 16 ==> v (${a}.f_elements.[ sz i ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ sz i ] <: i16) < pow2 (v $COEFFICIENT_BITS))"); - a + v } #[inline(always)] diff --git a/libcrux-ml-kem/src/vector/portable/ntt.rs b/libcrux-ml-kem/src/vector/portable/ntt.rs index 656b462a5..d6eb66396 100644 --- a/libcrux-ml-kem/src/vector/portable/ntt.rs +++ b/libcrux-ml-kem/src/vector/portable/ntt.rs 
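Review bot: The `as u16` cast in `v.elements[i] = compress_message_coefficient(v.elements[i] as u16) as i16` reinterprets a negative i16 as a value above 32767, and the removed requires (`0 ≤ element < 3329`) was the only statement of the input range that makes that cast sound; the new compress_1 and compress state no such range. Add a doc line to both, e.g. `/// Every element of `v` must already be reduced into `0..FIELD_MODULUS`; the `as u16` cast below is only meaningful for non-negative inputs.`, or restore the requires in Rust form. The output range of `compress` (`< 2^COEFFICIENT_BITS`), previously in its ensures clause, is likewise now undocumented.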
@@ -2,229 +2,111 @@ use super::arithmetic::*; use super::vector_type::*; #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"]")] -#[hax_lib::requires(fstar!("v i < 16 /\\ v j < 16 /\\ v i <> v j /\\ - Spec.Utils.is_i16b 1664 $zeta /\\ - Spec.Utils.is_i16b_array (11207 + 6 * 3328) vec.f_elements /\\ - Spec.Utils.is_i16b (11207 + 5*3328) vec.f_elements.[i] /\\ - Spec.Utils.is_i16b (11207 + 5*3328) vec.f_elements.[j]"))] -#[hax_lib::ensures(|result| fstar!("(forall k. (k <> v i /\\ k <> v j) ==> - Seq.index ${vec}_future.f_elements k == Seq.index ${vec}.f_elements k) /\\ - (forall b. (Spec.Utils.is_i16b b ${vec}.f_elements.[i] /\\ - Spec.Utils.is_i16b b ${vec}.f_elements.[j]) ==> - (Spec.Utils.is_i16b (b+3328) ${vec}_future.f_elements.[i] /\\ - Spec.Utils.is_i16b (b+3328) ${vec}_future.f_elements.[j])) /\\ - Spec.Utils.ntt_spec ${vec}.f_elements (v $zeta) (v $i) (v $j) ${vec}_future.f_elements"))] -pub(crate) fn ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usize) { - let t = montgomery_multiply_fe_by_fer(vec.elements[j], zeta); - hax_lib::fstar!("assert (v t % 3329 == ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329))"); - let a_minus_t = vec.elements[i] - t; - hax_lib::fstar!(" - calc (==) { - v $a_minus_t % 3329; - (==) {} - (v (Seq.index vec.f_elements (v i)) - v ${t}) % 3329; - (==) {Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v $i))) (v $t) 3329} - (v (Seq.index vec.f_elements (v $i)) - (v $t % 3329)) % 3329; - (==) {} - (v (Seq.index vec.f_elements (v i)) - ((v (Seq.index vec.f_elements (v $j)) * v $zeta * 169) % 3329)) % 3329; - (==) {Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v $i))) (v (Seq.index vec.f_elements (v $j)) * v zeta * 169) 3329} - (v (Seq.index vec.f_elements (v $i)) - (v (Seq.index vec.f_elements (v $j)) * v $zeta * 169)) % 3329; - }"); - let a_plus_t = vec.elements[i] + t; - hax_lib::fstar!(" - calc (==) { - v a_plus_t % 3329; - (==) {} - (v (Seq.index 
vec.f_elements (v $i)) + v $t) % 3329; - (==) {Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v $i))) (v $t) 3329} - (v (Seq.index vec.f_elements (v $i)) + (v $t % 3329)) % 3329; - (==) {} - (v (Seq.index vec.f_elements (v $i)) + ((v (Seq.index vec.f_elements (v $j)) * v $zeta * 169) % 3329)) % 3329; - (==) {Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v $i))) (v (Seq.index vec.f_elements (v $j)) * v zeta * 169) 3329} - (v (Seq.index vec.f_elements (v $i)) + (v (Seq.index vec.f_elements (v $j)) * v $zeta * 169)) % 3329; - }"); - vec.elements[j] = a_minus_t; - vec.elements[i] = a_plus_t; - hax_lib::fstar!("assert (Seq.index vec.f_elements (v i) == a_plus_t); - assert (Seq.index vec.f_elements (v j) == a_minus_t)"); +pub(crate) fn ntt_step(v: &mut PortableVector, zeta: i16, i: usize, j: usize) { + let t = montgomery_multiply_fe_by_fer(v.elements[j], zeta); + v.elements[j] = v.elements[i] - t; + v.elements[i] = v.elements[i] + t; } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib ::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (11207+5*3328) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) ${result}.f_elements"))] pub(crate) fn ntt_layer_1_step( - mut vec: PortableVector, + mut v: PortableVector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, ) -> PortableVector { - ntt_step(&mut vec, zeta0, 0, 2); - ntt_step(&mut vec, zeta0, 1, 3); - ntt_step(&mut vec, zeta1, 4, 6); - ntt_step(&mut vec, zeta1, 5, 7); - ntt_step(&mut vec, zeta2, 8, 10); - ntt_step(&mut vec, zeta2, 9, 11); - ntt_step(&mut vec, zeta3, 12, 14); - ntt_step(&mut vec, zeta3, 13, 15); - vec + ntt_step(&mut v, zeta0, 0, 2); + ntt_step(&mut v, zeta0, 1, 3); + ntt_step(&mut v, zeta1, 4, 6); + ntt_step(&mut v, zeta1, 5, 7); + ntt_step(&mut v, zeta2, 8, 10); + 
ntt_step(&mut v, zeta2, 9, 11); + ntt_step(&mut v, zeta3, 12, 14); + ntt_step(&mut v, zeta3, 13, 15); + v } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array (11207+4*3328) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) ${result}.f_elements"))] -pub(crate) fn ntt_layer_2_step(mut vec: PortableVector, zeta0: i16, zeta1: i16) -> PortableVector { - ntt_step(&mut vec, zeta0, 0, 4); - ntt_step(&mut vec, zeta0, 1, 5); - ntt_step(&mut vec, zeta0, 2, 6); - ntt_step(&mut vec, zeta0, 3, 7); - ntt_step(&mut vec, zeta1, 8, 12); - ntt_step(&mut vec, zeta1, 9, 13); - ntt_step(&mut vec, zeta1, 10, 14); - ntt_step(&mut vec, zeta1, 11, 15); - vec +pub(crate) fn ntt_layer_2_step(mut v: PortableVector, zeta0: i16, zeta1: i16) -> PortableVector { + ntt_step(&mut v, zeta0, 0, 4); + ntt_step(&mut v, zeta0, 1, 5); + ntt_step(&mut v, zeta0, 2, 6); + ntt_step(&mut v, zeta0, 3, 7); + ntt_step(&mut v, zeta1, 8, 12); + ntt_step(&mut v, zeta1, 9, 13); + ntt_step(&mut v, zeta1, 10, 14); + ntt_step(&mut v, zeta1, 11, 15); + v } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array (11207+3*3328) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) ${result}.f_elements"))] -pub(crate) fn ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> PortableVector { - ntt_step(&mut vec, zeta, 0, 8); - ntt_step(&mut vec, zeta, 1, 9); - ntt_step(&mut vec, zeta, 2, 10); - ntt_step(&mut vec, zeta, 3, 11); - ntt_step(&mut vec, zeta, 4, 12); - ntt_step(&mut vec, zeta, 5, 13); - ntt_step(&mut vec, zeta, 6, 14); - ntt_step(&mut vec, zeta, 7, 15); - vec +pub(crate) fn ntt_layer_3_step(mut v: PortableVector, zeta: i16) -> PortableVector { + ntt_step(&mut v, zeta, 0, 8); + 
ntt_step(&mut v, zeta, 1, 9); + ntt_step(&mut v, zeta, 2, 10); + ntt_step(&mut v, zeta, 3, 11); + ntt_step(&mut v, zeta, 4, 12); + ntt_step(&mut v, zeta, 5, 13); + ntt_step(&mut v, zeta, 6, 14); + ntt_step(&mut v, zeta, 7, 15); + v } #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"]")] -#[hax_lib::requires(fstar!("v i < 16 /\\ v j < 16 /\\ v i <> v j /\\ - Spec.Utils.is_i16b 1664 $zeta /\\ - Spec.Utils.is_i16b_array (4*3328) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (4*3328) ${vec}_future.f_elements /\\ - (forall k. (k <> v i /\\ k <> v j) ==> - Seq.index ${vec}_future.f_elements k == Seq.index ${vec}.f_elements k) /\\ - Spec.Utils.is_i16b 3328 (Seq.index ${vec}_future.f_elements (v i)) /\\ - Spec.Utils.is_i16b 3328 (Seq.index ${vec}_future.f_elements (v j)) /\\ - Spec.Utils.inv_ntt_spec ${vec}.f_elements (v $zeta) (v $i) (v $j) ${vec}_future.f_elements"))] -pub(crate) fn inv_ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usize) { - let a_minus_b = vec.elements[j] - vec.elements[i]; - let a_plus_b = vec.elements[j] + vec.elements[i]; - hax_lib::fstar!("assert (v a_minus_b = v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i))); - assert (v a_plus_b = v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i)))"); - let o0 = barrett_reduce_element(a_plus_b); - let o1 = montgomery_multiply_fe_by_fer(a_minus_b, zeta); - hax_lib::fstar!(" - calc (==) { - v o0 % 3329; - (==) { } - v a_plus_b % 3329; - (==) { } - (v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i))) % 3329; - }; - calc (==) { - v o1 % 3329; - (==) { } - (v a_minus_b * v zeta * 169) % 3329; - (==) { } - ((v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i))) * v zeta * 169) % 3329; - }"); - vec.elements[i] = o0; - vec.elements[j] = o1; - hax_lib::fstar!("assert (Seq.index vec.f_elements (v i) == o0); - assert (Seq.index vec.f_elements (v j) == o1)"); 
+pub(crate) fn inv_ntt_step(v: &mut PortableVector, zeta: i16, i: usize, j: usize) { + let a_minus_b = v.elements[j] - v.elements[i]; + v.elements[i] = barrett_reduce_element(v.elements[i] + v.elements[j]); + v.elements[j] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 200")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (4*3328) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements"))] pub(crate) fn inv_ntt_layer_1_step( - mut vec: PortableVector, + mut v: PortableVector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, ) -> PortableVector { - inv_ntt_step(&mut vec, zeta0, 0, 2); - inv_ntt_step(&mut vec, zeta0, 1, 3); - inv_ntt_step(&mut vec, zeta1, 4, 6); - inv_ntt_step(&mut vec, zeta1, 5, 7); - inv_ntt_step(&mut vec, zeta2, 8, 10); - inv_ntt_step(&mut vec, zeta2, 9, 11); - inv_ntt_step(&mut vec, zeta3, 12, 14); - inv_ntt_step(&mut vec, zeta3, 13, 15); - hax_lib::fstar!( - "assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 13)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 15)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 12)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 14)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 9)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 11)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 8)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 10)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 5)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 7)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 4)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 6)); - assert 
(Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 1)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 3)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 0)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 2)); - assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements i))"); - vec + inv_ntt_step(&mut v, zeta0, 0, 2); + inv_ntt_step(&mut v, zeta0, 1, 3); + inv_ntt_step(&mut v, zeta1, 4, 6); + inv_ntt_step(&mut v, zeta1, 5, 7); + inv_ntt_step(&mut v, zeta2, 8, 10); + inv_ntt_step(&mut v, zeta2, 9, 11); + inv_ntt_step(&mut v, zeta3, 12, 14); + inv_ntt_step(&mut v, zeta3, 13, 15); + v } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array 3328 ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements"))] pub(crate) fn inv_ntt_layer_2_step( - mut vec: PortableVector, + mut v: PortableVector, zeta0: i16, zeta1: i16, ) -> PortableVector { - inv_ntt_step(&mut vec, zeta0, 0, 4); - inv_ntt_step(&mut vec, zeta0, 1, 5); - inv_ntt_step(&mut vec, zeta0, 2, 6); - inv_ntt_step(&mut vec, zeta0, 3, 7); - inv_ntt_step(&mut vec, zeta1, 8, 12); - inv_ntt_step(&mut vec, zeta1, 9, 13); - inv_ntt_step(&mut vec, zeta1, 10, 14); - inv_ntt_step(&mut vec, zeta1, 11, 15); - vec + inv_ntt_step(&mut v, zeta0, 0, 4); + inv_ntt_step(&mut v, zeta0, 1, 5); + inv_ntt_step(&mut v, zeta0, 2, 6); + inv_ntt_step(&mut v, zeta0, 3, 7); + inv_ntt_step(&mut v, zeta1, 8, 12); + inv_ntt_step(&mut v, zeta1, 9, 13); + inv_ntt_step(&mut v, zeta1, 10, 14); + inv_ntt_step(&mut v, zeta1, 11, 15); + v } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array 3328 ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 
${result}.f_elements"))] -pub(crate) fn inv_ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> PortableVector { - inv_ntt_step(&mut vec, zeta, 0, 8); - inv_ntt_step(&mut vec, zeta, 1, 9); - inv_ntt_step(&mut vec, zeta, 2, 10); - inv_ntt_step(&mut vec, zeta, 3, 11); - inv_ntt_step(&mut vec, zeta, 4, 12); - inv_ntt_step(&mut vec, zeta, 5, 13); - inv_ntt_step(&mut vec, zeta, 6, 14); - inv_ntt_step(&mut vec, zeta, 7, 15); - vec +pub(crate) fn inv_ntt_layer_3_step(mut v: PortableVector, zeta: i16) -> PortableVector { + inv_ntt_step(&mut v, zeta, 0, 8); + inv_ntt_step(&mut v, zeta, 1, 9); + inv_ntt_step(&mut v, zeta, 2, 10); + inv_ntt_step(&mut v, zeta, 3, 11); + inv_ntt_step(&mut v, zeta, 4, 12); + inv_ntt_step(&mut v, zeta, 5, 13); + inv_ntt_step(&mut v, zeta, 6, 14); + inv_ntt_step(&mut v, zeta, 7, 15); + v } /// Compute the product of two Kyber binomials with respect to the 
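Review bot: The new ntt_step does bare i16 `+`/`-` on `v.elements[i]` and `t` with no stated input bound, so the per-layer overflow budget the removed requires tracked (`11207 + k*3328` on entry, one more `3328` on exit) now exists nowhere; an overflow wraps silently in release and panics in debug. Add a comment on ntt_step such as `// Unchecked i16 add/sub: callers must keep |v.elements[i]|, |v.elements[j]| <= i16::MAX - |t| (removed spec tracked 11207 + 5*3328).`, and a matching one on inv_ntt_step, where `v.elements[i] + v.elements[j]` relied on both being within `4*3328`. ntt_step also silently assumes `i != j` (with `i == j` the second assignment reads what the first just wrote and the element is left unchanged), which the removed `v i <> v j` precondition made explicit; `debug_assert!(i != j);` as the first line would preserve that.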
@@ -248,109 +130,25 @@ pub(crate) fn inv_ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> Portab /// The NIST FIPS 203 standard can be found at /// . #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::fstar::options("--z3rlimit 250 --split_queries always --query_stats --ext context_prune")] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"]")] -#[hax_lib::requires(fstar!("v i < 8 /\\ Spec.Utils.is_i16b 1664 $zeta /\\ - Spec.Utils.is_i16b_array 3328 ${a}.f_elements /\\ - Spec.Utils.is_i16b_array 3328 ${b}.f_elements /\\ - Spec.Utils.is_i16b_array 3328 ${out}.f_elements "))] -#[hax_lib::ensures(|()| fstar!(" - Spec.Utils.is_i16b_array 3328 ${out}_future.f_elements /\\ - (forall k. (k <> 2 * v $i /\\ k <> 2 * v $i + 1) ==> - Seq.index ${out}_future.f_elements k == Seq.index ${out}.f_elements k) /\\ - (let ai = Seq.index ${a}.f_elements (2 * v $i) in - let aj = Seq.index ${a}.f_elements (2 * v $i + 1) in - let bi = Seq.index ${b}.f_elements (2 * v $i) in - let bj = Seq.index ${b}.f_elements (2 * v $i + 1) in - let oi = Seq.index out_future.f_elements (2 * v $i) in - let oj = Seq.index out_future.f_elements (2 * v $i + 1) in - ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * v zeta * 169)) * 169) % 3329)) /\\ - ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))"))] pub(crate) fn ntt_multiply_binomials( a: &PortableVector, b: &PortableVector, zeta: FieldElementTimesMontgomeryR, i: usize, + j: usize, out: &mut PortableVector, ) { - let ai = a.elements[2*i]; - let bi = b.elements[2*i]; - let aj = a.elements[2*i+1]; - let bj = b.elements[2*i+1]; - hax_lib::fstar!("assert(Spec.Utils.is_i16b 3328 $ai); - assert(Spec.Utils.is_i16b 3328 $bi); - assert(Spec.Utils.is_i16b 3328 $aj); - assert(Spec.Utils.is_i16b 3328 $bj); - assert_norm (3328 * 3328 < pow2 31)"); - - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 3328 $ai $bi"); - let ai_bi = (ai as i32) * (bi as i32); - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 
3328 $aj $bj"); - let aj_bj_ = (aj as i32) * (bj as i32); - hax_lib::fstar!("assert_norm (3328 * 3328 <= 3328 * pow2 15)"); - let aj_bj = montgomery_reduce_element(aj_bj_); - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 1664 $aj_bj $zeta"); - let aj_bj_zeta = (aj_bj as i32) * (zeta as i32); - let ai_bi_aj_bj = ai_bi + aj_bj_zeta; - hax_lib::fstar!("assert(Spec.Utils.is_i32b (3328*3328 + 3328*1664) $ai_bi_aj_bj)"); - hax_lib::fstar!("assert_norm (3328 * 3328 + 3328 * 1664 <= 3328 * pow2 15)"); - let o0 = montgomery_reduce_element(ai_bi_aj_bj); - hax_lib::fstar!("calc ( == ) { - v $o0 % 3329; - ( == ) { () } - (v $ai_bi_aj_bj * 169) % 3329; - ( == ) { assert(v $ai_bi_aj_bj == v $ai_bi + v $aj_bj_zeta) } - ((v $ai_bi + v $aj_bj_zeta) * 169) % 3329; - ( == ) { assert (v $ai_bi == v $ai * v $bi) } - (((v $ai * v $bi) + v $aj_bj_zeta) * 169) % 3329; - ( == ) { assert (v $aj_bj_zeta == v $aj_bj * v $zeta) } - (((v $ai * v $bi) + (v $aj_bj * v $zeta)) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + (v aj_bj * v zeta)) 169 3329 } - ((((v $ai * v $bi) + (v $aj_bj * v $zeta)) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v ai * v bi) (v aj_bj * v zeta) 3329 } - (((v $ai * v $bi) + ((v $aj_bj * v $zeta) % 3329)) % 3329 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v aj_bj) (v zeta) 3329 } - (((v $ai * v $bi) + ((v $aj_bj % 3329 * v $zeta) % 3329)) % 3329 * 169) % 3329; - ( == ) { assert(v aj_bj % 3329 == (v $aj_bj_ * 169) % 3329) } - (((v $ai * v $bi) + (((v $aj_bj_ * 169) % 3329 * v $zeta) % 3329)) % 3329 * 169) % 3329; - ( == ) { assert(v $aj_bj_ == v $aj * v $bj) } - (((v $ai * v $bi) + (((v $aj * v $bj * 169) % 3329 * v $zeta) % 3329)) % 3329 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v $aj * v $bj * 169) (v $zeta) 3329 } - (((v $ai * v $bi) + (((v $aj * v $bj * 169 * v $zeta) % 3329))) % 3329 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v $ai * v $bi) (v $aj * v $bj * 169 * 
v $zeta) 3329 } - (((v $ai * v $bi) + ((v $aj * v $bj * 169 * v $zeta))) % 3329 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) 169 3329 } - (((v $ai * v $bi) + ((v $aj * v $bj * 169 * v $zeta))) * 169) % 3329; - }"); - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 3328 $ai $bj"); - let ai_bj = (ai as i32) * (bj as i32); - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 3328 $aj $bi"); - let aj_bi = (aj as i32) * (bi as i32); - let ai_bj_aj_bi = ai_bj + aj_bi; - hax_lib::fstar!("assert(Spec.Utils.is_i32b (3328*3328 + 3328*3328) ai_bj_aj_bi) "); - hax_lib::fstar!("assert_norm (3328 * 3328 + 3328 * 3328 <= 3328 * pow2 15)"); - let o1 = montgomery_reduce_element(ai_bj_aj_bi); - hax_lib::fstar!("calc ( == ) { - v $o1 % 3329; - ( == ) { () } - (v $ai_bj_aj_bi * 169) % 3329; - ( == ) { assert(v $ai_bj_aj_bi == v $ai_bj + v $aj_bi) } - ((v $ai_bj + v $aj_bi) * 169) % 3329; - ( == ) { assert (v ai_bj == v ai * v bj) } - ((v ai * v bj + v aj_bi) * 169) % 3329; - ( == ) { assert (v aj_bi == v aj * v bi) } - ((v ai * v bj + v aj * v bi) * 169) % 3329; - }"); - let _out0 = out.elements; - out.elements[2*i] = o0; - out.elements[2*i+1] = o1; - hax_lib::fstar!("assert (Seq.index out.f_elements (2 * v i) == o0); - assert (Seq.index out.f_elements (2 * v i + 1) == o1); - assert (Spec.Utils.is_i16b_array 3328 out.f_elements); - assert (forall k. (k <> 2 * v i /\\ k <> 2 * v i + 1) ==> - Seq.index out.f_elements k == - Seq.index ${_out0} k)"); + let o0 = montgomery_reduce_element( + (a.elements[i] as i32) * (b.elements[i] as i32) + + (montgomery_reduce_element((a.elements[j] as i32) * (b.elements[j] as i32)) as i32) + * (zeta as i32), + ); + let o1 = montgomery_reduce_element( + (a.elements[i] as i32) * (b.elements[j] as i32) + + (a.elements[j] as i32) * (b.elements[i] as i32), + ); + out.elements[i] = o0; + out.elements[j] = o1; } // #[inline(always)] 
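Review bot: The new signature of ntt_multiply_binomials takes two independent indices `i` and `j` but nothing states how they relate or bounds them, whereas the removed contract had `v i < 8` and derived `2*i`, `2*i+1`; a caller passing `i == j` or an index of 16 or more now fails only at runtime on `out.elements[j]`. Document the parameters, e.g. `/// `i` and `j` select the two coefficients of one binomial in `a`, `b` and `out`; callers pass the adjacent pair `2k`, `2k+1`.`, and consider `debug_assert!(i != j);`. The inlined expression for `o0` is also harder to audit than the removed `ai_bi` / `aj_bj` intermediates, and `montgomery_reduce_element(..) as i32 * (zeta as i32)` leans on `as` binding tighter than `*`; naming the reduced product, `let aj_bj = montgomery_reduce_element((a.elements[j] as i32) * (b.elements[j] as i32));`, would keep the earlier clarity. The doc comment for ntt_multiply_binomials begins above the hunk.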
@@ -369,25 +167,6 @@ pub(crate) fn ntt_multiply_binomials( // } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 $zeta0 /\\ - Spec.Utils.is_i16b 1664 $zeta1 /\\ - Spec.Utils.is_i16b 1664 $zeta2 /\\ - Spec.Utils.is_i16b 1664 $zeta3 /\\ - Spec.Utils.is_i16b_array 3328 ${lhs}.f_elements /\\ - Spec.Utils.is_i16b_array 3328 ${rhs}.f_elements "))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\\ - (let zetas = Seq.seq_of_list [v zeta0; - v zeta0; v zeta1; - v zeta1; v zeta2; - v zeta2; v zeta3; - v zeta3] in - (forall (i:nat). i < 8 ==> - (let ai = Seq.index lhs.f_elements (2 * i) in - let aj = Seq.index lhs.f_elements (2 * i + 1) in - let bi = Seq.index rhs.f_elements (2 * i) in - let bj = Seq.index rhs.f_elements (2 * i + 1) in - let oi = Seq.index result.f_elements (2 * i) in - let oj = Seq.index result.f_elements (2 * i + 1) in - ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * (Seq.index zetas i) * 169)) * 169) % 3329)) /\\ - ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))))"))] pub(crate) fn ntt_multiply( lhs: &PortableVector, rhs: &PortableVector, 
@@ -396,31 +175,14 @@ pub(crate) fn ntt_multiply(
 zeta2: i16,
 zeta3: i16,
 ) -> PortableVector {
- let nzeta0 = -zeta0;
- let nzeta1 = -zeta1;
- let nzeta2 = -zeta2;
- let nzeta3 = -zeta3;
- hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta0)");
- hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta1)");
- hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta2)");
- hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta3)");
 let mut out = zero();
- hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
- ntt_multiply_binomials(lhs, rhs, zeta0, 0, &mut out);
- hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
- ntt_multiply_binomials(lhs, rhs, nzeta0, 1, &mut out);
- hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
- ntt_multiply_binomials(lhs, rhs, zeta1, 2, &mut out);
- hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
- ntt_multiply_binomials(lhs, rhs, nzeta1, 3, &mut out);
- hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
- ntt_multiply_binomials(lhs, rhs, zeta2, 4, &mut out);
- hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
- ntt_multiply_binomials(lhs, rhs, nzeta2, 5, &mut out);
- hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
- ntt_multiply_binomials(lhs, rhs, zeta3, 6, &mut out);
- hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
- ntt_multiply_binomials(lhs, rhs, nzeta3, 7, &mut out);
- hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)");
+ ntt_multiply_binomials(lhs, rhs, zeta0, 0, 1, &mut out);
+ ntt_multiply_binomials(lhs, rhs, -zeta0, 2, 3, &mut out);
+ ntt_multiply_binomials(lhs, rhs, zeta1, 4, 5, &mut out);
+ ntt_multiply_binomials(lhs, rhs, -zeta1, 6, 7, &mut out);
+ ntt_multiply_binomials(lhs, rhs, zeta2, 8, 9, &mut out);
+ ntt_multiply_binomials(lhs, rhs, -zeta2, 10, 11, &mut out);
+ ntt_multiply_binomials(lhs, rhs, zeta3, 12, 13, &mut out);
+ ntt_multiply_binomials(lhs, rhs, -zeta3, 14, 15, &mut out);
 out
 }
diff --git a/libcrux-ml-kem/src/vector/portable/sampling.rs b/libcrux-ml-kem/src/vector/portable/sampling.rs
index 13f6f9f33..87dacce97 100644
--- a/libcrux-ml-kem/src/vector/portable/sampling.rs
+++ b/libcrux-ml-kem/src/vector/portable/sampling.rs
@@ -1,11 +1,6 @@
 use crate::vector::FIELD_MODULUS;
 
 #[inline(always)]
-#[hax_lib::fstar::verification_status(lax)]
-#[hax_lib::requires(a.len() == 24 && result.len() == 16)]
-#[hax_lib::ensures(|res|
- fstar!("Seq.length $result_future == Seq.length $result /\\ v $res <= 16")
- )]
 pub(crate) fn rej_sample(a: &[u8], result: &mut [i16]) -> usize {
 let mut sampled = 0;
 for i in 0..a.len() / 3 {
diff --git a/libcrux-ml-kem/src/vector/portable/serialize.rs b/libcrux-ml-kem/src/vector/portable/serialize.rs
index 151c1b31b..e0818dc28 100644
--- a/libcrux-ml-kem/src/vector/portable/serialize.rs
+++ b/libcrux-ml-kem/src/vector/portable/serialize.rs
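Review bot: The new call sites pass lane pairs (0, 1), (2, 3), … with an even `i` and `j == i + 1`, but nothing in `ntt_multiply` or the widened `ntt_multiply_binomials(lhs, rhs, zeta, i, j, out)` signature states that requirement now that the hax `requires`/`ensures` contracts were dropped in the preceding hunk, and the `is_i16b 1664` bound on the zetas — which is what keeps the inline `-zeta0` … `-zeta3` clear of i16 overflow — is no longer recorded anywhere either. A doc comment on `ntt_multiply` would carry both facts, e.g. `/// Lane pair k = (2k, 2k+1) is multiplied as a degree-1 binomial with twiddle zeta_{k/2}, negated when k is odd; every zeta must be bounded by 1664 (so negation cannot overflow) and every element by 3328.` The function's signature and its `zeta0`/`zeta1` parameters sit in the previous hunk, outside this one.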
@@ -13,135 +13,33 @@ // and code that updates arrays (in the outer functions). use super::vector_type::*; +use crate::vector::traits::FIELD_ELEMENTS_IN_VECTOR; -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 1)) - (ensures bit_vec_of_int_t_array (${serialize_1} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 1) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let serialize_1_lemma inputs = - serialize_1_bit_vec_lemma inputs.f_elements (); - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_1} inputs) 8) - (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 1)) - -#pop-options -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let serialize_1_bit_vec_lemma (v: t_Array i16 (sz 16)) - (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 1)) - : squash ( - let inputs = bit_vec_of_int_t_array v 1 in - let outputs = bit_vec_of_int_t_array (${serialize_1} ({ f_elements = v })) 8 in - (forall (i: nat {i < 16}). 
inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] #[inline(always)] pub(crate) fn serialize_1(v: PortableVector) -> [u8; 2] { - let result0 = (v.elements[0] as u8) | ((v.elements[1] as u8) << 1) | - ((v.elements[2] as u8) << 2) | ((v.elements[3] as u8) << 3) | - ((v.elements[4] as u8) << 4) | ((v.elements[5] as u8) << 5) | - ((v.elements[6] as u8) << 6) | ((v.elements[7] as u8) << 7); - let result1 = (v.elements[8] as u8) | ((v.elements[9] as u8) << 1) | - ((v.elements[10] as u8) << 2) | ((v.elements[11] as u8) << 3) | - ((v.elements[12] as u8) << 4) | ((v.elements[13] as u8) << 5) | - ((v.elements[14] as u8) << 6) | ((v.elements[15] as u8) << 7); - [ - result0, - result1 - ] + let mut result = [0u8; 2]; + for i in 0..8 { + result[0] |= (v.elements[i] as u8) << i; + } + for i in 8..16 { + result[1] |= (v.elements[i] as u8) << (i - 8); + } + result } -//deserialize_1_bounded_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_1_bounded_lemma (inputs: t_Array u8 (sz 2)) : Lemma - (ensures forall i. 
i < 16 ==> bounded (Seq.index (${deserialize_1} inputs).f_elements i) 1) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -let deserialize_1_bounded_lemma inputs = - admit() -"))] -//deserialize_1_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_1_lemma (inputs: t_Array u8 (sz 2)) : Lemma - (ensures bit_vec_of_int_t_array (${deserialize_1} inputs).f_elements 1 == bit_vec_of_int_t_array inputs 8) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let deserialize_1_lemma inputs = - deserialize_1_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_1} inputs).f_elements 1) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options -"))] -//deserialize_1_bit_vec_lemma -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let deserialize_1_bit_vec_lemma (v: t_Array u8 (sz 2)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (${deserialize_1} v).f_elements 1 in - (forall (i: nat {i < 16}). 
inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 2} -"#))] #[inline(always)] pub(crate) fn deserialize_1(v: &[u8]) -> PortableVector { - let result0 = (v[0] & 0x1) as i16; - let result1 = ((v[0] >> 1) & 0x1) as i16; - let result2 = ((v[0] >> 2) & 0x1) as i16; - let result3 = ((v[0] >> 3) & 0x1) as i16; - let result4 = ((v[0] >> 4) & 0x1) as i16; - let result5 = ((v[0] >> 5) & 0x1) as i16; - let result6 = ((v[0] >> 6) & 0x1) as i16; - let result7 = ((v[0] >> 7) & 0x1) as i16; - let result8 = (v[1] & 0x1) as i16; - let result9 = ((v[1] >> 1) & 0x1) as i16; - let result10 = ((v[1] >> 2) & 0x1) as i16; - let result11 = ((v[1] >> 3) & 0x1) as i16; - let result12 = ((v[1] >> 4) & 0x1) as i16; - let result13 = ((v[1] >> 5) & 0x1) as i16; - let result14 = ((v[1] >> 6) & 0x1) as i16; - let result15 = ((v[1] >> 7) & 0x1) as i16; - PortableVector { elements: [ - result0, - result1, - result2, - result3, - result4, - result5, - result6, - result7, - result8, - result9, - result10, - result11, - result12, - result13, - result14, - result15, - ] } + let mut result = zero(); + for i in 0..8 { + result.elements[i] = ((v[0] >> i) & 0x1) as i16; + } + for i in 8..FIELD_ELEMENTS_IN_VECTOR { + result.elements[i] = ((v[1] >> (i - 8)) & 0x1) as i16; + } + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 8} -"#))] pub(crate) fn serialize_4_int(v: &[i16]) -> (u8, u8, u8, u8) { let result0 = ((v[1] as u8) << 4) | (v[0] as u8); let result1 = ((v[3] as u8) << 4) | (v[2] as u8); 
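Review bot: In the new `deserialize_1` the first loop bound is the literal `8` while the second uses `FIELD_ELEMENTS_IN_VECTOR`, and `serialize_1` uses literals `8` and `16` throughout, so the newly imported constant is only half applied; `for i in 0..FIELD_ELEMENTS_IN_VECTOR / 2` and `for i in FIELD_ELEMENTS_IN_VECTOR / 2..FIELD_ELEMENTS_IN_VECTOR` in both functions would make the split point derive from one definition. The removed `requires(v.len() == 2)` on `deserialize_1` and `requires(v.len() == 8)` on `serialize_4_int` were the only statements of the slice lengths these functions index; since `v[1]` and `v[0..8]`-style indexing panic on shorter input, keep that contract visible as a doc comment such as `/// `v` must hold at least 2 bytes; only `v[0]` and `v[1]` are read.` Likewise the removed lemma's `bounded … 1` precondition is what makes `(v.elements[i] as u8) << i` in `serialize_1` contribute a single bit, and is worth stating on that function too.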
@@ -150,55 +48,23 @@ pub(crate) fn serialize_4_int(v: &[i16]) -> (u8, u8, u8, u8) { (result0, result1, result2, result3) } -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4)) - (ensures bit_vec_of_int_t_array (${serialize_4} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let serialize_4_lemma inputs = - serialize_4_bit_vec_lemma inputs.f_elements (); - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_4} inputs) 8) - (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 4)) - -#pop-options -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let serialize_4_bit_vec_lemma (v: t_Array i16 (sz 16)) - (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 4)) - : squash ( - let inputs = bit_vec_of_int_t_array v 4 in - let outputs = bit_vec_of_int_t_array (${serialize_4} ({ f_elements = v })) 8 in - (forall (i: nat {i < 64}). 
inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] #[inline(always)] pub(crate) fn serialize_4(v: PortableVector) -> [u8; 8] { let result0_3 = serialize_4_int(&v.elements[0..8]); let result4_7 = serialize_4_int(&v.elements[8..16]); - [ - result0_3.0, - result0_3.1, - result0_3.2, - result0_3.3, - result4_7.0, - result4_7.1, - result4_7.2, - result4_7.3, - ] + let mut result = [0u8; 8]; + result[0] = result0_3.0; + result[1] = result0_3.1; + result[2] = result0_3.2; + result[3] = result0_3.3; + result[4] = result4_7.0; + result[5] = result4_7.1; + result[6] = result4_7.2; + result[7] = result4_7.3; + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 4} -"#))] pub(crate) fn deserialize_4_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) { let v0 = (bytes[0] & 0x0F) as i16; let v1 = ((bytes[0] >> 4) & 0x0F) as i16; 
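Review bot: `serialize_4` replaces the returned array literal with `let mut result = [0u8; 8]` and eight index assignments, but the hunk gives no reason for the less direct form; the only rationale on this page is the comment added to `serialize_10` ("it slows F* down"), which a reader of this function cannot see. Either repeat a one-line comment here, e.g. `// Index assignments instead of an array literal: the literal slows F* down (see serialize_10).`, or move the explanation to the module header so it covers all of them, since the same rewrite appears in the `deserialize_4`, `serialize_5`, `deserialize_5`, `deserialize_10`, `serialize_11`, `deserialize_11`, `serialize_12` and `deserialize_12` hunks below. The removed `requires(bytes.len() == 4)` on `deserialize_4_int` was also the only place its input length was stated; the indexing into `bytes` panics on shorter input, so a doc comment on each `*_int` helper should keep that length.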
@@ -211,75 +77,31 @@ pub(crate) fn deserialize_4_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, (v0, v1, v2, v3, v4, v5, v6, v7) } -//deserialize_4_bounded_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_4_bounded_lemma (inputs: t_Array u8 (sz 8)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_4} inputs).f_elements i) 4) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -let deserialize_4_bounded_lemma inputs = - admit() -"))] -//deserialize_4_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma - (ensures bit_vec_of_int_t_array (${deserialize_4} inputs).f_elements 4 == bit_vec_of_int_t_array inputs 8) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let deserialize_4_lemma inputs = - deserialize_4_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_4} inputs).f_elements 4) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options -"))] -//deserialize_4_bit_vec_lemma -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let deserialize_4_bit_vec_lemma (v: t_Array u8 (sz 8)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (${deserialize_4} v).f_elements 4 in - (forall (i: nat {i < 64}). 
inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 8} -"#))] #[inline(always)] pub(crate) fn deserialize_4(bytes: &[u8]) -> PortableVector { let v0_7 = deserialize_4_int(&bytes[0..4]); let v8_15 = deserialize_4_int(&bytes[4..8]); - PortableVector { elements: [ - v0_7.0, - v0_7.1, - v0_7.2, - v0_7.3, - v0_7.4, - v0_7.5, - v0_7.6, - v0_7.7, - v8_15.0, - v8_15.1, - v8_15.2, - v8_15.3, - v8_15.4, - v8_15.5, - v8_15.6, - v8_15.7, - ] } + let mut v = zero(); + v.elements[0] = v0_7.0; + v.elements[1] = v0_7.1; + v.elements[2] = v0_7.2; + v.elements[3] = v0_7.3; + v.elements[4] = v0_7.4; + v.elements[5] = v0_7.5; + v.elements[6] = v0_7.6; + v.elements[7] = v0_7.7; + v.elements[8] = v8_15.0; + v.elements[9] = v8_15.1; + v.elements[10] = v8_15.2; + v.elements[11] = v8_15.3; + v.elements[12] = v8_15.4; + v.elements[13] = v8_15.5; + v.elements[14] = v8_15.6; + v.elements[15] = v8_15.7; + v } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 8} -"#))] pub(crate) fn serialize_5_int(v: &[i16]) -> (u8, u8, u8, u8, u8) { let r0 = (v[0] | v[1] << 5) as u8; let r1 = (v[1] >> 3 | v[2] << 2 | v[3] << 7) as u8; 
@@ -289,57 +111,25 @@ pub(crate) fn serialize_5_int(v: &[i16]) -> (u8, u8, u8, u8, u8) { (r0, r1, r2, r3, r4) } -// #[cfg_attr(hax, hax_lib::fstar::after(interface, " -// val serialize_5_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma -// (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 5)) -// (ensures bit_vec_of_int_t_array (${serialize_5} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 5) -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--z3rlimit 300\" - -// let serialize_5_lemma inputs = -// serialize_5_bit_vec_lemma inputs.f_elements (); -// BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_5} inputs) 8) -// (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 5)) - -// #pop-options -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -// let serialize_5_bit_vec_lemma (v: t_Array i16 (sz 16)) -// (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 5)) -// : squash ( -// let inputs = bit_vec_of_int_t_array v 5 in -// let outputs = bit_vec_of_int_t_array (${serialize_5} ({ f_elements = v })) 8 in -// (forall (i: nat {i < 80}). 
inputs i == outputs i) -// ) = -// _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -// #pop-options -// "))] #[inline(always)] pub(crate) fn serialize_5(v: PortableVector) -> [u8; 10] { let r0_4 = serialize_5_int(&v.elements[0..8]); let r5_9 = serialize_5_int(&v.elements[8..16]); - [ - r0_4.0, - r0_4.1, - r0_4.2, - r0_4.3, - r0_4.4, - r5_9.0, - r5_9.1, - r5_9.2, - r5_9.3, - r5_9.4, - ] + let mut result = [0u8; 10]; + result[0] = r0_4.0; + result[1] = r0_4.1; + result[2] = r0_4.2; + result[3] = r0_4.3; + result[4] = r0_4.4; + result[5] = r5_9.0; + result[6] = r5_9.1; + result[7] = r5_9.2; + result[8] = r5_9.3; + result[9] = r5_9.4; + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 5} -"#))] pub(crate) fn deserialize_5_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) { let v0 = (bytes[0] & 0x1F) as i16; let v1 = ((bytes[1] & 0x3) << 3 | (bytes[0] >> 5)) as i16; 
@@ -352,64 +142,31 @@ pub(crate) fn deserialize_5_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, (v0, v1, v2, v3, v4, v5, v6, v7) } -// #[cfg_attr(hax, hax_lib::fstar::after(interface, " -// val deserialize_5_lemma (inputs: t_Array u8 (sz 10)) : Lemma -// (ensures bit_vec_of_int_t_array (${deserialize_5} inputs).f_elements 5 == bit_vec_of_int_t_array inputs 8) -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--z3rlimit 300\" - -// let deserialize_5_lemma inputs = -// deserialize_5_bit_vec_lemma inputs; -// BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_5} inputs).f_elements 5) -// (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -// #pop-options -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -// let deserialize_5_bit_vec_lemma (v: t_Array u8 (sz 10)) -// : squash ( -// let inputs = bit_vec_of_int_t_array v 8 in -// let outputs = bit_vec_of_int_t_array (${deserialize_5} v).f_elements 5 in -// (forall (i: nat {i < 80}). 
inputs i == outputs i) -// ) = -// _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -// #pop-options -// "))] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 10} -"#))] #[inline(always)] pub(crate) fn deserialize_5(bytes: &[u8]) -> PortableVector { let v0_7 = deserialize_5_int(&bytes[0..5]); let v8_15 = deserialize_5_int(&bytes[5..10]); - PortableVector { elements: [ - v0_7.0, - v0_7.1, - v0_7.2, - v0_7.3, - v0_7.4, - v0_7.5, - v0_7.6, - v0_7.7, - v8_15.0, - v8_15.1, - v8_15.2, - v8_15.3, - v8_15.4, - v8_15.5, - v8_15.6, - v8_15.7, - ] } + let mut v = zero(); + v.elements[0] = v0_7.0; + v.elements[1] = v0_7.1; + v.elements[2] = v0_7.2; + v.elements[3] = v0_7.3; + v.elements[4] = v0_7.4; + v.elements[5] = v0_7.5; + v.elements[6] = v0_7.6; + v.elements[7] = v0_7.7; + v.elements[8] = v8_15.0; + v.elements[9] = v8_15.1; + v.elements[10] = v8_15.2; + v.elements[11] = v8_15.3; + v.elements[12] = v8_15.4; + v.elements[13] = v8_15.5; + v.elements[14] = v8_15.6; + v.elements[15] = v8_15.7; + v } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 4} -"#))] pub(crate) fn serialize_10_int(v: &[i16]) -> (u8, u8, u8, u8, u8) { let r0 = (v[0] & 0xFF) as u8; let r1 = ((v[1] & 0x3F) as u8) << 2 | ((v[0] >> 8) & 0x03) as u8; 
@@ -419,51 +176,43 @@ pub(crate) fn serialize_10_int(v: &[i16]) -> (u8, u8, u8, u8, u8) { (r0, r1, r2, r3, r4) } -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 10)) - (ensures bit_vec_of_int_t_array (${serialize_10} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 10) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let serialize_10_lemma inputs = - serialize_10_bit_vec_lemma inputs.f_elements (); - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_10} inputs) 8) - (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 10)) - -#pop-options -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let serialize_10_bit_vec_lemma (v: t_Array i16 (sz 16)) - (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 10)) - : squash ( - let inputs = bit_vec_of_int_t_array v 10 in - let outputs = bit_vec_of_int_t_array (${serialize_10} ({ f_elements = v })) 8 in - (forall (i: nat {i < 160}). 
inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] #[inline(always)] pub(crate) fn serialize_10(v: PortableVector) -> [u8; 20] { let r0_4 = serialize_10_int(&v.elements[0..4]); let r5_9 = serialize_10_int(&v.elements[4..8]); let r10_14 = serialize_10_int(&v.elements[8..12]); let r15_19 = serialize_10_int(&v.elements[12..16]); - [ - r0_4.0, r0_4.1, r0_4.2, r0_4.3, r0_4.4, r5_9.0, r5_9.1, r5_9.2, r5_9.3, r5_9.4, r10_14.0, - r10_14.1, r10_14.2, r10_14.3, r10_14.4, r15_19.0, r15_19.1, r15_19.2, r15_19.3, r15_19.4, - ] + // Here we could also do, the following, but it slows F* down: + // [r0_4.0, r0_4.1, r0_4.2, r0_4.3, r0_4.4, + // r5_9.0, r5_9.1, r5_9.2, r5_9.3, r5_9.4, + // r10_14.0, r10_14.1, r10_14.2, r10_14.3, r10_14.4, + // r15_19.0, r15_19.1, r15_19.2, r15_19.3, r15_19.4 ] + // If we can fix the F* for this, the code would be more compact. + let mut result = [0u8; 20]; + result[0] = r0_4.0; + result[1] = r0_4.1; + result[2] = r0_4.2; + result[3] = r0_4.3; + result[4] = r0_4.4; + result[5] = r5_9.0; + result[6] = r5_9.1; + result[7] = r5_9.2; + result[8] = r5_9.3; + result[9] = r5_9.4; + result[10] = r10_14.0; + result[11] = r10_14.1; + result[12] = r10_14.2; + result[13] = r10_14.3; + result[14] = r10_14.4; + result[15] = r15_19.0; + result[16] = r15_19.1; + result[17] = r15_19.2; + result[18] = r15_19.3; + result[19] = r15_19.4; + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 10} -"#))] pub(crate) fn deserialize_10_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) { let r0 = ((bytes[1] as i16 & 0x03) << 8 | (bytes[0] as i16 & 0xFF)) as i16; let r1 = ((bytes[2] as i16 & 0x0F) << 6 | (bytes[1] as i16 >> 2)) as i16; 
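Review bot: The new comment reads `// Here we could also do, the following, but it slows F* down:` — the stray comma after `do` should go, and since this is the only explanation on the page for the index-assignment style used across the serialize/deserialize functions, it would serve better as a module-level note than one buried in `serialize_10`. The removed `requires(bytes.len() == 10)` on `deserialize_10_int` should survive as a doc comment, `/// `bytes` must hold at least 10 bytes.`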
@@ -476,75 +225,31 @@ pub(crate) fn deserialize_10_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, (r0, r1, r2, r3, r4, r5, r6, r7) } -//deserialize_10_bounded_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_10} inputs).f_elements i) 10) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -let deserialize_10_bounded_lemma inputs = - admit() -"))] -//deserialize_10_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma - (ensures bit_vec_of_int_t_array (${deserialize_10} inputs).f_elements 10 == bit_vec_of_int_t_array inputs 8) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let deserialize_10_lemma inputs = - deserialize_10_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_10} inputs).f_elements 10) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options -"))] -//deserialize_10_bit_vec_lemma -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let deserialize_10_bit_vec_lemma (v: t_Array u8 (sz 20)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (${deserialize_10} v).f_elements 10 in - (forall (i: nat {i < 160}). 
inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 20} -"#))] #[inline(always)] pub(crate) fn deserialize_10(bytes: &[u8]) -> PortableVector { let v0_7 = deserialize_10_int(&bytes[0..10]); let v8_15 = deserialize_10_int(&bytes[10..20]); - PortableVector { elements: [ - v0_7.0, - v0_7.1, - v0_7.2, - v0_7.3, - v0_7.4, - v0_7.5, - v0_7.6, - v0_7.7, - v8_15.0, - v8_15.1, - v8_15.2, - v8_15.3, - v8_15.4, - v8_15.5, - v8_15.6, - v8_15.7, - ] } + let mut v = zero(); + v.elements[0] = v0_7.0; + v.elements[1] = v0_7.1; + v.elements[2] = v0_7.2; + v.elements[3] = v0_7.3; + v.elements[4] = v0_7.4; + v.elements[5] = v0_7.5; + v.elements[6] = v0_7.6; + v.elements[7] = v0_7.7; + v.elements[8] = v8_15.0; + v.elements[9] = v8_15.1; + v.elements[10] = v8_15.2; + v.elements[11] = v8_15.3; + v.elements[12] = v8_15.4; + v.elements[13] = v8_15.5; + v.elements[14] = v8_15.6; + v.elements[15] = v8_15.7; + v } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 8} -"#))] pub(crate) fn serialize_11_int(v: &[i16]) -> (u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8) { let r0 = v[0] as u8; let r1 = ((v[1] & 0x1F) as u8) << 3 | ((v[0] >> 8) as u8); 
@@ -560,119 +265,76 @@ pub(crate) fn serialize_11_int(v: &[i16]) -> (u8, u8, u8, u8, u8, u8, u8, u8, u8 (r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10) } -// #[cfg_attr(hax, hax_lib::fstar::after(interface, " -// val serialize_11_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma -// (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 11)) -// (ensures bit_vec_of_int_t_array (${serialize_11} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 11) -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--z3rlimit 300\" - -// let serialize_11_lemma inputs = -// serialize_11_bit_vec_lemma inputs.f_elements (); -// BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_11} inputs) 8) -// (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 11)) - -// #pop-options -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -// let serialize_11_bit_vec_lemma (v: t_Array i16 (sz 16)) -// (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 11)) -// : squash ( -// let inputs = bit_vec_of_int_t_array v 11 in -// let outputs = bit_vec_of_int_t_array (${serialize_11} ({ f_elements = v })) 8 in -// (forall (i: nat {i < 176}). 
inputs i == outputs i) -// ) = -// _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -// #pop-options -// "))] #[inline(always)] pub(crate) fn serialize_11(v: PortableVector) -> [u8; 22] { let r0_10 = serialize_11_int(&v.elements[0..8]); let r11_21 = serialize_11_int(&v.elements[8..16]); - [ - r0_10.0, r0_10.1, r0_10.2, r0_10.3, r0_10.4, r0_10.5, r0_10.6, r0_10.7, r0_10.8, r0_10.9, r0_10.10, - r11_21.0, r11_21.1, r11_21.2, r11_21.3, r11_21.4, r11_21.5, r11_21.6, r11_21.7, r11_21.8, r11_21.9, r11_21.10, - ] + let mut result = [0u8; 22]; + result[0] = r0_10.0; + result[1] = r0_10.1; + result[2] = r0_10.2; + result[3] = r0_10.3; + result[4] = r0_10.4; + result[5] = r0_10.5; + result[6] = r0_10.6; + result[7] = r0_10.7; + result[8] = r0_10.8; + result[9] = r0_10.9; + result[10] = r0_10.10; + result[11] = r11_21.0; + result[12] = r11_21.1; + result[13] = r11_21.2; + result[14] = r11_21.3; + result[15] = r11_21.4; + result[16] = r11_21.5; + result[17] = r11_21.6; + result[18] = r11_21.7; + result[19] = r11_21.8; + result[20] = r11_21.9; + result[21] = r11_21.10; + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 11} -"#))] pub(crate) fn deserialize_11_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) { - let r0 = (bytes[1] as i16 & 0x7) << 8 | bytes[0] as i16; - let r1 = (bytes[2] as i16 & 0x3F) << 5 | (bytes[1] as i16 >> 3); - let r2 = (bytes[4] as i16 & 0x1) << 10 | ((bytes[3] as i16) << 2) | ((bytes[2] as i16) >> 6); - let r3 = (bytes[5] as i16 & 0xF) << 7 | (bytes[4] as i16 >> 1); - let r4 = (bytes[6] as i16 & 0x7F) << 4 | (bytes[5] as i16 >> 4); - let r5 = (bytes[8] as i16 & 0x3) << 9 | ((bytes[7] as i16) << 1) | ((bytes[6] as i16) >> 7); - let r6 = (bytes[9] as i16 & 0x1F) << 6 | (bytes[8] as i16 >> 2); - let r7 = ((bytes[10] as i16) << 3) | (bytes[9] as i16 >> 5); + let r0 = ((bytes[1] as i16 & 0x7) << 8 | bytes[0] as i16) as i16; + let r1 = ((bytes[2] as i16 & 0x3F) << 5 | (bytes[1] as i16 >> 3)) as i16; + let r2 = 
((bytes[4] as i16 & 0x1) << 10 | ((bytes[3] as i16) << 2) | ((bytes[2] as i16) >> 6)) + as i16; + let r3 = ((bytes[5] as i16 & 0xF) << 7 | (bytes[4] as i16 >> 1)) as i16; + let r4 = ((bytes[6] as i16 & 0x7F) << 4 | (bytes[5] as i16 >> 4)) as i16; + let r5 = + ((bytes[8] as i16 & 0x3) << 9 | ((bytes[7] as i16) << 1) | ((bytes[6] as i16) >> 7)) as i16; + let r6 = ((bytes[9] as i16 & 0x1F) << 6 | (bytes[8] as i16 >> 2)) as i16; + let r7 = (((bytes[10] as i16) << 3) | (bytes[9] as i16 >> 5)) as i16; (r0, r1, r2, r3, r4, r5, r6, r7) } -// #[cfg_attr(hax, hax_lib::fstar::after(interface, " -// val deserialize_11_lemma (inputs: t_Array u8 (sz 22)) : Lemma -// (ensures bit_vec_of_int_t_array (${deserialize_11} inputs).f_elements 11 == bit_vec_of_int_t_array inputs 8) -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--z3rlimit 300\" - -// let deserialize_11_lemma inputs = -// deserialize_11_bit_vec_lemma inputs; -// BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_11} inputs).f_elements 11) -// (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -// #pop-options -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -// let deserialize_11_bit_vec_lemma (v: t_Array u8 (sz 22)) -// : squash ( -// let inputs = bit_vec_of_int_t_array v 8 in -// let outputs = bit_vec_of_int_t_array (${deserialize_11} v).f_elements 11 in -// (forall (i: nat {i < 176}). 
inputs i == outputs i) -// ) = -// _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -// #pop-options -// "))] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 22} -"#))] #[inline(always)] pub(crate) fn deserialize_11(bytes: &[u8]) -> PortableVector { let v0_7 = deserialize_11_int(&bytes[0..11]); let v8_15 = deserialize_11_int(&bytes[11..22]); - PortableVector { elements: [ - v0_7.0, - v0_7.1, - v0_7.2, - v0_7.3, - v0_7.4, - v0_7.5, - v0_7.6, - v0_7.7, - v8_15.0, - v8_15.1, - v8_15.2, - v8_15.3, - v8_15.4, - v8_15.5, - v8_15.6, - v8_15.7, - ] } + let mut v = zero(); + v.elements[0] = v0_7.0; + v.elements[1] = v0_7.1; + v.elements[2] = v0_7.2; + v.elements[3] = v0_7.3; + v.elements[4] = v0_7.4; + v.elements[5] = v0_7.5; + v.elements[6] = v0_7.6; + v.elements[7] = v0_7.7; + v.elements[8] = v8_15.0; + v.elements[9] = v8_15.1; + v.elements[10] = v8_15.2; + v.elements[11] = v8_15.3; + v.elements[12] = v8_15.4; + v.elements[13] = v8_15.5; + v.elements[14] = v8_15.6; + v.elements[15] = v8_15.7; + v } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 2} -"#))] pub(crate) fn serialize_12_int(v: &[i16]) -> (u8, u8, u8) { let r0 = (v[0] & 0xFF) as u8; let r1 = ((v[0] >> 8) | ((v[1] & 0x0F) << 4)) as u8; 
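Review bot: The `as i16` casts added around every `r0`–`r7` expression in `deserialize_11_int` are no-ops: each operand is already `bytes[n] as i16`, and `&`, `<<`, `>>`, `|` on `i16` yield `i16`, so the outer cast changes neither type nor value and will draw `clippy::unnecessary_cast`. If the casts are there for consistency with `deserialize_10_int` (which already carries them) or for the hax/F* extraction, a comment saying so would stop the next reader from stripping them; otherwise the old lines without the casts were the cleaner form. As in the earlier hunks, the removed `requires(bytes.len() == 11)` and `requires(bytes.len() == 22)` preconditions should be kept as doc comments on `deserialize_11_int` and `deserialize_11`.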
@@ -680,35 +342,6 @@ pub(crate) fn serialize_12_int(v: &[i16]) -> (u8, u8, u8) { (r0, r1, r2) } -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val serialize_12_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 12)) - (ensures bit_vec_of_int_t_array (${serialize_12} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 12) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let serialize_12_lemma inputs = - serialize_12_bit_vec_lemma inputs.f_elements (); - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_12} inputs) 8) - (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 12)) - -#pop-options -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let serialize_12_bit_vec_lemma (v: t_Array i16 (sz 16)) - (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 12)) - : squash ( - let inputs = bit_vec_of_int_t_array v 12 in - let outputs = bit_vec_of_int_t_array (${serialize_12} ({ f_elements = v })) 8 in - (forall (i: nat {i < 192}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] #[inline(always)] pub(crate) fn serialize_12(v: PortableVector) -> [u8; 24] { let r0_2 = serialize_12_int(&v.elements[0..2]); 
@@ -719,22 +352,35 @@ pub(crate) fn serialize_12(v: PortableVector) -> [u8; 24] { let r15_17 = serialize_12_int(&v.elements[10..12]); let r18_20 = serialize_12_int(&v.elements[12..14]); let r21_23 = serialize_12_int(&v.elements[14..16]); - [ - r0_2.0, r0_2.1, r0_2.2, - r3_5.0, r3_5.1, r3_5.2, - r6_8.0, r6_8.1, r6_8.2, - r9_11.0, r9_11.1, r9_11.2, - r12_14.0, r12_14.1, r12_14.2, - r15_17.0, r15_17.1, r15_17.2, - r18_20.0, r18_20.1, r18_20.2, - r21_23.0, r21_23.1, r21_23.2, - ] + let mut result = [0u8; 24]; + result[0] = r0_2.0; + result[1] = r0_2.1; + result[2] = r0_2.2; + result[3] = r3_5.0; + result[4] = r3_5.1; + result[5] = r3_5.2; + result[6] = r6_8.0; + result[7] = r6_8.1; + result[8] = r6_8.2; + result[9] = r9_11.0; + result[10] = r9_11.1; + result[11] = r9_11.2; + result[12] = r12_14.0; + result[13] = r12_14.1; + result[14] = r12_14.2; + result[15] = r15_17.0; + result[16] = r15_17.1; + result[17] = r15_17.2; + result[18] = r18_20.0; + result[19] = r18_20.1; + result[20] = r18_20.2; + result[21] = r21_23.0; + result[22] = r21_23.1; + result[23] = r21_23.2; + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 3} -"#))] pub(crate) fn deserialize_12_int(bytes: &[u8]) -> (i16, i16) { let byte0 = bytes[0] as i16; let byte1 = bytes[1] as i16; 
@@ -744,47 +390,6 @@ pub(crate) fn deserialize_12_int(bytes: &[u8]) -> (i16, i16) { (r0, r1) } -//deserialize_12_bounded_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_12_bounded_lemma (inputs: t_Array u8 (sz 24)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_12} inputs).f_elements i) 12) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -let deserialize_12_bounded_lemma inputs = - admit() -"))] -//deserialize_12_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma - (ensures bit_vec_of_int_t_array (${deserialize_12} inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let deserialize_12_lemma inputs = - deserialize_12_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_12} inputs).f_elements 12) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options -"))] -//deserialize_12_bit_vec_lemma -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let deserialize_12_bit_vec_lemma (v: t_Array u8 (sz 24)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (${deserialize_12} v).f_elements 12 in - (forall (i: nat {i < 192}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 24} -"#))] #[inline(always)] pub(crate) fn deserialize_12(bytes: &[u8]) -> PortableVector { let v0_1 = deserialize_12_int(&bytes[0..3]); 
@@ -795,22 +400,22 @@ pub(crate) fn deserialize_12(bytes: &[u8]) -> PortableVector { let v10_11 = deserialize_12_int(&bytes[15..18]); let v12_13 = deserialize_12_int(&bytes[18..21]); let v14_15 = deserialize_12_int(&bytes[21..24]); - PortableVector { elements: [ - v0_1.0, - v0_1.1, - v2_3.0, - v2_3.1, - v4_5.0, - v4_5.1, - v6_7.0, - v6_7.1, - v8_9.0, - v8_9.1, - v10_11.0, - v10_11.1, - v12_13.0, - v12_13.1, - v14_15.0, - v14_15.1, - ] } + let mut re = zero(); + re.elements[0] = v0_1.0; + re.elements[1] = v0_1.1; + re.elements[2] = v2_3.0; + re.elements[3] = v2_3.1; + re.elements[4] = v4_5.0; + re.elements[5] = v4_5.1; + re.elements[6] = v6_7.0; + re.elements[7] = v6_7.1; + re.elements[8] = v8_9.0; + re.elements[9] = v8_9.1; + re.elements[10] = v10_11.0; + re.elements[11] = v10_11.1; + re.elements[12] = v12_13.0; + re.elements[13] = v12_13.1; + re.elements[14] = v14_15.0; + re.elements[15] = v14_15.1; + re } diff --git a/libcrux-ml-kem/src/vector/portable/vector_type.rs b/libcrux-ml-kem/src/vector/portable/vector_type.rs index 94dde4e71..75b3b30c6 100644 --- a/libcrux-ml-kem/src/vector/portable/vector_type.rs +++ b/libcrux-ml-kem/src/vector/portable/vector_type.rs @@ -9,8 +9,8 @@ pub struct PortableVector { pub(crate) elements: [FieldElement; FIELD_ELEMENTS_IN_VECTOR], } +#[allow(non_snake_case)] #[inline(always)] -#[hax_lib::ensures(|result| fstar!("${result}.f_elements == Seq.create 16 0s"))] pub fn zero() -> PortableVector { PortableVector { elements: [0i16; FIELD_ELEMENTS_IN_VECTOR], 
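Review bot: `#[allow(non_snake_case)]` is added above `pub fn zero()` in vector_type.rs, but `zero` is already snake_case, so the attribute suppresses nothing there; the allow that matters is the one on `ZERO()` in the `Operations` trait, which the traits.rs hunk keeps. It reads as a copy-paste remnant and suggests to a reader that the name is non-conforming; drop the line so the function keeps only `#[inline(always)]` above `pub fn zero() -> PortableVector {`. The body of zero() runs past the end of this hunk.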
@@ -18,16 +18,13 @@ pub fn zero() -> PortableVector { } #[inline(always)] -#[hax_lib::ensures(|result| fstar!("${result} == ${x}.f_elements"))] -pub fn to_i16_array(x: PortableVector) -> [i16; 16] { - x.elements -} - -#[inline(always)] -#[hax_lib::requires(array.len() == 16)] -#[hax_lib::ensures(|result| fstar!("${result}.f_elements == $array"))] pub fn from_i16_array(array: &[i16]) -> PortableVector { PortableVector { elements: array[0..16].try_into().unwrap(), } } + +#[inline(always)] +pub fn to_i16_array(x: PortableVector) -> [i16; 16] { + x.elements +} diff --git a/libcrux-ml-kem/src/vector/traits.rs b/libcrux-ml-kem/src/vector/traits.rs index 208e58b51..48c77ca6d 100644 --- a/libcrux-ml-kem/src/vector/traits.rs +++ b/libcrux-ml-kem/src/vector/traits.rs 
@@ -2,259 +2,84 @@ pub const MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS: i16 = 1353; pub const FIELD_MODULUS: i16 = 3329; pub const FIELD_ELEMENTS_IN_VECTOR: usize = 16; pub const INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u32 = 62209; // FIELD_MODULUS^{-1} mod MONTGOMERY_R -pub const BARRETT_SHIFT: i32 = 26; -pub const BARRETT_R: i32 = 1 << BARRETT_SHIFT; -#[cfg(hax)] -#[hax_lib::attributes] -pub trait Repr: Copy + Clone { - #[requires(true)] - fn repr(x: Self) -> [i16; 16]; -} - -#[cfg(hax)] -#[hax_lib::attributes] -pub trait Operations: Copy + Clone + Repr { +pub trait Operations: Copy + Clone { #[allow(non_snake_case)] - #[requires(true)] - #[ensures(|result| fstar!("f_repr $result == Seq.create 16 0s"))] fn ZERO() -> Self; - - #[requires(array.len() == 16)] - #[ensures(|result| fstar!("f_repr $result == $array"))] + fn from_i16_array(array: &[i16]) -> Self; - - #[requires(true)] - #[ensures(|result| fstar!("f_repr $x == $result"))] fn to_i16_array(x: Self) -> [i16; 16]; // Basic arithmetic - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${lhs}) i) + v (Seq.index (f_repr ${rhs}) i))"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index (f_repr ${result}) i) == - v (Seq.index (f_repr ${lhs}) i) + v (Seq.index (f_repr ${rhs}) i))"))] fn add(lhs: Self, rhs: &Self) -> Self; - - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${lhs}) i) - v (Seq.index (f_repr ${rhs}) i))"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index (f_repr ${result}) i) == - v (Seq.index (f_repr ${lhs}) i) - v (Seq.index (f_repr ${rhs}) i))"))] fn sub(lhs: Self, rhs: &Self) -> Self; - - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${vec}) i) * v c)"))] - #[ensures(|result| fstar!("forall i. 
i < 16 ==> - (v (Seq.index (f_repr ${result}) i) == - v (Seq.index (f_repr ${vec}) i) * v c)"))] - fn multiply_by_constant(vec: Self, c: i16) -> Self; + fn multiply_by_constant(v: Self, c: i16) -> Self; // Bitwise operations - #[requires(true)] - #[ensures(|result| fstar!("f_repr $result == Spec.Utils.map_array (fun x -> x &. c) (f_repr $v)"))] fn bitwise_and_with_constant(v: Self, c: i16) -> Self; - - #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] - #[ensures(|result| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> f_repr $result == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (f_repr $v)"))] fn shift_right(v: Self) -> Self; // fn shift_left(v: Self) -> Self; // Modular operations - #[requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (f_repr $v)"))] - #[ensures(|result| fstar!("f_repr $result == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (f_repr $v)"))] fn cond_subtract_3329(v: Self) -> Self; - - #[requires(fstar!("Spec.Utils.is_i16b_array 28296 (f_repr $vector)"))] - fn barrett_reduce(vector: Self) -> Self; - - #[requires(fstar!("Spec.Utils.is_i16b 1664 c"))] + fn barrett_reduce(v: Self) -> Self; fn montgomery_multiply_by_constant(v: Self, c: i16) -> Self; // Compression - #[requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\\ - v (Seq.index (f_repr $a) i) < 3329"))] - #[ensures(|result| fstar!("forall (i:nat). i < 16 ==> bounded (Seq.index (f_repr $result) i) 1"))] - fn compress_1(a: Self) -> Self; - #[requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/ - v $COEFFICIENT_BITS == 5 \\/ - v $COEFFICIENT_BITS == 10 \\/ - v $COEFFICIENT_BITS == 11) /\\ - (forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\\ - v (Seq.index (f_repr $a) i) < 3329)"))] - #[ensures(|result| fstar!("(v $COEFFICIENT_BITS == 4 \\/ - v $COEFFICIENT_BITS == 5 \\/ - v $COEFFICIENT_BITS == 10 \\/ - v $COEFFICIENT_BITS == 11) ==> - (forall (i:nat). 
i < 16 ==> bounded (Seq.index (f_repr $result) i) (v $COEFFICIENT_BITS))"))] - fn compress(a: Self) -> Self; - #[requires(COEFFICIENT_BITS == 4 || COEFFICIENT_BITS == 5 || - COEFFICIENT_BITS == 10 || COEFFICIENT_BITS == 11)] + fn compress_1(v: Self) -> Self; + fn compress(v: Self) -> Self; fn decompress_ciphertext_coefficient(v: Self) -> Self; // NTT - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (11207+5*3328) (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (f_repr $out)"))] fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array (11207+4*3328) (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (f_repr $out)"))] fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array (11207+3*3328) (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (f_repr $out)"))] fn ntt_layer_3_step(a: Self, zeta: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (4 * 3328) (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))] fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array 3328 (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))] fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta/\\ - 
Spec.Utils.is_i16b_array 3328 (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))] fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array 3328 (f_repr ${lhs}) /\\ - Spec.Utils.is_i16b_array 3328 (f_repr ${rhs}) "))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))] fn ntt_multiply(lhs: &Self, rhs: &Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; // Serialization and deserialization - #[requires(fstar!("Spec.MLKEM.serialize_pre 1 (f_repr $a)"))] - #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 1 (f_repr $a) ==> Spec.MLKEM.serialize_post 1 (f_repr $a) $result"))] fn serialize_1(a: Self) -> [u8; 2]; - #[requires(a.len() == 2)] - #[ensures(|result| fstar!("sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (f_repr $result)"))] fn deserialize_1(a: &[u8]) -> Self; - #[requires(fstar!("Spec.MLKEM.serialize_pre 4 (f_repr $a)"))] - #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 4 (f_repr $a) ==> Spec.MLKEM.serialize_post 4 (f_repr $a) $result"))] fn serialize_4(a: Self) -> [u8; 8]; - #[requires(a.len() == 8)] - #[ensures(|result| fstar!("sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (f_repr $result)"))] fn deserialize_4(a: &[u8]) -> Self; fn serialize_5(a: Self) -> [u8; 10]; - #[requires(a.len() == 10)] fn deserialize_5(a: &[u8]) -> Self; - #[requires(fstar!("Spec.MLKEM.serialize_pre 10 (f_repr $a)"))] - #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 10 (f_repr $a) ==> Spec.MLKEM.serialize_post 10 (f_repr $a) $result"))] fn serialize_10(a: Self) -> [u8; 20]; - #[requires(a.len() == 20)] - #[ensures(|result| fstar!("sz (Seq.length $a) =. 
sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (f_repr $result)"))] fn deserialize_10(a: &[u8]) -> Self; fn serialize_11(a: Self) -> [u8; 22]; - #[requires(a.len() == 22)] fn deserialize_11(a: &[u8]) -> Self; - #[requires(fstar!("Spec.MLKEM.serialize_pre 12 (f_repr $a)"))] - #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 12 (f_repr $a) ==> Spec.MLKEM.serialize_post 12 (f_repr $a) $result"))] fn serialize_12(a: Self) -> [u8; 24]; - #[requires(a.len() == 24)] - #[ensures(|result| fstar!("sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (f_repr $result)"))] fn deserialize_12(a: &[u8]) -> Self; - #[requires(a.len() == 24 && out.len() == 16)] - #[ensures(|result| - fstar!("Seq.length $out_future == Seq.length $out /\\ v $result <= 16") - )] - fn rej_sample(a: &[u8], out: &mut [i16]) -> usize; -} - -#[cfg(not(hax))] -pub trait Operations: Copy + Clone { - #[allow(non_snake_case)] - fn ZERO() -> Self; - fn from_i16_array(array: &[i16]) -> Self; - fn to_i16_array(x: Self) -> [i16; 16]; - fn add(lhs: Self, rhs: &Self) -> Self; - fn sub(lhs: Self, rhs: &Self) -> Self; - fn multiply_by_constant(v: Self, c: i16) -> Self; - fn bitwise_and_with_constant(v: Self, c: i16) -> Self; - fn shift_right(v: Self) -> Self; - fn cond_subtract_3329(v: Self) -> Self; - fn barrett_reduce(vector: Self) -> Self; - fn montgomery_multiply_by_constant(v: Self, c: i16) -> Self; - fn compress_1(v: Self) -> Self; - fn compress(v: Self) -> Self; - fn decompress_ciphertext_coefficient(v: Self) -> Self; - fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; - fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self; - fn ntt_layer_3_step(a: Self, zeta: i16) -> Self; - fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; - fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self; - fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self; - fn ntt_multiply(lhs: &Self, rhs: &Self, zeta0: i16, zeta1: i16, zeta2: 
i16, zeta3: i16) - -> Self; - fn serialize_1(a: Self) -> [u8; 2]; - fn deserialize_1(a: &[u8]) -> Self; - fn serialize_4(a: Self) -> [u8; 8]; - fn deserialize_4(a: &[u8]) -> Self; - fn serialize_5(a: Self) -> [u8; 10]; - fn deserialize_5(a: &[u8]) -> Self; - fn serialize_10(a: Self) -> [u8; 20]; - fn deserialize_10(a: &[u8]) -> Self; - fn serialize_11(a: Self) -> [u8; 22]; - fn deserialize_11(a: &[u8]) -> Self; - fn serialize_12(a: Self) -> [u8; 24]; - fn deserialize_12(a: &[u8]) -> Self; fn rej_sample(a: &[u8], out: &mut [i16]) -> usize; } // hax does not support trait with default implementations, so we use the following pattern -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 $fer"))] #[inline(always)] pub fn montgomery_multiply_fe(v: T, fer: i16) -> T { T::montgomery_multiply_by_constant(v, fer) } - #[inline(always)] pub fn to_standard_domain(v: T) -> T { T::montgomery_multiply_by_constant(v, MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS as i16) } - -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 3328 (i1._super_8706949974463268012.f_repr a)"))] -#[hax_lib::ensures(|result| fstar!("forall i. - (let x = Seq.index (i1._super_8706949974463268012.f_repr ${a}) i in - let y = Seq.index (i1._super_8706949974463268012.f_repr ${result}) i in - (v y >= 0 /\\ v y <= 3328 /\\ (v y % 3329 == v x % 3329)))"))] #[inline(always)] pub fn to_unsigned_representative(a: T) -> T { let t = T::shift_right::<15>(a); let fm = T::bitwise_and_with_constant(t, FIELD_MODULUS); T::add(a, &fm) } - -#[hax_lib::fstar::options("--z3rlimit 200 --split_queries always")] -#[hax_lib::requires(fstar!("forall i. let x = Seq.index (i1._super_8706949974463268012.f_repr ${vec}) i in - (x == 0s \\/ x == 1s)"))] #[inline(always)] -pub fn decompress_1(vec: T) -> T { - let z = T::ZERO(); - hax_lib::fstar!("assert(forall i. Seq.index (i1._super_8706949974463268012.f_repr ${z}) i == 0s)"); - hax_lib::fstar!("assert(forall i. 
let x = Seq.index (i1._super_8706949974463268012.f_repr ${vec}) i in - ((0 - v x) == 0 \\/ (0 - v x) == -1))"); - hax_lib::fstar!("assert(forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (0 - v (Seq.index (i1._super_8706949974463268012.f_repr ${vec}) i)))"); - - let s = T::sub(z, &vec); - hax_lib::fstar!("assert(forall i. Seq.index (i1._super_8706949974463268012.f_repr ${s}) i == 0s \\/ - Seq.index (i1._super_8706949974463268012.f_repr ${s}) i == -1s)"); - hax_lib::fstar!("assert (i1.f_bitwise_and_with_constant_pre ${s} 1665s)"); - let res = T::bitwise_and_with_constant(s, 1665); - res +pub fn decompress_1(v: T) -> T { + T::bitwise_and_with_constant(T::sub(T::ZERO(), &v), 1665) } From 5cf60727109a95cd8fd006cd450b1c353d80424b Mon Sep 17 00:00:00 2001 
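Review bot: The merged `Operations` trait no longer states the coefficient bounds that the removed `#[requires]` contracts encoded — `barrett_reduce` assumed inputs bounded by 28296 (the removed `is_i16b_array 28296`), `montgomery_multiply_by_constant` and the NTT steps assumed constants and zetas bounded by 1664, `cond_subtract_3329` assumed coefficients below `pow2 12`, and `decompress_1` assumed entries that are `0s` or `1s` — and those bounds are what keep the i16 arithmetic in implementations from overflowing. With the `#[cfg(hax)]` version gone and the `#[cfg(not(hax))]` duplicate deleted, only method names remain to tell an implementor or caller what each method accepts. Carry the bounds over as `///` doc comments on the affected methods, e.g. `/// Requires every coefficient to be bounded by 28296 (Barrett input bound).` on `barrett_reduce`, so they stay readable while they are no longer machine-checked. Separately, `BARRETT_SHIFT` and `BARRETT_R` are deleted from the public constants, which is only safe if no vector implementation still references them; this diff does not show that. The trait starts at the top of this hunk and closes after `rej_sample`.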
From: Karthikeyan Bhargavan Date: Tue, 29 Oct 2024 20:10:48 +0100 Subject: [PATCH 20/74] cleanup --- .github/workflows/mlkem.yml | 5 - Cargo.lock | 2 +- fstar-helpers/Makefile.base | 14 - fstar-helpers/Makefile.generic | 271 -- fstar-helpers/README.md | 5 - .../fstar-bitvec/BitVec.Equality.fst | 48 - .../fstar-bitvec/BitVec.Equality.fsti | 17 - .../BitVec.Intrinsics.Constants.fst | 264 -- .../BitVec.Intrinsics.TestShuffle.fst | 203 -- .../fstar-bitvec/BitVec.Intrinsics.fsti | 425 --- fstar-helpers/fstar-bitvec/BitVec.Utils.fst | 67 - fstar-helpers/fstar-bitvec/BitVecEq.fst | 12 - fstar-helpers/fstar-bitvec/BitVecEq.fsti | 293 --- fstar-helpers/fstar-bitvec/Makefile | 1 - fstar-helpers/fstar-bitvec/MkSeq.fst | 59 - fstar-helpers/fstar-bitvec/RwLemmas.fst | 71 - fstar-helpers/fstar-bitvec/Tactics.Folds.fst | 82 - fstar-helpers/fstar-bitvec/Tactics.GetBit.fst | 66 - .../fstar-bitvec/Tactics.MachineInts.fst | 273 -- fstar-helpers/fstar-bitvec/Tactics.Pow2.fst | 58 - fstar-helpers/fstar-bitvec/Tactics.Seq.fst | 123 - fstar-helpers/fstar-bitvec/Tactics.Utils.fst | 328 --- fstar-helpers/fstar-bitvec/dep.graph | 2316 ----------------- libcrux-sha3/Cargo.toml | 2 +- libcrux-sha3/src/generic_keccak.rs | 2 +- proofs/fstar/extraction-edited/Makefile | 151 +- .../extraction-secret-independent/Makefile | 135 +- proofs/fstar/extraction/Makefile | 128 +- .../extraction/Libcrux_platform.Platform.fsti | 2 +- .../extraction/Libcrux_platform.X86.fsti | 2 +- sys/pqclean/src/bindings.rs | 2 +- 31 files changed, 417 insertions(+), 5010 deletions(-) delete mode 100644 fstar-helpers/Makefile.base delete mode 100644 fstar-helpers/Makefile.generic delete mode 100644 fstar-helpers/README.md delete mode 100644 fstar-helpers/fstar-bitvec/BitVec.Equality.fst delete mode 100644 fstar-helpers/fstar-bitvec/BitVec.Equality.fsti delete mode 100644 fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst delete mode 100644 fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst delete mode 
100644 fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti delete mode 100644 fstar-helpers/fstar-bitvec/BitVec.Utils.fst delete mode 100644 fstar-helpers/fstar-bitvec/BitVecEq.fst delete mode 100644 fstar-helpers/fstar-bitvec/BitVecEq.fsti delete mode 100644 fstar-helpers/fstar-bitvec/Makefile delete mode 100644 fstar-helpers/fstar-bitvec/MkSeq.fst delete mode 100644 fstar-helpers/fstar-bitvec/RwLemmas.fst delete mode 100644 fstar-helpers/fstar-bitvec/Tactics.Folds.fst delete mode 100644 fstar-helpers/fstar-bitvec/Tactics.GetBit.fst delete mode 100644 fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst delete mode 100644 fstar-helpers/fstar-bitvec/Tactics.Pow2.fst delete mode 100644 fstar-helpers/fstar-bitvec/Tactics.Seq.fst delete mode 100644 fstar-helpers/fstar-bitvec/Tactics.Utils.fst delete mode 100644 fstar-helpers/fstar-bitvec/dep.graph diff --git a/.github/workflows/mlkem.yml b/.github/workflows/mlkem.yml index 575339c5d..aa1767182 100644 --- a/.github/workflows/mlkem.yml +++ b/.github/workflows/mlkem.yml @@ -87,11 +87,6 @@ jobs: rustc --print=cfg cargo build --verbose $RUST_TARGET_FLAG --features pre-verification - - name: 🔨 Build unpacked - run: | - rustc --print=cfg - cargo build --verbose $RUST_TARGET_FLAG --features pre-verification,unpacked - - name: 🔨 Build Release run: cargo build --verbose --release $RUST_TARGET_FLAG --features pre-verification diff --git a/Cargo.lock b/Cargo.lock index 9c1fcd717..dc42f03bd 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1089,7 +1089,7 @@ version = "0.0.2-beta.2" dependencies = [ "cavp", "criterion", - "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions)", + "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "hex", "libcrux-intrinsics", "libcrux-platform", diff --git a/fstar-helpers/Makefile.base b/fstar-helpers/Makefile.base deleted file mode 100644 index b4e0d962b..000000000 --- a/fstar-helpers/Makefile.base +++ /dev/null 
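Review bot: Removing the "Build unpacked" step leaves no CI job that compiles with the `unpacked` feature enabled; if that feature still exists in libcrux-ml-kem's Cargo.toml (not part of this diff), the code behind it now builds nowhere in CI and can break silently. If the feature was dropped elsewhere in this series, saying so in the commit message would make the removal self-explanatory; otherwise keep coverage by extending the remaining step to `cargo build --verbose $RUST_TARGET_FLAG --features pre-verification,unpacked`. The Cargo.lock hunk alongside is a lockfile source update and needs no action.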
@@ -1,14 +0,0 @@ -# Base Makefile for F* in libcrux. -# This inherits from Makefile.generic, and adds the `specs` folder from HACL and the `libcrux-ml-kem/proofs/fstar/spec` folder. - -VERIFY_SLOW_MODULES ?= no -ifeq (${VERIFY_SLOW_MODULES},no) - ADMIT_MODULES += ${SLOW_MODULES} -endif - -EXTRA_HELPMESSAGE += printf "Libcrux specifics:\n"; -EXTRA_HELPMESSAGE += target SLOW_MODULES 'a list of modules to verify fully only when `VERIFY_SLOW_MODULES` is set to `yes`. When `VERIFY_SLOW_MODULES`, those modules are admitted.'; -EXTRA_HELPMESSAGE += target VERIFY_SLOW_MODULES '`yes` or `no`, defaults to `no`'; - -FSTAR_INCLUDE_DIRS_EXTRA += $(HACL_HOME)/specs $(shell git rev-parse --show-toplevel)/libcrux-ml-kem/proofs/fstar/spec $(shell git rev-parse --show-toplevel)/fstar-helpers/fstar-bitvec -include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.generic diff --git a/fstar-helpers/Makefile.generic b/fstar-helpers/Makefile.generic deleted file mode 100644 index a7264458b..000000000 --- a/fstar-helpers/Makefile.generic +++ /dev/null 
@@ -1,271 +0,0 @@ -# This is a generically useful Makefile for F* that is self-contained -# -# We expect: -# 1. `fstar.exe` to be in PATH (alternatively, you can also set -# $FSTAR_HOME to be set to your F* repo/install directory) -# -# 2. `cargo`, `rustup`, `hax` and `jq` to be installed and in PATH. -# -# 3. the extracted Cargo crate to have "hax-lib" as a dependency: -# `hax-lib = { version = "0.1.0-pre.1", git = "https://github.com/hacspec/hax"}` -# -# Optionally, you can set `HACL_HOME`. -# -# ROOTS contains all the top-level F* files you wish to verify -# The default target `verify` verified ROOTS and its dependencies -# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line -# -# To make F* emacs mode use the settings in this file, you need to -# add the following lines to your .emacs -# -# (setq-default fstar-executable "/bin/fstar.exe") -# (setq-default fstar-smt-executable "/bin/z3") -# -# (defun my-fstar-compute-prover-args-using-make () -# "Construct arguments to pass to F* by calling make." 
-# (with-demoted-errors "Error when constructing arg string: %S" -# (let* ((fname (file-name-nondirectory buffer-file-name)) -# (target (concat fname "-in")) -# (argstr (car (process-lines "make" "--quiet" target)))) -# (split-string argstr)))) -# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) -# - -PATH_TO_CHILD_MAKEFILE := "$(abspath $(firstword $(MAKEFILE_LIST)))" -PATH_TO_TEMPLATE_MAKEFILE := "$(abspath $(lastword $(MAKEFILE_LIST)))" - -HACL_HOME ?= $(HOME)/.hax/hacl_home -# Expand variable FSTAR_BIN_DETECT now, so that we don't run this over and over - -FSTAR_BIN_DETECT := $(if $(shell command -v fstar.exe), fstar.exe, $(FSTAR_HOME)/bin/fstar.exe) -FSTAR_BIN ?= $(FSTAR_BIN_DETECT) - -GIT_ROOT_DIR := $(shell git rev-parse --show-toplevel)/ -CACHE_DIR ?= ${GIT_ROOT_DIR}.fstar-cache/checked -HINT_DIR ?= ${GIT_ROOT_DIR}.fstar-cache/hints - -# Makes command quiet by default -Q ?= @ - -# Verify the required executable are in PATH -EXECUTABLES = cargo cargo-hax jq -K := $(foreach exec,$(EXECUTABLES),\ - $(if $(shell which $(exec)),some string,$(error "No $(exec) in PATH"))) - -export ANSI_COLOR_BLUE=\033[34m -export ANSI_COLOR_RED=\033[31m -export ANSI_COLOR_BBLUE=\033[1;34m -export ANSI_COLOR_GRAY=\033[90m -export ANSI_COLOR_TONE=\033[35m -export ANSI_COLOR_RESET=\033[0m - -ifdef NO_COLOR -export ANSI_COLOR_BLUE= -export ANSI_COLOR_RED= -export ANSI_COLOR_BBLUE= -export ANSI_COLOR_GRAY= -export ANSI_COLOR_TONE= -export ANSI_COLOR_RESET= -endif - -# The following is a bash script that discovers F* libraries. -# Due to incompatibilities with make 4.3, I had to make a "oneliner" bash script... -define FINDLIBS - : "Prints a path if and only if it exists. Takes one argument: the path."; \ - function print_if_exists() { \ - if [ -d "$$1" ]; then \ - echo "$$1"; \ - fi; \ - } ; \ - : "Asks Cargo all the dependencies for the current crate or workspace,"; \ - : "and extract all "root" directories for each. 
Takes zero argument."; \ - function dependencies() { \ - cargo metadata --format-version 1 | \ - jq -r ".packages | .[] | .manifest_path | split(\"/\") | .[:-1] | join(\"/\")"; \ - } ; \ - : "Find hax libraries *around* a given path. Takes one argument: the"; \ - : "path."; \ - function find_hax_libraries_at_path() { \ - path="$$1" ; \ - : "if there is a [proofs/fstar/extraction] subfolder, then that s a F* library" ; \ - print_if_exists "$$path/proofs/fstar/extraction" ; \ - : "Maybe the [proof-libs] folder of hax is around?" ; \ - MAYBE_PROOF_LIBS=$$(realpath -q "$$path/../proof-libs/fstar") ; \ - if [ $$? -eq 0 ]; then \ - print_if_exists "$$MAYBE_PROOF_LIBS/core" ; \ - print_if_exists "$$MAYBE_PROOF_LIBS/rust_primitives" ; \ - fi ; \ - } ; \ - { while IFS= read path; do \ - find_hax_libraries_at_path "$$path"; \ - done < <(dependencies) ; } | sort -u -endef -export FINDLIBS - -FSTAR_INCLUDE_DIRS_EXTRA ?= -FINDLIBS_OUTPUT := $(shell bash -c '${FINDLIBS}') -FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(FSTAR_INCLUDE_DIRS_EXTRA) $(FINDLIBS_OUTPUT) - -# Make sure FSTAR_INCLUDE_DIRS has the `proof-libs`, print hints and -# an error message otherwise -ifneq (,$(findstring proof-libs/fstar,$(FSTAR_INCLUDE_DIRS))) -else - K += $(info ) - ERROR := $(shell printf '${ANSI_COLOR_RED}Error: could not detect `proof-libs`!${ANSI_COLOR_RESET}') - K += $(info ${ERROR}) - ERROR := $(shell printf ' > Do you have `${ANSI_COLOR_BLUE}hax-lib${ANSI_COLOR_RESET}` in your `${ANSI_COLOR_BLUE}Cargo.toml${ANSI_COLOR_RESET}` as a ${ANSI_COLOR_BLUE}git${ANSI_COLOR_RESET} or ${ANSI_COLOR_BLUE}path${ANSI_COLOR_RESET} dependency?') - K += $(info ${ERROR}) - ERROR := $(shell printf ' ${ANSI_COLOR_BLUE}> Tip: you may want to run `cargo add --git https://github.com/hacspec/hax hax-lib`${ANSI_COLOR_RESET}') - K += $(info ${ERROR}) - K += $(info ) - K += $(error Fatal error: `proof-libs` is required.) 
-endif - -.PHONY: all verify clean - -all: - $(Q)rm -f .depend - $(Q)$(MAKE) .depend hax.fst.config.json verify - -all-keep-going: - $(Q)rm -f .depend - $(Q)$(MAKE) --keep-going .depend hax.fst.config.json verify - -# If $HACL_HOME doesn't exist, clone it -${HACL_HOME}: - $(Q)mkdir -p "${HACL_HOME}" - $(info Clonning Hacl* in ${HACL_HOME}...) - git clone --depth 1 https://github.com/hacl-star/hacl-star.git "${HACL_HOME}" - $(info Clonning Hacl* in ${HACL_HOME}... done!) - -# If no any F* file is detected, we run hax -ifeq "$(wildcard *.fst *fsti)" "" -$(shell cargo hax into fstar) -endif - -# By default, we process all the files in the current directory -ROOTS ?= $(wildcard *.fst *fsti) -ADMIT_MODULES ?= - -ADMIT_MODULE_FLAGS ?= --admit_smt_queries true - -# Can be useful for debugging purposes -FINDLIBS.sh: - $(Q)echo '${FINDLIBS}' > FINDLIBS.sh -include-dirs: - $(Q)bash -c '${FINDLIBS}' - -FSTAR_FLAGS = \ - --warn_error -321-331-241-274-239-271 \ - --cache_checked_modules --cache_dir $(CACHE_DIR) \ - --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ - $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) - -FSTAR := $(FSTAR_BIN) $(FSTAR_FLAGS) - -.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) $(HACL_HOME) - @$(FSTAR) --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ - -include .depend - -$(HINT_DIR) $(CACHE_DIR): - $(Q)mkdir -p $@ - -define HELPMESSAGE -echo "hax' default Makefile for F*" -echo "" -echo "The available targets are:" -echo "" -function target() { - printf ' ${ANSI_COLOR_BLUE}%-20b${ANSI_COLOR_RESET} %s\n' "$$1" "$$2" -} -target "all" "Verify every F* files (stops whenever an F* fails first)" -target "all-keep-going" "Verify every F* files (tries as many F* module as possible)" -target "" "" -target "run/${ANSI_COLOR_TONE} " 'Runs F* on `MyModule.fst` only' -target "" "" -target "vscode" 'Generates a `hax.fst.config.json` file' -target "${ANSI_COLOR_TONE}${ANSI_COLOR_BLUE}-in " 'Useful for Emacs, outputs the F* prefix command to be 
used' -target "" "" -target "clean" 'Cleanup the target' -target "include-dirs" 'List the F* include directories' -target "" "" -target "describe" 'List the F* root modules, and describe the environment.' -echo "" -echo "Variables:" -target "NO_COLOR" "Set to anything to disable colors" -target "ADMIT_MODULES" "List of modules where F* will assume every SMT query" -target "FSTAR_INCLUDE_DIRS_EXTRA" "List of extra include F* dirs" -${EXTRA_HELPMESSAGE} -endef -export HELPMESSAGE - -describe: - @printf '${ANSI_COLOR_BBLUE}F* roots:${ANSI_COLOR_RESET}\n' - @for root in ${ROOTS}; do \ - filename=$$(basename -- "$$root") ;\ - ext="$${filename##*.}" ;\ - noext="$${filename%.*}" ;\ - printf "${ANSI_COLOR_GRAY}$$(dirname -- "$$root")/${ANSI_COLOR_RESET}%s${ANSI_COLOR_GRAY}.${ANSI_COLOR_TONE}%s${ANSI_COLOR_RESET}%b\n" "$$noext" "$$ext" $$([[ "${ADMIT_MODULES}" =~ (^| )$$root($$| ) ]] && echo '${ANSI_COLOR_RED}\t[ADMITTED]${ANSI_COLOR_RESET}'); \ - done - @printf '\n${ANSI_COLOR_BBLUE}Environment:${ANSI_COLOR_RESET}\n' - @printf ' - ${ANSI_COLOR_BLUE}HACL_HOME${ANSI_COLOR_RESET} = %s\n' '${HACL_HOME}' - @printf ' - ${ANSI_COLOR_BLUE}FSTAR_BIN${ANSI_COLOR_RESET} = %s\n' '${FSTAR_BIN}' - @printf ' - ${ANSI_COLOR_BLUE}GIT_ROOT_DIR${ANSI_COLOR_RESET} = %s\n' '${GIT_ROOT_DIR}' - @printf ' - ${ANSI_COLOR_BLUE}CACHE_DIR${ANSI_COLOR_RESET} = %s\n' '${CACHE_DIR}' - @printf ' - ${ANSI_COLOR_BLUE}HINT_DIR${ANSI_COLOR_RESET} = %s\n' '${HINT_DIR}' - @printf ' - ${ANSI_COLOR_BLUE}ADMIT_MODULE_FLAGS${ANSI_COLOR_RESET} = %s\n' '${ADMIT_MODULE_FLAGS}' - @printf ' - ${ANSI_COLOR_BLUE}FSTAR_INCLUDE_DIRS_EXTRA${ANSI_COLOR_RESET} = %s\n' '${FSTAR_INCLUDE_DIRS_EXTRA}' - -help: ;@bash -c "$$HELPMESSAGE" -h: ;@bash -c "$$HELPMESSAGE" - -HEADER = $(Q)printf '${ANSI_COLOR_BBLUE}[CHECK] %s ${ANSI_COLOR_RESET}\n' "$(basename $(notdir $@))" - -run/%: | .depend $(HINT_DIR) $(CACHE_DIR) $(HACL_HOME) - ${HEADER} - $(Q)$(FSTAR) $(OTHERFLAGS) $(@:run/%=%) - -VERIFIED_CHECKED = $(addsuffix .checked, 
$(addprefix $(CACHE_DIR)/,$(ROOTS))) -ADMIT_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(ADMIT_MODULES))) - -$(ADMIT_CHECKED): - $(Q)printf '${ANSI_COLOR_BBLUE}[${ANSI_COLOR_TONE}ADMIT${ANSI_COLOR_BBLUE}] %s ${ANSI_COLOR_RESET}\n' "$(basename $(notdir $@))" - $(Q)$(FSTAR) $(OTHERFLAGS) $(ADMIT_MODULE_FLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints || { \ - echo "" ; \ - exit 1 ; \ - } - $(Q)printf "\n\n" - -$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) $(HACL_HOME) - ${HEADER} - $(Q)$(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints || { \ - echo "" ; \ - exit 1 ; \ - } - touch $@ - $(Q)printf "\n\n" - -verify: $(VERIFIED_CHECKED) $(ADMIT_CHECKED) - -# Targets for Emacs -%.fst-in: - $(info $(FSTAR_FLAGS) $(OTHERFLAGS) \ - $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) -%.fsti-in: - $(info $(FSTAR_FLAGS) $(OTHERFLAGS) \ - $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) - -# Targets for VSCode -hax.fst.config.json: .depend - $(Q)echo "$(FSTAR_INCLUDE_DIRS)" | jq --arg fstar "$(FSTAR_BIN)" -R 'split(" ") | {fstar_exe: $$fstar | gsub("^\\s+|\\s+$$";""), include_dirs: .}' > $@ -vscode: - $(Q)rm -f .depend - $(Q)$(MAKE) hax.fst.config.json - -SHELL=bash - -# Clean target -clean: - rm -rf $(CACHE_DIR)/* - rm *.fst diff --git a/fstar-helpers/README.md b/fstar-helpers/README.md deleted file mode 100644 index 122ed5b03..000000000 --- a/fstar-helpers/README.md +++ /dev/null @@ -1,5 +0,0 @@ -This folder provides F* helpers: - - - `Makefile.generic` is the generic hax Makefile, available here: https://gist.github.com/W95Psp/4c304132a1f85c5af4e4959dd6b356c3. `Makefile.generic` is not supposed to be edited. - - `Makefile.base` is the base file that adds a couple of include folders that are useful generally in the scope of libcrux verification with F*. - - `fstar-bitvec` F* modules related to bitvectors. 
diff --git a/fstar-helpers/fstar-bitvec/BitVec.Equality.fst b/fstar-helpers/fstar-bitvec/BitVec.Equality.fst deleted file mode 100644 index 5e21832c7..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Equality.fst +++ /dev/null @@ -1,48 +0,0 @@ -module BitVec.Equality - -open Core -open Rust_primitives -open FStar.Mul -open FStar.FunctionalExtensionality - -private let mk_bv #len (f: (i:nat{i < len}) -> bit) = on (i:nat {i < len}) f - -let rec bv_equality'' #n (bv1 bv2: bit_vec n) - : r: bool {r <==> feq bv1 bv2} - = if n = 0 then true - else let n' = n - 1 in - if bv1 n' = bv2 n' - then - ( - let bv1' = mk_bv (fun i -> bv1 i) in - let bv2' = mk_bv (fun i -> bv2 i) in - if bv_equality'' #n' bv1' bv2' - then ( - assert (forall (x: nat{x < n'}). bv1' x == bv1 x); - assert (forall (x: nat{x < n'}). bv2' x == bv2 x); - true - ) - else false - ) - else false - -let bv_equality' #n (bv1 bv2: bit_vec n) - : r: bool {r <==> bv1 == bv2} - = extensionality _ _ bv1 bv2; - bv_equality'' bv1 bv2 - - -let bv_equality #n (bv1 bv2: bit_vec n) = bv_equality' bv1 bv2 - -let bv_equality_elim #n (bv1 bv2: bit_vec n) - : Lemma (requires bv_equality bv1 bv2) - (ensures bv1 == bv2) - = () -let bv_equality_intro #n (bv1 bv2: bit_vec n) - : Lemma (requires bv1 == bv2) - (ensures bv_equality bv1 bv2) - = () - -let rewrite n (bv1: bit_vec n) - : Lemma (bv_equality #n bv1 bv1 == true) - = () diff --git a/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti b/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti deleted file mode 100644 index 5340903b4..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti +++ /dev/null 
@@ -1,17 +0,0 @@ -module BitVec.Equality - -open Core -open Rust_primitives -open FStar.Mul -open FStar.FunctionalExtensionality - -val bv_equality #n (bv1 bv2: bit_vec n): bool -val bv_equality_elim #n (bv1 bv2: bit_vec n) - : Lemma (requires bv_equality bv1 bv2) - (ensures bv1 == bv2) -val bv_equality_intro #n (bv1 bv2: bit_vec n) - : Lemma (requires bv1 == bv2) - (ensures bv_equality bv1 bv2) -val rewrite n (bv1: bit_vec n): Lemma (bv_equality #n bv1 bv1 == true) - - diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst deleted file mode 100644 index 9d2614842..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst +++ /dev/null 
@@ -1,264 +0,0 @@ -module BitVec.Intrinsics.Constants - -open Core -open Rust_primitives -open FStar.Mul -open FStar.FunctionalExtensionality -open BitVec.Utils -open BitVec.Equality - -let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) - : bit_vec 256 - = mk_bv (fun i -> - let offset = i % 16 in - match i / 16 with - | 0 -> get_bit x15 (sz offset) - | 1 -> get_bit x14 (sz offset) - | 2 -> get_bit x13 (sz offset) - | 3 -> get_bit x12 (sz offset) - | 4 -> get_bit x11 (sz offset) - | 5 -> get_bit x10 (sz offset) - | 6 -> get_bit x9 (sz offset) - | 7 -> get_bit x8 (sz offset) - | 8 -> get_bit x7 (sz offset) - | 9 -> get_bit x6 (sz offset) - | 10 -> get_bit x5 (sz offset) - | 11 -> get_bit x4 (sz offset) - | 12 -> get_bit x3 (sz offset) - | 13 -> get_bit x2 (sz offset) - | 14 -> get_bit x1 (sz offset) - | 15 -> get_bit x0 (sz offset) - ) - -let madd_rhs (n: nat {n < 16}) = - mm256_set_epi16 - (1s < bit_vec 256 = admit () - -open Tactics.Utils - -open FStar.Tactics - -(** Unifies `t` with `fn x1 ... xN`, where `x1` and `xN` are -unification variables. This returns a list of terms to substitute `x1` -... `xN` with. *) -let unify_app (t fn: term) norm_steps: Tac (option (list term)) - = let bds = fst (collect_arr_bs (tc (cur_env ()) fn)) in - let _fake_goal = - (* create a goal `b1 -> ... 
-> bn -> squash True` *) - let trivial = pack_comp (C_Total (`squash True)) in - unshelve (fresh_uvar (Some (mk_arr bds trivial))) - in - (* get back the binders `b1`, ..., `bn` *) - let bds = intros () in - let args = map (fun (b: binder) -> b <: term) bds in - let norm_term = norm_term (hnf::norm_steps) in - let fn, t = norm_term (mk_e_app fn args), norm_term t in - let vars = map (fun b -> - let b = inspect_binder b in - let {bv_index = uniq; bv_ppname = ppname} = inspect_bv b.binder_bv in - let nv: namedv_view = {uniq; ppname; sort = seal (`_)} in - (FStar.Reflection.V2.pack_namedv nv, b.binder_sort) - ) bds in - let?# substs = fst (try_unify (cur_env ()) vars fn t) in - if List.Tot.length substs <> List.Tot.length bds - then fail "unify_app: inconsistent lengths"; - (* solve the trivial goal introduced at the begining *) - trivial (); - Some (List.Tot.rev (map (fun (_, t) -> t) substs)) - -irreducible let add (x y: int): int = x + y - -let f (a b c d: int): int = add (add (add a b) c) d - -// #push-options "--print_full_names --print_implicits --print_bound_var_types" -let _ = assert true by ( - let r = - unify_app - (quote (f 1 2 3 4)) - (quote f) - [delta_only [`%f]] - in - let s = term_to_string (quote r) - in - print s - ) - -let test x y (#[( - let n = fresh_namedv () in - let y = quote y in - let y' = `(madd_rhs (`#n)) in - let n = FStar.Reflection.V2.pack_namedv n in - let t = match try_unify (cur_env ()) [(n,`(n: nat {n < 16}))] y y' with - | (Some [v, t'], _) -> - `(stupid (`#t')) - | _ -> `(stupid (`#y)) in - exact t -)]f: bit_vec 256 -> bit_vec 256) = f x - -let xx = fun x -> test x (madd_rhs 12) - -irreducible let vec256_to_i16s (bv: bit_vec 256) - : (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - & (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - = admit () - -irreducible let rw_vec256_to_i16_ints - (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) - : Lemma ( - vec256_to_i16s (mm256_set_epi16 x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 
x12 x13 x14 x15) - == ((x0, x1, x2, x3, x4, x5, x6, x7), (x8, x9, x10, x11, x12, x13, x14, x15)) - ) = admit () - -let madd_rhs (n: nat {n < 16}) = - mm256_set_epi16 - (1s <= 1 - && v x0 = v x2 && v x0 = v x4 && v x0 = v x6 && v x0 = v x8 - && v x0 = v x10 && v x0 = v x12 && v x0 = v x14 - && v x1 = 1 && v x3 = 1 && v x5 = 1 && v x7 = 1 - && v x9 = 1 && v x11= 1 && v x13= 1 && v x15= 1 - then match Tactics.Pow2.log2 (v x0 <: nat) with - | Some coef -> - if coef < 16 - then ( - assert (v ((1s < None - else None -#pop-options - -open FStar.Tactics.V2 -[@@FStar.Tactics.V2.postprocess_with (fun _ -> - compute (); - Tactics.Seq.norm_index (); - compute (); - fail "x" -)] -let aa = - let n = 12 in - let tuple = ( - ( (1s < n | None -> 0 in - x - -open Tactics.Utils -open FStar.Tactics.V2 -module Visit = FStar.Tactics.Visit - -let rec any (f: 'a -> bool) (l: list 'a): bool - = match l with - | [] -> false - | hd::tl -> if f hd - then true - else any f tl - -exception FoundFreeLocalVar -let is_closed_term (x: term): Tac bool - = try - let _ = FStar.Tactics.Visit.visit_tm ( - function - | Tv_Var _ | Tv_BVar _ -> raise FoundFreeLocalVar - | x -> x - ) x - in true - with | FoundFreeLocalVar -> false - | e -> raise e - -let rw_mm256_set_epi16 t = - let?# (f, [arg,_]) = expect_app_n t 1 in - let?# _ = expect_free_var f (`%vec256_to_i16_ints) in - let?? 
_ = is_closed_term arg in - let?# (f, args) = expect_app_n arg 16 in - let?# _ = expect_free_var f (`%mm256_set_epi16) in - pointwise' (fun _ -> - let _ = let?# (lhs, _, _) = expect_lhs_eq_rhs () in - Some (if any (fun (arg, _) -> term_eq lhs arg) args - then norm [primops; iota; delta; zeta_full] - else ()) - in trefl () - ); - Some () - -let rec expect_madd_rhs' (bv: bit_vec 256) (n:nat {n < 16}) - : result: option (n: nat {n < 16}) { match result with - | Some n -> bv == madd_rhs n - | _ -> True - } - = if bv_equality bv (madd_rhs n) - then ( bv_equality_elim bv (madd_rhs n); - Some n ) - else if n = 0 then None - else expect_madd_rhs' bv (n - 1) - -irreducible let expect_madd_rhs (bv: bit_vec 256): option (n: nat {n < 16}) - = expect_madd_rhs' bv 15 - -// let rewrite_expect_madd_rhs -// (bv: bit_vec 256) (n: nat {n < 16}) -// : Lemma (requires bv == madd_rhs n) -// (ensures ) -// = () - diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst deleted file mode 100644 index 0c60d6587..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst +++ /dev/null 
@@ -1,203 +0,0 @@ -module BitVec.Intrinsics.TestShuffle - -open Rust_primitives -open FStar.Mul -open BitVec.Utils -open BitVec.Intrinsics - -assume val stuck: #a:Type -> #b:Type -> a -> b - -let index64 l (i: nat {i < List.Tot.length l}) = - match l with - | [x0;x1;x2;x3] -> - (match i with - | 0 -> x0 | 1 -> x1 | 2 -> x2 | 3 -> x3) - | [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31;x32;x33;x34;x35;x36;x37;x38;x39;x40;x41;x42;x43;x44;x45;x46;x47;x48;x49;x50;x51;x52;x53;x54;x55;x56;x57;x58;x59;x60;x61;x62;x63] -> - (match i with - | 0 -> x0 | 1 -> x1 | 2 -> x2 | 3 -> x3 | 4 -> x4 | 5 -> x5 | 6 -> x6 | 7 -> x7 | 8 -> x8 | 9 -> x9 | 10 -> x10 | 11 -> x11 | 12 -> x12 | 13 -> x13 | 14 -> x14 | 15 -> x15 - | 16 -> x16 | 17 -> x17 | 18 -> x18 | 19 -> x19 | 20 -> x20 | 21 -> x21 | 22 -> x22 | 23 -> x23 | 24 -> x24 | 25 -> x25 | 26 -> x26 | 27 -> x27 | 28 -> x28 | 29 -> x29 | 30 -> x30 | 31 -> x31 - | 32 -> x32 | 33 -> x33 | 34 -> x34 | 35 -> x35 | 36 -> x36 | 37 -> x37 | 38 -> x38 | 39 -> x39 | 40 -> x40 | 41 -> x41 | 42 -> x42 | 43 -> x43 | 44 -> x44 | 45 -> x45 | 46 -> x46 | 47 -> x47 - | 48 -> x48 | 49 -> x49 | 50 -> x50 | 51 -> x51 | 52 -> x52 | 53 -> x53 | 54 -> x54 | 55 -> x55 | 56 -> x56 | 57 -> x57 | 58 -> x58 | 59 -> x59 | 60 -> x60 | 61 -> x61 | 62 -> x62 | 63 -> x63) - | _ -> stuck "index" - -assume val nth: list bit -> nat -> bit - -let bv_of_list_list (n: pos) (l: list (l: list bit {List.Tot.length l == n})): bit_vec (List.Tot.length l * n) - = mk_bv (fun i -> nth (index64 l (i / n)) (i % n)) - -let z: l: list bit {List.Tot.length l == 4} = [0;0;0;0] - -type result #t0 #t1 #t2 #t3 #t4 = { - vector: t0; - adjacent_2_combined: t1; - adjacent_8_combined: t2; - combined': t3; - combined: t4; - } - -// /// We view `x` as a sequence of pairs of 16 bits, of the shape -// /// `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`: only the last `n` bits are non-zero. 
-// /// We output a sequence of 32 bits `0b0…0b₁…bₙa₁…aₙ`. -// let mm256_madd_epi16_specialized' (x: bit_vec 256) (n: nat {n < 16}): bit_vec 256 = -// mk_bv (fun i -> let j = i % 32 in -// // `x i` is the `j`th bit in the `i/32`th pair of 16 bits `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` -// // we want to construct the `j`th bit of `0b0…0b₁…bₙa₁…aₙ` -// let is_zero = -// // `|b₁…bₙa₁…aₙ| = n * 2`: if we're above that, we want to produce the bit `0` -// j >= n * 2 -// in -// if is_zero -// then 0 -// else if j < n -// then x i // we want to produce the bit `aⱼ` -// else -// // the bit from `b` is in the second item of the pair `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` -// x (i - n + 16) -// ) - -// let mm256_permutevar8x32_epi32_i32 (a: bit_vec 256) (b: list _ {List.Tot.length b == 8}): bit_vec 256 = -// mk_bv (fun i -> -// let j = i / 32 in -// let index = (List.Tot.index b (7 - j) % 8) * 32 in -// a (index + i % 32)) - -let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_madd_epi16_specialized' vector 4 - // Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector - // (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < bit) = [f 0;f 1;f 2;f 3;f 4;f 5;f 6;f 7;f 8;f 9;f 10;f 11;f 12;f 13;f 14;f 15;f 16;f 17;f 18;f 19;f 20;f 21;f 22;f 23;f 24;f 25;f 26;f 27;f 28;f 29;f 30;f 31;f 32;f 33;f 34;f 35;f 36;f 37;f 38;f 39;f 40;f 41;f 42;f 43;f 44;f 45;f 46;f 47;f 48;f 49;f 50;f 51;f 52;f 53;f 54;f 55;f 56;f 57;f 58;f 59;f 60;f 61;f 62;f 63;f 64;f 65;f 66;f 67;f 68;f 69;f 70;f 71;f 72;f 73;f 74;f 75;f 76;f 77;f 78;f 79;f 80;f 81;f 82;f 83;f 84;f 85;f 86;f 87;f 88;f 89;f 90;f 91;f 92;f 93;f 94;f 95;f 96;f 97;f 98;f 99;f 100;f 101;f 102;f 103;f 104;f 105;f 106;f 107;f 108;f 109;f 110;f 111;f 112;f 113;f 114;f 115;f 116;f 117;f 118;f 119;f 120;f 121;f 122;f 123;f 124;f 125;f 126;f 127;f 128;f 129;f 130;f 131;f 132;f 133;f 134;f 
135;f 136;f 137;f 138;f 139;f 140;f 141;f 142;f 143;f 144;f 145;f 146;f 147;f 148;f 149;f 150;f 151;f 152;f 153;f 154;f 155;f 156;f 157;f 158;f 159;f 160;f 161;f 162;f 163;f 164;f 165;f 166;f 167;f 168;f 169;f 170;f 171;f 172;f 173;f 174;f 175;f 176;f 177;f 178;f 179;f 180;f 181;f 182;f 183;f 184;f 185;f 186;f 187;f 188;f 189;f 190;f 191;f 192;f 193;f 194;f 195;f 196;f 197;f 198;f 199;f 200;f 201;f 202;f 203;f 204;f 205;f 206;f 207;f 208;f 209;f 210;f 211;f 212;f 213;f 214;f 215;f 216;f 217;f 218;f 219;f 220;f 221;f 222;f 223;f 224;f 225;f 226;f 227;f 228;f 229;f 230;f 231;f 232;f 233;f 234;f 235;f 236;f 237;f 238;f 239;f 240;f 241;f 242;f 243;f 244;f 245;f 246;f 247;f 248;f 249;f 250;f 251;f 252;f 253;f 254;f 255] -let map128 (f: (i: nat {i < 128}) -> bit) = [f 0;f 1;f 2;f 3;f 4;f 5;f 6;f 7;f 8;f 9;f 10;f 11;f 12;f 13;f 14;f 15;f 16;f 17;f 18;f 19;f 20;f 21;f 22;f 23;f 24;f 25;f 26;f 27;f 28;f 29;f 30;f 31;f 32;f 33;f 34;f 35;f 36;f 37;f 38;f 39;f 40;f 41;f 42;f 43;f 44;f 45;f 46;f 47;f 48;f 49;f 50;f 51;f 52;f 53;f 54;f 55;f 56;f 57;f 58;f 59;f 60;f 61;f 62;f 63;f 64;f 65;f 66;f 67;f 68;f 69;f 70;f 71;f 72;f 73;f 74;f 75;f 76;f 77;f 78;f 79;f 80;f 81;f 82;f 83;f 84;f 85;f 86;f 87;f 88;f 89;f 90;f 91;f 92;f 93;f 94;f 95;f 96;f 97;f 98;f 99;f 100;f 101;f 102;f 103;f 104;f 105;f 106;f 107;f 108;f 109;f 110;f 111;f 112;f 113;f 114;f 115;f 116;f 117;f 118;f 119;f 120;f 121;f 122;f 123;f 124;f 125;f 126;f 127] - -let test (a b c d e f g h i j k l m n o p: (l: list bit {List.Tot.length l == 4})) = - let input = bv_of_list_list 4 [ - a;z;z;z; b;z;z;z; c;z;z;z; d;z;z;z; - e;z;z;z; f;z;z;z; g;z;z;z; h;z;z;z; - i;z;z;z; j;z;z;z; k;z;z;z; l;z;z;z; - m;z;z;z; n;z;z;z; o;z;z;z; p;z;z;z; - - // z;z;z;a; z;z;z;b; z;z;z;c; z;z;z;d; - // z;z;z;e; z;z;z;f; z;z;z;g; z;z;z;h; - // z;z;z;i; z;z;z;j; z;z;z;k; z;z;z;l; - // z;z;z;m; z;z;z;n; z;z;z;o; z;z;z;p; - ] in - serialize_4_ input - - -// let xx a b c d e f g h i j k l m n o p = -// Pervasives.norm [iota; primops; zeta_full; 
delta] ( -// Pervasives.norm [iota; primops; zeta; delta] ( -// let {vector; adjacent_2_combined; adjacent_8_combined; combined'; combined} = test a b c d e f g h i j k l m n o p in -// let vector = map256 (fun (idx: nat{idx < 256}) -> vector idx) in -// let adjacent_2_combined = map256 (fun (idx: nat{idx < 256}) -> adjacent_2_combined idx) in -// let adjacent_8_combined = map256 (fun (idx: nat{idx < 256}) -> adjacent_8_combined idx) in -// let combined' = map256 (fun (idx: nat{idx < 256}) -> combined' idx) in -// let combined = map128 (fun (idx: nat{idx < 128}) -> combined idx) in -// // map128 (fun (idx: nat {idx < 128}) -> test a b c d e f g h i j k l m n o p idx) -// {vector; adjacent_2_combined; adjacent_8_combined; combined'; combined} -// // (vector, adjacent_2_combined) -// ) -// ) - - - -open FStar.Tactics.V2 -open Tactics.Utils - - -open Libcrux_intrinsics.Avx2_extract {t_Vec256, t_Vec128} -// open BitVec.Intrinsics { - -// } - -#push-options "--compat_pre_core 0" -let serialize_4__ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - BitVec.Intrinsics.mm256_madd_epi16 vector - (BitVec.Intrinsics.mm256_set_epi16 (1s < i % 16 < 4 || vector i = 0)); - assert (forall (i: nat {i < 64}). 
- // let local_i = i / 4 in - combined i == vector ((i / 4) * 16 + i % 4) - ) by ( - // unfold wrappers - norm [primops; iota; zeta; delta_namespace [ - `%BitVec.Intrinsics.mm256_shuffle_epi8; - `%BitVec.Intrinsics.mm256_permutevar8x32_epi32; - `%BitVec.Intrinsics.mm256_madd_epi16; - `%BitVec.Intrinsics.mm256_castsi256_si128; - "BitVec.Utils"; - ]]; - Tactics.Utils.prove_forall_nat_pointwise (Tactics.Utils.print_time "SMT query succeeded in " (fun _ -> - let reduce t = - norm [primops; iota; zeta_full; delta_namespace [ - "FStar.FunctionalExtensionality"; - t; - `%BitVec.Utils.mk_bv; - `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) - ]]; - norm [primops; iota; zeta_full; delta_namespace [ - "FStar.List.Tot"; `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) - ]] - in - reduce (`%BitVec.Intrinsics.mm256_permutevar8x32_epi32_i32); - reduce (`%BitVec.Intrinsics.mm256_shuffle_epi8_i8); - reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized); - grewrite (quote (forall_bool #256 (fun i -> i % 16 < 4 || op_Equality #int (vector i) 0))) (`true); - flip (); smt (); - reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized'); - // focus (fun _ -> dump' "Goal!!"); - trivial () - )) - ); - combined diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti deleted file mode 100644 index a101013a6..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti +++ /dev/null 
@@ -1,425 +0,0 @@ -module BitVec.Intrinsics - -open Core -open Rust_primitives -open FStar.Mul -open BitVec.Utils -open BitVec.Equality -open Tactics.Utils - -(*** The intrinsics *) -let mm256_slli_epi16 (shift: i32 {v shift >= 0 /\ v shift <= 16}) (vec: bit_vec 256): bit_vec 256 - = mk_bv (fun i -> let nth_bit = i % 16 in - if nth_bit >= v shift then vec (i - v shift) else 0) - -let mm256_srli_epi16 (shift: i32 {v shift >= 0 /\ v shift <= 16}) (vec: bit_vec 256): bit_vec 256 - = mk_bv (fun i -> let nth_bit = i % 16 in - if nth_bit < 16 - v shift then vec (i + v shift) else 0) - -let mm256_srli_epi64 (shift: i32 {v shift >= 0 /\ v shift <= 64}) (vec: bit_vec 256): bit_vec 256 - = mk_bv (fun i -> let nth_bit = i % 64 in - if nth_bit < 64 - v shift then vec (i + v shift) else 0) - -let mm256_castsi256_si128 (vec: bit_vec 256): bit_vec 128 - = mk_bv (fun i -> vec i) -let mm256_extracti128_si256 (control: i32{control == 1l}) (vec: bit_vec 256): bit_vec 128 - = mk_bv (fun i -> vec (i + 128)) - -let mm256_si256_from_two_si128 (lower upper: bit_vec 128): bit_vec 256 - = mk_bv (fun i -> if i < 128 then lower i else upper (i - 128)) - -let mm_loadu_si128 (bytes: t_Array u8 (sz 16)): bit_vec 128 - = mk_bv (fun i -> get_bit (Seq.index bytes (i / 8)) (sz (i % 8))) - -let mm256_set_epi32 (x0 x1 x2 x3 x4 x5 x6 x7: i32) - : bit_vec 256 - = mk_bv (fun i -> - let h (x: i32) = get_bit x (sz (i % 32)) in - match i / 32 with - | 0 -> h x7 | 1 -> h x6 | 2 -> h x5 | 3 -> h x4 - | 4 -> h x3 | 5 -> h x2 | 6 -> h x1 | 7 -> h x0) - -let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) - : bit_vec 256 - = mk_bv (fun i -> - let h (x: i16) = get_bit x (sz (i % 16)) in - match i / 16 with - | 0 -> h x15 | 1 -> h x14 | 2 -> h x13 | 3 -> h x12 - | 4 -> h x11 | 5 -> h x10 | 6 -> h x9 | 7 -> h x8 - | 8 -> h x7 | 9 -> h x6 | 10 -> h x5 | 11 -> h x4 - | 12 -> h x3 | 13 -> h x2 | 14 -> h x1 | 15 -> h x0 - ) - -let mm_set_epi8 - (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 
x14 x15: u8) - : bit_vec 128 - = mk_bv (fun i -> - let h (x: u8) = get_bit x (sz (i % 8)) in - match i / 8 with - | 0 -> h x15 | 1 -> h x14 | 2 -> h x13 | 3 -> h x12 - | 4 -> h x11 | 5 -> h x10 | 6 -> h x9 | 7 -> h x8 - | 8 -> h x7 | 9 -> h x6 | 10 -> h x5 | 11 -> h x4 - | 12 -> h x3 | 13 -> h x2 | 14 -> h x1 | 15 -> h x0 - ) - -let mm256_set_epi8 - (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31: i8) - : bit_vec 256 - = mk_bv (fun i -> - let h (x: i8) = get_bit x (sz (i % 8)) in - match i / 8 with - | 0 -> h x31 | 1 -> h x30 | 2 -> h x29 | 3 -> h x28 - | 4 -> h x27 | 5 -> h x26 | 6 -> h x25 | 7 -> h x24 - | 8 -> h x23 | 9 -> h x22 | 10 -> h x21 | 11 -> h x20 - | 12 -> h x19 | 13 -> h x18 | 14 -> h x17 | 15 -> h x16 - | 16 -> h x15 | 17 -> h x14 | 18 -> h x13 | 19 -> h x12 - | 20 -> h x11 | 21 -> h x10 | 22 -> h x9 | 23 -> h x8 - | 24 -> h x7 | 25 -> h x6 | 26 -> h x5 | 27 -> h x4 - | 28 -> h x3 | 29 -> h x2 | 30 -> h x1 | 31 -> h x0 - ) - -val mm256_set1_epi16_no_semantics: i16 -> bit_vec 256 -let mm256_set1_epi16_pow2_minus_one (n: nat): bit_vec 256 - = mk_bv (fun i -> if i % 16 < n then 1 else 0) - -let mm256_and_si256 (x y: bit_vec 256): bit_vec 256 - = mk_bv (fun i -> if y i = 0 then 0 else x i) - -let mm256_set1_epi16 (constant: i16) - (#[Tactics.exact (match unify_app (quote constant) (quote (fun n -> ((1s < `(mm256_set1_epi16_pow2_minus_one (`#x)) - | _ -> (quote (mm256_set1_epi16_no_semantics constant)) - )]result: bit_vec 256) - : bit_vec 256 = result - -private let saturate8 (v: bit_vec 16): bit_vec 8 - = let on_upper_bits (+) (f: (n:nat{n >= 8 && n <= 15}) -> _) - = f 8 + f 9 + f 10 + f 11 + f 12 + f 13 + f 14 + f 15 - in - let any1 = on_upper_bits ( || ) (fun i -> v i = 1) in - let all1 = on_upper_bits ( && ) (fun i -> v i = 1) in - let negative = v 15 = 1 in - mk_bv (fun i -> - let last_bit = i = 7 in - if negative - then if last_bit - then 1 - else if all1 - then v i - else 0 - 
else if any1 - then if last_bit - then 0 - else 1 - else v i - ) - -let mm_movemask_epi8_bv (a: bit_vec 128): bit_vec 128 - = mk_bv (fun j -> - if j < 16 - then a ((j * 8) + 7) - else 0 - ) - -let mm_movemask_epi8 (a: bit_vec 128): i32 - = bit_vec_to_int_t 32 (mk_bv (fun i -> mm_movemask_epi8_bv a i)) - -let mm_packs_epi16 (a b: bit_vec 128): bit_vec 128 - = mk_bv (fun i -> - let nth_block = i / 8 in - let offset8 = nth_block * 8 in - let offset16' = nth_block * 16 in - let offset16 = offset16' % 128 in - let vec: bit_vec 128 = if offset16' < 128 then a else b in - saturate8 (mk_bv (fun j -> vec (offset16 + j))) (i - offset8) - ) - - - -// This is a very specialized version of mm256_mullo_epi16 -let mm256_mullo_epi16_specialized1 (a: bit_vec 256): bit_vec 256 = - mk_bv (fun i -> - let nth_bit = i % 16 in - let nth_i16 = i / 16 in - let shift = if nth_i16 >= 8 then 23 - nth_i16 else 15 - nth_i16 in - if nth_bit >= shift then a (i - shift) else 0 - ) - -// This is a very specialized version of mm256_mullo_epi16 -let mm256_mullo_epi16_specialized2 (a: bit_vec 256): bit_vec 256 = - mk_bv (fun i -> - let nth_bit = i % 16 in - let nth_i16 = i / 16 in - let shift = if nth_i16 % 2 = 0 then 4 else 0 in - if nth_bit >= shift then a (i - shift) else 0 - ) - -// This is a very specialized version of mm256_mullo_epi16 -let mm256_mullo_epi16_specialized3 (a: bit_vec 256): bit_vec 256 = - mk_bv (fun i -> - let nth_bit = i % 16 in - let nth_i16 = i / 16 in - let shift = 6 - (nth_i16 % 4) * 2 in - if nth_bit >= shift then a (i - shift) else 0 - ) - -// This term will be stuck, we don't know anything about it -val mm256_mullo_epi16_no_semantics (a count: bit_vec 256): bit_vec 256 - -open FStar.Tactics.V2 - - - -let mm256_mullo_epi16 - (a count: bit_vec 256) - (#[( - if match unify_app (quote count) (quote (fun x -> mm256_set_epi16 (1s < unquote x = 1s - | _ -> false - then Tactics.exact (quote (mm256_mullo_epi16_specialized1 a)) - else if match unify_app (quote count) (quote (fun x 
-> mm256_set_epi16 (1s < unquote x = 1s - | _ -> false - then Tactics.exact (quote (mm256_mullo_epi16_specialized2 a)) - else - if match unify_app (quote count) (quote (fun x -> mm256_set_epi16 (1s < unquote x = 1s - | _ -> false - then Tactics.exact (quote (mm256_mullo_epi16_specialized3 a)) - else - Tactics.exact (quote (mm256_mullo_epi16_no_semantics a count)) - )]result: bit_vec 256): bit_vec 256 = result - -let madd_rhs (n: nat {n < 16}) = - mm256_set_epi16 - (1s < bit_vec 256 -> bit_vec 256 - -let forall_bool (#max: pos) (f: (n: nat {n < max}) -> bool) - : r:bool {r <==> (forall i. f i)} - = let rec h (n: nat {n <= max}): r:bool {r <==> (forall i. i < n ==> f i)} = - match n with - | 0 -> true - | _ -> f (n - 1) && h (n - 1) - in h max - -/// We view `x` as a sequence of pairs of 16 bits, of the shape -/// `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`: only the last `n` bits are non-zero. -/// We output a sequence of 32 bits `0b0…0b₁…bₙa₁…aₙ`. -let mm256_madd_epi16_specialized' (x: bit_vec 256) (n: nat {n < 16}): bit_vec 256 = - mk_bv (fun i -> let j = i % 32 in - // `x i` is the `j`th bit in the `i/32`th pair of 16 bits `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` - // we want to construct the `j`th bit of `0b0…0b₁…bₙa₁…aₙ` - let is_zero = - // `|b₁…bₙa₁…aₙ| = n * 2`: if we're above that, we want to produce the bit `0` - j >= n * 2 - in - if is_zero - then 0 - else if j < n - then x i // we want to produce the bit `aⱼ` - else - // the bit from `b` is in the second item of the pair `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` - x (i - n + 16) - ) - -let mm256_concat_pairs_n - (n: u8 {v n < 16}) - (x: bit_vec 256 {forall (i: nat {i < 256}). 
i % 16 < v n || x i = 0}) = - mm256_madd_epi16_specialized' x (v n) - -let mm256_madd_epi16_specialized (x: bit_vec 256) (n: nat {n < 16}) = - if forall_bool (fun (i: nat {i < 256}) -> i % 16 < n || x i = 0) - then mm256_madd_epi16_specialized' x n - else mm256_madd_epi16_no_semantic x (madd_rhs n) - -val mm_shuffle_epi8_no_semantics (a b: bit_vec 128): bit_vec 128 -let mm_shuffle_epi8_u8 (a: bit_vec 128) (b: list int {List.Tot.length b == 16}): bit_vec 128 = - mk_bv (fun i -> - let nth = i / 8 in - let index = List.Tot.index b (15 - nth) in - if index < 0 then 0 - else let index = index % 16 in - a (index * 8 + i % 8 + i / 128 * 128)) - -let mm_shuffle_epi8 - (x y: bit_vec 128) - (#[( - let t = match unify_app (quote y) - (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 -> - mm_set_epi8 - (UInt8.uint_to_t x0 ) (UInt8.uint_to_t x1 ) (UInt8.uint_to_t x2 ) (UInt8.uint_to_t x3 ) (UInt8.uint_to_t x4 ) (UInt8.uint_to_t x5 ) (UInt8.uint_to_t x6 ) (UInt8.uint_to_t x7 ) - (UInt8.uint_to_t x8 ) (UInt8.uint_to_t x9 ) (UInt8.uint_to_t x10) (UInt8.uint_to_t x11) (UInt8.uint_to_t x12) (UInt8.uint_to_t x13) (UInt8.uint_to_t x14) (UInt8.uint_to_t x15))) [] with - | Some [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15] -> - `(mm_shuffle_epi8_u8 (`@x) - (mk_list_16 - (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ) - (`#x8 ) (`#x9 ) (`#x10) (`#x11) (`#x12) (`#x13) (`#x14) (`#x15))) - | _ -> quote (mm_shuffle_epi8_no_semantics x y) in - exact t - )]result: bit_vec 128) - : bit_vec 128 - = result - -val mm256_shuffle_epi8_no_semantics (a b: bit_vec 256): bit_vec 256 -let mm256_shuffle_epi8_i8 (a: bit_vec 256) (b: list _ {List.Tot.length b == 32}): bit_vec 256 = - mk_bv (fun i -> - let nth = i / 8 in - let index = List.Tot.index b (31 - nth) in - if index < 0 then 0 - else let index = index % 16 in - a (index * 8 + i % 8 + i / 128 * 128)) - -let mm256_shuffle_epi8 - (x y: bit_vec 256) - (#[( - let t = match unify_app (quote y) - (quote (fun x0 x1 
x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31 -> - mm256_set_epi8 - (Int8.int_to_t x0 ) (Int8.int_to_t x1 ) (Int8.int_to_t x2 ) (Int8.int_to_t x3 ) (Int8.int_to_t x4 ) (Int8.int_to_t x5 ) (Int8.int_to_t x6 ) (Int8.int_to_t x7 ) - (Int8.int_to_t x8 ) (Int8.int_to_t x9 ) (Int8.int_to_t x10) (Int8.int_to_t x11) (Int8.int_to_t x12) (Int8.int_to_t x13) (Int8.int_to_t x14) (Int8.int_to_t x15) - (Int8.int_to_t x16) (Int8.int_to_t x17) (Int8.int_to_t x18) (Int8.int_to_t x19) (Int8.int_to_t x20) (Int8.int_to_t x21) (Int8.int_to_t x22) (Int8.int_to_t x23) - (Int8.int_to_t x24) (Int8.int_to_t x25) (Int8.int_to_t x26) (Int8.int_to_t x27) (Int8.int_to_t x28) (Int8.int_to_t x29) (Int8.int_to_t x30) (Int8.int_to_t x31))) [] with - | Some [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31] -> - `(mm256_shuffle_epi8_i8 (`@x) - (mk_list_32 - (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ) - (`#x8 ) (`#x9 ) (`#x10) (`#x11) (`#x12) (`#x13) (`#x14) (`#x15) - (`#x16) (`#x17) (`#x18) (`#x19) (`#x20) (`#x21) (`#x22) (`#x23) - (`#x24) (`#x25) (`#x26) (`#x27) (`#x28) (`#x29) (`#x30) (`#x31))) - | _ -> quote (mm256_shuffle_epi8_no_semantics x y) in - exact t - )]result: bit_vec 256) - : bit_vec 256 - = result - -val mm256_permutevar8x32_epi32_no_semantics (a b: bit_vec 256): bit_vec 256 -let mm256_permutevar8x32_epi32_i32 (a: bit_vec 256) (b: list _ {List.Tot.length b == 8}): bit_vec 256 = - mk_bv (fun i -> - let j = i / 32 in - let index = (List.Tot.index b (7 - j) % 8) * 32 in - a (index + i % 32)) - -let mm256_permutevar8x32_epi32 - (x y: bit_vec 256) - (#[( - let t = match unify_app (quote y) - (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 -> - mm256_set_epi32 - (Int32.int_to_t x0) (Int32.int_to_t x1) (Int32.int_to_t x2) (Int32.int_to_t x3) - (Int32.int_to_t x4) (Int32.int_to_t x5) (Int32.int_to_t x6) (Int32.int_to_t x7))) [] with - | Some 
[x0;x1;x2;x3;x4;x5;x6;x7] -> - `(mm256_permutevar8x32_epi32_i32 (`@x) - (mk_list_8 (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ))) - | _ -> quote (mm256_permutevar8x32_epi32_no_semantics x y) in - exact t - )]result: bit_vec 256) - : bit_vec 256 - = result - -val mm256_sllv_epi32_no_semantics (x y: bit_vec 256): bit_vec 256 -let mm256_sllv_epi32_i32 (vec: bit_vec 256) (counts: list _ {List.Tot.length counts == 8}): bit_vec 256 - = mk_bv (fun i -> let nth_bit = i % 32 in - let shift = List.Tot.index counts (7 - i / 32) in - if shift >= 0 && nth_bit >= shift then vec (i - shift) else 0) - -let mm256_sllv_epi32 - (x y: bit_vec 256) - (#[( - let t = match unify_app (quote y) - (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 -> - mm256_set_epi32 - (Int32.int_to_t x0) (Int32.int_to_t x1) (Int32.int_to_t x2) (Int32.int_to_t x3) - (Int32.int_to_t x4) (Int32.int_to_t x5) (Int32.int_to_t x6) (Int32.int_to_t x7))) [] with - | Some [x0;x1;x2;x3;x4;x5;x6;x7] -> - `(mm256_sllv_epi32_i32 (`@x) - (mk_list_8 (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ))) - | _ -> quote (mm256_sllv_epi32_no_semantics x y) in - exact t - )]result: bit_vec 256) - : bit_vec 256 - = result - - -let mm256_madd_epi16 - (x y: bit_vec 256) - (#[( - let t = match unify_app (quote y) (quote (fun n -> madd_rhs n)) [delta_only [`%madd_rhs]] with - | Some [n] -> `(mm256_madd_epi16_specialized (`@x) (`#n)) - | _ -> quote (mm256_madd_epi16_no_semantic x y) in - exact t - )]result: bit_vec 256) - : bit_vec 256 - = result - -val mm_storeu_bytes_si128 (_output: t_Slice u8) (vec: bit_vec 128) - // : r: t_Array u8 (sz 16) {forall i. vec i == get_bit (Seq.index r (i / 8)) (sz (i % 8))} - : r: t_Array u8 (sz 16) {forall i. 
vec i == bit_vec_of_int_t_array r 8 i} - -open FStar.Stubs.Tactics.V2.Builtins -open FStar.Stubs.Tactics.V2 -open FStar.Tactics.V2.Derived -open FStar.Tactics.V2 - -let rec bv_to_string #len (bv: bit_vec len): string - = if len = 0 then "" - else string_of_int (bv (len - 1)) - ^ bv_to_string #(len - 1) (mk_bv (fun i -> bv i)) - -let bv_of_string #len (s: string): Tac (bit_vec len) - = let l = FStar.String.list_of_string s - |> filter (function ' ' | '\n' -> false | _ -> true) - |> map #_ #bit (function '1' -> 1 <: bit | '0' -> 0 | c -> fail ("expected 0 or 1, got [" ^ String.string_of_char c ^ "]")) in - if FStar.List.Tot.length l = len - then mk_bv (fun (i: nat {i < len}) -> List.Tot.index l i) - else fail ("expected a bv of length " ^ string_of_int len ^ ", got a bv of length " ^ string_of_int (FStar.List.Tot.length l)) - -let call_native_intrinsic' #ilen name raw_args (bitvecs: list (bit_vec ilen)) : Tac string = - let bitvecs = List.Tot.map bv_to_string bitvecs in - let args = List.Tot.append raw_args bitvecs in - let result = launch_process "bash" ("/tmp/run.sh"::name::args) "" in - print ("process stdout is [" ^ result ^ "]"); - FStar.String.list_of_string result - |> filter (function ' ' | '\n' -> false | _ -> true) - |> String.string_of_list - -let call_native_intrinsic #ilen olen name raw_args (bitvecs: list (bit_vec ilen)) : Tac (bit_vec olen) = - bv_of_string (call_native_intrinsic' #ilen name raw_args bitvecs) - -let random_bv len: Tac (bit_vec len) - = call_native_intrinsic #1 _ "rand" [string_of_int len] [] - -let tassert (x: bool): Tac unit - = if x then () else fail "tassert" - - -private let example: bit_vec 256 = mk_bv (fun i -> if i % 16 = 15 then 1 else 0) - -private let x = bv_to_string example -private let y = bv_to_string (mm256_srli_epi16 15l example) - diff --git a/fstar-helpers/fstar-bitvec/BitVec.Utils.fst b/fstar-helpers/fstar-bitvec/BitVec.Utils.fst deleted file mode 100644 index 3d2d19c98..000000000 
--- a/fstar-helpers/fstar-bitvec/BitVec.Utils.fst +++ /dev/null 
@@ -1,67 +0,0 @@ -module BitVec.Utils - -open Core -open FStar.FunctionalExtensionality -open BitVec.Equality -open Rust_primitives.BitVectors - -let mk_bv #len (f: (i:nat{i < len}) -> bit) = on (i:nat {i < len}) f - -let mk_list_32 #a (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31: a) - : (l:list a {List.Tot.length l == 32}) - = let l = [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31] in - assert_norm (List.Tot.length l == 32); - l - -let mk_list_16 #a (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: a) - : (l:list a {List.Tot.length l == 16}) - = let l = [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15] in - assert_norm (List.Tot.length l == 16); - l - -let mk_list_8 #a (x0 x1 x2 x3 x4 x5 x6 x7: a) - : (l:list a {List.Tot.length l == 8}) - = let l = [x0;x1;x2;x3;x4;x5;x6;x7] in - assert_norm (List.Tot.length l == 8); - l - -let rw_get_bit_cast #t #u - (x: int_t t) (nth: usize) - : Lemma (requires v nth < bits u /\ v nth < bits u) - (ensures eq2 #bit (get_bit (cast_mod #t #u x) nth) (if v nth < bits t then get_bit x nth else 0)) - [SMTPat (get_bit (cast_mod #t #u x) nth)] - = () - -let rw_get_bit_shr #t #u (x: int_t t) (y: int_t u) (i: usize {v i < bits t}) - : Lemma (requires v y >= 0 /\ v y < bits t) - (ensures eq2 #bit (get_bit (x >>! y) i ) - (if v i < bits t - v y - then get_bit x (mk_int (v i + v y)) - else if signed t - then get_bit x (mk_int (bits t - 1)) - else 0)) - = () - -unfold type forall_sig (n: nat) = pred: ((i:nat{i < n}) -> bool) - -> r: bool {r <==> (forall i. 
pred i)} - -let forall8: forall_sig 8 = fun pred -> pred 0 && pred 1 && pred 2 && pred 3 - && pred 4 && pred 5 && pred 6 && pred 7 - -#push-options "--z3rlimit 400" -let forall16: forall_sig 16 = fun pred -> forall8 pred && forall8 (fun i -> pred (i + 8)) -let forall32: forall_sig 32 = fun pred -> forall16 pred && forall16 (fun i -> pred (i + 16)) -let forall64: forall_sig 64 = fun pred -> forall32 pred && forall32 (fun i -> pred (i + 32)) -let forall128: forall_sig 128 = fun pred -> forall64 pred && forall64 (fun i -> pred (i + 64)) -let forall256: forall_sig 256 = fun pred -> forall128 pred && forall128 (fun i -> pred (i + 128)) -#pop-options - -let forall_n (n:nat{n <= 256}): forall_sig n = fun pred -> forall256 (fun i -> if i < n then pred i else true) - -let bit_vec_to_int_t_lemma - #t (d: num_bits t) (bv: bit_vec d) - i - : Lemma (get_bit (bit_vec_to_int_t d bv) (sz i) == bv i) - [SMTPat (get_bit (bit_vec_to_int_t d bv) (sz i))] - = bit_vec_to_int_t_lemma d bv i - diff --git a/fstar-helpers/fstar-bitvec/BitVecEq.fst b/fstar-helpers/fstar-bitvec/BitVecEq.fst deleted file mode 100644 index c89f2fe35..000000000 --- a/fstar-helpers/fstar-bitvec/BitVecEq.fst +++ /dev/null @@ -1,12 +0,0 @@ -module BitVecEq - -open Core -open FStar.Mul -open FStar.FunctionalExtensionality - -let bit_vec_equal #n bv1 bv2 = forall i. bv1 i == bv2 i - -let bit_vec_equal_intro bv1 bv2 = () -let bit_vec_equal_elim bv1 bv2 = assert (feq bv1 bv2) - - diff --git a/fstar-helpers/fstar-bitvec/BitVecEq.fsti b/fstar-helpers/fstar-bitvec/BitVecEq.fsti deleted file mode 100644 index c370f28bf..000000000 --- a/fstar-helpers/fstar-bitvec/BitVecEq.fsti +++ /dev/null 
@@ -1,293 +0,0 @@ -module BitVecEq -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul -open MkSeq -open FStar.FunctionalExtensionality - -val bit_vec_equal (#n: nat) (bv1 bv2: bit_vec n): Type0 -val bit_vec_equal_intro (#n: nat) (bv1 bv2: bit_vec n) - : Lemma (requires forall i. bv1 i == bv2 i) - (ensures bit_vec_equal bv1 bv2) -val bit_vec_equal_elim (#n: nat) (bv1 bv2: bit_vec n) - : Lemma (requires bit_vec_equal #n bv1 bv2) - (ensures bv1 == bv2) - [SMTPat (bit_vec_equal #n bv1 bv2)] - -let bit_vec_equal_intro_principle () - : Lemma (forall n (bv1 bv2: bit_vec n). (forall i. bv1 i == bv2 i) ==> bit_vec_equal #n bv1 bv2) - = introduce forall n (bv1 bv2: bit_vec n). _ - with introduce (forall i. bv1 i == bv2 i) ==> bit_vec_equal #n bv1 bv2 - with _. bit_vec_equal_intro #n bv1 bv2 - -let bit_vec_equal_elim_principle () - : Lemma (forall n (bv1 bv2: bit_vec n). bit_vec_equal #n bv1 bv2 ==> (forall i. bv1 i == bv2 i)) - = introduce forall n (bv1 bv2: bit_vec n). _ - with introduce bit_vec_equal #n bv1 bv2 ==> (forall i. bv1 i == bv2 i) - with _. bit_vec_equal_elim #n bv1 bv2 - -let bit_vec_equal_trivial (bv1 bv2: bit_vec 0): Lemma (bv1 == bv2) - [SMTPat (eq2 #(bit_vec 0) bv1 bv2)] - = bit_vec_equal_intro bv1 bv2 - -let bit_vec_sub #n (bv: bit_vec n) (start: nat) (len: nat {start + len <= n}) - : bit_vec len - = on (i: nat {i < len}) - (fun i -> bv (start + i)) - -let bit_vec_equal_trivial_sub_smtpat (bv1: bit_vec 'n) - : Lemma (forall (bv2: bit_vec 0). bit_vec_sub bv1 0 0 == bv2) - [SMTPat (bit_vec_sub bv1 0 0)] - = introduce forall (bv2: bit_vec 0). 
bit_vec_sub bv1 0 0 == bv2 - with bit_vec_equal_trivial (bit_vec_sub bv1 0 0) bv2 - -unfold let retype #a #b (#_:unit{a == b}) - (x: a): b - = x - -let bit_vec_sub_all_lemma #n (bv: bit_vec n) - : Lemma (bit_vec_sub bv 0 n == bv) - [SMTPat (bit_vec_sub bv 0 n)] - = bit_vec_equal_intro (bit_vec_sub bv 0 n) bv - -let int_t_array_bitwise_eq' - #t1 #t2 #n1 #n2 - (arr1: t_Array (int_t t1) n1) (d1: num_bits t1) - (arr2: t_Array (int_t t2) n2) (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - = bit_vec_equal (bit_vec_of_int_t_array arr1 d1) - (retype (bit_vec_of_int_t_array arr2 d2)) - -let int_t_array_bitwise_eq - #t1 #t2 #n1 #n2 - (arr1: t_Array (int_t t1) n1) (d1: num_bits t1) - (arr2: t_Array (int_t t2) n2) (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - = bit_vec_of_int_t_array arr1 d1 == bit_vec_of_int_t_array arr2 d2 - -// let get_bit_intro () -// : Lemma (forall (#n: inttype) (x: int_t n) (nth: usize {v nth < bits n}). -// get_bit #n x nth == ( if v x >= 0 then get_bit_nat (v x) (v nth) -// else get_bit_nat (pow2 (bits n) + v x) (v nth))) -// = introduce forall (n: inttype) (x: int_t n) (nth: usize {v nth < bits n}). 
-// get_bit #n x nth == ( if v x >= 0 then get_bit_nat (v x) (v nth) -// else get_bit_nat (pow2 (bits n) + v x) (v nth)) -// with get_bit_intro #n x nth - -#push-options "--fuel 0 --ifuel 0 --z3rlimit 80" -/// Rewrite a `bit_vec_of_int_t_array (Seq.slice arr ...)` into a `bit_vec_sub ...` -let int_t_seq_slice_to_bv_sub_lemma #t #n - (arr: t_Array (int_t t) n) - (start: nat) (len: usize {start + v len <= v n}) - (d: num_bits t) - : Lemma ( bit_vec_of_int_t_array (Seq.slice arr start (start + v len) <: t_Array _ len) d - `bit_vec_equal` bit_vec_sub (bit_vec_of_int_t_array arr d) (start * d) (v len * d)) - [SMTPat (bit_vec_sub (bit_vec_of_int_t_array arr d) (start * d) (v len * d))] - = let bv1 = bit_vec_of_int_t_array #_ #len (Seq.slice arr start (start + v len)) d in - let bv2 = bit_vec_sub (bit_vec_of_int_t_array arr d) (start * d) (v len * d) in - introduce forall i. bv1 i == bv2 i - with ( Seq.lemma_index_slice arr start (start + v len) (i / d); - Math.Lemmas.lemma_div_plus i start d; - Math.Lemmas.lemma_mod_plus i start d); - bit_vec_equal_intro bv1 bv2 - -#push-options "--split_queries always" -let int_t_eq_seq_slice_bv_sub_lemma #t #n1 #n2 - (arr1: t_Array (int_t t) n1) (arr2: t_Array (int_t t) n2) (d: num_bits t) - (start1 start2: nat) (len: nat {start1 + len <= v n1 /\ start2 + len <= v n2}) - : Lemma (requires Seq.slice arr1 start1 (start1 + len) == Seq.slice arr2 start2 (start2 + len)) - (ensures bit_vec_equal - (bit_vec_sub (bit_vec_of_int_t_array arr1 d) (start1 * d) (len * d)) - (bit_vec_sub (bit_vec_of_int_t_array arr2 d) (start2 * d) (len * d))) - [SMTPat ((bit_vec_sub (bit_vec_of_int_t_array arr1 d) (start1 * d) (len * d)) == - (bit_vec_sub (bit_vec_of_int_t_array arr2 d) (start2 * d) (len * d)))] - = let len = sz len in - int_t_seq_slice_to_bv_sub_lemma arr1 start1 len d; - int_t_seq_slice_to_bv_sub_lemma arr2 start2 len d; - // bit_vec_equal_elim_principle (); - bit_vec_equal_intro_principle () -#pop-options - -let bit_vec_equal_extend #n1 #n2 - 
(bv1: bit_vec n1) (bv2: bit_vec n2) (start1 start2: nat) - (len1: nat) - (len2: nat { start1 + len1 + len2 <= n1 /\ start2 + len1 + len2 <= n2}) - : Lemma - (requires - bit_vec_sub bv1 start1 len1 == bit_vec_sub bv2 start2 len1 - /\ bit_vec_sub bv1 (start1 + len1) len2 == bit_vec_sub bv2 (start2 + len1) len2) - (ensures bit_vec_sub bv1 start1 (len1+len2) == bit_vec_sub bv2 start2 (len1+len2)) - // [SMTPat (bit_vec_sub bv1 start1 len1 == bit_vec_sub bv2 start2 len1); - // SMTPat () - // ] - // SMTPat (bit_vec_sub bv1 (start1 + len1) len2 == bit_vec_sub bv2 (start2 + len1) len2)] - = let left1 = bit_vec_sub bv1 start1 len1 in - let left2 = bit_vec_sub bv2 start2 len1 in - let right1 = bit_vec_sub bv1 (start1 + len1) len2 in - let right2 = bit_vec_sub bv2 (start2 + len1) len2 in - // () - // bit_vec_equal_elim left1 left2 ; - // bit_vec_equal_elim right1 right2; - let entire1 = bit_vec_sub bv1 start1 (len1 + len2) in - let entire2 = bit_vec_sub bv2 start2 (len1 + len2) in - assert (forall (i:nat). i < len1 ==> left1 i == left2 i); - assert (forall (i:nat). i < len2 ==> right1 i == right2 i); - introduce forall (i:nat). i < len1 + len2 ==> entire1 i == entire2 i - with introduce i < len1 + len2 ==> entire1 i == entire2 i - with _. 
if i < len1 then assert (left1 i == left2 i) - else assert (entire1 i == right1 (i - len1)); - bit_vec_equal_intro entire1 entire2 -#pop-options - -// let bit_vec_equal_trans (#n: nat) (bv1 bv2 bv3: bit_vec n) -// : Lemma (requires bv1 `bit_vec_equal` bv2 /\ bv2 `bit_vec_equal` bv3) -// (ensures bv1 `bit_vec_equal` bv3) -// = bit_vec_equal_elim_principle (); -// bit_vec_equal_intro_principle () - -(* -let int_arr_bitwise_eq_range - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement2 x}) n2) - (d2: num_bits t2) - (offset1 offset2: nat) - (bits: nat { - offset1 + bits <= v n1 * d1 - /\ offset2 + bits <= v n2 * d2 - }) - = bit_vec_equal #bits (fun i -> bit_vec_of_int_t_array arr1 d1 (i + offset1)) - = forall (k: nat). k < bits ==> - bit_vec_of_int_t_array arr1 d1 (offset1 + k) - == bit_vec_of_int_t_array arr2 d2 (offset2 + k) - -let int_arr_bitwise_eq_range_comm - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement2 x}) n2) - (d2: num_bits t2) - (offset1 offset2: nat) - (bits: nat { - offset1 + bits <= v n1 * d1 - /\ offset2 + bits <= v n2 * d2 - }) - : Lemma (requires int_arr_bitwise_eq_range arr1 d1 arr2 d2 offset1 offset2 bits) - (ensures int_arr_bitwise_eq_range arr2 d2 arr1 d1 offset2 offset1 bits) - = () - -// kill that function in favor of range -let int_arr_bitwise_eq_up_to - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) 
- (arr2: t_Array (x: int_t t2 {refinement x}) n2) - (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - (max: nat {max <= v n1 * d1}) - - = forall i. i < max - ==> bit_vec_of_int_t_array arr1 d1 i == bit_vec_of_int_t_array arr2 d2 i - -let int_arr_bitwise_eq_ - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement x}) n2) - (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - = int_arr_bitwise_eq_up_to arr1 d1 arr2 d2 (v n1 * d1) - -// move to fsti -let bit_vec_equal #n (bv1 bv2: bit_vec n) - = forall i. i < n ==> bv1 i == bv2 i - -let int_arr_bitwise_eq - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement x}) n2) - (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - = forall i. 
i < v n1 * d1 - ==> bit_vec_of_int_t_array arr1 d1 i == bit_vec_of_int_t_array arr2 d2 i - -let int_arr_bitwise_eq_range_transitivity - #t1 #t2 #t3 #n1 #n2 #n3 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement2 x}) n2) - (d2: num_bits t2) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement3: int_t t3 -> Type0) - (arr3: t_Array (x: int_t t3 {refinement3 x}) n3) - (d3: num_bits t3) - (offset1 offset2 offset3: nat) - (bits: nat { - offset1 + bits <= v n1 * d1 - /\ offset2 + bits <= v n2 * d2 - /\ offset3 + bits <= v n3 * d3 - }) - : Lemma - (requires int_arr_bitwise_eq_range #t1 #t2 #n1 #n2 arr1 d1 arr2 d2 offset1 offset2 bits - /\ int_arr_bitwise_eq_range #t2 #t3 #n2 #n3 arr2 d2 arr3 d3 offset2 offset3 bits) - (ensures int_arr_bitwise_eq_range #t1 #t3 #n1 #n3 arr1 d1 arr3 d3 offset1 offset3 bits) - = () - - -let int_arr_bitwise_eq_range_intro - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement x}) n2) - (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - : Lemma - (requires int_arr_bitwise_eq arr1 d1 arr2 d2) - (ensures int_arr_bitwise_eq_range arr1 d1 arr2 d2 0 0 (v n1 * d1)) - = admit () - -let int_arr_bitwise_eq_range_intro_eq_slice - #t #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t -> Type0) - (arr1: t_Array (x: int_t t {refinement x}) n1) - (arr2: t_Array (x: int_t t {refinement x}) n2) - (d: num_bits t) - (offset1 offset2: nat) - (n: nat {offset1 + n < v n1 /\ offset2 + n < v n2}) - (bits: nat { - offset1 + bits <= v n1 * d - /\ offset2 + bits <= v n2 * d - /\ bits <= n * d - }) - : Lemma (requires 
Seq.slice arr1 offset1 (offset1 + n) == Seq.slice arr2 offset2 (offset2 + n))
- (ensures int_arr_bitwise_eq_range arr1 d arr2 d offset1 offset2 bits)
- = admit ()
-
-let int_arr_bitwise_eq_range_intro_eq
- #t #n1 #n2
- (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t -> Type0)
- (arr1: t_Array (x: int_t t {refinement1 x}) n1)
- (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t -> Type0)
- (arr2: t_Array (x: int_t t {refinement2 x}) n2)
- (d: num_bits t)
- (n_offset1 n_offset2: nat)
- (n: nat {n_offset1 + n <= v n1 /\ n_offset2 + n <= v n2})
- // (offset1 offset2: nat)
- (bits: nat {
- n_offset1 * d + bits <= v n1 * d
- /\ n_offset2 * d + bits <= v n2 * d
- /\ bits <= n * d
- })
- : Lemma (requires forall (i: nat). i < n ==> Seq.index arr1 (i + n_offset1) == Seq.index arr2 (i + n_offset2))
- (ensures int_arr_bitwise_eq_range arr1 d arr2 d (n_offset1 * d) (n_offset2 * d) bits)
- = admit ()
-*)
diff --git a/fstar-helpers/fstar-bitvec/Makefile b/fstar-helpers/fstar-bitvec/Makefile
deleted file mode 100644
index b4ce70a38..000000000
--- a/fstar-helpers/fstar-bitvec/Makefile
+++ /dev/null
@@ -1 +0,0 @@
-include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base
diff --git a/fstar-helpers/fstar-bitvec/MkSeq.fst b/fstar-helpers/fstar-bitvec/MkSeq.fst
deleted file mode 100644
index 89c8e0216..000000000
--- a/fstar-helpers/fstar-bitvec/MkSeq.fst
+++ /dev/null
@@ -1,59 +0,0 @@ -module MkSeq -open Core - -open FStar.Tactics.V2 - -private let init (len: nat) (f: (i:nat{i < len}) -> Tac 'a): Tac (list 'a) - = let rec h (i: nat {i <= len}): Tac (list 'a) - = if i = len then [] else f i :: h (i + 1) - in h 0 - -private let tuple_proj (n: nat) (i: nat): Tac term - = if n = 1 then `(id) else - let name = "__proj__Mktuple" ^ string_of_int n ^ "__item___" ^ string_of_int (i + 1) in - Tv_FVar (pack_fv ["FStar";"Pervasives";"Native";name]) - -private let tuple_type (n: nat): Tac term - = if n = 1 then `(id) else - let name = "tuple" ^ string_of_int n in - Tv_FVar (pack_fv ["FStar";"Pervasives";"Native";name]) - -open Rust_primitives.Integers - -private let create_gen_tac (n: nat): Tac sigelt - = let typ_bd = {fresh_binder_named "t" (`Type0) with qual = FStar.Reflection.V2.Q_Implicit} in - let typ = binder_to_term typ_bd in - let input_typ = mk_e_app (tuple_type n) (init n (fun _ -> typ)) in - let input_bd = fresh_binder_named "tup" input_typ in - let output_type = `t_Array (`#typ) (sz (`@n)) in - let nth i = `((`#(tuple_proj n i)) (`#input_bd)) in - let mk_and: term -> term -> Tac term = fun t u -> `(`#t /\ `#u) in - let post = - let mk_inv s i = `(Seq.index (`#s) (`@i) == (`#(tuple_proj n i)) (`#input_bd)) in - let invs s = Tactics.fold_left mk_and (`(Seq.length (`#s) == (`@n))) (init n (mk_inv s)) in - let bd = fresh_binder_named "s" output_type in - mk_abs [bd] (invs bd) - in - let comp = C_Eff [] ["Prims"; "Pure"] - (`t_Array (`#typ) (sz (`@n))) - [ (`(requires True), Q_Explicit); (post, Q_Explicit)] [] - in - let args = [typ_bd; input_bd] in - let l = Tactics.fold_right (fun hd tl -> `((`#hd)::(`#tl))) (init n nth) (`[]) in - let indexes = - let f i = `((`#(nth i)) == List.Tot.index (`#l) (`@i)) in - Tactics.fold_left mk_and (`True) (init n f) - in - let lb_def = mk_abs args (`( - let l = `#l in - let s = Seq.createL l <: t_Array (`#typ) (sz (`@n)) in - FStar.Classical.forall_intro (Seq.lemma_index_is_nth s); - assert 
(`#indexes) by (Tactics.norm [primops; iota; delta; zeta]);
- s
- )) in
- let lb_typ = mk_arr args (pack_comp comp) in
- let open FStar.List.Tot in
- let lb_fv = pack_fv (cur_module () @ ["create" ^ string_of_int n]) in
- Sg_Let { isrec = false; lbs = [{ lb_fv; lb_us = []; lb_typ; lb_def }] }
-
-%splice[] (init 13 (fun i -> create_gen_tac (i + 1)))
diff --git a/fstar-helpers/fstar-bitvec/RwLemmas.fst b/fstar-helpers/fstar-bitvec/RwLemmas.fst
deleted file mode 100644
index 1fc1e00de..000000000
--- a/fstar-helpers/fstar-bitvec/RwLemmas.fst
+++ /dev/null
@@ -1,71 +0,0 @@ -module RwLemmas - -open Core -module L = FStar.List.Tot -open FStar.Tactics.V2 -open FStar.Tactics.V2.SyntaxHelpers -open FStar.Class.Printable -open FStar.Mul -open FStar.Option - -open Tactics.Utils -open Tactics.Pow2 - -open BitVecEq {} - -let norm_machine_int () = Tactics.MachineInts.(transform norm_machine_int_term) - -#push-options "--z3rlimit 40" -let deserialize_10_int (bytes: t_Array u8 (sz 10)) = - let r0:i16 = - (((cast (bytes.[ sz 1 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16) - in - let r2:i16 = - (((cast (bytes.[ sz 3 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16) - in - let r3:i16 = - ((cast (bytes.[ sz 4 ] <: u8) <: i16) <>! 6l <: i16) - in - let r4:i16 = - (((cast (bytes.[ sz 6 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16) - in - let r6:i16 = - (((cast (bytes.[ sz 8 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16) - in - let r7:i16 = - ((cast (bytes.[ sz 9 ] <: u8) <: i16) <>! 6l <: i16) - in - let result:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - r0, r1, r2, r3, r4, r5, r6, r7 <: (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - in - result -#pop-options - -let deserialize_10_int' (bytes: t_Array u8 (sz 10)): t_Array i16 (sz 8) - = MkSeq.create8 (deserialize_10_int bytes) - -#push-options "--compat_pre_core 0" -#push-options "--z3rlimit 80" -let fff_ (bytes: t_Array u8 (sz 10)) x: unit = - let bv1 = bit_vec_of_int_t_array bytes 8 in - let out = deserialize_10_int' bytes in - let bv2 = bit_vec_of_int_t_array out 10 in - assert (forall (i: nat { i < 80 }). bv1 i == bv2 i) by ( - Tactics.GetBit.prove_bit_vector_equality () - ) -#pop-options - diff --git a/fstar-helpers/fstar-bitvec/Tactics.Folds.fst b/fstar-helpers/fstar-bitvec/Tactics.Folds.fst deleted file mode 100644 index c5ead30b0..000000000 --- a/fstar-helpers/fstar-bitvec/Tactics.Folds.fst +++ /dev/null 
@@ -1,82 +0,0 @@ -module Tactics.Folds - -open Core -module L = FStar.List.Tot -module S = FStar.Seq.Base -open FStar.Tactics.V2 -open FStar.Tactics.V2.SyntaxHelpers -open FStar.Class.Printable -open FStar.Mul -open FStar.Option - -open Rust_primitives.Hax.Folds - -open Tactics.Utils - -// let unfold_fold_range -// (#acc_t: Type0) (#u: Lib.IntTypes.inttype) -// (start_: int_t u) -// (end_: int_t u) -// (inv: acc_t -> (i:int_t u{fold_range_wf_index start_ end_ false (v i)}) -> Type0) -// (init: acc_t {inv init start_}) -// (f: (acc:acc_t -> i:int_t u {v i <= v end_ /\ fold_range_wf_index start_ end_ true (v i) /\ inv acc i} -// -> acc':acc_t {(inv acc' (mk_int (v i + 1)))})) -// = if v start_ < v end_ -// then fold_range (start_ +! mk_int 1) end_ inv (f init start_) f -// else init - - -// #push-options "--z3rlimit 100" -// let unfold_fold_range -// (#acc_t: Type0) (#u: Lib.IntTypes.inttype) -// (start_: int_t u) -// (end_: int_t u) -// (inv: acc_t -> (i:int_t u{fold_range_wf_index start_ end_ false (v i)}) -> Type0) -// (init: acc_t {inv init start_}) -// (f: (acc:acc_t -> i:int_t u {v i <= v end_ /\ fold_range_wf_index start_ end_ true (v i) /\ inv acc i} -// -> acc':acc_t {(inv acc' (mk_int (v i + 1)))})) -// : Lemma ( fold_range start_ end_ inv init f -// == ( if v start_ < v end_ -// then -// fold_range (start_ +! mk_int 1) end_ inv (f init start_) f -// else init ) -// ) -// = admit () -// #pop-options - -// let expect_fold_range t -// = let?# (fr, [acc_t,_;u,_;start_,_;end_,_;inv,_;init,_;f,_]) = expect_app_n t 7 in -// let _ = expect_free_var fr (`%fold_range) in -// Some (acc_t, u, start_, end_, inv, init, f) - -// let make_fold_range_lemma (start_: nat) (end_: nat): Tac _ = -// let _ = tcut (quote (squash (forall acc_t u inv init f. 
-// fold_range #acc_t #u start_ end_ inv init f
-// == fold_range #acc_t #u start_ end_ inv init f
-// ))) in
-// flip ();
-// let acc_t = forall_intro () in
-// let u = forall_intro () in
-// let inv = forall_intro () in
-// let init = forall_intro () in
-// let f = forall_intro () in
-// fail "xx";
-// let _ = rewrite_rhs () in
-// flip ();
-// focus (fun _ ->
-// fail "xx";
-// apply_lemma_rw (`unfold_fold_range)
-// );
-// ()
-// // rewrite_lhs
-// // let aux start_ =
-
-// jlet _ =
-// assert true by (make_fold_range_lemma 1 10)
-
-// in
-
-
-// let tactic_fold_range t
-// = let?# expect_fold_range _ =
-
diff --git a/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst b/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst
deleted file mode 100644
index abec9b4fe..000000000
--- a/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst
+++ /dev/null
@@ -1,66 +0,0 @@
-/// Provides tactics around `get_bit _ _ == get_bit _ _` goals
-module Tactics.GetBit
-
-open Core
-module L = FStar.List.Tot
-open FStar.Tactics.V2
-open FStar.Tactics.V2.SyntaxHelpers
-open FStar.Class.Printable
-open FStar.Mul
-open FStar.Option
-
-open Tactics.Utils
-open Tactics.Pow2
-
-open BitVecEq
-open Tactics.Seq
-
-
-let norm_machine_int () = Tactics.MachineInts.(transform norm_machine_int_term)
-
-/// Does one round of computation
-let compute_one_round (): Tac _ =
- norm [ iota; zeta; reify_
- ; delta_namespace [
- "FStar"
- ; "BitVecEq"
- ; implode_qn (cur_module ())
- ; "MkSeq"
- ; `%Rust_primitives.Hax.array_of_list
- ; `%Libcrux_ml_kem.Vector.Portable.Vector_type.__proj__Mkt_PortableVector__item__f_elements
- ]
- ; primops; unmeta];
- trace "compute_one_round: norm_pow2" norm_pow2;
- trace "compute_one_round: norm_machine_int" norm_machine_int;
- trace "compute_one_round: norm_index" norm_index
-
-/// Normalizes up to `get_bit`
-let compute': unit -> Tac unit = goal_fixpoint compute_one_round
-
-/// Proves a goal of the shape `forall (i:nat{i < N}). get_bit ... i == get_bit ... i` (`N` is expected to be a literal)
-let prove_bit_vector_equality'' (): Tac unit =
- norm [
- iota;
- primops;
- delta_only [`%bit_vec_of_int_t_array; `%FunctionalExtensionality.on];
- delta_namespace [
- implode_qn (cur_module ());
- "Libcrux_intrinsics.Avx2_extract";
- "BitVec.Intrinsics";
- "BitVecEq";
- ];
- ];
- compute_one_round ();
- prove_forall_nat_pointwise (print_time "SMT solved the goal in " (fun _ ->
- Tactics.Seq.norm_index_minimal ();
- l_to_r [`bit_vec_to_int_t_lemma];
- print ("Ask SMT: " ^ term_to_string (cur_goal ()));
- focus smt_sync
- ))
-let prove_bit_vector_equality' (): Tac unit =
- if lax_on ()
- then iterAll tadmit
- else prove_bit_vector_equality'' ()
-let prove_bit_vector_equality (): Tac unit =
- set_rlimit 100;
- with_compat_pre_core 0 prove_bit_vector_equality'
diff --git a/fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst b/fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst
deleted file mode 100644
index 85bb0bb78..000000000
--- a/fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst
+++ /dev/null
@@ -1,273 +0,0 @@ -/// This module interprets machine integers terms that comes from -/// `FStar.[U]Int*` modules or from `Rust_primtiives.Integers` module. -/// It can then convert from and back those two representation, -/// normalize them, etc. -module Tactics.MachineInts - -open FStar.Tactics.V2 -open FStar.Tactics.V2.SyntaxHelpers -open FStar.Class.Printable -open FStar.Option - -open Tactics.Utils -module RI = Rust_primitives.Integers - -/// The size of a machine int -type size = - | PtrSize - | Size of n:nat {match n with | 8 | 16 | 32 | 64 | 128 -> true | _ -> false} -/// The signedness of a machine int -type signedness = | Signed | Unsigned - -/// The operations we recognize on machine ints -type machine_int_op = | MkInt | V - -/// The AST of a machine int expression -noeq type machine_int_term = - /// Operations `mk_int` (aka `FStar.[U]Int*.[u]int_to_t`) and `v` - | Op { /// Which operation is it? - op: machine_int_op - /// Is that a generic (Rust_primitives.Integers) operation or a native one (FStar.[U]Int*)? - ; native: bool - ; size: size - ; signedness: signedness - ; contents: machine_int_term } - /// A (math) integer literal - | Lit of int - /// An arbitrary term - | Term of term - -/// Expect `n` to be a definition in a machine int namespace -let expect_native_machine_int_ns (n: string): (option (signedness & size & string)) - = match explode_qn n with - | "FStar"::int_module::[def_name] -> - let? 
(sign, size) = match int_module with - | "Int8" -> Some (Signed, Size 8) - | "Int16" -> Some (Signed, Size 16) - | "Int32" -> Some (Signed, Size 32) - | "Int64" -> Some (Signed, Size 64) - | "Int128" -> Some (Signed, Size 128) - | "UInt8" -> Some (Unsigned, Size 8) - | "UInt16" -> Some (Unsigned, Size 16) - | "UInt32" -> Some (Unsigned, Size 32) - | "UInt64" -> Some (Unsigned, Size 64) - | "UInt18" -> Some (Unsigned, Size 128) - | _ -> None - in Some (sign, size, def_name) - | _ -> None - -/// Given a sign and a size, produces the correct namespace `FStar.[U]Int*` -let mk_native_machine_int_ns (sign: signedness) (size: size): option (list string) - = let sign = match sign with | Signed -> "" | Unsigned -> "U" in - let? size = match size with | PtrSize -> None | Size n -> Some (string_of_int n) in - Some ["FStar"; sign ^ "Int" ^ size] - -/// Interpret HACL*'s `inttype`s -let expect_inttype t: Tac (option (signedness & size)) - = let t = norm_term [iota; reify_; delta_namespace ["Rust_primitives.Integers"; "Lib.IntTypes"]; primops; unmeta] t in - let?# t = expect_fvar t in - match t with - | `%RI.i8_inttype | `%Lib.IntTypes.S8 -> Some ( Signed, Size 8) - | `%RI.i16_inttype | `%Lib.IntTypes.S16 -> Some ( Signed, Size 16) - | `%RI.i32_inttype | `%Lib.IntTypes.S32 -> Some ( Signed, Size 32) - | `%RI.i64_inttype | `%Lib.IntTypes.S64 -> Some ( Signed, Size 64) - | `%RI.i128_inttype | `%Lib.IntTypes.S128 -> Some ( Signed, Size 128) - | `%RI.u8_inttype | `%Lib.IntTypes.U8 -> Some (Unsigned, Size 8) - | `%RI.u16_inttype | `%Lib.IntTypes.U16 -> Some (Unsigned, Size 16) - | `%RI.u32_inttype | `%Lib.IntTypes.U32 -> Some (Unsigned, Size 32) - | `%RI.u64_inttype | `%Lib.IntTypes.U64 -> Some (Unsigned, Size 64) - | `%RI.u128_inttype | `%Lib.IntTypes.U128 -> Some (Unsigned, Size 128) - | `%RI.isize_inttype -> Some (Signed, PtrSize) - | `%RI.usize_inttype -> Some (Unsigned, PtrSize) - | _ -> None - -/// Given a signedness and a size, creates a name `[ui]*_inttype` -let 
mk_inttype_name (sign: signedness) (size: size): name = - let sign = match sign with | Signed -> "i" | Unsigned -> "u" in - let size = match size with | PtrSize -> "size" | Size n -> string_of_int n in - ["Rust_primitives"; "Integers"; sign ^ size ^ "_inttype"] - -/// Given a signedness and a size, creates a term `[ui]*_inttype` -let mk_inttype (sign: signedness) (size: size): Tac term = - pack (Tv_FVar (pack_fv (mk_inttype_name sign size))) - -/// Interprets a term as a machine int. This function always returns -/// something: when `t` is not a machine int expression we recognize, -/// it returns `Term t`. Below, `term_to_machine_int_term` returns an -/// option. -let rec term_to_machine_int_term' (t: term): Tac machine_int_term = - match term_to_machine_int_term'' t with | Some t -> t | None -> Term t -and term_to_machine_int_term'' (t: term): Tac (option machine_int_term) = - let t = norm_term [delta_only [(`%RI.sz); (`%RI.isz)]] t in - match t with - | Tv_Const (C_Int n) -> Some (Lit n) - | _ -> - let?# (hd, args) = collect_app_hd t in - match expect_native_machine_int_ns hd, args with - | (Some (signedness, size, def_name), [arg, _]) -> begin - let native = true in - let contents = term_to_machine_int_term' arg in - let?# op = match def_name with - | "__uint_to_t" | "__int_to_t" | "uint_to_t" | "int_to_t" -> Some MkInt - | "v" -> Some V | _ -> None in - Some (Op {op; native; size; signedness; contents}) - end - | (None, [inttype, _; contents, _]) -> begin - let?# (signedness, size) = expect_inttype inttype in - let contents = term_to_machine_int_term' contents in - let?# op = match hd with | `%RI.mk_int -> Some MkInt - | `%RI.v -> Some V - | _ -> None in - Some (Op {op; native = false; size; signedness; contents}) - end - | _ -> None - -/// Tries to interpret a term as a machine int -let term_to_machine_int_term (t: term): Tac (option (t: machine_int_term {~(Term? 
t)})) - = match term_to_machine_int_term' t with - | Term _ -> None | t -> Some t - -/// Transform a machine int AST into a term. Note that this doesn't -/// support native usize/isize (aka `FStar.SizeT`), whence the option. -let rec machine_int_term_to_term (t: machine_int_term): Tac (option term) = - match t with - | Term t -> Some t - | Op {native = false; op; size; signedness; contents} -> - let inttype = mk_inttype signedness size in - let?# contents = machine_int_term_to_term contents in - let op = match op with | V -> `RI.v - | MkInt -> `RI.mk_int in - Some (`((`#op) #(`#inttype) (`#contents))) - | Op {native = true; op; size; signedness; contents} -> - let?# ns = mk_native_machine_int_ns signedness size in - let f = FStar.List.Tot.append ns [ - match op with - | MkInt -> (match signedness with | Signed -> "" | Unsigned -> "u") ^ "int_to_t" - | V -> "v" - ] in - let f = pack (Tv_FVar (pack_fv f)) in - let?# contents = machine_int_term_to_term contents in - Some (mk_e_app f [contents]) - | Lit n -> Some (pack (Tv_Const (C_Int n))) - -/// An operation on a machine_int_term -type operation = machine_int_term -> option machine_int_term - -/// Removes `mk_int (v ...)` or `v (mk_int ...)` when it's the same type -let rec flatten_machine_int_term: operation = function - | Op x -> begin match x.contents with - | Op y -> if x.op <> y.op && x.size = y.size && x.signedness = y.signedness - then Some (match flatten_machine_int_term y.contents with - | Some result -> result - | None -> y.contents) - else let? 
y = flatten_machine_int_term (Op y) in - Some (Op {x with contents = y}) - | _ -> None - end - | _ -> None - -/// Makes a machine int native or not -let rec change_native_machine_int_term (native: bool): operation = function - | Op x -> let contents = change_native_machine_int_term native x.contents in - if x.native = native - then None - else Some (Op { x with native - ; contents = match contents with - | Some contents -> contents - | None -> x.contents}) - | _ -> None - -/// Combines two operation together -let combine: operation -> operation -> operation = - fun f g t -> match f t with - | Some t -> (match g t with | Some t -> Some t | None -> Some t) - | None -> g t - -/// We call `x` a normal machine integer if `x` has no `mk_int (v -/// ...)` or `v (mk_int ...)` sequence and if all `mk_int` and `v` are -/// native (aka `FStar.[U]Int*.*`, not -/// `Rust_primitives.Integer.*`). Note `usize` is an exception, -/// `mk_int` and `v` alone one usizes (and isizes) cannot be reduced -/// further. -let norm_machine_int_term = combine flatten_machine_int_term (change_native_machine_int_term true) - -/// We call `x` a normal generic machine integer if `x` has no -/// `FStar.[U]Int*.[u]int_to_t/v`, and no `mk_int (v ...)` or `v -/// (mk_int ...)`. 
-let norm_generic_machine_int_term = combine flatten_machine_int_term (change_native_machine_int_term false)
-
-/// Unfolds `mk_int` using `mk_int_equiv_lemma`
-let norm_mk_int () =
- let?# (lhs, _) = expect_lhs_eq_uvar () in
- let lhs' = term_to_machine_int_term lhs in
- match?# lhs' with
- | Op {op = MkInt; native = false; size; signedness; contents} ->
- let inttype = mk_inttype signedness size in
- let lemma = `(RI.mk_int_equiv_lemma #(`#inttype)) in
- let lemma = norm_term [primops; iota; delta; zeta] lemma in
- focus (fun _ ->
- apply_lemma_rw lemma
- );
- Some ()
- | _ -> None
-
-/// Lemmas to deal with the special case of usize
-let rw_v_mk_int_usize x
- : Lemma (eq2 (RI.v #RI.usize_inttype (RI.mk_int #RI.usize_inttype x)) x) = ()
-let rw_mk_int_v_usize x
- : Lemma (eq2 (RI.mk_int #RI.usize_inttype (RI.v #RI.usize_inttype x)) x) = ()
-
-/// Rewrites `goal_lhs` into `machine_int`. This function expects the
-/// goal to be of the shape ` == (?...)`, where ``
-/// is a machine int. Do not call this function directly.
-let _rewrite_to (goal_lhs: term) (eq_type: typ) (machine_int: machine_int_term): Tac (option unit)
- = let?# t_term = machine_int_term_to_term machine_int in
- Some (focus (fun _ ->
- let rw = tcut (`squash (eq2 #(`#eq_type) (`#goal_lhs) (`#t_term))) in
- // This tcut will generate simple verification conditions, we
- // discharge them right away
- // iterAllSMT (fun () -> smt_sync `or_else` (fun _ -> dump "norm_mk_int: Could not solve SMT here"));
- flip ();
- pointwise' (fun () -> match norm_mk_int () with
- | Some _ -> ()
- | None -> // special case for usize
- (fun () -> (fun () -> apply_lemma_rw (`rw_v_mk_int_usize))
- `or_else` (fun () -> apply_lemma_rw (`rw_mk_int_v_usize)))
- `or_else` trefl
- );
- compute ();
- trefl ();
- apply_lemma_rw rw
- ))
-
-/// Rewrites a goal deeply, replacing every machine integer expression
-/// `x` by `f x` (when it is `Some _`).
-let transform (f: machine_int_term -> option machine_int_term): Tac unit
- = pointwise' (fun _ ->
- match revert_if_none (fun _ ->
- let?# (lhs, eq_type) = expect_lhs_eq_uvar () in
- let?# machine_int = term_to_machine_int_term lhs in
- let?# machine_int' = f machine_int in
- let?# _ = _rewrite_to lhs eq_type machine_int' in
- Some ()
- )
- with
- | None -> trefl ()
- | _ -> ()
- )
-
-open Rust_primitives.Integers
-let _ = fun x -> assert (v (mk_int #usize_inttype x) == x)
- by (transform norm_machine_int_term; trefl ())
-let _ = assert (mk_int #u8_inttype 3 == 3uy)
- by (transform norm_machine_int_term; trefl ())
-let _ = fun x -> assert (mk_int #u8_inttype x == FStar.UInt8.uint_to_t x)
- by (transform norm_machine_int_term)
-let _ = assert (v (mk_int #usize_inttype 3) == 3)
- by (transform norm_machine_int_term; trefl ())
-let _ = fun x -> assert (v (mk_int #usize_inttype x) == x)
- by (transform norm_machine_int_term; trefl ())
-let _ = assert (mk_int #u8_inttype 3 == 3uy)
- by (transform norm_generic_machine_int_term; trefl ())
-let _ = fun x -> assert (mk_int #u8_inttype x == FStar.UInt8.uint_to_t x)
- by (transform norm_generic_machine_int_term; trefl ())
diff --git a/fstar-helpers/fstar-bitvec/Tactics.Pow2.fst b/fstar-helpers/fstar-bitvec/Tactics.Pow2.fst
deleted file mode 100644
index 9f6ee1f0f..000000000
--- a/fstar-helpers/fstar-bitvec/Tactics.Pow2.fst
+++ /dev/null
@@ -1,58 +0,0 @@
-/// Provides tools to normalize `pow2`
-module Tactics.Pow2
-
-open Core
-open Tactics.Utils
-open FStar.Tactics.V2
-
-/// Expects `t` to be of the shape `pow2 n`, with `n` a literal, returns n
-let expect_pow2_literal t: Tac (option int)
- = let?# (f, [x, _]) = expect_app_n t 1 in
- let?# () = expect_free_var f (`%pow2) in
- expect_int_literal x
-
-/// Expects `t` to be of the shape `pow2 n - 1`, with `n` a literal, returns n
-let expect_pow2_minus_one_literal t: Tac (option int)
- = let?# (f, [x, _; y, _]) = expect_app_n t 2 in
- let?# () = expect_free_var f (`%op_Subtraction) in
- let?# y = expect_int_literal y in
- let?? () = y = 1 in
- expect_pow2_literal x
-
-/// Fully normalize a term of the shape `pow2 n`, where `n` is a literal
-let norm_pow2 (): Tac unit =
- pointwise (fun () ->
- let _ = let?# (t, _) = expect_lhs_eq_uvar () in
- let?# n = expect_pow2_literal t in
- debug ("Normalized `pow2 " ^ string_of_int n ^ "`");
- Some (norm [iota; zeta_full; reify_; delta; primops; unmeta]) in
- trefl ())
-
-/// Inverse of `pow2`
-let rec log2 (n: nat): Tot (option (m: nat {pow2 m == n})) (decreases n)
- = if n = 0 then None
- else if n = 1 then Some 0
- else if n % 2 <> 0 then None
- else match log2 (n / 2) with
- | Some n -> Some (1 + n)
- | None -> None
-
-/// Rewrite integers in the goal into `pow2 _ - 1` whenever possible
-let rewrite_pow2_minus_one () =
- pointwise (fun () ->
- match let?# (t, _) = expect_lhs_eq_uvar () in
- let?# n = expect_int_literal t in
- if n >= 0 then
- match log2 (n + 1) with
- | Some e ->
- let rw_lemma (): Lemma (n == pow2 e - 1) = () in
- apply_lemma_rw (quote rw_lemma);
- Some ()
- | _ -> None
- else None
- with None -> trefl () | _ -> ()
- )
-
-// Test
-let _ = fun (i: nat) -> assert (pow2 (i + 3) + pow2 10 == pow2 (i + 3) + 1024)
- by (norm_pow2 (); trefl ())
diff --git a/fstar-helpers/fstar-bitvec/Tactics.Seq.fst b/fstar-helpers/fstar-bitvec/Tactics.Seq.fst
deleted file mode 100644
index 0a7015968..000000000
--- a/fstar-helpers/fstar-bitvec/Tactics.Seq.fst
+++ /dev/null
@@ -1,123 +0,0 @@
-module Tactics.Seq
-
-open Core
-module L = FStar.List.Tot
-module S = FStar.Seq
-open FStar.Tactics.V2
-open FStar.Tactics.V2.SyntaxHelpers
-open FStar.Class.Printable
-open FStar.Mul
-open FStar.Option
-
-open Tactics.Utils
-open Tactics.Pow2
-
-(*** Rewrite lemmas *)
-private let rw_seq_index_list #t (l: list t) i
- : Lemma (S.index (S.seq_of_list l) i == FStar.List.Tot.index l i)
- = ()
-private let rw_index_slice #typ (s: S.seq typ) i j n: Lemma (S.index (S.slice s i j) n == S.index s (normalize_term (i + n)))
- = ()
-private let rw_index_upd s n v i
- : Lemma (S.index (S.upd s n v) i == (if n = i then v else S.index s i))
- = ()
-
-/// A version of `L.index` to mark specific instances we want to normalize.
-let rec index_to_normalize #a (l: list a) (i:nat{i < L.length l}): Tot a
- = let hd::tl = l in
- if i = 0 then hd else index_to_normalize tl (i - 1)
-
-private let rec rw_index_to_index_to_normalize #a (l: list a) (i:nat{i < L.length l})
- : Lemma (L.index #a l i == index_to_normalize #a l i)
- = if i = 0 then () else rw_index_to_index_to_normalize (L.tl l) (i - 1)
-
-
-(*** Tactics that apply those lemmas only if needed *)
-let tactic_list_index ()
- = let?# (t, _) = expect_lhs_eq_uvar () in
- let?# (f, [typ, _; l, _; index, _]) = expect_app_n t 3 in
- let?# () = expect_free_var f (`%FStar.List.Tot.index) in
- let?# n = expect_int_literal index in
- apply_lemma_rw (`rw_index_to_index_to_normalize);
- Some ()
-
-/// Expects `t` to be of the shape `seq_of_list #_ _`
-let expect_seq_of_list (t: term): Tac (option (term & term))
- = let?# (f, [t,_; index,_]) = expect_app_n t 2 in
- let?# _ = expect_free_var f (`%S.seq_of_list) in
- Some (t, index)
-
-/// Expects `t` to be of the shape `index #_ _`
-let expect_seq_index (t: term): Tac (option (term & term & term))
- = let?# (f, [typ, _; l, _; index, _]) = expect_app_n t 3 in
- let?# () = expect_free_var f (`%S.index) in
- Some (typ, l, index)
-
-/// Expects `t` to be of the shape `slice #_
_`
-let expect_seq_slice (t: term): Tac (option (term & term & term & term))
- = let?# (f, [typ, _; s, _; i, _; j, _]) = expect_app_n t 4 in
- let?# () = expect_free_var f (`%S.slice) in
- Some (typ, s, i, j)
-
-/// Expects `t` to be of the shape `upd #_ _`
-let expect_seq_upd (t: term): Tac (option (term & term & term & term))
- = let?# (f, [typ, _; s, _; i, _; v, _]) = expect_app_n t 4 in
- let?# () = expect_free_var f (`%S.upd) in
- Some (typ, s, i, v)
-
-let tactic_seq_index_of_list ()
- = let?# (t, _) = expect_lhs_eq_uvar () in
- let?# (_, l, _) = expect_seq_index t in
- let?# _ = expect_seq_of_list l in
- apply_lemma_rw (`rw_seq_index_list);
- Some ()
-
-let tactic_rw_index_slice ()
- = let?# (t, _) = expect_lhs_eq_uvar () in
- let?# (typ, s, index) = expect_seq_index t in
- let?# (_, s, i, j) = expect_seq_slice s in
- apply_lemma_rw (`rw_index_slice #(`#typ) (`#s) (`#i) (`#j));
- Some ()
-
-let tactic_rw_index_upd ()
- = let?# (t, _) = expect_lhs_eq_uvar () in
- let?# (typ, s, index) = expect_seq_index t in
- let?# (_, s, i, v) = expect_seq_upd s in
- apply_lemma_rw (`rw_index_upd #(`#typ) (`#s) (`#i) (`#v));
- Some ()
-
-(*** Final tactics *)
-let norm_zeta_full_list_index (): Tac unit
- = norm [iota; primops; zeta_full; delta_only [`%index_to_normalize]]
-
-
-let norm_index_minimal (): Tac unit
- = pointwise ((unwrap ∘ tactic_list_index) ||> trefl);
- norm_zeta_full_list_index ()
-
-let norm_index' (): Tac unit
- = pointwise ( (unwrap ∘ tactic_seq_index_of_list)
- ||> (unwrap ∘ tactic_list_index)
- ||> (unwrap ∘ tactic_rw_index_slice)
- ||> (unwrap ∘ tactic_rw_index_upd)
- ||> trefl)
-
-let norm_index (): Tac unit
- = goal_fixpoint norm_index' ();
- norm_zeta_full_list_index ()
-
-
-(*** Tests *)
-let _ = assert (
- let s = S.seq_of_list [1;2;3;4;5;6] in
- let s = S.slice s 2 4 in
- S.index s 1 == 4
-) by (norm []; norm_index (); trefl ())
-
-let _ = assert (
- L.index [L.index [1;2;3;4;5;6] (L.index [1;2;3;4;3;3] 2)] 0 == 4
-) by (norm_index(); trefl ())
-let _ = assert (
- S.index (S.seq_of_list [1;2;3;(S.index (S.seq_of_list [1;2;3;(S.index (S.seq_of_list [1;2;3;4;1]) 3);1]) 3);1]) 3 == 4
-) by (norm_index(); trefl ())
-
diff --git a/fstar-helpers/fstar-bitvec/Tactics.Utils.fst b/fstar-helpers/fstar-bitvec/Tactics.Utils.fst
deleted file mode 100644
index 18030a682..000000000
--- a/fstar-helpers/fstar-bitvec/Tactics.Utils.fst
+++ /dev/null
@@ -1,328 +0,0 @@
-module Tactics.Utils
-
-open Core
-open FStar.Option
-module L = FStar.List.Tot
-open FStar.Tactics.V2
-open FStar.Tactics.V2.SyntaxHelpers
-open FStar.Class.Printable
-open FStar.Mul
-
-(*** Let operators *)
-let (let?#) (x: option 'a) (f: 'a -> Tac (option 'b)): Tac (option 'b)
- = match x with
- | Some x -> f x
- | None -> None
-
-let ( let?? ) (x: bool) (f: unit -> Tac (option 'a)): Tac (option 'a)
- = if x then f () else None
-
-(*** Debug helpers *)
-/// Dump before failing (in some cases, exception cathing messes with
-/// `fail`)
-let fail' msg = dump msg; fail msg
-
-exception Restore
-/// Dumps a goal with a minimal number of binders in the environment
-let dump' (msg: string): Tac unit
- = try set_smt_goals [];
- iterAll (fun _ -> let _ = repeat clear_top in ());
- dump msg;
- raise Restore
- with | _ -> ()
-
-(*** `option _` helpers *)
-/// Executes `f`, if it fails, execute `g`. Like `or_else`, but returns
-/// a chunk.
-let ( ||> ) (f: 'a -> Tac 'b) (g: 'a -> Tac 'b) (a: 'a): Tac 'b
- = try f a with | _ -> g a
-
-exception ExpectedSome
-/// Unwraps an option, throws `ExpectedSome` if the option is `None`
-let unwrap (x: option 'a): Tac 'a
- = match x with
- | Some x -> x
- | None -> raise ExpectedSome
-
-/// Expects an option to be `None`, otherwise throws an error
-let expect (msg: string) (x: option 'a): Tac 'a
- = match x with
- | None -> dump' ("Expected " ^ msg);
- fail ("Expected " ^ msg)
- | Some x -> x
-
-(*** misc.
utils *)
-/// Reverse function composition (in Tac)
-unfold let (>>>) (f: 'a -> Tac 'b) (g: 'b -> Tac 'c) (x: 'a): Tac 'c
- = g (f x)
-/// Function composition (in Tac)
-unfold let (∘) (f: 'b -> Tac 'c) (g: 'a -> Tac 'b): 'a -> Tac 'c
- = g >>> f
-
-
-let trace (fun_name: string) (t: unit -> Tac 'b) =
- print (fun_name ^ ": enter");
- let result =
- try t ()
- with | e -> (print (fun_name ^ ": exit (with an exception!)"); raise e)
- in
- print (fun_name ^ ": exit");
- result
-
-(*** control utils *)
-/// Repeats a tactic `f` until the goal is stable
-let goal_fixpoint (f: unit -> Tac unit): unit -> Tac unit
- = let rec aux (): Tac _ =
- let goal0 = cur_goal () in
- f ();
- let goal1 = cur_goal () in
- if not (term_eq goal0 goal1) then aux ()
- in aux
-
-private exception DoRefl
-let some_or_refl (f: unit -> Tac (option unit))
- = or_else (fun _ -> match f () with | None -> raise DoRefl | _ -> ()) trefl
-
-/// Runs `f` on each subterms for rewrite. If `f` is `None` or raises
-/// an error, applies `trefl`.
-let pointwise_or_refl (f: unit -> Tac (option unit))
- = pointwise (fun _ -> some_or_refl f)
-
-let rec repeatWhile (f: unit -> Tac bool): Tac unit
- = if f () then repeatWhile f
-
-(*** `expect_*` combinators *)
-let expect_int_literal (t: term): Tac (option int) =
- match inspect_unascribe t with
- | Tv_Const (C_Int n) -> Some n
- | _ -> None
-
-let expect_fvar (t: term): Tac (option string) =
- match t with
- | Tv_UInst fv _
- | Tv_FVar fv -> Some (implode_qn (inspect_fv fv))
- | _ -> None
-
-let expect_free_var (t: term) (fv: string): Tac (option unit) =
- let?# fv' = expect_fvar t in
- if fv = fv' then Some () else None
-
-let expect_lhs_eq_rhs_term t =
- match term_as_formula t with
- | Comp (Eq typ) lhs rhs ->
- let typ = match typ with | None -> `_ | Some typ -> typ in
- Some (lhs, rhs, typ)
- | _ -> None
-
-let expect_lhs_eq_rhs () =
- expect_lhs_eq_rhs_term (cur_goal ())
-
-let expect_lhs_eq_uvar () =
- match expect_lhs_eq_rhs () with
- | Some (lhs, rhs, typ) ->
- ( match rhs with | Tv_Uvar _ _ -> Some (lhs, typ) | _ -> None )
- | _ -> None
-
-let expect_app_n t n: Tac (option (term & (l: list _ {L.length l == n}))) =
- let (head, args) = collect_app t in
- if L.length args = n
- then Some (head, args)
- else None
-
-let expect_forall t: Tac _ =
- match term_as_formula t with
- | Forall bv typ phi -> Some (bv, typ, phi)
- | _ -> None
-
-(*** Rewrite utils *)
-private exception ForceRevert
-let revert_if_none (f: unit -> Tac (option 'a)): Tac (option 'a)
- = try match f () with Some x -> Some x
- | None -> raise ForceRevert
- with | ForceRevert -> None | e -> raise e
-
-/// Collects an application whose head is a free variable
-let collect_app_hd t: Tac (option (string & list argv))
- = let (hd, args) = collect_app t in
- let?# fv = expect_fvar hd in
- Some (fv, args)
-
-let statement_of_lemma (lemma: term) =
- let _, comp = collect_arr (tc (cur_env ()) lemma) in
- match inspect_comp comp with
- | C_Total x
- | C_Lemma _ x _ -> (
- match x with
- | Tv_Abs
_ x -> `(squash (`#x))
- | _ -> `(squash (`#x))
- )
- | _ -> fail "statement_of_lemma: supports only Tot and Lemma"
-
-let weaken_eq2_lemma (u: Type) (t: Type {subtype_of t u}) (p q: t) ()
- : Lemma (requires ( == ) #u p q)
- (ensures ( == ) #t p q)
- = ()
-
-/// `apply_lemma_rw` doesn't work if the goal is `(==) #t ... (?u ...)` while the lemma is `(==) #u .. (?u ....)`. `apply_lemma_rw_eqtype` fixes some of those case, and warns about it.
-let apply_lemma_rw_eqtype (lemma: term): Tac unit
- = try
- apply_lemma_rw lemma
- with
- | e -> match
- let stmt = statement_of_lemma lemma in
- let?# (lemma_lhs, lemma_rhs, type_lemma') = expect_lhs_eq_rhs_term stmt in
- let?# (goal_lhs, goal_rhs, type_goal') = expect_lhs_eq_rhs () in
- let type_lemma = norm_term [delta; iota; primops] type_lemma' in
- let type_goal = norm_term [delta; iota; primops] type_goal' in
- if term_eq type_lemma type_goal
- then None
- else
- ( print "######## Warning: apply_lemma_rw, rewrite equalities with different type";
- print ("######## Your lemma has eq over type " ^ term_to_string type_lemma);
- print ("######## Your goal has eq over type " ^ term_to_string type_goal);
- print ("######## Trying to weaken the type of the goal.");
- apply_lemma (
- `weaken_eq2_lemma
- (`#type_lemma') (`#type_goal')
- (`#goal_lhs) (`#goal_rhs)
- );
- apply_lemma_rw lemma;
- Some ()
- )
- with | None -> raise e
- | Some () -> ()
-
-/// Rewrites LHS of an equality: on goal `squash (x == y)`, it will add `squash (x == (?u ...))`.
-let rewrite_lhs (): Tac _ =
- let (lhs, _, _) = expect_lhs_eq_rhs () |> expect "a goal ` == ` (rewrite_lhs)" in
- let uvar = fresh_uvar (Some (tc (cur_env ()) lhs)) in
- tcut (`squash (`#lhs == `#uvar))
-
-/// Rewrites RHS of an equality: on goal `squash (x == y)`, it will add `squash (y == (?u ...))`.
-let rewrite_rhs (): Tac _ =
- let (_, rhs, _) = expect_lhs_eq_rhs () |> expect "a goal ` == ` (rewrite_rhs)" in
- let uvar = fresh_uvar (Some (tc (cur_env ()) rhs)) in
- tcut (`squash (`#rhs == `#uvar))
-
-open FStar.Tactics
-(*** Unification *)
-(** Unifies `t` with `fn x1 ... xN`, where `x1` and `xN` are
-unification variables. This returns a list of terms to substitute `x1`
-... `xN` with. You probably want `norm_steps` to be `[delta_only
-[`%the_name_of_function_fn]]` *)
-exception UnifyAppReturn of (option (list term))
-let unify_app (t fn: term) norm_steps: Tac (option (list term))
- = let (* Tactic types are confusing, seems like we need V1 here *)
- open FStar.Tactics.V1 in
- let bds = fst (collect_arr_bs (tc (cur_env ()) fn)) in
- try
- let _fake_goal =
- (* create a goal `b1 -> ... -> bn -> squash True` *)
- let trivial = `squash True in
- let trivial_comp = pack_comp (C_Total trivial) in
- unshelve (fresh_uvar (Some (match bds with | [] -> trivial | _ -> mk_arr bds trivial_comp)))
- in
- (* get back the binders `b1`, ..., `bn` *)
- let bds = intros () in
- let args = FStar.Tactics.Util.map (fun (b: binder) -> b <: term) bds in
- let norm_term = norm_term (hnf::norm_steps) in
- let fn, t = norm_term (mk_e_app fn args), norm_term t in
- let fn = `(((`#fn), ())) in
- let dummy_var = fresh_namedv_named "dummy_var" in
- let t = `(((`#t), (`#dummy_var))) in
- let vars = map (fun b ->
- let b = inspect_binder b in
- let {bv_index = uniq; bv_ppname = ppname} = inspect_bv b.binder_bv in
- let sort = b.binder_sort in
- let nv: namedv_view = {uniq; ppname; sort = seal sort} in
- (FStar.Reflection.V2.pack_namedv nv, sort)
- ) bds in
- let vars =
- List.Tot.append
- vars
- [(FStar.Reflection.V2.pack_namedv dummy_var, `())]
- in
- let?# substs = fst (try_unify (cur_env ()) vars fn t) in
- raise (UnifyAppReturn (
- if List.Tot.length substs <> List.Tot.length bds + 1
- then (print ("unify_app: WARNING: inconsistent lengths: " ^ string_of_int (List.Tot.length substs) ^
" - 1 VS " ^ string_of_int (List.Tot.length bds + 1)); None)
- else (
- match substs with
- | [] -> None
- | _::substs -> Some (List.Tot.rev (map (fun (_, t) -> t) substs))
- )))
- with | UnifyAppReturn result -> result
- | e -> raise e
-
-(*** Logging and time *)
-let time_tactic_ms (t: 'a -> Tac 'b) (x: 'a): Tac ('b & int)
- = let time0 = curms () in
- let result = t x in
- let time1 = curms () in
- (result, time1 - time0)
-
-let print_time prefix (t: 'a -> Tac 'b) (x: 'a): Tac 'b
- = let (result, time) = time_tactic_ms t x in
- print (prefix ^ string_of_int (time / 1000) ^ "." ^ string_of_int ((time/100)%10) ^ "s");
- result
-
-(*** Unroll forall goals *)
-let _split_forall_nat
- (upper_bound: pos)
- ($p: (i:nat{i < upper_bound}) -> Type0)
- : Lemma (requires (if upper_bound = 0 then True
- else p (upper_bound - 1) /\ (forall (i:nat{i < upper_bound - 1}). p i)))
- (ensures forall (i:nat{i < upper_bound}). p i)
- = ()
-
-
-let focus_first_forall_goal (t : unit -> Tac unit) : Tac unit =
- let goals = goals () in
- let found_goal = alloc false in
- iterAll (fun _ ->
- (match expect_forall (cur_goal ()) with
- | Some _ ->
- if read found_goal
- then ()
- else begin
- write found_goal true;
- t ();
- ()
- end
- | _ ->
- ())
- );
- if not (read found_goal) then t ()
-
-/// Proves `forall (i:nat{i < bound})` for `bound` being a concrete int
-let rec prove_forall_nat_pointwise (tactic: unit -> Tac unit): Tac unit
- = focus_first_forall_goal (fun _ ->
- let _ =
- (* hacky way of printing the progress *)
- let goal = term_to_string (cur_goal ()) in
- let goal = match String.split ['\n'] goal with
- | s::_ -> s | _ -> "" in
- print ("prove_forall_pointwise: " ^ goal ^ "...")
- in
- apply_lemma (`_split_forall_nat);
- trivial `or_else` (fun _ ->
- if try norm [primops];
- split ();
- true
- with | e -> false
- then (
- tactic ();
- prove_forall_nat_pointwise tactic
- )
- )
- )
-
-#push-options "--compat_pre_core 2"
-private let _example (phi: int -> Type0) (proof: (i:int ->
Lemma (phi i))) =
- assert (forall (i: nat {i < 40}). phi i)
- by (
- prove_forall_nat_pointwise (fun _ ->
- apply_lemma (quote proof)
- )
- )
-#pop-options
diff --git a/fstar-helpers/fstar-bitvec/dep.graph b/fstar-helpers/fstar-bitvec/dep.graph
deleted file mode 100644
index 58c54a479..000000000
--- a/fstar-helpers/fstar-bitvec/dep.graph
+++ /dev/null
@@ -1,2316 +0,0 @@ -digraph { - "fstar_int32" -> "fstar_uint" - "fstar_int32" -> "fstar_uint" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "prims" - "fstar_int32" -> "prims" - "fstar_pervasives" -> "fstar_pervasives_native" - "fstar_pervasives" -> "fstar_pervasives_native" - "fstar_pervasives" -> "prims" - "fstar_pervasives" -> "prims" - "fstar_seq" -> "fstar_seq_properties" - "fstar_seq" -> "fstar_seq_properties" - "fstar_seq" -> "fstar_seq_base" - "fstar_seq" -> "fstar_seq_base" - "fstar_seq" -> "fstar_pervasives" - "fstar_seq" -> "fstar_pervasives" - "fstar_seq" -> "prims" - "fstar_seq" -> "prims" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_math_lemmas" - "fstar_int32" -> "fstar_math_lemmas" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "prims" - "fstar_int32" -> "prims" - "fstar_int32" -> "fstar_int32" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_v1_builtins" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_types" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" - 
"fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" - "fstar_tactics_v1_syntaxhelpers" -> "prims" - "fstar_tactics_v1_syntaxhelpers" -> "prims" - "core_option" -> "fstar_pervasives" - "core_option" -> "fstar_pervasives" - "core_option" -> "prims" - "core_option" -> "prims" - "fstar_seq_properties" -> "fstar_list_tot_properties" - "fstar_seq_properties" -> "fstar_list_tot_properties" - "fstar_seq_properties" -> "fstar_list_tot_base" - "fstar_seq_properties" -> "fstar_list_tot_base" - "fstar_seq_properties" -> "fstar_list_tot" - "fstar_seq_properties" -> "fstar_list_tot" - "fstar_seq_properties" -> "fstar_pervasives_native" - "fstar_seq_properties" -> "fstar_pervasives_native" - "fstar_seq_properties" -> "fstar_seq_base" - "fstar_seq_properties" -> "fstar_seq_base" - "fstar_seq_properties" -> "fstar_pervasives" - "fstar_seq_properties" -> "fstar_pervasives" - "fstar_seq_properties" -> "prims" - "fstar_seq_properties" -> "prims" - "fstar_squash" -> "fstar_pervasives" - "fstar_squash" -> "fstar_pervasives" - "fstar_squash" -> "prims" - "fstar_squash" -> "prims" - "fstar_squash" -> "fstar_squash" - "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_unseal" - "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_tactics_types" - "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" - "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" - "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" - "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" - "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_data" - "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_types" - "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_builtins" - "fstar_stubs_tactics_v1_builtins" -> "fstar_vconfig" - "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" - "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" - "fstar_stubs_tactics_v1_builtins" -> "prims" - "fstar_stubs_tactics_v1_builtins" -> "prims" - "fstar_tactics_print" 
-> "fstar_tactics_namedview" - "fstar_tactics_print" -> "fstar_tactics_namedview" - "fstar_tactics_print" -> "fstar_tactics_v2_derived" - "fstar_tactics_print" -> "fstar_tactics_v2_derived" - "fstar_tactics_print" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_print" -> "fstar_tactics_effect" - "fstar_tactics_print" -> "fstar_tactics_effect" - "fstar_tactics_print" -> "fstar_reflection_v2" - "fstar_tactics_print" -> "fstar_reflection_v2" - "fstar_tactics_print" -> "fstar_pervasives" - "fstar_tactics_print" -> "fstar_pervasives" - "fstar_tactics_print" -> "prims" - "fstar_tactics_print" -> "prims" - "lib_inttypes" -> "fstar_uint" - "lib_inttypes" -> "fstar_uint" - "lib_inttypes" -> "fstar_int" - "lib_inttypes" -> "fstar_int" - "lib_inttypes" -> "fstar_int128" - "lib_inttypes" -> "fstar_int128" - "lib_inttypes" -> "fstar_int64" - "lib_inttypes" -> "fstar_int64" - "lib_inttypes" -> "fstar_int32" - "lib_inttypes" -> "fstar_int32" - "lib_inttypes" -> "fstar_int16" - "lib_inttypes" -> "fstar_int16" - "lib_inttypes" -> "fstar_int8" - "lib_inttypes" -> "fstar_int8" - "lib_inttypes" -> "fstar_uint128" - "lib_inttypes" -> "fstar_uint128" - "lib_inttypes" -> "fstar_uint64" - "lib_inttypes" -> "fstar_uint64" - "lib_inttypes" -> "fstar_uint32" - "lib_inttypes" -> "fstar_uint32" - "lib_inttypes" -> "fstar_uint16" - "lib_inttypes" -> "fstar_uint16" - "lib_inttypes" -> "fstar_uint8" - "lib_inttypes" -> "fstar_uint8" - "lib_inttypes" -> "fstar_mul" - "lib_inttypes" -> "fstar_mul" - "lib_inttypes" -> "fstar_pervasives" - "lib_inttypes" -> "fstar_pervasives" - "lib_inttypes" -> "prims" - "lib_inttypes" -> "prims" - "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" - "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" - "fstar_reflection_v1_compare" -> "fstar_pervasives" - "fstar_reflection_v1_compare" -> "fstar_pervasives" - "fstar_reflection_v1_compare" -> "prims" - "fstar_reflection_v1_compare" -> "prims" - "fstar_classical" -> "fstar_squash" - 
"fstar_classical" -> "fstar_squash" - "fstar_classical" -> "fstar_pervasives" - "fstar_classical" -> "fstar_pervasives" - "fstar_classical" -> "prims" - "fstar_classical" -> "prims" - "fstar_classical" -> "fstar_classical" - "fstar_seq_base" -> "fstar_list_tot" - "fstar_seq_base" -> "fstar_list_tot" - "fstar_seq_base" -> "fstar_pervasives" - "fstar_seq_base" -> "fstar_pervasives" - "fstar_seq_base" -> "prims" - "fstar_seq_base" -> "prims" - "fstar_seq_properties" -> "fstar_list_tot_properties" - "fstar_seq_properties" -> "fstar_list_tot_properties" - "fstar_seq_properties" -> "fstar_list_tot_base" - "fstar_seq_properties" -> "fstar_list_tot_base" - "fstar_seq_properties" -> "fstar_squash" - "fstar_seq_properties" -> "fstar_squash" - "fstar_seq_properties" -> "fstar_list_tot" - "fstar_seq_properties" -> "fstar_list_tot" - "fstar_seq_properties" -> "fstar_pervasives_native" - "fstar_seq_properties" -> "fstar_pervasives_native" - "fstar_seq_properties" -> "fstar_classical" - "fstar_seq_properties" -> "fstar_classical" - "fstar_seq_properties" -> "fstar_seq_base" - "fstar_seq_properties" -> "fstar_seq_base" - "fstar_seq_properties" -> "fstar_pervasives" - "fstar_seq_properties" -> "fstar_pervasives" - "fstar_seq_properties" -> "prims" - "fstar_seq_properties" -> "prims" - "fstar_seq_properties" -> "fstar_seq_properties" - "fstar_calc" -> "fstar_classical" - "fstar_calc" -> "fstar_classical" - "fstar_calc" -> "fstar_preorder" - "fstar_calc" -> "fstar_preorder" - "fstar_calc" -> "fstar_squash" - "fstar_calc" -> "fstar_squash" - "fstar_calc" -> "fstar_pervasives" - "fstar_calc" -> "fstar_pervasives" - "fstar_calc" -> "prims" - "fstar_calc" -> "prims" - "fstar_calc" -> "fstar_calc" - "fstar_reflection_termeq" -> "fstar_list_tot" - "fstar_reflection_termeq" -> "fstar_list_tot" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" - 
"fstar_reflection_termeq" -> "fstar_pervasives" - "fstar_reflection_termeq" -> "fstar_pervasives" - "fstar_reflection_termeq" -> "prims" - "fstar_reflection_termeq" -> "prims" - "tactics_pow2" -> "fstar_tactics_effect" - "tactics_pow2" -> "fstar_tactics_effect" - "tactics_pow2" -> "fstar_tactics_v2" - "tactics_pow2" -> "fstar_tactics_v2" - "tactics_pow2" -> "tactics_utils" - "tactics_pow2" -> "tactics_utils" - "tactics_pow2" -> "core" - "tactics_pow2" -> "core" - "tactics_pow2" -> "fstar_pervasives" - "tactics_pow2" -> "fstar_pervasives" - "tactics_pow2" -> "prims" - "tactics_pow2" -> "prims" - "fstar_classical" -> "fstar_pervasives" - "fstar_classical" -> "fstar_pervasives" - "fstar_classical" -> "prims" - "fstar_classical" -> "prims" - "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_v2_data" - "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_types" - "fstar_stubs_reflection_v2_builtins" -> "fstar_vconfig" - "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_syntax_syntax" - "fstar_stubs_reflection_v2_builtins" -> "fstar_order" - "fstar_stubs_reflection_v2_builtins" -> "fstar_order" - "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" - "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" - "fstar_stubs_reflection_v2_builtins" -> "prims" - "fstar_stubs_reflection_v2_builtins" -> "prims" - "rust_primitives_bitvectors" -> "fstar_math_lemmas" - "rust_primitives_bitvectors" -> "fstar_math_lemmas" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "prims" - "rust_primitives_bitvectors" -> "prims" - 
"rust_primitives_bitvectors" -> "rust_primitives_bitvectors" - "fstar_option" -> "fstar_pervasives_native" - "fstar_option" -> "fstar_pervasives_native" - "fstar_option" -> "fstar_all" - "fstar_option" -> "fstar_all" - "fstar_option" -> "fstar_pervasives" - "fstar_option" -> "fstar_pervasives" - "fstar_option" -> "prims" - "fstar_option" -> "prims" - "fstar_propositionalextensionality" -> "fstar_pervasives" - "fstar_propositionalextensionality" -> "fstar_pervasives" - "fstar_propositionalextensionality" -> "prims" - "fstar_propositionalextensionality" -> "prims" - "fstar_erasedlogic" -> "fstar_ghost" - "fstar_erasedlogic" -> "fstar_ghost" - "fstar_erasedlogic" -> "fstar_pervasives" - "fstar_erasedlogic" -> "fstar_pervasives" - "fstar_erasedlogic" -> "prims" - "fstar_erasedlogic" -> "prims" - "bitveceq" -> "fstar_functionalextensionality" - "bitveceq" -> "fstar_functionalextensionality" - "bitveceq" -> "fstar_mul" - "bitveceq" -> "fstar_mul" - "bitveceq" -> "core" - "bitveceq" -> "core" - "bitveceq" -> "fstar_pervasives" - "bitveceq" -> "fstar_pervasives" - "bitveceq" -> "prims" - "bitveceq" -> "prims" - "bitveceq" -> "bitveceq" - "fstar_issue" -> "fstar_stubs_pprint" - "fstar_issue" -> "fstar_range" - "fstar_issue" -> "fstar_pervasives" - "fstar_issue" -> "fstar_pervasives" - "fstar_issue" -> "prims" - "fstar_issue" -> "prims" - "fstar_mul" -> "fstar_pervasives" - "fstar_mul" -> "fstar_pervasives" - "fstar_mul" -> "prims" - "fstar_mul" -> "prims" - "tactics_utils" -> "fstar_tactics_effect" - "tactics_utils" -> "fstar_tactics_effect" - "tactics_utils" -> "fstar_char" - "tactics_utils" -> "fstar_string" - "tactics_utils" -> "fstar_reflection_v2" - "tactics_utils" -> "fstar_reflection_v2" - "tactics_utils" -> "fstar_tactics_util" - "tactics_utils" -> "fstar_tactics_util" - "tactics_utils" -> "fstar_tactics_v1" - "tactics_utils" -> "fstar_tactics_v1" - "tactics_utils" -> "fstar_tactics" - "tactics_utils" -> "fstar_tactics" - "tactics_utils" -> "fstar_pervasives_native" 
- "tactics_utils" -> "fstar_pervasives_native" - "tactics_utils" -> "fstar_mul" - "tactics_utils" -> "fstar_mul" - "tactics_utils" -> "fstar_class_printable" - "tactics_utils" -> "fstar_class_printable" - "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_utils" -> "fstar_tactics_v2" - "tactics_utils" -> "fstar_tactics_v2" - "tactics_utils" -> "fstar_list_tot" - "tactics_utils" -> "fstar_list_tot" - "tactics_utils" -> "fstar_option" - "tactics_utils" -> "fstar_option" - "tactics_utils" -> "core" - "tactics_utils" -> "core" - "tactics_utils" -> "fstar_pervasives" - "tactics_utils" -> "fstar_pervasives" - "tactics_utils" -> "prims" - "tactics_utils" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "bitvec_intrinsics" - "libcrux_intrinsics_avx2_extract" -> "fstar_mul" - "libcrux_intrinsics_avx2_extract" -> "fstar_mul" - "libcrux_intrinsics_avx2_extract" -> "core" - "libcrux_intrinsics_avx2_extract" -> "core" - "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" - "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" - "libcrux_intrinsics_avx2_extract" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "prims" - "fstar_stubs_tactics_types" -> "fstar_issue" - "fstar_stubs_tactics_types" -> "fstar_range" - "fstar_stubs_tactics_types" -> "fstar_stubs_typechecker_core" - "fstar_stubs_tactics_types" -> "fstar_stubs_tactics_common" - "fstar_stubs_tactics_types" -> "fstar_stubs_reflection_types" - "fstar_stubs_tactics_types" -> "fstar_pervasives" - "fstar_stubs_tactics_types" -> "fstar_pervasives" - "fstar_stubs_tactics_types" -> "prims" - "fstar_stubs_tactics_types" -> "prims" - "fstar_exn" -> "fstar_pervasives" - "fstar_exn" -> "fstar_pervasives" - "fstar_exn" -> "prims" - "fstar_exn" -> "prims" - "core_iter" -> "rust_primitives_arrays" - "core_iter" -> "rust_primitives_arrays" - "core_iter" -> "core_ops_range" - "core_iter" -> "core_iter_adapters_step_by" - "core_iter" -> "core_iter_adapters_step_by" - 
"core_iter" -> "fstar_pervasives_native" - "core_iter" -> "fstar_pervasives_native" - "core_iter" -> "core_ops" - "core_iter" -> "core_ops" - "core_iter" -> "fstar_tactics_typeclasses" - "core_iter" -> "fstar_tactics_typeclasses" - "core_iter" -> "core_iter_adapters_enumerate" - "core_iter" -> "core_iter_adapters_enumerate" - "core_iter" -> "core_iter_traits_iterator" - "core_iter" -> "core_iter_traits_iterator" - "core_iter" -> "rust_primitives" - "core_iter" -> "rust_primitives" - "core_iter" -> "fstar_pervasives" - "core_iter" -> "fstar_pervasives" - "core_iter" -> "prims" - "core_iter" -> "prims" - "fstar_functionalextensionality" -> "fstar_pervasives_native" - "fstar_functionalextensionality" -> "fstar_pervasives_native" - "fstar_functionalextensionality" -> "fstar_tactics_effect" - "fstar_functionalextensionality" -> "fstar_tactics_effect" - "fstar_functionalextensionality" -> "fstar_stubs_tactics_types" - "fstar_functionalextensionality" -> "fstar_stubs_reflection_types" - "fstar_functionalextensionality" -> "fstar_stubs_tactics_v2_builtins" - "fstar_functionalextensionality" -> "fstar_pervasives" - "fstar_functionalextensionality" -> "fstar_pervasives" - "fstar_functionalextensionality" -> "prims" - "fstar_functionalextensionality" -> "prims" - "fstar_functionalextensionality" -> "fstar_functionalextensionality" - "core_iter_adapters_step_by" -> "rust_primitives" - "core_iter_adapters_step_by" -> "rust_primitives" - "core_iter_adapters_step_by" -> "fstar_pervasives" - "core_iter_adapters_step_by" -> "fstar_pervasives" - "core_iter_adapters_step_by" -> "prims" - "core_iter_adapters_step_by" -> "prims" - "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" - "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" - "fstar_tactics_v1_derived" -> "fstar_squash" - "fstar_tactics_v1_derived" -> "fstar_squash" - "fstar_tactics_v1_derived" -> "fstar_range" - "fstar_tactics_v1_derived" -> "fstar_pervasives_native" - "fstar_tactics_v1_derived" 
-> "fstar_pervasives_native" - "fstar_tactics_v1_derived" -> "fstar_tactics_visit" - "fstar_tactics_v1_derived" -> "fstar_tactics_visit" - "fstar_tactics_v1_derived" -> "fstar_list_tot_base" - "fstar_tactics_v1_derived" -> "fstar_list_tot_base" - "fstar_tactics_v1_derived" -> "fstar_vconfig" - "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" - "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" - "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_v1_builtins" - "fstar_tactics_v1_derived" -> "fstar_tactics_util" - "fstar_tactics_v1_derived" -> "fstar_tactics_util" - "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_result" - "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_types" - "fstar_tactics_v1_derived" -> "fstar_tactics_effect" - "fstar_tactics_v1_derived" -> "fstar_tactics_effect" - "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1_derived" -> "fstar_reflection_v1" - "fstar_tactics_v1_derived" -> "fstar_reflection_v1" - "fstar_tactics_v1_derived" -> "fstar_pervasives" - "fstar_tactics_v1_derived" -> "fstar_pervasives" - "fstar_tactics_v1_derived" -> "prims" - "fstar_tactics_v1_derived" -> "prims" - "fstar_tactics_visit" -> "fstar_pervasives_native" - "fstar_tactics_visit" -> "fstar_pervasives_native" - "fstar_tactics_visit" -> "fstar_tactics_util" - "fstar_tactics_visit" -> "fstar_tactics_util" - "fstar_tactics_visit" -> "fstar_tactics_effect" - "fstar_tactics_visit" -> "fstar_tactics_effect" - "fstar_tactics_visit" -> "fstar_reflection_v2" - "fstar_tactics_visit" -> "fstar_reflection_v2" - "fstar_tactics_visit" -> "fstar_pervasives" - "fstar_tactics_visit" -> "fstar_pervasives" - "fstar_tactics_visit" -> "prims" - "fstar_tactics_visit" -> "prims" - "rust_primitives_bitvectors" -> "fstar_uint8" - "rust_primitives_bitvectors" -> "fstar_uint8" - "rust_primitives_bitvectors" -> "fstar_uint16" - "rust_primitives_bitvectors" -> "fstar_uint16" - 
"rust_primitives_bitvectors" -> "fstar_uint32" - "rust_primitives_bitvectors" -> "fstar_uint32" - "rust_primitives_bitvectors" -> "fstar_int16" - "rust_primitives_bitvectors" -> "fstar_int16" - "rust_primitives_bitvectors" -> "fstar_int32" - "rust_primitives_bitvectors" -> "fstar_int32" - "rust_primitives_bitvectors" -> "fstar_seq" - "rust_primitives_bitvectors" -> "fstar_seq" - "rust_primitives_bitvectors" -> "fstar_functionalextensionality" - "rust_primitives_bitvectors" -> "fstar_functionalextensionality" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "prims" - "rust_primitives_bitvectors" -> "prims" - "fstar_uint16" -> "fstar_uint32" - "fstar_uint16" -> "fstar_uint32" - "fstar_uint16" -> "fstar_mul" - "fstar_uint16" -> "fstar_mul" - "fstar_uint16" -> "fstar_uint" - "fstar_uint16" -> "fstar_uint" - "fstar_uint16" -> "fstar_pervasives" - "fstar_uint16" -> "fstar_pervasives" - "fstar_uint16" -> "prims" - "fstar_uint16" -> "prims" - "fstar_uint16" -> "fstar_uint16" - "core_num_error" -> "rust_primitives" - "core_num_error" -> "rust_primitives" - "core_num_error" -> "fstar_pervasives" - "core_num_error" -> "fstar_pervasives" - "core_num_error" -> "prims" - "core_num_error" -> "prims" - "bitveceq" -> "fstar_math_lemmas" - "bitveceq" -> "fstar_math_lemmas" - "bitveceq" -> "fstar_seq" - "bitveceq" -> "fstar_seq" - "bitveceq" -> "fstar_classical_sugar" - "bitveceq" -> "fstar_classical_sugar" - "bitveceq" -> "fstar_functionalextensionality" - "bitveceq" -> "fstar_functionalextensionality" - "bitveceq" -> "mkseq" - "bitveceq" -> "mkseq" - "bitveceq" -> 
"fstar_mul" - "bitveceq" -> "fstar_mul" - "bitveceq" -> "core" - "bitveceq" -> "core" - "bitveceq" -> "fstar_pervasives" - "bitveceq" -> "fstar_pervasives" - "bitveceq" -> "prims" - "bitveceq" -> "prims" - "lib_inttypes" -> "fstar_bitvector" - "lib_inttypes" -> "fstar_bitvector" - "lib_inttypes" -> "fstar_seq" - "lib_inttypes" -> "fstar_seq" - "lib_inttypes" -> "fstar_uint" - "lib_inttypes" -> "fstar_uint" - "lib_inttypes" -> "fstar_pervasives_native" - "lib_inttypes" -> "fstar_pervasives_native" - "lib_inttypes" -> "fstar_int_cast_full" - "lib_inttypes" -> "fstar_int_cast_full" - "lib_inttypes" -> "fstar_int" - "lib_inttypes" -> "fstar_int" - "lib_inttypes" -> "fstar_int_cast" - "lib_inttypes" -> "fstar_int_cast" - "lib_inttypes" -> "fstar_int128" - "lib_inttypes" -> "fstar_int128" - "lib_inttypes" -> "fstar_int64" - "lib_inttypes" -> "fstar_int64" - "lib_inttypes" -> "fstar_int32" - "lib_inttypes" -> "fstar_int32" - "lib_inttypes" -> "fstar_int16" - "lib_inttypes" -> "fstar_int16" - "lib_inttypes" -> "fstar_int8" - "lib_inttypes" -> "fstar_int8" - "lib_inttypes" -> "fstar_uint128" - "lib_inttypes" -> "fstar_uint128" - "lib_inttypes" -> "fstar_uint64" - "lib_inttypes" -> "fstar_uint64" - "lib_inttypes" -> "fstar_uint32" - "lib_inttypes" -> "fstar_uint32" - "lib_inttypes" -> "fstar_uint16" - "lib_inttypes" -> "fstar_uint16" - "lib_inttypes" -> "fstar_uint8" - "lib_inttypes" -> "fstar_uint8" - "lib_inttypes" -> "fstar_math_lemmas" - "lib_inttypes" -> "fstar_math_lemmas" - "lib_inttypes" -> "fstar_pervasives" - "lib_inttypes" -> "fstar_pervasives" - "lib_inttypes" -> "prims" - "lib_inttypes" -> "prims" - "lib_inttypes" -> "lib_inttypes" - "fstar_int_cast_full" -> "fstar_uint128" - "fstar_int_cast_full" -> "fstar_uint128" - "fstar_int_cast_full" -> "fstar_uint64" - "fstar_int_cast_full" -> "fstar_uint64" - "fstar_int_cast_full" -> "fstar_int_cast" - "fstar_int_cast_full" -> "fstar_int_cast" - "fstar_int_cast_full" -> "fstar_pervasives" - "fstar_int_cast_full" -> 
"fstar_pervasives" - "fstar_int_cast_full" -> "prims" - "fstar_int_cast_full" -> "prims" - "rust_primitives_hax" -> "fstar_list_tot" - "rust_primitives_hax" -> "fstar_list_tot" - "rust_primitives_hax" -> "lib_inttypes" - "rust_primitives_hax" -> "lib_inttypes" - "rust_primitives_hax" -> "core_slice" - "rust_primitives_hax" -> "fstar_tactics_typeclasses" - "rust_primitives_hax" -> "fstar_tactics_typeclasses" - "rust_primitives_hax" -> "core_ops_index" - "rust_primitives_hax" -> "core_ops_index" - "rust_primitives_hax" -> "fstar_seq" - "rust_primitives_hax" -> "fstar_seq" - "rust_primitives_hax" -> "rust_primitives_arrays" - "rust_primitives_hax" -> "rust_primitives_arrays" - "rust_primitives_hax" -> "rust_primitives_integers" - "rust_primitives_hax" -> "rust_primitives_integers" - "rust_primitives_hax" -> "fstar_pervasives" - "rust_primitives_hax" -> "fstar_pervasives" - "rust_primitives_hax" -> "prims" - "rust_primitives_hax" -> "prims" - "fstar_reflection_v2_formula" -> "fstar_pervasives_native" - "fstar_reflection_v2_formula" -> "fstar_pervasives_native" - "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" - "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" - "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" - "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" - "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_v2_builtins" - "fstar_reflection_v2_formula" -> "fstar_tactics_effect" - "fstar_reflection_v2_formula" -> "fstar_tactics_effect" - "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_common" - "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_v2_formula" -> "fstar_reflection_const" - "fstar_reflection_v2_formula" -> "fstar_reflection_const" - 
"fstar_reflection_v2_formula" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2_formula" -> "fstar_list_tot_base" - "fstar_reflection_v2_formula" -> "fstar_list_tot_base" - "fstar_reflection_v2_formula" -> "fstar_pervasives" - "fstar_reflection_v2_formula" -> "fstar_pervasives" - "fstar_reflection_v2_formula" -> "prims" - "fstar_reflection_v2_formula" -> "prims" - "fstar_tactics_unseal" -> "fstar_tactics_effect" - "fstar_tactics_unseal" -> "fstar_tactics_effect" - "fstar_tactics_unseal" -> "fstar_sealed" - "fstar_tactics_unseal" -> "fstar_pervasives" - "fstar_tactics_unseal" -> "fstar_pervasives" - "fstar_tactics_unseal" -> "prims" - "fstar_tactics_unseal" -> "prims" - "fstar_int128" -> "fstar_int64" - "fstar_int128" -> "fstar_int64" - "fstar_int128" -> "fstar_uint32" - "fstar_int128" -> "fstar_uint32" - "fstar_int128" -> "fstar_math_lemmas" - "fstar_int128" -> "fstar_math_lemmas" - "fstar_int128" -> "fstar_mul" - "fstar_int128" -> "fstar_mul" - "fstar_int128" -> "fstar_int" - "fstar_int128" -> "fstar_int" - "fstar_int128" -> "fstar_pervasives" - "fstar_int128" -> "fstar_pervasives" - "fstar_int128" -> "prims" - "fstar_int128" -> "prims" - "fstar_int128" -> "fstar_int128" - "tactics_seq" -> "fstar_tactics_effect" - "tactics_seq" -> "fstar_tactics_effect" - "tactics_seq" -> "fstar_pervasives_native" - "tactics_seq" -> "fstar_pervasives_native" - "tactics_seq" -> "tactics_pow2" - "tactics_seq" -> "tactics_pow2" - "tactics_seq" -> "tactics_utils" - "tactics_seq" -> "tactics_utils" - "tactics_seq" -> "fstar_option" - "tactics_seq" -> "fstar_option" - "tactics_seq" -> "fstar_mul" - "tactics_seq" -> "fstar_mul" - "tactics_seq" -> "fstar_class_printable" - "tactics_seq" -> "fstar_class_printable" - "tactics_seq" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_seq" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_seq" -> "fstar_tactics_v2" - "tactics_seq" -> "fstar_tactics_v2" - "tactics_seq" -> "fstar_seq_base" - "tactics_seq" -> "fstar_seq_base" - "tactics_seq" -> 
"fstar_list_tot" - "tactics_seq" -> "fstar_list_tot" - "tactics_seq" -> "core" - "tactics_seq" -> "core" - "tactics_seq" -> "fstar_pervasives" - "tactics_seq" -> "fstar_pervasives" - "tactics_seq" -> "prims" - "tactics_seq" -> "prims" - "rust_primitives" -> "fstar_seq" - "rust_primitives" -> "fstar_seq" - "rust_primitives" -> "fstar_tactics_typeclasses" - "rust_primitives" -> "fstar_tactics_typeclasses" - "rust_primitives" -> "core_ops_control_flow" - "rust_primitives" -> "core_ops_control_flow" - "rust_primitives" -> "core_result" - "rust_primitives" -> "core_result" - "rust_primitives" -> "core_option" - "rust_primitives" -> "core_option" - "rust_primitives" -> "rust_primitives_bitvectors" - "rust_primitives" -> "rust_primitives_bitvectors" - "rust_primitives" -> "rust_primitives_arrays" - "rust_primitives" -> "rust_primitives_arrays" - "rust_primitives" -> "rust_primitives_integers" - "rust_primitives" -> "rust_primitives_integers" - "rust_primitives" -> "fstar_pervasives" - "rust_primitives" -> "fstar_pervasives" - "rust_primitives" -> "prims" - "rust_primitives" -> "prims" - "fstar_set" -> "fstar_classical" - "fstar_set" -> "fstar_classical" - "fstar_set" -> "fstar_functionalextensionality" - "fstar_set" -> "fstar_functionalextensionality" - "fstar_set" -> "fstar_pervasives" - "fstar_set" -> "fstar_pervasives" - "fstar_set" -> "prims" - "fstar_set" -> "prims" - "fstar_set" -> "fstar_set" - "fstar_tactics_v1_logic" -> "fstar_pervasives_native" - "fstar_tactics_v1_logic" -> "fstar_pervasives_native" - "fstar_tactics_v1_logic" -> "fstar_squash" - "fstar_tactics_v1_logic" -> "fstar_squash" - "fstar_tactics_v1_logic" -> "fstar_indefinitedescription" - "fstar_tactics_v1_logic" -> "fstar_indefinitedescription" - "fstar_tactics_v1_logic" -> "fstar_classical" - "fstar_tactics_v1_logic" -> "fstar_classical" - "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1_logic" -> 
"fstar_reflection_v1" - "fstar_tactics_v1_logic" -> "fstar_reflection_v1" - "fstar_tactics_v1_logic" -> "fstar_tactics_util" - "fstar_tactics_v1_logic" -> "fstar_tactics_util" - "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" - "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" - "fstar_tactics_v1_logic" -> "fstar_stubs_tactics_v1_builtins" - "fstar_tactics_v1_logic" -> "fstar_tactics_effect" - "fstar_tactics_v1_logic" -> "fstar_tactics_effect" - "fstar_tactics_v1_logic" -> "fstar_pervasives" - "fstar_tactics_v1_logic" -> "fstar_pervasives" - "fstar_tactics_v1_logic" -> "prims" - "fstar_tactics_v1_logic" -> "prims" - "fstar_class_printable" -> "fstar_seq" - "fstar_class_printable" -> "fstar_seq" - "fstar_class_printable" -> "fstar_uint64" - "fstar_class_printable" -> "fstar_uint64" - "fstar_class_printable" -> "fstar_int64" - "fstar_class_printable" -> "fstar_int64" - "fstar_class_printable" -> "fstar_uint32" - "fstar_class_printable" -> "fstar_uint32" - "fstar_class_printable" -> "fstar_int32" - "fstar_class_printable" -> "fstar_int32" - "fstar_class_printable" -> "fstar_uint16" - "fstar_class_printable" -> "fstar_uint16" - "fstar_class_printable" -> "fstar_int16" - "fstar_class_printable" -> "fstar_int16" - "fstar_class_printable" -> "fstar_int8" - "fstar_class_printable" -> "fstar_int8" - "fstar_class_printable" -> "fstar_uint8" - "fstar_class_printable" -> "fstar_uint8" - "fstar_class_printable" -> "fstar_char" - "fstar_class_printable" -> "fstar_list_tot" - "fstar_class_printable" -> "fstar_list_tot" - "fstar_class_printable" -> "fstar_tactics_typeclasses" - "fstar_class_printable" -> "fstar_tactics_typeclasses" - "fstar_class_printable" -> "fstar_seq_properties" - "fstar_class_printable" -> "fstar_seq_properties" - "fstar_class_printable" -> "fstar_string" - "fstar_class_printable" -> "fstar_pervasives" - "fstar_class_printable" -> "fstar_pervasives" - "fstar_class_printable" -> "prims" - "fstar_class_printable" -> "prims" - "tactics_getbit" -> 
"fstar_functionalextensionality" - "tactics_getbit" -> "fstar_functionalextensionality" - "tactics_getbit" -> "tactics_machineints" - "tactics_getbit" -> "tactics_machineints" - "tactics_getbit" -> "rust_primitives_hax" - "tactics_getbit" -> "rust_primitives_hax" - "tactics_getbit" -> "tactics_seq" - "tactics_getbit" -> "tactics_seq" - "tactics_getbit" -> "bitveceq" - "tactics_getbit" -> "bitveceq" - "tactics_getbit" -> "tactics_pow2" - "tactics_getbit" -> "tactics_pow2" - "tactics_getbit" -> "tactics_utils" - "tactics_getbit" -> "tactics_utils" - "tactics_getbit" -> "fstar_option" - "tactics_getbit" -> "fstar_option" - "tactics_getbit" -> "fstar_mul" - "tactics_getbit" -> "fstar_mul" - "tactics_getbit" -> "fstar_class_printable" - "tactics_getbit" -> "fstar_class_printable" - "tactics_getbit" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_getbit" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_getbit" -> "fstar_tactics_v2" - "tactics_getbit" -> "fstar_tactics_v2" - "tactics_getbit" -> "fstar_list_tot" - "tactics_getbit" -> "fstar_list_tot" - "tactics_getbit" -> "core" - "tactics_getbit" -> "core" - "tactics_getbit" -> "fstar_pervasives" - "tactics_getbit" -> "fstar_pervasives" - "tactics_getbit" -> "prims" - "tactics_getbit" -> "prims" - "tactics_machineints" -> "fstar_uint8" - "tactics_machineints" -> "fstar_uint8" - "tactics_machineints" -> "fstar_tactics_effect" - "tactics_machineints" -> "fstar_tactics_effect" - "tactics_machineints" -> "fstar_list_tot" - "tactics_machineints" -> "fstar_list_tot" - "tactics_machineints" -> "lib_inttypes" - "tactics_machineints" -> "lib_inttypes" - "tactics_machineints" -> "fstar_pervasives_native" - "tactics_machineints" -> "fstar_pervasives_native" - "tactics_machineints" -> "rust_primitives_integers" - "tactics_machineints" -> "rust_primitives_integers" - "tactics_machineints" -> "tactics_utils" - "tactics_machineints" -> "tactics_utils" - "tactics_machineints" -> "fstar_option" - "tactics_machineints" -> "fstar_option" - 
"tactics_machineints" -> "fstar_class_printable" - "tactics_machineints" -> "fstar_class_printable" - "tactics_machineints" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_machineints" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_machineints" -> "fstar_tactics_v2" - "tactics_machineints" -> "fstar_tactics_v2" - "tactics_machineints" -> "fstar_pervasives" - "tactics_machineints" -> "fstar_pervasives" - "tactics_machineints" -> "prims" - "tactics_machineints" -> "prims" - "fstar_preorder" -> "fstar_pervasives" - "fstar_preorder" -> "fstar_pervasives" - "fstar_preorder" -> "prims" - "fstar_preorder" -> "prims" - "fstar_reflection_const" -> "fstar_pervasives" - "fstar_reflection_const" -> "fstar_pervasives" - "fstar_reflection_const" -> "prims" - "fstar_reflection_const" -> "prims" - "fstar_tactics_bv" -> "fstar_pervasives_native" - "fstar_tactics_bv" -> "fstar_pervasives_native" - "fstar_tactics_bv" -> "fstar_uint" - "fstar_tactics_bv" -> "fstar_uint" - "fstar_tactics_bv" -> "fstar_bv" - "fstar_tactics_bv" -> "fstar_bv" - "fstar_tactics_bv" -> "fstar_reflection_v2_arith" - "fstar_tactics_bv" -> "fstar_reflection_v2_arith" - "fstar_tactics_bv" -> "fstar_reflection_v2_formula" - "fstar_tactics_bv" -> "fstar_reflection_v2_formula" - "fstar_tactics_bv" -> "fstar_tactics_v2" - "fstar_tactics_bv" -> "fstar_tactics_v2" - "fstar_tactics_bv" -> "fstar_pervasives" - "fstar_tactics_bv" -> "fstar_pervasives" - "fstar_tactics_bv" -> "prims" - "fstar_tactics_bv" -> "prims" - "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2" -> "fstar_tactics_smt" - "fstar_tactics_v2" -> "fstar_tactics_smt" - "fstar_tactics_v2" -> "fstar_tactics_mapply" - "fstar_tactics_v2" -> "fstar_tactics_mapply" - "fstar_tactics_v2" -> "fstar_tactics_namedview" - "fstar_tactics_v2" -> "fstar_tactics_namedview" - "fstar_tactics_v2" -> "fstar_tactics_visit" - "fstar_tactics_v2" -> "fstar_tactics_visit" - "fstar_tactics_v2" -> 
"fstar_tactics_print" - "fstar_tactics_v2" -> "fstar_tactics_print" - "fstar_tactics_v2" -> "fstar_tactics_util" - "fstar_tactics_v2" -> "fstar_tactics_util" - "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2" -> "fstar_tactics_v2_logic" - "fstar_tactics_v2" -> "fstar_tactics_v2_logic" - "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_v2" -> "fstar_tactics_v2_derived" - "fstar_tactics_v2" -> "fstar_tactics_v2_derived" - "fstar_tactics_v2" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_v2" -> "fstar_tactics_effect" - "fstar_tactics_v2" -> "fstar_tactics_effect" - "fstar_tactics_v2" -> "fstar_stubs_tactics_types" - "fstar_tactics_v2" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2" -> "fstar_reflection_v2" - "fstar_tactics_v2" -> "fstar_reflection_v2" - "fstar_tactics_v2" -> "fstar_stubs_reflection_types" - "fstar_tactics_v2" -> "fstar_pervasives" - "fstar_tactics_v2" -> "fstar_pervasives" - "fstar_tactics_v2" -> "prims" - "fstar_tactics_v2" -> "prims" - "fstar_stubs_tactics_result" -> "fstar_stubs_tactics_types" - "fstar_stubs_tactics_result" -> "fstar_pervasives" - "fstar_stubs_tactics_result" -> "fstar_pervasives" - "fstar_stubs_tactics_result" -> "prims" - "fstar_stubs_tactics_result" -> "prims" - "fstar_tactics_effect" -> "fstar_stubs_tactics_result" - "fstar_tactics_effect" -> "fstar_stubs_tactics_types" - "fstar_tactics_effect" -> "fstar_stubs_reflection_types" - "fstar_tactics_effect" -> "fstar_pervasives" - "fstar_tactics_effect" -> "fstar_pervasives" - "fstar_tactics_effect" -> "prims" - "fstar_tactics_effect" -> "prims" - "fstar_tactics_effect" -> "fstar_tactics_effect" - "fstar_monotonic_witnessed" -> "fstar_preorder" - "fstar_monotonic_witnessed" -> "fstar_preorder" - "fstar_monotonic_witnessed" -> "fstar_pervasives" - 
"fstar_monotonic_witnessed" -> "fstar_pervasives" - "fstar_monotonic_witnessed" -> "prims" - "fstar_monotonic_witnessed" -> "prims" - "fstar_range" -> "fstar_sealed" - "fstar_range" -> "fstar_pervasives" - "fstar_range" -> "fstar_pervasives" - "fstar_range" -> "prims" - "fstar_range" -> "prims" - "fstar_monotonic_witnessed" -> "fstar_classical" - "fstar_monotonic_witnessed" -> "fstar_classical" - "fstar_monotonic_witnessed" -> "fstar_preorder" - "fstar_monotonic_witnessed" -> "fstar_preorder" - "fstar_monotonic_witnessed" -> "fstar_pervasives" - "fstar_monotonic_witnessed" -> "fstar_pervasives" - "fstar_monotonic_witnessed" -> "prims" - "fstar_monotonic_witnessed" -> "prims" - "fstar_monotonic_witnessed" -> "fstar_monotonic_witnessed" - "fstar_uint32" -> "fstar_mul" - "fstar_uint32" -> "fstar_mul" - "fstar_uint32" -> "fstar_uint" - "fstar_uint32" -> "fstar_uint" - "fstar_uint32" -> "fstar_pervasives" - "fstar_uint32" -> "fstar_pervasives" - "fstar_uint32" -> "prims" - "fstar_uint32" -> "prims" - "fstar_uint32" -> "fstar_uint32" - "fstar_st" -> "fstar_set" - "fstar_st" -> "fstar_set" - "fstar_st" -> "fstar_monotonic_witnessed" - "fstar_st" -> "fstar_monotonic_witnessed" - "fstar_st" -> "fstar_preorder" - "fstar_st" -> "fstar_preorder" - "fstar_st" -> "fstar_heap" - "fstar_st" -> "fstar_heap" - "fstar_st" -> "fstar_tset" - "fstar_st" -> "fstar_tset" - "fstar_st" -> "fstar_pervasives" - "fstar_st" -> "fstar_pervasives" - "fstar_st" -> "prims" - "fstar_st" -> "prims" - "bitvec_intrinsics" -> "fstar_list_tot" - "bitvec_intrinsics" -> "fstar_list_tot" - "bitvec_intrinsics" -> "fstar_string" - "bitvec_intrinsics" -> "fstar_tactics_v2_derived" - "bitvec_intrinsics" -> "fstar_tactics_v2_derived" - "bitvec_intrinsics" -> "fstar_stubs_tactics_v2_builtins" - "bitvec_intrinsics" -> "libcrux_intrinsics_avx2_extract" - "bitvec_intrinsics" -> "libcrux_intrinsics_avx2_extract" - "bitvec_intrinsics" -> "fstar_tactics" - "bitvec_intrinsics" -> "fstar_tactics" - "bitvec_intrinsics" -> 
"fstar_int16" - "bitvec_intrinsics" -> "fstar_int16" - "bitvec_intrinsics" -> "fstar_tactics_v2" - "bitvec_intrinsics" -> "fstar_tactics_v2" - "bitvec_intrinsics" -> "fstar_int32" - "bitvec_intrinsics" -> "fstar_int32" - "bitvec_intrinsics" -> "tactics_utils" - "bitvec_intrinsics" -> "tactics_utils" - "bitvec_intrinsics" -> "bitvec_equality" - "bitvec_intrinsics" -> "bitvec_equality" - "bitvec_intrinsics" -> "bitvec_utils" - "bitvec_intrinsics" -> "bitvec_utils" - "bitvec_intrinsics" -> "fstar_mul" - "bitvec_intrinsics" -> "fstar_mul" - "bitvec_intrinsics" -> "rust_primitives" - "bitvec_intrinsics" -> "rust_primitives" - "bitvec_intrinsics" -> "core" - "bitvec_intrinsics" -> "core" - "bitvec_intrinsics" -> "fstar_pervasives" - "bitvec_intrinsics" -> "fstar_pervasives" - "bitvec_intrinsics" -> "prims" - "bitvec_intrinsics" -> "prims" - "fstar_stubs_typechecker_core" -> "fstar_pervasives" - "fstar_stubs_typechecker_core" -> "fstar_pervasives" - "fstar_stubs_typechecker_core" -> "prims" - "fstar_stubs_typechecker_core" -> "prims" - "fstar_char" -> "fstar_uint32" - "fstar_char" -> "fstar_uint32" - "fstar_char" -> "fstar_pervasives" - "fstar_char" -> "fstar_pervasives" - "fstar_char" -> "prims" - "fstar_char" -> "prims" - "fstar_int8" -> "fstar_uint32" - "fstar_int8" -> "fstar_uint32" - "fstar_int8" -> "fstar_math_lemmas" - "fstar_int8" -> "fstar_math_lemmas" - "fstar_int8" -> "fstar_mul" - "fstar_int8" -> "fstar_mul" - "fstar_int8" -> "fstar_int" - "fstar_int8" -> "fstar_int" - "fstar_int8" -> "fstar_pervasives" - "fstar_int8" -> "fstar_pervasives" - "fstar_int8" -> "prims" - "fstar_int8" -> "prims" - "fstar_int8" -> "fstar_int8" - "fstar_uint32" -> "fstar_mul" - "fstar_uint32" -> "fstar_mul" - "fstar_uint32" -> "fstar_uint" - "fstar_uint32" -> "fstar_uint" - "fstar_uint32" -> "fstar_pervasives" - "fstar_uint32" -> "fstar_pervasives" - "fstar_uint32" -> "prims" - "fstar_uint32" -> "prims" - "fstar_tset" -> "fstar_squash" - "fstar_tset" -> "fstar_squash" - "fstar_tset" 
-> "fstar_strongexcludedmiddle" - "fstar_tset" -> "fstar_strongexcludedmiddle" - "fstar_tset" -> "fstar_set" - "fstar_tset" -> "fstar_set" - "fstar_tset" -> "fstar_predicateextensionality" - "fstar_tset" -> "fstar_predicateextensionality" - "fstar_tset" -> "fstar_functionalextensionality" - "fstar_tset" -> "fstar_functionalextensionality" - "fstar_tset" -> "fstar_propositionalextensionality" - "fstar_tset" -> "fstar_propositionalextensionality" - "fstar_tset" -> "fstar_pervasives" - "fstar_tset" -> "fstar_pervasives" - "fstar_tset" -> "prims" - "fstar_tset" -> "prims" - "fstar_tset" -> "fstar_tset" - "tactics_folds" -> "tactics_utils" - "tactics_folds" -> "tactics_utils" - "tactics_folds" -> "rust_primitives_hax_folds" - "tactics_folds" -> "fstar_option" - "tactics_folds" -> "fstar_option" - "tactics_folds" -> "fstar_mul" - "tactics_folds" -> "fstar_mul" - "tactics_folds" -> "fstar_class_printable" - "tactics_folds" -> "fstar_class_printable" - "tactics_folds" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_folds" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_folds" -> "fstar_tactics_v2" - "tactics_folds" -> "fstar_tactics_v2" - "tactics_folds" -> "fstar_seq_base" - "tactics_folds" -> "fstar_seq_base" - "tactics_folds" -> "fstar_list_tot" - "tactics_folds" -> "fstar_list_tot" - "tactics_folds" -> "core" - "tactics_folds" -> "core" - "tactics_folds" -> "fstar_pervasives" - "tactics_folds" -> "fstar_pervasives" - "tactics_folds" -> "prims" - "tactics_folds" -> "prims" - "fstar_vconfig" -> "fstar_pervasives" - "fstar_vconfig" -> "fstar_pervasives" - "fstar_vconfig" -> "prims" - "fstar_vconfig" -> "prims" - "fstar_reflection_v2_derived" -> "fstar_list_tot_base" - "fstar_reflection_v2_derived" -> "fstar_list_tot_base" - "fstar_reflection_v2_derived" -> "fstar_pervasives_native" - "fstar_reflection_v2_derived" -> "fstar_pervasives_native" - "fstar_reflection_v2_derived" -> "fstar_list_tot" - "fstar_reflection_v2_derived" -> "fstar_list_tot" - 
"fstar_reflection_v2_derived" -> "fstar_vconfig" - "fstar_reflection_v2_derived" -> "fstar_order" - "fstar_reflection_v2_derived" -> "fstar_order" - "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_v2_derived" -> "fstar_reflection_const" - "fstar_reflection_v2_derived" -> "fstar_reflection_const" - "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2_derived" -> "fstar_pervasives" - "fstar_reflection_v2_derived" -> "fstar_pervasives" - "fstar_reflection_v2_derived" -> "prims" - "fstar_reflection_v2_derived" -> "prims" - "fstar_tset" -> "fstar_set" - "fstar_tset" -> "fstar_set" - "fstar_tset" -> "fstar_pervasives" - "fstar_tset" -> "fstar_pervasives" - "fstar_tset" -> "prims" - "fstar_tset" -> "prims" - "fstar_tactics" -> "fstar_tactics_v1" - "fstar_tactics" -> "fstar_tactics_v1" - "fstar_tactics" -> "fstar_pervasives" - "fstar_tactics" -> "fstar_pervasives" - "fstar_tactics" -> "prims" - "fstar_tactics" -> "prims" - "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" - "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" - "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" - "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" - "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" - "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" - "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_data" - "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_builtins" - "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_types" - "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" - "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" - "fstar_reflection_v1_derived_lemmas" -> "prims" - 
"fstar_reflection_v1_derived_lemmas" -> "prims" - "fstar_set" -> "fstar_pervasives" - "fstar_set" -> "fstar_pervasives" - "fstar_set" -> "prims" - "fstar_set" -> "prims" - "fstar_classical_sugar" -> "fstar_squash" - "fstar_classical_sugar" -> "fstar_squash" - "fstar_classical_sugar" -> "fstar_pervasives" - "fstar_classical_sugar" -> "fstar_pervasives" - "fstar_classical_sugar" -> "prims" - "fstar_classical_sugar" -> "prims" - "fstar_classical_sugar" -> "fstar_classical_sugar" - "rust_primitives_integers" -> "fstar_pervasives_native" - "rust_primitives_integers" -> "fstar_pervasives_native" - "rust_primitives_integers" -> "fstar_int" - "rust_primitives_integers" -> "fstar_int" - "rust_primitives_integers" -> "fstar_int128" - "rust_primitives_integers" -> "fstar_int128" - "rust_primitives_integers" -> "fstar_uint128" - "rust_primitives_integers" -> "fstar_uint128" - "rust_primitives_integers" -> "fstar_int64" - "rust_primitives_integers" -> "fstar_int64" - "rust_primitives_integers" -> "fstar_uint64" - "rust_primitives_integers" -> "fstar_uint64" - "rust_primitives_integers" -> "fstar_int32" - "rust_primitives_integers" -> "fstar_int32" - "rust_primitives_integers" -> "fstar_uint32" - "rust_primitives_integers" -> "fstar_uint32" - "rust_primitives_integers" -> "fstar_int16" - "rust_primitives_integers" -> "fstar_int16" - "rust_primitives_integers" -> "fstar_uint16" - "rust_primitives_integers" -> "fstar_uint16" - "rust_primitives_integers" -> "fstar_int8" - "rust_primitives_integers" -> "fstar_int8" - "rust_primitives_integers" -> "fstar_uint8" - "rust_primitives_integers" -> "fstar_uint8" - "rust_primitives_integers" -> "lib_inttypes" - "rust_primitives_integers" -> "lib_inttypes" - "rust_primitives_integers" -> "fstar_mul" - "rust_primitives_integers" -> "fstar_mul" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "prims" - "rust_primitives_integers" -> "prims" - "fstar_squash" -> 
"fstar_pervasives" - "fstar_squash" -> "fstar_pervasives" - "fstar_squash" -> "prims" - "fstar_squash" -> "prims" - "fstar_stubs_reflection_types" -> "fstar_sealed" - "fstar_stubs_reflection_types" -> "fstar_range" - "fstar_stubs_reflection_types" -> "fstar_pervasives" - "fstar_stubs_reflection_types" -> "fstar_pervasives" - "fstar_stubs_reflection_types" -> "prims" - "fstar_stubs_reflection_types" -> "prims" - "fstar_tactics_v1" -> "fstar_tactics_smt" - "fstar_tactics_v1" -> "fstar_tactics_smt" - "fstar_tactics_v1" -> "fstar_tactics_visit" - "fstar_tactics_v1" -> "fstar_tactics_visit" - "fstar_tactics_v1" -> "fstar_tactics_print" - "fstar_tactics_v1" -> "fstar_tactics_print" - "fstar_tactics_v1" -> "fstar_tactics_util" - "fstar_tactics_v1" -> "fstar_tactics_util" - "fstar_tactics_v1" -> "fstar_tactics_v1_logic" - "fstar_tactics_v1" -> "fstar_tactics_v1_logic" - "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" - "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" - "fstar_tactics_v1" -> "fstar_tactics_v1_derived" - "fstar_tactics_v1" -> "fstar_tactics_v1_derived" - "fstar_tactics_v1" -> "fstar_stubs_tactics_v1_builtins" - "fstar_tactics_v1" -> "fstar_tactics_effect" - "fstar_tactics_v1" -> "fstar_tactics_effect" - "fstar_tactics_v1" -> "fstar_stubs_tactics_types" - "fstar_tactics_v1" -> "fstar_reflection_v1_compare" - "fstar_tactics_v1" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1" -> "fstar_reflection_v1_derived" - "fstar_tactics_v1" -> "fstar_reflection_v1_derived" - "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_builtins" - "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_data" - "fstar_tactics_v1" -> "fstar_reflection_const" - "fstar_tactics_v1" -> "fstar_reflection_const" - "fstar_tactics_v1" -> "fstar_stubs_reflection_types" - "fstar_tactics_v1" -> "fstar_pervasives" - "fstar_tactics_v1" -> "fstar_pervasives" - "fstar_tactics_v1" -> "prims" - "fstar_tactics_v1" -> "prims" - 
"fstar_list_tot" -> "fstar_list_tot_properties" - "fstar_list_tot" -> "fstar_list_tot_properties" - "fstar_list_tot" -> "fstar_list_tot_base" - "fstar_list_tot" -> "fstar_list_tot_base" - "fstar_list_tot" -> "fstar_pervasives" - "fstar_list_tot" -> "fstar_pervasives" - "fstar_list_tot" -> "prims" - "fstar_list_tot" -> "prims" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" - "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" - "fstar_tactics_mapply" -> "fstar_tactics_effect" - "fstar_tactics_mapply" -> "fstar_tactics_effect" - "fstar_tactics_mapply" -> "fstar_reflection_v2" - "fstar_tactics_mapply" -> "fstar_reflection_v2" - "fstar_tactics_mapply" -> "fstar_pervasives" - "fstar_tactics_mapply" -> "fstar_pervasives" - "fstar_tactics_mapply" -> "prims" - "fstar_tactics_mapply" -> "prims" - "fstar_ghost" -> "fstar_pervasives" - "fstar_ghost" -> "fstar_pervasives" - "fstar_ghost" -> "prims" - "fstar_ghost" -> "prims" - "fstar_ghost" -> "fstar_ghost" - "fstar_bitvector" -> "fstar_seq" - "fstar_bitvector" -> "fstar_seq" - "fstar_bitvector" -> "fstar_mul" - "fstar_bitvector" -> "fstar_mul" - "fstar_bitvector" -> "fstar_pervasives" - "fstar_bitvector" -> "fstar_pervasives" - "fstar_bitvector" -> "prims" - "fstar_bitvector" -> "prims" - "core" -> "core_ops" - "core" -> "core_ops" - "core" -> "core_iter" - "core" -> "core_num" - "core" -> "rust_primitives" - "core" -> "rust_primitives" - "core" -> "fstar_pervasives" - "core" -> "fstar_pervasives" - "core" -> "prims" - "core" -> "prims" - "fstar_uint" -> "fstar_seq" - "fstar_uint" -> "fstar_seq" - "fstar_uint" -> "fstar_math_lemmas" - "fstar_uint" -> "fstar_math_lemmas" - "fstar_uint" -> "fstar_bitvector" - "fstar_uint" -> "fstar_bitvector" - "fstar_uint" -> "fstar_mul" - "fstar_uint" -> "fstar_mul" - "fstar_uint" -> "fstar_pervasives" - "fstar_uint" -> "fstar_pervasives" - "fstar_uint" -> 
"prims" - "fstar_uint" -> "prims" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_sealed" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_builtins" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" - "fstar_tactics_v2_syntaxcoercions" -> "prims" - "fstar_tactics_v2_syntaxcoercions" -> "prims" - "fstar_tactics_v2_logic" -> "fstar_pervasives_native" - "fstar_tactics_v2_logic" -> "fstar_pervasives_native" - "fstar_tactics_v2_logic" -> "fstar_squash" - "fstar_tactics_v2_logic" -> "fstar_squash" - "fstar_tactics_v2_logic" -> "fstar_indefinitedescription" - "fstar_tactics_v2_logic" -> "fstar_indefinitedescription" - "fstar_tactics_v2_logic" -> "fstar_classical" - "fstar_tactics_v2_logic" -> "fstar_classical" - "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2_logic" -> "fstar_tactics_util" - "fstar_tactics_v2_logic" -> "fstar_tactics_util" - "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" - "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" - "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" - "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" - "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_v2_logic" -> "fstar_tactics_effect" - "fstar_tactics_v2_logic" -> "fstar_tactics_effect" - "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2_logic" -> "fstar_reflection_v2" - "fstar_tactics_v2_logic" -> "fstar_reflection_v2" - "fstar_tactics_v2_logic" -> "fstar_pervasives" - "fstar_tactics_v2_logic" -> "fstar_pervasives" - 
"fstar_tactics_v2_logic" -> "prims" - "fstar_tactics_v2_logic" -> "prims" - "fstar_uint" -> "fstar_calc" - "fstar_uint" -> "fstar_calc" - "fstar_uint" -> "fstar_seq_base" - "fstar_uint" -> "fstar_seq_base" - "fstar_uint" -> "fstar_classical" - "fstar_uint" -> "fstar_classical" - "fstar_uint" -> "fstar_seq" - "fstar_uint" -> "fstar_seq" - "fstar_uint" -> "fstar_math_lib" - "fstar_uint" -> "fstar_math_lib" - "fstar_uint" -> "fstar_math_lemmas" - "fstar_uint" -> "fstar_math_lemmas" - "fstar_uint" -> "fstar_bitvector" - "fstar_uint" -> "fstar_bitvector" - "fstar_uint" -> "fstar_mul" - "fstar_uint" -> "fstar_mul" - "fstar_uint" -> "fstar_pervasives" - "fstar_uint" -> "fstar_pervasives" - "fstar_uint" -> "prims" - "fstar_uint" -> "prims" - "fstar_uint" -> "fstar_uint" - "fstar_uint8" -> "fstar_uint32" - "fstar_uint8" -> "fstar_uint32" - "fstar_uint8" -> "fstar_mul" - "fstar_uint8" -> "fstar_mul" - "fstar_uint8" -> "fstar_uint" - "fstar_uint8" -> "fstar_uint" - "fstar_uint8" -> "fstar_pervasives" - "fstar_uint8" -> "fstar_pervasives" - "fstar_uint8" -> "prims" - "fstar_uint8" -> "prims" - "fstar_uint8" -> "fstar_uint8" - "fstar_monotonic_pure" -> "fstar_pervasives" - "fstar_monotonic_pure" -> "fstar_pervasives" - "fstar_monotonic_pure" -> "prims" - "fstar_monotonic_pure" -> "prims" - "core_ops_index" -> "fstar_tactics_typeclasses" - "core_ops_index" -> "fstar_tactics_typeclasses" - "core_ops_index" -> "fstar_pervasives" - "core_ops_index" -> "fstar_pervasives" - "core_ops_index" -> "prims" - "core_ops_index" -> "prims" - "fstar_uint64" -> "fstar_uint32" - "fstar_uint64" -> "fstar_uint32" - "fstar_uint64" -> "fstar_mul" - "fstar_uint64" -> "fstar_mul" - "fstar_uint64" -> "fstar_uint" - "fstar_uint64" -> "fstar_uint" - "fstar_uint64" -> "fstar_pervasives" - "fstar_uint64" -> "fstar_pervasives" - "fstar_uint64" -> "prims" - "fstar_uint64" -> "prims" - "fstar_uint64" -> "fstar_uint64" - "fstar_float" -> "fstar_pervasives" - "fstar_float" -> "fstar_pervasives" - "fstar_float" 
-> "prims" - "fstar_float" -> "prims" - "fstar_reflection_v2_compare" -> "fstar_ghost" - "fstar_reflection_v2_compare" -> "fstar_ghost" - "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" - "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" - "fstar_reflection_v2_compare" -> "fstar_pervasives_native" - "fstar_reflection_v2_compare" -> "fstar_pervasives_native" - "fstar_reflection_v2_compare" -> "fstar_order" - "fstar_reflection_v2_compare" -> "fstar_order" - "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2_compare" -> "fstar_pervasives" - "fstar_reflection_v2_compare" -> "fstar_pervasives" - "fstar_reflection_v2_compare" -> "prims" - "fstar_reflection_v2_compare" -> "prims" - "fstar_reflection_v2_compare" -> "fstar_reflection_v2_compare" - "fstar_int" -> "fstar_uint" - "fstar_int" -> "fstar_uint" - "fstar_int" -> "fstar_seq" - "fstar_int" -> "fstar_seq" - "fstar_int" -> "fstar_math_lib" - "fstar_int" -> "fstar_math_lib" - "fstar_int" -> "fstar_math_lemmas" - "fstar_int" -> "fstar_math_lemmas" - "fstar_int" -> "fstar_bitvector" - "fstar_int" -> "fstar_bitvector" - "fstar_int" -> "fstar_mul" - "fstar_int" -> "fstar_mul" - "fstar_int" -> "fstar_pervasives" - "fstar_int" -> "fstar_pervasives" - "fstar_int" -> "prims" - "fstar_int" -> "prims" - "fstar_int" -> "fstar_int" - "fstar_int16" -> "fstar_uint" - "fstar_int16" -> "fstar_uint" - "fstar_int16" -> "fstar_uint32" - "fstar_int16" -> "fstar_uint32" - "fstar_int16" -> "fstar_mul" - "fstar_int16" -> "fstar_mul" - "fstar_int16" -> "fstar_int" - "fstar_int16" -> "fstar_int" - "fstar_int16" -> "fstar_pervasives" - "fstar_int16" -> "fstar_pervasives" - "fstar_int16" -> "prims" - 
"fstar_int16" -> "prims" - "fstar_list" -> "fstar_pervasives_native" - "fstar_list" -> "fstar_pervasives_native" - "fstar_list" -> "fstar_list_tot" - "fstar_list" -> "fstar_list_tot" - "fstar_list" -> "fstar_all" - "fstar_list" -> "fstar_all" - "fstar_list" -> "fstar_pervasives" - "fstar_list" -> "fstar_pervasives" - "fstar_list" -> "prims" - "fstar_list" -> "prims" - "fstar_predicateextensionality" -> "fstar_propositionalextensionality" - "fstar_predicateextensionality" -> "fstar_propositionalextensionality" - "fstar_predicateextensionality" -> "fstar_functionalextensionality" - "fstar_predicateextensionality" -> "fstar_functionalextensionality" - "fstar_predicateextensionality" -> "fstar_pervasives" - "fstar_predicateextensionality" -> "fstar_pervasives" - "fstar_predicateextensionality" -> "prims" - "fstar_predicateextensionality" -> "prims" - "fstar_reflection_v1_derived" -> "fstar_list_tot_base" - "fstar_reflection_v1_derived" -> "fstar_list_tot_base" - "fstar_reflection_v1_derived" -> "fstar_pervasives_native" - "fstar_reflection_v1_derived" -> "fstar_pervasives_native" - "fstar_reflection_v1_derived" -> "fstar_vconfig" - "fstar_reflection_v1_derived" -> "fstar_order" - "fstar_reflection_v1_derived" -> "fstar_order" - "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_data" - "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_builtins" - "fstar_reflection_v1_derived" -> "fstar_reflection_const" - "fstar_reflection_v1_derived" -> "fstar_reflection_const" - "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_types" - "fstar_reflection_v1_derived" -> "fstar_pervasives" - "fstar_reflection_v1_derived" -> "fstar_pervasives" - "fstar_reflection_v1_derived" -> "prims" - "fstar_reflection_v1_derived" -> "prims" - "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" - "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" - "fstar_stubs_reflection_v2_data" -> "fstar_stubs_reflection_types" - "fstar_stubs_reflection_v2_data" -> 
"fstar_stubs_syntax_syntax" - "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" - "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" - "fstar_stubs_reflection_v2_data" -> "prims" - "fstar_stubs_reflection_v2_data" -> "prims" - "fstar_stubs_reflection_v1_builtins" -> "fstar_vconfig" - "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_v1_data" - "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_types" - "fstar_stubs_reflection_v1_builtins" -> "fstar_order" - "fstar_stubs_reflection_v1_builtins" -> "fstar_order" - "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" - "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" - "fstar_stubs_reflection_v1_builtins" -> "prims" - "fstar_stubs_reflection_v1_builtins" -> "prims" - "fstar_uint128" -> "fstar_uint64" - "fstar_uint128" -> "fstar_uint64" - "fstar_uint128" -> "fstar_uint32" - "fstar_uint128" -> "fstar_uint32" - "fstar_uint128" -> "fstar_mul" - "fstar_uint128" -> "fstar_mul" - "fstar_uint128" -> "fstar_uint" - "fstar_uint128" -> "fstar_uint" - "fstar_uint128" -> "fstar_pervasives" - "fstar_uint128" -> "fstar_pervasives" - "fstar_uint128" -> "prims" - "fstar_uint128" -> "prims" - "fstar_reflection_v2_arith" -> "fstar_classical" - "fstar_reflection_v2_arith" -> "fstar_classical" - "fstar_reflection_v2_arith" -> "fstar_list_tot" - "fstar_reflection_v2_arith" -> "fstar_list_tot" - "fstar_reflection_v2_arith" -> "fstar_pervasives_native" - "fstar_reflection_v2_arith" -> "fstar_pervasives_native" - "fstar_reflection_v2_arith" -> "fstar_list_tot_base" - "fstar_reflection_v2_arith" -> "fstar_list_tot_base" - "fstar_reflection_v2_arith" -> "fstar_order" - "fstar_reflection_v2_arith" -> "fstar_order" - "fstar_reflection_v2_arith" -> "fstar_reflection_v2" - "fstar_reflection_v2_arith" -> "fstar_reflection_v2" - "fstar_reflection_v2_arith" -> "fstar_tactics_v2" - "fstar_reflection_v2_arith" -> "fstar_tactics_v2" - "fstar_reflection_v2_arith" -> "fstar_pervasives" - 
"fstar_reflection_v2_arith" -> "fstar_pervasives" - "fstar_reflection_v2_arith" -> "prims" - "fstar_reflection_v2_arith" -> "prims" - "fstar_functionalextensionality" -> "fstar_pervasives" - "fstar_functionalextensionality" -> "fstar_pervasives" - "fstar_functionalextensionality" -> "prims" - "fstar_functionalextensionality" -> "prims" - "fstar_reflection_termeq" -> "fstar_classical_sugar" - "fstar_reflection_termeq" -> "fstar_classical_sugar" - "fstar_reflection_termeq" -> "fstar_sealed" - "fstar_reflection_termeq" -> "fstar_pervasives_native" - "fstar_reflection_termeq" -> "fstar_pervasives_native" - "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" - "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" - "fstar_reflection_termeq" -> "fstar_list_tot" - "fstar_reflection_termeq" -> "fstar_list_tot" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" - "fstar_reflection_termeq" -> "fstar_pervasives" - "fstar_reflection_termeq" -> "fstar_pervasives" - "fstar_reflection_termeq" -> "prims" - "fstar_reflection_termeq" -> "prims" - "fstar_reflection_termeq" -> "fstar_reflection_termeq" - "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" - "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" - "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" - "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" - "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" - "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" - "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_types" - 
"fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" - "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" - "fstar_reflection_v2_derived_lemmas" -> "prims" - "fstar_reflection_v2_derived_lemmas" -> "prims" - "core_ops_range" -> "rust_primitives_hax" - "core_ops_range" -> "rust_primitives_hax" - "core_ops_range" -> "fstar_seq" - "core_ops_range" -> "fstar_seq" - "core_ops_range" -> "core_ops_index" - "core_ops_range" -> "core_ops_index" - "core_ops_range" -> "fstar_tactics_typeclasses" - "core_ops_range" -> "fstar_tactics_typeclasses" - "core_ops_range" -> "fstar_pervasives_native" - "core_ops_range" -> "fstar_pervasives_native" - "core_ops_range" -> "core_iter_traits_iterator" - "core_ops_range" -> "core_iter_traits_iterator" - "core_ops_range" -> "rust_primitives" - "core_ops_range" -> "rust_primitives" - "core_ops_range" -> "fstar_pervasives" - "core_ops_range" -> "fstar_pervasives" - "core_ops_range" -> "prims" - "core_ops_range" -> "prims" - "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" - "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" - "core_iter_traits_iterator" -> "core_iter_adapters_step_by" - "core_iter_traits_iterator" -> "core_iter_adapters_step_by" - "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" - "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" - "core_iter_traits_iterator" -> "rust_primitives" - "core_iter_traits_iterator" -> "rust_primitives" - "core_iter_traits_iterator" -> "fstar_pervasives" - "core_iter_traits_iterator" -> "fstar_pervasives" - "core_iter_traits_iterator" -> "prims" - "core_iter_traits_iterator" -> "prims" - "fstar_bv" -> "fstar_list" - "fstar_bv" -> "fstar_list" - "fstar_bv" -> "fstar_uint" - "fstar_bv" -> "fstar_uint" - "fstar_bv" -> "fstar_pervasives" - "fstar_bv" -> "fstar_pervasives" - "fstar_bv" -> "prims" - "fstar_bv" -> "prims" - "fstar_math_lemmas" -> "fstar_calc" - "fstar_math_lemmas" -> "fstar_calc" - "fstar_math_lemmas" -> "fstar_math_lib" - 
"fstar_math_lemmas" -> "fstar_math_lib" - "fstar_math_lemmas" -> "fstar_mul" - "fstar_math_lemmas" -> "fstar_mul" - "fstar_math_lemmas" -> "fstar_pervasives" - "fstar_math_lemmas" -> "fstar_pervasives" - "fstar_math_lemmas" -> "prims" - "fstar_math_lemmas" -> "prims" - "fstar_math_lemmas" -> "fstar_math_lemmas" - "fstar_tactics_builtins" -> "fstar_stubs_tactics_v1_builtins" - "fstar_tactics_builtins" -> "fstar_pervasives" - "fstar_tactics_builtins" -> "fstar_pervasives" - "fstar_tactics_builtins" -> "prims" - "fstar_tactics_builtins" -> "prims" - "fstar_string" -> "fstar_all" - "fstar_string" -> "fstar_all" - "fstar_string" -> "fstar_list" - "fstar_string" -> "fstar_list" - "fstar_string" -> "fstar_char" - "fstar_string" -> "fstar_list_tot" - "fstar_string" -> "fstar_list_tot" - "fstar_string" -> "fstar_pervasives" - "fstar_string" -> "fstar_pervasives" - "fstar_string" -> "prims" - "fstar_string" -> "prims" - "fstar_pervasives" -> "prims" - "fstar_pervasives" -> "prims" - "fstar_pervasives" -> "fstar_pervasives" - "fstar_tactics_util" -> "fstar_pervasives_native" - "fstar_tactics_util" -> "fstar_pervasives_native" - "fstar_tactics_util" -> "fstar_list_tot_base" - "fstar_tactics_util" -> "fstar_list_tot_base" - "fstar_tactics_util" -> "fstar_tactics_effect" - "fstar_tactics_util" -> "fstar_tactics_effect" - "fstar_tactics_util" -> "fstar_pervasives" - "fstar_tactics_util" -> "fstar_pervasives" - "fstar_tactics_util" -> "prims" - "fstar_tactics_util" -> "prims" - "core_slice_iter" -> "rust_primitives" - "core_slice_iter" -> "rust_primitives" - "core_slice_iter" -> "fstar_pervasives" - "core_slice_iter" -> "fstar_pervasives" - "core_slice_iter" -> "prims" - "core_slice_iter" -> "prims" - "core_ops_control_flow" -> "fstar_pervasives" - "core_ops_control_flow" -> "fstar_pervasives" - "core_ops_control_flow" -> "prims" - "core_ops_control_flow" -> "prims" - "core_slice" -> "fstar_tactics_typeclasses" - "core_slice" -> "fstar_tactics_typeclasses" - "core_slice" -> 
"core_ops_index" - "core_slice" -> "core_ops_index" - "core_slice" -> "core_slice_iter" - "core_slice" -> "core_slice_iter" - "core_slice" -> "fstar_seq" - "core_slice" -> "fstar_seq" - "core_slice" -> "rust_primitives_integers" - "core_slice" -> "rust_primitives_integers" - "core_slice" -> "rust_primitives_arrays" - "core_slice" -> "rust_primitives_arrays" - "core_slice" -> "fstar_pervasives" - "core_slice" -> "fstar_pervasives" - "core_slice" -> "prims" - "core_slice" -> "prims" - "fstar_all" -> "fstar_exn" - "fstar_all" -> "fstar_exn" - "fstar_all" -> "fstar_st" - "fstar_all" -> "fstar_st" - "fstar_all" -> "fstar_heap" - "fstar_all" -> "fstar_heap" - "fstar_all" -> "fstar_pervasives" - "fstar_all" -> "fstar_pervasives" - "fstar_all" -> "prims" - "fstar_all" -> "prims" - "fstar_ghost" -> "fstar_pervasives" - "fstar_ghost" -> "fstar_pervasives" - "fstar_ghost" -> "prims" - "fstar_ghost" -> "prims" - "fstar_indefinitedescription" -> "fstar_ghost" - "fstar_indefinitedescription" -> "fstar_ghost" - "fstar_indefinitedescription" -> "fstar_pervasives" - "fstar_indefinitedescription" -> "fstar_pervasives" - "fstar_indefinitedescription" -> "prims" - "fstar_indefinitedescription" -> "prims" - "fstar_list_tot_properties" -> "fstar_classical" - "fstar_list_tot_properties" -> "fstar_classical" - "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" - "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" - "fstar_list_tot_properties" -> "fstar_classical_sugar" - "fstar_list_tot_properties" -> "fstar_classical_sugar" - "fstar_list_tot_properties" -> "fstar_pervasives_native" - "fstar_list_tot_properties" -> "fstar_pervasives_native" - "fstar_list_tot_properties" -> "fstar_list_tot_base" - "fstar_list_tot_properties" -> "fstar_list_tot_base" - "fstar_list_tot_properties" -> "fstar_pervasives" - "fstar_list_tot_properties" -> "fstar_pervasives" - "fstar_list_tot_properties" -> "prims" - "fstar_list_tot_properties" -> "prims" - "fstar_stubs_syntax_syntax" -> 
"fstar_stubs_reflection_types" - "fstar_stubs_syntax_syntax" -> "fstar_pervasives" - "fstar_stubs_syntax_syntax" -> "fstar_pervasives" - "fstar_stubs_syntax_syntax" -> "prims" - "fstar_stubs_syntax_syntax" -> "prims" - "core_ops_arith" -> "fstar_tactics_typeclasses" - "core_ops_arith" -> "fstar_tactics_typeclasses" - "core_ops_arith" -> "rust_primitives" - "core_ops_arith" -> "rust_primitives" - "core_ops_arith" -> "fstar_pervasives" - "core_ops_arith" -> "fstar_pervasives" - "core_ops_arith" -> "prims" - "core_ops_arith" -> "prims" - "rust_primitives_hax_folds" -> "fstar_math_lemmas" - "rust_primitives_hax_folds" -> "fstar_math_lemmas" - "rust_primitives_hax_folds" -> "lib_inttypes" - "rust_primitives_hax_folds" -> "lib_inttypes" - "rust_primitives_hax_folds" -> "fstar_seq" - "rust_primitives_hax_folds" -> "fstar_seq" - "rust_primitives_hax_folds" -> "fstar_mul" - "rust_primitives_hax_folds" -> "fstar_mul" - "rust_primitives_hax_folds" -> "core_ops_range" - "rust_primitives_hax_folds" -> "rust_primitives" - "rust_primitives_hax_folds" -> "rust_primitives" - "rust_primitives_hax_folds" -> "fstar_pervasives" - "rust_primitives_hax_folds" -> "fstar_pervasives" - "rust_primitives_hax_folds" -> "prims" - "rust_primitives_hax_folds" -> "prims" - "fstar_strongexcludedmiddle" -> "fstar_pervasives" - "fstar_strongexcludedmiddle" -> "fstar_pervasives" - "fstar_strongexcludedmiddle" -> "prims" - "fstar_strongexcludedmiddle" -> "prims" - "fstar_uint8" -> "fstar_uint32" - "fstar_uint8" -> "fstar_uint32" - "fstar_uint8" -> "fstar_mul" - "fstar_uint8" -> "fstar_mul" - "fstar_uint8" -> "fstar_uint" - "fstar_uint8" -> "fstar_uint" - "fstar_uint8" -> "fstar_pervasives" - "fstar_uint8" -> "fstar_pervasives" - "fstar_uint8" -> "prims" - "fstar_uint8" -> "prims" - "fstar_stubs_tactics_v2_builtins" -> "fstar_issue" - "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" - "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" - "fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" - 
"fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" - "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" - "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" - "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_pprint" - "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_unseal" - "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_tactics_types" - "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" - "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" - "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_builtins" - "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_data" - "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" - "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" - "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_types" - "fstar_stubs_tactics_v2_builtins" -> "fstar_vconfig" - "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" - "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" - "fstar_stubs_tactics_v2_builtins" -> "prims" - "fstar_stubs_tactics_v2_builtins" -> "prims" - "rust_primitives_arrays" -> "fstar_pervasives_native" - "rust_primitives_arrays" -> "fstar_pervasives_native" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "fstar_mul" - "rust_primitives_arrays" -> "fstar_mul" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "prims" - "rust_primitives_arrays" -> "prims" - "fstar_reflection_v1" -> "fstar_reflection_v1_compare" - "fstar_reflection_v1" -> "fstar_reflection_const" - "fstar_reflection_v1" -> 
"fstar_reflection_const" - "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" - "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" - "fstar_reflection_v1" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_builtins" - "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_data" - "fstar_reflection_v1" -> "fstar_stubs_reflection_types" - "fstar_reflection_v1" -> "fstar_pervasives" - "fstar_reflection_v1" -> "fstar_pervasives" - "fstar_reflection_v1" -> "prims" - "fstar_reflection_v1" -> "prims" - "fstar_bv" -> "fstar_math_lemmas" - "fstar_bv" -> "fstar_math_lemmas" - "fstar_bv" -> "fstar_seq" - "fstar_bv" -> "fstar_seq" - "fstar_bv" -> "fstar_bitvector" - "fstar_bv" -> "fstar_bitvector" - "fstar_bv" -> "fstar_uint" - "fstar_bv" -> "fstar_uint" - "fstar_bv" -> "fstar_pervasives" - "fstar_bv" -> "fstar_pervasives" - "fstar_bv" -> "prims" - "fstar_bv" -> "prims" - "fstar_bv" -> "fstar_bv" - "fstar_list_tot_base" -> "fstar_classical_sugar" - "fstar_list_tot_base" -> "fstar_classical_sugar" - "fstar_list_tot_base" -> "fstar_pervasives_native" - "fstar_list_tot_base" -> "fstar_pervasives_native" - "fstar_list_tot_base" -> "fstar_pervasives" - "fstar_list_tot_base" -> "fstar_pervasives" - "fstar_list_tot_base" -> "prims" - "fstar_list_tot_base" -> "prims" - "fstar_math_lib" -> "fstar_mul" - "fstar_math_lib" -> "fstar_mul" - "fstar_math_lib" -> "fstar_pervasives" - "fstar_math_lib" -> "fstar_pervasives" - "fstar_math_lib" -> "prims" - "fstar_math_lib" -> "prims" - "core_num" -> "fstar_tactics_typeclasses" - "core_num" -> "fstar_tactics_typeclasses" - "core_num" -> "core_ops_arith" - "core_num" -> "core_num_error" - "core_num" -> "core_result" - "core_num" -> "core_result" - "core_num" -> "fstar_math_lemmas" - "core_num" -> "fstar_math_lemmas" - "core_num" -> "lib_inttypes" - "core_num" -> "lib_inttypes" - "core_num" -> "fstar_uint128" - "core_num" -> 
"fstar_uint128" - "core_num" -> "fstar_uint32" - "core_num" -> "fstar_uint32" - "core_num" -> "rust_primitives" - "core_num" -> "rust_primitives" - "core_num" -> "fstar_pervasives" - "core_num" -> "fstar_pervasives" - "core_num" -> "prims" - "core_num" -> "prims" - "fstar_math_lemmas" -> "fstar_mul" - "fstar_math_lemmas" -> "fstar_mul" - "fstar_math_lemmas" -> "fstar_pervasives" - "fstar_math_lemmas" -> "fstar_pervasives" - "fstar_math_lemmas" -> "prims" - "fstar_math_lemmas" -> "prims" - "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" - "fstar_reflection_termeq_simple" -> "fstar_pervasives" - "fstar_reflection_termeq_simple" -> "fstar_pervasives" - "fstar_reflection_termeq_simple" -> "prims" - "fstar_reflection_termeq_simple" -> "prims" - "fstar_int16" -> "fstar_uint32" - "fstar_int16" -> "fstar_uint32" - "fstar_int16" -> "fstar_math_lemmas" - "fstar_int16" -> "fstar_math_lemmas" - "fstar_int16" -> "fstar_mul" - "fstar_int16" -> "fstar_mul" - "fstar_int16" -> "fstar_int" - "fstar_int16" -> "fstar_int" - "fstar_int16" -> "fstar_pervasives" - "fstar_int16" -> "fstar_pervasives" - "fstar_int16" -> "prims" - "fstar_int16" -> "prims" - "fstar_int16" -> "fstar_int16" - "bitvec_utils" -> "rust_primitives_bitvectors" - "bitvec_utils" -> "rust_primitives_bitvectors" - "bitvec_utils" -> "bitvec_equality" - "bitvec_utils" -> "bitvec_equality" - "bitvec_utils" -> "fstar_functionalextensionality" - "bitvec_utils" -> "fstar_functionalextensionality" - "bitvec_utils" -> "core" - "bitvec_utils" -> "core" - "bitvec_utils" -> "fstar_pervasives" - "bitvec_utils" -> "fstar_pervasives" - "bitvec_utils" -> "prims" - "bitvec_utils" -> "prims" - "fstar_tactics_typeclasses" -> "fstar_stubs_pprint" - "fstar_tactics_typeclasses" -> "fstar_list_tot" - "fstar_tactics_typeclasses" -> "fstar_list_tot" - "fstar_tactics_typeclasses" -> "fstar_tactics_util" - "fstar_tactics_typeclasses" -> "fstar_tactics_util" - "fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" - 
"fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" - "fstar_tactics_typeclasses" -> "fstar_pervasives_native" - "fstar_tactics_typeclasses" -> "fstar_pervasives_native" - "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_v2_builtins" - "fstar_tactics_typeclasses" -> "fstar_list_tot_base" - "fstar_tactics_typeclasses" -> "fstar_list_tot_base" - "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" - "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_typeclasses" -> "fstar_tactics_effect" - "fstar_tactics_typeclasses" -> "fstar_tactics_effect" - "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_common" - "fstar_tactics_typeclasses" -> "fstar_reflection_v2" - "fstar_tactics_typeclasses" -> "fstar_reflection_v2" - "fstar_tactics_typeclasses" -> "fstar_pervasives" - "fstar_tactics_typeclasses" -> "fstar_pervasives" - "fstar_tactics_typeclasses" -> "prims" - "fstar_tactics_typeclasses" -> "prims" - "fstar_tactics_typeclasses" -> "fstar_tactics_typeclasses" - "rust_primitives_integers" -> "fstar_int_cast" - "rust_primitives_integers" -> "fstar_int_cast" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "prims" - "rust_primitives_integers" -> "prims" - "rust_primitives_integers" -> "rust_primitives_integers" - "fstar_tactics_namedview" -> "fstar_range" - "fstar_tactics_namedview" -> "fstar_reflection_v2" - "fstar_tactics_namedview" -> "fstar_reflection_v2" - "fstar_tactics_namedview" -> 
"fstar_tactics_effect" - "fstar_tactics_namedview" -> "fstar_tactics_effect" - "fstar_tactics_namedview" -> "fstar_pervasives" - "fstar_tactics_namedview" -> "fstar_pervasives" - "fstar_tactics_namedview" -> "prims" - "fstar_tactics_namedview" -> "prims" - "fstar_reflection_v2" -> "fstar_reflection_v2_compare" - "fstar_reflection_v2" -> "fstar_reflection_v2_compare" - "fstar_reflection_v2" -> "fstar_reflection_const" - "fstar_reflection_v2" -> "fstar_reflection_const" - "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" - "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" - "fstar_reflection_v2" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2" -> "fstar_pervasives" - "fstar_reflection_v2" -> "fstar_pervasives" - "fstar_reflection_v2" -> "prims" - "fstar_reflection_v2" -> "prims" - "fstar_int_cast" -> "fstar_int" - "fstar_int_cast" -> "fstar_int" - "fstar_int_cast" -> "fstar_int64" - "fstar_int_cast" -> "fstar_int64" - "fstar_int_cast" -> "fstar_int32" - "fstar_int_cast" -> "fstar_int32" - "fstar_int_cast" -> "fstar_int16" - "fstar_int_cast" -> "fstar_int16" - "fstar_int_cast" -> "fstar_int8" - "fstar_int_cast" -> "fstar_int8" - "fstar_int_cast" -> "fstar_uint64" - "fstar_int_cast" -> "fstar_uint64" - "fstar_int_cast" -> "fstar_uint32" - "fstar_int_cast" -> "fstar_uint32" - "fstar_int_cast" -> "fstar_uint16" - "fstar_int_cast" -> "fstar_uint16" - "fstar_int_cast" -> "fstar_uint8" - "fstar_int_cast" -> "fstar_uint8" - "fstar_int_cast" -> "fstar_pervasives" - "fstar_int_cast" -> "fstar_pervasives" - "fstar_int_cast" -> "prims" - "fstar_int_cast" -> "prims" - "fstar_stubs_errors_msg" -> "fstar_stubs_pprint" - "fstar_stubs_errors_msg" -> "fstar_pervasives" - "fstar_stubs_errors_msg" -> "fstar_pervasives" - 
"fstar_stubs_errors_msg" -> "prims" - "fstar_stubs_errors_msg" -> "prims" - "fstar_tactics_mapply" -> "fstar_squash" - "fstar_tactics_mapply" -> "fstar_squash" - "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" - "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" - "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_mapply" -> "fstar_tactics_namedview" - "fstar_tactics_mapply" -> "fstar_tactics_namedview" - "fstar_tactics_mapply" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_mapply" -> "fstar_tactics_effect" - "fstar_tactics_mapply" -> "fstar_tactics_effect" - "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" - "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" - "fstar_tactics_mapply" -> "fstar_reflection_v2" - "fstar_tactics_mapply" -> "fstar_reflection_v2" - "fstar_tactics_mapply" -> "fstar_pervasives" - "fstar_tactics_mapply" -> "fstar_pervasives" - "fstar_tactics_mapply" -> "prims" - "fstar_tactics_mapply" -> "prims" - "fstar_tactics_mapply" -> "fstar_tactics_mapply" - "fstar_monotonic_heap" -> "fstar_preorder" - "fstar_monotonic_heap" -> "fstar_preorder" - "fstar_monotonic_heap" -> "fstar_tset" - "fstar_monotonic_heap" -> "fstar_tset" - "fstar_monotonic_heap" -> "fstar_set" - "fstar_monotonic_heap" -> "fstar_set" - "fstar_monotonic_heap" -> "fstar_pervasives" - "fstar_monotonic_heap" -> "fstar_pervasives" - "fstar_monotonic_heap" -> "prims" - "fstar_monotonic_heap" -> "prims" - "fstar_stubs_tactics_common" -> "fstar_range" - "fstar_stubs_tactics_common" -> "fstar_stubs_errors_msg" - "fstar_stubs_tactics_common" -> "fstar_pervasives" - "fstar_stubs_tactics_common" -> "fstar_pervasives" - "fstar_stubs_tactics_common" -> 
"prims" - "fstar_stubs_tactics_common" -> "prims" - "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" - "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" - "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_types" - "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_builtins" - "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_data" - "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" - "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" - "fstar_stubs_reflection_v1_data" -> "prims" - "fstar_stubs_reflection_v1_data" -> "prims" - "fstar_seq_base" -> "fstar_list_tot" - "fstar_seq_base" -> "fstar_list_tot" - "fstar_seq_base" -> "fstar_pervasives" - "fstar_seq_base" -> "fstar_pervasives" - "fstar_seq_base" -> "prims" - "fstar_seq_base" -> "prims" - "fstar_seq_base" -> "fstar_seq_base" - "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" - "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" - "fstar_tactics_v2_derived" -> "fstar_squash" - "fstar_tactics_v2_derived" -> "fstar_squash" - "fstar_tactics_v2_derived" -> "fstar_range" - "fstar_tactics_v2_derived" -> "fstar_pervasives_native" - "fstar_tactics_v2_derived" -> "fstar_pervasives_native" - "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2_derived" -> "fstar_tactics_visit" - "fstar_tactics_v2_derived" -> "fstar_tactics_visit" - "fstar_tactics_v2_derived" -> "fstar_list_tot_base" - "fstar_tactics_v2_derived" -> "fstar_list_tot_base" - "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2_derived" -> "fstar_tactics_namedview" - "fstar_tactics_v2_derived" -> "fstar_tactics_namedview" - "fstar_tactics_v2_derived" -> "fstar_vconfig" - "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_v2_derived" -> 
"fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_v2_derived" -> "fstar_tactics_util" - "fstar_tactics_v2_derived" -> "fstar_tactics_util" - "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_result" - "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_types" - "fstar_tactics_v2_derived" -> "fstar_tactics_effect" - "fstar_tactics_v2_derived" -> "fstar_tactics_effect" - "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2_derived" -> "fstar_reflection_v2" - "fstar_tactics_v2_derived" -> "fstar_reflection_v2" - "fstar_tactics_v2_derived" -> "fstar_pervasives" - "fstar_tactics_v2_derived" -> "fstar_pervasives" - "fstar_tactics_v2_derived" -> "prims" - "fstar_tactics_v2_derived" -> "prims" - "fstar_uint128" -> "fstar_pervasives_native" - "fstar_uint128" -> "fstar_pervasives_native" - "fstar_uint128" -> "fstar_int_cast" - "fstar_uint128" -> "fstar_int_cast" - "fstar_uint128" -> "fstar_calc" - "fstar_uint128" -> "fstar_calc" - "fstar_uint128" -> "fstar_classical_sugar" - "fstar_uint128" -> "fstar_classical_sugar" - "fstar_uint128" -> "fstar_tactics_effect" - "fstar_uint128" -> "fstar_tactics_effect" - "fstar_uint128" -> "fstar_tactics_bv" - "fstar_uint128" -> "fstar_tactics_bv" - "fstar_uint128" -> "fstar_tactics_v2" - "fstar_uint128" -> "fstar_tactics_v2" - "fstar_uint128" -> "fstar_bv" - "fstar_uint128" -> "fstar_bv" - "fstar_uint128" -> "fstar_math_lemmas" - "fstar_uint128" -> "fstar_math_lemmas" - "fstar_uint128" -> "fstar_uint64" - "fstar_uint128" -> "fstar_uint64" - "fstar_uint128" -> "fstar_uint32" - "fstar_uint128" -> "fstar_uint32" - "fstar_uint128" -> "fstar_bitvector" - "fstar_uint128" -> "fstar_bitvector" - "fstar_uint128" -> "fstar_seq" - "fstar_uint128" -> "fstar_seq" - "fstar_uint128" -> "fstar_uint" - "fstar_uint128" -> "fstar_uint" - "fstar_uint128" -> "fstar_mul" - "fstar_uint128" -> "fstar_mul" - 
"fstar_uint128" -> "fstar_pervasives" - "fstar_uint128" -> "fstar_pervasives" - "fstar_uint128" -> "prims" - "fstar_uint128" -> "prims" - "fstar_uint128" -> "fstar_uint128" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "core" - "bitvec_equality" -> "core" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "prims" - "bitvec_equality" -> "prims" - "fstar_int8" -> "fstar_uint" - "fstar_int8" -> "fstar_uint" - "fstar_int8" -> "fstar_uint32" - "fstar_int8" -> "fstar_uint32" - "fstar_int8" -> "fstar_mul" - "fstar_int8" -> "fstar_mul" - "fstar_int8" -> "fstar_int" - "fstar_int8" -> "fstar_int" - "fstar_int8" -> "fstar_pervasives" - "fstar_int8" -> "fstar_pervasives" - "fstar_int8" -> "prims" - "fstar_int8" -> "prims" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "prims" - "rust_primitives_arrays" -> "prims" - "rust_primitives_arrays" -> "rust_primitives_arrays" - "fstar_int128" -> "fstar_int64" - "fstar_int128" -> "fstar_int64" - "fstar_int128" -> "fstar_uint" - "fstar_int128" -> "fstar_uint" - "fstar_int128" -> "fstar_uint32" - "fstar_int128" -> "fstar_uint32" - "fstar_int128" -> "fstar_mul" - "fstar_int128" -> "fstar_mul" - "fstar_int128" -> "fstar_int" - "fstar_int128" -> "fstar_int" - "fstar_int128" -> "fstar_pervasives" 
- "fstar_int128" -> "fstar_pervasives" - "fstar_int128" -> "prims" - "fstar_int128" -> "prims" - "fstar_uint16" -> "fstar_uint32" - "fstar_uint16" -> "fstar_uint32" - "fstar_uint16" -> "fstar_mul" - "fstar_uint16" -> "fstar_mul" - "fstar_uint16" -> "fstar_uint" - "fstar_uint16" -> "fstar_uint" - "fstar_uint16" -> "fstar_pervasives" - "fstar_uint16" -> "fstar_pervasives" - "fstar_uint16" -> "prims" - "fstar_uint16" -> "prims" - "fstar_calc" -> "fstar_range" - "fstar_calc" -> "fstar_preorder" - "fstar_calc" -> "fstar_preorder" - "fstar_calc" -> "fstar_pervasives" - "fstar_calc" -> "fstar_pervasives" - "fstar_calc" -> "prims" - "fstar_calc" -> "prims" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "core" - "bitvec_equality" -> "core" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "prims" - "bitvec_equality" -> "prims" - "bitvec_equality" -> "bitvec_equality" - "fstar_sealed" -> "fstar_pervasives" - "fstar_sealed" -> "fstar_pervasives" - "fstar_sealed" -> "prims" - "fstar_sealed" -> "prims" - "fstar_int" -> "fstar_seq" - "fstar_int" -> "fstar_seq" - "fstar_int" -> "fstar_uint" - "fstar_int" -> "fstar_uint" - "fstar_int" -> "fstar_math_lemmas" - "fstar_int" -> "fstar_math_lemmas" - "fstar_int" -> "fstar_bitvector" - "fstar_int" -> "fstar_bitvector" - "fstar_int" -> "fstar_mul" - "fstar_int" -> "fstar_mul" - "fstar_int" -> "fstar_pervasives" - "fstar_int" -> "fstar_pervasives" - "fstar_int" -> "prims" - "fstar_int" -> "prims" - "fstar_uint64" -> "fstar_uint32" - "fstar_uint64" -> "fstar_uint32" - "fstar_uint64" -> "fstar_mul" - "fstar_uint64" -> "fstar_mul" - "fstar_uint64" -> "fstar_uint" - "fstar_uint64" -> "fstar_uint" - "fstar_uint64" -> "fstar_pervasives" - "fstar_uint64" 
-> "fstar_pervasives" - "fstar_uint64" -> "prims" - "fstar_uint64" -> "prims" - "fstar_indefinitedescription" -> "fstar_ghost" - "fstar_indefinitedescription" -> "fstar_ghost" - "fstar_indefinitedescription" -> "fstar_squash" - "fstar_indefinitedescription" -> "fstar_squash" - "fstar_indefinitedescription" -> "fstar_classical" - "fstar_indefinitedescription" -> "fstar_classical" - "fstar_indefinitedescription" -> "fstar_pervasives" - "fstar_indefinitedescription" -> "fstar_pervasives" - "fstar_indefinitedescription" -> "prims" - "fstar_indefinitedescription" -> "prims" - "fstar_indefinitedescription" -> "fstar_indefinitedescription" - "fstar_int64" -> "fstar_uint32" - "fstar_int64" -> "fstar_uint32" - "fstar_int64" -> "fstar_math_lemmas" - "fstar_int64" -> "fstar_math_lemmas" - "fstar_int64" -> "fstar_mul" - "fstar_int64" -> "fstar_mul" - "fstar_int64" -> "fstar_int" - "fstar_int64" -> "fstar_int" - "fstar_int64" -> "fstar_pervasives" - "fstar_int64" -> "fstar_pervasives" - "fstar_int64" -> "prims" - "fstar_int64" -> "prims" - "fstar_int64" -> "fstar_int64" - "fstar_classical_sugar" -> "fstar_pervasives" - "fstar_classical_sugar" -> "fstar_pervasives" - "fstar_classical_sugar" -> "prims" - "fstar_classical_sugar" -> "prims" - "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" - "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" - "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" - "fstar_reflection_termeq_simple" -> "fstar_pervasives" - "fstar_reflection_termeq_simple" -> "fstar_pervasives" - "fstar_reflection_termeq_simple" -> "prims" - "fstar_reflection_termeq_simple" -> "prims" - "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq_simple" - "fstar_pervasives_native" -> "prims" - "fstar_pervasives_native" -> "prims" - "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_types" - "fstar_tactics_typeclasses" -> "fstar_tactics_effect" - "fstar_tactics_typeclasses" -> "fstar_tactics_effect" - 
"fstar_tactics_typeclasses" -> "fstar_pervasives" - "fstar_tactics_typeclasses" -> "fstar_pervasives" - "fstar_tactics_typeclasses" -> "prims" - "fstar_tactics_typeclasses" -> "prims" - "fstar_stubs_pprint" -> "fstar_float" - "fstar_stubs_pprint" -> "fstar_char" - "fstar_stubs_pprint" -> "fstar_pervasives" - "fstar_stubs_pprint" -> "fstar_pervasives" - "fstar_stubs_pprint" -> "prims" - "fstar_stubs_pprint" -> "prims" - "fstar_sealed_inhabited" -> "fstar_sealed" - "fstar_sealed_inhabited" -> "fstar_pervasives" - "fstar_sealed_inhabited" -> "fstar_pervasives" - "fstar_sealed_inhabited" -> "prims" - "fstar_sealed_inhabited" -> "prims" - "fstar_tactics_namedview" -> "fstar_list_tot" - "fstar_tactics_namedview" -> "fstar_list_tot" - "fstar_tactics_namedview" -> "fstar_pervasives_native" - "fstar_tactics_namedview" -> "fstar_pervasives_native" - "fstar_tactics_namedview" -> "fstar_stubs_reflection_v2_data" - "fstar_tactics_namedview" -> "fstar_reflection_v2" - "fstar_tactics_namedview" -> "fstar_reflection_v2" - "fstar_tactics_namedview" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_namedview" -> "fstar_tactics_util" - "fstar_tactics_namedview" -> "fstar_tactics_util" - "fstar_tactics_namedview" -> "fstar_tactics_effect" - "fstar_tactics_namedview" -> "fstar_tactics_effect" - "fstar_tactics_namedview" -> "fstar_pervasives" - "fstar_tactics_namedview" -> "fstar_pervasives" - "fstar_tactics_namedview" -> "prims" - "fstar_tactics_namedview" -> "prims" - "fstar_tactics_namedview" -> "fstar_tactics_namedview" - "fstar_heap" -> "fstar_preorder" - "fstar_heap" -> "fstar_preorder" - "fstar_heap" -> "fstar_monotonic_heap" - "fstar_heap" -> "fstar_monotonic_heap" - "fstar_heap" -> "fstar_pervasives" - "fstar_heap" -> "fstar_pervasives" - "fstar_heap" -> "prims" - "fstar_heap" -> "prims" - "mkseq" -> "fstar_tactics_effect" - "mkseq" -> "fstar_tactics_effect" - "mkseq" -> "fstar_classical" - "mkseq" -> "fstar_classical" - "mkseq" -> "fstar_list_tot" - "mkseq" -> 
"fstar_list_tot" - "mkseq" -> "fstar_pervasives_native" - "mkseq" -> "fstar_pervasives_native" - "mkseq" -> "fstar_tactics" - "mkseq" -> "fstar_tactics" - "mkseq" -> "fstar_seq" - "mkseq" -> "fstar_seq" - "mkseq" -> "fstar_reflection_v2" - "mkseq" -> "fstar_reflection_v2" - "mkseq" -> "rust_primitives_integers" - "mkseq" -> "rust_primitives_integers" - "mkseq" -> "fstar_tactics_v2" - "mkseq" -> "fstar_tactics_v2" - "mkseq" -> "core" - "mkseq" -> "core" - "mkseq" -> "fstar_pervasives" - "mkseq" -> "fstar_pervasives" - "mkseq" -> "prims" - "mkseq" -> "prims" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_types" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" - "fstar_tactics_v2_syntaxhelpers" -> "prims" - "fstar_tactics_v2_syntaxhelpers" -> "prims" - "bitvec_intrinsics_constants" -> "fstar_tactics_visit" - "bitvec_intrinsics_constants" -> "fstar_tactics_visit" - "bitvec_intrinsics_constants" -> "tactics_seq" - "bitvec_intrinsics_constants" -> "tactics_seq" - "bitvec_intrinsics_constants" -> "tactics_pow2" - "bitvec_intrinsics_constants" -> "tactics_pow2" - "bitvec_intrinsics_constants" -> "fstar_tactics_effect" - "bitvec_intrinsics_constants" -> "fstar_tactics_effect" - "bitvec_intrinsics_constants" -> 
"fstar_list_tot" - "bitvec_intrinsics_constants" -> "fstar_list_tot" - "bitvec_intrinsics_constants" -> "fstar_reflection_v2" - "bitvec_intrinsics_constants" -> "fstar_reflection_v2" - "bitvec_intrinsics_constants" -> "fstar_pervasives_native" - "bitvec_intrinsics_constants" -> "fstar_pervasives_native" - "bitvec_intrinsics_constants" -> "fstar_tactics" - "bitvec_intrinsics_constants" -> "fstar_tactics" - "bitvec_intrinsics_constants" -> "tactics_utils" - "bitvec_intrinsics_constants" -> "tactics_utils" - "bitvec_intrinsics_constants" -> "fstar_tactics_v2" - "bitvec_intrinsics_constants" -> "fstar_tactics_v2" - "bitvec_intrinsics_constants" -> "fstar_int32" - "bitvec_intrinsics_constants" -> "fstar_int32" - "bitvec_intrinsics_constants" -> "fstar_int16" - "bitvec_intrinsics_constants" -> "fstar_int16" - "bitvec_intrinsics_constants" -> "bitvec_equality" - "bitvec_intrinsics_constants" -> "bitvec_equality" - "bitvec_intrinsics_constants" -> "bitvec_utils" - "bitvec_intrinsics_constants" -> "bitvec_utils" - "bitvec_intrinsics_constants" -> "fstar_functionalextensionality" - "bitvec_intrinsics_constants" -> "fstar_functionalextensionality" - "bitvec_intrinsics_constants" -> "fstar_mul" - "bitvec_intrinsics_constants" -> "fstar_mul" - "bitvec_intrinsics_constants" -> "rust_primitives" - "bitvec_intrinsics_constants" -> "rust_primitives" - "bitvec_intrinsics_constants" -> "core" - "bitvec_intrinsics_constants" -> "core" - "bitvec_intrinsics_constants" -> "fstar_pervasives" - "bitvec_intrinsics_constants" -> "fstar_pervasives" - "bitvec_intrinsics_constants" -> "prims" - "bitvec_intrinsics_constants" -> "prims" - "fstar_order" -> "fstar_pervasives_native" - "fstar_order" -> "fstar_pervasives_native" - "fstar_order" -> "fstar_pervasives" - "fstar_order" -> "fstar_pervasives" - "fstar_order" -> "prims" - "fstar_order" -> "prims" - "fstar_tactics_effect" -> "fstar_range" - "fstar_tactics_effect" -> "fstar_stubs_tactics_result" - "fstar_tactics_effect" -> 
"fstar_stubs_tactics_types" - "fstar_tactics_effect" -> "fstar_stubs_reflection_types" - "fstar_tactics_effect" -> "fstar_monotonic_pure" - "fstar_tactics_effect" -> "fstar_monotonic_pure" - "fstar_tactics_effect" -> "fstar_pervasives" - "fstar_tactics_effect" -> "fstar_pervasives" - "fstar_tactics_effect" -> "prims" - "fstar_tactics_effect" -> "prims" - "core_ops" -> "core_ops_index" - "core_ops" -> "core_ops_index" - "core_ops" -> "fstar_tactics_typeclasses" - "core_ops" -> "fstar_tactics_typeclasses" - "core_ops" -> "rust_primitives" - "core_ops" -> "rust_primitives" - "core_ops" -> "fstar_pervasives" - "core_ops" -> "fstar_pervasives" - "core_ops" -> "prims" - "core_ops" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "fstar_mul" - "libcrux_intrinsics_avx2_extract" -> "core" - "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" - "libcrux_intrinsics_avx2_extract" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "libcrux_intrinsics_avx2_extract" - "core_result" -> "fstar_pervasives" - "core_result" -> "fstar_pervasives" - "core_result" -> "prims" - "core_result" -> "prims" - "fstar_monotonic_heap" -> "fstar_erasedlogic" - "fstar_monotonic_heap" -> "fstar_erasedlogic" - "fstar_monotonic_heap" -> "fstar_squash" - "fstar_monotonic_heap" -> "fstar_squash" - "fstar_monotonic_heap" -> "fstar_set" - "fstar_monotonic_heap" -> "fstar_set" - "fstar_monotonic_heap" -> "fstar_pervasives_native" - "fstar_monotonic_heap" -> "fstar_pervasives_native" - "fstar_monotonic_heap" -> "fstar_functionalextensionality" - "fstar_monotonic_heap" -> "fstar_functionalextensionality" - "fstar_monotonic_heap" -> "fstar_classical" - "fstar_monotonic_heap" -> "fstar_classical" - "fstar_monotonic_heap" -> "fstar_preorder" - "fstar_monotonic_heap" -> "fstar_preorder" - "fstar_monotonic_heap" -> "fstar_pervasives" - "fstar_monotonic_heap" -> "fstar_pervasives" - "fstar_monotonic_heap" -> "prims" - "fstar_monotonic_heap" -> "prims" - "fstar_monotonic_heap" -> "fstar_monotonic_heap" - 
"fstar_tactics_smt" -> "fstar_vconfig" - "fstar_tactics_smt" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_smt" -> "fstar_tactics_effect" - "fstar_tactics_smt" -> "fstar_tactics_effect" - "fstar_tactics_smt" -> "fstar_pervasives" - "fstar_tactics_smt" -> "fstar_pervasives" - "fstar_tactics_smt" -> "prims" - "fstar_tactics_smt" -> "prims" - "fstar_reflection_v2_compare" -> "fstar_order" - "fstar_reflection_v2_compare" -> "fstar_order" - "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2_compare" -> "fstar_pervasives" - "fstar_reflection_v2_compare" -> "fstar_pervasives" - "fstar_reflection_v2_compare" -> "prims" - "fstar_reflection_v2_compare" -> "prims" - "fstar_int64" -> "fstar_uint" - "fstar_int64" -> "fstar_uint" - "fstar_int64" -> "fstar_uint32" - "fstar_int64" -> "fstar_uint32" - "fstar_int64" -> "fstar_mul" - "fstar_int64" -> "fstar_mul" - "fstar_int64" -> "fstar_int" - "fstar_int64" -> "fstar_int" - "fstar_int64" -> "fstar_pervasives" - "fstar_int64" -> "fstar_pervasives" - "fstar_int64" -> "prims" - "fstar_int64" -> "prims" - "core_iter_adapters_enumerate" -> "rust_primitives" - "core_iter_adapters_enumerate" -> "rust_primitives" - "core_iter_adapters_enumerate" -> "fstar_pervasives" - "core_iter_adapters_enumerate" -> "fstar_pervasives" - "core_iter_adapters_enumerate" -> "prims" - "core_iter_adapters_enumerate" -> "prims" - "fstar_reflection_v1_formula" -> "fstar_pervasives_native" - "fstar_reflection_v1_formula" -> "fstar_pervasives_native" - "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_data" - "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_builtins" - "fstar_reflection_v1_formula" -> "fstar_reflection_const" - "fstar_reflection_v1_formula" -> "fstar_reflection_const" - 
"fstar_reflection_v1_formula" -> "fstar_stubs_reflection_types" - "fstar_reflection_v1_formula" -> "fstar_stubs_tactics_v1_builtins" - "fstar_reflection_v1_formula" -> "fstar_tactics_effect" - "fstar_reflection_v1_formula" -> "fstar_tactics_effect" - "fstar_reflection_v1_formula" -> "fstar_list_tot_base" - "fstar_reflection_v1_formula" -> "fstar_list_tot_base" - "fstar_reflection_v1_formula" -> "fstar_pervasives" - "fstar_reflection_v1_formula" -> "fstar_pervasives" - "fstar_reflection_v1_formula" -> "prims" - "fstar_reflection_v1_formula" -> "prims" -} diff --git a/libcrux-sha3/Cargo.toml b/libcrux-sha3/Cargo.toml index d76bbd9ca..85ed0be95 100644 --- a/libcrux-sha3/Cargo.toml +++ b/libcrux-sha3/Cargo.toml @@ -20,7 +20,7 @@ libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics" # This is only required for verification. # The hax config is set by the hax toolchain. [target.'cfg(hax)'.dependencies] -hax-lib.workspace = true +hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" } [features] simd128 = [] diff --git a/libcrux-sha3/src/generic_keccak.rs b/libcrux-sha3/src/generic_keccak.rs index 0e3e853c8..8751d95d5 100644 --- a/libcrux-sha3/src/generic_keccak.rs +++ b/libcrux-sha3/src/generic_keccak.rs @@ -57,7 +57,7 @@ impl Self { Self { inner: KeccakState::new(), diff --git a/proofs/fstar/extraction-edited/Makefile b/proofs/fstar/extraction-edited/Makefile index ec420d509..6b294a42d 100644 --- a/proofs/fstar/extraction-edited/Makefile +++ b/proofs/fstar/extraction-edited/Makefile 
@@ -1 +1,150 @@ -include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template +# This is a generically useful Makefile for F* that is self-contained +# +# It is tempting to factor this out into multiple Makefiles but that +# makes it less portable, so resist temptation, or move to a more +# sophisticated build system. +# +# We expect FSTAR_HOME to be set to your FSTAR repo/install directory +# We expect HACL_HOME to be set to your HACL* repo location +# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc. +# +# ROOTS contains all the top-level F* files you wish to verify +# The default target `verify` verified ROOTS and its dependencies +# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line +# +# +# To make F* emacs mode use the settings in this file, you need to +# add the following lines to your .emacs +# +# (setq-default fstar-executable "/bin/fstar.exe") +# (setq-default fstar-smt-executable "/bin/z3") +# +# (defun my-fstar-compute-prover-args-using-make () +# "Construct arguments to pass to F* by calling make." +# (with-demoted-errors "Error when constructing arg string: %S" +# (let* ((fname (file-name-nondirectory buffer-file-name)) +# (target (concat fname "-in")) +# (argstr (car (process-lines "make" "--quiet" target)))) +# (split-string argstr)))) +# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) +# + +WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/.. 
+ +HAX_HOME ?= $(WORKSPACE_ROOT)/hax +HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar +HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction +FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar +HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star +FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe") + +CACHE_DIR ?= .cache +HINT_DIR ?= .hints + +.PHONY: all verify verify-lax clean + +all: + rm -f .depend && $(MAKE) .depend + $(MAKE) verify + +ifeq ($(OTHERFLAGS),$(subst --admit_smt_queries true,,$(OTHERFLAGS))) +FSTAR_HINTS ?= --use_hints --use_hint_hashes --record_hints +else +FSTAR_HINTS ?= --use_hints --use_hint_hashes +endif + +VERIFIED = \ + Libcrux.Digest.fsti \ + Libcrux.Kem.Kyber.Constants.fsti \ + Libcrux.Kem.Kyber.Hash_functions.fsti \ + Libcrux.Kem.Kyber.Hash_functions.fst \ + Libcrux.Kem.Kyber.Types.fst \ + Libcrux.Kem.Kyber.Kyber768.fsti \ + Libcrux.Kem.Kyber.Kyber768.fst \ + Libcrux.Kem.Kyber.Kyber1024.fsti \ + Libcrux.Kem.Kyber.Kyber1024.fst \ + Libcrux.Kem.Kyber.Kyber512.fsti \ + Libcrux.Kem.Kyber.Kyber512.fst \ + Libcrux.Kem.Kyber.Ind_cpa.fsti \ + Libcrux.Kem.Kyber.Ind_cpa.fst \ + Libcrux.Kem.Kyber.fsti \ + Libcrux.Kem.Kyber.fst \ + Libcrux.Kem.Kyber.Arithmetic.fsti \ + Libcrux.Kem.Kyber.Arithmetic.fst \ + Libcrux.Kem.Kyber.Compress.fsti \ + Libcrux.Kem.Kyber.Compress.fst \ + Libcrux.Kem.Kyber.Constant_time_ops.fsti \ + Libcrux.Kem.Kyber.Constant_time_ops.fst \ + Libcrux.Kem.Kyber.Matrix.fsti \ + Libcrux.Kem.Kyber.Matrix.fst \ + Libcrux.Kem.Kyber.Ntt.fsti \ + Libcrux.Kem.Kyber.Ntt.fst \ + Libcrux.Kem.Kyber.Sampling.fst \ + Libcrux.Kem.Kyber.Serialize.fsti \ + Libcrux.Kem.Kyber.Serialize.fst + +UNVERIFIED = + + +VERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(VERIFIED))) +UNVERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(UNVERIFIED))) + +# By default, we process all the files in the current directory. 
Here, we +# *extend* the set of relevant files with the tests. +ROOTS = $(UNVERIFIED) $(VERIFIED) + +FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) + +FSTAR_FLAGS = $(FSTAR_HINTS) \ + --cmi \ + --warn_error -331 \ + --warn_error -321 \ + --warn_error -274 \ + --query_stats \ + --cache_checked_modules --cache_dir $(CACHE_DIR) \ + --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ + $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) + +# --log_queries \ +# --z3version 4.12.3 \ +# --smtencoding.l_arith_repr native \ +# --smtencoding.nl_arith_repr native \ + +FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS) + + +.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) + $(info $(ROOTS)) + $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ + +include .depend + +$(HINT_DIR): + mkdir -p $@ + +$(CACHE_DIR): + mkdir -p $@ + +$(UNVERIFIED_CHECKED): OTHERFLAGS=--admit_smt_queries true +$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) + $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints + +verify: $(UNVERIFIED_CHECKED) $(VERIFIED_CHECKED) + +# Targets for interactive mode + +%.fst-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) + +%.fsti-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) + + +# Clean targets + +SHELL=/usr/bin/env bash + +clean: + rm -rf $(CACHE_DIR)/* diff --git a/proofs/fstar/extraction-secret-independent/Makefile b/proofs/fstar/extraction-secret-independent/Makefile index ec420d509..3c4a3f008 100644 --- a/proofs/fstar/extraction-secret-independent/Makefile +++ b/proofs/fstar/extraction-secret-independent/Makefile 
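Review bot: The `$(CACHE_DIR)/%.checked` recipe and the `%.fst-in`/`%.fsti-in` targets pass `$(ENABLE_HINTS)`, but nothing in this Makefile assigns that variable — the hint flags are assembled in `FSTAR_HINTS` and already reach F* through `FSTAR_FLAGS` — so the reference expands to nothing; either delete it or rename it to the variable that is actually defined. The same dangling reference appears in the proofs/fstar/extraction-secret-independent/Makefile and proofs/fstar/extraction/Makefile hunks. `.PHONY` also lists a `verify-lax` target that the file never defines. In `FSTAR_BIN`, the order `1>&2 2> /dev/null` sends `command -v`'s stdout to make's stderr before stderr is discarded, so the resolved path is echoed on every invocation; `command -v fstar.exe > /dev/null 2>&1 && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe"` silences it.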
@@ -1 +1,134 @@ -include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template +# This is a generically useful Makefile for F* that is self-contained +# +# It is tempting to factor this out into multiple Makefiles but that +# makes it less portable, so resist temptation, or move to a more +# sophisticated build system. +# +# We expect FSTAR_HOME to be set to your FSTAR repo/install directory +# We expect HACL_HOME to be set to your HACL* repo location +# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc. +# +# ROOTS contains all the top-level F* files you wish to verify +# The default target `verify` verified ROOTS and its dependencies +# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line +# +# +# To make F* emacs mode use the settings in this file, you need to +# add the following lines to your .emacs +# +# (setq-default fstar-executable "/bin/fstar.exe") +# (setq-default fstar-smt-executable "/bin/z3") +# +# (defun my-fstar-compute-prover-args-using-make () +# "Construct arguments to pass to F* by calling make." +# (with-demoted-errors "Error when constructing arg string: %S" +# (let* ((fname (file-name-nondirectory buffer-file-name)) +# (target (concat fname "-in")) +# (argstr (car (process-lines "make" "--quiet" target)))) +# (split-string argstr)))) +# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) +# + +WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/.. 
+ +HAX_HOME ?= $(WORKSPACE_ROOT)/hax +HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar-secret-integers +HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction +FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar +HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star +FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe") + +CACHE_DIR ?= .cache +HINT_DIR ?= .hints + +.PHONY: all verify verify-lax clean + +all: + rm -f .depend && $(MAKE) .depend + $(MAKE) verify + + +SECRET_INDEPENDENT = \ + Libcrux.Kem.Kyber.Constants.fsti \ + Libcrux.Digest.fsti \ + Libcrux.Kem.Kyber.Hash_functions.fsti \ + Libcrux.Kem.Kyber.Hash_functions.fst \ + Libcrux.Kem.Kyber.Kyber768.fsti \ + Libcrux.Kem.Kyber.Kyber768.fst \ + Libcrux.Kem.Kyber.Kyber1024.fsti \ + Libcrux.Kem.Kyber.Kyber1024.fst \ + Libcrux.Kem.Kyber.Kyber512.fsti \ + Libcrux.Kem.Kyber.Kyber512.fst \ + Libcrux.Kem.Kyber.Types.fst \ + Libcrux.Kem.Kyber.fsti \ + Libcrux.Kem.Kyber.fst \ + Libcrux.Kem.Kyber.Ind_cpa.fsti \ + Libcrux.Kem.Kyber.Ind_cpa.fst \ + Libcrux.Kem.Kyber.Arithmetic.fsti \ + Libcrux.Kem.Kyber.Arithmetic.fst \ + Libcrux.Kem.Kyber.Compress.fsti \ + Libcrux.Kem.Kyber.Compress.fst \ + Libcrux.Kem.Kyber.Constant_time_ops.fsti \ + Libcrux.Kem.Kyber.Constant_time_ops.fst \ + Libcrux.Kem.Kyber.Matrix.fsti \ + Libcrux.Kem.Kyber.Matrix.fst \ + Libcrux.Kem.Kyber.Ntt.fsti \ + Libcrux.Kem.Kyber.Ntt.fst \ + Libcrux.Kem.Kyber.Sampling.fst \ + Libcrux.Kem.Kyber.Serialize.fsti \ + Libcrux.Kem.Kyber.Serialize.fst + +SECRET_INDEPENDENT_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(SECRET_INDEPENDENT))) + +# By default, we process all the files in the current directory. Here, we +# *extend* the set of relevant files with the tests. 
+ROOTS = $(SECRET_INDEPENDENT) + +FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) + +FSTAR_FLAGS = --cmi \ + --warn_error -331-321-274 \ + --admit_smt_queries true \ + --cache_checked_modules --cache_dir $(CACHE_DIR) \ + --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ + $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) + +FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS) + + +.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) + $(info $(ROOTS)) + $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ + +include .depend + +$(HINT_DIR): + mkdir -p $@ + +$(CACHE_DIR): + mkdir -p $@ + +$(SECRET_INDEPENDENT_CHECKED): OTHERFLAGS=--admit_smt_queries true +$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) + $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints + +verify: $(SECRET_INDEPENDENT_CHECKED) + +# Targets for interactive mode + +%.fst-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) + +%.fsti-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) + + +# Clean targets + +SHELL=/usr/bin/env bash + +clean: + rm -rf $(CACHE_DIR)/* + rm *.fst diff --git a/proofs/fstar/extraction/Makefile b/proofs/fstar/extraction/Makefile index ec420d509..763274af1 100644 --- a/proofs/fstar/extraction/Makefile +++ b/proofs/fstar/extraction/Makefile 
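Review bot: `FSTAR_FLAGS` hard-codes `--admit_smt_queries true`, so every module in `SECRET_INDEPENDENT` is only typechecked and a green `verify` in this directory discharges no proof obligation; that is presumably intended for a secret-independence check carried by the secret-integer types, but the file should say so, e.g. `# Secret independence is a typing property: SMT queries are admitted here, so this target never establishes functional correctness.` above `FSTAR_FLAGS`, and with the global flag the target-specific `$(SECRET_INDEPENDENT_CHECKED): OTHERFLAGS=--admit_smt_queries true` line is redundant. Separately, the `clean` target's `rm *.fst` removes the `.fst` sources that `SECRET_INDEPENDENT` lists as inputs rather than build products, and without `-f` it fails the recipe when no `.fst` file is present; if those files are regenerated by extraction, `rm -f *.fst` is the safer form, otherwise the line should go.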
@@ -1 +1,127 @@
-include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template
+# This is a generically useful Makefile for F* that is self-contained
+#
+# It is tempting to factor this out into multiple Makefiles but that
+# makes it less portable, so resist temptation, or move to a more
+# sophisticated build system.
+#
+# We expect FSTAR_HOME to be set to your FSTAR repo/install directory
+# We expect HACL_HOME to be set to your HACL* repo location
+# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc.
+#
+# ROOTS contains all the top-level F* files you wish to verify
+# The default target `verify` verified ROOTS and its dependencies
+# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line
+#
+#
+# To make F* emacs mode use the settings in this file, you need to
+# add the following lines to your .emacs
+#
+# (setq-default fstar-executable "/bin/fstar.exe")
+# (setq-default fstar-smt-executable "/bin/z3")
+#
+# (defun my-fstar-compute-prover-args-using-make ()
+# "Construct arguments to pass to F* by calling make."
+# (with-demoted-errors "Error when constructing arg string: %S"
+# (let* ((fname (file-name-nondirectory buffer-file-name))
+# (target (concat fname "-in"))
+# (argstr (car (process-lines "make" "--quiet" target))))
+# (split-string argstr))))
+# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make)
+#
+
+WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/..
+
+HAX_HOME ?= $(WORKSPACE_ROOT)/hax
+HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar
+HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction
+FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar
+HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star
+FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe")
+
+CACHE_DIR ?= .cache
+HINT_DIR ?= .hints
+
+.PHONY: all verify verify-lax clean
+
+all:
+ rm -f .depend && $(MAKE) .depend
+ $(MAKE) verify
+
+
+VERIFIED = \
+ Libcrux.Kem.Kyber.Constants.fsti \
+ Libcrux.Kem.Kyber.Kyber768.fst \
+ Libcrux.Kem.Kyber.Kyber1024.fst \
+ Libcrux.Kem.Kyber.Kyber512.fst
+
+
+UNVERIFIED = \
+ Libcrux.Kem.Kyber.Types.fst \
+ Libcrux.Kem.Kyber.fst \
+ Libcrux.Kem.Kyber.Ind_cpa.fst \
+ Libcrux.Kem.Kyber.Arithmetic.fst \
+ Libcrux.Kem.Kyber.Arithmetic.fsti \
+ Libcrux.Kem.Kyber.Compress.fst \
+ Libcrux.Kem.Kyber.Constant_time_ops.fst \
+ Libcrux.Digest.fsti \
+ Libcrux.Digest.Incremental_x4.fsti \
+ Libcrux.Kem.Kyber.Hash_functions.fst \
+ Libcrux.Kem.Kyber.Matrix.fst \
+ Libcrux.Kem.Kyber.Ntt.fst \
+ Libcrux.Kem.Kyber.Sampling.fst \
+ Libcrux.Kem.Kyber.Serialize.fst
+
+VERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(VERIFIED)))
+UNVERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(UNVERIFIED)))
+
+# By default, we process all the files in the current directory. Here, we
+# *extend* the set of relevant files with the tests.
+ROOTS = $(UNVERIFIED) $(VERIFIED)
+
+FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) ../../../sys/platform/proofs/fstar/extraction/
+
+FSTAR_FLAGS = --cmi \
+ --warn_error -331-321-274 \
+ --cache_checked_modules --cache_dir $(CACHE_DIR) \
+ --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \
+ $(addprefix --include ,$(FSTAR_INCLUDE_DIRS))
+
+FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS)
+
+
+.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS)
+ $(info $(ROOTS))
+ $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@
+
+include .depend
+
+$(HINT_DIR):
+ mkdir -p $@
+
+$(CACHE_DIR):
+ mkdir -p $@
+
+$(UNVERIFIED_CHECKED): OTHERFLAGS=--admit_smt_queries true
+$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR)
+ $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints
+
+verify: $(UNVERIFIED_CHECKED) $(VERIFIED_CHECKED)
+
+# Targets for interactive mode
+
+%.fst-in:
+ $(info $(FSTAR_FLAGS) \
+ $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints)
+
+%.fsti-in:
+ $(info $(FSTAR_FLAGS) \
+ $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints)
+
+
+# Clean targets
+
+SHELL=/usr/bin/env bash
+
+clean:
+ rm -rf $(CACHE_DIR)/*
+ rm *.fst
diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti
index 95dad6932..e8713dad5 100644
--- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti
+++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti
@@ -1,5 +1,5 @@
 module Libcrux_platform.Platform
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
 open Core
 open FStar.Mul
diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti
index 968a5585c..0b77def1e 100644
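Review bot: `verify` is satisfied by `$(UNVERIFIED_CHECKED)`, which this hunk builds under the target-specific `OTHERFLAGS=--admit_smt_queries true`, so a green `make verify` attests only the four `VERIFIED` modules, while the header comment still says the default target verifies ROOTS and its dependencies. I would state that next to the rule, e.g. `# UNVERIFIED modules are checked with every SMT query admitted; only VERIFIED modules are actually proven`, and correct the header sentence accordingly. The comment above `ROOTS = $(UNVERIFIED) $(VERIFIED)` ("we process all the files in the current directory … *extend* … with the tests") no longer describes the explicit root list and should be dropped; the Makefile in the preceding hunk carries the same stale comment and, beyond that, puts `--admit_smt_queries true` into `FSTAR_FLAGS` itself, where it admits every module its `verify` touches. `.PHONY` also declares a `verify-lax` target that this file never defines.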
--- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti
+++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti
@@ -1,5 +1,5 @@
 module Libcrux_platform.X86
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
 open Core
 open FStar.Mul
diff --git a/sys/pqclean/src/bindings.rs b/sys/pqclean/src/bindings.rs
index 9c1755073..5f6602af9 100644
--- a/sys/pqclean/src/bindings.rs
+++ b/sys/pqclean/src/bindings.rs
@@ -1,4 +1,4 @@
-/* automatically generated by rust-bindgen 0.69.5 */
+/* automatically generated by rust-bindgen 0.69.4 */
 pub const SHAKE128_RATE: u32 = 168;
 pub const SHAKE256_RATE: u32 = 136;
From 737728580477d25f17d20f2349472422c9863192 Mon Sep 17 00:00:00 2001
From: Karthikeyan Bhargavan
Date: Tue, 29 Oct 2024 20:13:49 +0100
Subject: [PATCH 21/74] cleanup
---
 .../Libcrux_ml_kem.Types.Unpacked.fsti | 48 --
 .../Libcrux_ml_kem.Vector.Avx2.Portable.fsti | 30 --
 ..._kem.Vector.Portable.Serialize.Edited.fsti | 100 ----
 .../Libcrux_ml_kem.Vector.Portable.fst | 59 ---
 libcrux-ml-kem/proofs/fstar/spec/Makefile | 1 -
 .../fstar/spec/Spec.MLKEM.Instances.fst | 64 ---
 .../proofs/fstar/spec/Spec.MLKEM.Math.fst | 293 -----------
 .../proofs/fstar/spec/Spec.MLKEM.fst | 343 ------------
 .../proofs/fstar/spec/Spec.Utils.fst | 493 ------------------
 9 files changed, 1431 deletions(-)
 delete mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.Unpacked.fsti
 delete mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Portable.fsti
 delete mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.Edited.fsti
 delete mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst
 delete mode 100644 libcrux-ml-kem/proofs/fstar/spec/Makefile
 delete mode 100644 libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Instances.fst
 delete mode 100644 libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst
 delete mode 100644 libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.fst
 delete mode 100644 libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.Unpacked.fsti
deleted file mode 100644
index 1910c0b08..000000000
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.Unpacked.fsti
+++ /dev/null
@@ -1,48 +0,0 @@
-module Libcrux_ml_kem.Types.Unpacked
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
-open Core
-open FStar.Mul
-
-let _ =
- (* This module has implicit dependencies, here we make them explicit. *)
- (* The implicit dependencies arise from typeclasses instances. *)
- let open Libcrux_ml_kem.Vector.Traits in
- ()
-
-/// An unpacked ML-KEM IND-CPA Private Key
-type t_IndCpaPrivateKeyUnpacked
- (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- = { f_secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K }
-
-/// An unpacked ML-KEM IND-CPA Private Key
-type t_IndCpaPublicKeyUnpacked
- (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- = {
- f_t_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K;
- f_seed_for_A:t_Array u8 (sz 32);
- f_A:t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K
-}
-
-/// An unpacked ML-KEM IND-CCA Private Key
-type t_MlKemPrivateKeyUnpacked
- (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- = {
- f_ind_cpa_private_key:t_IndCpaPrivateKeyUnpacked v_K v_Vector;
- f_implicit_rejection_value:t_Array u8 (sz 32)
-}
-
-/// An unpacked ML-KEM IND-CCA Private Key
-type t_MlKemPublicKeyUnpacked
- (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- = {
- f_ind_cpa_public_key:t_IndCpaPublicKeyUnpacked v_K v_Vector;
- f_public_key_hash:t_Array u8 (sz 32)
-}
-
-/// An unpacked ML-KEM KeyPair
-type t_MlKemKeyPairUnpacked
- (v_K: usize) (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |}
- = {
- f_private_key:t_MlKemPrivateKeyUnpacked v_K v_Vector;
- f_public_key:t_MlKemPublicKeyUnpacked v_K v_Vector
-}
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Portable.fsti deleted file mode 100644 index fe64003c4..000000000 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Portable.fsti +++ /dev/null @@ -1,30 +0,0 @@ -module Libcrux_ml_kem.Vector.Avx2.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul - -val deserialize_11_int (bytes: t_Slice u8) - : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - Prims.l_True - (fun _ -> Prims.l_True) - -val serialize_11_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) - Prims.l_True - (fun _ -> Prims.l_True) - -type t_PortableVector = { f_elements:t_Array i16 (sz 16) } - -val from_i16_array (array: t_Array i16 (sz 16)) - : Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) - -val serialize_11_ (v: t_PortableVector) - : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) - -val to_i16_array (v: t_PortableVector) - : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True) - -val zero: Prims.unit -> Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) - -val deserialize_11_ (bytes: t_Slice u8) - : Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.Edited.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.Edited.fsti deleted file mode 100644 index 4ed69770d..000000000 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.Edited.fsti +++ /dev/null 
@@ -1,100 +0,0 @@ -module Libcrux_ml_kem.Vector.Portable.Serialize.Edited -// #set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -// open Core -// open FStar.Mul - -// val deserialize_10_int (bytes: t_Slice u8) -// : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_11_int (bytes: t_Slice u8) -// : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_12_int (bytes: t_Slice u8) -// : Prims.Pure (i16 & i16) Prims.l_True (fun _ -> Prims.l_True) - -// val deserialize_4_int (bytes: t_Slice u8) -// : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_5_int (bytes: t_Slice u8) -// : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val serialize_10_int (v: t_Slice i16) -// : Prims.Pure (u8 & u8 & u8 & u8 & u8) -// (requires (Core.Slice.impl__len #i16 v <: usize) =. sz 4) -// (ensures -// fun tuple -> -// let tuple:(u8 & u8 & u8 & u8 & u8) = tuple in -// BitVecEq.int_t_array_bitwise_eq' (v <: t_Array i16 (sz 4)) 10 (MkSeq.create5 tuple) 8) - -// val serialize_11_int (v: t_Slice i16) -// : Prims.Pure (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) -// (requires Seq.length v == 8 /\ (forall i. 
Rust_primitives.bounded (Seq.index v i) 11)) -// (ensures -// fun tuple -> -// let tuple:(u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) = tuple in -// BitVecEq.int_t_array_bitwise_eq' (v <: t_Array i16 (sz 8)) 11 (MkSeq.create11 tuple) 8) - -// val serialize_12_int (v: t_Slice i16) -// : Prims.Pure (u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_4_int (v: t_Slice i16) -// : Prims.Pure (u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_5_int (v: t_Slice i16) -// : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -// : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -// : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -// : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -// : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -// : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -// val serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -// : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) - -// val deserialize_1_ (v: t_Slice u8) -// : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_10_ (bytes: t_Slice u8) -// : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_11_ (bytes: t_Slice u8) -// : Prims.Pure 
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_12_ (bytes: t_Slice u8) -// : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_4_ (bytes: t_Slice u8) -// : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector -// Prims.l_True -// (fun _ -> Prims.l_True) - -// val deserialize_5_ (bytes: t_Slice u8) -// : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector -// Prims.l_True -// (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst deleted file mode 100644 index 0ca12f7ff..000000000 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fst +++ /dev/null 
@@ -1,59 +0,0 @@ -module Libcrux_ml_kem.Vector.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open Core -open FStar.Mul - -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable.Vector_type in - let open Libcrux_ml_kem.Vector.Traits in - () - -let deserialize_11_ (a: t_Slice u8) = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_11_ a - -let deserialize_5_ (a: t_Slice u8) = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_5_ a - -let serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_11_ a - -let serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_5_ a - -let deserialize_1_ (a: t_Slice u8) = - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_lemma a in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_bounded_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_ a - -let deserialize_10_ (a: t_Slice u8) = - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma a in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_bounded_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_ a - -let deserialize_12_ (a: t_Slice u8) = - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma a in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_bounded_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_ a - -let deserialize_4_ (a: t_Slice u8) = - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_lemma a in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_bounded_lemma a in - 
Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_ a - -let serialize_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let _:Prims.unit = assert (forall i. Rust_primitives.bounded (Seq.index a.f_elements i) 1) in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_ a - -let serialize_10_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_ a - -let serialize_12_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_ a - -let serialize_4_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let _:Prims.unit = assert (forall i. Rust_primitives.bounded (Seq.index a.f_elements i) 4) in - let _:Prims.unit = Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_lemma a in - Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_ a diff --git a/libcrux-ml-kem/proofs/fstar/spec/Makefile b/libcrux-ml-kem/proofs/fstar/spec/Makefile deleted file mode 100644 index b4ce70a38..000000000 --- a/libcrux-ml-kem/proofs/fstar/spec/Makefile +++ /dev/null @@ -1 +0,0 @@ -include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Instances.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Instances.fst deleted file mode 100644 index f598ee0ff..000000000 --- a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Instances.fst +++ /dev/null 
@@ -1,64 +0,0 @@ -module Spec.MLKEM.Instances -#set-options "--fuel 0 --ifuel 1 --z3rlimit 30" -open FStar.Mul -open Core -open Spec.Utils -open Spec.MLKEM.Math -open Spec.MLKEM - - -(** MLKEM-768 Instantiation *) - -let mlkem768_rank : rank = sz 3 - -#push-options "--z3rlimit 300" -let mlkem768_generate_keypair (randomness:t_Array u8 (sz 64)): - (t_Array u8 (sz 2400) & t_Array u8 (sz 1184)) & bool = - ind_cca_generate_keypair mlkem768_rank randomness - -let mlkem768_encapsulate (public_key: t_Array u8 (sz 1184)) (randomness: t_Array u8 (sz 32)): - (t_Array u8 (sz 1088) & t_Array u8 (sz 32)) & bool = - ind_cca_encapsulate mlkem768_rank public_key randomness - -let mlkem768_decapsulate (secret_key: t_Array u8 (sz 2400)) (ciphertext: t_Array u8 (sz 1088)): - t_Array u8 (sz 32) & bool = - ind_cca_decapsulate mlkem768_rank secret_key ciphertext - -(** MLKEM-1024 Instantiation *) - -let mlkem1024_rank = sz 4 - -let mlkem1024_generate_keypair (randomness:t_Array u8 (sz 64)): - (t_Array u8 (sz 3168) & t_Array u8 (sz 1568)) & bool = - ind_cca_generate_keypair mlkem1024_rank randomness - -#set-options "--z3rlimit 100" -let mlkem1024_encapsulate (public_key: t_Array u8 (sz 1568)) (randomness: t_Array u8 (sz 32)): - (t_Array u8 (sz 1568) & t_Array u8 (sz 32)) & bool = - assert (v_CPA_CIPHERTEXT_SIZE mlkem1024_rank == sz 1568); - ind_cca_encapsulate mlkem1024_rank public_key randomness - -let mlkem1024_decapsulate (secret_key: t_Array u8 (sz 3168)) (ciphertext: t_Array u8 (sz 1568)): - t_Array u8 (sz 32) & bool = - ind_cca_decapsulate mlkem1024_rank secret_key ciphertext - -(** MLKEM-512 Instantiation *) - -let mlkem512_rank : rank = sz 2 - -let mlkem512_generate_keypair (randomness:t_Array u8 (sz 64)): - (t_Array u8 (sz 1632) & t_Array u8 (sz 800)) & bool = - ind_cca_generate_keypair mlkem512_rank randomness - -let mlkem512_encapsulate (public_key: t_Array u8 (sz 800)) (randomness: t_Array u8 (sz 32)): - (t_Array u8 (sz 768) & t_Array u8 (sz 32)) & bool = - assert 
(v_CPA_CIPHERTEXT_SIZE mlkem512_rank == sz 768); - ind_cca_encapsulate mlkem512_rank public_key randomness - - -let mlkem512_decapsulate (secret_key: t_Array u8 (sz 1632)) (ciphertext: t_Array u8 (sz 768)): - t_Array u8 (sz 32) & bool = - ind_cca_decapsulate mlkem512_rank secret_key ciphertext - - - diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst deleted file mode 100644 index 571e879fb..000000000 --- a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.Math.fst +++ /dev/null 
@@ -1,293 +0,0 @@ -module Spec.MLKEM.Math -#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" - -open FStar.Mul -open Core -open Spec.Utils - -let v_FIELD_MODULUS: i32 = 3329l -let is_rank (r:usize) = v r == 2 \/ v r == 3 \/ v r == 4 - -type rank = r:usize{is_rank r} - -(** MLKEM Math and Sampling *) - -type field_element = n:nat{n < v v_FIELD_MODULUS} -type polynomial = t_Array field_element (sz 256) -type vector (r:rank) = t_Array polynomial r -type matrix (r:rank) = t_Array (vector r) r - -val field_add: field_element -> field_element -> field_element -let field_add a b = (a + b) % v v_FIELD_MODULUS - -val field_sub: field_element -> field_element -> field_element -let field_sub a b = (a - b) % v v_FIELD_MODULUS - -val field_neg: field_element -> field_element -let field_neg a = (0 - a) % v v_FIELD_MODULUS - -val field_mul: field_element -> field_element -> field_element -let field_mul a b = (a * b) % v v_FIELD_MODULUS - -val poly_add: polynomial -> polynomial -> polynomial -let poly_add a b = map2 field_add a b - -val poly_sub: polynomial -> polynomial -> polynomial -let poly_sub a b = map2 field_sub a b - -let int_to_spec_fe (m:int) : field_element = - let m_v = m % v v_FIELD_MODULUS in - assert (m_v > - v v_FIELD_MODULUS); - if m_v < 0 then - m_v + v v_FIELD_MODULUS - else m_v - -(* Convert concrete code types to spec types *) - -let to_spec_fe (m:i16) : field_element = - int_to_spec_fe (v m) - -let to_spec_array #len (m:t_Array i16 len) : t_Array field_element len = - createi #field_element len (fun i -> to_spec_fe (m.[i])) - -let to_spec_poly (m:t_Array i16 (sz 256)) : polynomial = - to_spec_array m - -let to_spec_vector (#r:rank) - (m:t_Array (t_Array i16 (sz 256)) r) - : (vector r) = - createi r (fun i -> to_spec_poly (m.[i])) - -let to_spec_matrix (#r:rank) - (m:t_Array (t_Array (t_Array i16 (sz 256)) r) r) - : (matrix r) = - createi r (fun i -> to_spec_vector (m.[i])) - -(* Specifying NTT: -bitrev7 = [int('{:07b}'.format(x)[::-1], 2) for x in range(0,128)] 
-zetas = [pow(17,x) % 3329 for x in bitrev7] -zetas_mont = [pow(2,16) * x % 3329 for x in zetas] -zetas_mont_r = [(x - 3329 if x > 1664 else x) for x in zetas_mont] - -bitrev7 is -[0, 64, 32, 96, 16, 80, 48, 112, 8, 72, 40, 104, 24, 88, 56, 120, 4, 68, 36, 100, 20, 84, 52, 116, 12, 76, 44, 108, 28, 92, 60, 124, 2, 66, 34, 98, 18, 82, 50, 114, 10, 74, 42, 106, 26, 90, 58, 122, 6, 70, 38, 102, 22, 86, 54, 118, 14, 78, 46, 110, 30, 94, 62, 126, 1, 65, 33, 97, 17, 81, 49, 113, 9, 73, 41, 105, 25, 89, 57, 121, 5, 69, 37, 101, 21, 85, 53, 117, 13, 77, 45, 109, 29, 93, 61, 125, 3, 67, 35, 99, 19, 83, 51, 115, 11, 75, 43, 107, 27, 91, 59, 123, 7, 71, 39, 103, 23, 87, 55, 119, 15, 79, 47, 111, 31, 95, 63, 127] - -zetas = 17^bitrev7 is -[1, 1729, 2580, 3289, 2642, 630, 1897, 848, 1062, 1919, 193, 797, 2786, 3260, 569, 1746, 296, 2447, 1339, 1476, 3046, 56, 2240, 1333, 1426, 2094, 535, 2882, 2393, 2879, 1974, 821, 289, 331, 3253, 1756, 1197, 2304, 2277, 2055, 650, 1977, 2513, 632, 2865, 33, 1320, 1915, 2319, 1435, 807, 452, 1438, 2868, 1534, 2402, 2647, 2617, 1481, 648, 2474, 3110, 1227, 910, 17, 2761, 583, 2649, 1637, 723, 2288, 1100, 1409, 2662, 3281, 233, 756, 2156, 3015, 3050, 1703, 1651, 2789, 1789, 1847, 952, 1461, 2687, 939, 2308, 2437, 2388, 733, 2337, 268, 641, 1584, 2298, 2037, 3220, 375, 2549, 2090, 1645, 1063, 319, 2773, 757, 2099, 561, 2466, 2594, 2804, 1092, 403, 1026, 1143, 2150, 2775, 886, 1722, 1212, 1874, 1029, 2110, 2935, 885, 2154] - -zetas_mont = zetas * 2^16 is -[2285, 2571, 2970, 1812, 1493, 1422, 287, 202, 3158, 622, 1577, 182, 962, 2127, 1855, 1468, 573, 2004, 264, 383, 2500, 1458, 1727, 3199, 2648, 1017, 732, 608, 1787, 411, 3124, 1758, 1223, 652, 2777, 1015, 2036, 1491, 3047, 1785, 516, 3321, 3009, 2663, 1711, 2167, 126, 1469, 2476, 3239, 3058, 830, 107, 1908, 3082, 2378, 2931, 961, 1821, 2604, 448, 2264, 677, 2054, 2226, 430, 555, 843, 2078, 871, 1550, 105, 422, 587, 177, 3094, 3038, 2869, 1574, 1653, 3083, 778, 1159, 3182, 2552, 1483, 2727, 1119, 
1739, 644, 2457, 349, 418, 329, 3173, 3254, 817, 1097, 603, 610, 1322, 2044, 1864, 384, 2114, 3193, 1218, 1994, 2455, 220, 2142, 1670, 2144, 1799, 2051, 794, 1819, 2475, 2459, 478, 3221, 3021, 996, 991, 958, 1869, 1522, 1628] - -zetas_mont_r = zetas_mont - 3329 if zetas_mont > 1664 else zetas_mont is -[-1044, -758, -359, -1517, 1493, 1422, 287, 202, -171, 622, 1577, 182, 962, -1202, -1474, 1468, 573, -1325, 264, 383, -829, 1458, -1602, -130, -681, 1017, 732, 608, -1542, 411, -205, -1571, 1223, 652, -552, 1015, -1293, 1491, -282, -1544, 516, -8, -320, -666, -1618, -1162, 126, 1469, -853, -90, -271, 830, 107, -1421, -247, -951, -398, 961, -1508, -725, 448, -1065, 677, -1275, -1103, 430, 555, 843, -1251, 871, 1550, 105, 422, 587, 177, -235, -291, -460, 1574, 1653, -246, 778, 1159, -147, -777, 1483, -602, 1119, -1590, 644, -872, 349, 418, 329, -156, -75, 817, 1097, 603, 610, 1322, -1285, -1465, 384, -1215, -136, 1218, -1335, -874, 220, -1187, -1659, -1185, -1530, -1278, 794, -1510, -854, -870, 478, -108, -308, 996, 991, 958, -1460, 1522, 1628] -*) - -let zetas_list : list field_element = [1; 1729; 2580; 3289; 2642; 630; 1897; 848; 1062; 1919; 193; 797; 2786; 3260; 569; 1746; 296; 2447; 1339; 1476; 3046; 56; 2240; 1333; 1426; 2094; 535; 2882; 2393; 2879; 1974; 821; 289; 331; 3253; 1756; 1197; 2304; 2277; 2055; 650; 1977; 2513; 632; 2865; 33; 1320; 1915; 2319; 1435; 807; 452; 1438; 2868; 1534; 2402; 2647; 2617; 1481; 648; 2474; 3110; 1227; 910; 17; 2761; 583; 2649; 1637; 723; 2288; 1100; 1409; 2662; 3281; 233; 756; 2156; 3015; 3050; 1703; 1651; 2789; 1789; 1847; 952; 1461; 2687; 939; 2308; 2437; 2388; 733; 2337; 268; 641; 1584; 2298; 2037; 3220; 375; 2549; 2090; 1645; 1063; 319; 2773; 757; 2099; 561; 2466; 2594; 2804; 1092; 403; 1026; 1143; 2150; 2775; 886; 1722; 1212; 1874; 1029; 2110; 2935; 885; 2154] - -let zetas : t_Array field_element (sz 128) = - assert_norm(List.Tot.length zetas_list == 128); - Rust_primitives.Arrays.of_list zetas_list - -let poly_ntt_step 
(a:field_element) (b:field_element) (i:nat{i < 128}) = - let t = field_mul b zetas.[sz i] in - let b = field_sub a t in - let a = field_add a t in - (a,b) - -#push-options "--split_queries always" -let poly_ntt_layer (p:polynomial) (l:nat{l > 0 /\ l < 8}) : polynomial = - let len = pow2 l in - let k = (128 / len) - 1 in - Rust_primitives.Arrays.createi (sz 256) (fun i -> - let round = v i / (2 * len) in - let idx = v i % (2 * len) in - let (idx0, idx1) = if idx < len then (idx, idx+len) else (idx-len,idx) in - let (a_ntt, b_ntt) = poly_ntt_step p.[sz idx0] p.[sz idx1] (round + k) in - if idx < len then a_ntt else b_ntt) -#pop-options - -val poly_ntt: polynomial -> polynomial -let poly_ntt p = - let p = poly_ntt_layer p 7 in - let p = poly_ntt_layer p 6 in - let p = poly_ntt_layer p 5 in - let p = poly_ntt_layer p 4 in - let p = poly_ntt_layer p 3 in - let p = poly_ntt_layer p 2 in - let p = poly_ntt_layer p 1 in - p - -let poly_inv_ntt_step (a:field_element) (b:field_element) (i:nat{i < 128}) = - let b_minus_a = field_sub b a in - let a = field_add a b in - let b = field_mul b_minus_a zetas.[sz i] in - (a,b) - -#push-options "--z3rlimit 150" -let poly_inv_ntt_layer (p:polynomial) (l:nat{l > 0 /\ l < 8}) : polynomial = - let len = pow2 l in - let k = (256 / len) - 1 in - Rust_primitives.Arrays.createi (sz 256) (fun i -> - let round = v i / (2 * len) in - let idx = v i % (2 * len) in - let (idx0, idx1) = if idx < len then (idx, idx+len) else (idx-len,idx) in - let (a_ntt, b_ntt) = poly_inv_ntt_step p.[sz idx0] p.[sz idx1] (k - round) in - if idx < len then a_ntt else b_ntt) -#pop-options - -val poly_inv_ntt: polynomial -> polynomial -let poly_inv_ntt p = - let p = poly_inv_ntt_layer p 1 in - let p = poly_inv_ntt_layer p 2 in - let p = poly_inv_ntt_layer p 3 in - let p = poly_inv_ntt_layer p 4 in - let p = poly_inv_ntt_layer p 5 in - let p = poly_inv_ntt_layer p 6 in - let p = poly_inv_ntt_layer p 7 in - p - -let poly_base_case_multiply (a0 a1 b0 b1 
zeta:field_element) = - let c0 = field_add (field_mul a0 b0) (field_mul (field_mul a1 b1) zeta) in - let c1 = field_add (field_mul a0 b1) (field_mul a1 b0) in - (c0,c1) - -val poly_mul_ntt: polynomial -> polynomial -> polynomial -let poly_mul_ntt a b = - Rust_primitives.Arrays.createi (sz 256) (fun i -> - let a0 = a.[sz (2 * (v i / 2))] in - let a1 = a.[sz (2 * (v i / 2) + 1)] in - let b0 = b.[sz (2 * (v i / 2))] in - let b1 = b.[sz (2 * (v i / 2) + 1)] in - let zeta_4 = zetas.[sz (64 + (v i/4))] in - let zeta = if v i % 4 < 2 then zeta_4 else field_neg zeta_4 in - let (c0,c1) = poly_base_case_multiply a0 a1 b0 b1 zeta in - if v i % 2 = 0 then c0 else c1) - - -val vector_add: #r:rank -> vector r -> vector r -> vector r -let vector_add #p a b = map2 poly_add a b - -val vector_ntt: #r:rank -> vector r -> vector r -let vector_ntt #p v = map_array poly_ntt v - -val vector_inv_ntt: #r:rank -> vector r -> vector r -let vector_inv_ntt #p v = map_array poly_inv_ntt v - -val vector_mul_ntt: #r:rank -> vector r -> vector r -> vector r -let vector_mul_ntt #p a b = map2 poly_mul_ntt a b - -val vector_sum: #r:rank -> vector r -> polynomial -let vector_sum #r a = repeati (r -! sz 1) - (fun i x -> assert (v i < v r - 1); poly_add x (a.[i +! 
sz 1])) a.[sz 0] - -val vector_dot_product_ntt: #r:rank -> vector r -> vector r -> polynomial -let vector_dot_product_ntt a b = vector_sum (vector_mul_ntt a b) - -val matrix_transpose: #r:rank -> matrix r -> matrix r -let matrix_transpose #r m = - createi r (fun i -> - createi r (fun j -> - m.[j].[i])) - -val matrix_vector_mul_ntt: #r:rank -> matrix r -> vector r -> vector r -let matrix_vector_mul_ntt #r m v = - createi r (fun i -> vector_dot_product_ntt m.[i] v) - -val compute_As_plus_e_ntt: #r:rank -> a:matrix r -> s:vector r -> e:vector r -> vector r -let compute_As_plus_e_ntt #p a s e = vector_add (matrix_vector_mul_ntt a s) e - - - -type dT = d: nat {d = 1 \/ d = 4 \/ d = 5 \/ d = 10 \/ d = 11 \/ d = 12} -let max_d (d:dT) = if d < 12 then pow2 d else v v_FIELD_MODULUS -type field_element_d (d:dT) = n:nat{n < max_d d} -type polynomial_d (d:dT) = t_Array (field_element_d d) (sz 256) -type vector_d (r:rank) (d:dT) = t_Array (polynomial_d d) r - -let bits_to_bytes (#bytes: usize) (bv: bit_vec (v bytes * 8)) - : Pure (t_Array u8 bytes) - (requires True) - (ensures fun r -> (forall i. bit_vec_of_int_t_array r 8 i == bv i)) - = bit_vec_to_int_t_array 8 bv - -let bytes_to_bits (#bytes: usize) (r: t_Array u8 bytes) - : Pure (i: bit_vec (v bytes * 8)) - (requires True) - (ensures fun f -> (forall i. 
bit_vec_of_int_t_array r 8 i == f i)) - = bit_vec_of_int_t_array r 8 - -unfold let retype_bit_vector #a #b (#_:unit{a == b}) (x: a): b = x - - -let compress_d (d: dT {d <> 12}) (x: field_element): field_element_d d - = let r = (pow2 d * x + 1664) / v v_FIELD_MODULUS in - assert (r * v v_FIELD_MODULUS <= pow2 d * x + 1664); - assert (r * v v_FIELD_MODULUS <= pow2 d * (v v_FIELD_MODULUS - 1) + 1664); - Math.Lemmas.lemma_div_le (r * v v_FIELD_MODULUS) (pow2 d * (v v_FIELD_MODULUS - 1) + 1664) (v v_FIELD_MODULUS); - Math.Lemmas.cancel_mul_div r (v v_FIELD_MODULUS); - assert (r <= (pow2 d * (v v_FIELD_MODULUS - 1) + 1664) / v v_FIELD_MODULUS); - Math.Lemmas.lemma_div_mod_plus (1664 - pow2 d) (pow2 d) (v v_FIELD_MODULUS); - assert (r <= pow2 d + (1664 - pow2 d) / v v_FIELD_MODULUS); - assert (r <= pow2 d); - if r = pow2 d then 0 else r - -let decompress_d (d: dT {d <> 12}) (x: field_element_d d): field_element - = let r = (x * v v_FIELD_MODULUS + 1664) / pow2 d in - r - - -let byte_encode (d: dT) (coefficients: polynomial_d d): t_Array u8 (sz (32 * d)) - = let coefficients' : t_Array nat (sz 256) = map_array #(field_element_d d) (fun x -> x <: nat) coefficients in - bits_to_bytes #(sz (32 * d)) - (retype_bit_vector (bit_vec_of_nat_array coefficients' d)) - -let byte_decode (d: dT) (coefficients: t_Array u8 (sz (32 * d))): polynomial_d d - = let bv = bytes_to_bits coefficients in - let arr: t_Array nat (sz 256) = bit_vec_to_nat_array d (retype_bit_vector bv) in - let p: polynomial_d d = - createi (sz 256) (fun i -> - let x_f : field_element = arr.[i] % v v_FIELD_MODULUS in - assert (d < 12 ==> arr.[i] < pow2 d); - let x_m : field_element_d d = x_f in - x_m) - in - p - -let coerce_polynomial_12 (p:polynomial): polynomial_d 12 = p -let coerce_vector_12 (#r:rank) (v:vector r): vector_d r 12 = v - -let compress_then_byte_encode (d: dT {d <> 12}) (coefficients: polynomial): t_Array u8 (sz (32 * d)) - = let coefs: t_Array (field_element_d d) (sz 256) = map_array (compress_d d) 
coefficients - in - byte_encode d coefs - -let byte_decode_then_decompress (d: dT {d <> 12}) (b:t_Array u8 (sz (32 * d))): polynomial - = map_array (decompress_d d) (byte_decode d b) - - -(**** Definitions to move or to rework *) -let serialize_pre - (d1: dT) - (coefficients: t_Array i16 (sz 16)) - = forall i. i < 16 ==> bounded (Seq.index coefficients i) d1 - -// TODO: this is an alternative version of byte_encode -// rename to encoded bytes -#push-options "--z3rlimit 80 --split_queries always" -let serialize_post - (d1: dT) - (coefficients: t_Array i16 (sz 16) { serialize_pre d1 coefficients }) - (output: t_Array u8 (sz (d1 * 2))) - = BitVecEq.int_t_array_bitwise_eq coefficients d1 - output 8 - -// TODO: this is an alternative version of byte_decode -// rename to decoded bytes -let deserialize_post - (d1: dT) - (bytes: t_Array u8 (sz (d1 * 2))) - (output: t_Array i16 (sz 16)) - = BitVecEq.int_t_array_bitwise_eq bytes 8 - output d1 /\ - forall (i:nat). i < 16 ==> bounded (Seq.index output i) d1 -#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.fst deleted file mode 100644 index 07c9216ae..000000000 --- a/libcrux-ml-kem/proofs/fstar/spec/Spec.MLKEM.fst +++ /dev/null 
@@ -1,343 +0,0 @@ -module Spec.MLKEM -#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" -open FStar.Mul -open Core - -include Spec.Utils -include Spec.MLKEM.Math - -(** ML-KEM Constants *) -let v_BITS_PER_COEFFICIENT: usize = sz 12 - -let v_COEFFICIENTS_IN_RING_ELEMENT: usize = sz 256 - -let v_BITS_PER_RING_ELEMENT: usize = sz 3072 // v_COEFFICIENTS_IN_RING_ELEMENT *! sz 12 - -let v_BYTES_PER_RING_ELEMENT: usize = sz 384 // v_BITS_PER_RING_ELEMENT /! sz 8 - -let v_CPA_KEY_GENERATION_SEED_SIZE: usize = sz 32 - -let v_H_DIGEST_SIZE: usize = sz 32 -// same as Libcrux.Digest.digest_size (Libcrux.Digest.Algorithm_Sha3_256_ <: Libcrux.Digest.t_Algorithm) - -let v_REJECTION_SAMPLING_SEED_SIZE: usize = sz 840 // sz 168 *! sz 5 - -let v_SHARED_SECRET_SIZE: usize = v_H_DIGEST_SIZE - -val v_ETA1 (r:rank) : u:usize{u == sz 3 \/ u == sz 2} -let v_ETA1 (r:rank) : usize = - if r = sz 2 then sz 3 else - if r = sz 3 then sz 2 else - if r = sz 4 then sz 2 - -let v_ETA2 (r:rank) : usize = sz 2 - -val v_VECTOR_U_COMPRESSION_FACTOR (r:rank) : u:usize{u == sz 10 \/ u == sz 11} -let v_VECTOR_U_COMPRESSION_FACTOR (r:rank) : usize = - if r = sz 2 then sz 10 else - if r = sz 3 then sz 10 else - if r = sz 4 then sz 11 - -val v_VECTOR_V_COMPRESSION_FACTOR (r:rank) : u:usize{u == sz 4 \/ u == sz 5} -let v_VECTOR_V_COMPRESSION_FACTOR (r:rank) : usize = - if r = sz 2 then sz 4 else - if r = sz 3 then sz 4 else - if r = sz 4 then sz 5 - -val v_ETA1_RANDOMNESS_SIZE (r:rank) : u:usize{u == sz 128 \/ u == sz 192} -let v_ETA1_RANDOMNESS_SIZE (r:rank) = v_ETA1 r *! sz 64 - -val v_ETA2_RANDOMNESS_SIZE (r:rank) : u:usize{u == sz 128} -let v_ETA2_RANDOMNESS_SIZE (r:rank) = v_ETA2 r *! sz 64 - -val v_RANKED_BYTES_PER_RING_ELEMENT (r:rank) : u:usize{u = sz 768 \/ u = sz 1152 \/ u = sz 1536} -let v_RANKED_BYTES_PER_RING_ELEMENT (r:rank) = r *! 
v_BYTES_PER_RING_ELEMENT - -let v_T_AS_NTT_ENCODED_SIZE (r:rank) = v_RANKED_BYTES_PER_RING_ELEMENT r -let v_CPA_PRIVATE_KEY_SIZE (r:rank) = v_RANKED_BYTES_PER_RING_ELEMENT r - -val v_CPA_PUBLIC_KEY_SIZE (r:rank) : u:usize{u = sz 800 \/ u = sz 1184 \/ u = sz 1568} -let v_CPA_PUBLIC_KEY_SIZE (r:rank) = v_RANKED_BYTES_PER_RING_ELEMENT r +! sz 32 - -val v_CCA_PRIVATE_KEY_SIZE (r:rank) : u:usize{u = sz 1632 \/ u = sz 2400 \/ u = sz 3168} -let v_CCA_PRIVATE_KEY_SIZE (r:rank) = - (v_CPA_PRIVATE_KEY_SIZE r +! v_CPA_PUBLIC_KEY_SIZE r +! v_H_DIGEST_SIZE +! v_SHARED_SECRET_SIZE) - -let v_CCA_PUBLIC_KEY_SIZE (r:rank) = v_CPA_PUBLIC_KEY_SIZE r - -val v_C1_BLOCK_SIZE (r:rank): u:usize{(u = sz 320 \/ u = sz 352) /\ v u == 32 * v (v_VECTOR_U_COMPRESSION_FACTOR r)} -let v_C1_BLOCK_SIZE (r:rank) = sz 32 *! v_VECTOR_U_COMPRESSION_FACTOR r - -val v_C1_SIZE (r:rank) : u:usize{(u >=. sz 640 /\ u <=. sz 1448) /\ - v u == v (v_C1_BLOCK_SIZE r) * v r} -let v_C1_SIZE (r:rank) = v_C1_BLOCK_SIZE r *! r - -val v_C2_SIZE (r:rank) : u:usize{(u = sz 128 \/ u = sz 160) /\ v u == 32 * v (v_VECTOR_V_COMPRESSION_FACTOR r)} -let v_C2_SIZE (r:rank) = sz 32 *! v_VECTOR_V_COMPRESSION_FACTOR r - -val v_CPA_CIPHERTEXT_SIZE (r:rank) : u:usize {v u = v (v_C1_SIZE r) + v (v_C2_SIZE r)} -let v_CPA_CIPHERTEXT_SIZE (r:rank) = v_C1_SIZE r +! v_C2_SIZE r - -let v_CCA_CIPHERTEXT_SIZE (r:rank) = v_CPA_CIPHERTEXT_SIZE r - -val v_IMPLICIT_REJECTION_HASH_INPUT_SIZE (r:rank): u:usize{v u == v v_SHARED_SECRET_SIZE + - v (v_CPA_CIPHERTEXT_SIZE r)} -let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE (r:rank) = - v_SHARED_SECRET_SIZE +! v_CPA_CIPHERTEXT_SIZE r - -val v_KEY_GENERATION_SEED_SIZE: u:usize{u = sz 64} -let v_KEY_GENERATION_SEED_SIZE: usize = - v_CPA_KEY_GENERATION_SEED_SIZE +! 
- v_SHARED_SECRET_SIZE - - -(** ML-KEM Types *) - -type t_MLKEMPublicKey (r:rank) = t_Array u8 (v_CPA_PUBLIC_KEY_SIZE r) -type t_MLKEMPrivateKey (r:rank) = t_Array u8 (v_CCA_PRIVATE_KEY_SIZE r) -type t_MLKEMKeyPair (r:rank) = t_MLKEMPrivateKey r & t_MLKEMPublicKey r - -type t_MLKEMCPAPrivateKey (r:rank) = t_Array u8 (v_CPA_PRIVATE_KEY_SIZE r) -type t_MLKEMCPAKeyPair (r:rank) = t_MLKEMCPAPrivateKey r & t_MLKEMPublicKey r - -type t_MLKEMCiphertext (r:rank) = t_Array u8 (v_CPA_CIPHERTEXT_SIZE r) -type t_MLKEMSharedSecret = t_Array u8 (v_SHARED_SECRET_SIZE) - - -assume val sample_max: n:usize{v n < pow2 32 /\ v n >= 128 * 3 /\ v n % 3 = 0} - -val sample_polynomial_ntt: seed:t_Array u8 (sz 34) -> (polynomial & bool) -let sample_polynomial_ntt seed = - let randomness = v_XOF sample_max seed in - let bv = bytes_to_bits randomness in - assert (v sample_max * 8 == (((v sample_max / 3) * 2) * 12)); - let bv: bit_vec ((v (sz ((v sample_max / 3) * 2))) * 12) = retype_bit_vector bv in - let i16s = bit_vec_to_nat_array #(sz ((v sample_max / 3) * 2)) 12 bv in - assert ((v sample_max / 3) * 2 >= 256); - let poly0: polynomial = Seq.create 256 0 in - let index_t = n:nat{n <= 256} in - let (sampled, poly1) = - repeati #(index_t & polynomial) (sz ((v sample_max / 3) * 2)) - (fun i (sampled,acc) -> - if sampled < 256 then - let sample = Seq.index i16s (v i) in - if sample < 3329 then - (sampled+1, Rust_primitives.Hax.update_at acc (sz sampled) sample) - else (sampled, acc) - else (sampled, acc)) - (0,poly0) in - if sampled < 256 then poly0, false else poly1, true - -let sample_polynomial_ntt_at_index (seed:t_Array u8 (sz 32)) (i j: (x:usize{v x <= 4})) : polynomial & bool = - let seed34 = Seq.append seed (Seq.create 2 0uy) in - let seed34 = Rust_primitives.Hax.update_at seed34 (sz 32) (mk_int #u8_inttype (v i)) in - let seed34 = Rust_primitives.Hax.update_at seed34 (sz 33) (mk_int #u8_inttype (v j)) in - sample_polynomial_ntt seed34 - -val sample_matrix_A_ntt: #r:rank -> seed:t_Array 
u8 (sz 32) -> (matrix r & bool) -let sample_matrix_A_ntt #r seed = - let m = - createi r (fun i -> - createi r (fun j -> - let (p,b) = sample_polynomial_ntt_at_index seed i j in - p)) - in - let sufficient_randomness = - repeati r (fun i b -> - repeati r (fun j b -> - let (p,v) = sample_polynomial_ntt_at_index seed i j in - b && v) b) true in - (m, sufficient_randomness) - -assume val sample_poly_cbd: v_ETA:usize{v v_ETA == 2 \/ v v_ETA == 3} -> t_Array u8 (v_ETA *! sz 64) -> polynomial - -open Rust_primitives.Integers - -val sample_poly_cbd2: #r:rank -> seed:t_Array u8 (sz 32) -> domain_sep:usize{v domain_sep < 256} -> polynomial -let sample_poly_cbd2 #r seed domain_sep = - let prf_input = Seq.append seed (Seq.create 1 (mk_int #u8_inttype (v domain_sep))) in - let prf_output = v_PRF (v_ETA2_RANDOMNESS_SIZE r) prf_input in - sample_poly_cbd (v_ETA2 r) prf_output - -val sample_poly_cbd1: #r:rank -> seed:t_Array u8 (sz 32) -> domain_sep:usize{v domain_sep < 256} -> polynomial -let sample_poly_cbd1 #r seed domain_sep = - let prf_input = Seq.append seed (Seq.create 1 (mk_int #u8_inttype (v domain_sep))) in - let prf_output = v_PRF (v_ETA1_RANDOMNESS_SIZE r) prf_input in - sample_poly_cbd (v_ETA1 r) prf_output - -let sample_vector_cbd1 (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v domain_sep < 2 * v r}) : vector r = - createi r (fun i -> sample_poly_cbd1 #r seed (domain_sep +! i)) - -let sample_vector_cbd2 (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v domain_sep < 2 * v r}) : vector r = - createi r (fun i -> sample_poly_cbd2 #r seed (domain_sep +! 
i)) - -let sample_vector_cbd_then_ntt (#r:rank) (seed:t_Array u8 (sz 32)) (domain_sep:usize{v domain_sep < 2 * v r}) : vector r = - vector_ntt (sample_vector_cbd1 #r seed domain_sep) - -let vector_encode_12 (#r:rank) (v: vector r) : t_Array u8 (v_T_AS_NTT_ENCODED_SIZE r) - = let s: t_Array (t_Array _ (sz 384)) r = map_array (byte_encode 12) (coerce_vector_12 v) in - flatten s - -let vector_decode_12 (#r:rank) (arr: t_Array u8 (v_T_AS_NTT_ENCODED_SIZE r)): vector r - = createi r (fun block -> - let block_size = (sz (32 * 12)) in - let slice = Seq.slice arr (v block * v block_size) - (v block * v block_size + v block_size) in - byte_decode 12 slice - ) - -let compress_then_encode_message (p:polynomial) : t_Array u8 v_SHARED_SECRET_SIZE - = compress_then_byte_encode 1 p - -let decode_then_decompress_message (b:t_Array u8 v_SHARED_SECRET_SIZE): polynomial - = byte_decode_then_decompress 1 b - -let compress_then_encode_u (#r:rank) (vec: vector r): t_Array u8 (v_C1_SIZE r) - = let d = v (v_VECTOR_U_COMPRESSION_FACTOR r) in - flatten (map_array (compress_then_byte_encode d) vec) - -let decode_then_decompress_u (#r:rank) (arr: t_Array u8 (v_C1_SIZE r)): vector r - = let d = v_VECTOR_U_COMPRESSION_FACTOR r in - createi r (fun block -> - let block_size = v_C1_BLOCK_SIZE r in - let slice = Seq.slice arr (v block * v block_size) - (v block * v block_size + v block_size) in - byte_decode_then_decompress (v d) slice - ) - -let compress_then_encode_v (#r:rank): polynomial -> t_Array u8 (v_C2_SIZE r) - = compress_then_byte_encode (v (v_VECTOR_V_COMPRESSION_FACTOR r)) - -let decode_then_decompress_v (#r:rank): t_Array u8 (v_C2_SIZE r) -> polynomial - = byte_decode_then_decompress (v (v_VECTOR_V_COMPRESSION_FACTOR r)) - -(** IND-CPA Functions *) - -/// This function implements most of Algorithm 12 of the -/// NIST FIPS 203 specification; this is the MLKEM CPA-PKE key generation algorithm. 
-/// -/// We say "most of" since Algorithm 12 samples the required randomness within -/// the function itself, whereas this implementation expects it to be provided -/// through the `key_generation_seed` parameter. - -val ind_cpa_generate_keypair (r:rank) (randomness:t_Array u8 v_CPA_KEY_GENERATION_SEED_SIZE) : - (t_MLKEMCPAKeyPair r & bool) -let ind_cpa_generate_keypair r randomness = - let hashed = v_G randomness in - let (seed_for_A, seed_for_secret_and_error) = split hashed (sz 32) in - let (matrix_A_as_ntt, sufficient_randomness) = sample_matrix_A_ntt #r seed_for_A in - let secret_as_ntt = sample_vector_cbd_then_ntt #r seed_for_secret_and_error (sz 0) in - let error_as_ntt = sample_vector_cbd_then_ntt #r seed_for_secret_and_error r in - let t_as_ntt = compute_As_plus_e_ntt #r matrix_A_as_ntt secret_as_ntt error_as_ntt in - let public_key_serialized = Seq.append (vector_encode_12 #r t_as_ntt) seed_for_A in - let secret_key_serialized = vector_encode_12 #r secret_as_ntt in - ((secret_key_serialized,public_key_serialized), sufficient_randomness) - -/// This function implements Algorithm 13 of the -/// NIST FIPS 203 specification; this is the MLKEM CPA-PKE encryption algorithm. - -val ind_cpa_encrypt (r:rank) (public_key: t_MLKEMPublicKey r) - (message: t_Array u8 v_SHARED_SECRET_SIZE) - (randomness:t_Array u8 v_SHARED_SECRET_SIZE) : - (t_MLKEMCiphertext r & bool) - -[@ "opaque_to_smt"] -let ind_cpa_encrypt r public_key message randomness = - let (t_as_ntt_bytes, seed_for_A) = split public_key (v_T_AS_NTT_ENCODED_SIZE r) in - let t_as_ntt = vector_decode_12 #r t_as_ntt_bytes in - let matrix_A_as_ntt, sufficient_randomness = sample_matrix_A_ntt #r seed_for_A in - let r_as_ntt = sample_vector_cbd_then_ntt #r randomness (sz 0) in - let error_1 = sample_vector_cbd2 #r randomness r in - let error_2 = sample_poly_cbd2 #r randomness (r +! 
r) in - let u = vector_add (vector_inv_ntt (matrix_vector_mul_ntt (matrix_transpose matrix_A_as_ntt) r_as_ntt)) error_1 in - let mu = decode_then_decompress_message message in - let v = poly_add (poly_add (vector_dot_product_ntt t_as_ntt r_as_ntt) error_2) mu in - let c1 = compress_then_encode_u #r u in - let c2 = compress_then_encode_v #r v in - (concat c1 c2, sufficient_randomness) - -/// This function implements Algorithm 14 of the -/// NIST FIPS 203 specification; this is the MLKEM CPA-PKE decryption algorithm. - -val ind_cpa_decrypt (r:rank) (secret_key: t_MLKEMCPAPrivateKey r) - (ciphertext: t_MLKEMCiphertext r): - t_MLKEMSharedSecret - -[@ "opaque_to_smt"] -let ind_cpa_decrypt r secret_key ciphertext = - let (c1,c2) = split ciphertext (v_C1_SIZE r) in - let u = decode_then_decompress_u #r c1 in - let v = decode_then_decompress_v #r c2 in - let secret_as_ntt = vector_decode_12 #r secret_key in - let w = poly_sub v (poly_inv_ntt (vector_dot_product_ntt secret_as_ntt (vector_ntt u))) in - compress_then_encode_message w - -(** IND-CCA Functions *) - - -/// This function implements most of Algorithm 15 of the -/// NIST FIPS 203 specification; this is the MLKEM CCA-KEM key generation algorithm. -/// -/// We say "most of" since Algorithm 15 samples the required randomness within -/// the function itself, whereas this implementation expects it to be provided -/// through the `randomness` parameter. 
-/// -/// TODO: input validation - -val ind_cca_generate_keypair (r:rank) (randomness:t_Array u8 v_KEY_GENERATION_SEED_SIZE) : - t_MLKEMKeyPair r & bool -let ind_cca_generate_keypair p randomness = - let (ind_cpa_keypair_randomness, implicit_rejection_value) = - split randomness v_CPA_KEY_GENERATION_SEED_SIZE in - - let (ind_cpa_secret_key,ind_cpa_public_key), sufficient_randomness = ind_cpa_generate_keypair p ind_cpa_keypair_randomness in - let ind_cca_secret_key = Seq.append ind_cpa_secret_key ( - Seq.append ind_cpa_public_key ( - Seq.append (v_H ind_cpa_public_key) implicit_rejection_value)) in - (ind_cca_secret_key, ind_cpa_public_key), sufficient_randomness - -/// This function implements most of Algorithm 16 of the -/// NIST FIPS 203 specification; this is the MLKEM CCA-KEM encapsulation algorithm. -/// -/// We say "most of" since Algorithm 16 samples the required randomness within -/// the function itself, whereas this implementation expects it to be provided -/// through the `randomness` parameter. -/// -/// TODO: input validation - -val ind_cca_encapsulate (r:rank) (public_key: t_MLKEMPublicKey r) - (randomness:t_Array u8 v_SHARED_SECRET_SIZE) : - (t_MLKEMCiphertext r & t_MLKEMSharedSecret) & bool -let ind_cca_encapsulate p public_key randomness = - let to_hash = concat randomness (v_H public_key) in - let hashed = v_G to_hash in - let (shared_secret, pseudorandomness) = split hashed v_SHARED_SECRET_SIZE in - let ciphertext, sufficient_randomness = ind_cpa_encrypt p public_key randomness pseudorandomness in - (ciphertext,shared_secret), sufficient_randomness - - -/// This function implements Algorithm 17 of the -/// NIST FIPS 203 specification; this is the MLKEM CCA-KEM encapsulation algorithm. 
- -val ind_cca_decapsulate (r:rank) (secret_key: t_MLKEMPrivateKey r) - (ciphertext: t_MLKEMCiphertext r): - t_MLKEMSharedSecret & bool -let ind_cca_decapsulate p secret_key ciphertext = - let (ind_cpa_secret_key,rest) = split secret_key (v_CPA_PRIVATE_KEY_SIZE p) in - let (ind_cpa_public_key,rest) = split rest (v_CPA_PUBLIC_KEY_SIZE p) in - let (ind_cpa_public_key_hash,implicit_rejection_value) = split rest v_H_DIGEST_SIZE in - - let decrypted = ind_cpa_decrypt p ind_cpa_secret_key ciphertext in - let to_hash = concat decrypted ind_cpa_public_key_hash in - let hashed = v_G to_hash in - let (success_shared_secret, pseudorandomness) = split hashed v_SHARED_SECRET_SIZE in - - assert (Seq.length implicit_rejection_value = 32); - let to_hash = concat implicit_rejection_value ciphertext in - let rejection_shared_secret = v_J to_hash in - - let reencrypted, sufficient_randomness = ind_cpa_encrypt p ind_cpa_public_key decrypted pseudorandomness in - if reencrypted = ciphertext - then success_shared_secret, sufficient_randomness - else rejection_shared_secret, sufficient_randomness - diff --git a/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst b/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst deleted file mode 100644 index 1c6ed14b1..000000000 --- a/libcrux-ml-kem/proofs/fstar/spec/Spec.Utils.fst +++ /dev/null 
@@ -1,493 +0,0 @@ -module Spec.Utils -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" -open FStar.Mul -open Core - -(** Utils *) -let map_slice #a #b - (f:(x:a -> b)) - (s: t_Slice a): t_Slice b - = createi (length s) (fun i -> f (Seq.index s (v i))) - -let map_array #a #b #len - (f:(x:a -> b)) - (s: t_Array a len): t_Array b len - = createi (length s) (fun i -> f (Seq.index s (v i))) - -let map2 #a #b #c #len - (f:a -> b -> c) - (x: t_Array a len) (y: t_Array b len): t_Array c len - = createi (length x) (fun i -> f (Seq.index x (v i)) (Seq.index y (v i))) - -let create len c = createi len (fun i -> c) - -let repeati #acc (l:usize) (f:(i:usize{v i < v l}) -> acc -> acc) acc0 : acc = Lib.LoopCombinators.repeati (v l) (fun i acc -> f (sz i) acc) acc0 - -let createL len l = Rust_primitives.Hax.array_of_list len l - -let create16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 = - let l = [v15; v14; v13; v12; v11; v10; v9; v8; v7; v6; v5; v4; v3; v2; v1; v0] in - assert_norm (List.Tot.length l == 16); - createL 16 l - - -val lemma_createL_index #a len l i : - Lemma (Seq.index (createL #a len l) i == List.Tot.index l i) - [SMTPat (Seq.index (createL #a len l) i)] -let lemma_createL_index #a len l i = () - -val lemma_create16_index #a v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 i : - Lemma (Seq.index (create16 #a v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) i == - (if i = 0 then v15 else - if i = 1 then v14 else - if i = 2 then v13 else - if i = 3 then v12 else - if i = 4 then v11 else - if i = 5 then v10 else - if i = 6 then v9 else - if i = 7 then v8 else - if i = 8 then v7 else - if i = 9 then v6 else - if i = 10 then v5 else - if i = 11 then v4 else - if i = 12 then v3 else - if i = 13 then v2 else - if i = 14 then v1 else - if i = 15 then v0)) - [SMTPat (Seq.index (create16 #a v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) i)] -let lemma_create16_index #a v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 i = - let l = [v15; 
v14; v13; v12; v11; v10; v9; v8; v7; v6; v5; v4; v3; v2; v1; v0] in - assert_norm (List.Tot.index l 0 == v15); - assert_norm (List.Tot.index l 1 == v14); - assert_norm (List.Tot.index l 2 == v13); - assert_norm (List.Tot.index l 3 == v12); - assert_norm (List.Tot.index l 4 == v11); - assert_norm (List.Tot.index l 5 == v10); - assert_norm (List.Tot.index l 6 == v9); - assert_norm (List.Tot.index l 7 == v8); - assert_norm (List.Tot.index l 8 == v7); - assert_norm (List.Tot.index l 9 == v6); - assert_norm (List.Tot.index l 10 == v5); - assert_norm (List.Tot.index l 11 == v4); - assert_norm (List.Tot.index l 12 == v3); - assert_norm (List.Tot.index l 13 == v2); - assert_norm (List.Tot.index l 14 == v1); - assert_norm (List.Tot.index l 15 == v0) - - -val lemma_createi_index #a len f i : - Lemma (Seq.index (createi #a len f) i == f (sz i)) - [SMTPat (Seq.index (createi #a len f) i)] -let lemma_createi_index #a len f i = () - -val lemma_create_index #a len c i: - Lemma (Seq.index (create #a len c) i == c) - [SMTPat (Seq.index (create #a len c) i)] -let lemma_create_index #a len c i = () - -val lemma_map_index #a #b #len f x i: - Lemma (Seq.index (map_array #a #b #len f x) i == f (Seq.index x i)) - [SMTPat (Seq.index (map_array #a #b #len f x) i)] -let lemma_map_index #a #b #len f x i = () - -val lemma_map2_index #a #b #c #len f x y i: - Lemma (Seq.index (map2 #a #b #c #len f x y) i == f (Seq.index x i) (Seq.index y i)) - [SMTPat (Seq.index (map2 #a #b #c #len f x y) i)] -let lemma_map2_index #a #b #c #len f x y i = () - -let lemma_bitand_properties #t (x:int_t t) : - Lemma ((x &. ones) == x /\ (x &. mk_int #t 0) == mk_int #t 0 /\ (ones #t &. x) == x /\ (mk_int #t 0 &. x) == mk_int #t 0) = - logand_lemma #t x x - -#push-options "--z3rlimit 250" -let flatten #t #n - (#m: usize {range (v n * v m) usize_inttype}) - (x: t_Array (t_Array t m) n) - : t_Array t (m *! n) - = createi (m *! 
n) (fun i -> Seq.index (Seq.index x (v i / v m)) (v i % v m)) -#pop-options - -type t_Error = | Error_RejectionSampling : t_Error - -type t_Result a b = - | Ok: a -> t_Result a b - | Err: b -> t_Result a b - -(** Hash Function *) -open Spec.SHA3 - -val v_G (input: t_Slice u8) : t_Array u8 (sz 64) -let v_G input = map_slice Lib.RawIntTypes.u8_to_UInt8 (sha3_512 (Seq.length input) (map_slice Lib.IntTypes.secret input)) - -val v_H (input: t_Slice u8) : t_Array u8 (sz 32) -let v_H input = map_slice Lib.RawIntTypes.u8_to_UInt8 (sha3_256 (Seq.length input) (map_slice Lib.IntTypes.secret input)) - -val v_PRF (v_LEN: usize{v v_LEN < pow2 32}) (input: t_Slice u8) : t_Array u8 v_LEN -let v_PRF v_LEN input = map_slice Lib.RawIntTypes.u8_to_UInt8 ( - shake256 (Seq.length input) (map_slice Lib.IntTypes.secret input) (v v_LEN)) - -let v_J (input: t_Slice u8) : t_Array u8 (sz 32) = v_PRF (sz 32) input - -val v_XOF (v_LEN: usize{v v_LEN < pow2 32}) (input: t_Slice u8) : t_Array u8 v_LEN -let v_XOF v_LEN input = map_slice Lib.RawIntTypes.u8_to_UInt8 ( - shake128 (Seq.length input) (map_slice Lib.IntTypes.secret input) (v v_LEN)) - -let update_at_range_lemma #n - (s: t_Slice 't) - (i: Core.Ops.Range.t_Range (int_t n) {(Core.Ops.Range.impl_index_range_slice 't n).f_index_pre s i}) - (x: t_Slice 't) - : Lemma - (requires (Seq.length x == v i.f_end - v i.f_start)) - (ensures ( - let s' = Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x in - let len = v i.f_start in - forall (i: nat). i < len ==> Seq.index s i == Seq.index s' i - )) - [SMTPat (Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x)] - = let s' = Rust_primitives.Hax.Monomorphized_update_at.update_at_range s i x in - let len = v i.f_start in - introduce forall (i:nat {i < len}). 
Seq.index s i == Seq.index s' i - with (assert ( Seq.index (Seq.slice s 0 len) i == Seq.index s i - /\ Seq.index (Seq.slice s' 0 len) i == Seq.index s' i )) - - -/// Bounded integers - -let is_intb (l:nat) (x:int) = (x <= l) && (x >= -l) -let is_i16b (l:nat) (x:i16) = is_intb l (v x) -let is_i16b_array (l:nat) (x:t_Slice i16) = forall i. i < Seq.length x ==> is_i16b l (Seq.index x i) -let is_i16b_vector (l:nat) (r:usize) (x:t_Array (t_Array i16 (sz 256)) r) = forall i. i < v r ==> is_i16b_array l (Seq.index x i) -let is_i16b_matrix (l:nat) (r:usize) (x:t_Array (t_Array (t_Array i16 (sz 256)) r) r) = forall i. i < v r ==> is_i16b_vector l r (Seq.index x i) - -[@ "opaque_to_smt"] -let is_i16b_array_opaque (l:nat) (x:t_Slice i16) = is_i16b_array l x - -let is_i32b (l:nat) (x:i32) = is_intb l (v x) -let is_i32b_array (l:nat) (x:t_Slice i32) = forall i. i < Seq.length x ==> is_i32b l (Seq.index x i) - -let nat_div_ceil (x:nat) (y:pos) : nat = if (x % y = 0) then x/y else (x/y)+1 - -val lemma_intb_le b b' - : Lemma (requires (b <= b')) - (ensures (forall n. is_intb b n ==> is_intb b' n)) -let lemma_intb_le b b' = () - -#push-options "--z3rlimit 200" -val lemma_mul_intb (b1 b2: nat) (n1 n2: int) - : Lemma (requires (is_intb b1 n1 /\ is_intb b2 n2)) - (ensures (is_intb (b1 * b2) (n1 * n2))) -let lemma_mul_intb (b1 b2: nat) (n1 n2: int) = - if n1 = 0 || n2 = 0 - then () - else - let open FStar.Math.Lemmas in - lemma_abs_bound n1 b1; - lemma_abs_bound n2 b2; - lemma_abs_mul n1 n2; - lemma_mult_le_left (abs n1) (abs n2) b2; - lemma_mult_le_right b2 (abs n1) b1; - lemma_abs_bound (n1 * n2) (b1 * b2) -#pop-options - -#push-options "--z3rlimit 200" -val lemma_mul_i16b (b1 b2: nat) (n1 n2: i16) - : Lemma (requires (is_i16b b1 n1 /\ is_i16b b2 n2 /\ b1 * b2 < pow2 31)) - (ensures (range (v n1 * v n2) i32_inttype /\ - is_i32b (b1 * b2) ((cast n1 <: i32) *! (cast n2 <: i32)) /\ - v ((cast n1 <: i32) *! 
(cast n2 <: i32)) == v n1 * v n2)) - -let lemma_mul_i16b (b1 b2: nat) (n1 n2: i16) = - if v n1 = 0 || v n2 = 0 - then () - else - let open FStar.Math.Lemmas in - lemma_abs_bound (v n1) b1; - lemma_abs_bound (v n2) b2; - lemma_abs_mul (v n1) (v n2); - lemma_mult_le_left (abs (v n1)) (abs (v n2)) b2; - lemma_mult_le_right b2 (abs (v n1)) b1; - lemma_abs_bound (v n1 * v n2) (b1 * b2) -#pop-options - -val lemma_add_i16b (b1 b2:nat) (n1 n2:i16) : - Lemma (requires (is_i16b b1 n1 /\ is_i16b b2 n2 /\ b1 + b2 < pow2 15)) - (ensures (range (v n1 + v n2) i16_inttype /\ - is_i16b (b1 + b2) (n1 +! n2))) -let lemma_add_i16b (b1 b2:nat) (n1 n2:i16) = () - -#push-options "--z3rlimit 100 --split_queries always" -let lemma_range_at_percent (v:int) (p:int{p>0/\ p%2=0 /\ v < p/2 /\ v >= -p / 2}): - Lemma (v @% p == v) = - let m = v % p in - if v < 0 then ( - Math.Lemmas.lemma_mod_plus v 1 p; - assert ((v + p) % p == v % p); - assert (v + p >= 0); - assert (v + p < p); - Math.Lemmas.modulo_lemma (v+p) p; - assert (m == v + p); - assert (m >= p/2); - assert (v @% p == m - p); - assert (v @% p == v)) - else ( - assert (v >= 0 /\ v < p); - Math.Lemmas.modulo_lemma v p; - assert (v % p == v); - assert (m < p/2); - assert (v @% p == v) - ) -#pop-options - -val lemma_sub_i16b (b1 b2:nat) (n1 n2:i16) : - Lemma (requires (is_i16b b1 n1 /\ is_i16b b2 n2 /\ b1 + b2 < pow2 15)) - (ensures (range (v n1 - v n2) i16_inttype /\ - is_i16b (b1 + b2) (n1 -. n2) /\ - v (n1 -. n2) == v n1 - v n2)) -let lemma_sub_i16b (b1 b2:nat) (n1 n2:i16) = () - -let mont_mul_red_i16 (x:i16) (y:i16) : i16= - let vlow = x *. y in - let k = vlow *. (neg 3327s) in - let k_times_modulus = cast (((cast k <: i32) *. 3329l) >>! 16l) <: i16 in - let vhigh = cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16 in - vhigh -. k_times_modulus - -let mont_red_i32 (x:i32) : i16 = - let vlow = cast x <: i16 in - let k = vlow *. (neg 3327s) in - let k_times_modulus = cast (((cast k <: i32) *. 3329l) >>! 
16l) <: i16 in - let vhigh = cast (x >>! 16l) <: i16 in - vhigh -. k_times_modulus - -#push-options "--z3rlimit 100" -let lemma_at_percent_mod (v:int) (p:int{p>0/\ p%2=0}): - Lemma ((v @% p) % p == v % p) = - let m = v % p in - assert (m >= 0 /\ m < p); - if m >= p/2 then ( - assert ((v @%p) % p == (m - p) %p); - Math.Lemmas.lemma_mod_plus m (-1) p; - assert ((v @%p) % p == m %p); - Math.Lemmas.lemma_mod_mod m v p; - assert ((v @%p) % p == v % p) - ) else ( - assert ((v @%p) % p == m%p); - Math.Lemmas.lemma_mod_mod m v p; - assert ((v @%p) % p == v % p) - ) -#pop-options - -let lemma_div_at_percent (v:int) (p:int{p>0/\ p%2=0 /\ (v/p) < p/2 /\ (v/p) >= -p / 2}): - Lemma ((v / p) @% p == v / p) = - lemma_range_at_percent (v/p) p - -val lemma_mont_red_i32 (x:i32): Lemma - (requires (is_i32b (3328 * pow2 16) x)) - (ensures ( - let result:i16 = mont_red_i32 x in - is_i16b (3328 + 1665) result /\ - (is_i32b (3328 * pow2 15) x ==> is_i16b 3328 result) /\ - v result % 3329 == (v x * 169) % 3329)) - -let lemma_mont_red_i32 (x:i32) = - let vlow = cast x <: i16 in - assert (v vlow == v x @% pow2 16); - let k = vlow *. (neg 3327s) in - assert (v k == ((v x @% pow2 16) * (- 3327)) @% pow2 16); - let k_times_modulus = (cast k <: i32) *. 3329l in - assert (v k_times_modulus == (v k * 3329)); - let c = cast (k_times_modulus >>! 16l) <: i16 in - assert (v c == (((v k * 3329) / pow2 16) @% pow2 16)); - lemma_div_at_percent (v k * 3329) (pow2 16); - assert (v c == (((v k * 3329) / pow2 16))); - assert (is_i16b 1665 c); - let vhigh = cast (x >>! 16l) <: i16 in - lemma_div_at_percent (v x) (pow2 16); - assert (v vhigh == v x / pow2 16); - assert (is_i16b 3328 vhigh); - let result = vhigh -. 
c in - lemma_sub_i16b 3328 1665 vhigh c; - assert (is_i16b (3328 + 1665) result); - assert (v result = v vhigh - v c); - assert (is_i16b (3328 + 1665) result); - assert (is_i32b (3328 * pow2 15) x ==> is_i16b 3328 result); - calc ( == ) { - v k_times_modulus % pow2 16; - ( == ) { assert (v k_times_modulus == v k * 3329) } - (v k * 3329) % pow2 16; - ( == ) { assert (v k = ((v x @% pow2 16) * (-3327)) @% pow2 16) } - ((((v x @% pow2 16) * (-3327)) @% pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (((v x @% pow2 16) * (-3327)) @% pow2 16) 3329 (pow2 16) } - (((((v x @% pow2 16) * (-3327)) @% pow2 16) % pow2 16) * 3329) % pow2 16; - ( == ) { lemma_at_percent_mod ((v x @% pow2 16) * (-3327)) (pow2 16)} - ((((v x @% pow2 16) * (-3327)) % pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v x @% pow2 16) * (-3327)) 3329 (pow2 16) } - (((v x @% pow2 16) * (-3327)) * 3329) % pow2 16; - ( == ) { } - ((v x @% pow2 16) * (-3327 * 3329)) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r (v x @% pow2 16) (-3327 * 3329) (pow2 16) } - ((v x @% pow2 16) % pow2 16); - ( == ) { lemma_at_percent_mod (v x) (pow2 16) } - (v x) % pow2 16; - }; - Math.Lemmas.modulo_add (pow2 16) (- (v k_times_modulus)) (v x) (v k_times_modulus); - assert ((v x - v k_times_modulus) % pow2 16 == 0); - calc ( == ) { - v result % 3329; - ( == ) { } - (v x / pow2 16 - v k_times_modulus / pow2 16) % 3329; - ( == ) { Math.Lemmas.lemma_div_exact (v x - v k_times_modulus) (pow2 16) } - ((v x - v k_times_modulus) / pow2 16) % 3329; - ( == ) { assert ((pow2 16 * 169) % 3329 == 1) } - (((v x - v k_times_modulus) / pow2 16) * ((pow2 16 * 169) % 3329)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r ((v x - v k_times_modulus) / pow2 16) - (pow2 16 * 169) - 3329 } - (((v x - v k_times_modulus) / pow2 16) * pow2 16 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_div_exact (v x - v k_times_modulus) (pow2 16) } - ((v x - v k_times_modulus) * 169) % 3329; - ( == ) { 
assert (v k_times_modulus == v k * 3329) } - ((v x * 169) - (v k * 3329 * 169)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_sub (v x * 169) 3329 (v k * 169) } - (v x * 169) % 3329; - } - -val lemma_mont_mul_red_i16_int (x y:i16): Lemma - (requires (is_intb (3326 * pow2 15) (v x * v y))) - (ensures ( - let result:i16 = mont_mul_red_i16 x y in - is_i16b 3328 result /\ - v result % 3329 == (v x * v y * 169) % 3329)) - -let lemma_mont_mul_red_i16_int (x y:i16) = - let vlow = x *. y in - let prod = v x * v y in - assert (v vlow == prod @% pow2 16); - let k = vlow *. (neg 3327s) in - assert (v k == (((prod) @% pow2 16) * (- 3327)) @% pow2 16); - let k_times_modulus = (cast k <: i32) *. 3329l in - assert (v k_times_modulus == (v k * 3329)); - let c = cast (k_times_modulus >>! 16l) <: i16 in - assert (v c == (((v k * 3329) / pow2 16) @% pow2 16)); - lemma_div_at_percent (v k * 3329) (pow2 16); - assert (v c == (((v k * 3329) / pow2 16))); - assert (is_i16b 1665 c); - let vhigh = cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16 in - assert (v x @% pow2 32 == v x); - assert (v y @% pow2 32 == v y); - assert (v ((cast x <: i32) *. (cast y <: i32)) == (v x * v y) @% pow2 32); - assert (v vhigh == (((prod) @% pow2 32) / pow2 16) @% pow2 16); - assert_norm (pow2 15 * 3326 < pow2 31); - lemma_range_at_percent prod (pow2 32); - assert (v vhigh == (prod / pow2 16) @% pow2 16); - lemma_div_at_percent prod (pow2 16); - assert (v vhigh == prod / pow2 16); - let result = vhigh -. 
c in - assert (is_i16b 1663 vhigh); - lemma_sub_i16b 1663 1665 vhigh c; - assert (is_i16b 3328 result); - assert (v result = v vhigh - v c); - calc ( == ) { - v k_times_modulus % pow2 16; - ( == ) { assert (v k_times_modulus == v k * 3329) } - (v k * 3329) % pow2 16; - ( == ) { assert (v k = ((prod @% pow2 16) * (-3327)) @% pow2 16) } - ((((prod @% pow2 16) * (-3327)) @% pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (((prod @% pow2 16) * (-3327)) @% pow2 16) 3329 (pow2 16) } - (((((prod @% pow2 16) * (-3327)) @% pow2 16) % pow2 16) * 3329) % pow2 16; - ( == ) { lemma_at_percent_mod ((prod @% pow2 16) * (-3327)) (pow2 16)} - ((((prod @% pow2 16) * (-3327)) % pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((prod @% pow2 16) * (-3327)) 3329 (pow2 16) } - (((prod @% pow2 16) * (-3327)) * 3329) % pow2 16; - ( == ) { } - ((prod @% pow2 16) * (-3327 * 3329)) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r (prod @% pow2 16) (-3327 * 3329) (pow2 16) } - ((prod @% pow2 16) % pow2 16); - ( == ) { lemma_at_percent_mod (prod) (pow2 16) } - (prod) % pow2 16; - }; - Math.Lemmas.modulo_add (pow2 16) (- (v k_times_modulus)) ((prod)) (v k_times_modulus); - assert (((prod) - v k_times_modulus) % pow2 16 == 0); - calc ( == ) { - v result % 3329; - ( == ) { } - (((prod) / pow2 16) - ((v k * 3329) / pow2 16)) % 3329; - ( == ) { Math.Lemmas.lemma_div_exact ((prod) - (v k * 3329)) (pow2 16) } - ((prod - (v k * 3329)) / pow2 16) % 3329; - ( == ) { assert ((pow2 16 * 169) % 3329 == 1) } - (((prod - (v k * 3329)) / pow2 16) * ((pow2 16 * 169) % 3329)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r (((prod) - (v k * 3329)) / pow2 16) - (pow2 16 * 169) - 3329 } - ((((prod) - (v k * 3329)) / pow2 16) * pow2 16 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_div_exact ((prod) - (v k * 3329)) (pow2 16) } - (((prod) - (v k * 3329)) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_sub ((prod) * 169) 3329 (v k * 169)} - ((prod) * 169) % 
3329; - } - - -val lemma_mont_mul_red_i16 (x y:i16): Lemma - (requires (is_i16b 1664 y \/ is_intb (3326 * pow2 15) (v x * v y))) - (ensures ( - let result:i16 = mont_mul_red_i16 x y in - is_i16b 3328 result /\ - v result % 3329 == (v x * v y * 169) % 3329)) - [SMTPat (mont_mul_red_i16 x y)] -let lemma_mont_mul_red_i16 x y = - if is_i16b 1664 y then ( - lemma_mul_intb (pow2 15) 1664 (v x) (v y); - assert(is_intb (3326 * pow2 15) (v x * v y)); - lemma_mont_mul_red_i16_int x y) - else lemma_mont_mul_red_i16_int x y - -let barrett_red (x:i16) = - let t1 = cast (((cast x <: i32) *. (cast 20159s <: i32)) >>! 16l) <: i16 in - let t2 = t1 +. 512s in - let q = t2 >>! 10l in - let qm = q *. 3329s in - x -. qm - -let lemma_barrett_red (x:i16) : Lemma - (requires (is_i16b 28296 x)) - (ensures (let result = barrett_red x in - is_i16b 3328 result /\ - v result % 3329 == v x % 3329)) - [SMTPat (barrett_red x)] - = admit() - -let cond_sub (x:i16) = - let xm = x -. 3329s in - let mask = xm >>! 15l in - let mm = mask &. 3329s in - xm +. mm - -let lemma_cond_sub x: - Lemma (let r = cond_sub x in - if x >=. 3329s then r == x -! 3329s else r == x) - [SMTPat (cond_sub x)] - = admit() - - -let lemma_shift_right_15_i16 (x:i16): - Lemma (if v x >= 0 then (x >>! 15l) == 0s else (x >>! 
15l) == -1s) = - Rust_primitives.Integers.mk_int_v_lemma #i16_inttype 0s; - Rust_primitives.Integers.mk_int_v_lemma #i16_inttype (-1s); - () - -val ntt_spec #len (vec_in: t_Array i16 len) (zeta: int) (i: nat{i < v len}) (j: nat{j < v len}) - (vec_out: t_Array i16 len) : Type0 -let ntt_spec vec_in zeta i j vec_out = - ((v (Seq.index vec_out i) % 3329) == - ((v (Seq.index vec_in i) + (v (Seq.index vec_in j) * zeta * 169)) % 3329)) /\ - ((v (Seq.index vec_out j) % 3329) == - ((v (Seq.index vec_in i) - (v (Seq.index vec_in j) * zeta * 169)) % 3329)) - -val inv_ntt_spec #len (vec_in: t_Array i16 len) (zeta: int) (i: nat{i < v len}) (j: nat{j < v len}) - (vec_out: t_Array i16 len) : Type0 -let inv_ntt_spec vec_in zeta i j vec_out = - ((v (Seq.index vec_out i) % 3329) == - ((v (Seq.index vec_in j) + v (Seq.index vec_in i)) % 3329)) /\ - ((v (Seq.index vec_out j) % 3329) == - (((v (Seq.index vec_in j) - v (Seq.index vec_in i)) * zeta * 169) % 3329)) - From 516b6f31cd2fc769cd6f301028497deee48897b6 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Tue, 29 Oct 2024 20:36:16 +0100 Subject: [PATCH 22/74] cleanup --- Cargo.lock | 189 ++++++++++-------- Cargo.toml | 3 +- libcrux-intrinsics/Cargo.toml | 3 - libcrux-ml-dsa/Cargo.toml | 2 - libcrux-sha3/proofs/fstar/extraction/Makefile | 1 - .../fstar/extraction/Libcrux_platform.X86.fst | 69 ------- 6 files changed, 107 insertions(+), 160 deletions(-) delete mode 100644 libcrux-sha3/proofs/fstar/extraction/Makefile delete mode 100644 sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst diff --git a/Cargo.lock b/Cargo.lock index dc42f03bd..830df0dcd 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -84,9 +84,9 @@ checksum = "7d5a26814d8dcb93b0e5a0ff3c6d80a8843bafb21b39e8e18a6f05471870e110" [[package]] name = "autocfg" -version = "1.4.0" +version = "1.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" +checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" [[package]] name = "base16ct" @@ -126,9 +126,9 @@ dependencies = [ [[package]] name = "bindgen" -version = "0.69.5" +version = "0.69.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "271383c67ccabffb7381723dea0672a673f292304fcb45c01cc648c7a8d58088" +checksum = "a00dc851838a2120612785d195287475a3ac45514741da670b735818822129a0" dependencies = [ "bitflags", "cexpr", @@ -143,7 +143,7 @@ dependencies = [ "regex", "rustc-hash", "shlex", - "syn 2.0.82", + "syn 2.0.77", "which", ] @@ -191,9 +191,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.1.31" +version = "1.1.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c2e7962b54006dcfcc61cb72735f4d89bb97061dd6a7ed882ec6b8ee53714c6f" +checksum = "07b1695e2c7e8fc85310cde85aeaab7e3097f593c91d209d3f9df76c928100f0" dependencies = [ "jobserver", "libc", @@ -290,9 +290,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.20" +version = "4.5.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b97f376d85a664d5837dbae44bf546e6477a679ff6610010f17276f686d867e8" +checksum = "b0956a43b323ac1afaffc053ed5c4b7c1f1800bacd1683c353aabbb752515dd3" dependencies = [ "clap_builder", "clap_derive", 
@@ -300,9 +300,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.20" +version = "4.5.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "19bc80abd44e4bed93ca373a0704ccbd1b710dc5749406201bb018272808dc54" +checksum = "4d72166dd41634086d5803a47eb71ae740e61d84709c36f3c34110173db3961b" dependencies = [ "anstream", "anstyle", @@ -319,7 +319,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.82", + "syn 2.0.77", ] [[package]] @@ -483,7 +483,7 @@ checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.82", + "syn 2.0.77", ] [[package]] @@ -711,10 +711,10 @@ dependencies = [ [[package]] name = "hax-lib" -version = "0.1.0-alpha.1" -source = "git+https://github.com/hacspec/hax/#001a27e20755b65d6a780243a125076fe90e6d0b" +version = "0.1.0-pre.1" +source = "git+https://github.com/hacspec/hax/#c2093b4963099522c65f5cd42b96d6433afb0617" dependencies = [ - "hax-lib-macros 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", + "hax-lib-macros 0.1.0-pre.1", "num-bigint", "num-traits", ] 
@@ -729,20 +729,33 @@ dependencies = [ "proc-macro-error", "proc-macro2", "quote", - "syn 2.0.82", + "syn 2.0.77", ] [[package]] name = "hax-lib-macros" version = "0.1.0-alpha.1" -source = "git+https://github.com/hacspec/hax/#001a27e20755b65d6a780243a125076fe90e6d0b" +source = "git+https://github.com/hacspec/hax?branch=main#001a27e20755b65d6a780243a125076fe90e6d0b" dependencies = [ - "hax-lib-macros-types 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", + "hax-lib-macros-types 0.1.0-alpha.1 (git+https://github.com/hacspec/hax?branch=main)", "paste", "proc-macro-error", "proc-macro2", "quote", - "syn 2.0.82", + "syn 2.0.77", +] + +[[package]] +name = "hax-lib-macros" +version = "0.1.0-pre.1" +source = "git+https://github.com/hacspec/hax/#c2093b4963099522c65f5cd42b96d6433afb0617" +dependencies = [ + "hax-lib-macros-types 0.1.0-pre.1", + "paste", + "proc-macro-error", + "proc-macro2", + "quote", + "syn 2.0.77", ] [[package]] @@ -760,7 +773,19 @@ dependencies = [ [[package]] name = "hax-lib-macros-types" version = "0.1.0-alpha.1" -source = "git+https://github.com/hacspec/hax/#001a27e20755b65d6a780243a125076fe90e6d0b" +source = "git+https://github.com/hacspec/hax?branch=main#001a27e20755b65d6a780243a125076fe90e6d0b" +dependencies = [ + "proc-macro2", + "quote", + "serde", + "serde_json", + "uuid", +] + +[[package]] +name = "hax-lib-macros-types" +version = "0.1.0-pre.1" +source = "git+https://github.com/hacspec/hax/#c2093b4963099522c65f5cd42b96d6433afb0617" dependencies = [ "proc-macro2", "quote", @@ -884,9 +909,9 @@ dependencies = [ [[package]] name = "js-sys" -version = "0.3.72" +version = "0.3.70" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6a88f1bda2bd75b0452a14784937d796722fdebfe50df998aeb3f0b7603019a9" +checksum = "1868808506b929d7b0cfa8f75951347aa71bb21144b7791bae35d9bccfcfe37a" dependencies = [ "wasm-bindgen", ] 
@@ -924,9 +949,9 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.161" +version = "0.2.158" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e9489c2807c139ffd9c1794f4af0ebe86a828db53ecdc7fea2111d0fed085d1" +checksum = "d8adc4bb1803a324070e64a98ae98f38934d91957a99cfb3a43dcbc01bc56439" [[package]] name = "libcrux" @@ -934,6 +959,8 @@ version = "0.0.2-beta.2" dependencies = [ "clap", "getrandom", + "hax-lib 0.1.0-alpha.1", + "hax-lib-macros 0.1.0-alpha.1 (git+https://github.com/hacspec/hax?branch=main)", "hex", "libcrux", "libcrux-ecdh", @@ -1006,9 +1033,6 @@ dependencies = [ [[package]] name = "libcrux-intrinsics" version = "0.0.2-beta.2" -dependencies = [ - "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions)", -] [[package]] name = "libcrux-kem" @@ -1027,7 +1051,6 @@ name = "libcrux-ml-dsa" version = "0.0.2-beta.2" dependencies = [ "criterion", - "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions)", "hex", "libcrux-intrinsics", "libcrux-platform", @@ -1043,7 +1066,7 @@ name = "libcrux-ml-kem" version = "0.0.2-beta.2" dependencies = [ "criterion", - "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", + "hax-lib 0.1.0-pre.1", "hex", "libcrux-intrinsics", "libcrux-platform", @@ -1089,7 +1112,7 @@ version = "0.0.2-beta.2" dependencies = [ "cavp", "criterion", - "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", + "hax-lib 0.1.0-pre.1", "hex", "libcrux-intrinsics", "libcrux-platform", @@ -1202,9 +1225,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.20.2" +version = "1.19.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775" +checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "oorandom" 
@@ -1220,9 +1243,9 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" [[package]] name = "openssl" -version = "0.10.68" +version = "0.10.66" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6174bc48f102d208783c2c84bf931bb75927a617866870de8a4ea85597f871f5" +checksum = "9529f4786b70a3e8c61e11179af17ab6188ad8d0ded78c5529441ed39d4bd9c1" dependencies = [ "bitflags", "cfg-if", @@ -1241,14 +1264,14 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.82", + "syn 2.0.77", ] [[package]] name = "openssl-sys" -version = "0.9.104" +version = "0.9.103" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741" +checksum = "7f9e8deee91df40a943c71b917e5874b951d32a802526c85721ce3b776c929d6" dependencies = [ "cc", "libc", @@ -1403,12 +1426,12 @@ dependencies = [ [[package]] name = "prettyplease" -version = "0.2.24" +version = "0.2.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "910d41a655dac3b764f1ade94821093d3610248694320cd072303a8eedcf221d" +checksum = "479cf940fbbb3426c32c5d5176f62ad57549a0bb84773423ba8be9d089f5faba" dependencies = [ "proc-macro2", - "syn 2.0.82", + "syn 2.0.77", ] [[package]] @@ -1446,9 +1469,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.88" +version = "1.0.86" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7c3a7fc5db1e57d5a779a352c8cdb57b29aa4c40cc69c3a68a7fedc815fbf2f9" +checksum = "5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77" dependencies = [ "unicode-ident", ] 
@@ -1536,9 +1559,9 @@ dependencies = [ [[package]] name = "regex" -version = "1.11.0" +version = "1.10.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38200e5ee88914975b69f657f0801b6f6dccafd44fd9326302a4aaeecfacb1d8" +checksum = "4219d74c6b67a3654a9fbebc4b419e22126d13d2f3c4a07ee0cb61ff79a79619" dependencies = [ "aho-corasick", "memchr", @@ -1548,9 +1571,9 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.4.8" +version = "0.4.7" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "368758f23274712b504848e9d5a6f010445cc8b87a7cdb4d7cbee666c1288da3" +checksum = "38caf58cc5ef2fed281f89292ef23f6365465ed9a41b7a7754eb4e26496c92df" dependencies = [ "aho-corasick", "memchr", @@ -1559,9 +1582,9 @@ dependencies = [ [[package]] name = "regex-syntax" -version = "0.8.5" +version = "0.8.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c" +checksum = "7a66a03ae7c801facd77a29370b4faec201768915ac14a721ba36f20bc9c209b" [[package]] name = "rfc6979" 
@@ -1659,29 +1682,29 @@ checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b" [[package]] name = "serde" -version = "1.0.211" +version = "1.0.210" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1ac55e59090389fb9f0dd9e0f3c09615afed1d19094284d0b200441f13550793" +checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.211" +version = "1.0.210" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "54be4f245ce16bc58d57ef2716271d0d4519e0f6defa147f6e081005bcb278ff" +checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f" dependencies = [ "proc-macro2", "quote", - "syn 2.0.82", + "syn 2.0.77", ] [[package]] name = "serde_json" -version = "1.0.132" +version = "1.0.128" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d726bfaff4b320266d395898905d0eba0345aae23b54aee3a737e260fd46db03" +checksum = "6ff5456707a1de34e7e37f2a6fd3d3f808c318259cbd01ab6377795054b483d8" dependencies = [ "itoa", "memchr", @@ -1773,9 +1796,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.82" +version = "2.0.77" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "83540f837a8afc019423a8edb95b52a8effe46957ee402287f4292fae35be021" +checksum = "9f35bcdf61fd8e7be6caf75f429fdca8beb3ed76584befb503b1569faee373ed" dependencies = [ "proc-macro2", "quote", @@ -1837,9 +1860,9 @@ checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" [[package]] name = "uuid" -version = "1.11.0" +version = "1.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8c5f0a0af699448548ad1a2fbf920fb4bee257eae39953ba95cb84891a0446a" +checksum = "81dfa00651efa65069b0b6b651f4aaa31ba9e3c3ce0137aaad053604ee7e0314" dependencies = [ "getrandom", ] 
@@ -1874,9 +1897,9 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" [[package]] name = "wasm-bindgen" -version = "0.2.95" +version = "0.2.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "128d1e363af62632b8eb57219c8fd7877144af57558fb2ef0368d0087bddeb2e" +checksum = "a82edfc16a6c469f5f44dc7b571814045d60404b55a0ee849f9bcfa2e63dd9b5" dependencies = [ "cfg-if", "once_cell", @@ -1885,24 +1908,24 @@ dependencies = [ [[package]] name = "wasm-bindgen-backend" -version = "0.2.95" +version = "0.2.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cb6dd4d3ca0ddffd1dd1c9c04f94b868c37ff5fac97c30b97cff2d74fce3a358" +checksum = "9de396da306523044d3302746f1208fa71d7532227f15e347e2d93e4145dd77b" dependencies = [ "bumpalo", "log", "once_cell", "proc-macro2", "quote", - "syn 2.0.82", + "syn 2.0.77", "wasm-bindgen-shared", ] [[package]] name = "wasm-bindgen-futures" -version = "0.4.45" +version = "0.4.43" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cc7ec4f8827a71586374db3e87abdb5a2bb3a15afed140221307c3ec06b1f63b" +checksum = "61e9300f63a621e96ed275155c108eb6f843b6a26d053f122ab69724559dc8ed" dependencies = [ "cfg-if", "js-sys", @@ -1912,9 +1935,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.95" +version = "0.2.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e79384be7f8f5a9dd5d7167216f022090cf1f9ec128e6e6a482a2cb5c5422c56" +checksum = "585c4c91a46b072c92e908d99cb1dcdf95c5218eeb6f3bf1efa991ee7a68cccf" dependencies = [ "quote", "wasm-bindgen-macro-support", 
@@ -1922,28 +1945,28 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.95" +version = "0.2.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26c6ab57572f7a24a4985830b120de1594465e5d500f24afe89e16b4e833ef68" +checksum = "afc340c74d9005395cf9dd098506f7f44e38f2b4a21c6aaacf9a105ea5e1e836" dependencies = [ "proc-macro2", "quote", - "syn 2.0.82", + "syn 2.0.77", "wasm-bindgen-backend", "wasm-bindgen-shared", ] [[package]] name = "wasm-bindgen-shared" -version = "0.2.95" +version = "0.2.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "65fc09f10666a9f147042251e0dda9c18f166ff7de300607007e96bdebc1068d" +checksum = "c62a0a307cb4a311d3a07867860911ca130c3494e8c2719593806c08bc5d0484" [[package]] name = "wasm-bindgen-test" -version = "0.3.45" +version = "0.3.43" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d381749acb0943d357dcbd8f0b100640679883fcdeeef04def49daf8d33a5426" +checksum = "68497a05fb21143a08a7d24fc81763384a3072ee43c44e86aad1744d6adef9d9" dependencies = [ "console_error_panic_hook", "js-sys", @@ -1956,20 +1979,20 @@ dependencies = [ [[package]] name = "wasm-bindgen-test-macro" -version = "0.3.45" +version = "0.3.43" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c97b2ef2c8d627381e51c071c2ab328eac606d3f69dd82bcbca20a9e389d95f0" +checksum = "4b8220be1fa9e4c889b30fd207d4906657e7e90b12e0e6b0c8b8d8709f5de021" dependencies = [ "proc-macro2", "quote", - "syn 2.0.82", + "syn 2.0.77", ] [[package]] name = "web-sys" -version = "0.3.72" +version = "0.3.70" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6488b90108c040df0fe62fa815cbdee25124641df01814dd7282749234c6112" +checksum = "26fdeaafd9bd129f65e7c031593c24d62186301e0c72c8978fa1678be7d532c0" dependencies = [ "js-sys", "wasm-bindgen", 
@@ -2120,7 +2143,7 @@ checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.82", + "syn 2.0.77", ] [[package]] @@ -2140,5 +2163,5 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ "proc-macro2", "quote", - "syn 2.0.82", + "syn 2.0.77", ] diff --git a/Cargo.toml b/Cargo.toml index aef7bc2b2..561c1ce67 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -77,8 +77,7 @@ getrandom = { version = "0.2", features = ["js"], optional = true } # When using the hax toolchain, we have more dependencies. # This is only required when doing proofs. -#[target.'cfg(hax)'.dependencies] -[workspace.dependencies] +[target.'cfg(hax)'.dependencies] hax-lib-macros = { git = "https://github.com/hacspec/hax", branch = "main" } hax-lib = { git = "https://github.com/hacspec/hax/", branch = "fstar-proof-lib-small-additions" } diff --git a/libcrux-intrinsics/Cargo.toml b/libcrux-intrinsics/Cargo.toml index 5cacc5bee..144f7137d 100644 --- a/libcrux-intrinsics/Cargo.toml +++ b/libcrux-intrinsics/Cargo.toml @@ -10,9 +10,6 @@ readme.workspace = true description = "Libcrux intrinsics crate" exclude = ["/proofs"] -[dependencies] -hax-lib.workspace = true - [features] simd128 = [] simd256 = [] diff --git a/libcrux-ml-dsa/Cargo.toml b/libcrux-ml-dsa/Cargo.toml index bd57d33c7..d451f7c23 100644 --- a/libcrux-ml-dsa/Cargo.toml +++ b/libcrux-ml-dsa/Cargo.toml @@ -20,8 +20,6 @@ libcrux-sha3 = { version = "0.0.2-beta.2", path = "../libcrux-sha3" } libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics" } libcrux-platform = { version = "0.0.2-beta.2", path = "../sys/platform" } -hax-lib.workspace = true - [dev-dependencies] rand = { version = "0.8" } hex = { version = "0.4.3", features = ["serde"] } diff --git a/libcrux-sha3/proofs/fstar/extraction/Makefile b/libcrux-sha3/proofs/fstar/extraction/Makefile deleted file mode 100644 index ec420d509..000000000 
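Review bot: The two hax entries re-introduced under `[target.'cfg(hax)'.dependencies]` track floating git branches (`branch = "main"` and `branch = "fstar-proof-lib-small-additions"`) with no `rev`, so the code that proof builds pull in is whatever those branches point to when the lockfile is next regenerated, and it can change under a contributor without any visible change to Cargo.toml. The Cargo.lock hunks earlier in this same commit show the practical effect: two copies of hax-lib (`0.1.0-alpha.1` and `0.1.0-pre.1`) from two different hax revisions, which is easy to get wrong and hard to audit. I would pin both to the same commit and source, e.g. `hax-lib-macros = { git = "https://github.com/hacspec/hax", rev = "<hax commit>" }` and `hax-lib = { git = "https://github.com/hacspec/hax", rev = "<hax commit>" }`, and note in the comment above them that bumping the pin is the intended way to take a new toolchain version. The two URLs also differ by a trailing slash; normalizing them avoids one more source of accidental divergence.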
--- a/libcrux-sha3/proofs/fstar/extraction/Makefile +++ /dev/null @@ -1 +0,0 @@ -include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst deleted file mode 100644 index 0e4db4e49..000000000 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst +++ /dev/null 
@@ -1,69 +0,0 @@ -module Libcrux_platform.X86 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul - -(* item error backend: (reject_Unsafe) ExplicitRejection { reason: "a node of kind [Unsafe] have been found in the AST" } -Last available AST for this item: - -#[inline(never)] -#[inline(always)] -#[cfg(any(target_arch = "x86", target_arch = "x86_64"))] -#[allow(non_upper_case_globals)] -#[no_std()] -#[feature(register_tool)] -#[register_tool(_hax)] -unsafe fn init__cpuid(leaf: int) -> core::core_arch::x86::cpuid::t_CpuidResult { - rust_primitives::hax::dropped_body -} - - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_platform"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "x86"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "init"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "cpuid"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (reject_Unsafe) ExplicitRejection { reason: "a node of kind [Unsafe] have been found in the AST" } -Last available AST for this item: - -#[inline(never)] -#[inline(always)] -#[cfg(any(target_arch = "x86", target_arch = "x86_64"))] -#[allow(non_upper_case_globals)] -#[no_std()] -#[feature(register_tool)] -#[register_tool(_hax)] -unsafe fn init__cpuid_count( - leaf: int, - sub_leaf: int, -) -> core::core_arch::x86::cpuid::t_CpuidResult { - rust_primitives::hax::dropped_body -} - - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_platform"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "x86"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "init"); disambiguator = 0 }; - { 
Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "cpuid_count"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) From 3400e59d1feb387080b9f52b64fb1dc6e954769e Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Tue, 29 Oct 2024 20:44:50 +0100 Subject: [PATCH 23/74] cleanup --- libcrux-intrinsics/Cargo.toml | 2 + .../Libcrux_intrinsics.Arm64_extract.fsti | 2 +- .../Libcrux_intrinsics.Avx2_extract.fsti | 348 +++++++----------- libcrux-intrinsics/src/arm64_extract.rs | 9 - libcrux-intrinsics/src/avx2_extract.rs | 158 +------- 5 files changed, 141 insertions(+), 378 deletions(-) diff --git a/libcrux-intrinsics/Cargo.toml b/libcrux-intrinsics/Cargo.toml index 144f7137d..cdc0acc2b 100644 --- a/libcrux-intrinsics/Cargo.toml +++ b/libcrux-intrinsics/Cargo.toml @@ -10,6 +10,8 @@ readme.workspace = true description = "Libcrux intrinsics crate" exclude = ["/proofs"] +[dependencies] + [features] simd128 = [] simd256 = [] diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti index d4014e6a8..a03c287ec 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti @@ -1,5 +1,5 @@ module Libcrux_intrinsics.Arm64_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti index 16d93fb14..5ac496e48 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti 
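Review bot: The added `[dependencies]` table in libcrux-intrinsics/Cargo.toml is empty, so it changes nothing and reads as a leftover from the `hax-lib.workspace = true` line removed in the previous commit; either drop the header or make its purpose explicit with a comment such as `# Intentionally empty: keep this crate dependency-free.`. If the intent is that hax-lib is only ever pulled in via the workspace root's `cfg(hax)` target dependencies, saying so here would stop the next reader from re-adding it.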
@@ -1,301 +1,207 @@ module Libcrux_intrinsics.Avx2_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -val mm256_movemask_ps (a: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) +val mm256_abs_epi32 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_add_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_add_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_add_epi64 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_and_si256 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -unfold type t_Vec128 = bit_vec 128 -val vec128_as_i16x8 (x: bit_vec 128) : t_Array i16 (sz 8) -let get_lane128 (v: bit_vec 128) (i:nat{i < 8}) = Seq.index (vec128_as_i16x8 v) i +val mm256_andnot_si256 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -unfold type t_Vec256 = bit_vec 256 -val vec256_as_i16x16 (x: bit_vec 256) : t_Array i16 (sz 16) -let get_lane (v: bit_vec 256) (i:nat{i < 16}) = Seq.index (vec256_as_i16x16 v) i +val mm256_blend_epi16 (v_CONTROL: i32) (lhs rhs: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_abs_epi32 (a: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_blend_epi32 (v_CONTROL: i32) (lhs rhs: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_add_epi16 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 - Prims.l_True - (ensures - fun result -> - let result:t_Vec256 = result in - vec256_as_i16x16 result == - Spec.Utils.map2 ( +. 
) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs)) +val mm256_bsrli_epi128 (v_SHIFT_BY: i32) (x: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_add_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_castsi128_si256 (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_add_epi64 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_castsi256_ps (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_andnot_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_castsi256_si128 (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_blend_epi16 (v_CONTROL: i32) (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_cmpeq_epi32 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_blend_epi32 (v_CONTROL: i32) (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_cmpgt_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_bsrli_epi128 (v_SHIFT_BY: i32) (x: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_cmpgt_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_castsi128_si256 (vector: t_Vec128) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_cvtepi16_epi32 (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_castsi256_ps (a: t_Vec256) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) +val mm256_extracti128_si256 (v_CONTROL: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_cmpeq_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_inserti128_si256 (v_CONTROL: i32) (vector vector_i128: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_cmpgt_epi16 
(lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_loadu_si256_i16 (input: t_Slice i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_cmpgt_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_loadu_si256_i32 (input: t_Slice i32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_cvtepi16_epi32 (vector: t_Vec128) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_loadu_si256_u8 (input: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_inserti128_si256 (v_CONTROL: i32) (vector: t_Vec256) (vector_i128: t_Vec128) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_madd_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_loadu_si256_i16 (input: t_Slice i16) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_movemask_ps (a: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_mul_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_loadu_si256_i32 (input: t_Slice i32) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_mul_epu32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_loadu_si256_u8 (input: t_Slice u8) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_mulhi_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_mul_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_mullo_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_mul_epu32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_mullo_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_mulhi_epi16 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 - Prims.l_True - (ensures - fun result -> - let 
result:t_Vec256 = result in - vec256_as_i16x16 result == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (vec256_as_i16x16 lhs) - (vec256_as_i16x16 rhs)) +val mm256_or_si256 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_mullo_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_packs_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_or_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_permute2x128_si256 (v_IMM8: i32) (a b: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_packs_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_permute4x64_epi64 (v_CONTROL: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_permute2x128_si256 (v_IMM8: i32) (a b: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_permutevar8x32_epi32 (vector control: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_permute4x64_epi64 (v_CONTROL: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_set1_epi16 (constant: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_permutevar8x32_epi32} +val mm256_set1_epi32 (constant: i32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_set1_epi32 (constant: i32) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_set1_epi64x (a: i64) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_set1_epi64x (a: i64) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_set_epi16 + (input15 input14 input13 input12 input11 input10 input9 input8 input7 input6 input5 input4 input3 input2 input1 input0: + i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics 
{mm256_set_epi32} +val mm256_set_epi32 (input7 input6 input5 input4 input3 input2 input1 input0: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) val mm256_set_epi64x (input3 input2 input1 input0: i64) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_set_epi8 + (byte31 byte30 byte29 byte28 byte27 byte26 byte25 byte24 byte23 byte22 byte21 byte20 byte19 byte18 byte17 byte16 byte15 byte14 byte13 byte12 byte11 byte10 byte9 byte8 byte7 byte6 byte5 byte4 byte3 byte2 byte1 byte0: + i8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_set_m128i (hi lo: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_setzero_si256: Prims.unit -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_set_epi8} +val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_set_m128i (hi lo: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_shuffle_epi8 (vector control: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_setzero_si256: Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_sign_epi32 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_slli_epi16 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_shuffle_epi8} +val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_sign_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_slli_epi64 (v_LEFT: i32) (x: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) - : Prims.Pure 
t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_sllv_epi32 (vector counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_slli_epi64 (v_LEFT: i32) (x: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srai_epi16 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_sllv_epi32} +val mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srai_epi16 (v_SHIFT_BY: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 - (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l) - (ensures - fun result -> - let result:t_Vec256 = result in - vec256_as_i16x16 result == - Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (vec256_as_i16x16 vector)) +val mm256_srli_epi16 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srli_epi64 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srlv_epi32 (vector counts: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srlv_epi32 (vector counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srlv_epi64 (vector counts: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srlv_epi64 (vector counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_storeu_si256_i16 (output: t_Slice i16) (vector: t_Vec256) - : Prims.Pure (t_Slice i16) - Prims.l_True - (ensures - fun output_future -> - let output_future:t_Slice i16 = output_future in - 
(Core.Slice.impl__len #i16 output_future <: usize) =. - (Core.Slice.impl__len #i16 output <: usize)) +val mm256_storeu_si256_i16 (output: t_Slice i16) (vector: u8) + : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True) -val mm256_storeu_si256_i32 (output: t_Slice i32) (vector: t_Vec256) +val mm256_storeu_si256_i32 (output: t_Slice i32) (vector: u8) : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) -val mm256_storeu_si256_u8 (output: t_Slice u8) (vector: t_Vec256) +val mm256_storeu_si256_u8 (output: t_Slice u8) (vector: u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val mm256_sub_epi16 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 - Prims.l_True - (ensures - fun result -> - let result:t_Vec256 = result in - vec256_as_i16x16 result == - Spec.Utils.map2 ( -. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs)) - -val mm256_sub_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_testz_si256 (lhs rhs: t_Vec256) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_unpackhi_epi32 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_unpackhi_epi64 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_unpacklo_epi32 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_unpacklo_epi64 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_xor_si256 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm_add_epi16 (lhs rhs: t_Vec128) - : Prims.Pure t_Vec128 - Prims.l_True - (ensures - fun result -> - let result:t_Vec128 = result in - vec128_as_i16x8 result == - Spec.Utils.map2 ( +. 
) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs)) - -include BitVec.Intrinsics {mm_loadu_si128} - -val mm_mulhi_epi16 (lhs rhs: t_Vec128) - : Prims.Pure t_Vec128 - Prims.l_True - (ensures - fun result -> - let result:t_Vec128 = result in - vec128_as_i16x8 result == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (vec128_as_i16x8 lhs) - (vec128_as_i16x8 rhs)) - -val mm_mullo_epi16 (lhs rhs: t_Vec128) - : Prims.Pure t_Vec128 - Prims.l_True - (ensures - fun result -> - let result:t_Vec128 = result in - vec128_as_i16x8 result == - Spec.Utils.map2 mul_mod (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs)) - -val mm_set1_epi16 (constant: i16) - : Prims.Pure t_Vec128 - Prims.l_True - (ensures - fun result -> - let result:t_Vec128 = result in - vec128_as_i16x8 result == Spec.Utils.create (sz 8) constant) +val mm256_sub_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_set_epi32 (input3 input2 input1 input0: i32) - : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) +val mm256_sub_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm_set_epi8} +val mm256_testz_si256 (lhs rhs: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm_shuffle_epi8} +val mm256_unpackhi_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_sllv_epi32 (vector counts: t_Vec128) - : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) +val mm256_unpackhi_epi64 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_srli_epi64 (v_SHIFT_BY: i32) (vector: t_Vec128) - : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) +val mm256_unpacklo_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm_storeu_bytes_si128} +val mm256_unpacklo_epi64 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_storeu_si128 (output: t_Slice i16) 
(vector: t_Vec128) - : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True) +val mm256_xor_si256 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_storeu_si128_i32 (output: t_Slice i32) (vector: t_Vec128) - : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) +val mm_add_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm_loadu_si128 (input: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_sub_epi16 (lhs rhs: t_Vec128) - : Prims.Pure t_Vec128 - Prims.l_True - (ensures - fun result -> - let result:t_Vec128 = result in - vec128_as_i16x8 result == - Spec.Utils.map2 ( -. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs)) +val mm_movemask_epi8 (vector: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -val vec256_blendv_epi32 (a b mask: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm_mulhi_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_and_si256 as mm256_and_si256} -val lemma_mm256_and_si256 lhs rhs - : Lemma ( vec256_as_i16x16 (mm256_and_si256 lhs rhs) - == Spec.Utils.map2 (&.) 
(vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs) - ) - [SMTPat (vec256_as_i16x16 (mm256_and_si256 lhs rhs))] +val mm_mullo_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_castsi256_si128 as mm256_castsi256_si128} +val mm_packs_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_extracti128_si256 as mm256_extracti128_si256} +val mm_set1_epi16 (constant: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_madd_epi16 as mm256_madd_epi16} +val mm_set_epi32 (input3 input2 input1 input0: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_mullo_epi16 as mm256_mullo_epi16} -let lemma_mm256_mullo_epi16 v1 v2 : - Lemma (vec256_as_i16x16 (mm256_mullo_epi16 v1 v2) == - Spec.Utils.map2 mul_mod (vec256_as_i16x16 v1) (vec256_as_i16x16 v2)) - [SMTPat (vec256_as_i16x16 (mm256_mullo_epi16 v1 v2))] = admit() +val mm_set_epi8 + (byte15 byte14 byte13 byte12 byte11 byte10 byte9 byte8 byte7 byte6 byte5 byte4 byte3 byte2 byte1 byte0: + u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_set1_epi16 as mm256_set1_epi16} -val lemma_mm256_set1_epi16 constant - : Lemma ( vec256_as_i16x16 (mm256_set1_epi16 constant) - == Spec.Utils.create (sz 16) constant - ) - [SMTPat (vec256_as_i16x16 (mm256_set1_epi16 constant))] +val mm_shuffle_epi8 (vector control: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_set_epi16 as mm256_set_epi16} -let lemma_mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 : - Lemma (vec256_as_i16x16 (mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) == - Spec.Utils.create16 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15) - [SMTPat (vec256_as_i16x16 (mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0))] = admit() +val mm_sllv_epi32 (vector 
counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_slli_epi16 as mm256_slli_epi16} +val mm_srli_epi64 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_srli_epi16 as mm256_srli_epi16} +val mm_storeu_bytes_si128 (output: t_Slice u8) (vector: u8) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_srli_epi64 as mm256_srli_epi64} +val mm_storeu_si128 (output: t_Slice i16) (vector: u8) + : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True) + +val mm_storeu_si128_i32 (output: t_Slice i32) (vector: u8) + : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm_movemask_epi8 as mm_movemask_epi8} +val mm_sub_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm_packs_epi16 as mm_packs_epi16} +val vec256_blendv_epi32 (a b mask: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-intrinsics/src/arm64_extract.rs b/libcrux-intrinsics/src/arm64_extract.rs index d41241275..e43abc8f4 100644 --- a/libcrux-intrinsics/src/arm64_extract.rs +++ b/libcrux-intrinsics/src/arm64_extract.rs @@ -3,23 +3,14 @@ #![allow(non_camel_case_types, unsafe_code, unused_variables)] -#[hax_lib::opaque_type] pub type _uint16x4_t = u8; -#[hax_lib::opaque_type] pub type _int16x4_t = u8; -#[hax_lib::opaque_type] pub type _int16x8_t = u8; -#[hax_lib::opaque_type] pub type _uint8x16_t = u8; -#[hax_lib::opaque_type] pub type _uint16x8_t = u8; -#[hax_lib::opaque_type] pub type _uint32x4_t = u8; -#[hax_lib::opaque_type] pub type _int32x4_t = u8; -#[hax_lib::opaque_type] pub type _uint64x2_t = u8; -#[hax_lib::opaque_type] pub type _int64x2_t = u8; #[inline(always)] diff --git a/libcrux-intrinsics/src/avx2_extract.rs b/libcrux-intrinsics/src/avx2_extract.rs index ce78d81e5..8afb4ab49 100644 
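Review bot: With `#[hax_lib::opaque_type]` removed from all nine aliases in this hunk, every NEON vector type is now literally `u8` in the extracted model, so the proof side can no longer tell `_int16x8_t` from `_uint8x16_t` or `_uint64x2_t`, and a width- or lane-mismatched argument would presumably type-check there. The avx2 hunk `@@ -3,33 +3,7 @@` has the same effect for `Vec256`/`Vec128`, visible in the F* interface hunk above where `mm256_set_m128i (hi lo: u8) : Prims.Pure u8` merges 128- and 256-bit vectors. If this collapse is a deliberate interim step, a comment on the first alias such as `// NOTE: all vector types are modelled as u8; the extracted model does not distinguish widths or lane types` would keep the next reader from relying on model-level type safety.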
--- a/libcrux-intrinsics/src/avx2_extract.rs +++ b/libcrux-intrinsics/src/avx2_extract.rs @@ -3,33 +3,7 @@ #![allow(unused_variables, non_camel_case_types)] -#[cfg(hax)] -#[derive(Clone, Copy)] -#[hax_lib::fstar::replace( - interface, - r#" -unfold type $:{Vec256} = bit_vec 256 -val vec256_as_i16x16 (x: bit_vec 256) : t_Array i16 (sz 16) -let get_lane (v: bit_vec 256) (i:nat{i < 16}) = Seq.index (vec256_as_i16x16 v) i -"# -)] -pub struct Vec256(u8); - -#[cfg(hax)] -#[derive(Copy, Clone)] -#[hax_lib::fstar::replace( - interface, - r#" -unfold type $:{Vec128} = bit_vec 128 -val vec128_as_i16x8 (x: bit_vec 128) : t_Array i16 (sz 8) -let get_lane128 (v: bit_vec 128) (i:nat{i < 8}) = Seq.index (vec128_as_i16x8 v) i -"# -)] -pub struct Vec128(u8); - -#[cfg(not(hax))] pub type Vec256 = u8; -#[cfg(not(hax))] pub type Vec128 = u8; pub type Vec256Float = u8; @@ -37,8 +11,6 @@ pub fn mm256_storeu_si256_u8(output: &mut [u8], vector: Vec256) { debug_assert_eq!(output.len(), 32); unimplemented!() } - -#[hax_lib::ensures(|()| future(output).len() == output.len())] pub fn mm256_storeu_si256_i16(output: &mut [i16], vector: Vec256) { debug_assert_eq!(output.len(), 16); unimplemented!() @@ -57,13 +29,11 @@ pub fn mm_storeu_si128_i32(output: &mut [i32], vector: Vec128) { unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_storeu_bytes_si128}")] pub fn mm_storeu_bytes_si128(output: &mut [u8], vector: Vec128) { debug_assert_eq!(output.len(), 16); unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_loadu_si128}")] pub fn mm_loadu_si128(input: &[u8]) -> Vec128 { debug_assert_eq!(input.len(), 16); unimplemented!() @@ -89,7 +59,6 @@ pub fn mm256_set_m128i(hi: Vec128, lo: Vec128) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_set_epi8}")] pub fn mm_set_epi8( byte15: u8, byte14: u8, 
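Review bot: The dropped `#[hax_lib::ensures(|()| future(output).len() == output.len())]` on `mm256_storeu_si256_i16` depends only on the `output` slice, not on the removed `Vec256` lane model, so it could have been kept; the F* interface hunk above now gives this function the trivial postcondition `(fun _ -> Prims.l_True)`. The same applies in `@@ -381,9 +282,6 @@`, where `#[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)]` on `mm256_srai_epi16` is removed although it references only the shift constant, leaving the bound enforced solely by the `debug_assert!`, i.e. in debug builds and not in the verified model. Suggest restoring both attributes and removing only the clauses that refer to `vec256_as_i16x16`/`vec128_as_i16x8`. The body of `mm256_srai_epi16` continues past the end of that hunk.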
@@ -111,7 +80,6 @@ pub fn mm_set_epi8( unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_set_epi8}")] pub fn mm256_set_epi8( byte31: i8, byte30: i8, @@ -149,33 +117,9 @@ pub fn mm256_set_epi8( unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.create (sz 16) $constant"))] -#[hax_lib::fstar::replace( - interface, - r#" -include BitVec.Intrinsics {mm256_set1_epi16 as ${mm256_set1_epi16}} -val lemma_mm256_set1_epi16 constant - : Lemma ( vec256_as_i16x16 (mm256_set1_epi16 constant) - == Spec.Utils.create (sz 16) constant - ) - [SMTPat (vec256_as_i16x16 (mm256_set1_epi16 constant))] -"# -)] pub fn mm256_set1_epi16(constant: i16) -> Vec256 { unimplemented!() } - -#[hax_lib::fstar::replace( - interface, - r#" -include BitVec.Intrinsics {mm256_set_epi16 as ${mm256_set_epi16}} -let lemma_mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 : - Lemma (vec256_as_i16x16 (${mm256_set_epi16} v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) == - Spec.Utils.create16 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15) - [SMTPat (vec256_as_i16x16 (${mm256_set_epi16} v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0))] = admit() -"# -)] pub fn mm256_set_epi16( input15: i16, input14: i16, @@ -197,8 +141,6 @@ pub fn mm256_set_epi16( unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == - Spec.Utils.create (sz 8) $constant"))] #[inline(always)] pub fn mm_set1_epi16(constant: i16) -> Vec128 { unimplemented!() @@ -213,8 +155,6 @@ pub fn mm256_set1_epi32(constant: i32) -> Vec256 { pub fn mm_set_epi32(input3: i32, input2: i32, input1: i32, input0: i32) -> Vec128 { unimplemented!() } - -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_set_epi32}")] #[inline(always)] pub fn mm256_set_epi32( input7: i32, 
@@ -229,27 +169,15 @@ pub fn mm256_set_epi32( unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == - Spec.Utils.map2 (+.) (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))] +#[inline(always)] pub fn mm_add_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { unimplemented!() } - -#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == - Spec.Utils.map2 (-.) (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))] -pub fn mm_sub_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { - unimplemented!() -} - -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.map2 (+.) (vec256_as_i16x16 $lhs) (vec256_as_i16x16 $rhs)"))] +#[inline(always)] pub fn mm256_add_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_madd_epi16 as ${mm256_madd_epi16}}" -)] +#[inline(always)] pub fn mm256_madd_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } @@ -258,12 +186,6 @@ pub fn mm256_add_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.map2 (-.) (vec256_as_i16x16 $lhs) (vec256_as_i16x16 $rhs)"))] -pub fn mm256_sub_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { - unimplemented!() -} - #[inline(always)] pub fn mm256_add_epi64(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() 
@@ -274,26 +196,21 @@ pub fn mm256_abs_epi32(a: Vec256) -> Vec256 { unimplemented!() } +pub fn mm256_sub_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} pub fn mm256_sub_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - r#" -include BitVec.Intrinsics {mm256_mullo_epi16 as ${mm256_mullo_epi16}} -let lemma_mm256_mullo_epi16 v1 v2 : - Lemma (vec256_as_i16x16 (${mm256_mullo_epi16} v1 v2) == - Spec.Utils.map2 mul_mod (vec256_as_i16x16 v1) (vec256_as_i16x16 v2)) - [SMTPat (vec256_as_i16x16 (${mm256_mullo_epi16} v1 v2))] = admit() -"# -)] +pub fn mm_sub_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { + unimplemented!() +} + pub fn mm256_mullo_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == - Spec.Utils.map2 mul_mod (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))] pub fn mm_mullo_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { unimplemented!() } @@ -326,9 +243,6 @@ pub fn mm256_movemask_ps(a: Vec256Float) -> i32 { unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))] pub fn mm_mulhi_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { unimplemented!() } @@ -337,8 +251,6 @@ pub fn mm256_mullo_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) (vec256_as_i16x16 $lhs) (vec256_as_i16x16 $rhs)"))] pub fn mm256_mulhi_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } 
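Review bot: The re-added `mm256_sub_epi16` and `mm_sub_epi16` in this hunk carry no `#[inline(always)]`, while the sibling hunk `@@ -229,27 +169,15 @@` adds exactly that attribute to `mm_add_epi16`, `mm256_add_epi16` and `mm256_madd_epi16`, and `@@ -549,9 +416,6 @@` drops it from `mm256_sllv_epi32` together with the `fstar::replace` attribute, which looks accidental. As far as the collapsed layout shows, the new `mm256_sub_epi16` is also inserted with no blank line between the preceding `}` and the following `mm256_sub_epi32`. Suggest `#[inline(always)]` on both re-added functions, restoring it on `mm256_sllv_epi32`, and a blank line between items.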
@@ -352,17 +264,6 @@ pub fn mm256_mul_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - r#" -include BitVec.Intrinsics {mm256_and_si256 as ${mm256_and_si256}} -val lemma_mm256_and_si256 lhs rhs - : Lemma ( vec256_as_i16x16 (mm256_and_si256 lhs rhs) - == Spec.Utils.map2 (&.) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs) - ) - [SMTPat (vec256_as_i16x16 (mm256_and_si256 lhs rhs))] -"# -)] #[inline(always)] pub fn mm256_and_si256(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() @@ -381,9 +282,6 @@ pub fn mm256_xor_si256(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (vec256_as_i16x16 $vector)"))] pub fn mm256_srai_epi16(vector: Vec256) -> Vec256 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16); unimplemented!() @@ -393,10 +291,6 @@ pub fn mm256_srai_epi32(vector: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_srli_epi16 as ${mm256_srli_epi16::<0>}}" -)] pub fn mm256_srli_epi16(vector: Vec256) -> Vec256 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16); unimplemented!() @@ -410,20 +304,11 @@ pub fn mm_srli_epi64(vector: Vec128) -> Vec128 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 64); unimplemented!() } - -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_srli_epi64 as ${mm256_srli_epi64::<0>}}" -)] pub fn mm256_srli_epi64(vector: Vec256) -> Vec256 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 64); unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_slli_epi16 as ${mm256_slli_epi16::<0>}}" -)] pub fn mm256_slli_epi16(vector: Vec256) -> Vec256 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16); unimplemented!() 
@@ -434,11 +319,9 @@ pub fn mm256_slli_epi32(vector: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_shuffle_epi8}")] pub fn mm_shuffle_epi8(vector: Vec128, control: Vec128) -> Vec128 { unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_shuffle_epi8}")] pub fn mm256_shuffle_epi8(vector: Vec256, control: Vec256) -> Vec256 { unimplemented!() } @@ -464,10 +347,6 @@ pub fn mm256_unpackhi_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_castsi256_si128 as ${mm256_castsi256_si128}}" -)] pub fn mm256_castsi256_si128(vector: Vec256) -> Vec128 { unimplemented!() } @@ -479,10 +358,6 @@ pub fn mm256_cvtepi16_epi32(vector: Vec128) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm_packs_epi16 as ${mm_packs_epi16}}" -)] pub fn mm_packs_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { unimplemented!() } @@ -490,10 +365,6 @@ pub fn mm256_packs_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_extracti128_si256 as ${mm256_extracti128_si256::<0>}}" -)] pub fn mm256_extracti128_si256(vector: Vec256) -> Vec128 { debug_assert!(CONTROL == 0 || CONTROL == 1); unimplemented!() 
@@ -523,21 +394,17 @@ pub fn vec256_blendv_epi32(a: Vec256, b: Vec256, mask: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm_movemask_epi8 as ${mm_movemask_epi8}}" -)] #[inline(always)] pub fn mm_movemask_epi8(vector: Vec128) -> i32 { unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_permutevar8x32_epi32}")] #[inline(always)] pub fn mm256_permutevar8x32_epi32(vector: Vec256, control: Vec256) -> Vec256 { unimplemented!() } +#[inline(always)] pub fn mm256_srlv_epi32(vector: Vec256, counts: Vec256) -> Vec256 { unimplemented!() } @@ -549,9 +416,6 @@ pub fn mm256_srlv_epi64(vector: Vec256, counts: Vec256) -> Vec256 { pub fn mm_sllv_epi32(vector: Vec128, counts: Vec128) -> Vec128 { unimplemented!() } - -#[inline(always)] -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_sllv_epi32}")] pub fn mm256_sllv_epi32(vector: Vec256, counts: Vec256) -> Vec256 { unimplemented!() } From 025679dcdaad98390b3571dba5bf90229d107fd5 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Tue, 29 Oct 2024 20:45:55 +0100 Subject: [PATCH 24/74] cleanup --- .../Libcrux_intrinsics.Avx2_extract.fst | 1214 ----------------- .../proofs/fstar/extraction/Makefile | 1 - 2 files changed, 1215 deletions(-) delete mode 100644 libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst delete mode 100644 libcrux-intrinsics/proofs/fstar/extraction/Makefile diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst deleted file mode 100644 index 167d0b324..000000000 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst +++ /dev/null 
@@ -1,1214 +0,0 @@ -module Libcrux_intrinsics.Avx2_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" -open Core -open FStar.Mul - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3091; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! 
\027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3091; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3091; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3091; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 
}; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_and_si256"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3580; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = 
[]} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3580; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3580; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3580; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { 
Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_castsi128_si256"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3681; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 
0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3681; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3681; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3681; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col 
= 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_extracti128_si256"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. 
Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 2293; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! 
\027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 2293; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 2293; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 2293; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 
}; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_madd_epi16"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 2613; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = 
[]} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 2613; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 2613; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 2613; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { 
Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_mullo_epi16"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3439; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 
}; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3439; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3439; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3439; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 
14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_slli_epi16"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. 
Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3378; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! 
\027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3378; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3378; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3378; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 
}; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_srli_epi16"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3719; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = 
[]} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3719; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3719; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3719; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { 
Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm_movemask_epi8"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3630; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; 
- { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3630; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3630; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3630; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; 
line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm_packs_epi16"); disambiguator = 0 - } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. 
Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 1423; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! 
\027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 1423; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 1423; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 1423; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 
}; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm_storeu_bytes_si128"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Makefile b/libcrux-intrinsics/proofs/fstar/extraction/Makefile deleted file mode 100644 index b4ce70a38..000000000 --- a/libcrux-intrinsics/proofs/fstar/extraction/Makefile +++ /dev/null @@ -1 +0,0 @@ -include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base From 95b46dfca4651aecb241050b3996d4c6b743dc65 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Tue, 29 Oct 2024 21:18:46 +0100 Subject: [PATCH 25/74] cleanup --- Cargo.lock | 1 + libcrux-ml-dsa/Cargo.toml | 3 +++ 2 files changed, 4 insertions(+) diff --git a/Cargo.lock b/Cargo.lock index 830df0dcd..60f52642b 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1051,6 +1051,7 @@ name = "libcrux-ml-dsa" version = "0.0.2-beta.2" dependencies = [ "criterion", + "hax-lib 0.1.0-pre.1", "hex", "libcrux-intrinsics", "libcrux-platform", diff --git a/libcrux-ml-dsa/Cargo.toml b/libcrux-ml-dsa/Cargo.toml index d451f7c23..3358b8678 100644 --- a/libcrux-ml-dsa/Cargo.toml +++ b/libcrux-ml-dsa/Cargo.toml 
@@ -20,6 +20,9 @@ libcrux-sha3 = { version = "0.0.2-beta.2", path = "../libcrux-sha3" } libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics" } libcrux-platform = { version = "0.0.2-beta.2", path = "../sys/platform" } +[target.'cfg(hax)'.dependencies] +hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" } + [dev-dependencies] rand = { version = "0.8" } hex = { version = "0.4.3", features = ["serde"] } From b9a51e863b4aefc79e59256c41b3a8414fbe490d Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Tue, 29 Oct 2024 22:19:25 +0100 Subject: [PATCH 26/74] make --- fstar-helpers/Makefile.base | 14 ++ fstar-helpers/Makefile.generic | 271 +++++++++++++++++++++++++++++++++ 2 files changed, 285 insertions(+) create mode 100644 fstar-helpers/Makefile.base create mode 100644 fstar-helpers/Makefile.generic diff --git a/fstar-helpers/Makefile.base b/fstar-helpers/Makefile.base new file mode 100644 index 000000000..b4e0d962b --- /dev/null +++ b/fstar-helpers/Makefile.base @@ -0,0 +1,14 @@ +# Base Makefile for F* in libcrux. +# This inherits from Makefile.generic, and adds the `specs` folder from HACL and the `libcrux-ml-kem/proofs/fstar/spec` folder. + +VERIFY_SLOW_MODULES ?= no +ifeq (${VERIFY_SLOW_MODULES},no) + ADMIT_MODULES += ${SLOW_MODULES} +endif + +EXTRA_HELPMESSAGE += printf "Libcrux specifics:\n"; +EXTRA_HELPMESSAGE += target SLOW_MODULES 'a list of modules to verify fully only when `VERIFY_SLOW_MODULES` is set to `yes`. When `VERIFY_SLOW_MODULES`, those modules are admitted.'; +EXTRA_HELPMESSAGE += target VERIFY_SLOW_MODULES '`yes` or `no`, defaults to `no`'; + +FSTAR_INCLUDE_DIRS_EXTRA += $(HACL_HOME)/specs $(shell git rev-parse --show-toplevel)/libcrux-ml-kem/proofs/fstar/spec $(shell git rev-parse --show-toplevel)/fstar-helpers/fstar-bitvec +include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.generic 
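Review bot: The new `[target.'cfg(hax)'.dependencies]` entry pulls `hax-lib` from git with neither `branch` nor `rev`, so the manifest floats to the repository's default branch at lock time, whereas the root `Cargo.toml` touched later in this series pins the same crate with `branch = "main"`. For a crate that feeds the proof toolchain the source should be reproducible and consistent across the workspace: `hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/", rev = "<HAX_COMMIT>" }` (or at minimum `branch = "main"` to match the root manifest), then regenerate `Cargo.lock`.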
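Review bot: With `VERIFY_SLOW_MODULES ?= no` as the default, every module in `SLOW_MODULES` is appended to `ADMIT_MODULES`, so a plain `make verify` reports success for modules whose SMT queries were never discharged, and nothing in the file header says so. The help entry also lost its condition: `When `VERIFY_SLOW_MODULES`, those modules are admitted.` should read `When `VERIFY_SLOW_MODULES` is `no` (the default), those modules are admitted.`. Add a comment above the `?=` line such as `# Default: SLOW_MODULES are ADMITTED (SMT queries assumed, not proven); set VERIFY_SLOW_MODULES=yes for a full verification run.` so that CI and reviewers know a green default build is not a complete proof.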
diff --git a/fstar-helpers/Makefile.generic b/fstar-helpers/Makefile.generic new file mode 100644 index 000000000..a7264458b --- /dev/null +++ b/fstar-helpers/Makefile.generic 
@@ -0,0 +1,271 @@ +# This is a generically useful Makefile for F* that is self-contained +# +# We expect: +# 1. `fstar.exe` to be in PATH (alternatively, you can also set +# $FSTAR_HOME to be set to your F* repo/install directory) +# +# 2. `cargo`, `rustup`, `hax` and `jq` to be installed and in PATH. +# +# 3. the extracted Cargo crate to have "hax-lib" as a dependency: +# `hax-lib = { version = "0.1.0-pre.1", git = "https://github.com/hacspec/hax"}` +# +# Optionally, you can set `HACL_HOME`. +# +# ROOTS contains all the top-level F* files you wish to verify +# The default target `verify` verified ROOTS and its dependencies +# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line +# +# To make F* emacs mode use the settings in this file, you need to +# add the following lines to your .emacs +# +# (setq-default fstar-executable "/bin/fstar.exe") +# (setq-default fstar-smt-executable "/bin/z3") +# +# (defun my-fstar-compute-prover-args-using-make () +# "Construct arguments to pass to F* by calling make." 
+# (with-demoted-errors "Error when constructing arg string: %S" +# (let* ((fname (file-name-nondirectory buffer-file-name)) +# (target (concat fname "-in")) +# (argstr (car (process-lines "make" "--quiet" target)))) +# (split-string argstr)))) +# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) +# + +PATH_TO_CHILD_MAKEFILE := "$(abspath $(firstword $(MAKEFILE_LIST)))" +PATH_TO_TEMPLATE_MAKEFILE := "$(abspath $(lastword $(MAKEFILE_LIST)))" + +HACL_HOME ?= $(HOME)/.hax/hacl_home +# Expand variable FSTAR_BIN_DETECT now, so that we don't run this over and over + +FSTAR_BIN_DETECT := $(if $(shell command -v fstar.exe), fstar.exe, $(FSTAR_HOME)/bin/fstar.exe) +FSTAR_BIN ?= $(FSTAR_BIN_DETECT) + +GIT_ROOT_DIR := $(shell git rev-parse --show-toplevel)/ +CACHE_DIR ?= ${GIT_ROOT_DIR}.fstar-cache/checked +HINT_DIR ?= ${GIT_ROOT_DIR}.fstar-cache/hints + +# Makes command quiet by default +Q ?= @ + +# Verify the required executable are in PATH +EXECUTABLES = cargo cargo-hax jq +K := $(foreach exec,$(EXECUTABLES),\ + $(if $(shell which $(exec)),some string,$(error "No $(exec) in PATH"))) + +export ANSI_COLOR_BLUE=\033[34m +export ANSI_COLOR_RED=\033[31m +export ANSI_COLOR_BBLUE=\033[1;34m +export ANSI_COLOR_GRAY=\033[90m +export ANSI_COLOR_TONE=\033[35m +export ANSI_COLOR_RESET=\033[0m + +ifdef NO_COLOR +export ANSI_COLOR_BLUE= +export ANSI_COLOR_RED= +export ANSI_COLOR_BBLUE= +export ANSI_COLOR_GRAY= +export ANSI_COLOR_TONE= +export ANSI_COLOR_RESET= +endif + +# The following is a bash script that discovers F* libraries. +# Due to incompatibilities with make 4.3, I had to make a "oneliner" bash script... +define FINDLIBS + : "Prints a path if and only if it exists. Takes one argument: the path."; \ + function print_if_exists() { \ + if [ -d "$$1" ]; then \ + echo "$$1"; \ + fi; \ + } ; \ + : "Asks Cargo all the dependencies for the current crate or workspace,"; \ + : "and extract all "root" directories for each. 
Takes zero argument."; \ + function dependencies() { \ + cargo metadata --format-version 1 | \ + jq -r ".packages | .[] | .manifest_path | split(\"/\") | .[:-1] | join(\"/\")"; \ + } ; \ + : "Find hax libraries *around* a given path. Takes one argument: the"; \ + : "path."; \ + function find_hax_libraries_at_path() { \ + path="$$1" ; \ + : "if there is a [proofs/fstar/extraction] subfolder, then that s a F* library" ; \ + print_if_exists "$$path/proofs/fstar/extraction" ; \ + : "Maybe the [proof-libs] folder of hax is around?" ; \ + MAYBE_PROOF_LIBS=$$(realpath -q "$$path/../proof-libs/fstar") ; \ + if [ $$? -eq 0 ]; then \ + print_if_exists "$$MAYBE_PROOF_LIBS/core" ; \ + print_if_exists "$$MAYBE_PROOF_LIBS/rust_primitives" ; \ + fi ; \ + } ; \ + { while IFS= read path; do \ + find_hax_libraries_at_path "$$path"; \ + done < <(dependencies) ; } | sort -u +endef +export FINDLIBS + +FSTAR_INCLUDE_DIRS_EXTRA ?= +FINDLIBS_OUTPUT := $(shell bash -c '${FINDLIBS}') +FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(FSTAR_INCLUDE_DIRS_EXTRA) $(FINDLIBS_OUTPUT) + +# Make sure FSTAR_INCLUDE_DIRS has the `proof-libs`, print hints and +# an error message otherwise +ifneq (,$(findstring proof-libs/fstar,$(FSTAR_INCLUDE_DIRS))) +else + K += $(info ) + ERROR := $(shell printf '${ANSI_COLOR_RED}Error: could not detect `proof-libs`!${ANSI_COLOR_RESET}') + K += $(info ${ERROR}) + ERROR := $(shell printf ' > Do you have `${ANSI_COLOR_BLUE}hax-lib${ANSI_COLOR_RESET}` in your `${ANSI_COLOR_BLUE}Cargo.toml${ANSI_COLOR_RESET}` as a ${ANSI_COLOR_BLUE}git${ANSI_COLOR_RESET} or ${ANSI_COLOR_BLUE}path${ANSI_COLOR_RESET} dependency?') + K += $(info ${ERROR}) + ERROR := $(shell printf ' ${ANSI_COLOR_BLUE}> Tip: you may want to run `cargo add --git https://github.com/hacspec/hax hax-lib`${ANSI_COLOR_RESET}') + K += $(info ${ERROR}) + K += $(info ) + K += $(error Fatal error: `proof-libs` is required.) 
+endif + +.PHONY: all verify clean + +all: + $(Q)rm -f .depend + $(Q)$(MAKE) .depend hax.fst.config.json verify + +all-keep-going: + $(Q)rm -f .depend + $(Q)$(MAKE) --keep-going .depend hax.fst.config.json verify + +# If $HACL_HOME doesn't exist, clone it +${HACL_HOME}: + $(Q)mkdir -p "${HACL_HOME}" + $(info Clonning Hacl* in ${HACL_HOME}...) + git clone --depth 1 https://github.com/hacl-star/hacl-star.git "${HACL_HOME}" + $(info Clonning Hacl* in ${HACL_HOME}... done!) + +# If no any F* file is detected, we run hax +ifeq "$(wildcard *.fst *fsti)" "" +$(shell cargo hax into fstar) +endif + +# By default, we process all the files in the current directory +ROOTS ?= $(wildcard *.fst *fsti) +ADMIT_MODULES ?= + +ADMIT_MODULE_FLAGS ?= --admit_smt_queries true + +# Can be useful for debugging purposes +FINDLIBS.sh: + $(Q)echo '${FINDLIBS}' > FINDLIBS.sh +include-dirs: + $(Q)bash -c '${FINDLIBS}' + +FSTAR_FLAGS = \ + --warn_error -321-331-241-274-239-271 \ + --cache_checked_modules --cache_dir $(CACHE_DIR) \ + --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ + $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) + +FSTAR := $(FSTAR_BIN) $(FSTAR_FLAGS) + +.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) $(HACL_HOME) + @$(FSTAR) --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ + +include .depend + +$(HINT_DIR) $(CACHE_DIR): + $(Q)mkdir -p $@ + +define HELPMESSAGE +echo "hax' default Makefile for F*" +echo "" +echo "The available targets are:" +echo "" +function target() { + printf ' ${ANSI_COLOR_BLUE}%-20b${ANSI_COLOR_RESET} %s\n' "$$1" "$$2" +} +target "all" "Verify every F* files (stops whenever an F* fails first)" +target "all-keep-going" "Verify every F* files (tries as many F* module as possible)" +target "" "" +target "run/${ANSI_COLOR_TONE} " 'Runs F* on `MyModule.fst` only' +target "" "" +target "vscode" 'Generates a `hax.fst.config.json` file' +target "${ANSI_COLOR_TONE}${ANSI_COLOR_BLUE}-in " 'Useful for Emacs, outputs the F* prefix command to be 
used' +target "" "" +target "clean" 'Cleanup the target' +target "include-dirs" 'List the F* include directories' +target "" "" +target "describe" 'List the F* root modules, and describe the environment.' +echo "" +echo "Variables:" +target "NO_COLOR" "Set to anything to disable colors" +target "ADMIT_MODULES" "List of modules where F* will assume every SMT query" +target "FSTAR_INCLUDE_DIRS_EXTRA" "List of extra include F* dirs" +${EXTRA_HELPMESSAGE} +endef +export HELPMESSAGE + +describe: + @printf '${ANSI_COLOR_BBLUE}F* roots:${ANSI_COLOR_RESET}\n' + @for root in ${ROOTS}; do \ + filename=$$(basename -- "$$root") ;\ + ext="$${filename##*.}" ;\ + noext="$${filename%.*}" ;\ + printf "${ANSI_COLOR_GRAY}$$(dirname -- "$$root")/${ANSI_COLOR_RESET}%s${ANSI_COLOR_GRAY}.${ANSI_COLOR_TONE}%s${ANSI_COLOR_RESET}%b\n" "$$noext" "$$ext" $$([[ "${ADMIT_MODULES}" =~ (^| )$$root($$| ) ]] && echo '${ANSI_COLOR_RED}\t[ADMITTED]${ANSI_COLOR_RESET}'); \ + done + @printf '\n${ANSI_COLOR_BBLUE}Environment:${ANSI_COLOR_RESET}\n' + @printf ' - ${ANSI_COLOR_BLUE}HACL_HOME${ANSI_COLOR_RESET} = %s\n' '${HACL_HOME}' + @printf ' - ${ANSI_COLOR_BLUE}FSTAR_BIN${ANSI_COLOR_RESET} = %s\n' '${FSTAR_BIN}' + @printf ' - ${ANSI_COLOR_BLUE}GIT_ROOT_DIR${ANSI_COLOR_RESET} = %s\n' '${GIT_ROOT_DIR}' + @printf ' - ${ANSI_COLOR_BLUE}CACHE_DIR${ANSI_COLOR_RESET} = %s\n' '${CACHE_DIR}' + @printf ' - ${ANSI_COLOR_BLUE}HINT_DIR${ANSI_COLOR_RESET} = %s\n' '${HINT_DIR}' + @printf ' - ${ANSI_COLOR_BLUE}ADMIT_MODULE_FLAGS${ANSI_COLOR_RESET} = %s\n' '${ADMIT_MODULE_FLAGS}' + @printf ' - ${ANSI_COLOR_BLUE}FSTAR_INCLUDE_DIRS_EXTRA${ANSI_COLOR_RESET} = %s\n' '${FSTAR_INCLUDE_DIRS_EXTRA}' + +help: ;@bash -c "$$HELPMESSAGE" +h: ;@bash -c "$$HELPMESSAGE" + +HEADER = $(Q)printf '${ANSI_COLOR_BBLUE}[CHECK] %s ${ANSI_COLOR_RESET}\n' "$(basename $(notdir $@))" + +run/%: | .depend $(HINT_DIR) $(CACHE_DIR) $(HACL_HOME) + ${HEADER} + $(Q)$(FSTAR) $(OTHERFLAGS) $(@:run/%=%) + +VERIFIED_CHECKED = $(addsuffix .checked, 
$(addprefix $(CACHE_DIR)/,$(ROOTS))) +ADMIT_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(ADMIT_MODULES))) + +$(ADMIT_CHECKED): + $(Q)printf '${ANSI_COLOR_BBLUE}[${ANSI_COLOR_TONE}ADMIT${ANSI_COLOR_BBLUE}] %s ${ANSI_COLOR_RESET}\n' "$(basename $(notdir $@))" + $(Q)$(FSTAR) $(OTHERFLAGS) $(ADMIT_MODULE_FLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints || { \ + echo "" ; \ + exit 1 ; \ + } + $(Q)printf "\n\n" + +$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) $(HACL_HOME) + ${HEADER} + $(Q)$(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints || { \ + echo "" ; \ + exit 1 ; \ + } + touch $@ + $(Q)printf "\n\n" + +verify: $(VERIFIED_CHECKED) $(ADMIT_CHECKED) + +# Targets for Emacs +%.fst-in: + $(info $(FSTAR_FLAGS) $(OTHERFLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) +%.fsti-in: + $(info $(FSTAR_FLAGS) $(OTHERFLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) + +# Targets for VSCode +hax.fst.config.json: .depend + $(Q)echo "$(FSTAR_INCLUDE_DIRS)" | jq --arg fstar "$(FSTAR_BIN)" -R 'split(" ") | {fstar_exe: $$fstar | gsub("^\\s+|\\s+$$";""), include_dirs: .}' > $@ +vscode: + $(Q)rm -f .depend + $(Q)$(MAKE) hax.fst.config.json + +SHELL=bash + +# Clean target +clean: + rm -rf $(CACHE_DIR)/* + rm *.fst From 164406317a216f60559fffd096b8b83cecc86fa7 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Tue, 29 Oct 2024 22:40:18 +0100 Subject: [PATCH 27/74] make --- fstar-helpers/Makefile.base | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fstar-helpers/Makefile.base b/fstar-helpers/Makefile.base index b4e0d962b..6eb4fc9cc 100644 --- a/fstar-helpers/Makefile.base +++ b/fstar-helpers/Makefile.base 
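Review bot: The `${HACL_HOME}` rule clones `hacl-star` with `git clone --depth 1 https://github.com/hacl-star/hacl-star.git "${HACL_HOME}"` at whatever the upstream default branch currently points to, so `$(HACL_HOME)/lib` and `$(HACL_HOME)/specs`, which every proof in this tree includes, are not reproducible and an upstream change (or compromise) silently changes what gets verified; pin it, e.g. `git clone --depth 1 --branch <HACL_TAG> https://github.com/hacl-star/hacl-star.git "${HACL_HOME}"`, and record the expected revision in the file. The `clean` target's `rm *.fst` deletes every `.fst` in the directory, including any hand-written proof that was not produced by extraction, while leaving `.fsti` files behind; restrict it to the generated modules or at least use `rm -f` on an explicit list. Both `$(wildcard *.fst *fsti)` occurrences (the `ifeq` guard and `ROOTS ?=`) are missing the dot in `*fsti`. Note also that `$(shell cargo hax into fstar)` runs extraction as a side effect of parsing the Makefile (even for `make help`) and discards its exit status, so a failed extraction is only noticed later as missing roots.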
@@ -1,5 +1,5 @@ # Base Makefile for F* in libcrux. -# This inherits from Makefile.generic, and adds the `specs` folder from HACL and the `libcrux-ml-kem/proofs/fstar/spec` folder. +# This inherits from Makefile.generic, and adds the `specs` folder from HACL. VERIFY_SLOW_MODULES ?= no ifeq (${VERIFY_SLOW_MODULES},no) @@ -10,5 +10,5 @@ EXTRA_HELPMESSAGE += printf "Libcrux specifics:\n"; EXTRA_HELPMESSAGE += target SLOW_MODULES 'a list of modules to verify fully only when `VERIFY_SLOW_MODULES` is set to `yes`. When `VERIFY_SLOW_MODULES`, those modules are admitted.'; EXTRA_HELPMESSAGE += target VERIFY_SLOW_MODULES '`yes` or `no`, defaults to `no`'; -FSTAR_INCLUDE_DIRS_EXTRA += $(HACL_HOME)/specs $(shell git rev-parse --show-toplevel)/libcrux-ml-kem/proofs/fstar/spec $(shell git rev-parse --show-toplevel)/fstar-helpers/fstar-bitvec +FSTAR_INCLUDE_DIRS_EXTRA += $(HACL_HOME)/specs $(shell git rev-parse --show-toplevel)/fstar-helpers/fstar-bitvec include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.generic From 72f04723d1b41b9722c0b547b96f8098b5f431f6 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Wed, 30 Oct 2024 08:44:43 +0100 Subject: [PATCH 28/74] removed fstar libs needed for ml-kem from this PR --- fstar-helpers/Makefile.base | 2 +- .../proofs/fstar/extraction/Libcrux_platform.Platform.fsti | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fstar-helpers/Makefile.base b/fstar-helpers/Makefile.base index 6eb4fc9cc..54c2552b1 100644 --- a/fstar-helpers/Makefile.base +++ b/fstar-helpers/Makefile.base 
@@ -10,5 +10,5 @@ EXTRA_HELPMESSAGE += printf "Libcrux specifics:\n"; EXTRA_HELPMESSAGE += target SLOW_MODULES 'a list of modules to verify fully only when `VERIFY_SLOW_MODULES` is set to `yes`. When `VERIFY_SLOW_MODULES`, those modules are admitted.'; EXTRA_HELPMESSAGE += target VERIFY_SLOW_MODULES '`yes` or `no`, defaults to `no`'; -FSTAR_INCLUDE_DIRS_EXTRA += $(HACL_HOME)/specs $(shell git rev-parse --show-toplevel)/fstar-helpers/fstar-bitvec +FSTAR_INCLUDE_DIRS_EXTRA += $(HACL_HOME)/specs include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.generic diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti index e8713dad5..95dad6932 100644 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti +++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti @@ -1,5 +1,5 @@ module Libcrux_platform.Platform -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open Core open FStar.Mul From 91cefaf3c494ad3e447e022b3e220e1abcab52fd Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Thu, 31 Oct 2024 11:29:00 +0100 Subject: [PATCH 29/74] resolved some comments --- Cargo.lock | 37 +++---------------- Cargo.toml | 2 +- libcrux-ml-dsa/src/hash_functions.rs | 28 -------------- .../src/simd/portable/arithmetic.rs | 1 + 4 files changed, 8 insertions(+), 60 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 60f52642b..e51145cce 100644 --- a/Cargo.lock +++ b/Cargo.lock 
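Review bot: `#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"` is hand-edited in a file under `proofs/fstar/extraction`, which this series regenerates via `cargo hax into fstar` (the new `Makefile.generic` runs it whenever no `.fst` is present), so the raised budget will presumably be reverted to the extractor's default on the next extraction; the same edit is made to `Libcrux_intrinsics.Arm64_extract.fsti` and `Libcrux_intrinsics.Avx2_extract.fsti` in PATCH 30/74. If the larger rlimit is needed, set it from the Rust side (a per-item F* options attribute, if the hax version in use supports it) or via `OTHERFLAGS` so it survives re-extraction, and say which proof needs it.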
@@ -702,9 +702,9 @@ dependencies = [ [[package]] name = "hax-lib" version = "0.1.0-alpha.1" -source = "git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions#cb6661c67a922e402efd35efe2f8a005ac25a167" +source = "git+https://github.com/hacspec/hax/?branch=main#d3313f9a7f928810cf1750e3f7702fdfdb9b011c" dependencies = [ - "hax-lib-macros 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions)", + "hax-lib-macros 0.1.0-alpha.1", "num-bigint", "num-traits", ] @@ -722,22 +722,9 @@ dependencies = [ [[package]] name = "hax-lib-macros" version = "0.1.0-alpha.1" -source = "git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions#cb6661c67a922e402efd35efe2f8a005ac25a167" +source = "git+https://github.com/hacspec/hax/?branch=main#001a27e20755b65d6a780243a125076fe90e6d0b" dependencies = [ - "hax-lib-macros-types 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions)", - "paste", - "proc-macro-error", - "proc-macro2", - "quote", - "syn 2.0.77", -] - -[[package]] -name = "hax-lib-macros" -version = "0.1.0-alpha.1" -source = "git+https://github.com/hacspec/hax?branch=main#001a27e20755b65d6a780243a125076fe90e6d0b" -dependencies = [ - "hax-lib-macros-types 0.1.0-alpha.1 (git+https://github.com/hacspec/hax?branch=main)", + "hax-lib-macros-types 0.1.0-alpha.1", "paste", "proc-macro-error", "proc-macro2", 
@@ -761,19 +748,7 @@ dependencies = [ [[package]] name = "hax-lib-macros-types" version = "0.1.0-alpha.1" -source = "git+https://github.com/hacspec/hax/?branch=fstar-proof-lib-small-additions#cb6661c67a922e402efd35efe2f8a005ac25a167" -dependencies = [ - "proc-macro2", - "quote", - "serde", - "serde_json", - "uuid", -] - -[[package]] -name = "hax-lib-macros-types" -version = "0.1.0-alpha.1" -source = "git+https://github.com/hacspec/hax?branch=main#001a27e20755b65d6a780243a125076fe90e6d0b" +source = "git+https://github.com/hacspec/hax/?branch=main#001a27e20755b65d6a780243a125076fe90e6d0b" dependencies = [ "proc-macro2", "quote", @@ -960,7 +935,7 @@ dependencies = [ "clap", "getrandom", "hax-lib 0.1.0-alpha.1", - "hax-lib-macros 0.1.0-alpha.1 (git+https://github.com/hacspec/hax?branch=main)", + "hax-lib-macros 0.1.0-alpha.1", "hex", "libcrux", "libcrux-ecdh", diff --git a/Cargo.toml b/Cargo.toml index 561c1ce67..3a558d856 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -79,7 +79,7 @@ getrandom = { version = "0.2", features = ["js"], optional = true } # This is only required when doing proofs. [target.'cfg(hax)'.dependencies] hax-lib-macros = { git = "https://github.com/hacspec/hax", branch = "main" } -hax-lib = { git = "https://github.com/hacspec/hax/", branch = "fstar-proof-lib-small-additions" } +hax-lib = { git = "https://github.com/hacspec/hax/", branch = "main" } [dev-dependencies] libcrux = { path = ".", features = ["rand", "tests"] } diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs index aa3cc1ab5..2d4864f3f 100644 --- a/libcrux-ml-dsa/src/hash_functions.rs +++ b/libcrux-ml-dsa/src/hash_functions.rs 
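Review bot: `hax-lib` and `hax-lib-macros` both track `branch = "main"` of the same repository, yet the `Cargo.lock` hunk in this commit resolves them to different commits (`d3313f9a…` for `hax-lib`, `001a27e2…` for `hax-lib-macros` and `hax-lib-macros-types`), and the two `git` URLs still differ by a trailing slash (`hacspec/hax` vs `hacspec/hax/`), which is presumably why Cargo resolved them separately. The proof library and its macros should move together; use one URL spelling and one pinned revision for both, e.g. `hax-lib-macros = { git = "https://github.com/hacspec/hax/", rev = "<HAX_COMMIT>" }` and `hax-lib = { git = "https://github.com/hacspec/hax/", rev = "<HAX_COMMIT>" }`.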
@@ -459,37 +459,9 @@ pub(crate) mod simd256 { } } - // TODO: Shake256 is only portable for now. If we don't want to change that, - // we should use the portable Xof impelmentation above. - /// AVX2 SHAKE 256 state pub(crate) type Shake256 = super::portable::Shake256; - // impl shake256::Xof for Shake256 { - // fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { - // portable::shake256(out, input); - // } - - // fn init_absorb(input: &[u8]) -> Self { - // let mut state = portable::incremental::shake256_init(); - // portable::incremental::shake256_absorb_final(&mut state, input); - - // Self { state } - // } - - // fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { - // let mut out = [0u8; shake256::BLOCK_SIZE]; - // portable::incremental::shake256_squeeze_first_block(&mut self.state, &mut out); - // out - // } - - // fn squeeze_next_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { - // let mut out = [0u8; shake256::BLOCK_SIZE]; - // portable::incremental::shake256_squeeze_next_block(&mut self.state, &mut out); - // out - // } - // } - /// AVX2 SHAKE 256 x4 state. #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256x4 { diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index a24847132..51e009243 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs @@ -99,6 +99,7 @@ pub(crate) fn montgomery_multiply( // to the standard unsigned range. #[inline(always)] fn power2round_element(t: i32) -> (i32, i32) { + // Hax issue: https://github.com/hacspec/hax/issues/1082 debug_assert!(t > -FIELD_MODULUS && t < FIELD_MODULUS); // Convert the signed representative to the standard unsigned one. From bc2b3adddd8437f62bde041e7ed9421207abce9b Mon Sep 17 00:00:00 2001 
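Review bot: The added comment `// Hax issue: https://github.com/hacspec/hax/issues/1082` names an issue but not what it affects, so a reader cannot tell whether the `debug_assert!` below is what hax cannot handle or whether the line is a workaround for the extractor. State it explicitly, e.g. `// Hax issue #1082 (https://github.com/hacspec/hax/issues/1082): <what the extractor cannot yet handle on the next line>`. `power2round_element` continues outside the hunk.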
From: Karthikeyan Bhargavan Date: Thu, 31 Oct 2024 12:11:08 +0100 Subject: [PATCH 30/74] restored error prop --- .../Libcrux_intrinsics.Arm64_extract.fsti | 2 +- .../Libcrux_intrinsics.Avx2_extract.fsti | 2 +- .../Libcrux_ml_dsa.Ml_dsa_generic.fst | 15 +- .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst | 311 +++++--------- .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti | 43 +- ...x_ml_dsa.Simd.Avx2.Encoding.Commitment.fst | 50 +-- ..._ml_dsa.Simd.Avx2.Encoding.Commitment.fsti | 2 +- ...ibcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst | 98 ++--- ...bcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti | 18 +- ...bcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst | 108 ++--- ...crux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti | 16 +- .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst | 68 ++- .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti | 9 +- .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst | 50 +-- .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti | 6 +- .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fst | 397 ++++++------------ .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti | 71 +--- ...md.Avx2.Rejection_sample.Less_than_eta.fst | 50 +-- ...d.Avx2.Rejection_sample.Less_than_eta.fsti | 4 +- ...jection_sample.Less_than_field_modulus.fst | 34 +- ...ection_sample.Less_than_field_modulus.fsti | 2 +- .../Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst | 12 +- .../Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti | 15 +- .../extraction/Libcrux_ml_dsa.Simd.Avx2.fsti | 90 ++-- libcrux-ml-dsa/src/ml_dsa_generic.rs | 203 +++++---- 25 files changed, 625 insertions(+), 1051 deletions(-) diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti index a03c287ec..d4014e6a8 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti 
@@ -1,5 +1,5 @@ module Libcrux_intrinsics.Arm64_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open Core open FStar.Mul diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti index 5ac496e48..8e2571881 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti @@ -1,5 +1,5 @@ module Libcrux_intrinsics.Avx2_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open Core open FStar.Mul diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst index e598421e9..21e45577e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst @@ -33,14 +33,6 @@ let derive_message_representative Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake ((let list = [ - cast (Core.Option.impl__is_some #(t_Array u8 (sz 11)) - (Libcrux_ml_dsa.Pre_hash.impl_1__pre_hash_oid domain_separation_context - <: - Core.Option.t_Option (t_Array u8 (sz 11))) - <: - bool) - <: - u8 ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); 
@@ -604,10 +596,9 @@ let sign_pre_hashed (Core.Option.Option_Some d <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - | Core.Result.Result_Err (Libcrux_ml_dsa.Pre_hash.DomainSeparationError_ContextTooLongError ) -> - Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) - <: + | Core.Result.Result_Err (err) -> + Core.Result.Result_Err (Core.Convert.f_from err) + <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst index 3dd67c65e..6c88f5ff3 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst 
@@ -3,30 +3,27 @@ module Libcrux_ml_dsa.Simd.Avx2.Arithmetic open Core open FStar.Mul -let add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 lhs rhs +let add (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 lhs rhs -let compute_hint (v_GAMMA2: i32) (low high: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_GAMMA2 - in - let minus_gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let compute_hint (v_GAMMA2: i32) (low high: u8) = + let gamma2:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_GAMMA2 in + let minus_gamma2:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) in - let low_within_bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let low_within_bound:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 low <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) gamma2 in - let low_equals_minus_gamma2:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let low_equals_minus_gamma2:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cmpeq_epi32 low minus_gamma2 in - let low_equals_minus_gamma2_and_high_is_nonzero:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let low_equals_minus_gamma2_and_high_is_nonzero:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sign_epi32 low_equals_minus_gamma2 high in - let hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let hints:u8 = Libcrux_intrinsics.Avx2_extract.mm256_or_si256 low_within_bound low_equals_minus_gamma2_and_high_is_nonzero in 
@@ -38,19 +35,14 @@ let compute_hint (v_GAMMA2: i32) (low high: Libcrux_intrinsics.Avx2_extract.t_Ve in (cast (Core.Num.impl__i32__count_ones hints_mask <: u32) <: usize), Libcrux_intrinsics.Avx2_extract.mm256_and_si256 hints - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1l <: Libcrux_intrinsics.Avx2_extract.t_Vec256 - ) + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1l <: u8) <: - (usize & Libcrux_intrinsics.Avx2_extract.t_Vec256) + (usize & u8) -let infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32) = - let absolute_values:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 simd_unit - in - let bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (bound -! 1l <: i32) - in - let compare_with_bound:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let infinity_norm_exceeds (simd_unit: u8) (bound: i32) = + let absolute_values:u8 = Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 simd_unit in + let bound:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (bound -! 1l <: i32) in + let compare_with_bound:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 absolute_values bound in let result:i32 = 
@@ -58,45 +50,36 @@ let infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) in if result =. 1l then false else true -let subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 lhs rhs +let subtract (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 lhs rhs -let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 v_SHIFT_BY simd_unit - in - let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: u8) = + let shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 v_SHIFT_BY simd_unit in + let quotient:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 shifted - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let result:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 ceil_of_r_by_128_ - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 11275l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 11275l <: u8) in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let result:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 result - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let result:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 ceil_of_r_by_128_ - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1025l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1025l <: u8) in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let result:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 result - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < Rust_primitives.Hax.never_to_any 
(Core.Panicking.panic "internal error: entered unreachable code" <: Rust_primitives.Hax.t_Never) in - let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let r0:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 r1 - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_ALPHA - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_ALPHA <: u8) in - let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r r0 - in - let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 field_modulus_halved r0 - in - let mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l mask - in - let field_modulus_and_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let r0:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r r0 in + let mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 field_modulus_halved r0 in + let mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l mask in + let field_modulus_and_mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_and_si256 mask (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let r0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r0 field_modulus_and_mask + u8) in - r0, r1 <: (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + let r0:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r0 field_modulus_and_mask in + r0, r1 <: (u8 & u8) -let use_hint (v_GAMMA2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let r0, r1:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) = - decompose v_GAMMA2 r - in - let all_zeros:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () - in - let 
negate_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 all_zeros hint r0 - in - let negate_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 1l negate_hints - in - let hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 hint negate_hints - in - let r1_plus_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 r1 hints - in +let use_hint (v_GAMMA2: i32) (r hint: u8) = + let r0, r1:(u8 & u8) = decompose v_GAMMA2 r in + let all_zeros:u8 = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () in + let negate_hints:u8 = Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 all_zeros hint r0 in + let negate_hints:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 1l negate_hints in + let hints:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 hint negate_hints in + let r1_plus_hints:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 r1 hints in match v_GAMMA2 with | 95232l -> - let max:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 43l - in - let r1_plus_hints:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let max:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 43l in + let r1_plus_hints:u8 = Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints max r1_plus_hints in - let greater_than_or_equal_to_max:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let greater_than_or_equal_to_max:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 r1_plus_hints max in Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints 
@@ -356,9 +259,7 @@ let use_hint (v_GAMMA2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) greater_than_or_equal_to_max | 261888l -> Libcrux_intrinsics.Avx2_extract.mm256_and_si256 r1_plus_hints - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l <: u8) | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti index a8ec4e3d7..e11e02fab 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti 
@@ -3,43 +3,28 @@ module Libcrux_ml_dsa.Simd.Avx2.Arithmetic open Core open FStar.Mul -val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val add (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val compute_hint (v_GAMMA2: i32) (low high: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (usize & Libcrux_intrinsics.Avx2_extract.t_Vec256) - Prims.l_True - (fun _ -> Prims.l_True) +val compute_hint (v_GAMMA2: i32) (low high: u8) + : Prims.Pure (usize & u8) Prims.l_True (fun _ -> Prims.l_True) -val infinity_norm_exceeds (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (bound: i32) +val infinity_norm_exceeds (simd_unit: u8) (bound: i32) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) -val subtract (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val subtract (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val to_unsigned_representatives (t: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val to_unsigned_representatives (t: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val power2round (r: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) - Prims.l_True - (fun _ -> Prims.l_True) +val power2round (r: u8) : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply (lhs rhs: 
Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val montgomery_multiply (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply_by_constant (lhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i32) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val montgomery_multiply_by_constant (lhs: u8) (constant: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val decompose (v_GAMMA2: i32) (r: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) - Prims.l_True - (fun _ -> Prims.l_True) +val decompose (v_GAMMA2: i32) (r: u8) : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) -val use_hint (v_GAMMA2: i32) (r hint: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val use_hint (v_GAMMA2: i32) (r hint: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst index 5f1406970..fba456933 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst 
@@ -3,34 +3,30 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment open Core open FStar.Mul -let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = +let serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) = let serialized:t_Array u8 (sz 19) = Rust_primitives.Hax.repeat 0uy (sz 19) in match cast (v_OUTPUT_SIZE <: usize) <: u8 with | 4uy -> - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_2_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 28l 0l 28l 0l 28l 0l 28l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 28l 0l 28l 0l 28l 0l 28l <: u8) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_2_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 28l adjacent_2_combined in - let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_4_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 2l 4l 0l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 2l 4l 0l <: u8) in - let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let adjacent_4_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined in - let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let adjacent_4_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 adjacent_4_combined (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 240uy 240uy 240uy 240uy 240uy 240uy 240uy 240uy 240uy 240uy 240uy 240uy 12uy 4uy 8uy 0uy <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) + u8) in let serialized:t_Array u8 (sz 19) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized 
@@ -62,39 +58,33 @@ let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract <: Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) | 6uy -> - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_2_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 26l 0l 26l 0l 26l 0l 26l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 26l 0l 26l 0l 26l 0l 26l <: u8) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_2_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 26l adjacent_2_combined in - let adjacent_3_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_3_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let adjacent_3_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_3_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 adjacent_3_combined (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 1s 1s 1s 1s 1s 1s 1s (1s < Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst index a8ea63851..be78d6aba 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst 
@@ -12,7 +12,7 @@ let deserialize_to_unsigned_when_eta_is_2_ (bytes: t_Slice u8) = in () in - let bytes_in_simd_unit:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let bytes_in_simd_unit:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (cast (bytes.[ sz 2 ] <: u8) <: i32) (cast (bytes.[ sz 2 ] <: u8) <: i32) (((cast (bytes.[ sz 2 ] <: u8) <: i32) < serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit | 4uy -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti index 11a0e04cf..45782f6dc 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti 
@@ -12,26 +12,22 @@ let serialize_when_eta_is_2___ETA: i32 = 2l let serialize_when_eta_is_4___ETA: i32 = 4l val deserialize_to_unsigned_when_eta_is_2_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) val deserialize_to_unsigned_when_eta_is_4_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) val deserialize_to_unsigned (v_ETA: usize) (serialized: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) val deserialize (v_ETA: usize) (serialized: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val serialize_when_eta_is_2_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) +val serialize_when_eta_is_2_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) -val serialize_when_eta_is_4_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) +val serialize_when_eta_is_4_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) -val serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) +val serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst index c7012e6cb..929fa141e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst @@ -12,7 +12,7 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = in () in - let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let serialized_lower:u8 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 @@ -22,7 +22,7 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = <: t_Slice u8) in - let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let serialized_upper:u8 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { Core.Ops.Range.f_start = sz 2; Core.Ops.Range.f_end = sz 18 
@@ -32,33 +32,31 @@ let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = <: t_Slice u8) in - let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let serialized:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 11y 10y 9y (-1y) 9y 8y 7y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) 4y 3y 2y (-1y) 2y 1y 0y <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l <: u8) in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_17___GAMMA1_TIMES_2_MASK <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_17___GAMMA1 <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) coefficients let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = @@ -70,7 +68,7 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = in () in - let serialized_lower:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let serialized_lower:u8 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 
@@ -80,7 +78,7 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = <: t_Slice u8) in - let serialized_upper:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let serialized_upper:u8 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { Core.Ops.Range.f_start = sz 4; Core.Ops.Range.f_end = sz 20 @@ -90,33 +88,31 @@ let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = <: t_Slice u8) in - let serialized:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let serialized:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 10y 9y 8y (-1y) 8y 7y 6y (-1y) 9y 8y 7y (-1y) 7y 6y 5y (-1y) 4y 3y 2y (-1y) 2y 1y 0y <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 4l 0l 4l 0l 4l 0l 4l 0l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 4l 0l 4l 0l 4l 0l 4l 0l <: u8) in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_19___GAMMA1_TIMES_2_MASK <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_19___GAMMA1 <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) coefficients let deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) = 
@@ -129,45 +125,36 @@ let deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) = <: Rust_primitives.Hax.t_Never) -let serialize_when_gamma1_is_2_pow_17_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - = +let serialize_when_gamma1_is_2_pow_17_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let simd_unit_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let simd_unit_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 serialize_when_gamma1_is_2_pow_17___GAMMA1 <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) simd_unit in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_2_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 14l 0l 14l 0l 14l 0l 14l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 14l 0l 14l 0l 14l 0l 14l <: u8) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_2_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 14l adjacent_2_combined in - let every_second_element:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let every_second_element:u8 = Libcrux_intrinsics.Avx2_extract.mm256_bsrli_epi128 8l adjacent_2_combined in - let every_second_element_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let every_second_element_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi64 36l every_second_element in - let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_4_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi64 adjacent_2_combined every_second_element_shifted in - let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_4_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi64 
adjacent_4_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x 28L 0L 28L 0L - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let lower_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x 28L 0L 28L 0L <: u8) in + let lower_4_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined in let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } @@ -185,7 +172,7 @@ let serialize_when_gamma1_is_2_pow_17_ <: t_Slice u8) in - let upper_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_4_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined in let serialized:t_Array u8 (sz 32) = 
@@ -218,38 +205,31 @@ let serialize_when_gamma1_is_2_pow_17_ <: Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) -let serialize_when_gamma1_is_2_pow_19_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - = +let serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let simd_unit_shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let simd_unit_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 serialize_when_gamma1_is_2_pow_19___GAMMA1 <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) simd_unit in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_2_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l <: u8) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_2_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_2_combined in - let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_4_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y 10y 9y 8y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y 10y 9y 8y 4y 3y 2y 1y 0y <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let lower_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined + u8) in + let lower_4_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined in let serialized:t_Array u8 (sz 32) = 
Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } @@ -267,7 +247,7 @@ let serialize_when_gamma1_is_2_pow_19_ <: t_Slice u8) in - let upper_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_4_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined in let serialized:t_Array u8 (sz 32) = @@ -300,7 +280,7 @@ let serialize_when_gamma1_is_2_pow_19_ <: Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) -let serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = +let serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) = match cast (v_OUTPUT_SIZE <: usize) <: u8 with | 18uy -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit | 20uy -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti index 09917efd7..655c1c899 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti 
@@ -18,23 +18,19 @@ let serialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val serialize_when_gamma1_is_2_pow_17_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) +val serialize_when_gamma1_is_2_pow_17_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) -val serialize_when_gamma1_is_2_pow_19_ - (v_OUTPUT_SIZE: usize) - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) +val serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) -val serialize (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) +val serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst index cf9feff51..f60e7085a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst 
@@ -3,8 +3,8 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.T0 open Core open FStar.Mul -let change_interval (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let interval_end:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let change_interval (simd_unit: u8) = + let interval_end:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < Prims.l_True) +val change_interval (simd_unit: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) +val deserialize (serialized: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 13)) Prims.l_True (fun _ -> Prims.l_True) +val serialize (simd_unit: u8) : Prims.Pure (t_Array u8 (sz 13)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst index 5c03793af..c2206218a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst 
@@ -3,35 +3,27 @@ module Libcrux_ml_dsa.Simd.Avx2.Encoding.T1 open Core open FStar.Mul -let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = +let serialize (simd_unit: u8) = let serialized:t_Array u8 (sz 24) = Rust_primitives.Hax.repeat 0uy (sz 24) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_2_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 22l 0l 22l 0l 22l 0l 22l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 22l 0l 22l 0l 22l 0l 22l <: u8) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_2_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 22l adjacent_2_combined in - let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_4_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 6l 4l 0l 0l 2l 0l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 6l 4l 0l 0l 2l 0l <: u8) in - let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_4_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_4_combined - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l <: u8) in - let adjacent_4_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let adjacent_4_combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_4_combined in - let lower_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined - in + let lower_4_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 
adjacent_4_combined in let serialized:t_Array u8 (sz 24) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } @@ -49,7 +41,7 @@ let serialize (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: t_Slice u8) in - let upper_4_:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_4_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined in let serialized:t_Array u8 (sz 24) = 
@@ -108,27 +100,21 @@ let deserialize (bytes: t_Slice u8) = <: t_Slice u8) in - let bytes_loaded:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let bytes_loaded:u8 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes_extended <: t_Slice u8) in - let bytes_loaded:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_m128i bytes_loaded bytes_loaded - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let bytes_loaded:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_m128i bytes_loaded bytes_loaded in + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 bytes_loaded (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 9y 8y (-1y) (-1y) 8y 7y (-1y) (-1y) 7y 6y (-1y) (-1y) 6y 5y (-1y) (-1y) 4y 3y (-1y) (-1y) 3y 2y (-1y) (-1y) 2y 1y (-1y) (-1y) 1y 0y <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l <: u8) in Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK <: u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti index 53c46df38..7999a014d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti 
@@ -5,8 +5,6 @@ open FStar.Mul let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) +val serialize (simd_unit: u8) : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) -val deserialize (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val deserialize (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst index 73a72549a..0e6daf656 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst 
@@ -3,23 +3,14 @@ module Libcrux_ml_dsa.Simd.Avx2.Ntt open Core open FStar.Mul -let butterfly_2_ - (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) - = - let a_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a - in - let b_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b - in - let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a_shuffled b_shuffled - in - let zeta_multiplicands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let butterfly_2_ (a b: u8) (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) = + let a_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a in + let b_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b in + let summands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a_shuffled b_shuffled in + let zeta_multiplicands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a_shuffled b_shuffled in - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let zetas:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta_b3 zeta_b2 zeta_a3 
@@ -29,42 +20,25 @@ let butterfly_2_ zeta_a1 zeta_a0 in - let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let zeta_products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas in - let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products - in - let sub_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products - in - let a_terms_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let add_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products in + let sub_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products in + let a_terms_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms in - let b_terms_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let b_terms_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms in - let a_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_terms_shuffled - in - let b_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b_terms_shuffled - in - a_out, b_out - <: - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + let a_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_terms_shuffled in + let b_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b_terms_shuffled in + a_out, b_out <: (u8 & u8) -let butterfly_4_ - (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) - = - let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a b - in - let zeta_multiplicands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a b - in - let 
zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let butterfly_4_ (a b: u8) (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) = + let summands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a b in + let zeta_multiplicands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a b in + let zetas:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta_b1 zeta_b1 zeta_a1 
@@ -74,151 +48,91 @@ let butterfly_4_ zeta_a0 zeta_a0 in - let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let zeta_products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas in - let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products - in - let sub_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products - in - let a_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms - in - let b_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms - in - a_out, b_out - <: - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + let add_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products in + let sub_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products in + let a_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms in + let b_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms in + a_out, b_out <: (u8 & u8) -let butterfly_8_ (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) = - let summands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let butterfly_8_ (a b: u8) (zeta0 zeta1: i32) = + let summands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 b <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 a - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 a <: u8) in - let zeta_multiplicands:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l b a - in - let 
zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let zeta_multiplicands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l b a in + let zetas:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 zeta1 zeta1 zeta0 zeta0 zeta0 zeta0 in - let zeta_products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let zeta_products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas in - let add_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products - in - let sub_terms:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products - in - let a_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let add_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products in + let sub_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products in + let a_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 sub_terms <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 add_terms - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let b_out:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l sub_terms add_terms + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 add_terms <: u8) in - a_out, b_out - <: - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) + let b_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l sub_terms add_terms in + a_out, b_out <: (u8 & u8) -let invert_ntt_at_layer_0_ - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i32) - = - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let invert_ntt_at_layer_0_ (simd_unit: u8) (zeta0 zeta1 zeta2 zeta3: i32) = + let zetas:u8 = 
Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta3 0l zeta2 0l zeta1 0l zeta0 0l in - let add_by_signs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let add_by_signs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (-1l) 1l (-1l) 1l (-1l) 1l (-1l) 1l in - let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 177l simd_unit - in - let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs - in - let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 simd_unit add_by - in - let products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas - in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 177l simd_unit in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs in + let sums:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 simd_unit add_by in + let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l sums products -let invert_ntt_at_layer_1_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) = - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let invert_ntt_at_layer_1_ (simd_unit: u8) (zeta0 zeta1: i32) = + let zetas:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 0l 0l zeta0 zeta0 0l 0l in - let add_by_signs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let add_by_signs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (-1l) (-1l) 1l 1l (-1l) (-1l) 1l 1l in - let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 78l simd_unit - in - let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs - in - let 
sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 simd_unit add_by - in - let products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas - in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 78l simd_unit in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs in + let sums:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 simd_unit add_by in + let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 204l sums products -let invert_ntt_at_layer_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i32) = - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta zeta zeta zeta 0l 0l 0l 0l - in - let add_by_signs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32) = + let zetas:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta zeta zeta zeta 0l 0l 0l 0l in + let add_by_signs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (-1l) (-1l) (-1l) (-1l) 1l 1l 1l 1l in - let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 78l simd_unit - in - let add_by:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs - in - let sums:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 simd_unit add_by - in - let products:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas - in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 78l simd_unit in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs in + let sums:u8 = 
Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 simd_unit add_by in + let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 240l sums products -let ntt_at_layer_3_plus - (v_LAYER zeta_i: usize) - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - = +let ntt_at_layer_3_plus (v_LAYER zeta_i: usize) (re: t_Array u8 (sz 32)) = let step:usize = sz 1 <>! v_LAYER <: usize) (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = - temp_0_ - in + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in let _:usize = temp_1_ in true) - (re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) + (re, zeta_i <: (t_Array u8 (sz 32) & usize)) (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = - temp_0_ - in + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in let round:usize = round in let zeta_i:usize = zeta_i +! sz 1 in let offset:usize = 
@@ -226,78 +140,59 @@ let ntt_at_layer_3_plus Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Folds.fold_range offset (offset +! step_by <: usize) (fun re temp_1_ -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in + let re:t_Array u8 (sz 32) = re in let _:usize = temp_1_ in true) re (fun re j -> - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = re in + let re:t_Array u8 (sz 32) = re in let j:usize = j in - let t:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let t:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant (re.[ j +! step_by <: usize ] <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (j +! 
step_by <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - t - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - t - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) in re) in - re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) + re, zeta_i <: (t_Array u8 (sz 32) & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in - zeta_i, re <: (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + zeta_i, re <: (usize & t_Array u8 (sz 32)) -let ntt_at_layer_0_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = +let ntt_at_layer_0_ (zeta_i: usize) (re: t_Array u8 (sz 32)) = let zeta_i:usize = zeta_i +! 
sz 1 in - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = + let re, zeta_i:(t_Array u8 (sz 32) & usize) = Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) - (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256 - (re <: t_Slice Libcrux_intrinsics.Avx2_extract.t_Vec256) - <: - usize) + (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize) (sz 2) (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = - temp_0_ - in + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in let _:usize = temp_1_ in true) - (re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) + (re, zeta_i <: (t_Array u8 (sz 32) & usize)) (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = - temp_0_ - in + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in let round:usize = round in - let a, b:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & - Libcrux_intrinsics.Avx2_extract.t_Vec256) = - butterfly_2_ (re.[ round ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ round +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + let a, b:(u8 & u8) = + butterfly_2_ (re.[ round ] <: u8) (re.[ round +! sz 1 <: usize ] <: u8) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] <: 
@@ -321,45 +216,37 @@ let ntt_at_layer_0_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract <: i32) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (round +! sz 1 <: usize) b in let zeta_i:usize = zeta_i +! sz 8 in - re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) + re, zeta_i <: (t_Array u8 (sz 32) & usize)) in let zeta_i:usize = zeta_i -! sz 1 in - zeta_i, re <: (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + zeta_i, re <: (usize & t_Array u8 (sz 32)) -let ntt_at_layer_1_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = +let ntt_at_layer_1_ (zeta_i: usize) (re: t_Array u8 (sz 32)) = let zeta_i:usize = zeta_i +! 
sz 1 in - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = + let re, zeta_i:(t_Array u8 (sz 32) & usize) = Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) - (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256 - (re <: t_Slice Libcrux_intrinsics.Avx2_extract.t_Vec256) - <: - usize) + (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize) (sz 2) (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = - temp_0_ - in + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in let _:usize = temp_1_ in true) - (re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) + (re, zeta_i <: (t_Array u8 (sz 32) & usize)) (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = - temp_0_ - in + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in let round:usize = round in - let a, b:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & - Libcrux_intrinsics.Avx2_extract.t_Vec256) = - butterfly_4_ (re.[ round ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ round +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + let a, b:(u8 & u8) = + butterfly_4_ (re.[ round ] <: u8) + (re.[ round +! sz 1 <: usize ] <: u8) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] <: 
@@ -371,112 +258,88 @@ let ntt_at_layer_1_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract <: i32) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (round +! sz 1 <: usize) b in let zeta_i:usize = zeta_i +! sz 4 in - re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) + re, zeta_i <: (t_Array u8 (sz 32) & usize)) in let zeta_i:usize = zeta_i -! sz 1 in - zeta_i, re <: (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + zeta_i, re <: (usize & t_Array u8 (sz 32)) -let ntt_at_layer_2_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = +let ntt_at_layer_2_ (zeta_i: usize) (re: t_Array u8 (sz 32)) = + let re, zeta_i:(t_Array u8 (sz 32) & usize) = Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) - (Core.Slice.impl__len #Libcrux_intrinsics.Avx2_extract.t_Vec256 - (re <: t_Slice Libcrux_intrinsics.Avx2_extract.t_Vec256) - <: - usize) + (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize) (sz 2) (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = - temp_0_ - in + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in let _:usize = temp_1_ in true) - (re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) + (re, zeta_i <: (t_Array u8 (sz 32) & usize)) (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize) = - temp_0_ - in + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in let round:usize = round in let zeta_i:usize = zeta_i +! 
sz 1 in - let a, b:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & - Libcrux_intrinsics.Avx2_extract.t_Vec256) = - butterfly_8_ (re.[ round ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (re.[ round +! sz 1 <: usize ] <: Libcrux_intrinsics.Avx2_extract.t_Vec256) + let a, b:(u8 & u8) = + butterfly_8_ (re.[ round ] <: u8) + (re.[ round +! sz 1 <: usize ] <: u8) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] <: i32) in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (round +! sz 1 <: usize) b in let zeta_i:usize = zeta_i +! sz 1 in - re, zeta_i <: (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) & usize)) + re, zeta_i <: (t_Array u8 (sz 32) & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in - zeta_i, re <: (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + zeta_i, re <: (usize & t_Array u8 (sz 32)) -let ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = +let ntt (re: t_Array u8 (sz 32)) = let zeta_i:usize = sz 0 in - let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - ntt_at_layer_3_plus (sz 7) zeta_i re - in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 7) zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in + let re:t_Array u8 (sz 32) = tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - ntt_at_layer_3_plus (sz 6) zeta_i re - in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 6) zeta_i re in let zeta_i:usize = 
tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in + let re:t_Array u8 (sz 32) = tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - ntt_at_layer_3_plus (sz 5) zeta_i re - in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 5) zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in + let re:t_Array u8 (sz 32) = tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - ntt_at_layer_3_plus (sz 4) zeta_i re - in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 4) zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in + let re:t_Array u8 (sz 32) = tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - ntt_at_layer_3_plus (sz 3) zeta_i re - in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 3) zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in + let re:t_Array u8 (sz 32) = tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - ntt_at_layer_2_ zeta_i re - in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_2_ zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in + let re:t_Array u8 (sz 32) = tmp1 in let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - ntt_at_layer_1_ zeta_i re - in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_1_ zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in + let re:t_Array u8 (sz 32) = tmp1 in 
let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) = - ntt_at_layer_0_ zeta_i re - in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_0_ zeta_i re in let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = tmp1 in + let re:t_Array u8 (sz 32) = tmp1 in let _:Prims.unit = () in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti index b258ca10c..2b4b65ff5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti 
@@ -5,62 +5,35 @@ open FStar.Mul let butterfly_2___SHUFFLE: i32 = 216l -val butterfly_2_ - (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) - : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) - Prims.l_True - (fun _ -> Prims.l_True) +val butterfly_2_ (a b: u8) (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) + : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) -val butterfly_4_ - (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) - : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) - Prims.l_True - (fun _ -> Prims.l_True) +val butterfly_4_ (a b: u8) (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) + : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) -val butterfly_8_ (a b: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) - : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec256 & Libcrux_intrinsics.Avx2_extract.t_Vec256) - Prims.l_True - (fun _ -> Prims.l_True) +val butterfly_8_ (a b: u8) (zeta0 zeta1: i32) + : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_0_ - (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i32) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val invert_ntt_at_layer_0_ (simd_unit: u8) (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_1_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i32) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val invert_ntt_at_layer_1_ (simd_unit: u8) (zeta0 zeta1: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_2_ (simd_unit: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i32) - : Prims.Pure 
Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_3_plus - (v_LAYER zeta_i: usize) - (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) +val ntt_at_layer_3_plus (v_LAYER zeta_i: usize) (re: t_Array u8 (sz 32)) + : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_0_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) +val ntt_at_layer_0_ (zeta_i: usize) (re: t_Array u8 (sz 32)) + : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_1_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) +val ntt_at_layer_1_ (zeta_i: usize) (re: t_Array u8 (sz 32)) + : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_2_ (zeta_i: usize) (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (usize & t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) +val ntt_at_layer_2_ (zeta_i: usize) (re: t_Array u8 (sz 32)) + : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt (re: t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - : Prims.Pure (t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) +val ntt (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst index 67e806244..51c69e1a1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst 
@@ -3,37 +3,31 @@ module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta open Core open FStar.Mul -let shift_interval (v_ETA: usize) (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) = +let shift_interval (v_ETA: usize) (coefficients: u8) = match cast (v_ETA <: usize) <: u8 with | 2uy -> - let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let quotient:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 26l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 7l quotient + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 26l <: u8) in - let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let quotient:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 7l quotient in + let quotient:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 quotient - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 5l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 5l <: u8) in - let coefficients_mod_5_:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let coefficients_mod_5_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 coefficients quotient in Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (v_ETA <: usize) <: i32) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) coefficients_mod_5_ | 4uy -> Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (v_ETA <: usize) <: i32) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) coefficients | _ -> Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" 
@@ -42,7 +36,7 @@ let shift_interval (v_ETA: usize) (coefficients: Libcrux_intrinsics.Avx2_extract Rust_primitives.Hax.t_Never) let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) = - let potential_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let potential_coefficients:u8 = Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize_to_unsigned (sz 4) input in let (interval_boundary: i32):i32 = @@ -55,11 +49,11 @@ let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) = <: Rust_primitives.Hax.t_Never) in - let compare_with_interval_boundary:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let compare_with_interval_boundary:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 interval_boundary <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) potential_coefficients in let good:i32 = @@ -70,9 +64,7 @@ let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) = in let good_lower_half:i32 = good &. 15l in let good_upper_half:i32 = good >>! 4l in - let shifted:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - shift_interval v_ETA potential_coefficients - in + let shifted:u8 = shift_interval v_ETA potential_coefficients in let lower_shuffles:t_Array u8 (sz 16) = Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_lower_half <: 
@@ -80,13 +72,11 @@ let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) = <: usize ] in - let lower_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let lower_shuffles:u8 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (lower_shuffles <: t_Slice u8) in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 shifted - in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 shifted in + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients lower_shuffles in let output:t_Slice i32 = @@ -114,13 +104,11 @@ let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) = <: usize ] in - let upper_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_shuffles:u8 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8) in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l shifted - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l shifted in + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles in let output:t_Slice i32 = diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti index b18b2e3aa..43361f3bb 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti 
@@ -3,8 +3,8 @@ module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta open Core open FStar.Mul -val shift_interval (v_ETA: usize) (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val shift_interval (v_ETA: usize) (coefficients: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) val sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst index f3d66cf87..1ff5ab537 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst 
@@ -26,36 +26,32 @@ let bytestream_to_potential_coefficients (serialized: t_Slice u8) = <: t_Slice u8) in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_u8 (serialized_extended <: t_Slice u8) in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 5l 4l 3l 0l 2l 1l 0l - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 5l 4l 3l 0l 2l 1l 0l <: u8) in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 11y 10y 9y (-1y) 8y 7y 6y (-1y) 5y 4y 3y (-1y) 2y 1y 0y (-1y) 11y 10y 9y (-1y) 8y 7y 6y (-1y) 5y 4y 3y (-1y) 2y 1y 0y <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 bytestream_to_potential_coefficients__COEFFICIENT_MASK <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) let sample (input: t_Slice u8) (output: t_Slice i32) = - let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS in - let potential_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - bytestream_to_potential_coefficients input - in - let compare_with_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let potential_coefficients:u8 = bytestream_to_potential_coefficients input in + let compare_with_field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 field_modulus potential_coefficients in let good:i32 = 
@@ -73,13 +69,13 @@ let sample (input: t_Slice u8) (output: t_Slice i32) = <: usize ] in - let lower_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let lower_shuffles:u8 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (lower_shuffles <: t_Slice u8) in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 potential_coefficients in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients lower_shuffles in let output:t_Slice i32 = @@ -107,13 +103,13 @@ let sample (input: t_Slice u8) (output: t_Slice i32) = <: usize ] in - let upper_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_shuffles:u8 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8) in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l potential_coefficients in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles in let output:t_Slice i32 = diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti index 8d297cab8..185397a4b 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti 
@@ -6,7 +6,7 @@ open FStar.Mul let bytestream_to_potential_coefficients__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) val sample (input: t_Slice u8) (output: t_Slice i32) : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst index 548a6a706..e220b31db 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst @@ -4,20 +4,16 @@ open Core open FStar.Mul let v_ZERO (_: Prims.unit) = - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve - (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () <: u8) let from_coefficient_array (coefficient_array: t_Slice i32) = - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve - (Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + (Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array <: u8) let to_coefficient_array (x: t_AVX2SIMDUnit) = let coefficient_array:t_Array i32 (sz 8) = Rust_primitives.Hax.repeat 0l (sz 8) in diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti index ec092f8da..052da1273 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti 
@@ -3,19 +3,14 @@ module Libcrux_ml_dsa.Simd.Avx2.Vector_type open Core open FStar.Mul -type t_AVX2SIMDUnit = { f_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 } +type t_AVX2SIMDUnit = { f_coefficients:u8 } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Core.Convert.t_From t_AVX2SIMDUnit Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let impl: Core.Convert.t_From t_AVX2SIMDUnit u8 = { - f_from_pre = (fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> true); - f_from_post - = - (fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) (out: t_AVX2SIMDUnit) -> true); - f_from - = - fun (coefficients: Libcrux_intrinsics.Avx2_extract.t_Vec256) -> - { f_coefficients = coefficients } <: t_AVX2SIMDUnit + f_from_pre = (fun (coefficients: u8) -> true); + f_from_post = (fun (coefficients: u8) (out: t_AVX2SIMDUnit) -> true); + f_from = fun (coefficients: u8) -> { f_coefficients = coefficients } <: t_AVX2SIMDUnit } val v_ZERO: Prims.unit -> Prims.Pure t_AVX2SIMDUnit Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti index d14d3a5c7..46926e5bb 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti @@ -64,14 +64,14 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lhs .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); + u8)); f_subtract_pre = (fun 
@@ -93,14 +93,14 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract lhs .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); + u8)); f_montgomery_multiply_by_constant_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (constant: i32) -> true); @@ -115,14 +115,14 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_montgomery_multiply_by_constant = (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (constant: i32) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant simd_unit .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients constant <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); + u8)); f_montgomery_multiply_pre = (fun 
@@ -144,14 +144,14 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply lhs .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); + u8)); f_shift_left_then_reduce_pre = (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); @@ -166,13 +166,13 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_shift_left_then_reduce = (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.shift_left_then_reduce v_SHIFT_BY simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); + u8)); f_power2round_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); 
@@ -188,16 +188,15 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_power2round = (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - let lower, upper:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & - Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let lower, upper:(u8 & u8) = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.power2round simd_unit .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients in - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve lower, - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve upper @@ -237,16 +236,15 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_decompose = (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - let lower, upper:(Libcrux_intrinsics.Avx2_extract.t_Vec256 & - Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let lower, upper:(u8 & u8) = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.decompose v_GAMMA2 simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients in - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve lower, - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve upper 
@@ -277,13 +275,13 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - let count, hint:(usize & Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let count, hint:(usize & u8) = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.compute_hint v_GAMMA2 low.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients high.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients in count, - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve hint @@ -313,14 +311,14 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.use_hint v_GAMMA2 simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients hint.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); + u8)); f_rejection_sample_less_than_field_modulus_pre = (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); 
@@ -395,12 +393,10 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_gamma1_deserialize = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); + (Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized <: u8)); f_commitment_serialize_pre = (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> @@ -447,12 +443,10 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_error_deserialize = (fun (v_ETA: usize) (serialized: t_Slice u8) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize v_ETA serialized - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); + (Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize v_ETA serialized <: u8)); f_t0_serialize_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); @@ -476,12 +470,10 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_t0_deserialize = (fun (serialized: t_Slice u8) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.deserialize serialized - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); + (Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.deserialize serialized <: u8)); f_t1_serialize_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); 
@@ -505,12 +497,10 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_t1_deserialize = (fun (serialized: t_Slice u8) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.deserialize serialized - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); + (Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.deserialize serialized <: u8)); f_ntt_pre = (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) -> true); @@ -524,24 +514,24 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_ntt = (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) -> - let result:t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32) = + let result:t_Array u8 (sz 32) = Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt (Core.Array.impl_23__map #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32) - #Libcrux_intrinsics.Avx2_extract.t_Vec256 + #u8 simd_units (fun x -> let x:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = x in x.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients) <: - t_Array Libcrux_intrinsics.Avx2_extract.t_Vec256 (sz 32)) + t_Array u8 (sz 32)) in - Core.Array.impl_23__map #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Array.impl_23__map #u8 (sz 32) #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit result (fun x -> - let x:Libcrux_intrinsics.Avx2_extract.t_Vec256 = x in - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + let x:u8 = x in + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve x 
@@ -577,7 +567,7 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = (zeta2: i32) (zeta3: i32) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_0_ simd_unit @@ -587,7 +577,7 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = zeta2 zeta3 <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); + u8)); f_invert_ntt_at_layer_1_pre = (fun @@ -612,7 +602,7 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = (zeta0: i32) (zeta1: i32) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_1_ simd_unit @@ -620,7 +610,7 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = zeta0 zeta1 <: - Libcrux_intrinsics.Avx2_extract.t_Vec256)); + u8)); f_invert_ntt_at_layer_2_pre = (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (zeta: i32) -> true); @@ -635,12 +625,12 @@ Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = f_invert_ntt_at_layer_2_ = fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (zeta: i32) -> - Core.Convert.f_into #Libcrux_intrinsics.Avx2_extract.t_Vec256 + Core.Convert.f_into #u8 #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit #FStar.Tactics.Typeclasses.solve (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_2_ simd_unit .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients zeta <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) } diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index b188342b7..85ba11ccf 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs 
@@ -13,7 +13,7 @@ use crate::{ vector_times_ring_element, }, ntt::ntt, - pre_hash::{DomainSeparationContext, DomainSeparationError, PreHash}, + pre_hash::{DomainSeparationContext, PreHash}, sample::{sample_challenge_ring_element, sample_mask_vector}, samplex4, simd::traits::Operations, @@ -121,31 +121,31 @@ pub(crate) fn sign_pre_hashed< return Err(SigningError::ContextTooLongError); } let pre_hashed_message = PH::hash(message); - // TODO: Support implicit into() in ? so that this match becomes unnecessary - match DomainSeparationContext::new(context, Some(&PH::oid())) { - Ok(d) => sign_internal::< - SIMDUnit, - Shake128X4, - Shake256, - Shake256X4, - ROWS_IN_A, - COLUMNS_IN_A, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(&signing_key, &pre_hashed_message, Some(d), randomness), - - Err(DomainSeparationError::ContextTooLongError) => Err(SigningError::ContextTooLongError), - } + sign_internal::< + SIMDUnit, + Shake128X4, + Shake256, + Shake256X4, + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >( + &signing_key, + &pre_hashed_message, + Some(DomainSeparationContext::new(context, Some(&PH::oid()))?), + randomness, + ) } #[allow(non_snake_case)] 
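Review bot: The `?` on `Some(DomainSeparationContext::new(context, Some(&PH::oid()))?)` now depends on a `From<DomainSeparationError> for SigningError` conversion that is not in this hunk, whereas the removed match pinned `DomainSeparationError::ContextTooLongError` to `SigningError::ContextTooLongError` explicitly. If that impl is added elsewhere in the series it must map the variant identically, otherwise the error value callers match on changes silently; a unit test asserting that an over-long context yields `SigningError::ContextTooLongError` (and `VerificationError::ContextTooLongError` for the verify entry points) would pin the public behaviour. The same replacement is made in the `sign`, `verify` and `verify_pre_hashed` hunks that follow. Note also that `sign_pre_hashed` already returns `SigningError::ContextTooLongError` from the length check visible at the top of the hunk, so the `?` path is only reachable if `DomainSeparationContext::new` enforces a different bound than that check — worth confirming so the two checks cannot disagree. The body of `sign_pre_hashed` starts outside the hunk.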
@@ -175,29 +175,31 @@ pub(crate) fn sign< randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { // TODO: Support implicit into() in ? so that this match becomes unnecessary - match DomainSeparationContext::new(context, None) { - Ok(d) => sign_internal::< - SIMDUnit, - Shake128X4, - Shake256, - Shake256X4, - ROWS_IN_A, - COLUMNS_IN_A, - ETA, - ERROR_RING_ELEMENT_SIZE, - GAMMA1_EXPONENT, - GAMMA2, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - GAMMA1_RING_ELEMENT_SIZE, - SIGNING_KEY_SIZE, - SIGNATURE_SIZE, - >(&signing_key, message, Some(d), randomness), - Err(DomainSeparationError::ContextTooLongError) => Err(SigningError::ContextTooLongError), - } + sign_internal::< + SIMDUnit, + Shake128X4, + Shake256, + Shake256X4, + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >( + &signing_key, + message, + Some(DomainSeparationContext::new(context, None)?), + randomness, + ) } /// The internal signing API. 
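Review bot: The context line `// TODO: Support implicit into() in ? so that this match becomes unnecessary` is now stale, since this hunk does exactly that and no match remains below it; the comment should be deleted. The same leftover comment survives as a context line in the `verify` hunk that follows (`@@ -567,34 +569,29 @@`), where the match was likewise removed but the TODO kept; the `sign_pre_hashed` and `verify_pre_hashed` hunks did drop it, so the file is now inconsistent. The `sign` signature starts outside the hunk.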
@@ -567,34 +569,29 @@ pub(crate) fn verify< signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { // TODO: Support implicit into() in ? so that this match becomes unnecessary - match DomainSeparationContext::new(context, None) { - Ok(d) => verify_internal::< - SIMDUnit, - Shake128X4, - Shake256, - ROWS_IN_A, - COLUMNS_IN_A, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( - &verification_key_serialized, - message, - Some(d), - &signature_serialized, - ), - Err(DomainSeparationError::ContextTooLongError) => { - Err(VerificationError::ContextTooLongError) - } - } + verify_internal::< + SIMDUnit, + Shake128X4, + Shake256, + ROWS_IN_A, + COLUMNS_IN_A, + SIGNATURE_SIZE, + VERIFICATION_KEY_SIZE, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + GAMMA2, + BETA, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + >( + &verification_key_serialized, + message, + Some(DomainSeparationContext::new(context, None)?), + &signature_serialized, + ) } #[allow(non_snake_case)] 
@@ -625,33 +622,27 @@ pub(crate) fn verify_pre_hashed< ) -> Result<(), VerificationError> { let pre_hashed_message = PH::hash(message); - // TODO: Support implicit into() in ? so that this match becomes unnecessary - match DomainSeparationContext::new(context, Some(&PH::oid())) { - Ok(d) => verify_internal::< - SIMDUnit, - Shake128X4, - Shake256, - ROWS_IN_A, - COLUMNS_IN_A, - SIGNATURE_SIZE, - VERIFICATION_KEY_SIZE, - GAMMA1_EXPONENT, - GAMMA1_RING_ELEMENT_SIZE, - GAMMA2, - BETA, - COMMITMENT_RING_ELEMENT_SIZE, - COMMITMENT_VECTOR_SIZE, - COMMITMENT_HASH_SIZE, - ONES_IN_VERIFIER_CHALLENGE, - MAX_ONES_IN_HINT, - >( - &verification_key_serialized, - &pre_hashed_message, - Some(d), - &signature_serialized, - ), - Err(DomainSeparationError::ContextTooLongError) => { - Err(VerificationError::ContextTooLongError) - } - } + verify_internal::< + SIMDUnit, + Shake128X4, + Shake256, + ROWS_IN_A, + COLUMNS_IN_A, + SIGNATURE_SIZE, + VERIFICATION_KEY_SIZE, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + GAMMA2, + BETA, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + >( + &verification_key_serialized, + &pre_hashed_message, + Some(DomainSeparationContext::new(context, Some(&PH::oid()))?), + &signature_serialized, + ) } From 7db214da292ce0b6f749e98804390a904399c2a8 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Fri, 1 Nov 2024 10:33:49 +0100 Subject: [PATCH 31/74] lax checks --- Cargo.lock | 218 +++++++++--------- .../Libcrux_ml_dsa.Ml_dsa_generic.fst | 59 +++-- sys/pqclean/src/bindings.rs | 2 +- 3 files changed, 148 insertions(+), 131 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e51145cce..4bd462b69 100644 --- a/Cargo.lock +++ b/Cargo.lock 
@@ -29,9 +29,9 @@ checksum = "4b46cbb362ab8752921c97e041f5e366ee6297bd428a31275b9fcf1e380f7299" [[package]] name = "anstream" -version = "0.6.15" +version = "0.6.17" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "64e15c1ab1f89faffbf04a634d5e1962e9074f2741eef6d97f3c4e322426d526" +checksum = "23a1e53f0f5d86382dafe1cf314783b2044280f406e7e1506368220ad11b1338" dependencies = [ "anstyle", "anstyle-parse", @@ -44,36 +44,36 @@ dependencies = [ [[package]] name = "anstyle" -version = "1.0.8" +version = "1.0.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1bec1de6f59aedf83baf9ff929c98f2ad654b97c9510f4e70cf6f661d49fd5b1" +checksum = "8365de52b16c035ff4fcafe0092ba9390540e3e352870ac09933bebcaa2c8c56" [[package]] name = "anstyle-parse" -version = "0.2.5" +version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb47de1e80c2b463c735db5b217a0ddc39d612e7ac9e2e96a5aed1f57616c1cb" +checksum = "3b2d16507662817a6a20a9ea92df6652ee4f94f914589377d69f3b21bc5798a9" dependencies = [ "utf8parse", ] [[package]] name = "anstyle-query" -version = "1.1.1" +version = "1.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6d36fc52c7f6c869915e99412912f22093507da8d9e942ceaf66fe4b7c14422a" +checksum = "79947af37f4177cfead1110013d678905c37501914fba0efea834c3fe9a8d60c" dependencies = [ - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] name = "anstyle-wincon" -version = "3.0.4" +version = "3.0.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5bf74e1b6e971609db8ca7a9ce79fd5768ab6ae46441c572e46cf596f59e57f8" +checksum = "2109dbce0e72be3ec00bed26e6a7479ca384ad226efdd66db8fa2e3a38c83125" dependencies = [ "anstyle", - "windows-sys 0.52.0", + "windows-sys 0.59.0", ] [[package]] 
@@ -84,9 +84,9 @@ checksum = "7d5a26814d8dcb93b0e5a0ff3c6d80a8843bafb21b39e8e18a6f05471870e110" [[package]] name = "autocfg" -version = "1.3.0" +version = "1.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" +checksum = "ace50bade8e6234aa140d9a2f552bbee1db4d353f69b8217bc503490fc1a9f26" [[package]] name = "base16ct" @@ -126,9 +126,9 @@ dependencies = [ [[package]] name = "bindgen" -version = "0.69.4" +version = "0.69.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a00dc851838a2120612785d195287475a3ac45514741da670b735818822129a0" +checksum = "271383c67ccabffb7381723dea0672a673f292304fcb45c01cc648c7a8d58088" dependencies = [ "bitflags", "cexpr", @@ -143,7 +143,7 @@ dependencies = [ "regex", "rustc-hash", "shlex", - "syn 2.0.77", + "syn 2.0.85", "which", ] @@ -191,9 +191,9 @@ dependencies = [ [[package]] name = "cc" -version = "1.1.21" +version = "1.1.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07b1695e2c7e8fc85310cde85aeaab7e3097f593c91d209d3f9df76c928100f0" +checksum = "c2e7962b54006dcfcc61cb72735f4d89bb97061dd6a7ed882ec6b8ee53714c6f" dependencies = [ "jobserver", "libc", @@ -290,9 +290,9 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.18" +version = "4.5.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b0956a43b323ac1afaffc053ed5c4b7c1f1800bacd1683c353aabbb752515dd3" +checksum = "b97f376d85a664d5837dbae44bf546e6477a679ff6610010f17276f686d867e8" dependencies = [ "clap_builder", "clap_derive", 
@@ -300,9 +300,9 @@ dependencies = [ [[package]] name = "clap_builder" -version = "4.5.18" +version = "4.5.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4d72166dd41634086d5803a47eb71ae740e61d84709c36f3c34110173db3961b" +checksum = "19bc80abd44e4bed93ca373a0704ccbd1b710dc5749406201bb018272808dc54" dependencies = [ "anstream", "anstyle", @@ -319,7 +319,7 @@ dependencies = [ "heck", "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.85", ] [[package]] @@ -341,9 +341,9 @@ dependencies = [ [[package]] name = "colorchoice" -version = "1.0.2" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d3fd119d74b830634cea2a0f58bbd0d54540518a14397557951e79340abc28c0" +checksum = "5b63caa9aa9397e2d9480a9b13673856c78d8ac123288526c37d7839f2a86990" [[package]] name = "console_error_panic_hook" @@ -483,7 +483,7 @@ checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.85", ] [[package]] @@ -702,19 +702,19 @@ dependencies = [ [[package]] name = "hax-lib" version = "0.1.0-alpha.1" -source = "git+https://github.com/hacspec/hax/?branch=main#d3313f9a7f928810cf1750e3f7702fdfdb9b011c" +source = "git+https://github.com/hacspec/hax/?branch=main#a28477cae71aee9d8138110abd8199392b4afcd7" dependencies = [ - "hax-lib-macros 0.1.0-alpha.1", + "hax-lib-macros 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=main)", "num-bigint", "num-traits", ] [[package]] name = "hax-lib" -version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/#c2093b4963099522c65f5cd42b96d6433afb0617" +version = "0.1.0-alpha.1" +source = "git+https://github.com/hacspec/hax/#a28477cae71aee9d8138110abd8199392b4afcd7" dependencies = [ - "hax-lib-macros 0.1.0-pre.1", + "hax-lib-macros 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "num-bigint", "num-traits", ] 
@@ -722,33 +722,33 @@ dependencies = [ [[package]] name = "hax-lib-macros" version = "0.1.0-alpha.1" -source = "git+https://github.com/hacspec/hax/?branch=main#001a27e20755b65d6a780243a125076fe90e6d0b" +source = "git+https://github.com/hacspec/hax/?branch=main#a28477cae71aee9d8138110abd8199392b4afcd7" dependencies = [ - "hax-lib-macros-types 0.1.0-alpha.1", + "hax-lib-macros-types 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=main)", "paste", "proc-macro-error", "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.85", ] [[package]] name = "hax-lib-macros" -version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/#c2093b4963099522c65f5cd42b96d6433afb0617" +version = "0.1.0-alpha.1" +source = "git+https://github.com/hacspec/hax/#a28477cae71aee9d8138110abd8199392b4afcd7" dependencies = [ - "hax-lib-macros-types 0.1.0-pre.1", + "hax-lib-macros-types 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "paste", "proc-macro-error", "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.85", ] [[package]] name = "hax-lib-macros-types" version = "0.1.0-alpha.1" -source = "git+https://github.com/hacspec/hax/?branch=main#001a27e20755b65d6a780243a125076fe90e6d0b" +source = "git+https://github.com/hacspec/hax/?branch=main#a28477cae71aee9d8138110abd8199392b4afcd7" dependencies = [ "proc-macro2", "quote", @@ -759,8 +759,8 @@ dependencies = [ [[package]] name = "hax-lib-macros-types" -version = "0.1.0-pre.1" -source = "git+https://github.com/hacspec/hax/#c2093b4963099522c65f5cd42b96d6433afb0617" +version = "0.1.0-alpha.1" +source = "git+https://github.com/hacspec/hax/#a28477cae71aee9d8138110abd8199392b4afcd7" dependencies = [ "proc-macro2", "quote", 
@@ -884,9 +884,9 @@ dependencies = [ [[package]] name = "js-sys" -version = "0.3.70" +version = "0.3.72" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1868808506b929d7b0cfa8f75951347aa71bb21144b7791bae35d9bccfcfe37a" +checksum = "6a88f1bda2bd75b0452a14784937d796722fdebfe50df998aeb3f0b7603019a9" dependencies = [ "wasm-bindgen", ] @@ -924,9 +924,9 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.158" +version = "0.2.161" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8adc4bb1803a324070e64a98ae98f38934d91957a99cfb3a43dcbc01bc56439" +checksum = "8e9489c2807c139ffd9c1794f4af0ebe86a828db53ecdc7fea2111d0fed085d1" [[package]] name = "libcrux" @@ -934,8 +934,8 @@ version = "0.0.2-beta.2" dependencies = [ "clap", "getrandom", - "hax-lib 0.1.0-alpha.1", - "hax-lib-macros 0.1.0-alpha.1", + "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=main)", + "hax-lib-macros 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=main)", "hex", "libcrux", "libcrux-ecdh", @@ -1026,7 +1026,7 @@ name = "libcrux-ml-dsa" version = "0.0.2-beta.2" dependencies = [ "criterion", - "hax-lib 0.1.0-pre.1", + "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "hex", "libcrux-intrinsics", "libcrux-platform", @@ -1042,7 +1042,7 @@ name = "libcrux-ml-kem" version = "0.0.2-beta.2" dependencies = [ "criterion", - "hax-lib 0.1.0-pre.1", + "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "hex", "libcrux-intrinsics", "libcrux-platform", @@ -1088,7 +1088,7 @@ version = "0.0.2-beta.2" dependencies = [ "cavp", "criterion", - "hax-lib 0.1.0-pre.1", + "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "hex", "libcrux-intrinsics", "libcrux-platform", 
@@ -1147,9 +1147,9 @@ checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3" [[package]] name = "minicov" -version = "0.3.5" +version = "0.3.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c71e683cd655513b99affab7d317deb690528255a0d5f717f1024093c12b169" +checksum = "def6d99771d7c499c26ad4d40eb6645eafd3a1553b35fc26ea5a489a45e82d9a" dependencies = [ "cc", "walkdir", @@ -1201,9 +1201,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.19.0" +version = "1.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" +checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775" [[package]] name = "oorandom" @@ -1219,9 +1219,9 @@ checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" [[package]] name = "openssl" -version = "0.10.66" +version = "0.10.68" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9529f4786b70a3e8c61e11179af17ab6188ad8d0ded78c5529441ed39d4bd9c1" +checksum = "6174bc48f102d208783c2c84bf931bb75927a617866870de8a4ea85597f871f5" dependencies = [ "bitflags", "cfg-if", @@ -1240,14 +1240,14 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.85", ] [[package]] name = "openssl-sys" -version = "0.9.103" +version = "0.9.104" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f9e8deee91df40a943c71b917e5874b951d32a802526c85721ce3b776c929d6" +checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741" dependencies = [ "cc", "libc", 
@@ -1361,9 +1361,9 @@ dependencies = [ [[package]] name = "pqcrypto-internals" -version = "0.2.5" +version = "0.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d9d34bec6abe2283e6de7748b68b292d1ffa2203397e3e71380ff8418a49fb46" +checksum = "e10cdd9eee50fe65bbd4f40211f1a492f1ee52e97a51100950b6f1fa319ab7cd" dependencies = [ "cc", "dunce", @@ -1402,12 +1402,12 @@ dependencies = [ [[package]] name = "prettyplease" -version = "0.2.22" +version = "0.2.25" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "479cf940fbbb3426c32c5d5176f62ad57549a0bb84773423ba8be9d089f5faba" +checksum = "64d1ec885c64d0457d564db4ec299b2dae3f9c02808b8ad9c3a089c591b18033" dependencies = [ "proc-macro2", - "syn 2.0.77", + "syn 2.0.85", ] [[package]] @@ -1445,9 +1445,9 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.86" +version = "1.0.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77" +checksum = "f139b0662de085916d1fb67d2b4169d1addddda1919e696f3252b740b629986e" dependencies = [ "unicode-ident", ] @@ -1535,9 +1535,9 @@ dependencies = [ [[package]] name = "regex" -version = "1.10.6" +version = "1.11.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4219d74c6b67a3654a9fbebc4b419e22126d13d2f3c4a07ee0cb61ff79a79619" +checksum = "b544ef1b4eac5dc2db33ea63606ae9ffcfac26c1416a2806ae0bf5f56b201191" dependencies = [ "aho-corasick", "memchr", @@ -1547,9 +1547,9 @@ dependencies = [ [[package]] name = "regex-automata" -version = "0.4.7" +version = "0.4.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38caf58cc5ef2fed281f89292ef23f6365465ed9a41b7a7754eb4e26496c92df" +checksum = "368758f23274712b504848e9d5a6f010445cc8b87a7cdb4d7cbee666c1288da3" dependencies = [ "aho-corasick", "memchr", 
@@ -1558,9 +1558,9 @@ dependencies = [ [[package]] name = "regex-syntax" -version = "0.8.4" +version = "0.8.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a66a03ae7c801facd77a29370b4faec201768915ac14a721ba36f20bc9c209b" +checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c" [[package]] name = "rfc6979" @@ -1604,9 +1604,9 @@ dependencies = [ [[package]] name = "rustix" -version = "0.38.37" +version = "0.38.38" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8acb788b847c24f28525660c4d7758620a7210875711f79e7f663cc152726811" +checksum = "aa260229e6538e52293eeb577aabd09945a09d6d9cc0fc550ed7529056c2e32a" dependencies = [ "bitflags", "errno", @@ -1658,29 +1658,29 @@ checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b" [[package]] name = "serde" -version = "1.0.210" +version = "1.0.214" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a" +checksum = "f55c3193aca71c12ad7890f1785d2b73e1b9f63a0bbc353c08ef26fe03fc56b5" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.210" +version = "1.0.214" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f" +checksum = "de523f781f095e28fa605cdce0f8307e451cc0fd14e2eb4cd2e98a355b147766" dependencies = [ "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.85", ] [[package]] name = "serde_json" -version = "1.0.128" +version = "1.0.132" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ff5456707a1de34e7e37f2a6fd3d3f808c318259cbd01ab6377795054b483d8" +checksum = "d726bfaff4b320266d395898905d0eba0345aae23b54aee3a737e260fd46db03" dependencies = [ "itoa", "memchr", 
@@ -1772,9 +1772,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.77" +version = "2.0.85" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f35bcdf61fd8e7be6caf75f429fdca8beb3ed76584befb503b1569faee373ed" +checksum = "5023162dfcd14ef8f32034d8bcd4cc5ddc61ef7a247c024a33e24e1f24d21b56" dependencies = [ "proc-macro2", "quote", @@ -1836,9 +1836,9 @@ checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821" [[package]] name = "uuid" -version = "1.10.0" +version = "1.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "81dfa00651efa65069b0b6b651f4aaa31ba9e3c3ce0137aaad053604ee7e0314" +checksum = "f8c5f0a0af699448548ad1a2fbf920fb4bee257eae39953ba95cb84891a0446a" dependencies = [ "getrandom", ] @@ -1873,9 +1873,9 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" [[package]] name = "wasm-bindgen" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a82edfc16a6c469f5f44dc7b571814045d60404b55a0ee849f9bcfa2e63dd9b5" +checksum = "128d1e363af62632b8eb57219c8fd7877144af57558fb2ef0368d0087bddeb2e" dependencies = [ "cfg-if", "once_cell", 
@@ -1884,24 +1884,24 @@ dependencies = [ [[package]] name = "wasm-bindgen-backend" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9de396da306523044d3302746f1208fa71d7532227f15e347e2d93e4145dd77b" +checksum = "cb6dd4d3ca0ddffd1dd1c9c04f94b868c37ff5fac97c30b97cff2d74fce3a358" dependencies = [ "bumpalo", "log", "once_cell", "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.85", "wasm-bindgen-shared", ] [[package]] name = "wasm-bindgen-futures" -version = "0.4.43" +version = "0.4.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "61e9300f63a621e96ed275155c108eb6f843b6a26d053f122ab69724559dc8ed" +checksum = "cc7ec4f8827a71586374db3e87abdb5a2bb3a15afed140221307c3ec06b1f63b" dependencies = [ "cfg-if", "js-sys", @@ -1911,9 +1911,9 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "585c4c91a46b072c92e908d99cb1dcdf95c5218eeb6f3bf1efa991ee7a68cccf" +checksum = "e79384be7f8f5a9dd5d7167216f022090cf1f9ec128e6e6a482a2cb5c5422c56" dependencies = [ "quote", "wasm-bindgen-macro-support", 
@@ -1921,28 +1921,28 @@ dependencies = [ [[package]] name = "wasm-bindgen-macro-support" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "afc340c74d9005395cf9dd098506f7f44e38f2b4a21c6aaacf9a105ea5e1e836" +checksum = "26c6ab57572f7a24a4985830b120de1594465e5d500f24afe89e16b4e833ef68" dependencies = [ "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.85", "wasm-bindgen-backend", "wasm-bindgen-shared", ] [[package]] name = "wasm-bindgen-shared" -version = "0.2.93" +version = "0.2.95" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c62a0a307cb4a311d3a07867860911ca130c3494e8c2719593806c08bc5d0484" +checksum = "65fc09f10666a9f147042251e0dda9c18f166ff7de300607007e96bdebc1068d" [[package]] name = "wasm-bindgen-test" -version = "0.3.43" +version = "0.3.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "68497a05fb21143a08a7d24fc81763384a3072ee43c44e86aad1744d6adef9d9" +checksum = "d381749acb0943d357dcbd8f0b100640679883fcdeeef04def49daf8d33a5426" dependencies = [ "console_error_panic_hook", "js-sys", @@ -1955,20 +1955,20 @@ dependencies = [ [[package]] name = "wasm-bindgen-test-macro" -version = "0.3.43" +version = "0.3.45" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4b8220be1fa9e4c889b30fd207d4906657e7e90b12e0e6b0c8b8d8709f5de021" +checksum = "c97b2ef2c8d627381e51c071c2ab328eac606d3f69dd82bcbca20a9e389d95f0" dependencies = [ "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.85", ] [[package]] name = "web-sys" -version = "0.3.70" +version = "0.3.72" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "26fdeaafd9bd129f65e7c031593c24d62186301e0c72c8978fa1678be7d532c0" +checksum = "f6488b90108c040df0fe62fa815cbdee25124641df01814dd7282749234c6112" dependencies = [ "js-sys", "wasm-bindgen", 
@@ -2119,7 +2119,7 @@ checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.85", ] [[package]] @@ -2139,5 +2139,5 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ "proc-macro2", "quote", - "syn 2.0.77", + "syn 2.0.85", ] diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst index 21e45577e..878dd2cb5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst @@ -33,6 +33,14 @@ let derive_message_representative Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake ((let list = [ + cast (Core.Option.impl__is_some #(t_Array u8 (sz 11)) + (Libcrux_ml_dsa.Pre_hash.impl_1__pre_hash_oid domain_separation_context + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + bool) + <: + u8 ] in FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); 
@@ -525,18 +533,21 @@ let sign Libcrux_ml_dsa.Pre_hash.impl_1__new context (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) with - | Core.Result.Result_Ok d -> + | Core.Result.Result_Ok hoist36 -> sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message - (Core.Option.Option_Some d + (Core.Option.Option_Some hoist36 <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - | Core.Result.Result_Err (Libcrux_ml_dsa.Pre_hash.DomainSeparationError_ContextTooLongError ) -> + | Core.Result.Result_Err err -> Core.Result.Result_Err - (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError 
@@ -587,18 +598,22 @@ let sign_pre_hashed <: Core.Option.t_Option (t_Array u8 (sz 11))) with - | Core.Result.Result_Ok d -> + | Core.Result.Result_Ok hoist39 -> sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key (pre_hashed_message <: t_Slice u8) - (Core.Option.Option_Some d + (Core.Option.Option_Some hoist39 <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness - | Core.Result.Result_Err (err) -> - Core.Result.Result_Err (Core.Convert.f_from err) - <: + | Core.Result.Result_Err err -> + Core.Result.Result_Err + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) + <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError 
@@ -782,19 +797,20 @@ let verify Libcrux_ml_dsa.Pre_hash.impl_1__new context (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) with - | Core.Result.Result_Ok d -> + | Core.Result.Result_Ok hoist41 -> verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message - (Core.Option.Option_Some d + (Core.Option.Option_Some hoist41 <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized - | Core.Result.Result_Err (Libcrux_ml_dsa.Pre_hash.DomainSeparationError_ContextTooLongError ) -> + | Core.Result.Result_Err err -> Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_ContextTooLongError - <: - Libcrux_ml_dsa.Types.t_VerificationError) + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError 
@@ -833,20 +849,21 @@ let verify_pre_hashed <: Core.Option.t_Option (t_Array u8 (sz 11))) with - | Core.Result.Result_Ok d -> + | Core.Result.Result_Ok hoist43 -> verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized (pre_hashed_message <: t_Slice u8) - (Core.Option.Option_Some d + (Core.Option.Option_Some hoist43 <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized - | Core.Result.Result_Err (Libcrux_ml_dsa.Pre_hash.DomainSeparationError_ContextTooLongError ) -> + | Core.Result.Result_Err err -> Core.Result.Result_Err - (Libcrux_ml_dsa.Types.VerificationError_ContextTooLongError - <: - Libcrux_ml_dsa.Types.t_VerificationError) + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError diff --git a/sys/pqclean/src/bindings.rs b/sys/pqclean/src/bindings.rs index 5f6602af9..9c1755073 100644 --- a/sys/pqclean/src/bindings.rs +++ b/sys/pqclean/src/bindings.rs @@ -1,4 +1,4 @@ -/* automatically generated by rust-bindgen 0.69.4 */ +/* automatically generated by rust-bindgen 0.69.5 */ pub const SHAKE128_RATE: u32 = 168; pub const SHAKE256_RATE: u32 = 136; From 60ffea0ebe55a1cdc51fdc08a249e96e8554c5f8 Mon Sep 17 00:00:00 2001 
From: Karthikeyan Bhargavan Date: Sat, 2 Nov 2024 09:13:47 +0100 Subject: [PATCH 32/74] fstar refresh --- .gitignore | 4 ++-- Cargo.toml | 4 ++-- libcrux-ml-dsa/src/simd/avx2/ntt.rs | 2 +- libcrux-ml-dsa/src/simd/portable/ntt.rs | 2 +- libcrux-ml-dsa/src/simd/portable/vector_type.rs | 2 +- libcrux-ml-kem/src/vector/portable/vector_type.rs | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.gitignore b/.gitignore index e1ba64f55..3eb7f0598 100644 --- a/.gitignore +++ b/.gitignore @@ -15,6 +15,6 @@ kyber-crate/ # F* .fstar-cache .depend -**/proofs/fstar/*/#*# -**/proofs/fstar/*/.#* +/proofs/fstar/*/#*# +/proofs/fstar/*/.#* hax.fst.config.json diff --git a/Cargo.toml b/Cargo.toml index 3a558d856..22a1c40af 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -78,8 +78,8 @@ getrandom = { version = "0.2", features = ["js"], optional = true } # When using the hax toolchain, we have more dependencies. # This is only required when doing proofs. [target.'cfg(hax)'.dependencies] -hax-lib-macros = { git = "https://github.com/hacspec/hax", branch = "main" } -hax-lib = { git = "https://github.com/hacspec/hax/", branch = "main" } +hax-lib-macros = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax", branch = "main" } +hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/", branch = "main" } [dev-dependencies] libcrux = { path = ".", features = ["rand", "tests"] } diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs index 4ae0fc6fa..94d8aa1dd 100644 --- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs @@ -239,7 +239,7 @@ fn ntt_at_layer_3_plus( re[j + step_by] = arithmetic::subtract(re[j], t); re[j] = arithmetic::add(re[j], t); } - () + () // This is because of https://github.com/hacspec/hax/issues/720 } () } diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs index df0db5a8a..93a049c21 100644 
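Review bot: The new patterns `/proofs/fstar/*/#*#` and `/proofs/fstar/*/.#*` are anchored at the repository root, so they no longer cover per-crate proof directories such as libcrux-ml-dsa/proofs/fstar/extraction/ that this same series touches, whereas the removed `**/` prefix matched at any depth. Unless a top-level proofs/ directory exists or the crate directories carry their own .gitignore, editor backup and lock files under those paths will start appearing as untracked. If the goal was to stop matching at arbitrary depth, `*/proofs/fstar/*/#*#` (one crate level) would keep the current coverage; otherwise the `**/` form should stay.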
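Review bot: Adding `version = "0.1.0-alpha.1"` to the hax-lib and hax-lib-macros entries constrains only which crate version is accepted from the repository; `branch = "main"` still lets every `cargo update` move both dependencies to whatever that branch holds at the time, so the proof toolchain is not reproducible from the manifest alone. The lockfile hunk earlier in this series resolves them to `a28477cae71aee9d8138110abd8199392b4afcd7`; replacing `branch = "main"` with `rev = "a28477cae71aee9d8138110abd8199392b4afcd7"` would pin that commit in the manifest (Cargo accepts only one of `branch`, `tag` or `rev`). Since these live under `[target.'cfg(hax)'.dependencies]` the exposure is limited to proof builds, but a comment such as `# Pinned to a hax commit so extraction is reproducible; bump deliberately.` would make that choice explicit.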
--- a/libcrux-ml-dsa/src/simd/portable/ntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs @@ -216,7 +216,7 @@ fn ntt_at_layer_3_plus( re[j] = arithmetic::add(&re[j], &t); } } - () + () // Needed because of https://github.com/hacspec/hax/issues/720 } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/portable/vector_type.rs b/libcrux-ml-dsa/src/simd/portable/vector_type.rs index 6cecdac4c..3a71624d9 100644 --- a/libcrux-ml-dsa/src/simd/portable/vector_type.rs +++ b/libcrux-ml-dsa/src/simd/portable/vector_type.rs @@ -1,5 +1,5 @@ use crate::simd::traits::COEFFICIENTS_IN_SIMD_UNIT; -/// Values having this type hold a representative 'x' of the Kyber field. +/// Values having this type hold a representative 'x' of the ML-DSA field. /// We use 'fe' as a shorthand for this type. pub(crate) type FieldElement = i32; diff --git a/libcrux-ml-kem/src/vector/portable/vector_type.rs b/libcrux-ml-kem/src/vector/portable/vector_type.rs index 75b3b30c6..266b738e8 100644 --- a/libcrux-ml-kem/src/vector/portable/vector_type.rs +++ b/libcrux-ml-kem/src/vector/portable/vector_type.rs @@ -1,6 +1,6 @@ use crate::vector::traits::FIELD_ELEMENTS_IN_VECTOR; -/// Values having this type hold a representative 'x' of the Kyber field. +/// Values having this type hold a representative 'x' of the ML-DSA field. /// We use 'fe' as a shorthand for this type. pub(crate) type FieldElement = i16; From 0a837fbb55bef09a514c34f7d3423dcb78507fc2 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Sun, 3 Nov 2024 12:00:42 +0100 Subject: [PATCH 33/74] qemu based s390x ci for ml-kem C --- .github/workflows/s390x.yml | 44 +++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .github/workflows/s390x.yml diff --git a/.github/workflows/s390x.yml b/.github/workflows/s390x.yml new file mode 100644 index 000000000..141c8ca47 --- /dev/null +++ b/.github/workflows/s390x.yml 
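Review bot: The replacement doc comment in libcrux-ml-kem/src/vector/portable/vector_type.rs now says "ML-DSA field", which reads like a copy of the ml-dsa edit in the same commit; that crate's `FieldElement = i16` is the ML-KEM field element, so the line should be `/// Values having this type hold a representative 'x' of the ML-KEM field.`. The ml-dsa hunk just above is correct as written.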
@@ -0,0 +1,44 @@ +name: s390x - Build & Test + +on: + push: + pull_request: + branches: ["main", "dev"] + workflow_dispatch: + merge_group: + +env: + CARGO_TERM_COLOR: always + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + s390x: + runs-on: ubuntu-latest + name: Build on ubuntu-latest s390x + steps: + - uses: actions/checkout@v4 + - uses: uraimo/run-on-arch-action@v2 + name: Run + id: runcmd + with: + arch: s390x + distro: ubuntu22.04 + + # Speed up builds by storing container images in + # a GitHub package registry. + githubToken: ${{ github.token }} + + run: | + apt-get -y update + apt-get install -y curl gcc g++ make cmake ninja-build git + cd libcrux-ml-kem/c + cmake -B build -G"Ninja Multi-Config" + cmake --build build + ./build/Debug/ml_kem_test + cd ../cg + cmake -B build -G"Ninja Multi-Config" + cmake --build build + ./build/Debug/ml_kem_test From 587a3798d8361a5a83cc222b6505afa71bd62b18 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Sun, 3 Nov 2024 12:01:45 +0100 Subject: [PATCH 34/74] fix ml-kem C in cg for big endian machines --- libcrux-ml-kem/cg/eurydice_glue.h | 11 +- libcrux-ml-kem/cg/karamel/endianness.h | 228 +++++++++++++++++++++++++ 2 files changed, 232 insertions(+), 7 deletions(-) create mode 100644 libcrux-ml-kem/cg/karamel/endianness.h diff --git a/libcrux-ml-kem/cg/eurydice_glue.h b/libcrux-ml-kem/cg/eurydice_glue.h index cdd27af77..ae93f494c 100644 --- a/libcrux-ml-kem/cg/eurydice_glue.h +++ b/libcrux-ml-kem/cg/eurydice_glue.h @@ -18,6 +18,7 @@ extern "C" { #include #include "karamel/target.h" +#include "karamel/endianness.h" // SLICES, ARRAYS, ETC. 
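Review bot: The workflow declares no `permissions:` block, so the `${{ github.token }}` handed to `uraimo/run-on-arch-action@v2` carries whatever the repository's default token scope is, and both actions are referenced by movable major tags rather than commit SHAs. Adding a top-level `permissions:` with `contents: read` (plus `packages: write` only if the image-caching feature the inline comment describes actually needs it — worth confirming against the action's documentation) bounds what an updated or compromised action version could do with that token, and pinning each action to a full commit SHA with the tag in a trailing comment makes upgrades deliberate. The `push:` trigger is also unfiltered while `pull_request:` is limited to main and dev; if that asymmetry is intended, a short comment saying so would help.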
@@ -130,18 +131,14 @@ static inline void Eurydice_slice_to_array3(uint8_t *dst_tag, char *dst_ok, // CORE STUFF (conversions, endianness, ...) static inline void core_num__u64_9__to_le_bytes(uint64_t v, uint8_t buf[8]) { - memcpy(buf, &v, sizeof(v)); + store64_le(buf, v); } static inline uint64_t core_num__u64_9__from_le_bytes(uint8_t buf[8]) { - uint64_t v; - memcpy(&v, buf, sizeof(v)); - return v; + return load64_le(buf); } static inline uint32_t core_num__u32_8__from_le_bytes(uint8_t buf[4]) { - uint32_t v; - memcpy(&v, buf, sizeof(v)); - return v; + return load32_le(buf); } static inline uint32_t core_num__u8_6__count_ones(uint8_t x0) { diff --git a/libcrux-ml-kem/cg/karamel/endianness.h b/libcrux-ml-kem/cg/karamel/endianness.h new file mode 100644 index 000000000..d59d9854d --- /dev/null +++ b/libcrux-ml-kem/cg/karamel/endianness.h 
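Review bot: The three rewritten conversion helpers carry no comment explaining why the plain `memcpy` was dropped, and since that is the idiom most C programmers reach for, a later cleanup could reintroduce the big-endian bug this commit fixes; a line such as `// Byte-order aware: memcpy alone only matches Rust's to_le_bytes/from_le_bytes on little-endian hosts (s390x is big-endian).` above `core_num__u64_9__to_le_bytes` would anchor the intent. The `load64_le`/`load32_le`/`store64_le` macros come from the newly added karamel/endianness.h, whose platform detection ends in `#error` for unknown targets, so an unsupported toolchain now fails at compile time rather than silently producing wrong bytes — worth stating in the same comment. Only the u64 and u32 little-endian readers and the u64 writer are converted here; if other `core_num__*` byte conversions exist elsewhere in this header they are outside the hunk and would need the same treatment.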
@@ -0,0 +1,228 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 and MIT Licenses. */ + +#ifndef __LOWSTAR_ENDIANNESS_H +#define __LOWSTAR_ENDIANNESS_H + +#include +#include + +/******************************************************************************/ +/* Implementing C.fst (part 2: endian-ness macros) */ +/******************************************************************************/ + +/* ... for Linux */ +#if defined(__linux__) || defined(__CYGWIN__) || \ + defined(__USE_SYSTEM_ENDIAN_H__) || defined(__GLIBC__) +#include + +/* ... for OSX */ +#elif defined(__APPLE__) +#include +#define htole64(x) OSSwapHostToLittleInt64(x) +#define le64toh(x) OSSwapLittleToHostInt64(x) +#define htobe64(x) OSSwapHostToBigInt64(x) +#define be64toh(x) OSSwapBigToHostInt64(x) + +#define htole16(x) OSSwapHostToLittleInt16(x) +#define le16toh(x) OSSwapLittleToHostInt16(x) +#define htobe16(x) OSSwapHostToBigInt16(x) +#define be16toh(x) OSSwapBigToHostInt16(x) + +#define htole32(x) OSSwapHostToLittleInt32(x) +#define le32toh(x) OSSwapLittleToHostInt32(x) +#define htobe32(x) OSSwapHostToBigInt32(x) +#define be32toh(x) OSSwapBigToHostInt32(x) + +/* ... for Solaris */ +#elif defined(__sun__) +#include +#define htole64(x) LE_64(x) +#define le64toh(x) LE_64(x) +#define htobe64(x) BE_64(x) +#define be64toh(x) BE_64(x) + +#define htole16(x) LE_16(x) +#define le16toh(x) LE_16(x) +#define htobe16(x) BE_16(x) +#define be16toh(x) BE_16(x) + +#define htole32(x) LE_32(x) +#define le32toh(x) LE_32(x) +#define htobe32(x) BE_32(x) +#define be32toh(x) BE_32(x) + +/* ... for the BSDs */ +#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__) +#include +#elif defined(__OpenBSD__) +#include + +/* ... for Windows (MSVC)... not targeting XBOX 360! 
*/ +#elif defined(_MSC_VER) + +#include +#define htobe16(x) _byteswap_ushort(x) +#define htole16(x) (x) +#define be16toh(x) _byteswap_ushort(x) +#define le16toh(x) (x) + +#define htobe32(x) _byteswap_ulong(x) +#define htole32(x) (x) +#define be32toh(x) _byteswap_ulong(x) +#define le32toh(x) (x) + +#define htobe64(x) _byteswap_uint64(x) +#define htole64(x) (x) +#define be64toh(x) _byteswap_uint64(x) +#define le64toh(x) (x) + +/* ... for Windows (GCC-like, e.g. mingw or clang) */ +#elif (defined(_WIN32) || defined(_WIN64) || defined(__EMSCRIPTEN__)) && \ + (defined(__GNUC__) || defined(__clang__)) + +#define htobe16(x) __builtin_bswap16(x) +#define htole16(x) (x) +#define be16toh(x) __builtin_bswap16(x) +#define le16toh(x) (x) + +#define htobe32(x) __builtin_bswap32(x) +#define htole32(x) (x) +#define be32toh(x) __builtin_bswap32(x) +#define le32toh(x) (x) + +#define htobe64(x) __builtin_bswap64(x) +#define htole64(x) (x) +#define be64toh(x) __builtin_bswap64(x) +#define le64toh(x) (x) + +/* ... generic big-endian fallback code */ +/* ... AIX doesn't have __BYTE_ORDER__ (with XLC compiler) & is always + * big-endian */ +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__) || \ + defined(_AIX) + +/* byte swapping code inspired by: + * https://github.com/rweather/arduinolibs/blob/master/libraries/Crypto/utility/EndianUtil.h + * */ + +#define htobe32(x) (x) +#define be32toh(x) (x) +#define htole32(x) \ + (__extension__({ \ + uint32_t _temp = (x); \ + ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ + ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ + })) +#define le32toh(x) (htole32((x))) + +#define htobe64(x) (x) +#define be64toh(x) (x) +#define htole64(x) \ + (__extension__({ \ + uint64_t __temp = (x); \ + uint32_t __low = htobe32((uint32_t)__temp); \ + uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ + (((uint64_t)__low) << 32) | __high; \ + })) +#define le64toh(x) (htole64((x))) + +/* ... 
generic little-endian fallback code */ +#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + +#define htole32(x) (x) +#define le32toh(x) (x) +#define htobe32(x) \ + (__extension__({ \ + uint32_t _temp = (x); \ + ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ + ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ + })) +#define be32toh(x) (htobe32((x))) + +#define htole64(x) (x) +#define le64toh(x) (x) +#define htobe64(x) \ + (__extension__({ \ + uint64_t __temp = (x); \ + uint32_t __low = htobe32((uint32_t)__temp); \ + uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ + (((uint64_t)__low) << 32) | __high; \ + })) +#define be64toh(x) (htobe64((x))) + +/* ... couldn't determine endian-ness of the target platform */ +#else +#error "Please define __BYTE_ORDER__!" + +#endif /* defined(__linux__) || ... */ + +/* Loads and stores. These avoid undefined behavior due to unaligned memory + * accesses, via memcpy. */ + +inline static uint16_t load16(uint8_t *b) { + uint16_t x; + memcpy(&x, b, 2); + return x; +} + +inline static uint32_t load32(uint8_t *b) { + uint32_t x; + memcpy(&x, b, 4); + return x; +} + +inline static uint64_t load64(uint8_t *b) { + uint64_t x; + memcpy(&x, b, 8); + return x; +} + +inline static void store16(uint8_t *b, uint16_t i) { memcpy(b, &i, 2); } + +inline static void store32(uint8_t *b, uint32_t i) { memcpy(b, &i, 4); } + +inline static void store64(uint8_t *b, uint64_t i) { memcpy(b, &i, 8); } + +/* Legacy accessors so that this header can serve as an implementation of + * C.Endianness */ +#define load16_le(b) (le16toh(load16(b))) +#define store16_le(b, i) (store16(b, htole16(i))) +#define load16_be(b) (be16toh(load16(b))) +#define store16_be(b, i) (store16(b, htobe16(i))) + +#define load32_le(b) (le32toh(load32(b))) +#define store32_le(b, i) (store32(b, htole32(i))) +#define load32_be(b) (be32toh(load32(b))) +#define store32_be(b, i) (store32(b, htobe32(i))) + +#define load64_le(b) 
(le64toh(load64(b))) +#define store64_le(b, i) (store64(b, htole64(i))) +#define load64_be(b) (be64toh(load64(b))) +#define store64_be(b, i) (store64(b, htobe64(i))) + +/* Co-existence of LowStar.Endianness and FStar.Endianness generates name + * conflicts, because of course both insist on having no prefixes. Until a + * prefix is added, or until we truly retire FStar.Endianness, solve this issue + * in an elegant way. */ +#define load16_le0 load16_le +#define store16_le0 store16_le +#define load16_be0 load16_be +#define store16_be0 store16_be + +#define load32_le0 load32_le +#define store32_le0 store32_le +#define load32_be0 load32_be +#define store32_be0 store32_be + +#define load64_le0 load64_le +#define store64_le0 store64_le +#define load64_be0 load64_be +#define store64_be0 store64_be + +#define load128_le0 load128_le +#define store128_le0 store128_le +#define load128_be0 load128_be +#define store128_be0 store128_be + +#endif From 5f3f123b7e1e337de9f92ff48d6de369b5a58c3e Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Sun, 3 Nov 2024 12:02:02 +0100 Subject: [PATCH 35/74] don't build ml-kem C benchmarks by default --- .github/workflows/c.yml | 12 +---- libcrux-ml-kem/c/CMakeLists.txt | 88 ++++++++++++++++---------------- libcrux-ml-kem/cg/CMakeLists.txt | 86 ++++++++++++++++--------------- 3 files changed, 91 insertions(+), 95 deletions(-) diff --git a/.github/workflows/c.yml b/.github/workflows/c.yml index c3535185b..55ec29418 100644 --- a/.github/workflows/c.yml +++ b/.github/workflows/c.yml @@ -118,7 +118,7 @@ jobs: - name: 🔨 Build run: | - cmake -B build + LIBCRUX_BENCHMARKS=1 cmake -B build cmake --build build - name: 🏃🏻‍♀️ Test @@ -132,7 +132,7 @@ jobs: - name: 🔨 Build Release run: | rm -rf build - cmake -B build -DCMAKE_BUILD_TYPE=Release + LIBCRUX_BENCHMARKS=1 cmake -B build -DCMAKE_BUILD_TYPE=Release cmake --build build --config Release if: ${{ matrix.os != 'windows-latest' }} 
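Review bot: `LIBCRUX_BENCHMARKS=1 cmake -B build` is gated in libcrux-ml-kem/c/CMakeLists.txt by `if(DEFINED ENV{LIBCRUX_BENCHMARKS})` (visible later in this commit), so the value is irrelevant and setting it to `0` or empty would presumably still enable the benchmark build; a comment on the step, `# CMake only checks that LIBCRUX_BENCHMARKS is set; any value enables the benchmark targets`, prevents a future "disable" edit that silently does nothing. The inline `VAR=1 command` form also relies on a POSIX shell: the Release step is guarded by `if: ${{ matrix.os != 'windows-latest' }}`, but the first Build step's guard is outside the hunk, so if that step runs on the Windows runner without `shell: bash` the variable will not be set the way intended there.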
@@ -159,14 +159,6 @@ jobs: cmake -B build cmake --build build # FIXME: Benchmark build for cg on Windows CI is not working right now. - if: ${{ matrix.os != 'windows-latest' }} - - # FIXME: Benchmark build for cg on Windows CI are not working right now. - # - name: 🏃🏻‍♀️ Test (cg) - # working-directory: libcrux-ml-kem/cg - # run: ./build/Debug/ml_kem_test - # if: ${{ matrix.os == 'windows-latest' }} - name: 🏃🏻‍♀️ Test run: ./build/ml_kem_test - if: ${{ matrix.os != 'windows-latest' }} diff --git a/libcrux-ml-kem/c/CMakeLists.txt b/libcrux-ml-kem/c/CMakeLists.txt index 121558310..7eb5cd5ca 100644 --- a/libcrux-ml-kem/c/CMakeLists.txt +++ b/libcrux-ml-kem/c/CMakeLists.txt @@ -17,6 +17,7 @@ if(NOT MSVC) # TODO: Clean up add_compile_options( -Wall + # -Wextra # -pedantic # -Wconversion @@ -29,6 +30,7 @@ if(NOT MSVC) endif(NOT MSVC) set(CMAKE_COLOR_DIAGNOSTICS "ON") + # For LSP-based editors set(CMAKE_EXPORT_COMPILE_COMMANDS 1) include_directories( @@ -101,12 +103,10 @@ if(CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64|arm64|arm64v8" AND DEFINED ENV{LIBCRU endif() # --- Tests - if(DEFINED ENV{LIBCRUX_UNPACKED}) add_compile_definitions(LIBCRUX_UNPACKED) endif(DEFINED ENV{LIBCRUX_UNPACKED}) - # Get gtests include(FetchContent) FetchContent_Declare(googletest 
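Review bot: The cg Test step now runs on windows-latest but still invokes `./build/ml_kem_test`, which does not exist under the multi-config MSVC generator — the commented-out step deleted in this same hunk used `./build/Debug/ml_kem_test` for exactly that reason. Unless the path is selected per OS, the step will fail on Windows with a file-not-found error. Either keep `if: ${{ matrix.os != 'windows-latest' }}` on the Test step, or add a Windows variant with `run: ./build/Debug/ml_kem_test` and `if: ${{ matrix.os == 'windows-latest' }}`. Whether the cg build itself succeeds on Windows now (the deleted FIXME said it did not) is not visible from this hunk.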
@@ -144,52 +144,54 @@ target_link_libraries(sha3_test PRIVATE ) # --- Benchmarks -FetchContent_Declare(benchmark - GIT_REPOSITORY https://github.com/google/benchmark.git - GIT_TAG v1.8.4 -) -FetchContent_MakeAvailable(benchmark) +if(DEFINED ENV{LIBCRUX_BENCHMARKS}) + FetchContent_Declare(benchmark + GIT_REPOSITORY https://github.com/google/benchmark.git + GIT_TAG v1.8.4 + ) + FetchContent_MakeAvailable(benchmark) -add_executable(ml_kem_bench - ${PROJECT_SOURCE_DIR}/benches/mlkem768.cc -) -target_link_libraries(ml_kem_bench PRIVATE - ml_kem_static - benchmark::benchmark -) + add_executable(ml_kem_bench + ${PROJECT_SOURCE_DIR}/benches/mlkem768.cc + ) + target_link_libraries(ml_kem_bench PRIVATE + ml_kem_static + benchmark::benchmark + ) -if(DEFINED ENV{SYMCRYPT_PATH}) - message("Symcrypt path: $ENV{SYMCRYPT_PATH}") - add_compile_definitions(LIBCRUX_SYMCRYPT) - target_include_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}) - target_link_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}/bin/lib) - target_link_libraries(ml_kem_bench PRIVATE symcrypt) -endif(DEFINED ENV{SYMCRYPT_PATH}) + if(DEFINED ENV{SYMCRYPT_PATH}) + message("Symcrypt path: $ENV{SYMCRYPT_PATH}") + add_compile_definitions(LIBCRUX_SYMCRYPT) + target_include_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}) + target_link_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}/bin/lib) + target_link_libraries(ml_kem_bench PRIVATE symcrypt) + endif(DEFINED ENV{SYMCRYPT_PATH}) -add_executable(ml_kem_keygen - ${PROJECT_SOURCE_DIR}/benches/mlkem768_keygen.cc -) -target_link_libraries(ml_kem_keygen PRIVATE - ml_kem_static - benchmark::benchmark -) - -add_executable(ml_kem_encaps - ${PROJECT_SOURCE_DIR}/benches/mlkem768_encaps.cc -) -target_link_libraries(ml_kem_encaps PRIVATE - ml_kem_static - benchmark::benchmark -) + add_executable(ml_kem_keygen + ${PROJECT_SOURCE_DIR}/benches/mlkem768_keygen.cc + ) + target_link_libraries(ml_kem_keygen PRIVATE + ml_kem_static + benchmark::benchmark + ) -if(NOT 
MSVC) - # We benchmark internal functions here that are inlined and thus not available - # in MSVC. - add_executable(sha3_bench - ${PROJECT_SOURCE_DIR}/benches/sha3.cc + add_executable(ml_kem_encaps + ${PROJECT_SOURCE_DIR}/benches/mlkem768_encaps.cc ) - target_link_libraries(sha3_bench PRIVATE + target_link_libraries(ml_kem_encaps PRIVATE ml_kem_static benchmark::benchmark ) -endif(NOT MSVC) + + if(NOT MSVC) + # We benchmark internal functions here that are inlined and thus not available + # in MSVC. + add_executable(sha3_bench + ${PROJECT_SOURCE_DIR}/benches/sha3.cc + ) + target_link_libraries(sha3_bench PRIVATE + ml_kem_static + benchmark::benchmark + ) + endif(NOT MSVC) +endif(DEFINED ENV{LIBCRUX_BENCHMARKS}) diff --git a/libcrux-ml-kem/cg/CMakeLists.txt b/libcrux-ml-kem/cg/CMakeLists.txt index ce8ed53c2..e18520d55 100644 --- a/libcrux-ml-kem/cg/CMakeLists.txt +++ b/libcrux-ml-kem/cg/CMakeLists.txt @@ -26,10 +26,10 @@ if(NOT MSVC) endif(NOT MSVC) if((CMAKE_C_COMPILER_ID STREQUAL "Clang" AND - CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "13.0.0") OR - (CMAKE_C_COMPILER_ID STREQUAL "AppleClang" AND - CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "13.1.6")) - add_compile_options(-Werror -Wframe-larger-than=25344) + CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "13.0.0") OR + (CMAKE_C_COMPILER_ID STREQUAL "AppleClang" AND + CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL "13.1.6")) + add_compile_options(-Werror -Wframe-larger-than=25344) endif() set(CMAKE_COLOR_DIAGNOSTICS "ON") 
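Review bot: `GIT_TAG v1.8.4` in the `FetchContent_Declare(benchmark …)` block pins the google/benchmark dependency to a mutable tag that is cloned over the network at configure time, so a moved or force-pushed tag changes what is compiled and linked into the bench binaries without any change in this repository. Pinning to the commit hash the tag currently resolves to — `GIT_TAG <40-hex-sha>  # v1.8.4` — is the usual fix, and since the fetch is now behind `LIBCRUX_BENCHMARKS` it never touches the default build. Gating on `DEFINED ENV{…}` rather than a cached `option(LIBCRUX_BENCHMARKS …)` also means the setting has to be re-exported on every reconfigure and is not visible in the CMake cache; an `option()` plus `-DLIBCRUX_BENCHMARKS=ON` would be the idiomatic form. The same tag form appears in the cg CMakeLists changed by this commit.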
@@ -95,48 +95,50 @@ target_link_libraries(sha3_test PRIVATE ) # --- Benchmarks -FetchContent_Declare(benchmark - GIT_REPOSITORY https://github.com/google/benchmark.git - GIT_TAG v1.8.4 -) -FetchContent_MakeAvailable(benchmark) - -add_executable(ml_kem_bench - ${PROJECT_SOURCE_DIR}/benches/mlkem768.cc -) -target_link_libraries(ml_kem_bench PRIVATE - benchmark::benchmark -) +if(DEFINED ENV{LIBCRUX_BENCHMARKS}) + FetchContent_Declare(benchmark + GIT_REPOSITORY https://github.com/google/benchmark.git + GIT_TAG v1.8.4 + ) + FetchContent_MakeAvailable(benchmark) -if(DEFINED ENV{SYMCRYPT_PATH}) - message("Symcrypt path: $ENV{SYMCRYPT_PATH}") - add_compile_definitions(LIBCRUX_SYMCRYPT) - target_include_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}) - target_link_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}/bin/lib) - target_link_libraries(ml_kem_bench PRIVATE symcrypt) -endif(DEFINED ENV{SYMCRYPT_PATH}) + add_executable(ml_kem_bench + ${PROJECT_SOURCE_DIR}/benches/mlkem768.cc + ) + target_link_libraries(ml_kem_bench PRIVATE + benchmark::benchmark + ) -add_executable(ml_kem_keygen - ${PROJECT_SOURCE_DIR}/benches/mlkem768_keygen.cc -) -target_link_libraries(ml_kem_keygen PRIVATE - benchmark::benchmark -) + if(DEFINED ENV{SYMCRYPT_PATH}) + message("Symcrypt path: $ENV{SYMCRYPT_PATH}") + add_compile_definitions(LIBCRUX_SYMCRYPT) + target_include_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}) + target_link_directories(ml_kem_bench PRIVATE $ENV{SYMCRYPT_PATH}/bin/lib) + target_link_libraries(ml_kem_bench PRIVATE symcrypt) + endif(DEFINED ENV{SYMCRYPT_PATH}) -add_executable(ml_kem_encaps - ${PROJECT_SOURCE_DIR}/benches/mlkem768_encaps.cc -) -target_link_libraries(ml_kem_encaps PRIVATE - benchmark::benchmark -) + add_executable(ml_kem_keygen + ${PROJECT_SOURCE_DIR}/benches/mlkem768_keygen.cc + ) + target_link_libraries(ml_kem_keygen PRIVATE + benchmark::benchmark + ) -if(NOT MSVC) - # We benchmark internal functions here that are inlined and thus not 
available - # in MSVC. - add_executable(sha3_bench - ${PROJECT_SOURCE_DIR}/benches/sha3.cc + add_executable(ml_kem_encaps + ${PROJECT_SOURCE_DIR}/benches/mlkem768_encaps.cc ) - target_link_libraries(sha3_bench PRIVATE + target_link_libraries(ml_kem_encaps PRIVATE benchmark::benchmark ) -endif(NOT MSVC) + + if(NOT MSVC) + # We benchmark internal functions here that are inlined and thus not available + # in MSVC. + add_executable(sha3_bench + ${PROJECT_SOURCE_DIR}/benches/sha3.cc + ) + target_link_libraries(sha3_bench PRIVATE + benchmark::benchmark + ) + endif(NOT MSVC) +endif(DEFINED ENV{LIBCRUX_BENCHMARKS}) From 300abc00ce32a8085365aec5d5c1aa1640f33ed1 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 4 Nov 2024 12:36:26 +0100 Subject: [PATCH 36/74] Update .github/workflows/s390x.yml Co-authored-by: Jonas Schneider-Bensch <124457079+jschneider-bensch@users.noreply.github.com> --- .github/workflows/s390x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/s390x.yml b/.github/workflows/s390x.yml index 141c8ca47..e76c37b62 100644 --- a/.github/workflows/s390x.yml +++ b/.github/workflows/s390x.yml @@ -17,7 +17,7 @@ concurrency: jobs: s390x: runs-on: ubuntu-latest - name: Build on ubuntu-latest s390x + name: Build on ubuntu-22.04 s390x steps: - uses: actions/checkout@v4 - uses: uraimo/run-on-arch-action@v2 From b21616488a27596a4dc8b9847340ddc4e0775fcf Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 4 Nov 2024 12:37:13 +0100 Subject: [PATCH 37/74] fix cg eurydice glue for Windows --- libcrux-ml-kem/cg/eurydice_glue.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libcrux-ml-kem/cg/eurydice_glue.h b/libcrux-ml-kem/cg/eurydice_glue.h index ae93f494c..0c910a68a 100644 --- a/libcrux-ml-kem/cg/eurydice_glue.h +++ b/libcrux-ml-kem/cg/eurydice_glue.h 
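Review bot: `add_compile_definitions(LIBCRUX_SYMCRYPT)` inside the `SYMCRYPT_PATH` branch is directory-scoped, so the define is added to every target in this CMakeLists (for example `sha3_test` and the other bench executables), not just `ml_kem_bench`, which is the only target that also receives the SymCrypt include and link directories. If the SymCrypt comparison is meant to be compiled only into the benchmark, `target_compile_definitions(ml_kem_bench PRIVATE LIBCRUX_SYMCRYPT)` scopes it correctly; if other targets rely on the define, a comment saying so would prevent the next reader from narrowing it. This was already the case before the block was moved under `LIBCRUX_BENCHMARKS`, and the `GIT_TAG v1.8.4` for google/benchmark is a mutable tag rather than a commit pin, as in the c/ CMakeLists.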
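Review bot: The job name now says `ubuntu-22.04` while `runs-on: ubuntu-latest` on the context line above is unchanged, so the label no longer describes what the job actually runs on; `ubuntu-latest` is a floating alias that GitHub periodically moves to a newer release. If the intent is to pin the runner image, change the runner, `runs-on: ubuntu-22.04`, not only the display name; otherwise the name should stay `ubuntu-latest`. `uraimo/run-on-arch-action@v2` is likewise a floating major tag for a third-party action that executes code in the job; pinning it to a commit SHA is the usual hardening, though that line is outside this commit's change.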
@@ -89,7 +89,7 @@ typedef struct { #define Eurydice_slice_copy(dst, src, t) \ memcpy(dst.ptr, src.ptr, dst.len * sizeof(t)) #define core_array___Array_T__N__23__as_slice(len_, ptr_, t, _ret_t) \ - ((Eurydice_slice){.ptr = ptr_, .len = len_}) + (CLITERAL(Eurydice_slice){.ptr = ptr_, .len = len_}) #define core_array___core__clone__Clone_for__Array_T__N___20__clone( \ len, src, dst, elem_type, _ret_t) \ From 249e0b31f39674d34556568ada15387ee7e2bbc9 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 4 Nov 2024 12:58:53 +0100 Subject: [PATCH 38/74] don't run mlkem C tests on Windows ci --- .github/workflows/c.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/c.yml b/.github/workflows/c.yml index 55ec29418..7bc42fa39 100644 --- a/.github/workflows/c.yml +++ b/.github/workflows/c.yml @@ -162,3 +162,4 @@ jobs: - name: 🏃🏻‍♀️ Test run: ./build/ml_kem_test + if: ${{ matrix.os == 'windows-latest' }} From 1ec5a9f2bffb6dd9d9d3265881c383c7ee32c7f2 Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Mon, 21 Oct 2024 13:22:56 +0200 Subject: [PATCH 39/74] Enable AVX2 target feature --- libcrux-ml-dsa/src/lib.rs | 1 + libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs | 7 +------ 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/libcrux-ml-dsa/src/lib.rs b/libcrux-ml-dsa/src/lib.rs index 3a9090beb..dda8312c1 100644 --- a/libcrux-ml-dsa/src/lib.rs +++ b/libcrux-ml-dsa/src/lib.rs @@ -1,4 +1,5 @@ #![no_std] +#![deny(unsafe_code)] mod arithmetic; mod constants; diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index aa859d7d5..15936617b 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs 
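Review bot: `Eurydice_slice_copy` on the context line copies `dst.len * sizeof(t)` bytes out of `src.ptr` without relating `src.len` to `dst.len`, so a length mismatch reads past the source slice; Rust's `copy_from_slice` panics on unequal lengths, and the translated code presumably relies on the lengths being equal by construction, but nothing in the macro enforces or states that. A guard that keeps the macro expression-shaped would be `(assert(dst.len == src.len), memcpy(dst.ptr, src.ptr, dst.len * sizeof(t)))` (requires `<assert.h>`), or at minimum a comment `/* lengths are equal by construction of the Eurydice output */`. `CLITERAL` is not defined in this hunk; it should expand to a compound literal in C and a plain `Eurydice_slice` constructor in C++ so that MSVC's C++ front end accepts the header — worth confirming where it is defined.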
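Review bot: The added `if: ${{ matrix.os == 'windows-latest' }}` restricts the Test step to Windows only, which is the opposite of the commit title "don't run mlkem C tests on Windows ci" and switches the test off on every Linux/macOS matrix entry. If the title reflects the intent, the line should read `if: ${{ matrix.os != 'windows-latest' }}`. The step runs `./build/ml_kem_test`, which under a multi-config MSVC build would sit in `build/Debug/` anyway, so running it exclusively on Windows is unlikely to be what was wanted.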
@@ -305,12 +305,7 @@ instantiate! {portable, // AVX2 generic implementation. #[cfg(feature = "simd256")] -instantiate! {avx2, - crate::simd::avx2::AVX2SIMDUnit, - crate::hash_functions::simd256::Shake128x4, - crate::hash_functions::simd256::Shake256, - crate::hash_functions::simd256::Shake256x4 -} +pub mod avx2; // NEON generic implementation. #[cfg(feature = "simd128")] From 0031d3c06b6638aac7f0dd6d67293785c5a26c0c Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Mon, 21 Oct 2024 13:50:12 +0200 Subject: [PATCH 40/74] Inlining to help AVX2 optimization --- libcrux-ml-dsa/src/hash_functions.rs | 39 +++++++++++++++++++++++++++- libcrux-ml-dsa/src/ml_dsa_generic.rs | 8 ++++++ libcrux-ml-dsa/src/sample.rs | 1 + libcrux-ml-dsa/src/simd/avx2.rs | 32 ++++++++++++++++++++--- 4 files changed, 76 insertions(+), 4 deletions(-) diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs index 2d4864f3f..ba8f9e952 100644 --- a/libcrux-ml-dsa/src/hash_functions.rs +++ b/libcrux-ml-dsa/src/hash_functions.rs @@ -433,10 +433,12 @@ pub(crate) mod simd256 { impl shake128::XofX4 for Shake128x4 { /// Init the state and absorb 4 blocks in parallel. + #[inline(always)] fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { init_absorb(input0, input1, input2, input3) } + #[inline(always)] fn squeeze_first_five_blocks( &mut self, out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], @@ -447,6 +449,7 @@ pub(crate) mod simd256 { squeeze_first_five_blocks(self, out0, out1, out2, out3); } + #[inline(always)] fn squeeze_next_block( &mut self, ) -> ( 
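Review bot: `pub mod avx2;` refers to `ml_dsa_generic/instantiations/avx2.rs`, which this commit does not add — it lands two commits later as "Missing module" (PATCH 41/74) — so this commit does not build on its own and breaks bisection; the two should be squashed. The `instantiate!` invocation it replaces presumably produced a module of safe functions, whereas the new module (visible in PATCH 41) exposes safe `pub(crate)` wrappers around `#[target_feature(enable = "avx2")]` functions with no runtime AVX2 check in view, and reaching such a function on a CPU without AVX2 is undefined behaviour; under `#![no_std]` the check cannot use `is_x86_feature_detected!`, so it has to live in the caller. This declaration is the right place to state that contract, e.g. `// Safety contract: the safe wrappers in `avx2` must only be reached after a runtime AVX2 check (presumably in `multiplexing`).`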
@@ -460,7 +463,37 @@ pub(crate) mod simd256 { } /// AVX2 SHAKE 256 state - pub(crate) type Shake256 = super::portable::Shake256; + pub(crate) struct Shake256 { + state: portable::KeccakState, + } + impl shake256::Xof for Shake256 { + #[inline(always)] + fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { + portable::shake256(out, input); + } + + #[inline(always)] + fn init_absorb(input: &[u8]) -> Self { + let mut state = portable::incremental::shake256_init(); + portable::incremental::shake256_absorb_final(&mut state, input); + + Self { state } + } + + #[inline(always)] + fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { + let mut out = [0u8; shake256::BLOCK_SIZE]; + portable::incremental::shake256_squeeze_first_block(&mut self.state, &mut out); + out + } + + #[inline(always)] + fn squeeze_next_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { + let mut out = [0u8; shake256::BLOCK_SIZE]; + portable::incremental::shake256_squeeze_next_block(&mut self.state, &mut out); + out + } + } /// AVX2 SHAKE 256 x4 state. #[cfg_attr(hax, hax_lib::opaque_type)] @@ -534,10 +567,12 @@ pub(crate) mod simd256 { } impl shake256::XofX4 for Shake256x4 { + #[inline(always)] fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { init_absorb_x4(input0, input1, input2, input3) } + #[inline(always)] fn squeeze_first_block_x4( &mut self, ) -> ( @@ -549,6 +584,7 @@ pub(crate) mod simd256 { squeeze_first_block_x4(self) } + #[inline(always)] fn squeeze_next_block_x4( &mut self, ) -> ( @@ -560,6 +596,7 @@ pub(crate) mod simd256 { squeeze_next_block_x4(self) } + #[inline(always)] fn shake256_x4( input0: &[u8], input1: &[u8], diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index 85ba11ccf..9b0443525 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs 
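Review bot: The new `Shake256` struct re-implements what was previously the alias `super::portable::Shake256` on top of `portable::KeccakState` without a comment saying why the alias was not enough; from the commit title and the `#[inline(always)]` on every method, the reason is presumably that a locally defined impl can be inlined into the AVX2-compiled callers, and that rationale belongs on the type: `/// Portable SHAKE-256, redefined here rather than aliased so its methods inline into the AVX2 code path.` Without it the next cleanup will collapse the struct back into an alias and silently lose the inlining. Note also that `shake256(input, out)` forwards as `portable::shake256(out, input)`, with the parameter order reversed relative to the trait method; the `portable::shake256` signature is not visible here, so that is worth a glance even though a swap of `&mut [u8; N]` against `&[u8]` would normally fail to type-check.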
@@ -26,6 +26,7 @@ pub(crate) mod instantiations; pub(crate) mod multiplexing; /// Generate a key pair. +#[inline(always)] pub(crate) fn generate_key_pair< SIMDUnit: Operations, Shake128X4: shake128::XofX4, @@ -90,6 +91,7 @@ pub(crate) fn generate_key_pair< } #[allow(non_snake_case)] +#[inline(always)] pub(crate) fn sign_pre_hashed< SIMDUnit: Operations, Shake128X4: shake128::XofX4, @@ -149,6 +151,7 @@ pub(crate) fn sign_pre_hashed< } #[allow(non_snake_case)] +#[inline(always)] pub(crate) fn sign< SIMDUnit: Operations, Shake128X4: shake128::XofX4, @@ -207,6 +210,7 @@ pub(crate) fn sign< /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. #[allow(non_snake_case)] +#[inline(always)] pub(crate) fn sign_internal< SIMDUnit: Operations, Shake128X4: shake128::XofX4, @@ -413,6 +417,7 @@ pub(crate) fn sign_internal< /// for details on the domain separation for regular ML-DSA. Line /// 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation for the HashMl-DSA /// variant. +#[inline(always)] fn derive_message_representative( verification_key_hash: [u8; 64], domain_separation_context: Option, @@ -445,6 +450,7 @@ fn derive_message_representative( /// If no `domain_separation_context` is supplied, it is assumed that /// `message` already contains the domain separation. #[allow(non_snake_case)] +#[inline(always)] pub(crate) fn verify_internal< SIMDUnit: Operations, Shake128X4: shake128::XofX4, @@ -545,6 +551,7 @@ pub(crate) fn verify_internal< } #[allow(non_snake_case)] +#[inline(always)] pub(crate) fn verify< SIMDUnit: Operations, Shake128X4: shake128::XofX4, @@ -595,6 +602,7 @@ pub(crate) fn verify< } #[allow(non_snake_case)] +#[inline(always)] pub(crate) fn verify_pre_hashed< SIMDUnit: Operations, Shake128X4: shake128::XofX4, diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index f1558eb7f..99e7d33f2 100644 --- a/libcrux-ml-dsa/src/sample.rs 
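Review bot: `#[inline(always)]` is added to every crate-level entry point (`generate_key_pair`, `sign*`, `verify*`, `derive_message_representative`) with no comment explaining the constraint it serves; the reason — code called from a `#[target_feature(enable = "avx2")]` function is only compiled with AVX2 if it is inlined into that function, which the AVX2 instantiation wrappers later in this series (PATCH 41/74) depend on — is not recoverable from the attribute alone, and a future cleanup could drop it and silently fall back to baseline codegen. A one-line comment above each attribute, `// inline(always): must be inlined into the #[target_feature] instantiation wrappers to be compiled with AVX2.`, documents it. These are generic functions, so forcing inlining also duplicates each body per parameter set and backend; if binary size matters, measure it once the wrappers are in. Each function's body continues outside its hunk.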
+++ b/libcrux-ml-dsa/src/sample.rs @@ -322,6 +322,7 @@ pub(crate) fn sample_four_error_ring_elements< ) } +#[inline(always)] fn update_seed(mut seed: [u8; 66], domain_separator: &mut u16) -> [u8; 66] { seed[64] = *domain_separator as u8; seed[65] = (*domain_separator >> 8) as u8; diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index f891d39be..3c324f2f3 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs 
@@ -9,109 +9,133 @@ mod vector_type; pub(crate) use vector_type::AVX2SIMDUnit; impl Operations for AVX2SIMDUnit { + #[inline(always)] fn ZERO() -> Self { vector_type::ZERO() } + #[inline(always)] fn from_coefficient_array(coefficient_array: &[i32]) -> Self { vector_type::from_coefficient_array(coefficient_array) } + #[inline(always)] fn to_coefficient_array(&self) -> [i32; 8] { vector_type::to_coefficient_array(&self) } - + #[inline(always)] fn add(lhs: &Self, rhs: &Self) -> Self { arithmetic::add(lhs.coefficients, rhs.coefficients).into() } - + #[inline(always)] fn subtract(lhs: &Self, rhs: &Self) -> Self { arithmetic::subtract(lhs.coefficients, rhs.coefficients).into() } - + #[inline(always)] fn montgomery_multiply_by_constant(simd_unit: Self, constant: i32) -> Self { arithmetic::montgomery_multiply_by_constant(simd_unit.coefficients, constant).into() } + #[inline(always)] fn montgomery_multiply(lhs: Self, rhs: Self) -> Self { arithmetic::montgomery_multiply(lhs.coefficients, rhs.coefficients).into() } + #[inline(always)] fn shift_left_then_reduce(simd_unit: Self) -> Self { arithmetic::shift_left_then_reduce::(simd_unit.coefficients).into() } + #[inline(always)] fn power2round(simd_unit: Self) -> (Self, Self) { let (lower, upper) = arithmetic::power2round(simd_unit.coefficients); (lower.into(), upper.into()) } + #[inline(always)] fn infinity_norm_exceeds(simd_unit: Self, bound: i32) -> bool { arithmetic::infinity_norm_exceeds(simd_unit.coefficients, bound) } + #[inline(always)] fn decompose(simd_unit: Self) -> (Self, Self) { let (lower, upper) = arithmetic::decompose::(simd_unit.coefficients); (lower.into(), upper.into()) } + #[inline(always)] fn compute_hint(low: Self, high: Self) -> (usize, Self) { let (count, hint) = arithmetic::compute_hint::(low.coefficients, high.coefficients); (count, hint.into()) } + #[inline(always)] fn use_hint(simd_unit: Self, hint: Self) -> Self { arithmetic::use_hint::(simd_unit.coefficients, hint.coefficients).into() } + 
#[inline(always)] fn rejection_sample_less_than_field_modulus(randomness: &[u8], out: &mut [i32]) -> usize { rejection_sample::less_than_field_modulus::sample(randomness, out) } + #[inline(always)] fn rejection_sample_less_than_eta_equals_2(randomness: &[u8], out: &mut [i32]) -> usize { rejection_sample::less_than_eta::sample::<2>(randomness, out) } + #[inline(always)] fn rejection_sample_less_than_eta_equals_4(randomness: &[u8], out: &mut [i32]) -> usize { rejection_sample::less_than_eta::sample::<4>(randomness, out) } + #[inline(always)] fn gamma1_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE] { encoding::gamma1::serialize::(simd_unit.coefficients) } + #[inline(always)] fn gamma1_deserialize(serialized: &[u8]) -> Self { encoding::gamma1::deserialize::(serialized).into() } + #[inline(always)] fn commitment_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE] { encoding::commitment::serialize::(simd_unit.coefficients) } + #[inline(always)] fn error_serialize(simd_unit: Self) -> [u8; OUTPUT_SIZE] { encoding::error::serialize::(simd_unit.coefficients) } + #[inline(always)] fn error_deserialize(serialized: &[u8]) -> Self { encoding::error::deserialize::(serialized).into() } + #[inline(always)] fn t0_serialize(simd_unit: Self) -> [u8; 13] { encoding::t0::serialize(simd_unit.coefficients) } + #[inline(always)] fn t0_deserialize(serialized: &[u8]) -> Self { encoding::t0::deserialize(serialized).into() } + #[inline(always)] fn t1_serialize(simd_unit: Self) -> [u8; 10] { encoding::t1::serialize(simd_unit.coefficients) } + #[inline(always)] fn t1_deserialize(serialized: &[u8]) -> Self { encoding::t1::deserialize(serialized).into() } + #[inline(always)] fn ntt(simd_units: [Self; SIMD_UNITS_IN_RING_ELEMENT]) -> [Self; SIMD_UNITS_IN_RING_ELEMENT] { let result = ntt::ntt(simd_units.map(|x| x.coefficients)); result.map(|x| x.into()) } + #[inline(always)] fn invert_ntt_at_layer_0( simd_unit: Self, zeta0: i32, 
@@ -121,9 +145,11 @@ impl Operations for AVX2SIMDUnit { ) -> Self { ntt::invert_ntt_at_layer_0(simd_unit.coefficients, zeta0, zeta1, zeta2, zeta3).into() } + #[inline(always)] fn invert_ntt_at_layer_1(simd_unit: Self, zeta0: i32, zeta1: i32) -> Self { ntt::invert_ntt_at_layer_1(simd_unit.coefficients, zeta0, zeta1).into() } + #[inline(always)] fn invert_ntt_at_layer_2(simd_unit: Self, zeta: i32) -> Self { ntt::invert_ntt_at_layer_2(simd_unit.coefficients, zeta).into() } From 4bc6554647a36dab0a711acd7fead1ad0efd8157 Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Tue, 22 Oct 2024 08:47:23 +0200 Subject: [PATCH 41/74] Missing module --- .../src/ml_dsa_generic/instantiations/avx2.rs | 584 ++++++++++++++++++ 1 file changed, 584 insertions(+) create mode 100644 libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs new file mode 100644 index 000000000..716fd2f59 --- /dev/null +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs 
@@ -0,0 +1,584 @@ +use crate::{ + constants::*, + ml_dsa_generic::{SigningError, VerificationError}, + pre_hash::SHAKE128_PH, + types::*, +}; + +mod avx2_feature { + use super::*; + + /// Generate key pair. + #[target_feature(enable = "avx2")] + #[allow(unsafe_code)] + pub(super) unsafe fn generate_key_pair< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ETA: usize, + const ERROR_RING_ELEMENT_SIZE: usize, + const SIGNING_KEY_SIZE: usize, + const VERIFICATION_KEY_SIZE: usize, + >( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], + ) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { + crate::ml_dsa_generic::generate_key_pair::< + crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + crate::hash_functions::simd256::Shake256x4, + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + VERIFICATION_KEY_SIZE, + >(randomness) + } + + /// Sign. + #[target_feature(enable = "avx2")] + #[allow(unsafe_code)] + pub(super) unsafe fn sign< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ETA: usize, + const ERROR_RING_ELEMENT_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA2: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const SIGNING_KEY_SIZE: usize, + const SIGNATURE_SIZE: usize, + >( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + crate::ml_dsa_generic::sign::< + crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + crate::hash_functions::simd256::Shake256x4, + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + 
COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >(&signing_key, message, context, randomness) + } + + /// Sign (internal API) + #[cfg(feature = "acvp")] + #[target_feature(enable = "avx2")] + #[allow(unsafe_code)] + pub(super) unsafe fn sign_internal< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ETA: usize, + const ERROR_RING_ELEMENT_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA2: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const SIGNING_KEY_SIZE: usize, + const SIGNATURE_SIZE: usize, + >( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + crate::ml_dsa_generic::sign_internal::< + crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + crate::hash_functions::simd256::Shake256x4, + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >(&signing_key, message, None, randomness) + } + + /// Sign (pre-hashed). 
+ #[target_feature(enable = "avx2")] + #[allow(unsafe_code)] + pub(super) unsafe fn sign_pre_hashed_shake128< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ETA: usize, + const ERROR_RING_ELEMENT_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA2: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const SIGNING_KEY_SIZE: usize, + const SIGNATURE_SIZE: usize, + >( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], + ) -> Result, SigningError> { + crate::ml_dsa_generic::sign_pre_hashed::< + crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + crate::hash_functions::simd256::Shake256x4, + SHAKE128_PH, + 256, + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >(&signing_key, message, context, randomness) + } + + /// Verify. 
+ #[target_feature(enable = "avx2")] + #[allow(unsafe_code)] + pub(super) unsafe fn verify< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const SIGNATURE_SIZE: usize, + const VERIFICATION_KEY_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const GAMMA2: i32, + const BETA: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + >( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + crate::ml_dsa_generic::verify::< + crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + ROWS_IN_A, + COLUMNS_IN_A, + SIGNATURE_SIZE, + VERIFICATION_KEY_SIZE, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + GAMMA2, + BETA, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + >(verification_key, message, context, signature) + } + + /// Verify (internal API). 
+ #[cfg(feature = "acvp")] + #[target_feature(enable = "avx2")] + #[allow(unsafe_code)] + pub(super) unsafe fn verify_internal< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const SIGNATURE_SIZE: usize, + const VERIFICATION_KEY_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const GAMMA2: i32, + const BETA: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + >( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + signature: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + crate::ml_dsa_generic::verify_internal::< + crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + ROWS_IN_A, + COLUMNS_IN_A, + SIGNATURE_SIZE, + VERIFICATION_KEY_SIZE, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + GAMMA2, + BETA, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + >(verification_key, message, None, signature) + } + + /// Verify (pre-hashed with SHAKE-128). 
+ #[target_feature(enable = "avx2")] + #[allow(unsafe_code)] + pub(super) unsafe fn verify_pre_hashed_shake128< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const SIGNATURE_SIZE: usize, + const VERIFICATION_KEY_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const GAMMA2: i32, + const BETA: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + >( + verification_key: &[u8; VERIFICATION_KEY_SIZE], + message: &[u8], + context: &[u8], + signature: &[u8; SIGNATURE_SIZE], + ) -> Result<(), VerificationError> { + crate::ml_dsa_generic::verify_pre_hashed::< + crate::simd::avx2::AVX2SIMDUnit, + crate::hash_functions::simd256::Shake128x4, + crate::hash_functions::simd256::Shake256, + SHAKE128_PH, + 256, + ROWS_IN_A, + COLUMNS_IN_A, + SIGNATURE_SIZE, + VERIFICATION_KEY_SIZE, + GAMMA1_EXPONENT, + GAMMA1_RING_ELEMENT_SIZE, + GAMMA2, + BETA, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + >(verification_key, message, context, signature) + } +} + +/// Generate key pair. +#[allow(unsafe_code)] +pub(crate) fn generate_key_pair< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ETA: usize, + const ERROR_RING_ELEMENT_SIZE: usize, + const SIGNING_KEY_SIZE: usize, + const VERIFICATION_KEY_SIZE: usize, +>( + randomness: [u8; KEY_GENERATION_RANDOMNESS_SIZE], +) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { + unsafe { + avx2_feature::generate_key_pair::< + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + VERIFICATION_KEY_SIZE, + >(randomness) + } +} + +/// Sign. 
+#[allow(unsafe_code)] +pub(crate) fn sign< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ETA: usize, + const ERROR_RING_ELEMENT_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA2: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const SIGNING_KEY_SIZE: usize, + const SIGNATURE_SIZE: usize, +>( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + context: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], +) -> Result, SigningError> { + unsafe { + avx2_feature::sign::< + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + ONES_IN_VERIFIER_CHALLENGE, + MAX_ONES_IN_HINT, + GAMMA1_RING_ELEMENT_SIZE, + SIGNING_KEY_SIZE, + SIGNATURE_SIZE, + >(signing_key, message, context, randomness) + } +} + +/// Sign (internal API) +#[cfg(feature = "acvp")] +#[allow(unsafe_code)] +pub(crate) fn sign_internal< + const ROWS_IN_A: usize, + const COLUMNS_IN_A: usize, + const ETA: usize, + const ERROR_RING_ELEMENT_SIZE: usize, + const GAMMA1_EXPONENT: usize, + const GAMMA2: i32, + const COMMITMENT_RING_ELEMENT_SIZE: usize, + const COMMITMENT_VECTOR_SIZE: usize, + const COMMITMENT_HASH_SIZE: usize, + const ONES_IN_VERIFIER_CHALLENGE: usize, + const MAX_ONES_IN_HINT: usize, + const GAMMA1_RING_ELEMENT_SIZE: usize, + const SIGNING_KEY_SIZE: usize, + const SIGNATURE_SIZE: usize, +>( + signing_key: &[u8; SIGNING_KEY_SIZE], + message: &[u8], + randomness: [u8; SIGNING_RANDOMNESS_SIZE], +) -> Result, SigningError> { + unsafe { + avx2_feature::sign_internal::< + ROWS_IN_A, + COLUMNS_IN_A, + ETA, + ERROR_RING_ELEMENT_SIZE, + GAMMA1_EXPONENT, + GAMMA2, + COMMITMENT_RING_ELEMENT_SIZE, + COMMITMENT_VECTOR_SIZE, + COMMITMENT_HASH_SIZE, + 
ONES_IN_VERIFIER_CHALLENGE,
+ MAX_ONES_IN_HINT,
+ GAMMA1_RING_ELEMENT_SIZE,
+ SIGNING_KEY_SIZE,
+ SIGNATURE_SIZE,
+ >(signing_key, message, randomness)
+ }
+}
+
+/// Sign (pre-hashed).
+#[allow(unsafe_code)]
+pub(crate) fn sign_pre_hashed_shake128<
+ const ROWS_IN_A: usize,
+ const COLUMNS_IN_A: usize,
+ const ETA: usize,
+ const ERROR_RING_ELEMENT_SIZE: usize,
+ const GAMMA1_EXPONENT: usize,
+ const GAMMA2: i32,
+ const COMMITMENT_RING_ELEMENT_SIZE: usize,
+ const COMMITMENT_VECTOR_SIZE: usize,
+ const COMMITMENT_HASH_SIZE: usize,
+ const ONES_IN_VERIFIER_CHALLENGE: usize,
+ const MAX_ONES_IN_HINT: usize,
+ const GAMMA1_RING_ELEMENT_SIZE: usize,
+ const SIGNING_KEY_SIZE: usize,
+ const SIGNATURE_SIZE: usize,
+>(
+ signing_key: &[u8; SIGNING_KEY_SIZE],
+ message: &[u8],
+ context: &[u8],
+ randomness: [u8; SIGNING_RANDOMNESS_SIZE],
+) -> Result, SigningError> {
+ unsafe {
+ avx2_feature::sign_pre_hashed_shake128::<
+ ROWS_IN_A,
+ COLUMNS_IN_A,
+ ETA,
+ ERROR_RING_ELEMENT_SIZE,
+ GAMMA1_EXPONENT,
+ GAMMA2,
+ COMMITMENT_RING_ELEMENT_SIZE,
+ COMMITMENT_VECTOR_SIZE,
+ COMMITMENT_HASH_SIZE,
+ ONES_IN_VERIFIER_CHALLENGE,
+ MAX_ONES_IN_HINT,
+ GAMMA1_RING_ELEMENT_SIZE,
+ SIGNING_KEY_SIZE,
+ SIGNATURE_SIZE,
+ >(signing_key, message, context, randomness)
+ }
+}
+
+/// Verify.
+#[allow(unsafe_code)]
+pub(crate) fn verify<
+ const ROWS_IN_A: usize,
+ const COLUMNS_IN_A: usize,
+ const SIGNATURE_SIZE: usize,
+ const VERIFICATION_KEY_SIZE: usize,
+ const GAMMA1_EXPONENT: usize,
+ const GAMMA1_RING_ELEMENT_SIZE: usize,
+ const GAMMA2: i32,
+ const BETA: i32,
+ const COMMITMENT_RING_ELEMENT_SIZE: usize,
+ const COMMITMENT_VECTOR_SIZE: usize,
+ const COMMITMENT_HASH_SIZE: usize,
+ const ONES_IN_VERIFIER_CHALLENGE: usize,
+ const MAX_ONES_IN_HINT: usize,
+>(
+ verification_key: &[u8; VERIFICATION_KEY_SIZE],
+ message: &[u8],
+ context: &[u8],
+ signature: &[u8; SIGNATURE_SIZE],
+) -> Result<(), VerificationError> {
+ unsafe {
+ avx2_feature::verify::<
+ ROWS_IN_A,
+ COLUMNS_IN_A,
+ SIGNATURE_SIZE,
+ VERIFICATION_KEY_SIZE,
+ GAMMA1_EXPONENT,
+ GAMMA1_RING_ELEMENT_SIZE,
+ GAMMA2,
+ BETA,
+ COMMITMENT_RING_ELEMENT_SIZE,
+ COMMITMENT_VECTOR_SIZE,
+ COMMITMENT_HASH_SIZE,
+ ONES_IN_VERIFIER_CHALLENGE,
+ MAX_ONES_IN_HINT,
+ >(verification_key, message, context, signature)
+ }
+}
+
+/// Verify (internal API).
+#[cfg(feature = "acvp")]
+#[allow(unsafe_code)]
+pub(crate) fn verify_internal<
+ const ROWS_IN_A: usize,
+ const COLUMNS_IN_A: usize,
+ const SIGNATURE_SIZE: usize,
+ const VERIFICATION_KEY_SIZE: usize,
+ const GAMMA1_EXPONENT: usize,
+ const GAMMA1_RING_ELEMENT_SIZE: usize,
+ const GAMMA2: i32,
+ const BETA: i32,
+ const COMMITMENT_RING_ELEMENT_SIZE: usize,
+ const COMMITMENT_VECTOR_SIZE: usize,
+ const COMMITMENT_HASH_SIZE: usize,
+ const ONES_IN_VERIFIER_CHALLENGE: usize,
+ const MAX_ONES_IN_HINT: usize,
+>(
+ verification_key: &[u8; VERIFICATION_KEY_SIZE],
+ message: &[u8],
+ signature: &[u8; SIGNATURE_SIZE],
+) -> Result<(), VerificationError> {
+ unsafe {
+ avx2_feature::verify_internal::<
+ ROWS_IN_A,
+ COLUMNS_IN_A,
+ SIGNATURE_SIZE,
+ VERIFICATION_KEY_SIZE,
+ GAMMA1_EXPONENT,
+ GAMMA1_RING_ELEMENT_SIZE,
+ GAMMA2,
+ BETA,
+ COMMITMENT_RING_ELEMENT_SIZE,
+ COMMITMENT_VECTOR_SIZE,
+ COMMITMENT_HASH_SIZE,
+ ONES_IN_VERIFIER_CHALLENGE,
+ MAX_ONES_IN_HINT,
+ >(verification_key, message, signature)
+ }
+}
+
+/// Verify (pre-hashed with SHAKE-128).
+#[allow(unsafe_code)]
+pub(crate) fn verify_pre_hashed_shake128<
+ const ROWS_IN_A: usize,
+ const COLUMNS_IN_A: usize,
+ const SIGNATURE_SIZE: usize,
+ const VERIFICATION_KEY_SIZE: usize,
+ const GAMMA1_EXPONENT: usize,
+ const GAMMA1_RING_ELEMENT_SIZE: usize,
+ const GAMMA2: i32,
+ const BETA: i32,
+ const COMMITMENT_RING_ELEMENT_SIZE: usize,
+ const COMMITMENT_VECTOR_SIZE: usize,
+ const COMMITMENT_HASH_SIZE: usize,
+ const ONES_IN_VERIFIER_CHALLENGE: usize,
+ const MAX_ONES_IN_HINT: usize,
+>(
+ verification_key: &[u8; VERIFICATION_KEY_SIZE],
+ message: &[u8],
+ context: &[u8],
+ signature: &[u8; SIGNATURE_SIZE],
+) -> Result<(), VerificationError> {
+ unsafe {
+ avx2_feature::verify_pre_hashed_shake128::<
+ ROWS_IN_A,
+ COLUMNS_IN_A,
+ SIGNATURE_SIZE,
+ VERIFICATION_KEY_SIZE,
+ GAMMA1_EXPONENT,
+ GAMMA1_RING_ELEMENT_SIZE,
+ GAMMA2,
+ BETA,
+ COMMITMENT_RING_ELEMENT_SIZE,
+ COMMITMENT_VECTOR_SIZE,
+ COMMITMENT_HASH_SIZE,
+ ONES_IN_VERIFIER_CHALLENGE,
+ MAX_ONES_IN_HINT,
+ >(verification_key, message, context, signature)
+ }
+}
From f946f53653518dd89c110a3eb806faf31c1e0f3e Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch
Date: Thu, 24 Oct 2024 15:36:23 +0200
Subject: [PATCH 42/74] Attempt to reduce stack size
---
 libcrux-ml-dsa/src/simd/avx2.rs | 3 ++-
 libcrux-ml-dsa/src/simd/avx2/ntt.rs | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs
index 3c324f2f3..e4c7189c6 100644
--- a/libcrux-ml-dsa/src/simd/avx2.rs
+++ b/libcrux-ml-dsa/src/simd/avx2.rs
@@ -129,8 +129,9 @@ impl Operations for AVX2SIMDUnit {
 }
 #[inline(always)]
+ #[allow(unsafe_code)]
 fn ntt(simd_units: [Self; SIMD_UNITS_IN_RING_ELEMENT]) -> [Self; SIMD_UNITS_IN_RING_ELEMENT] {
- let result = ntt::ntt(simd_units.map(|x| x.coefficients));
+ let result = unsafe{ntt::ntt(simd_units.map(|x| x.coefficients))};
 result.map(|x| x.into())
 }
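Review bot: The new `unsafe { ntt::ntt(...) }` inside the safe trait method `AVX2SIMDUnit::ntt` has no `// SAFETY:` comment, and the callee in the libcrux-ml-dsa/src/simd/avx2/ntt.rs hunk becomes `pub(crate) unsafe fn ntt` with `#[target_feature(enable = "avx2")]` but gains no `/// # Safety` section. Calling a `target_feature` function from code that is not itself compiled with that feature is only sound once AVX2 has been confirmed at runtime, so that obligation now rests implicitly on whoever selects this `Operations` impl; write it down at the call site, e.g. `// SAFETY: this impl is only instantiated after a runtime AVX2 check, which is the precondition of the target_feature callee.`, and mirror it in the callee's doc comment. Swapping `#[inline(always)]` for `#[target_feature]` also means `ntt::ntt` can no longer be inlined into the non-AVX2-attributed trait method; if that is the intended stack-size effect the commit title refers to, a short comment saying so would stop a later tidy-up from restoring the inline attribute.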
diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
index 94d8aa1dd..512669e28 100644
--- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
@@ -244,8 +244,9 @@ fn ntt_at_layer_3_plus(
 ()
 }
-#[inline(always)]
-pub(crate) fn ntt(
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+pub(crate) unsafe fn ntt(
 mut re: [Vec256; SIMD_UNITS_IN_RING_ELEMENT],
 ) -> [Vec256; SIMD_UNITS_IN_RING_ELEMENT] {
 let mut zeta_i = 0;
From a86ce0029bf9122fb3075a9ac46c9a5951eb81af Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch
Date: Thu, 24 Oct 2024 15:36:43 +0200
Subject: [PATCH 43/74] Format
---
 libcrux-ml-dsa/src/simd/avx2.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs
index e4c7189c6..c83c24caa 100644
--- a/libcrux-ml-dsa/src/simd/avx2.rs
+++ b/libcrux-ml-dsa/src/simd/avx2.rs
@@ -131,7 +131,7 @@ impl Operations for AVX2SIMDUnit {
 #[inline(always)]
 #[allow(unsafe_code)]
 fn ntt(simd_units: [Self; SIMD_UNITS_IN_RING_ELEMENT]) -> [Self; SIMD_UNITS_IN_RING_ELEMENT] {
- let result = unsafe{ntt::ntt(simd_units.map(|x| x.coefficients))};
+ let result = unsafe { ntt::ntt(simd_units.map(|x| x.coefficients)) };
 result.map(|x| x.into())
 }
From 23120b2f7d7e14a7df9f61bbfc0f5e9ef7c2a887 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch
Date: Thu, 31 Oct 2024 16:52:17 +0100
Subject: [PATCH 44/74] ACVP uninlined inner functions
---
 libcrux-ml-dsa/tests/acvp.rs | 268 ++++++++++++++++++++---------------
 1 file changed, 150 insertions(+), 118 deletions(-)
diff --git a/libcrux-ml-dsa/tests/acvp.rs b/libcrux-ml-dsa/tests/acvp.rs
index ebdc2ce9f..75f0c1ddf 100644
--- a/libcrux-ml-dsa/tests/acvp.rs
+++ b/libcrux-ml-dsa/tests/acvp.rs
@@ -63,8 +63,6 @@ struct ResultPromptTestGroup {
 #[test]
 fn keygen() {
- use libcrux_ml_dsa::*;
-
 let prompts: Prompts = read("keygen", "prompt.json");
 assert!(prompts.algorithm == "ML-DSA");
 assert!(prompts.revision == "FIPS204");
@@ -83,37 +81,50 @@ fn keygen() {
 eprintln!("{parameter_set}");
 for test in kat.tests {
- eprintln!(" {}", test.tcId);
- fn check(
- keys: MLDSAKeyPair,
- result: &KeyGenResult,
- ) {
- assert_eq!(result.pk, keys.verification_key.as_slice());
- assert_eq!(result.sk, keys.signing_key.as_slice());
- }
-
- let expected_result = results
- .testGroups
- .iter()
- .find(|tg| tg.tgId == kat.tgId)
- .unwrap()
- .tests
- .iter()
- .find(|t| t.tcId == test.tcId)
- .unwrap();
-
- match parameter_set.as_str() {
- "ML-DSA-44" => check(ml_dsa_44::generate_key_pair(test.seed), expected_result),
-
- "ML-DSA-65" => check(ml_dsa_65::generate_key_pair(test.seed), expected_result),
-
- "ML-DSA-87" => check(ml_dsa_87::generate_key_pair(test.seed), expected_result),
- _ => unimplemented!(),
- }
+ keygen_inner(test, &results, kat.tgId, ¶meter_set);
 }
 }
 }
+#[inline(never)]
+#[allow(non_snake_case)]
+fn keygen_inner(
+ test: KeyGenPrompt,
+ results: &Results,
+ tgId: usize,
+ parameter_set: &String,
+) {
+ use libcrux_ml_dsa::*;
+ eprintln!(" {}", test.tcId);
+ #[inline(never)]
+ fn check(
+ keys: MLDSAKeyPair,
+ result: &KeyGenResult,
+ ) {
+ assert_eq!(result.pk, keys.verification_key.as_slice());
+ assert_eq!(result.sk, keys.signing_key.as_slice());
+ }
+
+ let expected_result = results
+ .testGroups
+ .iter()
+ .find(|tg| tg.tgId == tgId)
+ .unwrap()
+ .tests
+ .iter()
+ .find(|t| t.tcId == test.tcId)
+ .unwrap();
+
+ match parameter_set.as_str() {
+ "ML-DSA-44" => check(ml_dsa_44::generate_key_pair(test.seed), expected_result),
+
+ "ML-DSA-65" => check(ml_dsa_65::generate_key_pair(test.seed), expected_result),
+
+ "ML-DSA-87" => check(ml_dsa_87::generate_key_pair(test.seed), expected_result),
+ _ => unimplemented!(),
+ }
+}
+
 fn read(variant: &str, file: &str) -> T {
 let katfile_path = Path::new("tests")
 .join("kats")
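Review bot: `keygen_inner` takes `parameter_set: &String` although it only ever calls `.as_str()` on it; `parameter_set: &str` is the idiomatic form (the call site's `&parameter_set` coerces unchanged), and the same signature recurs in `siggen_inner` and `sigver_inner` in the later hunks of this file. The two `.unwrap()` calls on the `find` chain panic with a bare `Option::unwrap()` message when a result group or test case is missing from the results file, so `.expect("no result group for tgId")` and `.expect("no result for tcId")` would make a KAT-file mismatch diagnosable. `#[inline(never)]` on `keygen_inner` and on the nested `check` carries no explanation; if, as the commit title suggests, it is there to keep the large key arrays out of the test's own frame, a one-line comment such as `// Not inlined so each test case's key material lives in its own frame.` would keep the next cleanup from removing it.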
@@ -128,8 +139,6 @@ fn read(variant: &str, file: &str) -> T {
 #[test]
 fn siggen() {
- use libcrux_ml_dsa::*;
-
 let prompts: Prompts = read("siggen", "prompt.json");
 assert!(prompts.algorithm == "ML-DSA");
 assert!(prompts.revision == "FIPS204");
@@ -148,59 +157,69 @@ fn siggen() {
 eprintln!("{parameter_set}");
 for test in kat.tests {
- eprintln!(" {}", test.tcId);
- let expected_result = results
- .testGroups
- .iter()
- .find(|tg| tg.tgId == kat.tgId)
- .unwrap()
- .tests
- .iter()
- .find(|t| t.tcId == test.tcId)
- .unwrap();
-
- let Randomness(rnd) = test.rnd.unwrap_or(Randomness([0u8; 32]));
-
- match parameter_set.as_str() {
- "ML-DSA-44" => {
- let signature = ml_dsa_44::sign_internal(
- &MLDSASigningKey(test.sk.try_into().unwrap()),
- &test.message,
- rnd,
- )
- .unwrap();
- assert_eq!(signature.as_slice(), expected_result.signature);
- }
-
- "ML-DSA-65" => {
- let signature = ml_dsa_65::sign_internal(
- &MLDSASigningKey(test.sk.try_into().unwrap()),
- &test.message,
- rnd,
- )
- .unwrap();
- assert_eq!(signature.as_slice(), expected_result.signature);
- }
-
- "ML-DSA-87" => {
- let signature = ml_dsa_87::sign_internal(
- &MLDSASigningKey(test.sk.try_into().unwrap()),
- &test.message,
- rnd,
- )
- .unwrap();
- assert_eq!(signature.as_slice(), expected_result.signature);
- }
- _ => unimplemented!(),
- }
+ siggen_inner(test, &results, kat.tgId, ¶meter_set);
 }
 }
 }
-#[test]
-fn sigver() {
+#[inline(never)]
+#[allow(non_snake_case)]
+fn siggen_inner(
+ test: SigGenTest,
+ results: &Results,
+ tgId: usize,
+ parameter_set: &String,
+) {
 use libcrux_ml_dsa::*;
+ eprintln!(" {}", test.tcId);
+ let expected_result = results
+ .testGroups
+ .iter()
+ .find(|tg| tg.tgId == tgId)
+ .unwrap()
+ .tests
+ .iter()
+ .find(|t| t.tcId == test.tcId)
+ .unwrap();
+
+ let Randomness(rnd) = test.rnd.unwrap_or(Randomness([0u8; 32]));
+
+ match parameter_set.as_str() {
+ "ML-DSA-44" => {
+ let signature = ml_dsa_44::sign_internal(
+ &MLDSASigningKey(test.sk.try_into().unwrap()),
+ &test.message,
+ rnd,
+ )
+ .unwrap();
+ assert_eq!(signature.as_slice(), expected_result.signature);
+ }
+ "ML-DSA-65" => {
+ let signature = ml_dsa_65::sign_internal(
+ &MLDSASigningKey(test.sk.try_into().unwrap()),
+ &test.message,
+ rnd,
+ )
+ .unwrap();
+ assert_eq!(signature.as_slice(), expected_result.signature);
+ }
+
+ "ML-DSA-87" => {
+ let signature = ml_dsa_87::sign_internal(
+ &MLDSASigningKey(test.sk.try_into().unwrap()),
+ &test.message,
+ rnd,
+ )
+ .unwrap();
+ assert_eq!(signature.as_slice(), expected_result.signature);
+ }
+ _ => unimplemented!(),
+ }
+}
+
+#[test]
+fn sigver() {
 let prompts: Prompts = read("sigver", "prompt.json");
 assert!(prompts.algorithm == "ML-DSA");
 assert!(prompts.revision == "FIPS204");
@@ -219,47 +238,60 @@ fn sigver() {
 eprintln!("{parameter_set}");
 for test in kat.tests {
- eprintln!(" {}", test.tcId);
- let expected_result = results
- .testGroups
- .iter()
- .find(|tg| tg.tgId == kat.tgId)
- .unwrap()
- .tests
- .iter()
- .find(|t| t.tcId == test.tcId)
- .unwrap();
-
- match parameter_set.as_str() {
- "ML-DSA-44" => {
- let valid = ml_dsa_44::verify_internal(
- &MLDSAVerificationKey(kat.pk.clone().try_into().unwrap()),
- &test.message,
- &MLDSASignature(test.signature.try_into().unwrap()),
- );
- assert_eq!(valid.is_ok(), expected_result.testPassed);
- }
-
- "ML-DSA-65" => {
- let valid = ml_dsa_65::verify_internal(
- &MLDSAVerificationKey(kat.pk.clone().try_into().unwrap()),
- &test.message,
- &MLDSASignature(test.signature.try_into().unwrap()),
- );
- assert_eq!(valid.is_ok(), expected_result.testPassed);
- }
-
- "ML-DSA-87" => {
- let valid = ml_dsa_87::verify_internal(
- &MLDSAVerificationKey(kat.pk.clone().try_into().unwrap()),
- &test.message,
- &MLDSASignature(test.signature.try_into().unwrap()),
- );
- assert_eq!(valid.is_ok(), expected_result.testPassed);
- }
- _ => unimplemented!(),
- }
+ sigver_inner(test, &results, kat.tgId, &kat.pk, ¶meter_set);
+ }
+ }
+}
+
+#[inline(never)]
+#[allow(non_snake_case)]
+fn sigver_inner(
+ test: SigVerTest,
+ results: &Results,
+ tgId: usize,
+ pk: &[u8],
+ parameter_set: &String,
+) {
+ use libcrux_ml_dsa::*;
+ eprintln!(" {}", test.tcId);
+ let expected_result = results
+ .testGroups
+ .iter()
+ .find(|tg| tg.tgId == tgId)
+ .unwrap()
+ .tests
+ .iter()
+ .find(|t| t.tcId == test.tcId)
+ .unwrap();
+
+ match parameter_set.as_str() {
+ "ML-DSA-44" => {
+ let valid = ml_dsa_44::verify_internal(
+ &MLDSAVerificationKey(pk.to_owned().try_into().unwrap()),
+ &test.message,
+ &MLDSASignature(test.signature.try_into().unwrap()),
+ );
+ assert_eq!(valid.is_ok(), expected_result.testPassed);
+ }
+
+ "ML-DSA-65" => {
+ let valid = ml_dsa_65::verify_internal(
+ 
&MLDSAVerificationKey(pk.to_owned().try_into().unwrap()),
+ &test.message,
+ &MLDSASignature(test.signature.try_into().unwrap()),
+ );
+ assert_eq!(valid.is_ok(), expected_result.testPassed);
+ }
+
+ "ML-DSA-87" => {
+ let valid = ml_dsa_87::verify_internal(
+ &MLDSAVerificationKey(pk.to_owned().try_into().unwrap()),
+ &test.message,
+ &MLDSASignature(test.signature.try_into().unwrap()),
+ );
+ assert_eq!(valid.is_ok(), expected_result.testPassed);
 }
+ _ => unimplemented!(),
 }
 }
From 30c7de7a00fe3f666e0ec9b397e002f77643c85e Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch
Date: Mon, 4 Nov 2024 11:40:18 +0100
Subject: [PATCH 45/74] Remove Zeta arrays
Changes cherry-picked from `07084ab4` and `6022f6e4`
---
 libcrux-ml-dsa/src/ntt.rs | 303 +++++++++++++++--------
 libcrux-ml-dsa/src/simd/avx2/ntt.rs | 306 +++++++++++++++++-------
 libcrux-ml-dsa/src/simd/portable/ntt.rs | 259 +++++++++++++++-----
 libcrux-ml-dsa/src/simd/traits.rs | 29 ---
 4 files changed, 631 insertions(+), 266 deletions(-)
diff --git a/libcrux-ml-dsa/src/ntt.rs b/libcrux-ml-dsa/src/ntt.rs
index 7094faaa5..df925fae8 100644
--- a/libcrux-ml-dsa/src/ntt.rs
+++ b/libcrux-ml-dsa/src/ntt.rs
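Review bot: `pk.to_owned().try_into().unwrap()` in each of the three arms of `sigver_inner` allocates a `Vec<u8>` only to turn it into a fixed-size array; `[u8; N]` implements `TryFrom<&[u8]>` for `Copy` elements, so `MLDSAVerificationKey(pk.try_into().unwrap())` performs the same conversion without the copy and reads no worse than the old `kat.pk.clone()`. As in the other helpers of this file, an `.expect("verification key has wrong length for parameter set")` in place of that `unwrap()` would name the cause when a KAT group's key does not match the selected parameter set instead of panicking with a bare `Option::unwrap()` message.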
@@ -1,39 +1,9 @@ use crate::{ arithmetic::FieldElementTimesMontgomeryR, - constants::COEFFICIENTS_IN_RING_ELEMENT, polynomial::PolynomialRingElement, simd::traits::{montgomery_multiply_by_fer, Operations, COEFFICIENTS_IN_SIMD_UNIT}, }; -const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 256] = [ - 0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, 1826347, 2353451, -359251, - -2091905, 3119733, -2884855, 3111497, 2680103, 2725464, 1024112, -1079900, 3585928, -549488, - -1119584, 2619752, -2108549, -2118186, -3859737, -1399561, -3277672, 1757237, -19422, 4010497, - 280005, 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439, -3861115, - -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299, -1699267, -1643818, 3505694, - -3821735, 3507263, -2140649, -1600420, 3699596, 811944, 531354, 954230, 3881043, 3900724, - -2556880, 2071892, -2797779, -3930395, -1528703, -3677745, -3041255, -1452451, 3475950, - 2176455, -1585221, -1257611, 1939314, -4083598, -1000202, -3190144, -3157330, -3632928, 126922, - 3412210, -983419, 2147896, 2715295, -2967645, -3693493, -411027, -2477047, -671102, -1228525, - -22981, -1308169, -381987, 1349076, 1852771, -1430430, -3343383, 264944, 508951, 3097992, - 44288, -1100098, 904516, 3958618, -3724342, -8578, 1653064, -3249728, 2389356, -210977, 759969, - -1316856, 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, 1341330, 1285669, - -1584928, -812732, -1439742, -3019102, -3881060, -3628969, 3839961, 2091667, 3407706, 2316500, - 3817976, -3342478, 2244091, -2446433, -3562462, 266997, 2434439, -1235728, 3513181, -3520352, - -3759364, -1197226, -3193378, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, - -522500, -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838, 342297, - 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044, 2842341, 2691481, -2590150, - 1265009, 4055324, 1247620, 2486353, 1595974, -3767016, 1250494, 2635921, -3548272, 
-2994039, - 1869119, 1903435, -1050970, -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, - -1962642, -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031, -542412, - -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993, -2013608, 2432395, 2454455, - -164721, 1957272, 3369112, 185531, -1207385, -3183426, 162844, 1616392, 3014001, 810149, - 1652634, -3694233, -1799107, -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, - 472078, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893, -2939036, - -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687, -554416, 3919660, -48306, - -1362209, 3937738, 1400424, -846154, 1976782, -]; - #[inline(always)] pub(crate) fn ntt( re: PolynomialRingElement, 
@@ -44,96 +14,237 @@ pub(crate) fn ntt( } #[inline(always)] -fn invert_ntt_at_layer_0( - zeta_i: &mut usize, - re: &mut PolynomialRingElement, -) { - *zeta_i -= 1; - - for round in 0..re.simd_units.len() { - re.simd_units[round] = SIMDUnit::invert_ntt_at_layer_0( - re.simd_units[round], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 1], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 2], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 3], - ); - - *zeta_i -= 4; +fn invert_ntt_at_layer_0(re: &mut PolynomialRingElement) { + macro_rules! round { + ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => { + re.simd_units[$i] = SIMDUnit::invert_ntt_at_layer_0( + re.simd_units[$i], + $zeta_0, + $zeta_1, + $zeta_2, + $zeta_3, + ); + }; } - *zeta_i += 1; + round!(0, 1976782, -846154, 1400424, 3937738); + round!(1, -1362209, -48306, 3919660, -554416); + round!(2, -3545687, 1612842, -976891, 183443); + round!(3, -2286327, -420899, -2235985, -2939036); + round!(4, -3833893, -260646, -1104333, -1667432); + round!(5, 1910376, -1803090, 1723600, -426683); + round!(6, 472078, 1717735, -975884, 2213111); + round!(7, 269760, 3866901, 3523897, -3038916); + round!(8, -1799107, -3694233, 1652634, 810149); + round!(9, 3014001, 1616392, 162844, -3183426); + round!(10, -1207385, 185531, 3369112, 1957272); + round!(11, -164721, 2454455, 2432395, -2013608); + round!(12, -3776993, 594136, -3724270, -2584293); + round!(13, -1846953, -1671176, -2831860, -542412); + round!(14, 3406031, 2235880, 777191, 1500165); + round!(15, -1374803, -2546312, 1917081, -1279661); + round!(16, -1962642, 3306115, 1312455, -451100); + round!(17, -1430225, -3318210, 1237275, -1333058); + round!(18, -1050970, 1903435, 1869119, -2994039); + round!(19, -3548272, 2635921, 1250494, -3767016); + round!(20, 1595974, 2486353, 1247620, 4055324); + round!(21, 1265009, -2590150, 2691481, 2842341); + round!(22, 203044, 1735879, -3342277, 3437287); + round!(23, 4108315, -2437823, 286988, 
342297); + round!(24, -3595838, -768622, -525098, -3556995); + round!(25, 3207046, 2031748, -3122442, -655327); + round!(26, -522500, -43260, -1613174, 495491); + round!(27, 819034, 909542, 1859098, 900702); + round!(28, -3193378, -1197226, -3759364, -3520352); + round!(29, 3513181, -1235728, 2434439, 266997); + round!(30, -3562462, -2446433, 2244091, -3342478); + round!(31, 3817976, 2316500, 3407706, 2091667); } + #[inline(always)] -fn invert_ntt_at_layer_1( - zeta_i: &mut usize, - re: &mut PolynomialRingElement, -) { - *zeta_i -= 1; +fn invert_ntt_at_layer_1(re: &mut PolynomialRingElement) { + macro_rules! round { + ($i:literal, $zeta_0:literal, $zeta_1:literal) => { + re.simd_units[$i] = + SIMDUnit::invert_ntt_at_layer_1(re.simd_units[$i], $zeta_0, $zeta_1); + }; + } - for round in 0..(256 / COEFFICIENTS_IN_SIMD_UNIT) { - re.simd_units[round] = SIMDUnit::invert_ntt_at_layer_1( - re.simd_units[round], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 1], - ); - *zeta_i -= 2; + round!(0, 3839961, -3628969); + round!(1, -3881060, -3019102); + round!(2, -1439742, -812732); + round!(3, -1584928, 1285669); + round!(4, 1341330, 1315589); + round!(5, -177440, -2409325); + round!(6, -1851402, 3159746); + round!(7, -3553272, 189548); + round!(8, -1316856, 759969); + round!(9, -210977, 2389356); + round!(10, -3249728, 1653064); + round!(11, -8578, -3724342); + round!(12, 3958618, 904516); + round!(13, -1100098, 44288); + round!(14, 3097992, 508951); + round!(15, 264944, -3343383); + round!(16, -1430430, 1852771); + round!(17, 1349076, -381987); + round!(18, -1308169, -22981); + round!(19, -1228525, -671102); + round!(20, -2477047, -411027); + round!(21, -3693493, -2967645); + round!(22, 2715295, 2147896); + round!(23, -983419, 3412210); + round!(24, 126922, -3632928); + round!(25, -3157330, -3190144); + round!(26, -1000202, -4083598); + round!(27, 1939314, -1257611); + round!(28, -1585221, 2176455); + round!(29, 3475950, -1452451); + round!(30, 
-3041255, -3677745); + round!(31, -1528703, -3930395); +} + +#[inline(always)] +fn invert_ntt_at_layer_2(re: &mut PolynomialRingElement) { + macro_rules! round { + ($i:literal, $zeta:literal) => { + re.simd_units[$i] = SIMDUnit::invert_ntt_at_layer_2(re.simd_units[$i], $zeta); + }; } - *zeta_i += 1; + round!(0, -2797779); + round!(1, 2071892); + round!(2, -2556880); + round!(3, 3900724); + round!(4, 3881043); + round!(5, 954230); + round!(6, 531354); + round!(7, 811944); + round!(8, 3699596); + round!(9, -1600420); + round!(10, -2140649); + round!(11, 3507263); + round!(12, -3821735); + round!(13, 3505694); + round!(14, -1643818); + round!(15, -1699267); + round!(16, -539299); + round!(17, 2348700); + round!(18, -300467); + round!(19, 3539968); + round!(20, -2867647); + round!(21, 3574422); + round!(22, -3043716); + round!(23, -3861115); + round!(24, 3915439); + round!(25, -2537516); + round!(26, -3592148); + round!(27, -1661693); + round!(28, 3530437); + round!(29, 3077325); + round!(30, 95776); + round!(31, 2706023); } + #[inline(always)] -fn invert_ntt_at_layer_2( - zeta_i: &mut usize, +fn outer_3_plus< + SIMDUnit: Operations, + const OFFSET: usize, + const STEP_BY: usize, + const ZETA: FieldElementTimesMontgomeryR, +>( re: &mut PolynomialRingElement, ) { - for round in 0..(256 / COEFFICIENTS_IN_SIMD_UNIT) { - *zeta_i -= 1; - re.simd_units[round] = SIMDUnit::invert_ntt_at_layer_2( - re.simd_units[round], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ); + for j in OFFSET..OFFSET + STEP_BY { + let a_minus_b = SIMDUnit::subtract(&re.simd_units[j + STEP_BY], &re.simd_units[j]); + re.simd_units[j] = SIMDUnit::add(&re.simd_units[j], &re.simd_units[j + STEP_BY]); + re.simd_units[j + STEP_BY] = montgomery_multiply_by_fer(a_minus_b, ZETA); } () } + #[inline(always)] -fn invert_ntt_at_layer_3_plus( - zeta_i: &mut usize, - re: &mut PolynomialRingElement, -) { - let step = 1 << LAYER; +fn invert_ntt_at_layer_3(re: &mut PolynomialRingElement) { + const STEP: usize = 8; // 1 << 
LAYER; + const STEP_BY: usize = 1; // step / COEFFICIENTS_IN_SIMD_UNIT; - for round in 0..(128 >> LAYER) { - *zeta_i -= 1; + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::( + re, + ); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::( + re, + ); + outer_3_plus::(re); + outer_3_plus::(re); +} - let offset = (round * step * 2) / COEFFICIENTS_IN_SIMD_UNIT; - let step_by = step / COEFFICIENTS_IN_SIMD_UNIT; +#[inline(always)] +fn invert_ntt_at_layer_4(re: &mut PolynomialRingElement) { + const STEP: usize = 16; // 1 << LAYER; + const STEP_BY: usize = 2; // step / COEFFICIENTS_IN_SIMD_UNIT; - for j in offset..offset + step_by { - let a_minus_b = SIMDUnit::subtract(&re.simd_units[j + step_by], &re.simd_units[j]); - re.simd_units[j] = SIMDUnit::add(&re.simd_units[j], &re.simd_units[j + step_by]); - re.simd_units[j + step_by] = - montgomery_multiply_by_fer(a_minus_b, ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); - } - () - } - () + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); +} + +#[inline(always)] +fn invert_ntt_at_layer_5(re: &mut PolynomialRingElement) { + const STEP: usize = 32; // 1 << LAYER; + const STEP_BY: usize = 4; // step / COEFFICIENTS_IN_SIMD_UNIT; + + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); + outer_3_plus::(re); +} + +#[inline(always)] +fn invert_ntt_at_layer_6(re: &mut PolynomialRingElement) { + const STEP: usize = 64; // 1 << LAYER; + const STEP_BY: usize = 8; // step / COEFFICIENTS_IN_SIMD_UNIT; + + outer_3_plus::(re); + outer_3_plus::(re); +} + +#[inline(always)] +fn invert_ntt_at_layer_7(re: &mut PolynomialRingElement) { + const STEP: usize = 128; // 1 << LAYER; + const STEP_BY: usize = 16; // step / 
COEFFICIENTS_IN_SIMD_UNIT; + + outer_3_plus::(re); } #[inline(always)] pub(crate) fn invert_ntt_montgomery( mut re: PolynomialRingElement, ) -> PolynomialRingElement { - let mut zeta_i = COEFFICIENTS_IN_RING_ELEMENT; - - invert_ntt_at_layer_0(&mut zeta_i, &mut re); - invert_ntt_at_layer_1(&mut zeta_i, &mut re); - invert_ntt_at_layer_2(&mut zeta_i, &mut re); - invert_ntt_at_layer_3_plus::(&mut zeta_i, &mut re); - invert_ntt_at_layer_3_plus::(&mut zeta_i, &mut re); - invert_ntt_at_layer_3_plus::(&mut zeta_i, &mut re); - invert_ntt_at_layer_3_plus::(&mut zeta_i, &mut re); - invert_ntt_at_layer_3_plus::(&mut zeta_i, &mut re); + invert_ntt_at_layer_0(&mut re); + invert_ntt_at_layer_1(&mut re); + invert_ntt_at_layer_2(&mut re); + invert_ntt_at_layer_3(&mut re); + invert_ntt_at_layer_4(&mut re); + invert_ntt_at_layer_5(&mut re); + invert_ntt_at_layer_6(&mut re); + invert_ntt_at_layer_7(&mut re); for i in 0..re.simd_units.len() { // After invert_ntt_at_layer, elements are of the form a * MONTGOMERY_R^{-1} diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs index 512669e28..60b98fc25 100644 --- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs @@ -1,7 +1,5 @@ use super::arithmetic; -use crate::simd::traits::{ - COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT, ZETAS_TIMES_MONTGOMERY_R, -}; +use crate::simd::traits::{COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT}; use libcrux_intrinsics::avx2::*; 
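Review bot: The inlined zeta literals in `invert_ntt_at_layer_0` through `invert_ntt_at_layer_7` (around two hundred hand-placed constants replacing the indexed `ZETAS_TIMES_MONTGOMERY_R` table deleted in this file's first hunk) come with no test in this commit; a round-trip assertion that `invert_ntt_montgomery` applied to `ntt(re)` reproduces `re`, up to the constant the trailing normalisation loop applies, would catch a single mistyped or transposed value, which cannot be reliably checked by eye. In `invert_ntt_at_layer_3` through `invert_ntt_at_layer_7` the local `STEP` constants appear to exist only for the comment beside `STEP_BY` and are otherwise unreferenced as far as this view shows, which would draw a dead-code warning; writing `const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT;` makes the derivation explicit, uses `STEP`, and keeps the `COEFFICIENTS_IN_SIMD_UNIT` import at the top of the file live now that the per-layer loops that used it are gone. The bare `()` left after the `for` loop at the end of `outer_3_plus` is a leftover from the old nested-loop body and can be dropped.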
@@ -124,28 +122,42 @@ pub fn invert_ntt_at_layer_0( } #[inline(always)] -fn ntt_at_layer_0(zeta_i: &mut usize, re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { - *zeta_i += 1; - for round in (0..re.len()).step_by(2) { - let (a, b) = butterfly_2( - re[round], - re[round + 1], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 2], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 3], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 4], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 5], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 6], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 7], - ); - re[round] = a; - re[round + 1] = b; - - *zeta_i += 8; +fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { + macro_rules! round { + ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal, $zeta_4:literal, $zeta_5:literal, $zeta_6:literal, $zeta_7:literal) => { + let (a, b) = butterfly_2( + re[$i], + re[$i + 1], + $zeta_0, + $zeta_1, + $zeta_2, + $zeta_3, + $zeta_4, + $zeta_5, + $zeta_6, + $zeta_7, + ); + re[$i] = a; + re[$i + 1] = b; + }; } - *zeta_i -= 1; + round!(0, 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462); + round!(2, 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226, -3193378); + round!(4, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500); + round!(6, -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838); + round!(8, 342297, 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044); + round!(10, 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974); + round!(12, -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970); + round!(14, -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, -1962642); + round!(16, -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031); + round!(18, -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993); + round!(20, 
-2013608, 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385); + round!(22, -3183426, 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107); + round!(24, -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 472078); + round!(26, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893); + round!(28, -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687); + round!(30, -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782); } #[inline(always)] 
@@ -164,24 +176,31 @@ pub fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1: i32) -> Vec25 } #[inline(always)] -fn ntt_at_layer_1(zeta_i: &mut usize, re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { - *zeta_i += 1; - for round in (0..re.len()).step_by(2) { - let (a, b) = butterfly_4( - re[round], - re[round + 1], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 2], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 3], - ); - re[round] = a; - re[round + 1] = b; - - *zeta_i += 4; +fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { + macro_rules! round { + ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => { + let (a, b) = butterfly_4(re[$i], re[$i + 1], $zeta_0, $zeta_1, $zeta_2, $zeta_3); + re[$i] = a; + re[$i + 1] = b; + }; } - *zeta_i -= 1; + round!(0, -3930395, -1528703, -3677745, -3041255); + round!(2, -1452451, 3475950, 2176455, -1585221); + round!(4, -1257611, 1939314, -4083598, -1000202); + round!(6, -3190144, -3157330, -3632928, 126922); + round!(8, 3412210, -983419, 2147896, 2715295); + round!(10, -2967645, -3693493, -411027, -2477047); + round!(12, -671102, -1228525, -22981, -1308169); + round!(14, -381987, 1349076, 1852771, -1430430); + round!(16, -3343383, 264944, 508951, 3097992); + round!(18, 44288, -1100098, 904516, 3958618); + round!(20, -3724342, -8578, 1653064, -3249728); + round!(22, 2389356, -210977, 759969, -1316856); + round!(24, 189548, -3553272, 3159746, -1851402); + round!(26, -2409325, -177440, 1315589, 1341330); + round!(28, 1285669, -1584928, -812732, -1439742); + round!(30, -3019102, -3881060, -3628969, 3839961); } #[inline(always)] 
@@ -200,46 +219,173 @@ pub fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec256 { } #[inline(always)] -fn ntt_at_layer_2(zeta_i: &mut usize, re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { - for round in (0..re.len()).step_by(2) { - *zeta_i += 1; - let (a, b) = butterfly_8( - re[round], - re[round + 1], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], - ); - re[round] = a; - re[round + 1] = b; - - *zeta_i += 1; +fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { + macro_rules! round { + ($round:literal, $zeta_0:literal, $zeta_1:literal) => { + let (a, b) = butterfly_8(re[$round], re[$round + 1], $zeta_0, $zeta_1); + re[$round] = a; + re[$round + 1] = b; + }; } - () + + round!(0, 2706023, 95776); + round!(2, 3077325, 3530437); + round!(4, -1661693, -3592148); + round!(6, -2537516, 3915439); + round!(8, -3861115, -3043716); + round!(10, 3574422, -2867647); + round!(12, 3539968, -300467); + round!(14, 2348700, -539299); + round!(16, -1699267, -1643818); + round!(18, 3505694, -3821735); + round!(20, 3507263, -2140649); + round!(22, -1600420, 3699596); + round!(24, 811944, 531354); + round!(26, 954230, 3881043); + round!(28, 3900724, -2556880); + round!(30, 2071892, -2797779); } +/// This is equivalent to the pqclean 0 and 1 +/// +/// This does 32 Montgomery multiplications (192 multiplications). +/// This is the same as in pqclean. The only difference is locality of registers. 
#[inline(always)] -fn ntt_at_layer_3_plus( - zeta_i: &mut usize, - re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], -) { - let step = 1 << LAYER; - - for round in 0..(128 >> LAYER) { - *zeta_i += 1; - - let offset = (round * step * 2) / COEFFICIENTS_IN_SIMD_UNIT; - let step_by = step / COEFFICIENTS_IN_SIMD_UNIT; - - for j in offset..offset + step_by { - let t = arithmetic::montgomery_multiply_by_constant( - re[j + step_by], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], +fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { + let field_modulus = mm256_set1_epi32(crate::simd::traits::FIELD_MODULUS); + let inverse_of_modulus_mod_montgomery_r = + mm256_set1_epi32(crate::simd::traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32); + + macro_rules! mul { + ($i:expr, $zeta:expr, $step_by:expr) => { + let prod02 = mm256_mul_epi32(re[$i + $step_by], $zeta); + let prod13 = mm256_mul_epi32( + mm256_shuffle_epi32::<0b11_11_01_01>(re[$i + $step_by]), // 0xF5 + mm256_shuffle_epi32::<0b11_11_01_01>($zeta), // 0xF5 ); + let k02 = mm256_mul_epi32(prod02, inverse_of_modulus_mod_montgomery_r); + let k13 = mm256_mul_epi32(prod13, inverse_of_modulus_mod_montgomery_r); + + let c02 = mm256_mul_epi32(k02, field_modulus); + let c13 = mm256_mul_epi32(k13, field_modulus); + + let res02 = mm256_sub_epi32(prod02, c02); + let res13 = mm256_sub_epi32(prod13, c13); + let res02_shifted = mm256_shuffle_epi32::<0b11_11_01_01>(res02); // 0xF5 + let t = mm256_blend_epi32::<0b10101010>(res02_shifted, res13); // 0xAA + + re[$i + $step_by] = arithmetic::subtract(re[$i], t); + re[$i] = arithmetic::add(re[$i], t); + }; + } + + macro_rules! 
layer { + ($start:literal, $zeta:expr, $step_by:expr) => {{ + mul!($start, $zeta, $step_by); + mul!($start + 1, $zeta, $step_by); + mul!($start + 2, $zeta, $step_by); + mul!($start + 3, $zeta, $step_by); + }}; + } + + const STEP_BY_7: usize = 2 * COEFFICIENTS_IN_SIMD_UNIT; + const STEP_BY_6: usize = (1 << 6) / COEFFICIENTS_IN_SIMD_UNIT; + + let zeta7 = mm256_set1_epi32(25847); + let zeta60 = mm256_set1_epi32(-2608894); + let zeta61 = mm256_set1_epi32(-518909); + + layer!(0, zeta7, STEP_BY_7); + layer!(8, zeta7, STEP_BY_7); + layer!(0, zeta60, STEP_BY_6); + layer!(16, zeta61, STEP_BY_6); + + layer!(4, zeta7, STEP_BY_7); + layer!(12, zeta7, STEP_BY_7); + layer!(4, zeta60, STEP_BY_6); + layer!(20, zeta61, STEP_BY_6); +} + +/// Layer 5, 4, 3 +/// +/// Each layer does 16 Montgomery multiplications -> 3*16 = 48 total +/// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48) +#[inline(always)] +fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { + macro_rules! 
round { + ($i:literal, $zeta: literal) => { + let rhs = mm256_set1_epi32($zeta); + let offset = ($i * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT; + + for j in offset..offset + STEP_BY { + let t = arithmetic::montgomery_multiply(re[j + STEP_BY], rhs); + + re[j + STEP_BY] = arithmetic::subtract(re[j], t); + re[j] = arithmetic::add(re[j], t); + } + }; + } + + // Layer 5 + { + // 0: 0, 1, 2, 3 + // 1: 8, 9, 10, 11 + // 2: 16, 17, 18, 19 + // 3: 24, 25, 26, 27 + const STEP: usize = 1 << 5; + const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT; + + round!(0, 237124); + round!(1, -777960); + round!(2, -876248); + round!(3, 466468); + } + + // Layer 4 + { + // 0: 0, 1 + // 1: 4, 5 + // 2: 8, 9 + // 3: 12, 13 + // 4: 16, 17 + // 5: 20, 21 + // 6: 24, 25 + // 7: 28, 29 + const STEP: usize = 1 << 4; + const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT; + + round!(0, 1826347); + round!(1, 2353451); + round!(2, -359251); + round!(3, -2091905); + round!(4, 3119733); + round!(5, -2884855); + round!(6, 3111497); + round!(7, 2680103); + } - re[j + step_by] = arithmetic::subtract(re[j], t); - re[j] = arithmetic::add(re[j], t); - } - () // This is because of https://github.com/hacspec/hax/issues/720 + // Layer 3 + { + // 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 + const STEP: usize = 1 << 3; + const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT; + + round!(0, 2725464); + round!(1, 1024112); + round!(2, -1079900); + round!(3, 3585928); + round!(4, -549488); + round!(5, -1119584); + round!(6, 2619752); + round!(7, -2108549); + round!(8, -2118186); + round!(9, -3859737); + round!(10, -1399561); + round!(11, -3277672); + round!(12, 1757237); + round!(13, -19422); + round!(14, 4010497); + round!(15, 280005); } () } 
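Review bot: The `round!` macro in `ntt_at_layer_5_to_3` reads `STEP` and `STEP_BY`, which are not macro arguments but `const`s re-declared in each of the three blocks that invoke it; this compiles only because `macro_rules!` hygiene covers local variables and labels, not item names, and a reader who moves a `round!` call out of its block gets a resolution error rather than the intended constants. Passing them as macro parameters, or at least a comment `// STEP/STEP_BY are resolved from the enclosing block's consts (macro hygiene covers locals only)` above the macro, makes the dependency explicit. The trailing `()` at the end of the function also lost the explanation the old code carried; restore it as `() // Needed because of https://github.com/hacspec/hax/issues/720`. The doc comment on `ntt_at_layer_7_and_6` ("equivalent to the pqclean 0 and 1") should say which pqclean routine and which layers it refers to.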
@@ -249,15 +395,11 @@ fn ntt_at_layer_3_plus(
 pub(crate) unsafe fn ntt(
 mut re: [Vec256; SIMD_UNITS_IN_RING_ELEMENT],
 ) -> [Vec256; SIMD_UNITS_IN_RING_ELEMENT] {
- let mut zeta_i = 0;
- ntt_at_layer_3_plus::<7>(&mut zeta_i, &mut re);
- ntt_at_layer_3_plus::<6>(&mut zeta_i, &mut re);
- ntt_at_layer_3_plus::<5>(&mut zeta_i, &mut re);
- ntt_at_layer_3_plus::<4>(&mut zeta_i, &mut re);
- ntt_at_layer_3_plus::<3>(&mut zeta_i, &mut re);
- ntt_at_layer_2(&mut zeta_i, &mut re);
- ntt_at_layer_1(&mut zeta_i, &mut re);
- ntt_at_layer_0(&mut zeta_i, &mut re);
+ ntt_at_layer_7_and_6(&mut re);
+ ntt_at_layer_5_to_3(&mut re);
+ ntt_at_layer_2(&mut re);
+ ntt_at_layer_1(&mut re);
+ ntt_at_layer_0(&mut re);
 re
 }

diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs
index 93a049c21..bc6301aef 100644
--- a/libcrux-ml-dsa/src/simd/portable/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs
@@ -1,7 +1,10 @@
-use super::arithmetic::{self, montgomery_multiply_by_constant, montgomery_multiply_fe_by_fer};
-use super::vector_type::PortableSIMDUnit;
-use crate::simd::traits::{
- COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT, ZETAS_TIMES_MONTGOMERY_R,
+use super::arithmetic::{self, montgomery_multiply_fe_by_fer};
+use crate::simd::{
+ portable::PortableSIMDUnit,
+ traits::{
+ montgomery_multiply_by_fer, FieldElementTimesMontgomeryR, COEFFICIENTS_IN_SIMD_UNIT,
+ SIMD_UNITS_IN_RING_ELEMENT,
+ },
 };

 #[inline(always)]
@@ -151,88 +154,226 @@ pub fn invert_ntt_at_layer_2(mut simd_unit: PortableSIMDUnit, zeta: i32) -> Port } #[inline(always)] -fn ntt_at_layer_0(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { - *zeta_i += 1; +fn ntt_at_layer_0(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + macro_rules! round { + ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => { + re[$i] = simd_unit_ntt_at_layer_0(re[$i], $zeta_0, $zeta_1, $zeta_2, $zeta_3); + }; + } - for round in 0..re.len() { - re[round] = simd_unit_ntt_at_layer_0( - re[round], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 2], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 3], - ); + round!(0, 2091667, 3407706, 2316500, 3817976); + round!(1, -3342478, 2244091, -2446433, -3562462); + round!(2, 266997, 2434439, -1235728, 3513181); + round!(3, -3520352, -3759364, -1197226, -3193378); + round!(4, 900702, 1859098, 909542, 819034); + round!(5, 495491, -1613174, -43260, -522500); + round!(6, -655327, -3122442, 2031748, 3207046); + round!(7, -3556995, -525098, -768622, -3595838); + round!(8, 342297, 286988, -2437823, 4108315); + round!(9, 3437287, -3342277, 1735879, 203044); + round!(10, 2842341, 2691481, -2590150, 1265009); + round!(11, 4055324, 1247620, 2486353, 1595974); + round!(12, -3767016, 1250494, 2635921, -3548272); + round!(13, -2994039, 1869119, 1903435, -1050970); + round!(14, -1333058, 1237275, -3318210, -1430225); + round!(15, -451100, 1312455, 3306115, -1962642); + round!(16, -1279661, 1917081, -2546312, -1374803); + round!(17, 1500165, 777191, 2235880, 3406031); + round!(18, -542412, -2831860, -1671176, -1846953); + round!(19, -2584293, -3724270, 594136, -3776993); + round!(20, -2013608, 2432395, 2454455, -164721); + round!(21, 1957272, 3369112, 185531, -1207385); + round!(22, -3183426, 162844, 1616392, 3014001); + round!(23, 810149, 1652634, -3694233, -1799107); + round!(24, -3038916, 
3523897, 3866901, 269760); + round!(25, 2213111, -975884, 1717735, 472078); + round!(26, -426683, 1723600, -1803090, 1910376); + round!(27, -1667432, -1104333, -260646, -3833893); + round!(28, -2939036, -2235985, -420899, -2286327); + round!(29, 183443, -976891, 1612842, -3545687); + round!(30, -554416, 3919660, -48306, -1362209); + round!(31, 3937738, 1400424, -846154, 1976782); +} - *zeta_i += 4; +#[inline(always)] +fn ntt_at_layer_1(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + macro_rules! round { + ($i:literal, $zeta_0:literal, $zeta_1:literal) => { + re[$i] = simd_unit_ntt_at_layer_1(re[$i], $zeta_0, $zeta_1); + }; } - *zeta_i -= 1; + round!(0, -3930395, -1528703); + round!(1, -3677745, -3041255); + round!(2, -1452451, 3475950); + round!(3, 2176455, -1585221); + round!(4, -1257611, 1939314); + round!(5, -4083598, -1000202); + round!(6, -3190144, -3157330); + round!(7, -3632928, 126922); + round!(8, 3412210, -983419); + round!(9, 2147896, 2715295); + round!(10, -2967645, -3693493); + round!(11, -411027, -2477047); + round!(12, -671102, -1228525); + round!(13, -22981, -1308169); + round!(14, -381987, 1349076); + round!(15, 1852771, -1430430); + round!(16, -3343383, 264944); + round!(17, 508951, 3097992); + round!(18, 44288, -1100098); + round!(19, 904516, 3958618); + round!(20, -3724342, -8578); + round!(21, 1653064, -3249728); + round!(22, 2389356, -210977); + round!(23, 759969, -1316856); + round!(24, 189548, -3553272); + round!(25, 3159746, -1851402); + round!(26, -2409325, -177440); + round!(27, 1315589, 1341330); + round!(28, 1285669, -1584928); + round!(29, -812732, -1439742); + round!(30, -3019102, -3881060); + round!(31, -3628969, 3839961); } #[inline(always)] -fn ntt_at_layer_1(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { - *zeta_i += 1; +fn ntt_at_layer_2(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + macro_rules! 
round { + ($i:literal, $zeta:literal) => { + re[$i] = simd_unit_ntt_at_layer_2(re[$i], $zeta); + }; + } - for round in 0..re.len() { - re[round] = simd_unit_ntt_at_layer_1( - re[round], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i], - ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], - ); + round!(0, 2706023); + round!(1, 95776); + round!(2, 3077325); + round!(3, 3530437); + round!(4, -1661693); + round!(5, -3592148); + round!(6, -2537516); + round!(7, 3915439); + round!(8, -3861115); + round!(9, -3043716); + round!(10, 3574422); + round!(11, -2867647); + round!(12, 3539968); + round!(13, -300467); + round!(14, 2348700); + round!(15, -539299); + round!(16, -1699267); + round!(17, -1643818); + round!(18, 3505694); + round!(19, -3821735); + round!(20, 3507263); + round!(21, -2140649); + round!(22, -1600420); + round!(23, 3699596); + round!(24, 811944); + round!(25, 531354); + round!(26, 954230); + round!(27, 3881043); + round!(28, 3900724); + round!(29, -2556880); + round!(30, 2071892); + round!(31, -2797779); +} - *zeta_i += 2; +#[inline(always)] +fn outer_3_plus< + const OFFSET: usize, + const STEP_BY: usize, + const ZETA: FieldElementTimesMontgomeryR, +>( + re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], +) { + for j in OFFSET..OFFSET + STEP_BY { + let t = montgomery_multiply_by_fer(re[j + STEP_BY], ZETA); + + re[j + STEP_BY] = arithmetic::subtract(&re[j], &t); + re[j] = arithmetic::add(&re[j], &t); } + () // Needed because of https://github.com/hacspec/hax/issues/720 +} - *zeta_i -= 1; +#[inline(always)] +fn ntt_at_layer_3(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + const STEP: usize = 8; // 1 << LAYER; + const STEP_BY: usize = 1; // step / COEFFICIENTS_IN_SIMD_UNIT; + + outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2725464>(re); + outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1024112>(re); + outer_3_plus::<{ (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1079900>(re); + outer_3_plus::<{ (3 * STEP 
* 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 3585928>(re); + outer_3_plus::<{ (4 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -549488>(re); + outer_3_plus::<{ (5 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1119584>(re); + outer_3_plus::<{ (6 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2619752>(re); + outer_3_plus::<{ (7 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2108549>(re); + outer_3_plus::<{ (8 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2118186>(re); + outer_3_plus::<{ (9 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -3859737>(re); + outer_3_plus::<{ (10 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1399561>(re); + outer_3_plus::<{ (11 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -3277672>(re); + outer_3_plus::<{ (12 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1757237>(re); + outer_3_plus::<{ (13 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -19422>(re); + outer_3_plus::<{ (14 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 4010497>(re); + outer_3_plus::<{ (15 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 280005>(re); } #[inline(always)] -fn ntt_at_layer_2(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { - for round in 0..re.len() { - *zeta_i += 1; - re[round] = simd_unit_ntt_at_layer_2(re[round], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); - } - () +fn ntt_at_layer_4(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + const STEP: usize = 16; // 1 << LAYER; + const STEP_BY: usize = 2; // step / COEFFICIENTS_IN_SIMD_UNIT; + + outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1826347>(re); + outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2353451>(re); + outer_3_plus::<{ (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -359251>(re); + outer_3_plus::<{ (3 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2091905>(re); + outer_3_plus::<{ (4 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 
3119733>(re); + outer_3_plus::<{ (5 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2884855>(re); + outer_3_plus::<{ (6 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 3111497>(re); + outer_3_plus::<{ (7 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2680103>(re); } #[inline(always)] -fn ntt_at_layer_3_plus( - zeta_i: &mut usize, - re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], -) { - let step = 1 << LAYER; +fn ntt_at_layer_5(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + const STEP: usize = 32; // 1 << LAYER; + const STEP_BY: usize = 4; // step / COEFFICIENTS_IN_SIMD_UNIT; + + outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 237124>(re); + outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -777960>(re); + outer_3_plus::<{ (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -876248>(re); + outer_3_plus::<{ (3 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 466468>(re); +} - for round in 0..(128 >> LAYER) { - *zeta_i += 1; +#[inline(always)] +fn ntt_at_layer_6(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + const STEP: usize = 64; // 1 << LAYER; + const STEP_BY: usize = 8; // step / COEFFICIENTS_IN_SIMD_UNIT; - let offset = (round * step * 2) / COEFFICIENTS_IN_SIMD_UNIT; - let step_by = step / COEFFICIENTS_IN_SIMD_UNIT; + outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2608894>(re); + outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -518909>(re); +} - for j in offset..offset + step_by { - let t = - montgomery_multiply_by_constant(re[j + step_by], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); +#[inline(always)] +fn ntt_at_layer_7(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { + const STEP: usize = 128; // 1 << LAYER; + const STEP_BY: usize = 16; // step / COEFFICIENTS_IN_SIMD_UNIT; - re[j + step_by] = arithmetic::subtract(&re[j], &t); - re[j] = arithmetic::add(&re[j], &t); - } - } - () // Needed because of 
https://github.com/hacspec/hax/issues/720 + outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 25847>(re); } #[inline(always)] pub(crate) fn ntt( mut re: [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], ) -> [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT] { - let mut zeta_i = 0; - - ntt_at_layer_3_plus::<7>(&mut zeta_i, &mut re); - ntt_at_layer_3_plus::<6>(&mut zeta_i, &mut re); - ntt_at_layer_3_plus::<5>(&mut zeta_i, &mut re); - ntt_at_layer_3_plus::<4>(&mut zeta_i, &mut re); - ntt_at_layer_3_plus::<3>(&mut zeta_i, &mut re); - ntt_at_layer_2(&mut zeta_i, &mut re); - ntt_at_layer_1(&mut zeta_i, &mut re); - ntt_at_layer_0(&mut zeta_i, &mut re); + ntt_at_layer_7(&mut re); + ntt_at_layer_6(&mut re); + ntt_at_layer_5(&mut re); + ntt_at_layer_4(&mut re); + ntt_at_layer_3(&mut re); + ntt_at_layer_2(&mut re); + ntt_at_layer_1(&mut re); + ntt_at_layer_0(&mut re); re } diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index c50ff8537..38715a115 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs 
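Review bot: `ntt_at_layer_3` through `ntt_at_layer_7` write `STEP` and `STEP_BY` as magic numbers with comments (`// 1 << LAYER;`, `// step / COEFFICIENTS_IN_SIMD_UNIT;`) that refer to the `LAYER` parameter this commit removes, so the comments no longer describe anything and the two constants can drift apart silently. Keep the relationship in code instead, e.g. for layer 3 `const STEP: usize = 1 << 3;` and `const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT;` (the form the old generic body used), and likewise for the other four functions. `outer_3_plus` is new and undocumented; a doc comment stating that it applies the `ZETA` butterfly to the `STEP_BY` units starting at `OFFSET`, each paired with the unit `STEP_BY` further on, would help a reader who meets the name cold.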
@@ -14,35 +14,6 @@ pub const INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58_728_449; /// We use 'fer' as a shorthand for this type. pub(crate) type FieldElementTimesMontgomeryR = i32; -pub(crate) const ZETAS_TIMES_MONTGOMERY_R: [FieldElementTimesMontgomeryR; 256] = [ - 0, 25847, -2608894, -518909, 237124, -777960, -876248, 466468, 1826347, 2353451, -359251, - -2091905, 3119733, -2884855, 3111497, 2680103, 2725464, 1024112, -1079900, 3585928, -549488, - -1119584, 2619752, -2108549, -2118186, -3859737, -1399561, -3277672, 1757237, -19422, 4010497, - 280005, 2706023, 95776, 3077325, 3530437, -1661693, -3592148, -2537516, 3915439, -3861115, - -3043716, 3574422, -2867647, 3539968, -300467, 2348700, -539299, -1699267, -1643818, 3505694, - -3821735, 3507263, -2140649, -1600420, 3699596, 811944, 531354, 954230, 3881043, 3900724, - -2556880, 2071892, -2797779, -3930395, -1528703, -3677745, -3041255, -1452451, 3475950, - 2176455, -1585221, -1257611, 1939314, -4083598, -1000202, -3190144, -3157330, -3632928, 126922, - 3412210, -983419, 2147896, 2715295, -2967645, -3693493, -411027, -2477047, -671102, -1228525, - -22981, -1308169, -381987, 1349076, 1852771, -1430430, -3343383, 264944, 508951, 3097992, - 44288, -1100098, 904516, 3958618, -3724342, -8578, 1653064, -3249728, 2389356, -210977, 759969, - -1316856, 189548, -3553272, 3159746, -1851402, -2409325, -177440, 1315589, 1341330, 1285669, - -1584928, -812732, -1439742, -3019102, -3881060, -3628969, 3839961, 2091667, 3407706, 2316500, - 3817976, -3342478, 2244091, -2446433, -3562462, 266997, 2434439, -1235728, 3513181, -3520352, - -3759364, -1197226, -3193378, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, - -522500, -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838, 342297, - 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044, 2842341, 2691481, -2590150, - 1265009, 4055324, 1247620, 2486353, 1595974, -3767016, 1250494, 2635921, -3548272, -2994039, - 1869119, 1903435, -1050970, 
-1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, - -1962642, -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031, -542412, - -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993, -2013608, 2432395, 2454455, - -164721, 1957272, 3369112, 185531, -1207385, -3183426, 162844, 1616392, 3014001, 810149, - 1652634, -3694233, -1799107, -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, - 472078, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893, -2939036, - -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687, -554416, 3919660, -48306, - -1362209, 3937738, 1400424, -846154, 1976782, -]; - pub(crate) trait Operations: Copy + Clone { #[allow(non_snake_case)] fn ZERO() -> Self; From 0703c5ba349bf587e1cfb3f9628fc61693e61119 Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Mon, 4 Nov 2024 11:46:19 +0100 Subject: [PATCH 46/74] SHA-3 AVX2 target feature Changes cherry-picked from `a87318d8` --- libcrux-ml-dsa/Cargo.toml | 2 +- libcrux-sha3/Cargo.toml | 4 +- libcrux-sha3/src/lib.rs | 55 +-------------- libcrux-sha3/src/simd/avx2.rs | 122 +++++++++++++++++++++++----------- 4 files changed, 86 insertions(+), 97 deletions(-) diff --git a/libcrux-ml-dsa/Cargo.toml b/libcrux-ml-dsa/Cargo.toml index 3358b8678..0949b4a9c 100644 --- a/libcrux-ml-dsa/Cargo.toml +++ b/libcrux-ml-dsa/Cargo.toml @@ -34,7 +34,7 @@ pqcrypto-dilithium = { version = "0.5.0" } #, default-features = false [features] simd128 = ["libcrux-sha3/simd128", "libcrux-intrinsics/simd128"] simd256 = ["libcrux-sha3/simd256", "libcrux-intrinsics/simd256"] -acvp = [] # expose internal API for ACVP testing +acvp = [] # expose internal API for ACVP testing [[bench]] name = "manual44" diff --git a/libcrux-sha3/Cargo.toml b/libcrux-sha3/Cargo.toml index 85ed0be95..23b21b401 100644 --- a/libcrux-sha3/Cargo.toml +++ b/libcrux-sha3/Cargo.toml 
@@ -23,8 +23,8 @@ libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics"
 hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" }

 [features]
-simd128 = []
-simd256 = []
+simd128 = ["libcrux-intrinsics/simd128"]
+simd256 = ["libcrux-intrinsics/simd256"]

 [[bench]]
 name = "sha3"
diff --git a/libcrux-sha3/src/lib.rs b/libcrux-sha3/src/lib.rs
index c1395155d..d48dea15f 100644
--- a/libcrux-sha3/src/lib.rs
+++ b/libcrux-sha3/src/lib.rs
@@ -3,7 +3,7 @@
 //! A SHA3 implementation with optional simd optimisations.

 #![no_std]
-#![forbid(unsafe_code)]
+#![deny(unsafe_code)]
 #![deny(missing_docs)]

 pub mod simd;
@@ -92,7 +92,6 @@ pub fn hash(algorithm: Algorithm, payload: &[u8]) -> [u8; LEN]
 pub use hash as sha3;

 /// SHA3 224
-#[inline(always)]
 pub fn sha224(data: &[u8]) -> Sha3_224Digest {
 let mut out = [0u8; 28];
 sha224_ema(&mut out, data);
@@ -103,7 +102,6 @@ pub fn sha224(data: &[u8]) -> Sha3_224Digest {
 ///
 /// Preconditions:
 /// - `digest.len() == 28`
-#[inline(always)]
 pub fn sha224_ema(digest: &mut [u8], payload: &[u8]) {
 debug_assert!(payload.len() <= u32::MAX as usize);
 debug_assert!(digest.len() == 28);
@@ -112,7 +110,6 @@ pub fn sha224_ema(digest: &mut [u8], payload: &[u8]) {
 }

 /// SHA3 256
-#[inline(always)]
 pub fn sha256(data: &[u8]) -> Sha3_256Digest {
 let mut out = [0u8; 32];
 sha256_ema(&mut out, data);
@@ -120,7 +117,6 @@ pub fn sha256(data: &[u8]) -> Sha3_256Digest {
 }

 /// SHA3 256
-#[inline(always)]
 pub fn sha256_ema(digest: &mut [u8], payload: &[u8]) {
 debug_assert!(payload.len() <= u32::MAX as usize);
 debug_assert!(digest.len() == 32);
@@ -129,7 +125,6 @@ pub fn sha256_ema(digest: &mut [u8], payload: &[u8]) {
 }

 /// SHA3 384
-#[inline(always)]
 pub fn sha384(data: &[u8]) -> Sha3_384Digest {
 let mut out = [0u8; 48];
 sha384_ema(&mut out, data);
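Review bot: Relaxing `#![forbid(unsafe_code)]` to `#![deny(unsafe_code)]` is what permits the per-function `#[allow(unsafe_code)]` that the simd/avx2.rs hunk adds next to each `#[target_feature(enable = "avx2")] unsafe fn`, but nothing records that intent, and a later reader cannot tell whether `deny` is meant as a blanket lint or as a narrow opt-in. A comment on the attribute, e.g. `// deny, not forbid: simd/avx2.rs opts in per function (#[allow(unsafe_code)]) for #[target_feature]-gated code`, keeps that boundary visible. The `unsafe fn`s in avx2.rs carry no `# Safety` section; the contract a caller must uphold (that the CPU actually supports AVX2, presumably established by a runtime feature check that these hunks do not show) should be written there, since calling a `#[target_feature]` function on a CPU without that feature is undefined behaviour. The avx2.rs hunk continues past what is visible here.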
@@ -137,7 +132,6 @@ pub fn sha384(data: &[u8]) -> Sha3_384Digest { } /// SHA3 384 -#[inline(always)] pub fn sha384_ema(digest: &mut [u8], payload: &[u8]) { debug_assert!(payload.len() <= u32::MAX as usize); debug_assert!(digest.len() == 48); @@ -146,7 +140,6 @@ pub fn sha384_ema(digest: &mut [u8], payload: &[u8]) { } /// SHA3 512 -#[inline(always)] pub fn sha512(data: &[u8]) -> Sha3_512Digest { let mut out = [0u8; 64]; sha512_ema(&mut out, data); @@ -154,7 +147,6 @@ pub fn sha512(data: &[u8]) -> Sha3_512Digest { } /// SHA3 512 -#[inline(always)] pub fn sha512_ema(digest: &mut [u8], payload: &[u8]) { debug_assert!(payload.len() <= u32::MAX as usize); debug_assert!(digest.len() == 64); @@ -166,7 +158,6 @@ pub fn sha512_ema(digest: &mut [u8], payload: &[u8]) { /// /// Note that the output length `BYTES` must fit into 32 bit. If it is longer, /// the output will only return `u32::MAX` bytes. -#[inline(always)] pub fn shake128(data: &[u8]) -> [u8; BYTES] { let mut out = [0u8; BYTES]; portable::shake128(&mut out, data); @@ -176,7 +167,6 @@ pub fn shake128(data: &[u8]) -> [u8; BYTES] { /// SHAKE 128 /// /// Writes `out.len()` bytes. -#[inline(always)] pub fn shake128_ema(out: &mut [u8], data: &[u8]) { portable::shake128(out, data); } @@ -185,7 +175,6 @@ pub fn shake128_ema(out: &mut [u8], data: &[u8]) { /// /// Note that the output length `BYTES` must fit into 32 bit. If it is longer, /// the output will only return `u32::MAX` bytes. -#[inline(always)] pub fn shake256(data: &[u8]) -> [u8; BYTES] { let mut out = [0u8; BYTES]; portable::shake256(&mut out, data); @@ -195,7 +184,6 @@ pub fn shake256(data: &[u8]) -> [u8; BYTES] { /// SHAKE 256 /// /// Writes `out.len()` bytes. -#[inline(always)] pub fn shake256_ema(out: &mut [u8], data: &[u8]) { portable::shake256(out, data); } 
@@ -221,37 +209,31 @@ pub mod portable { } /// A portable SHA3 224 implementation. - #[inline(always)] pub fn sha224(digest: &mut [u8], data: &[u8]) { keccakx1::<144, 0x06u8>([data], [digest]); } /// A portable SHA3 256 implementation. - #[inline(always)] pub fn sha256(digest: &mut [u8], data: &[u8]) { keccakx1::<136, 0x06u8>([data], [digest]); } /// A portable SHA3 384 implementation. - #[inline(always)] pub fn sha384(digest: &mut [u8], data: &[u8]) { keccakx1::<104, 0x06u8>([data], [digest]); } /// A portable SHA3 512 implementation. - #[inline(always)] pub fn sha512(digest: &mut [u8], data: &[u8]) { keccakx1::<72, 0x06u8>([data], [digest]); } /// A portable SHAKE128 implementation. - #[inline(always)] pub fn shake128(digest: &mut [u8], data: &[u8]) { keccakx1::<168, 0x1fu8>([data], [digest]); } /// A portable SHAKE256 implementation. - #[inline(always)] pub fn shake256(digest: &mut [u8], data: &[u8]) { keccakx1::<136, 0x1fu8>([data], [digest]); } @@ -366,7 +348,6 @@ pub mod portable { } /// Create a new SHAKE-128 state object. - #[inline(always)] pub fn shake128_init() -> KeccakState { KeccakState { state: GenericState::<1, u64>::new(), 
@@ -374,31 +355,26 @@ pub mod portable { } /// Absorb - #[inline(always)] pub fn shake128_absorb_final(s: &mut KeccakState, data0: &[u8]) { absorb_final::<1, u64, 168, 0x1fu8>(&mut s.state, [data0]); } /// Squeeze three blocks - #[inline(always)] pub fn shake128_squeeze_first_three_blocks(s: &mut KeccakState, out0: &mut [u8]) { squeeze_first_three_blocks::<1, u64, 168>(&mut s.state, [out0]) } /// Squeeze five blocks - #[inline(always)] pub fn shake128_squeeze_first_five_blocks(s: &mut KeccakState, out0: &mut [u8]) { squeeze_first_five_blocks::<1, u64, 168>(&mut s.state, [out0]) } /// Squeeze another block - #[inline(always)] pub fn shake128_squeeze_next_block(s: &mut KeccakState, out0: &mut [u8]) { squeeze_next_block::<1, u64, 168>(&mut s.state, [out0]) } /// Create a new SHAKE-256 state object. - #[inline(always)] pub fn shake256_init() -> KeccakState { KeccakState { state: GenericState::<1, u64>::new(), @@ -406,19 +382,16 @@ pub mod portable { } /// Absorb some data for SHAKE-256 for the last time - #[inline(always)] pub fn shake256_absorb_final(s: &mut KeccakState, data: &[u8]) { absorb_final::<1, u64, 136, 0x1fu8>(&mut s.state, [data]); } /// Squeeze the first SHAKE-256 block - #[inline(always)] pub fn shake256_squeeze_first_block(s: &mut KeccakState, out: &mut [u8]) { squeeze_first_block::<1, u64, 136>(&mut s.state, [out]) } /// Squeeze the next SHAKE-256 block - #[inline(always)] pub fn shake256_squeeze_next_block(s: &mut KeccakState, out: &mut [u8]) { squeeze_next_block::<1, u64, 136>(&mut s.state, [out]) } @@ -444,7 +417,6 @@ pub mod neon { /// A portable SHA3 224 implementation. #[allow(unused_variables)] - #[inline(always)] pub fn sha224(digest: &mut [u8], data: &[u8]) { #[cfg(not(feature = "simd128"))] unimplemented!(); @@ -457,7 +429,6 @@ pub mod neon { /// A portable SHA3 256 implementation. #[allow(unused_variables)] - #[inline(always)] pub fn sha256(digest: &mut [u8], data: &[u8]) { #[cfg(not(feature = "simd128"))] unimplemented!(); 
@@ -470,7 +441,6 @@ pub mod neon { /// A portable SHA3 384 implementation. #[allow(unused_variables)] - #[inline(always)] pub fn sha384(digest: &mut [u8], data: &[u8]) { #[cfg(not(feature = "simd128"))] unimplemented!(); @@ -483,7 +453,6 @@ pub mod neon { /// A portable SHA3 512 implementation. #[allow(unused_variables)] - #[inline(always)] pub fn sha512(digest: &mut [u8], data: &[u8]) { #[cfg(not(feature = "simd128"))] unimplemented!(); @@ -496,7 +465,6 @@ pub mod neon { /// A portable SHAKE128 implementation. #[allow(unused_variables)] - #[inline(always)] pub fn shake128(digest: &mut [u8; LEN], data: &[u8]) { #[cfg(not(feature = "simd128"))] unimplemented!(); @@ -509,7 +477,6 @@ pub mod neon { /// A portable SHAKE256 implementation. #[allow(unused_variables)] - #[inline(always)] pub fn shake256(digest: &mut [u8; LEN], data: &[u8]) { #[cfg(not(feature = "simd128"))] unimplemented!(); @@ -529,7 +496,6 @@ pub mod neon { /// /// Writes the two results into `out0` and `out1` #[allow(unused_variables)] - #[inline(always)] pub fn shake256(input0: &[u8], input1: &[u8], out0: &mut [u8], out1: &mut [u8]) { // TODO: make argument ordering consistent #[cfg(not(feature = "simd128"))] @@ -596,7 +562,6 @@ pub mod neon { } /// Initialise the `KeccakState2`. - #[inline(always)] pub fn init() -> KeccakState { #[cfg(not(feature = "simd128"))] unimplemented!(); @@ -614,7 +579,6 @@ pub mod neon { } /// Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`. - #[inline(always)] #[allow(unused_variables)] pub fn shake128_absorb_final(s: &mut KeccakState, data0: &[u8], data1: &[u8]) { #[cfg(not(feature = "simd128"))] @@ -634,7 +598,6 @@ pub mod neon { } /// Shake256 absorb `data0` and `data1` in the [`KeccakState`] `s`. - #[inline(always)] #[allow(unused_variables)] pub fn shake256_absorb_final(s: &mut KeccakState, data0: &[u8], data1: &[u8]) { #[cfg(not(feature = "simd128"))] 
@@ -684,7 +647,6 @@ pub mod neon { /// Squeeze 2 times the first three blocks in parallel in the /// [`KeccakState`] and return the output in `out0` and `out1`. #[allow(unused_variables)] - #[inline(always)] pub fn shake128_squeeze_first_three_blocks( s: &mut KeccakState, out0: &mut [u8], @@ -708,7 +670,6 @@ pub mod neon { /// Squeeze five blocks #[allow(unused_variables)] - #[inline(always)] pub fn shake128_squeeze_first_five_blocks( s: &mut KeccakState, out0: &mut [u8], @@ -724,7 +685,6 @@ pub mod neon { } /// Squeeze block - #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake256_squeeze_first_block( s: &mut KeccakState, @@ -741,7 +701,6 @@ pub mod neon { } /// Squeeze next block - #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake256_squeeze_next_block( s: &mut KeccakState, @@ -816,7 +775,6 @@ pub mod neon { /// Squeeze 2 times the next block in parallel in the /// [`KeccakState`] and return the output in `out0` and `out1`. #[allow(unused_variables)] - #[inline(always)] pub fn shake128_squeeze_next_block( s: &mut KeccakState, out0: &mut [u8], @@ -843,7 +801,6 @@ pub mod neon { /// /// **PANICS** when `N` is not 2, 3, or 4. #[allow(unused_variables, non_snake_case)] - #[inline(always)] fn _shake128_squeezexN( state: &mut [KeccakState; 2], ) -> [[u8; LEN]; N] { @@ -907,7 +864,6 @@ pub mod avx2 { /// Perform 4 SHAKE256 operations in parallel #[allow(unused_variables, clippy::too_many_arguments)] // TODO: decide if we want to fall back here - #[inline(always)] pub fn shake256( input0: &[u8], input1: &[u8], @@ -944,7 +900,6 @@ pub mod avx2 { /// /// **PANICS** when `N` is not 2, 3, or 4. #[allow(unused_variables, non_snake_case)] - #[inline(always)] fn _shake256xN(input: &[[u8; 33]; N]) -> [[u8; LEN]; N] { debug_assert!(N == 2 || N == 3 || N == 4); let mut out = [[0u8; LEN]; N]; 
@@ -1030,7 +985,6 @@ pub mod avx2 { pub type KeccakState = [crate::portable::KeccakState; 4]; /// Initialise the [`KeccakState`]. - #[inline(always)] pub fn init() -> KeccakState { #[cfg(not(feature = "simd256"))] unimplemented!(); @@ -1057,7 +1011,6 @@ pub mod avx2 { } /// Absorb - #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake128_absorb_final( s: &mut KeccakState, @@ -1095,7 +1048,6 @@ pub mod avx2 { } /// Absorb - #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake256_absorb_final( s: &mut KeccakState, @@ -1111,7 +1063,6 @@ pub mod avx2 { } /// Squeeze block - #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake256_squeeze_first_block( s: &mut KeccakState, @@ -1127,7 +1078,6 @@ pub mod avx2 { } /// Squeeze next block - #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake256_squeeze_next_block( s: &mut KeccakState, @@ -1175,7 +1125,6 @@ pub mod avx2 { } /// Squeeze three blocks - #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake128_squeeze_first_three_blocks( s: &mut KeccakState, @@ -1216,7 +1165,6 @@ pub mod avx2 { } /// Squeeze five blocks - #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake128_squeeze_first_five_blocks( s: &mut KeccakState, @@ -1286,7 +1234,6 @@ pub mod avx2 { } /// Squeeze another block - #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake128_squeeze_next_block( s: &mut KeccakState, diff --git a/libcrux-sha3/src/simd/avx2.rs b/libcrux-sha3/src/simd/avx2.rs index 07578e1d1..f957fe115 100644 --- a/libcrux-sha3/src/simd/avx2.rs +++ b/libcrux-sha3/src/simd/avx2.rs 
@@ -1,46 +1,59 @@
 use crate::traits::internal::*;
 use libcrux_intrinsics::avx2::*;
 
-#[inline(always)]
-fn rotate_left(x: Vec256) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn rotate_left(x: Vec256) -> Vec256 {
     debug_assert!(LEFT + RIGHT == 64);
     // XXX: This could be done more efficiently, if the shift values are multiples of 8.
     mm256_xor_si256(mm256_slli_epi64::(x), mm256_srli_epi64::(x))
 }
 
-#[inline(always)]
-fn _veor5q_u64(a: Vec256, b: Vec256, c: Vec256, d: Vec256, e: Vec256) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn _veor5q_u64(a: Vec256, b: Vec256, c: Vec256, d: Vec256, e: Vec256) -> Vec256 {
     let ab = mm256_xor_si256(a, b);
     let cd = mm256_xor_si256(c, d);
     let abcd = mm256_xor_si256(ab, cd);
     mm256_xor_si256(abcd, e)
 }
 
-#[inline(always)]
-fn _vrax1q_u64(a: Vec256, b: Vec256) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn _vrax1q_u64(a: Vec256, b: Vec256) -> Vec256 {
     mm256_xor_si256(a, rotate_left::<1, 63>(b))
 }
 
-#[inline(always)]
-fn _vxarq_u64(a: Vec256, b: Vec256) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn _vxarq_u64(a: Vec256, b: Vec256) -> Vec256 {
     let ab = mm256_xor_si256(a, b);
     rotate_left::(ab)
 }
 
-#[inline(always)]
-fn _vbcaxq_u64(a: Vec256, b: Vec256, c: Vec256) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn _vbcaxq_u64(a: Vec256, b: Vec256, c: Vec256) -> Vec256 {
     mm256_xor_si256(a, mm256_andnot_si256(c, b))
 }
 
-#[inline(always)]
-fn _veorq_n_u64(a: Vec256, c: u64) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn _veorq_n_u64(a: Vec256, c: u64) -> Vec256 {
     // Casting here is required, doesn't change the value.
     let c = mm256_set1_epi64x(c as i64);
     mm256_xor_si256(a, c)
 }
 
-#[inline(always)]
-pub(crate) fn load_block(s: &mut [[Vec256; 5]; 5], blocks: [&[u8]; 4]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn xor(a: Vec256, b: Vec256) -> Vec256 {
+    mm256_xor_si256(a, b)
+}
+
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn load_block(s: &mut [[Vec256; 5]; 5], blocks: [&[u8]; 4]) {
     debug_assert!(RATE <= blocks[0].len() && RATE % 8 == 0 && (RATE % 32 == 8 || RATE % 32 == 16));
     for i in 0..RATE / 32 {
         let v0 = mm256_loadu_si256_u8(&blocks[0][32 * i..32 * (i + 1)]);
@@ -92,20 +105,24 @@ pub(crate) fn load_block(s: &mut [[Vec256; 5]; 5], blocks: [&
 }
 
 #[inline(always)]
+#[allow(unsafe_code)]
 pub(crate) fn load_block_full(s: &mut [[Vec256; 5]; 5], blocks: [[u8; 200]; 4]) {
-    load_block::(
-        s,
-        [
-            &blocks[0] as &[u8],
-            &blocks[1] as &[u8],
-            &blocks[2] as &[u8],
-            &blocks[3] as &[u8],
-        ],
-    );
+    unsafe {
+        load_block::(
+            s,
+            [
+                &blocks[0] as &[u8],
+                &blocks[1] as &[u8],
+                &blocks[2] as &[u8],
+                &blocks[3] as &[u8],
+            ],
+        )
+    };
 }
 
-#[inline(always)]
-pub(crate) fn store_block(s: &[[Vec256; 5]; 5], out: [&mut [u8]; 4]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn store_block(s: &[[Vec256; 5]; 5], out: [&mut [u8]; 4]) {
     for i in 0..RATE / 32 {
         let v0l = mm256_permute2x128_si256::<0x20>(
             s[(4 * i) / 5][(4 * i) % 5],
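Review bot: `load_block_full` stays a safe `pub(crate)` function but now wraps its call to the `#[target_feature(enable = "avx2")]` `load_block` in an `unsafe { … }` block with no SAFETY comment, so the precondition that moved onto the callee — the CPU must actually support AVX2, otherwise calling a target-feature function is undefined behaviour — is invisible to every caller of the safe wrapper. The same silent wrapping appears in `store_block_full` in the next hunk and in each method of the `KeccakItem<4>` impl further down. Presumably this module is only reached after a runtime feature check elsewhere in the crate (not visible here); that is the invariant to write down, e.g. `// SAFETY: this module is only entered after runtime AVX2 detection; see the dispatch in <TODO: entry point>.` on each block, or once at the top of the file. The trailing semicolon in `unsafe { … };` after a unit-returning block is harmless but unusual; `unsafe { … }` alone reads cleaner.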
@@ -159,17 +176,19 @@ pub(crate) fn store_block(s: &[[Vec256; 5]; 5], out: [&mut [u
 }
 
 #[inline(always)]
+#[allow(unsafe_code)]
 pub(crate) fn store_block_full(s: &[[Vec256; 5]; 5]) -> [[u8; 200]; 4] {
     let mut out0 = [0u8; 200];
     let mut out1 = [0u8; 200];
     let mut out2 = [0u8; 200];
     let mut out3 = [0u8; 200];
-    store_block::(s, [&mut out0, &mut out1, &mut out2, &mut out3]);
+    unsafe { store_block::(s, [&mut out0, &mut out1, &mut out2, &mut out3]) };
     [out0, out1, out2, out3]
 }
 
-#[inline(always)]
-fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] {
     [
         &a[0][start..start + len],
         &a[1][start..start + len],
@@ -178,8 +197,9 @@ fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] {
     ]
 }
 
-#[inline(always)]
-fn split_at_mut_4(out: [&mut [u8]; 4], mid: usize) -> ([&mut [u8]; 4], [&mut [u8]; 4]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn split_at_mut_4(out: [&mut [u8]; 4], mid: usize) -> ([&mut [u8]; 4], [&mut [u8]; 4]) {
     let [out0, out1, out2, out3] = out;
     let (out00, out01) = out0.split_at_mut(mid);
     let (out10, out11) = out1.split_at_mut(mid);
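Review bot: `slice_4` and `split_at_mut_4` are turned into `#[target_feature(enable = "avx2")] unsafe fn`, yet their bodies are plain slice indexing and `split_at_mut` with no intrinsics, so the attribute buys nothing and the `unsafe` adds two more unchecked call sites (`slice_n` and `split_at_mut_n` in the trait impl). Leaving them as safe `#[inline(always)] fn` keeps the unsafe surface limited to the functions that actually issue AVX2 instructions. As far as I can tell a safe function without target features can still be inlined into an avx2 caller, so inlinability is not a reason to keep the attribute either.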
@@ -193,53 +213,75 @@ impl KeccakItem<4> for Vec256 {
     fn zero() -> Self {
         mm256_set1_epi64x(0)
     }
 
+    #[inline(always)]
+    #[allow(unsafe_code)]
     fn xor5(a: Self, b: Self, c: Self, d: Self, e: Self) -> Self {
-        _veor5q_u64(a, b, c, d, e)
+        unsafe { _veor5q_u64(a, b, c, d, e) }
     }
 
+    #[inline(always)]
+    #[allow(unsafe_code)]
     fn rotate_left1_and_xor(a: Self, b: Self) -> Self {
-        _vrax1q_u64(a, b)
+        unsafe { _vrax1q_u64(a, b) }
     }
 
+    #[inline(always)]
+    #[allow(unsafe_code)]
     fn xor_and_rotate(a: Self, b: Self) -> Self {
-        _vxarq_u64::(a, b)
+        unsafe { _vxarq_u64::(a, b) }
     }
 
+    #[inline(always)]
+    #[allow(unsafe_code)]
     fn and_not_xor(a: Self, b: Self, c: Self) -> Self {
-        _vbcaxq_u64(a, b, c)
+        unsafe { _vbcaxq_u64(a, b, c) }
     }
 
+    #[inline(always)]
+    #[allow(unsafe_code)]
     fn xor_constant(a: Self, c: u64) -> Self {
-        _veorq_n_u64(a, c)
+        unsafe { _veorq_n_u64(a, c) }
     }
 
+    #[inline(always)]
+    #[allow(unsafe_code)]
     fn xor(a: Self, b: Self) -> Self {
-        mm256_xor_si256(a, b)
+        unsafe { xor(a, b) }
     }
 
+    #[inline(always)]
+    #[allow(unsafe_code)]
     fn load_block(a: &mut [[Self; 5]; 5], b: [&[u8]; 4]) {
-        load_block::(a, b)
+        unsafe { load_block::(a, b) }
     }
 
+    #[inline(always)]
+    #[allow(unsafe_code)]
     fn store_block(a: &[[Self; 5]; 5], b: [&mut [u8]; 4]) {
-        store_block::(a, b)
+        unsafe { store_block::(a, b) }
     }
 
+    #[inline(always)]
     fn load_block_full(a: &mut [[Self; 5]; 5], b: [[u8; 200]; 4]) {
         load_block_full::(a, b)
     }
 
+    #[inline(always)]
     fn store_block_full(a: &[[Self; 5]; 5]) -> [[u8; 200]; 4] {
         store_block_full::(a)
     }
 
+    #[inline(always)]
+    #[allow(unsafe_code)]
     fn slice_n(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] {
-        slice_4(a, start, len)
+        unsafe { slice_4(a, start, len) }
     }
 
+    #[inline(always)]
+    #[allow(unsafe_code)]
     fn split_at_mut_n(a: [&mut [u8]; 4], mid: usize) -> ([&mut [u8]; 4], [&mut [u8]; 4]) {
-        split_at_mut_4(a, mid)
+        unsafe { split_at_mut_4(a, mid) }
     }
 
     // TODO: Do we need this, or not? cf. https://github.com/cryspen/libcrux/issues/482
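Review bot: every trait method here gets `#[inline(always)]` while the helper it forwards to now carries `#[target_feature(enable = "avx2")]`; the wrapper body will be inlined, but as far as I know LLVM will not inline an avx2 function into a caller compiled without that feature, so unless the Keccak routines that use `Vec256` are themselves avx2 target-feature functions this turns each `xor5`/`rotate_left1_and_xor`/… step into a real call where it used to be inlined code. Worth checking the generated code or the benchmarks for the `Vec256` path before merging, and recording the intended inlining chain on the impl, e.g. `// All methods are thin wrappers; they are only fully inlined when called from avx2 target_feature code.`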
From 5d85370983d5fb1389573a87deb933614e1532a9 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch
Date: Mon, 4 Nov 2024 11:54:55 +0100
Subject: [PATCH 47/74] Inlining + target feature changes around inverse NTT

Changes cherry-picked from `a87318d8`

---
 .../src/ml_dsa_generic/instantiations/avx2.rs | 1 +
 libcrux-ml-dsa/src/simd/avx2.rs | 13 ++++-
 libcrux-ml-dsa/src/simd/avx2/ntt.rs | 40 +++++++++++--------
 libcrux-ml-dsa/src/simd/portable/ntt.rs | 20 +++++-----
 4 files changed, 45 insertions(+), 29 deletions(-)

diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs
index 716fd2f59..40111939b 100644
--- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs
+++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs
@@ -333,6 +333,7 @@ pub(crate) fn generate_key_pair<
 
 /// Sign.
 #[allow(unsafe_code)]
+#[inline(always)]
 pub(crate) fn sign<
     const ROWS_IN_A: usize,
     const COLUMNS_IN_A: usize,
diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs
index c83c24caa..f4236caa2 100644
--- a/libcrux-ml-dsa/src/simd/avx2.rs
+++ b/libcrux-ml-dsa/src/simd/avx2.rs
@@ -137,6 +137,7 @@ impl Operations for AVX2SIMDUnit {
     }
 
     #[inline(always)]
+    #[allow(unsafe_code)]
     fn invert_ntt_at_layer_0(
         simd_unit: Self,
         zeta0: i32,
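Review bot: `#[inline(always)]` is added to `sign` with no comment saying why; `sign` is a large const-generic entry point whose body continues outside the hunk, and a later reader will be tempted to drop the attribute for code-size reasons. If the intent is that the body must be compiled inside an avx2 target-feature caller (the commit title suggests as much, but the caller is not visible here), say so on the attribute, e.g. `// Must be inlined into the target_feature caller so the AVX2 code below is compiled with AVX2 enabled (TODO confirm).`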
@@ -144,14 +145,20 @@ impl Operations for AVX2SIMDUnit {
         zeta2: i32,
         zeta3: i32,
     ) -> Self {
-        ntt::invert_ntt_at_layer_0(simd_unit.coefficients, zeta0, zeta1, zeta2, zeta3).into()
+        unsafe {
+            ntt::invert_ntt_at_layer_0(simd_unit.coefficients, zeta0, zeta1, zeta2, zeta3).into()
+        }
     }
 
+    #[inline(always)]
+    #[allow(unsafe_code)]
     fn invert_ntt_at_layer_1(simd_unit: Self, zeta0: i32, zeta1: i32) -> Self {
-        ntt::invert_ntt_at_layer_1(simd_unit.coefficients, zeta0, zeta1).into()
+        unsafe { ntt::invert_ntt_at_layer_1(simd_unit.coefficients, zeta0, zeta1).into() }
     }
 
+    #[inline(always)]
+    #[allow(unsafe_code)]
     fn invert_ntt_at_layer_2(simd_unit: Self, zeta: i32) -> Self {
-        ntt::invert_ntt_at_layer_2(simd_unit.coefficients, zeta).into()
+        unsafe { ntt::invert_ntt_at_layer_2(simd_unit.coefficients, zeta).into() }
     }
 }
diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
index 60b98fc25..b764e6178 100644
--- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs
@@ -100,8 +100,9 @@ fn butterfly_8(a: Vec256, b: Vec256, zeta0: i32, zeta1: i32) -> (Vec256, Vec256)
     (a_out, b_out)
 }
 
-#[inline(always)]
-pub fn invert_ntt_at_layer_0(
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+pub(super) unsafe fn invert_ntt_at_layer_0(
     simd_unit: Vec256,
     zeta0: i32,
     zeta1: i32,
@@ -121,8 +122,9 @@ pub fn invert_ntt_at_layer_0(
     mm256_blend_epi32::<0b1_0_1_0_1_0_1_0>(sums, products)
 }
 
-#[inline(always)]
-fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     macro_rules! round {
         ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal, $zeta_4:literal, $zeta_5:literal, $zeta_6:literal, $zeta_7:literal) => {
             let (a, b) = butterfly_2(
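Review bot: the three new `unsafe { ntt::invert_ntt_at_layer_* … }` blocks in the `Operations` impl carry no SAFETY comment, and `invert_ntt_at_layer_0`/`_1`/`_2` — now `pub(super) unsafe fn` in ntt.rs, in this hunk and the two that follow — gain no `# Safety` section stating that the caller must have verified AVX2 support before calling a target-feature function. One comment per block along the lines of `// SAFETY: AVX2SIMDUnit is only instantiated after runtime AVX2 detection (confirm at the dispatch site).`, plus a `/// # Safety` paragraph on each `unsafe fn`, would make the contract this commit introduces checkable. The same applies to the private `ntt_at_layer_*` functions made `unsafe` in the following hunks, whose callers are not visible here.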
@@ -160,8 +162,9 @@ fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     round!(30, -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782);
 }
 
-#[inline(always)]
-pub fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1: i32) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+pub(super) unsafe fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1: i32) -> Vec256 {
     let zetas = mm256_set_epi32(zeta1, zeta1, 0, 0, zeta0, zeta0, 0, 0);
     let add_by_signs = mm256_set_epi32(-1, -1, 1, 1, -1, -1, 1, 1);
 
@@ -175,8 +178,9 @@ pub fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1: i32) -> Vec25
     mm256_blend_epi32::<0b1_1_0_0_1_1_0_0>(sums, products)
 }
 
-#[inline(always)]
-fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     macro_rules! round {
         ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => {
             let (a, b) = butterfly_4(re[$i], re[$i + 1], $zeta_0, $zeta_1, $zeta_2, $zeta_3);
@@ -203,8 +207,9 @@ fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     round!(30, -3019102, -3881060, -3628969, 3839961);
 }
 
-#[inline(always)]
-pub fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec256 {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+pub(super) unsafe fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec256 {
     let zetas = mm256_set_epi32(zeta, zeta, zeta, zeta, 0, 0, 0, 0);
     let add_by_signs = mm256_set_epi32(-1, -1, -1, -1, 1, 1, 1, 1);
 
@@ -218,8 +223,9 @@ pub fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec256 {
     mm256_blend_epi32::<0b1_1_1_1_0_0_0_0>(sums, products)
 }
 
-#[inline(always)]
-fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     macro_rules! round {
         ($round:literal, $zeta_0:literal, $zeta_1:literal) => {
             let (a, b) = butterfly_8(re[$round], re[$round + 1], $zeta_0, $zeta_1);
@@ -250,8 +256,9 @@ fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
 ///
 /// This does 32 Montgomery multiplications (192 multiplications).
 /// This is the same as in pqclean. The only difference is locality of registers.
-#[inline(always)]
-fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     let field_modulus = mm256_set1_epi32(crate::simd::traits::FIELD_MODULUS);
     let inverse_of_modulus_mod_montgomery_r =
         mm256_set1_epi32(crate::simd::traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32);
@@ -310,8 +317,9 @@ fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
 ///
 /// Each layer does 16 Montgomery multiplications -> 3*16 = 48 total
 /// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48)
-#[inline(always)]
-fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
+#[target_feature(enable = "avx2")]
+#[allow(unsafe_code)]
+unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) {
     macro_rules! round {
         ($i:literal, $zeta: literal) => {
             let rhs = mm256_set1_epi32($zeta);
diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs
index bc6301aef..3f4e7f12a 100644
--- a/libcrux-ml-dsa/src/simd/portable/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs
@@ -301,16 +301,16 @@ fn ntt_at_layer_3(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { const STEP: usize = 8; // 1 << LAYER; const STEP_BY: usize = 1; // step / COEFFICIENTS_IN_SIMD_UNIT; - outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2725464>(re); - outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1024112>(re); - outer_3_plus::<{ (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1079900>(re); - outer_3_plus::<{ (3 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 3585928>(re); - outer_3_plus::<{ (4 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -549488>(re); - outer_3_plus::<{ (5 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1119584>(re); - outer_3_plus::<{ (6 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2619752>(re); - outer_3_plus::<{ (7 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2108549>(re); - outer_3_plus::<{ (8 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2118186>(re); - outer_3_plus::<{ (9 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -3859737>(re); + outer_3_plus::<{ (0 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2725464>(re); + outer_3_plus::<{ (1 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1024112>(re); + outer_3_plus::<{ (2 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1079900>(re); + outer_3_plus::<{ (3 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 3585928>(re); + outer_3_plus::<{ (4 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -549488>(re); + outer_3_plus::<{ (5 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1119584>(re); + outer_3_plus::<{ (6 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 2619752>(re); + outer_3_plus::<{ (7 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2108549>(re); + outer_3_plus::<{ (8 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -2118186>(re); + outer_3_plus::<{ (9 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -3859737>(re); outer_3_plus::<{ (10 * STEP * 
2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -1399561>(re); outer_3_plus::<{ (11 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, -3277672>(re); outer_3_plus::<{ (12 * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT }, STEP_BY, 1757237>(re); From 6c8fdc37504b0076d70f7d910733d7b5a1e64a8a Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Mon, 4 Nov 2024 13:09:59 +0100 Subject: [PATCH 48/74] Header-only extraction update --- libcrux-ml-kem/cg/code_gen.txt | 2 +- libcrux-ml-kem/cg/libcrux_core.h | 2 +- libcrux-ml-kem/cg/libcrux_ct_ops.h | 2 +- libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h | 2 +- .../cg/libcrux_mlkem768_avx2_types.h | 2 +- libcrux-ml-kem/cg/libcrux_mlkem768_portable.h | 2 +- .../cg/libcrux_mlkem768_portable_types.h | 2 +- libcrux-ml-kem/cg/libcrux_sha3_avx2.h | 231 ++++++++---------- libcrux-ml-kem/cg/libcrux_sha3_portable.h | 126 +++++----- 9 files changed, 169 insertions(+), 202 deletions(-) diff --git a/libcrux-ml-kem/cg/code_gen.txt b/libcrux-ml-kem/cg/code_gen.txt index 15fc24b99..ec74b2b30 100644 --- a/libcrux-ml-kem/cg/code_gen.txt +++ b/libcrux-ml-kem/cg/code_gen.txt @@ -3,4 +3,4 @@ Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc -Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 +Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13 diff --git a/libcrux-ml-kem/cg/libcrux_core.h b/libcrux-ml-kem/cg/libcrux_core.h index b7054262c..b96c41ebd 100644 --- a/libcrux-ml-kem/cg/libcrux_core.h +++ b/libcrux-ml-kem/cg/libcrux_core.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13 */ #ifndef __libcrux_core_H 
diff --git a/libcrux-ml-kem/cg/libcrux_ct_ops.h b/libcrux-ml-kem/cg/libcrux_ct_ops.h index 1b4a85c28..5c325dd1c 100644 --- a/libcrux-ml-kem/cg/libcrux_ct_ops.h +++ b/libcrux-ml-kem/cg/libcrux_ct_ops.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13 */ #ifndef __libcrux_ct_ops_H diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h index ef9105a0b..30f56aa6c 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13 */ #ifndef __libcrux_mlkem768_avx2_H diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h index a3e9c8d25..7bf29c82c 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13 */ #ifndef __libcrux_mlkem768_avx2_types_H diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h index 0835aa2cc..4968a4688 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h 
@@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13 */ #ifndef __libcrux_mlkem768_portable_H diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h index 679052284..c5ed62a6d 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13 */ #ifndef __libcrux_mlkem768_portable_types_H diff --git a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h index c6845ceeb..c3db3f651 100644 --- a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13 */ #ifndef __libcrux_sha3_avx2_H @@ -33,8 +33,9 @@ static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2_zero_ef(void) { } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__veor5q_u64( - __m256i a, __m256i b, __m256i c, __m256i d, __m256i e) { +static inline __m256i libcrux_sha3_simd_avx2__veor5q_u64(__m256i a, __m256i b, + __m256i c, __m256i d, + __m256i e) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); __m256i cd = libcrux_intrinsics_avx2_mm256_xor_si256(c, d); __m256i abcd = libcrux_intrinsics_avx2_mm256_xor_si256(ab, cd); 
@@ -58,16 +59,14 @@ with const generics - RIGHT= 63 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_76(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_76(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)1, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)63, x, __m256i)); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vrax1q_u64(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vrax1q_u64(__m256i a, __m256i b) { __m256i uu____0 = a; return libcrux_intrinsics_avx2_mm256_xor_si256( uu____0, libcrux_sha3_simd_avx2_rotate_left_76(b)); @@ -84,9 +83,8 @@ libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef(__m256i a, __m256i b) { } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vbcaxq_u64(__m256i a, - __m256i b, - __m256i c) { +static inline __m256i libcrux_sha3_simd_avx2__vbcaxq_u64(__m256i a, __m256i b, + __m256i c) { return libcrux_intrinsics_avx2_mm256_xor_si256( a, libcrux_intrinsics_avx2_mm256_andnot_si256(c, b)); } @@ -102,8 +100,8 @@ libcrux_sha3_simd_avx2_and_not_xor_ef(__m256i a, __m256i b, __m256i c) { } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__veorq_n_u64(__m256i a, - uint64_t c) { +static inline __m256i libcrux_sha3_simd_avx2__veorq_n_u64(__m256i a, + uint64_t c) { __m256i c0 = libcrux_intrinsics_avx2_mm256_set1_epi64x( (int64_t) /* Casting here is required, doesn't change the value. */ c); 
@@ -120,6 +118,11 @@ libcrux_sha3_simd_avx2_xor_constant_ef(__m256i a, uint64_t c) { return libcrux_sha3_simd_avx2__veorq_n_u64(a, c); } +KRML_ATTRIBUTE_TARGET("avx2") +static inline __m256i libcrux_sha3_simd_avx2_xor(__m256i a, __m256i b) { + return libcrux_intrinsics_avx2_mm256_xor_si256(a, b); +} + /** This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: usize> for core::core_arch::x86::__m256i)} @@ -127,12 +130,13 @@ usize> for core::core_arch::x86::__m256i)} KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2_xor_ef(__m256i a, __m256i b) { - return libcrux_intrinsics_avx2_mm256_xor_si256(a, b); + return libcrux_sha3_simd_avx2_xor(a, b); } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_slice_4( - Eurydice_slice a[4U], size_t start, size_t len, Eurydice_slice ret[4U]) { +static inline void libcrux_sha3_simd_avx2_slice_4(Eurydice_slice a[4U], + size_t start, size_t len, + Eurydice_slice ret[4U]) { ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t); ret[1U] = Eurydice_slice_subslice2(a[1U], start, start + len, uint8_t); ret[2U] = Eurydice_slice_subslice2(a[2U], start, start + len, uint8_t); @@ -155,7 +159,7 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_slice_n_ef( } KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE Eurydice_slice_uint8_t_4size_t__x2 +static inline Eurydice_slice_uint8_t_4size_t__x2 libcrux_sha3_simd_avx2_split_at_mut_4(Eurydice_slice out[4U], size_t mid) { Eurydice_slice out0 = out[0U]; Eurydice_slice out1 = out[1U]; @@ -260,7 +264,7 @@ with const generics - RATE= 136 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_5b( +static inline void libcrux_sha3_simd_avx2_load_block_5b( __m256i (*s)[5U], Eurydice_slice blocks[4U]) { for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) { size_t i0 = i; 
@@ -406,8 +410,7 @@ with const generics - RIGHT= 28 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_02(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_02(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)36, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)28, x, __m256i)); @@ -420,8 +423,8 @@ with const generics - RIGHT= 28 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_02(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_02(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_02(ab); } @@ -449,8 +452,7 @@ with const generics - RIGHT= 61 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_ac(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_ac(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)3, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)61, x, __m256i)); @@ -463,8 +465,8 @@ with const generics - RIGHT= 61 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ac(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_ac(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_ac(ab); } 
@@ -492,8 +494,7 @@ with const generics - RIGHT= 23 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_020(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_020(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)41, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)23, x, __m256i)); @@ -506,8 +507,8 @@ with const generics - RIGHT= 23 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2__vxarq_u64_020(__m256i a, __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_020(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_020(ab); } @@ -535,8 +536,7 @@ with const generics - RIGHT= 46 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_a9(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_a9(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)18, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)46, x, __m256i)); @@ -549,8 +549,8 @@ with const generics - RIGHT= 46 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_a9(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_a9(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_a9(ab); } @@ -578,8 +578,8 @@ with const generics - RIGHT= 63 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_76(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_76(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_76(ab); } 
@@ -607,8 +607,7 @@ with const generics - RIGHT= 20 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_58(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_58(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)44, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)20, x, __m256i)); @@ -621,8 +620,8 @@ with const generics - RIGHT= 20 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_58(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_58(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_58(ab); } @@ -650,8 +649,7 @@ with const generics - RIGHT= 54 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_e0(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_e0(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)10, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)54, x, __m256i)); @@ -664,8 +662,8 @@ with const generics - RIGHT= 54 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_e0(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_e0(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_e0(ab); } 
@@ -693,8 +691,7 @@ with const generics - RIGHT= 19 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_63(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_63(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)45, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)19, x, __m256i)); @@ -707,8 +704,8 @@ with const generics - RIGHT= 19 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_63(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_63(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_63(ab); } @@ -736,8 +733,7 @@ with const generics - RIGHT= 62 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_6a(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_6a(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)2, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)62, x, __m256i)); @@ -750,8 +746,8 @@ with const generics - RIGHT= 62 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_6a(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_6a(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_6a(ab); } 
@@ -779,8 +775,7 @@ with const generics - RIGHT= 2 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_ab(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_ab(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)62, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)2, x, __m256i)); @@ -793,8 +788,8 @@ with const generics - RIGHT= 2 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ab(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_ab(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_ab(ab); } @@ -822,8 +817,7 @@ with const generics - RIGHT= 58 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_5b(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_5b(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)6, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)58, x, __m256i)); @@ -836,8 +830,8 @@ with const generics - RIGHT= 58 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_5b(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_5b(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_5b(ab); } 
@@ -865,8 +859,7 @@ with const generics - RIGHT= 21 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_6f(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_6f(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)43, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)21, x, __m256i)); @@ -879,8 +872,8 @@ with const generics - RIGHT= 21 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_6f(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_6f(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_6f(ab); } @@ -908,8 +901,7 @@ with const generics - RIGHT= 49 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_62(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_62(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)15, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)49, x, __m256i)); @@ -922,8 +914,8 @@ with const generics - RIGHT= 49 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_62(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_62(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_62(ab); } 
@@ -951,8 +943,7 @@ with const generics - RIGHT= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_23(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_23(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)61, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)3, x, __m256i)); @@ -965,8 +956,8 @@ with const generics - RIGHT= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_23(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_23(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_23(ab); } @@ -994,8 +985,7 @@ with const generics - RIGHT= 36 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_37(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_37(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)28, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)36, x, __m256i)); @@ -1008,8 +998,8 @@ with const generics - RIGHT= 36 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_37(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_37(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_37(ab); } 
@@ -1037,8 +1027,7 @@ with const generics - RIGHT= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_bb(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_bb(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)55, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)9, x, __m256i)); @@ -1051,8 +1040,8 @@ with const generics - RIGHT= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_bb(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_bb(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_bb(ab); } @@ -1080,8 +1069,7 @@ with const generics - RIGHT= 39 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_b9(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_b9(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)25, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)39, x, __m256i)); @@ -1094,8 +1082,8 @@ with const generics - RIGHT= 39 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_b9(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_b9(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_b9(ab); } 
@@ -1123,8 +1111,7 @@ with const generics - RIGHT= 43 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_54(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_54(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)21, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)43, x, __m256i)); @@ -1137,8 +1124,8 @@ with const generics - RIGHT= 43 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_54(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_54(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_54(ab); } @@ -1166,8 +1153,7 @@ with const generics - RIGHT= 8 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_4c(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_4c(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)56, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)8, x, __m256i)); @@ -1180,8 +1166,8 @@ with const generics - RIGHT= 8 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_4c(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_4c(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_4c(ab); } 
@@ -1209,8 +1195,7 @@ with const generics - RIGHT= 37 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_ce(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_ce(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)27, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)37, x, __m256i)); @@ -1223,8 +1208,8 @@ with const generics - RIGHT= 37 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ce(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_ce(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_ce(ab); } @@ -1252,8 +1237,7 @@ with const generics - RIGHT= 44 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_77(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_77(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)20, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)44, x, __m256i)); @@ -1266,8 +1250,8 @@ with const generics - RIGHT= 44 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_77(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_77(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_77(ab); } 
@@ -1295,8 +1279,7 @@ with const generics - RIGHT= 25 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_25(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_25(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)39, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)25, x, __m256i)); @@ -1309,8 +1292,8 @@ with const generics - RIGHT= 25 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_25(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_25(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_25(ab); } @@ -1338,8 +1321,7 @@ with const generics - RIGHT= 56 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_af(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_af(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)8, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)56, x, __m256i)); @@ -1352,8 +1334,8 @@ with const generics - RIGHT= 56 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_af(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_af(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_af(ab); } 
@@ -1381,8 +1363,7 @@ with const generics - RIGHT= 50 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i -libcrux_sha3_simd_avx2_rotate_left_fd(__m256i x) { +static inline __m256i libcrux_sha3_simd_avx2_rotate_left_fd(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)14, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)50, x, __m256i)); @@ -1395,8 +1376,8 @@ with const generics - RIGHT= 50 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_fd(__m256i a, - __m256i b) { +static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_fd(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_fd(ab); } @@ -1689,7 +1670,7 @@ with const generics - RATE= 136 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_5b( +static inline void libcrux_sha3_simd_avx2_store_block_5b( __m256i (*s)[5U], Eurydice_slice out[4U]) { for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) { size_t i0 = i; @@ -2032,7 +2013,7 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_fb( Perform 4 SHAKE256 operations in parallel */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_shake256( +static inline void libcrux_sha3_avx2_x4_shake256( Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, Eurydice_slice input3, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { @@ -2056,7 +2037,7 @@ typedef libcrux_sha3_generic_keccak_KeccakState_55 Initialise the [`KeccakState`]. */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55 +static inline libcrux_sha3_generic_keccak_KeccakState_55 libcrux_sha3_avx2_x4_incremental_init(void) { return libcrux_sha3_generic_keccak_new_89_a6(); } 
@@ -2067,7 +2048,7 @@ with const generics - RATE= 168 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_3a( +static inline void libcrux_sha3_simd_avx2_load_block_3a( __m256i (*s)[5U], Eurydice_slice blocks[4U]) { for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) { size_t i0 = i; @@ -2258,8 +2239,7 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_fb0( Absorb */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( +static inline void libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0, Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) { Eurydice_slice buf[4U] = {data0, data1, data2, data3}; @@ -2272,7 +2252,7 @@ with const generics - RATE= 168 */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_3a( +static inline void libcrux_sha3_simd_avx2_store_block_3a( __m256i (*s)[5U], Eurydice_slice out[4U]) { for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) { size_t i0 = i; @@ -2422,8 +2402,7 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_970( Squeeze another block */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( +static inline void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { Eurydice_slice buf[4U] = {out0, out1, out2, out3}; 
@@ -2475,7 +2454,7 @@ libcrux_sha3_generic_keccak_squeeze_first_three_blocks_97( Squeeze three blocks */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void +static inline void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { @@ -2529,7 +2508,7 @@ libcrux_sha3_generic_keccak_squeeze_first_five_blocks_97( Squeeze five blocks */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void +static inline void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { @@ -2541,8 +2520,7 @@ libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks( Absorb */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_sha3_avx2_x4_incremental_shake256_absorb_final( +static inline void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0, Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) { Eurydice_slice buf[4U] = {data0, data1, data2, data3}; @@ -2553,7 +2531,7 @@ libcrux_sha3_avx2_x4_incremental_shake256_absorb_final( Squeeze block */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void +static inline void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { 
@@ -2565,8 +2543,7 @@ libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block( Squeeze next block */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void -libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block( +static inline void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { Eurydice_slice buf[4U] = {out0, out1, out2, out3}; diff --git a/libcrux-ml-kem/cg/libcrux_sha3_portable.h b/libcrux-ml-kem/cg/libcrux_sha3_portable.h index 69ff6f317..65f8d5cb2 100644 --- a/libcrux-ml-kem/cg/libcrux_sha3_portable.h +++ b/libcrux-ml-kem/cg/libcrux_sha3_portable.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13 */ #ifndef __libcrux_sha3_portable_H @@ -1662,8 +1662,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_96( /** A portable SHA3 512 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest, - Eurydice_slice data) { +static inline void libcrux_sha3_portable_sha512(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_96(buf0, buf); @@ -2021,8 +2021,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ad( /** A portable SHA3 256 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest, - Eurydice_slice data) { +static inline void libcrux_sha3_portable_sha256(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_ad(buf0, buf); 
@@ -2150,8 +2150,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ad0( /** A portable SHAKE256 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_portable_shake256( - Eurydice_slice digest, Eurydice_slice data) { +static inline void libcrux_sha3_portable_shake256(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_ad0(buf0, buf); @@ -2163,7 +2163,7 @@ typedef libcrux_sha3_generic_keccak_KeccakState_17 /** Create a new SHAKE-128 state object. */ -static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17 +static inline libcrux_sha3_generic_keccak_KeccakState_17 libcrux_sha3_portable_incremental_shake128_init(void) { return libcrux_sha3_generic_keccak_new_89_04(); } @@ -2256,8 +2256,7 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e2( /** Absorb */ -static KRML_MUSTINLINE void -libcrux_sha3_portable_incremental_shake128_absorb_final( +static inline void libcrux_sha3_portable_incremental_shake128_absorb_final( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data0) { Eurydice_slice buf[1U] = {data0}; libcrux_sha3_generic_keccak_absorb_final_9e2(s, buf); @@ -2311,7 +2310,7 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c61( /** Squeeze another block */ -static KRML_MUSTINLINE void +static inline void libcrux_sha3_portable_incremental_shake128_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { Eurydice_slice buf[1U] = {out0}; @@ -2360,7 +2359,7 @@ libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6( /** Squeeze three blocks */ -static KRML_MUSTINLINE void +static inline void libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { Eurydice_slice buf[1U] = {out0}; 
@@ -2757,8 +2756,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_1e( /** A portable SHA3 224 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest, - Eurydice_slice data) { +static inline void libcrux_sha3_portable_sha224(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_1e(buf0, buf); @@ -3116,8 +3115,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_7c( /** A portable SHA3 384 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest, - Eurydice_slice data) { +static inline void libcrux_sha3_portable_sha384(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_7c(buf0, buf); @@ -3129,16 +3128,15 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest, Preconditions: - `digest.len() == 28` */ -static KRML_MUSTINLINE void libcrux_sha3_sha224_ema(Eurydice_slice digest, - Eurydice_slice payload) { +static inline void libcrux_sha3_sha224_ema(Eurydice_slice digest, + Eurydice_slice payload) { libcrux_sha3_portable_sha224(digest, payload); } /** SHA3 224 */ -static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data, - uint8_t ret[28U]) { +static inline void libcrux_sha3_sha224(Eurydice_slice data, uint8_t ret[28U]) { uint8_t out[28U] = {0U}; libcrux_sha3_sha224_ema(Eurydice_array_to_slice((size_t)28U, out, uint8_t), data); 
@@ -3148,16 +3146,15 @@ static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data, /** SHA3 256 */ -static KRML_MUSTINLINE void libcrux_sha3_sha256_ema(Eurydice_slice digest, - Eurydice_slice payload) { +static inline void libcrux_sha3_sha256_ema(Eurydice_slice digest, + Eurydice_slice payload) { libcrux_sha3_portable_sha256(digest, payload); } /** SHA3 256 */ -static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data, - uint8_t ret[32U]) { +static inline void libcrux_sha3_sha256(Eurydice_slice data, uint8_t ret[32U]) { uint8_t out[32U] = {0U}; libcrux_sha3_sha256_ema(Eurydice_array_to_slice((size_t)32U, out, uint8_t), data); @@ -3167,16 +3164,15 @@ static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data, /** SHA3 384 */ -static KRML_MUSTINLINE void libcrux_sha3_sha384_ema(Eurydice_slice digest, - Eurydice_slice payload) { +static inline void libcrux_sha3_sha384_ema(Eurydice_slice digest, + Eurydice_slice payload) { libcrux_sha3_portable_sha384(digest, payload); } /** SHA3 384 */ -static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data, - uint8_t ret[48U]) { +static inline void libcrux_sha3_sha384(Eurydice_slice data, uint8_t ret[48U]) { uint8_t out[48U] = {0U}; libcrux_sha3_sha384_ema(Eurydice_array_to_slice((size_t)48U, out, uint8_t), data); @@ -3186,16 +3182,15 @@ static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data, /** SHA3 512 */ -static KRML_MUSTINLINE void libcrux_sha3_sha512_ema(Eurydice_slice digest, - Eurydice_slice payload) { +static inline void libcrux_sha3_sha512_ema(Eurydice_slice digest, + Eurydice_slice payload) { libcrux_sha3_portable_sha512(digest, payload); } /** SHA3 512 */ -static KRML_MUSTINLINE void libcrux_sha3_sha512(Eurydice_slice data, - uint8_t ret[64U]) { +static inline void libcrux_sha3_sha512(Eurydice_slice data, uint8_t ret[64U]) { uint8_t out[64U] = {0U}; libcrux_sha3_sha512_ema(Eurydice_array_to_slice((size_t)64U, out, uint8_t), data); 
@@ -3412,8 +3407,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_c6( /** A portable SHAKE128 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_portable_shake128( - Eurydice_slice digest, Eurydice_slice data) { +static inline void libcrux_sha3_portable_shake128(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_c6(buf0, buf); @@ -3424,8 +3419,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_shake128( Writes `out.len()` bytes. */ -static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out, - Eurydice_slice data) { +static inline void libcrux_sha3_shake128_ema(Eurydice_slice out, + Eurydice_slice data) { libcrux_sha3_portable_shake128(out, data); } @@ -3434,8 +3429,8 @@ static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out, Writes `out.len()` bytes. */ -static KRML_MUSTINLINE void libcrux_sha3_shake256_ema(Eurydice_slice out, - Eurydice_slice data) { +static inline void libcrux_sha3_shake256_ema(Eurydice_slice out, + Eurydice_slice data) { libcrux_sha3_portable_shake256(out, data); } @@ -3456,8 +3451,8 @@ static const size_t libcrux_sha3_generic_keccak__ROTC[24U] = { /** A portable SHA3 224 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest, - Eurydice_slice data) { +static inline void libcrux_sha3_neon_sha224(Eurydice_slice digest, + Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); KRML_HOST_EXIT(255U); 
@@ -3466,8 +3461,8 @@ static KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest, /** A portable SHA3 256 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest, - Eurydice_slice data) { +static inline void libcrux_sha3_neon_sha256(Eurydice_slice digest, + Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); KRML_HOST_EXIT(255U); @@ -3476,8 +3471,8 @@ static KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest, /** A portable SHA3 384 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest, - Eurydice_slice data) { +static inline void libcrux_sha3_neon_sha384(Eurydice_slice digest, + Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); KRML_HOST_EXIT(255U); @@ -3486,8 +3481,8 @@ static KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest, /** A portable SHA3 512 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest, - Eurydice_slice data) { +static inline void libcrux_sha3_neon_sha512(Eurydice_slice digest, + Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); KRML_HOST_EXIT(255U); @@ -3498,10 +3493,10 @@ static KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest, Writes the two results into `out0` and `out1` */ -static KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, - Eurydice_slice input1, - Eurydice_slice out0, - Eurydice_slice out1) { +static inline void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, + Eurydice_slice input1, + Eurydice_slice out0, + Eurydice_slice out1) { /* TODO: make argument ordering consistent */ KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); 
@@ -3515,7 +3510,7 @@ typedef struct libcrux_sha3_neon_x2_incremental_KeccakState_s { /** Initialise the `KeccakState2`. */ -static KRML_MUSTINLINE libcrux_sha3_neon_x2_incremental_KeccakState +static inline libcrux_sha3_neon_x2_incremental_KeccakState libcrux_sha3_neon_x2_incremental_init(void) { /* XXX: These functions could alternatively implement the same with the * portable implementation { let s0 = KeccakState::new(); let s1 = @@ -3528,8 +3523,7 @@ libcrux_sha3_neon_x2_incremental_init(void) { /** Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`. */ -static KRML_MUSTINLINE void -libcrux_sha3_neon_x2_incremental_shake128_absorb_final( +static inline void libcrux_sha3_neon_x2_incremental_shake128_absorb_final( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0, Eurydice_slice data1) { /* XXX: These functions could alternatively implement the same with the @@ -3545,7 +3539,7 @@ libcrux_sha3_neon_x2_incremental_shake128_absorb_final( Squeeze 2 times the first three blocks in parallel in the [`KeccakState`] and return the output in `out0` and `out1`. */ -static KRML_MUSTINLINE void +static inline void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { @@ -3562,8 +3556,7 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( Squeeze 2 times the next block in parallel in the [`KeccakState`] and return the output in `out0` and `out1`. */ -static KRML_MUSTINLINE void -libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( +static inline void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { /* XXX: These functions could alternatively implement the same with the 
@@ -3578,7 +3571,7 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( /** Squeeze five blocks */ -static KRML_MUSTINLINE void +static inline void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { @@ -3590,8 +3583,7 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks( /** Shake256 absorb `data0` and `data1` in the [`KeccakState`] `s`. */ -static KRML_MUSTINLINE void -libcrux_sha3_neon_x2_incremental_shake256_absorb_final( +static inline void libcrux_sha3_neon_x2_incremental_shake256_absorb_final( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0, Eurydice_slice data1) { /* XXX: These functions could alternatively implement the same with the @@ -3606,7 +3598,7 @@ libcrux_sha3_neon_x2_incremental_shake256_absorb_final( /** Squeeze block */ -static KRML_MUSTINLINE void +static inline void libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { @@ -3618,8 +3610,7 @@ libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block( /** Squeeze next block */ -static KRML_MUSTINLINE void -libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block( +static inline void libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, @@ -3671,7 +3662,7 @@ libcrux_sha3_generic_keccak_squeeze_first_five_blocks_c6( /** Squeeze five blocks */ -static KRML_MUSTINLINE void +static inline void libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { Eurydice_slice buf[1U] = {out0}; 
@@ -3681,8 +3672,7 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( /** Absorb some data for SHAKE-256 for the last time */ -static KRML_MUSTINLINE void -libcrux_sha3_portable_incremental_shake256_absorb_final( +static inline void libcrux_sha3_portable_incremental_shake256_absorb_final( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data) { Eurydice_slice buf[1U] = {data}; libcrux_sha3_generic_keccak_absorb_final_9e1(s, buf); @@ -3691,7 +3681,7 @@ libcrux_sha3_portable_incremental_shake256_absorb_final( /** Create a new SHAKE-256 state object. */ -static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17 +static inline libcrux_sha3_generic_keccak_KeccakState_17 libcrux_sha3_portable_incremental_shake256_init(void) { return libcrux_sha3_generic_keccak_new_89_04(); } @@ -3699,7 +3689,7 @@ libcrux_sha3_portable_incremental_shake256_init(void) { /** Squeeze the first SHAKE-256 block */ -static KRML_MUSTINLINE void +static inline void libcrux_sha3_portable_incremental_shake256_squeeze_first_block( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) { Eurydice_slice buf[1U] = {out}; @@ -3709,7 +3699,7 @@ libcrux_sha3_portable_incremental_shake256_squeeze_first_block( /** Squeeze the next SHAKE-256 block */ -static KRML_MUSTINLINE void +static inline void libcrux_sha3_portable_incremental_shake256_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) { Eurydice_slice buf[1U] = {out}; From 51e2d6d0745a788daf02298b7f62d585b53aa827 Mon Sep 17 00:00:00 2001 
From: Jonas Schneider-Bensch Date: Mon, 4 Nov 2024 14:19:22 +0100 Subject: [PATCH 49/74] Update C extraction --- libcrux-ml-kem/c/code_gen.txt | 2 +- libcrux-ml-kem/c/internal/libcrux_core.h | 2 +- .../c/internal/libcrux_mlkem_avx2.h | 2 +- .../c/internal/libcrux_mlkem_portable.h | 2 +- libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h | 2 +- .../c/internal/libcrux_sha3_internal.h | 22 ++- libcrux-ml-kem/c/libcrux_core.c | 2 +- libcrux-ml-kem/c/libcrux_core.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem1024.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem1024_portable.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem1024_portable.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem512.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem512_avx2.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem512_avx2.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem512_portable.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem512_portable.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem768.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem768_avx2.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem768_avx2.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem768_portable.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem768_portable.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem_avx2.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem_avx2.h | 2 +- libcrux-ml-kem/c/libcrux_mlkem_portable.c | 2 +- libcrux-ml-kem/c/libcrux_mlkem_portable.h | 2 +- libcrux-ml-kem/c/libcrux_sha3.h | 62 ++++---- libcrux-ml-kem/c/libcrux_sha3_avx2.c | 143 +++++++++--------- libcrux-ml-kem/c/libcrux_sha3_avx2.h | 2 +- libcrux-ml-kem/c/libcrux_sha3_internal.h | 2 +- libcrux-ml-kem/c/libcrux_sha3_neon.c | 41 ++--- libcrux-ml-kem/c/libcrux_sha3_neon.h | 2 +- 33 files changed, 152 insertions(+), 174 deletions(-) diff --git a/libcrux-ml-kem/c/code_gen.txt b/libcrux-ml-kem/c/code_gen.txt index 15fc24b99..a9f0fcd1a 100644 --- a/libcrux-ml-kem/c/code_gen.txt +++ b/libcrux-ml-kem/c/code_gen.txt 
@@ -3,4 +3,4 @@ Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
 Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
 Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
 F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
-Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
diff --git a/libcrux-ml-kem/c/internal/libcrux_core.h b/libcrux-ml-kem/c/internal/libcrux_core.h
index 52703ecb0..a6219b29c 100644
--- a/libcrux-ml-kem/c/internal/libcrux_core.h
+++ b/libcrux-ml-kem/c/internal/libcrux_core.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __internal_libcrux_core_H
diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h
index 33c98d681..122098dd0 100644
--- a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h
+++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __internal_libcrux_mlkem_avx2_H
diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h
index d80891e09..fe31b4dfe 100644
--- a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h
+++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h
@@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 */ #ifndef __internal_libcrux_mlkem_portable_H diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h index 2beea56d8..822ba71c9 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 */ #ifndef __internal_libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h index e2ca80283..c033eebf3 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 */ #ifndef __internal_libcrux_sha3_internal_H @@ -27,7 +27,7 @@ typedef libcrux_sha3_generic_keccak_KeccakState_17 /** Create a new SHAKE-128 state object. */ -static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17 +static inline libcrux_sha3_generic_keccak_KeccakState_17 libcrux_sha3_portable_incremental_shake128_init(void) { return libcrux_sha3_generic_keccak_new_89_04(); } 
@@ -35,8 +35,7 @@ libcrux_sha3_portable_incremental_shake128_init(void) { /** Absorb */ -static KRML_MUSTINLINE void -libcrux_sha3_portable_incremental_shake128_absorb_final( +static inline void libcrux_sha3_portable_incremental_shake128_absorb_final( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data0) { Eurydice_slice buf[1U] = {data0}; libcrux_sha3_generic_keccak_absorb_final_9e(s, buf); @@ -45,7 +44,7 @@ libcrux_sha3_portable_incremental_shake128_absorb_final( /** Squeeze another block */ -static KRML_MUSTINLINE void +static inline void libcrux_sha3_portable_incremental_shake128_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { Eurydice_slice buf[1U] = {out0}; @@ -82,7 +81,7 @@ libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6( /** Squeeze three blocks */ -static KRML_MUSTINLINE void +static inline void libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { Eurydice_slice buf[1U] = {out0}; @@ -185,7 +184,7 @@ libcrux_sha3_generic_keccak_squeeze_first_five_blocks_c6( /** Squeeze five blocks */ -static KRML_MUSTINLINE void +static inline void libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { Eurydice_slice buf[1U] = {out0}; @@ -195,8 +194,7 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( /** Absorb some data for SHAKE-256 for the last time */ -static KRML_MUSTINLINE void -libcrux_sha3_portable_incremental_shake256_absorb_final( +static inline void libcrux_sha3_portable_incremental_shake256_absorb_final( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data) { Eurydice_slice buf[1U] = {data}; libcrux_sha3_generic_keccak_absorb_final_9e0(s, buf); 
@@ -205,7 +203,7 @@ libcrux_sha3_portable_incremental_shake256_absorb_final( /** Create a new SHAKE-256 state object. */ -static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17 +static inline libcrux_sha3_generic_keccak_KeccakState_17 libcrux_sha3_portable_incremental_shake256_init(void) { return libcrux_sha3_generic_keccak_new_89_04(); } @@ -213,7 +211,7 @@ libcrux_sha3_portable_incremental_shake256_init(void) { /** Squeeze the first SHAKE-256 block */ -static KRML_MUSTINLINE void +static inline void libcrux_sha3_portable_incremental_shake256_squeeze_first_block( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) { Eurydice_slice buf[1U] = {out}; @@ -223,7 +221,7 @@ libcrux_sha3_portable_incremental_shake256_squeeze_first_block( /** Squeeze the next SHAKE-256 block */ -static KRML_MUSTINLINE void +static inline void libcrux_sha3_portable_incremental_shake256_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) { Eurydice_slice buf[1U] = {out}; diff --git a/libcrux-ml-kem/c/libcrux_core.c b/libcrux-ml-kem/c/libcrux_core.c index 7d801f811..380560655 100644 --- a/libcrux-ml-kem/c/libcrux_core.c +++ b/libcrux-ml-kem/c/libcrux_core.c @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 */ #include "internal/libcrux_core.h" diff --git a/libcrux-ml-kem/c/libcrux_core.h b/libcrux-ml-kem/c/libcrux_core.h index dc2e18e7c..a9ea4ae31 100644 --- a/libcrux-ml-kem/c/libcrux_core.h +++ b/libcrux-ml-kem/c/libcrux_core.h 
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_core_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024.h b/libcrux-ml-kem/c/libcrux_mlkem1024.h
index a3e68cfa9..2a1bac2bc 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem1024_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
index cdc2a0839..e998b91fa 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "libcrux_mlkem1024_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
index 55db6393c..c6b5f62bf 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem1024_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
index b78aeb6bb..575ffc15b 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "libcrux_mlkem1024_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
index f1477247e..623f86b6a 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem1024_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512.h b/libcrux-ml-kem/c/libcrux_mlkem512.h
index 788f751a1..e50855804 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem512_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
index 8d68264c8..b45918ce0 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "libcrux_mlkem512_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
index a3453b05a..a24272f38 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem512_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
index 905fbe942..1aca3e46a 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "libcrux_mlkem512_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
index 24bfa2755..82f656696 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem512_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768.h b/libcrux-ml-kem/c/libcrux_mlkem768.h
index 099d61839..4c486fa96 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem768_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
index 68249136f..7754cb2d5 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "libcrux_mlkem768_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
index a982114cb..b0f6e449c 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem768_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
index 7cef4d22c..cadac4f79 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "libcrux_mlkem768_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
index a0533a218..58f4deb7e 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem768_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
index c1141b005..450e14514 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #include "internal/libcrux_mlkem_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
index cfcfeb508..b072c10b8 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
@@ -8,7 +8,7 @@
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
  * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
  * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664
+ * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
  */
 
 #ifndef __libcrux_mlkem_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.c b/libcrux-ml-kem/c/libcrux_mlkem_portable.c index 82eab7539..5ada2704e 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.c @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 */ #include "internal/libcrux_mlkem_portable.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/libcrux_mlkem_portable.h index 53c97bc62..6750e40b5 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 */ #ifndef __libcrux_mlkem_portable_H diff --git a/libcrux-ml-kem/c/libcrux_sha3.h b/libcrux-ml-kem/c/libcrux_sha3.h index 51d13a375..4f9736e53 100644 --- a/libcrux-ml-kem/c/libcrux_sha3.h +++ b/libcrux-ml-kem/c/libcrux_sha3.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 */ #ifndef __libcrux_sha3_H @@ -25,8 +25,8 @@ extern "C" { /** A portable SHA3 512 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest, - Eurydice_slice data) { +static inline void libcrux_sha3_portable_sha512(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_96(buf0, buf); 
@@ -35,8 +35,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest, /** A portable SHA3 256 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest, - Eurydice_slice data) { +static inline void libcrux_sha3_portable_sha256(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_ad(buf0, buf); @@ -45,8 +45,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest, /** A portable SHAKE256 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_portable_shake256( - Eurydice_slice digest, Eurydice_slice data) { +static inline void libcrux_sha3_portable_shake256(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_ad0(buf0, buf); @@ -55,8 +55,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_shake256( /** A portable SHA3 224 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest, - Eurydice_slice data) { +static inline void libcrux_sha3_portable_sha224(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_1e(buf0, buf); @@ -65,8 +65,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest, /** A portable SHA3 384 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest, - Eurydice_slice data) { +static inline void libcrux_sha3_portable_sha384(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_7c(buf0, buf); 
@@ -78,16 +78,15 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest, Preconditions: - `digest.len() == 28` */ -static KRML_MUSTINLINE void libcrux_sha3_sha224_ema(Eurydice_slice digest, - Eurydice_slice payload) { +static inline void libcrux_sha3_sha224_ema(Eurydice_slice digest, + Eurydice_slice payload) { libcrux_sha3_portable_sha224(digest, payload); } /** SHA3 224 */ -static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data, - uint8_t ret[28U]) { +static inline void libcrux_sha3_sha224(Eurydice_slice data, uint8_t ret[28U]) { uint8_t out[28U] = {0U}; libcrux_sha3_sha224_ema(Eurydice_array_to_slice((size_t)28U, out, uint8_t), data); @@ -97,16 +96,15 @@ static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data, /** SHA3 256 */ -static KRML_MUSTINLINE void libcrux_sha3_sha256_ema(Eurydice_slice digest, - Eurydice_slice payload) { +static inline void libcrux_sha3_sha256_ema(Eurydice_slice digest, + Eurydice_slice payload) { libcrux_sha3_portable_sha256(digest, payload); } /** SHA3 256 */ -static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data, - uint8_t ret[32U]) { +static inline void libcrux_sha3_sha256(Eurydice_slice data, uint8_t ret[32U]) { uint8_t out[32U] = {0U}; libcrux_sha3_sha256_ema(Eurydice_array_to_slice((size_t)32U, out, uint8_t), data); @@ -116,16 +114,15 @@ static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data, /** SHA3 384 */ -static KRML_MUSTINLINE void libcrux_sha3_sha384_ema(Eurydice_slice digest, - Eurydice_slice payload) { +static inline void libcrux_sha3_sha384_ema(Eurydice_slice digest, + Eurydice_slice payload) { libcrux_sha3_portable_sha384(digest, payload); } /** SHA3 384 */ -static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data, - uint8_t ret[48U]) { +static inline void libcrux_sha3_sha384(Eurydice_slice data, uint8_t ret[48U]) { uint8_t out[48U] = {0U}; libcrux_sha3_sha384_ema(Eurydice_array_to_slice((size_t)48U, out, uint8_t), data); 
@@ -135,16 +132,15 @@ static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data, /** SHA3 512 */ -static KRML_MUSTINLINE void libcrux_sha3_sha512_ema(Eurydice_slice digest, - Eurydice_slice payload) { +static inline void libcrux_sha3_sha512_ema(Eurydice_slice digest, + Eurydice_slice payload) { libcrux_sha3_portable_sha512(digest, payload); } /** SHA3 512 */ -static KRML_MUSTINLINE void libcrux_sha3_sha512(Eurydice_slice data, - uint8_t ret[64U]) { +static inline void libcrux_sha3_sha512(Eurydice_slice data, uint8_t ret[64U]) { uint8_t out[64U] = {0U}; libcrux_sha3_sha512_ema(Eurydice_array_to_slice((size_t)64U, out, uint8_t), data); @@ -154,8 +150,8 @@ static KRML_MUSTINLINE void libcrux_sha3_sha512(Eurydice_slice data, /** A portable SHAKE128 implementation. */ -static KRML_MUSTINLINE void libcrux_sha3_portable_shake128( - Eurydice_slice digest, Eurydice_slice data) { +static inline void libcrux_sha3_portable_shake128(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_c6(buf0, buf); @@ -166,8 +162,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_shake128( Writes `out.len()` bytes. */ -static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out, - Eurydice_slice data) { +static inline void libcrux_sha3_shake128_ema(Eurydice_slice out, + Eurydice_slice data) { libcrux_sha3_portable_shake128(out, data); } @@ -176,8 +172,8 @@ static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out, Writes `out.len()` bytes. */ -static KRML_MUSTINLINE void libcrux_sha3_shake256_ema(Eurydice_slice out, - Eurydice_slice data) { +static inline void libcrux_sha3_shake256_ema(Eurydice_slice out, + Eurydice_slice data) { libcrux_sha3_portable_shake256(out, data); } diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.c b/libcrux-ml-kem/c/libcrux_sha3_avx2.c index 004fb251f..7fc037744 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_avx2.c 
+++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.c @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 */ #include "internal/libcrux_sha3_avx2.h" @@ -23,8 +23,8 @@ static KRML_MUSTINLINE __m256i zero_ef(void) { return mm256_set1_epi64x((int64_t)0); } -static KRML_MUSTINLINE __m256i _veor5q_u64(__m256i a, __m256i b, __m256i c, - __m256i d, __m256i e) { +static __m256i _veor5q_u64(__m256i a, __m256i b, __m256i c, __m256i d, + __m256i e) { __m256i ab = mm256_xor_si256(a, b); __m256i cd = mm256_xor_si256(c, d); __m256i abcd = mm256_xor_si256(ab, cd); @@ -46,12 +46,12 @@ with const generics - LEFT= 1 - RIGHT= 63 */ -static KRML_MUSTINLINE __m256i rotate_left_76(__m256i x) { +static __m256i rotate_left_76(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)1, x, __m256i), mm256_srli_epi64((int32_t)63, x, __m256i)); } -static KRML_MUSTINLINE __m256i _vrax1q_u64(__m256i a, __m256i b) { +static __m256i _vrax1q_u64(__m256i a, __m256i b) { __m256i uu____0 = a; return mm256_xor_si256(uu____0, rotate_left_76(b)); } @@ -64,7 +64,7 @@ static KRML_MUSTINLINE __m256i rotate_left1_and_xor_ef(__m256i a, __m256i b) { return _vrax1q_u64(a, b); } -static KRML_MUSTINLINE __m256i _vbcaxq_u64(__m256i a, __m256i b, __m256i c) { +static __m256i _vbcaxq_u64(__m256i a, __m256i b, __m256i c) { return mm256_xor_si256(a, mm256_andnot_si256(c, b)); } @@ -76,7 +76,7 @@ static KRML_MUSTINLINE __m256i and_not_xor_ef(__m256i a, __m256i b, __m256i c) { return _vbcaxq_u64(a, b, c); } -static KRML_MUSTINLINE __m256i _veorq_n_u64(__m256i a, uint64_t c) { +static __m256i _veorq_n_u64(__m256i a, uint64_t c) { __m256i c0 = mm256_set1_epi64x( (int64_t) /* Casting here is required, doesn't change the value. */ c); return mm256_xor_si256(a, c0); 
@@ -90,16 +90,18 @@ static KRML_MUSTINLINE __m256i xor_constant_ef(__m256i a, uint64_t c) { return _veorq_n_u64(a, c); } +static __m256i xor0(__m256i a, __m256i b) { return mm256_xor_si256(a, b); } + /** This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4: usize> for core::core_arch::x86::__m256i)} */ static KRML_MUSTINLINE __m256i xor_ef(__m256i a, __m256i b) { - return mm256_xor_si256(a, b); + return xor0(a, b); } -static KRML_MUSTINLINE void slice_4(Eurydice_slice a[4U], size_t start, - size_t len, Eurydice_slice ret[4U]) { +static void slice_4(Eurydice_slice a[4U], size_t start, size_t len, + Eurydice_slice ret[4U]) { ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t); ret[1U] = Eurydice_slice_subslice2(a[1U], start, start + len, uint8_t); ret[2U] = Eurydice_slice_subslice2(a[2U], start, start + len, uint8_t); @@ -120,8 +122,8 @@ static KRML_MUSTINLINE void slice_n_ef(Eurydice_slice a[4U], size_t start, memcpy(ret, ret0, (size_t)4U * sizeof(Eurydice_slice)); } -static KRML_MUSTINLINE Eurydice_slice_uint8_t_4size_t__x2 -split_at_mut_4(Eurydice_slice out[4U], size_t mid) { +static Eurydice_slice_uint8_t_4size_t__x2 split_at_mut_4(Eurydice_slice out[4U], + size_t mid) { Eurydice_slice out0 = out[0U]; Eurydice_slice out1 = out[1U]; Eurydice_slice out2 = out[2U]; @@ -212,8 +214,7 @@ A monomorphic instance of libcrux_sha3.simd.avx2.load_block with const generics - RATE= 136 */ -static KRML_MUSTINLINE void load_block_5b(__m256i (*s)[5U], - Eurydice_slice blocks[4U]) { +static void load_block_5b(__m256i (*s)[5U], Eurydice_slice blocks[4U]) { for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) { size_t i0 = i; __m256i v00 = mm256_loadu_si256_u8( 
@@ -347,7 +348,7 @@ with const generics - LEFT= 36 - RIGHT= 28 */ -static KRML_MUSTINLINE __m256i rotate_left_02(__m256i x) { +static __m256i rotate_left_02(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)36, x, __m256i), mm256_srli_epi64((int32_t)28, x, __m256i)); } @@ -358,7 +359,7 @@ with const generics - LEFT= 36 - RIGHT= 28 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_02(__m256i a, __m256i b) { +static __m256i _vxarq_u64_02(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_02(ab); } @@ -383,7 +384,7 @@ with const generics - LEFT= 3 - RIGHT= 61 */ -static KRML_MUSTINLINE __m256i rotate_left_ac(__m256i x) { +static __m256i rotate_left_ac(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)3, x, __m256i), mm256_srli_epi64((int32_t)61, x, __m256i)); } @@ -394,7 +395,7 @@ with const generics - LEFT= 3 - RIGHT= 61 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_ac(__m256i a, __m256i b) { +static __m256i _vxarq_u64_ac(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_ac(ab); } @@ -419,7 +420,7 @@ with const generics - LEFT= 41 - RIGHT= 23 */ -static KRML_MUSTINLINE __m256i rotate_left_020(__m256i x) { +static __m256i rotate_left_020(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)41, x, __m256i), mm256_srli_epi64((int32_t)23, x, __m256i)); } @@ -430,7 +431,7 @@ with const generics - LEFT= 41 - RIGHT= 23 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_020(__m256i a, __m256i b) { +static __m256i _vxarq_u64_020(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_020(ab); } @@ -455,7 +456,7 @@ with const generics - LEFT= 18 - RIGHT= 46 */ -static KRML_MUSTINLINE __m256i rotate_left_a9(__m256i x) { +static __m256i rotate_left_a9(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)18, x, __m256i), mm256_srli_epi64((int32_t)46, x, __m256i)); } 
@@ -466,7 +467,7 @@ with const generics - LEFT= 18 - RIGHT= 46 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_a9(__m256i a, __m256i b) { +static __m256i _vxarq_u64_a9(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_a9(ab); } @@ -491,7 +492,7 @@ with const generics - LEFT= 1 - RIGHT= 63 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_76(__m256i a, __m256i b) { +static __m256i _vxarq_u64_76(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_76(ab); } @@ -516,7 +517,7 @@ with const generics - LEFT= 44 - RIGHT= 20 */ -static KRML_MUSTINLINE __m256i rotate_left_58(__m256i x) { +static __m256i rotate_left_58(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)44, x, __m256i), mm256_srli_epi64((int32_t)20, x, __m256i)); } @@ -527,7 +528,7 @@ with const generics - LEFT= 44 - RIGHT= 20 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_58(__m256i a, __m256i b) { +static __m256i _vxarq_u64_58(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_58(ab); } @@ -552,7 +553,7 @@ with const generics - LEFT= 10 - RIGHT= 54 */ -static KRML_MUSTINLINE __m256i rotate_left_e0(__m256i x) { +static __m256i rotate_left_e0(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)10, x, __m256i), mm256_srli_epi64((int32_t)54, x, __m256i)); } @@ -563,7 +564,7 @@ with const generics - LEFT= 10 - RIGHT= 54 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_e0(__m256i a, __m256i b) { +static __m256i _vxarq_u64_e0(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_e0(ab); } @@ -588,7 +589,7 @@ with const generics - LEFT= 45 - RIGHT= 19 */ -static KRML_MUSTINLINE __m256i rotate_left_63(__m256i x) { +static __m256i rotate_left_63(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)45, x, __m256i), mm256_srli_epi64((int32_t)19, x, __m256i)); } 
@@ -599,7 +600,7 @@ with const generics - LEFT= 45 - RIGHT= 19 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_63(__m256i a, __m256i b) { +static __m256i _vxarq_u64_63(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_63(ab); } @@ -624,7 +625,7 @@ with const generics - LEFT= 2 - RIGHT= 62 */ -static KRML_MUSTINLINE __m256i rotate_left_6a(__m256i x) { +static __m256i rotate_left_6a(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)2, x, __m256i), mm256_srli_epi64((int32_t)62, x, __m256i)); } @@ -635,7 +636,7 @@ with const generics - LEFT= 2 - RIGHT= 62 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_6a(__m256i a, __m256i b) { +static __m256i _vxarq_u64_6a(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_6a(ab); } @@ -660,7 +661,7 @@ with const generics - LEFT= 62 - RIGHT= 2 */ -static KRML_MUSTINLINE __m256i rotate_left_ab(__m256i x) { +static __m256i rotate_left_ab(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)62, x, __m256i), mm256_srli_epi64((int32_t)2, x, __m256i)); } @@ -671,7 +672,7 @@ with const generics - LEFT= 62 - RIGHT= 2 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_ab(__m256i a, __m256i b) { +static __m256i _vxarq_u64_ab(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_ab(ab); } @@ -696,7 +697,7 @@ with const generics - LEFT= 6 - RIGHT= 58 */ -static KRML_MUSTINLINE __m256i rotate_left_5b(__m256i x) { +static __m256i rotate_left_5b(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)6, x, __m256i), mm256_srli_epi64((int32_t)58, x, __m256i)); } @@ -707,7 +708,7 @@ with const generics - LEFT= 6 - RIGHT= 58 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_5b(__m256i a, __m256i b) { +static __m256i _vxarq_u64_5b(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_5b(ab); } 
@@ -732,7 +733,7 @@ with const generics - LEFT= 43 - RIGHT= 21 */ -static KRML_MUSTINLINE __m256i rotate_left_6f(__m256i x) { +static __m256i rotate_left_6f(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)43, x, __m256i), mm256_srli_epi64((int32_t)21, x, __m256i)); } @@ -743,7 +744,7 @@ with const generics - LEFT= 43 - RIGHT= 21 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_6f(__m256i a, __m256i b) { +static __m256i _vxarq_u64_6f(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_6f(ab); } @@ -768,7 +769,7 @@ with const generics - LEFT= 15 - RIGHT= 49 */ -static KRML_MUSTINLINE __m256i rotate_left_62(__m256i x) { +static __m256i rotate_left_62(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)15, x, __m256i), mm256_srli_epi64((int32_t)49, x, __m256i)); } @@ -779,7 +780,7 @@ with const generics - LEFT= 15 - RIGHT= 49 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_62(__m256i a, __m256i b) { +static __m256i _vxarq_u64_62(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_62(ab); } @@ -804,7 +805,7 @@ with const generics - LEFT= 61 - RIGHT= 3 */ -static KRML_MUSTINLINE __m256i rotate_left_23(__m256i x) { +static __m256i rotate_left_23(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)61, x, __m256i), mm256_srli_epi64((int32_t)3, x, __m256i)); } @@ -815,7 +816,7 @@ with const generics - LEFT= 61 - RIGHT= 3 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_23(__m256i a, __m256i b) { +static __m256i _vxarq_u64_23(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_23(ab); } @@ -840,7 +841,7 @@ with const generics - LEFT= 28 - RIGHT= 36 */ -static KRML_MUSTINLINE __m256i rotate_left_37(__m256i x) { +static __m256i rotate_left_37(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)28, x, __m256i), mm256_srli_epi64((int32_t)36, x, __m256i)); } 
@@ -851,7 +852,7 @@ with const generics - LEFT= 28 - RIGHT= 36 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_37(__m256i a, __m256i b) { +static __m256i _vxarq_u64_37(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_37(ab); } @@ -876,7 +877,7 @@ with const generics - LEFT= 55 - RIGHT= 9 */ -static KRML_MUSTINLINE __m256i rotate_left_bb(__m256i x) { +static __m256i rotate_left_bb(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)55, x, __m256i), mm256_srli_epi64((int32_t)9, x, __m256i)); } @@ -887,7 +888,7 @@ with const generics - LEFT= 55 - RIGHT= 9 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_bb(__m256i a, __m256i b) { +static __m256i _vxarq_u64_bb(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_bb(ab); } @@ -912,7 +913,7 @@ with const generics - LEFT= 25 - RIGHT= 39 */ -static KRML_MUSTINLINE __m256i rotate_left_b9(__m256i x) { +static __m256i rotate_left_b9(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)25, x, __m256i), mm256_srli_epi64((int32_t)39, x, __m256i)); } @@ -923,7 +924,7 @@ with const generics - LEFT= 25 - RIGHT= 39 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_b9(__m256i a, __m256i b) { +static __m256i _vxarq_u64_b9(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_b9(ab); } @@ -948,7 +949,7 @@ with const generics - LEFT= 21 - RIGHT= 43 */ -static KRML_MUSTINLINE __m256i rotate_left_54(__m256i x) { +static __m256i rotate_left_54(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)21, x, __m256i), mm256_srli_epi64((int32_t)43, x, __m256i)); } @@ -959,7 +960,7 @@ with const generics - LEFT= 21 - RIGHT= 43 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_54(__m256i a, __m256i b) { +static __m256i _vxarq_u64_54(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_54(ab); } 
@@ -984,7 +985,7 @@ with const generics - LEFT= 56 - RIGHT= 8 */ -static KRML_MUSTINLINE __m256i rotate_left_4c(__m256i x) { +static __m256i rotate_left_4c(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)56, x, __m256i), mm256_srli_epi64((int32_t)8, x, __m256i)); } @@ -995,7 +996,7 @@ with const generics - LEFT= 56 - RIGHT= 8 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_4c(__m256i a, __m256i b) { +static __m256i _vxarq_u64_4c(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_4c(ab); } @@ -1020,7 +1021,7 @@ with const generics - LEFT= 27 - RIGHT= 37 */ -static KRML_MUSTINLINE __m256i rotate_left_ce(__m256i x) { +static __m256i rotate_left_ce(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)27, x, __m256i), mm256_srli_epi64((int32_t)37, x, __m256i)); } @@ -1031,7 +1032,7 @@ with const generics - LEFT= 27 - RIGHT= 37 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_ce(__m256i a, __m256i b) { +static __m256i _vxarq_u64_ce(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_ce(ab); } @@ -1056,7 +1057,7 @@ with const generics - LEFT= 20 - RIGHT= 44 */ -static KRML_MUSTINLINE __m256i rotate_left_77(__m256i x) { +static __m256i rotate_left_77(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)20, x, __m256i), mm256_srli_epi64((int32_t)44, x, __m256i)); } @@ -1067,7 +1068,7 @@ with const generics - LEFT= 20 - RIGHT= 44 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_77(__m256i a, __m256i b) { +static __m256i _vxarq_u64_77(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_77(ab); } @@ -1092,7 +1093,7 @@ with const generics - LEFT= 39 - RIGHT= 25 */ -static KRML_MUSTINLINE __m256i rotate_left_25(__m256i x) { +static __m256i rotate_left_25(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)39, x, __m256i), mm256_srli_epi64((int32_t)25, x, __m256i)); } 
@@ -1103,7 +1104,7 @@ with const generics - LEFT= 39 - RIGHT= 25 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_25(__m256i a, __m256i b) { +static __m256i _vxarq_u64_25(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_25(ab); } @@ -1128,7 +1129,7 @@ with const generics - LEFT= 8 - RIGHT= 56 */ -static KRML_MUSTINLINE __m256i rotate_left_af(__m256i x) { +static __m256i rotate_left_af(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)8, x, __m256i), mm256_srli_epi64((int32_t)56, x, __m256i)); } @@ -1139,7 +1140,7 @@ with const generics - LEFT= 8 - RIGHT= 56 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_af(__m256i a, __m256i b) { +static __m256i _vxarq_u64_af(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_af(ab); } @@ -1164,7 +1165,7 @@ with const generics - LEFT= 14 - RIGHT= 50 */ -static KRML_MUSTINLINE __m256i rotate_left_fd(__m256i x) { +static __m256i rotate_left_fd(__m256i x) { return mm256_xor_si256(mm256_slli_epi64((int32_t)14, x, __m256i), mm256_srli_epi64((int32_t)50, x, __m256i)); } @@ -1175,7 +1176,7 @@ with const generics - LEFT= 14 - RIGHT= 50 */ -static KRML_MUSTINLINE __m256i _vxarq_u64_fd(__m256i a, __m256i b) { +static __m256i _vxarq_u64_fd(__m256i a, __m256i b) { __m256i ab = mm256_xor_si256(a, b); return rotate_left_fd(ab); } @@ -1421,8 +1422,7 @@ A monomorphic instance of libcrux_sha3.simd.avx2.store_block with const generics - RATE= 136 */ -static KRML_MUSTINLINE void store_block_5b(__m256i (*s)[5U], - Eurydice_slice out[4U]) { +static void store_block_5b(__m256i (*s)[5U], Eurydice_slice out[4U]) { for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) { size_t i0 = i; __m256i v0l = mm256_permute2x128_si256( 
@@ -1775,8 +1775,7 @@ A monomorphic instance of libcrux_sha3.simd.avx2.load_block with const generics - RATE= 168 */ -static KRML_MUSTINLINE void load_block_3a(__m256i (*s)[5U], - Eurydice_slice blocks[4U]) { +static void load_block_3a(__m256i (*s)[5U], Eurydice_slice blocks[4U]) { for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) { size_t i0 = i; __m256i v00 = mm256_loadu_si256_u8( @@ -1962,8 +1961,7 @@ A monomorphic instance of libcrux_sha3.simd.avx2.store_block with const generics - RATE= 168 */ -static KRML_MUSTINLINE void store_block_3a(__m256i (*s)[5U], - Eurydice_slice out[4U]) { +static void store_block_3a(__m256i (*s)[5U], Eurydice_slice out[4U]) { for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) { size_t i0 = i; __m256i v0l = mm256_permute2x128_si256( @@ -2207,8 +2205,7 @@ static KRML_MUSTINLINE void squeeze_first_five_blocks_97( /** Squeeze five blocks */ -KRML_MUSTINLINE void -libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks( +void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { Eurydice_slice buf[4U] = {out0, out1, out2, out3}; @@ -2218,7 +2215,7 @@ libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks( /** Absorb */ -KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final( +void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0, Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) { Eurydice_slice buf[4U] = {data0, data1, data2, data3}; 
@@ -2228,8 +2225,7 @@ KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final( /** Squeeze block */ -KRML_MUSTINLINE void -libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block( +void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { Eurydice_slice buf[4U] = {out0, out1, out2, out3}; @@ -2239,8 +2235,7 @@ libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block( /** Squeeze next block */ -KRML_MUSTINLINE void -libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block( +void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { Eurydice_slice buf[4U] = {out0, out1, out2, out3}; diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/libcrux_sha3_avx2.h index 6b3a024e4..b13fc4697 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 */ #ifndef __libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_sha3_internal.h b/libcrux-ml-kem/c/libcrux_sha3_internal.h index 073cd070e..44ee7755b 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/libcrux_sha3_internal.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 */ #ifndef __libcrux_sha3_internal_H 
diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.c b/libcrux-ml-kem/c/libcrux_sha3_neon.c index f9027dd69..527fa850b 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_neon.c +++ b/libcrux-ml-kem/c/libcrux_sha3_neon.c @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 */ #include "libcrux_sha3_neon.h" @@ -16,8 +16,7 @@ /** A portable SHA3 224 implementation. */ -KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest, - Eurydice_slice data) { +void libcrux_sha3_neon_sha224(Eurydice_slice digest, Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); KRML_HOST_EXIT(255U); @@ -26,8 +25,7 @@ KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest, /** A portable SHA3 256 implementation. */ -KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest, - Eurydice_slice data) { +void libcrux_sha3_neon_sha256(Eurydice_slice digest, Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); KRML_HOST_EXIT(255U); @@ -36,8 +34,7 @@ KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest, /** A portable SHA3 384 implementation. */ -KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest, - Eurydice_slice data) { +void libcrux_sha3_neon_sha384(Eurydice_slice digest, Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); KRML_HOST_EXIT(255U); 
@@ -46,8 +43,7 @@ KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest, /** A portable SHA3 512 implementation. */ -KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest, - Eurydice_slice data) { +void libcrux_sha3_neon_sha512(Eurydice_slice digest, Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); KRML_HOST_EXIT(255U); @@ -58,10 +54,8 @@ KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest, Writes the two results into `out0` and `out1` */ -KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, - Eurydice_slice input1, - Eurydice_slice out0, - Eurydice_slice out1) { +void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, Eurydice_slice input1, + Eurydice_slice out0, Eurydice_slice out1) { /* TODO: make argument ordering consistent */ KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); @@ -71,7 +65,7 @@ KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, /** Initialise the `KeccakState2`. */ -KRML_MUSTINLINE libcrux_sha3_neon_x2_incremental_KeccakState +libcrux_sha3_neon_x2_incremental_KeccakState libcrux_sha3_neon_x2_incremental_init(void) { /* XXX: These functions could alternatively implement the same with the * portable implementation { let s0 = KeccakState::new(); let s1 = @@ -84,7 +78,7 @@ libcrux_sha3_neon_x2_incremental_init(void) { /** Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`. */ -KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake128_absorb_final( +void libcrux_sha3_neon_x2_incremental_shake128_absorb_final( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0, Eurydice_slice data1) { /* XXX: These functions could alternatively implement the same with the 
@@ -100,8 +94,7 @@ KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake128_absorb_final( Squeeze 2 times the first three blocks in parallel in the [`KeccakState`] and return the output in `out0` and `out1`. */ -KRML_MUSTINLINE void -libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( +void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { /* XXX: These functions could alternatively implement the same with the @@ -117,8 +110,7 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( Squeeze 2 times the next block in parallel in the [`KeccakState`] and return the output in `out0` and `out1`. */ -KRML_MUSTINLINE void -libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( +void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { /* XXX: These functions could alternatively implement the same with the @@ -133,8 +125,7 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( /** Squeeze five blocks */ -KRML_MUSTINLINE void -libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks( +void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, @@ -145,7 +136,7 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks( /** Shake256 absorb `data0` and `data1` in the [`KeccakState`] `s`. */ -KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake256_absorb_final( +void libcrux_sha3_neon_x2_incremental_shake256_absorb_final( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0, Eurydice_slice data1) { /* XXX: These functions could alternatively implement the same with the 
@@ -160,8 +151,7 @@ KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake256_absorb_final( /** Squeeze block */ -KRML_MUSTINLINE void -libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block( +void libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, @@ -172,8 +162,7 @@ libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block( /** Squeeze next block */ -KRML_MUSTINLINE void -libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block( +void libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.h b/libcrux-ml-kem/c/libcrux_sha3_neon.h index a98e1e65c..0fda1a76f 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_neon.h +++ b/libcrux-ml-kem/c/libcrux_sha3_neon.h @@ -8,7 +8,7 @@ * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: 99b4e0ae6147eb731652e0ee355fc77d2c160664 + * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 */ #ifndef __libcrux_sha3_neon_H From 61f72fd4fb1d40b783d88235bfea91b6aaf6733b Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Mon, 4 Nov 2024 15:11:34 +0100 Subject: [PATCH 50/74] Fix paths --- libcrux-ml-dsa/src/hash_functions.rs | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs index ba8f9e952..028b1906c 100644 --- a/libcrux-ml-dsa/src/hash_functions.rs +++ b/libcrux-ml-dsa/src/hash_functions.rs 
@@ -464,18 +464,18 @@ pub(crate) mod simd256 { /// AVX2 SHAKE 256 state pub(crate) struct Shake256 { - state: portable::KeccakState, + state: libcrux_sha3::portable::KeccakState, } impl shake256::Xof for Shake256 { #[inline(always)] fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { - portable::shake256(out, input); + libcrux_sha3::portable::shake256(out, input); } #[inline(always)] fn init_absorb(input: &[u8]) -> Self { - let mut state = portable::incremental::shake256_init(); - portable::incremental::shake256_absorb_final(&mut state, input); + let mut state = libcrux_sha3::portable::incremental::shake256_init(); + libcrux_sha3::portable::incremental::shake256_absorb_final(&mut state, input); Self { state } } @@ -483,14 +483,20 @@ pub(crate) mod simd256 { #[inline(always)] fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { let mut out = [0u8; shake256::BLOCK_SIZE]; - portable::incremental::shake256_squeeze_first_block(&mut self.state, &mut out); + libcrux_sha3::portable::incremental::shake256_squeeze_first_block( + &mut self.state, + &mut out, + ); out } #[inline(always)] fn squeeze_next_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { let mut out = [0u8; shake256::BLOCK_SIZE]; - portable::incremental::shake256_squeeze_next_block(&mut self.state, &mut out); + libcrux_sha3::portable::incremental::shake256_squeeze_next_block( + &mut self.state, + &mut out, + ); out } } From 3cf3915d39343d26b4184ef26c1142ae869318c9 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 4 Nov 2024 18:48:27 +0000 Subject: [PATCH 51/74] really don't run on windows --- .github/workflows/c.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/c.yml b/.github/workflows/c.yml index 7bc42fa39..5345cad14 100644 --- a/.github/workflows/c.yml +++ b/.github/workflows/c.yml @@ -162,4 +162,4 @@ jobs: - name: 🏃🏻‍♀️ Test run: ./build/ml_kem_test - if: ${{ matrix.os == 'windows-latest' }} + if: ${{ matrix.os != 'windows-latest' }} 
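Review bot: The doc comment `/// AVX2 SHAKE 256 state` on `Shake256` in `mod simd256` now sits above a field typed `libcrux_sha3::portable::KeccakState`, so it promises an AVX2 implementation the struct does not hold; the `-483` hunk on the same line routes the squeeze calls through the portable incremental API as well. Suggest `/// SHAKE 256 state for the simd256 backend; single-lane SHAKE 256 delegates to the portable Keccak implementation.` so a reader does not assume a vectorised path. Whether a single-lane AVX2 SHAKE 256 exists in libcrux_sha3 and was the intended target cannot be told from this hunk. The `impl shake256::Xof for Shake256` block spans both hunks.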
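Review bot: Flipping the step-level condition to `if: ${{ matrix.os != 'windows-latest' }}` makes the Windows entry of this matrix go green without `./build/ml_kem_test` ever running, so a passing Windows job no longer says anything about the tests. If Windows is meant to be unsupported for this binary, a one-line comment above the step, e.g. `# ml_kem_test is not run on Windows: <reason>`, or an `exclude:` entry in the job's matrix strategy keeps that gap visible in the workflow rather than hidden in a skipped step. The job's build steps and matrix definition are above the hunk, so I cannot tell whether the build itself still runs on Windows.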
From 84a01adeae352be7a8fe3efa618e87ec39ad240b Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Mon, 4 Nov 2024 19:08:01 +0000 Subject: [PATCH 52/74] format cg/eurydice_glue --- libcrux-ml-kem/cg/eurydice_glue.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libcrux-ml-kem/cg/eurydice_glue.h b/libcrux-ml-kem/cg/eurydice_glue.h index 0c910a68a..3f9b35cc2 100644 --- a/libcrux-ml-kem/cg/eurydice_glue.h +++ b/libcrux-ml-kem/cg/eurydice_glue.h @@ -17,8 +17,8 @@ extern "C" { #include #include -#include "karamel/target.h" #include "karamel/endianness.h" +#include "karamel/target.h" // SLICES, ARRAYS, ETC. From 7297c0b3b7ee0ab8b9d13e5aace5297f5dcb061f Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Tue, 5 Nov 2024 10:32:30 +0100 Subject: [PATCH 53/74] added issue-comment for samplex4 edits --- libcrux-ml-dsa/src/samplex4.rs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index 389da763d..918deb8ce 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -10,6 +10,10 @@ fn generate_domain_separator(row: u8, column: u8) -> u16 { (column as u16) | ((row as u16) << 8) } +// Doing deep updates like `a[1][1] = 3` causes a memory blowup in F* +// https://github.com/hacspec/hax/issues/1098 +// So we are instead using a matrix abstraction with a custom update function here. + type Matrix = [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A]; From dac387a03e4a2c5b0ededf90412c48eb175f0730 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Tue, 5 Nov 2024 10:46:32 +0100 Subject: [PATCH 54/74] renamed inputs --- libcrux-ml-dsa/src/hash_functions.rs | 100 +++++++++++++-------------- 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs index 2d4864f3f..a30cfe4d8 100644 --- a/libcrux-ml-dsa/src/hash_functions.rs +++ b/libcrux-ml-dsa/src/hash_functions.rs 
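Review bot: The three-line explanation added above `type Matrix` is a plain `//` comment separated from the alias by a blank line, so it neither attaches to `Matrix` in rustdoc nor visibly belongs to the custom update function it mentions. Turning it into `///` doc-comment lines directly above `type Matrix = …` (dropping the blank line) keeps the hax issue link next to the type it justifies. The update function the comment refers to is outside this hunk.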
@@ -77,7 +77,7 @@ pub(crate) mod shake128 { /// A portable implementation of [`shake128::Xof`] and [`shake256::Xof`]. pub(crate) mod portable { use libcrux_sha3::portable::incremental; - + use libcrux_sha3::portable::KeccakState; use super::{shake128, shake256}; /// Portable SHAKE 128 x4 state. @@ -85,10 +85,10 @@ pub(crate) mod portable { /// We're using a portable implementation so this is actually sequential. #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake128X4 { - state0: libcrux_sha3::portable::KeccakState, - state1: libcrux_sha3::portable::KeccakState, - state2: libcrux_sha3::portable::KeccakState, - state3: libcrux_sha3::portable::KeccakState, + state0: KeccakState, + state1: KeccakState, + state2: KeccakState, + state3: KeccakState, } fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake128X4 { @@ -113,20 +113,20 @@ pub(crate) mod portable { } fn squeeze_first_five_blocks( - x: &mut Shake128X4, + state: &mut Shake128X4, out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out1: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], ) { - incremental::shake128_squeeze_first_five_blocks(&mut x.state0, out0); - incremental::shake128_squeeze_first_five_blocks(&mut x.state1, out1); - incremental::shake128_squeeze_first_five_blocks(&mut x.state2, out2); - incremental::shake128_squeeze_first_five_blocks(&mut x.state3, out3); + incremental::shake128_squeeze_first_five_blocks(&mut state.state0, out0); + incremental::shake128_squeeze_first_five_blocks(&mut state.state1, out1); + incremental::shake128_squeeze_first_five_blocks(&mut state.state2, out2); + incremental::shake128_squeeze_first_five_blocks(&mut state.state3, out3); } fn squeeze_next_block( - x: &mut Shake128X4, + state: &mut Shake128X4, ) -> ( [u8; shake128::BLOCK_SIZE], [u8; shake128::BLOCK_SIZE], 
@@ -134,13 +134,13 @@ pub(crate) mod portable { [u8; shake128::BLOCK_SIZE], ) { let mut out0 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut x.state0, &mut out0); + incremental::shake128_squeeze_next_block(&mut state.state0, &mut out0); let mut out1 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut x.state1, &mut out1); + incremental::shake128_squeeze_next_block(&mut state.state1, &mut out1); let mut out2 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut x.state2, &mut out2); + incremental::shake128_squeeze_next_block(&mut state.state2, &mut out2); let mut out3 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut x.state3, &mut out3); + incremental::shake128_squeeze_next_block(&mut state.state3, &mut out3); (out0, out1, out2, out3) } @@ -187,7 +187,7 @@ pub(crate) mod portable { /// Portable SHAKE 256 state #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256 { - state: libcrux_sha3::portable::KeccakState, + state: KeccakState, } fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { @@ -200,15 +200,15 @@ pub(crate) mod portable { Shake256 { state } } - fn squeeze_first_block_shake256(x: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] { + fn squeeze_first_block_shake256(state: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] { let mut out = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut x.state, &mut out); + incremental::shake256_squeeze_first_block(&mut state.state, &mut out); out } - fn squeeze_next_block_shake256(x: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] { + fn squeeze_next_block_shake256(state: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] { let mut out = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut x.state, &mut out); + incremental::shake256_squeeze_next_block(&mut state.state, &mut out); out } 
@@ -262,7 +262,7 @@ pub(crate) mod portable { } fn squeeze_first_block_x4( - x: &mut Shake256X4, + state: &mut Shake256X4, ) -> ( [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], @@ -270,19 +270,19 @@ pub(crate) mod portable { [u8; shake256::BLOCK_SIZE], ) { let mut out0 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut x.state0, &mut out0); + incremental::shake256_squeeze_first_block(&mut state.state0, &mut out0); let mut out1 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut x.state1, &mut out1); + incremental::shake256_squeeze_first_block(&mut state.state1, &mut out1); let mut out2 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut x.state2, &mut out2); + incremental::shake256_squeeze_first_block(&mut state.state2, &mut out2); let mut out3 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut x.state3, &mut out3); + incremental::shake256_squeeze_first_block(&mut state.state3, &mut out3); (out0, out1, out2, out3) } fn squeeze_next_block_x4( - x: &mut Shake256X4, + state: &mut Shake256X4, ) -> ( [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], 
@@ -290,13 +290,13 @@ pub(crate) mod portable { [u8; shake256::BLOCK_SIZE], ) { let mut out0 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut x.state0, &mut out0); + incremental::shake256_squeeze_next_block(&mut state.state0, &mut out0); let mut out1 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut x.state1, &mut out1); + incremental::shake256_squeeze_next_block(&mut state.state1, &mut out1); let mut out2 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut x.state2, &mut out2); + incremental::shake256_squeeze_next_block(&mut state.state2, &mut out2); let mut out3 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut x.state3, &mut out3); + incremental::shake256_squeeze_next_block(&mut state.state3, &mut out3); (out0, out1, out2, out3) } @@ -399,17 +399,17 @@ pub(crate) mod simd256 { } fn squeeze_first_five_blocks( - x: &mut Shake128x4, + state: &mut Shake128x4, out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out1: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], ) { - x4::incremental::shake128_squeeze_first_five_blocks(&mut x.state, out0, out1, out2, out3); + x4::incremental::shake128_squeeze_first_five_blocks(&mut state.state, out0, out1, out2, out3); } fn squeeze_next_block( - x: &mut Shake128x4, + state: &mut Shake128x4, ) -> ( [u8; shake128::BLOCK_SIZE], [u8; shake128::BLOCK_SIZE], @@ -421,7 +421,7 @@ pub(crate) mod simd256 { let mut out2 = [0u8; shake128::BLOCK_SIZE]; let mut out3 = [0u8; shake128::BLOCK_SIZE]; x4::incremental::shake128_squeeze_next_block( - &mut x.state, + &mut state.state, &mut out0, &mut out1, &mut out2, @@ -475,7 +475,7 @@ pub(crate) mod simd256 { } fn squeeze_first_block_x4( - x: &mut Shake256x4, + state: &mut Shake256x4, ) -> ( [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], 
@@ -487,7 +487,7 @@ pub(crate) mod simd256 {
 let mut out2 = [0u8; shake256::BLOCK_SIZE];
 let mut out3 = [0u8; shake256::BLOCK_SIZE];
 x4::incremental::shake256_squeeze_first_block(
- &mut x.state,
+ &mut state.state,
 &mut out0,
 &mut out1,
 &mut out2,
@@ -498,7 +498,7 @@ pub(crate) mod simd256 {
 }
 fn squeeze_next_block_x4(
- x: &mut Shake256x4,
+ state: &mut Shake256x4,
 ) -> (
 [u8; shake256::BLOCK_SIZE],
 [u8; shake256::BLOCK_SIZE],
@@ -510,7 +510,7 @@ pub(crate) mod simd256 {
 let mut out2 = [0u8; shake256::BLOCK_SIZE];
 let mut out3 = [0u8; shake256::BLOCK_SIZE];
 x4::incremental::shake256_squeeze_next_block(
- &mut x.state,
+ &mut state.state,
 &mut out0,
 &mut out1,
 &mut out2,
@@ -598,18 +598,18 @@ pub(crate) mod neon {
 }
 fn squeeze_first_five_blocks(
- x: &mut Shake128x4,
+ state: &mut Shake128x4,
 out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE],
 out1: &mut [u8; shake128::FIVE_BLOCKS_SIZE],
 out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE],
 out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE],
 ) {
- x2::incremental::shake128_squeeze_first_five_blocks(&mut x.state[0], out0, out1);
- x2::incremental::shake128_squeeze_first_five_blocks(&mut x.state[1], out2, out3);
+ x2::incremental::shake128_squeeze_first_five_blocks(&mut state.state[0], out0, out1);
+ x2::incremental::shake128_squeeze_first_five_blocks(&mut state.state[1], out2, out3);
 }
 fn squeeze_next_block(
- x: &mut Shake128x4,
+ state: &mut Shake128x4,
 ) -> (
 [u8; shake128::BLOCK_SIZE],
 [u8; shake128::BLOCK_SIZE],
@@ -620,8 +620,8 @@ pub(crate) mod neon {
 let mut out1 = [0u8; shake128::BLOCK_SIZE];
 let mut out2 = [0u8; shake128::BLOCK_SIZE];
 let mut out3 = [0u8; shake128::BLOCK_SIZE];
- x2::incremental::shake128_squeeze_next_block(&mut x.state[0], &mut out0, &mut out1);
- x2::incremental::shake128_squeeze_next_block(&mut x.state[1], &mut out2, &mut out3);
+ x2::incremental::shake128_squeeze_next_block(&mut state.state[0], &mut out0, &mut out1);
+ x2::incremental::shake128_squeeze_next_block(&mut state.state[1], &mut out2, &mut out3);
 (out0, out1, out2, out3)
 }
@@ -668,7 +668,7 @@ pub(crate) mod neon {
 }
 fn squeeze_first_block_x4(
- x: &mut Shake256x4,
+ state: &mut Shake256x4,
 ) -> (
 [u8; shake256::BLOCK_SIZE],
 [u8; shake256::BLOCK_SIZE],
@@ -679,14 +679,14 @@ pub(crate) mod neon {
 let mut out1 = [0u8; shake256::BLOCK_SIZE];
 let mut out2 = [0u8; shake256::BLOCK_SIZE];
 let mut out3 = [0u8; shake256::BLOCK_SIZE];
- x2::incremental::shake256_squeeze_first_block(&mut x.state[0], &mut out0, &mut out1);
- x2::incremental::shake256_squeeze_first_block(&mut x.state[1], &mut out2, &mut out3);
+ x2::incremental::shake256_squeeze_first_block(&mut state.state[0], &mut out0, &mut out1);
+ x2::incremental::shake256_squeeze_first_block(&mut state.state[1], &mut out2, &mut out3);
 (out0, out1, out2, out3)
 }
 fn squeeze_next_block_x4(
- x: &mut Shake256x4,
+ state: &mut Shake256x4,
 ) -> (
 [u8; shake256::BLOCK_SIZE],
 [u8; shake256::BLOCK_SIZE],
@@ -697,8 +697,8 @@ pub(crate) mod neon {
 let mut out1 = [0u8; shake256::BLOCK_SIZE];
 let mut out2 = [0u8; shake256::BLOCK_SIZE];
 let mut out3 = [0u8; shake256::BLOCK_SIZE];
- x2::incremental::shake256_squeeze_next_block(&mut x.state[0], &mut out0, &mut out1);
- x2::incremental::shake256_squeeze_next_block(&mut x.state[1], &mut out2, &mut out3);
+ x2::incremental::shake256_squeeze_next_block(&mut state.state[0], &mut out0, &mut out1);
+ x2::incremental::shake256_squeeze_next_block(&mut state.state[1], &mut out2, &mut out3);
 (out0, out1, out2, out3)
 }
From e542ac3eb2d93c4584414cd6f0282483efbb1444 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Tue, 5 Nov 2024 11:18:45 +0100 Subject: [PATCH 55/74] fmt --- .../Libcrux_ml_dsa.Hash_functions.Neon.fsti | 8 ++++---- .../Libcrux_ml_dsa.Hash_functions.Portable.fsti | 15 +++++++++------ .../Libcrux_ml_dsa.Hash_functions.Simd256.fsti | 8 ++++---- libcrux-ml-dsa/src/hash_functions.rs | 10 ++++++++-- 4 files changed, 25 insertions(+), 16 deletions(-) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti index 6805e0d00..9ad6829f1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti @@ -24,19 +24,19 @@ val shake256_x4 Prims.l_True (fun _ -> Prims.l_True) -val squeeze_first_block_x4 (x: t_Shake256x4) +val squeeze_first_block_x4 (state: t_Shake256x4) : Prims.Pure (t_Shake256x4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) Prims.l_True (fun _ -> Prims.l_True) -val squeeze_first_five_blocks (x: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840)) +val squeeze_first_five_blocks (state: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840)) : Prims.Pure (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) -val squeeze_next_block (x: t_Shake128x4) +val squeeze_next_block (state: t_Shake128x4) : Prims.Pure (t_Shake128x4 & (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) 
@@ -140,7 +140,7 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) } -val squeeze_next_block_x4 (x: t_Shake256x4) +val squeeze_next_block_x4 (state: t_Shake256x4) : Prims.Pure (t_Shake256x4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti index 2d75db5dd..19bf6bae1 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti @@ -21,6 +21,9 @@ val t_Shake256Absorb:Type0 val t_Shake256Squeeze:Type0 +val init_absorb__init_absorb (input: t_Slice u8) + : Prims.Pure Libcrux_sha3.Portable.t_KeccakState Prims.l_True (fun _ -> Prims.l_True) + val init_absorb (input0 input1 input2 input3: t_Slice u8) : Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True) 
@@ -69,22 +72,22 @@ val shake256_init: Prims.unit -> Prims.Pure t_Shake256Absorb Prims.l_True (fun _ val shake256_squeeze (st: t_Shake256Squeeze) (out: t_Slice u8) : Prims.Pure (t_Shake256Squeeze & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val squeeze_first_block_shake256 (x: t_Shake256) +val squeeze_first_block_shake256 (state: t_Shake256) : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) -val squeeze_first_block_x4 (x: t_Shake256X4) +val squeeze_first_block_x4 (state: t_Shake256X4) : Prims.Pure (t_Shake256X4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) Prims.l_True (fun _ -> Prims.l_True) -val squeeze_first_five_blocks (x: t_Shake128X4) (out0 out1 out2 out3: t_Array u8 (sz 840)) +val squeeze_first_five_blocks (state: t_Shake128X4) (out0 out1 out2 out3: t_Array u8 (sz 840)) : Prims.Pure (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) -val squeeze_next_block (x: t_Shake128X4) +val squeeze_next_block (state: t_Shake128X4) : Prims.Pure (t_Shake128X4 & (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) @@ -188,7 +191,7 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 = (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) } -val squeeze_next_block_shake256 (x: t_Shake256) +val squeeze_next_block_shake256 (state: t_Shake256) : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] 
@@ -238,7 +241,7 @@ let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136)) } -val squeeze_next_block_x4 (x: t_Shake256X4) +val squeeze_next_block_x4 (state: t_Shake256X4) : Prims.Pure (t_Shake256X4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti index 3ff04ac43..a9b24b26a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti @@ -27,19 +27,19 @@ val shake256_x4 Prims.l_True (fun _ -> Prims.l_True) -val squeeze_first_block_x4 (x: t_Shake256x4) +val squeeze_first_block_x4 (state: t_Shake256x4) : Prims.Pure (t_Shake256x4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) Prims.l_True (fun _ -> Prims.l_True) -val squeeze_first_five_blocks (x: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840)) +val squeeze_first_five_blocks (state: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840)) : Prims.Pure (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) -val squeeze_next_block (x: t_Shake128x4) +val squeeze_next_block (state: t_Shake128x4) : Prims.Pure (t_Shake128x4 & (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) 
@@ -143,7 +143,7 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) } -val squeeze_next_block_x4 (x: t_Shake256x4) +val squeeze_next_block_x4 (state: t_Shake256x4) : Prims.Pure (t_Shake256x4 & (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs index a30cfe4d8..92da681d7 100644 --- a/libcrux-ml-dsa/src/hash_functions.rs +++ b/libcrux-ml-dsa/src/hash_functions.rs @@ -76,9 +76,9 @@ pub(crate) mod shake128 { /// A portable implementation of [`shake128::Xof`] and [`shake256::Xof`]. pub(crate) mod portable { + use super::{shake128, shake256}; use libcrux_sha3::portable::incremental; use libcrux_sha3::portable::KeccakState; - use super::{shake128, shake256}; /// Portable SHAKE 128 x4 state. /// @@ -405,7 +405,13 @@ pub(crate) mod simd256 { out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], ) { - x4::incremental::shake128_squeeze_first_five_blocks(&mut state.state, out0, out1, out2, out3); + x4::incremental::shake128_squeeze_first_five_blocks( + &mut state.state, + out0, + out1, + out2, + out3, + ); } fn squeeze_next_block( From 654d83639e9633f6750a8fce3cb7240d993f10a2 Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Tue, 5 Nov 2024 14:28:13 +0100 Subject: [PATCH 56/74] Missing `opaque_type`s in `hash_functions` --- libcrux-ml-dsa/src/hash_functions.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs index 11b2461c1..7bb00e532 100644 --- a/libcrux-ml-dsa/src/hash_functions.rs +++ b/libcrux-ml-dsa/src/hash_functions.rs 
@@ -172,6 +172,7 @@ pub(crate) mod portable {
 }
 /// Portable SHAKE 128 state
+ #[cfg_attr(hax, hax_lib::opaque_type)]
 pub(crate) struct Shake128 {}
 fn shake128(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) {
@@ -469,6 +470,7 @@ pub(crate) mod simd256 {
 }
 /// AVX2 SHAKE 256 state
+ #[cfg_attr(hax, hax_lib::opaque_type)]
 pub(crate) struct Shake256 {
 state: libcrux_sha3::portable::KeccakState,
 }
From a19752d20d575244b1c88aacf92bb0a8ee02b1ad Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch
Date: Tue, 5 Nov 2024 14:57:10 +0100
Subject: [PATCH 57/74] Make trait impl functions into wrappers
---
 libcrux-ml-dsa/src/hash_functions.rs | 55 +++++++++++++++++++---------
 1 file changed, 38 insertions(+), 17 deletions(-)
diff --git a/libcrux-ml-dsa/src/hash_functions.rs b/libcrux-ml-dsa/src/hash_functions.rs
index 7bb00e532..ff22b6e78 100644
--- a/libcrux-ml-dsa/src/hash_functions.rs
+++ b/libcrux-ml-dsa/src/hash_functions.rs
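Review bot: The doc comment `/// AVX2 SHAKE 256 state` above the struct in the second hunk is misleading, because the field being marked opaque is `libcrux_sha3::portable::KeccakState`: the single-stream SHAKE-256 of the simd256 backend is the portable Keccak, not a vectorised one. Once `opaque_type` hides the representation from hax, the F* side only sees an abstract `t_Shake256`, so this comment becomes the one place the fallback is recorded. I would write `/// SHAKE 256 state used by the AVX2 backend. There is no AVX2 single-stream SHAKE 256 here, so this wraps the portable Keccak state; presumably only the x4 variants run vectorised code.` Anyone assessing the timing or performance profile of the AVX2 build should know that this path executes the portable permutation.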
@@ -474,38 +474,59 @@ pub(crate) mod simd256 {
 pub(crate) struct Shake256 {
 state: libcrux_sha3::portable::KeccakState,
 }
+
+ #[inline(always)]
+ fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) {
+ libcrux_sha3::portable::shake256(out, input);
+ }
+
+ #[inline(always)]
+ fn init_absorb_shake256(input: &[u8]) -> Shake256 {
+ let mut state = libcrux_sha3::portable::incremental::shake256_init();
+ libcrux_sha3::portable::incremental::shake256_absorb_final(&mut state, input);
+
+ Shake256 { state }
+ }
+
+ #[inline(always)]
+ fn squeeze_first_block_shake256(state: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] {
+ let mut out = [0u8; shake256::BLOCK_SIZE];
+ libcrux_sha3::portable::incremental::shake256_squeeze_first_block(
+ &mut state.state,
+ &mut out,
+ );
+ out
+ }
+
+ #[inline(always)]
+ fn squeeze_next_block_shake256(state: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] {
+ let mut out = [0u8; shake256::BLOCK_SIZE];
+ libcrux_sha3::portable::incremental::shake256_squeeze_next_block(
+ &mut state.state,
+ &mut out,
+ );
+ out
+ }
+
 impl shake256::Xof for Shake256 {
 #[inline(always)]
 fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) {
- libcrux_sha3::portable::shake256(out, input);
+ shake256(input, out)
 }
 #[inline(always)]
 fn init_absorb(input: &[u8]) -> Self {
- let mut state = libcrux_sha3::portable::incremental::shake256_init();
- libcrux_sha3::portable::incremental::shake256_absorb_final(&mut state, input);
-
- Self { state }
+ init_absorb_shake256(input)
 }
 #[inline(always)]
 fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] {
- let mut out = [0u8; shake256::BLOCK_SIZE];
- libcrux_sha3::portable::incremental::shake256_squeeze_first_block(
- &mut self.state,
- &mut out,
- );
- out
+ squeeze_first_block_shake256(self)
 }
 #[inline(always)]
 fn squeeze_next_block(&mut self) -> [u8; shake256::BLOCK_SIZE] {
- let mut out = [0u8; shake256::BLOCK_SIZE];
- libcrux_sha3::portable::incremental::shake256_squeeze_next_block(
- &mut self.state,
- &mut out,
- );
- out
+ squeeze_next_block_shake256(self)
 }
 }
From 837d70fb5e5bb26f5853d737533ea1d3d5015e78 Mon Sep 17 00:00:00 2001
From: Jonas Schneider-Bensch
Date: Tue, 5 Nov 2024 15:32:36 +0100
Subject: [PATCH 58/74] Don't use trait methods
---
 libcrux-ml-dsa/src/simd/portable/ntt.rs | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs
index 3f4e7f12a..11bfab4d2 100644
--- a/libcrux-ml-dsa/src/simd/portable/ntt.rs
+++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs
@@ -1,11 +1,8 @@
-use super::arithmetic::{self, montgomery_multiply_fe_by_fer};
-use crate::simd::{
- portable::PortableSIMDUnit,
- traits::{
- montgomery_multiply_by_fer, FieldElementTimesMontgomeryR, COEFFICIENTS_IN_SIMD_UNIT,
- SIMD_UNITS_IN_RING_ELEMENT,
- },
+use super::arithmetic::{
+ self, montgomery_multiply_by_constant, montgomery_multiply_fe_by_fer, MontgomeryFieldElement,
 };
+use super::vector_type::PortableSIMDUnit;
+use crate::simd::traits::{COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT};
 #[inline(always)]
 pub fn simd_unit_ntt_at_layer_0(
@@ -280,15 +277,11 @@ fn ntt_at_layer_2(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) {
 }
 #[inline(always)]
-fn outer_3_plus<
- const OFFSET: usize,
- const STEP_BY: usize,
- const ZETA: FieldElementTimesMontgomeryR,
->(
+fn outer_3_plus(
 re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT],
 ) {
 for j in OFFSET..OFFSET + STEP_BY {
- let t = montgomery_multiply_by_fer(re[j + STEP_BY], ZETA);
+ let t = montgomery_multiply_by_constant(re[j + STEP_BY], ZETA);
 re[j + STEP_BY] = arithmetic::subtract(&re[j], &t);
 re[j] = arithmetic::add(&re[j], &t);
From 873ccf899d96801ea433ee2022526ba1b6c727f1 Mon Sep 17 00:00:00 2001
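Review bot: The four new free functions `shake256`, `init_absorb_shake256`, `squeeze_first_block_shake256` and `squeeze_next_block_shake256` carry no doc comments, although after this hunk they are the real implementation and the `Xof` impl only forwards to them. I would put a one-liner on each, e.g. `/// One-shot SHAKE-256 of `input` into `out` (portable Keccak).` and `/// Absorb `input` as the final block; the returned state is ready to squeeze.`, plus a sentence on the group saying why they exist as free functions — presumably so the hax extraction can name them outside the typeclass instance, which neither the code nor the commit message states. As a point of style, the free `shake256` shares its name with the `shake256` module used for `shake256::BLOCK_SIZE` in the same hunk; Rust keeps modules and functions in separate namespaces, so this compiles and the bare call inside the impl resolves to the free function rather than recursing into the trait method, but a name in line with the other `*_shake256` wrappers would spare the reader that check.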
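Review bot: The new signature line `fn outer_3_plus(` in the second ntt.rs hunk shows no const-generic parameter list, yet the body still reads `OFFSET`, `STEP_BY` and `ZETA`, and the import hunk adds `MontgomeryFieldElement`, which nothing visible uses. Most likely the line is really `fn outer_3_plus<const OFFSET: usize, const STEP_BY: usize, const ZETA: MontgomeryFieldElement>(` and the angle-bracketed list was swallowed as an HTML tag when this page was rendered — the hunk's line counts fit a one-line signature either way — but if the committed line is as shown it does not compile, so please confirm. The `for` loop and the function body close outside the hunk.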
From: Jonas Schneider-Bensch Date: Tue, 5 Nov 2024 15:33:38 +0100 Subject: [PATCH 59/74] Update F* --- ...ibcrux_ml_dsa.Hash_functions.Portable.fsti | 5 +- ...Libcrux_ml_dsa.Hash_functions.Simd256.fsti | 66 +- ...neric.Instantiations.Avx2.Avx2_feature.fst | 97 + ...eric.Instantiations.Avx2.Avx2_feature.fsti | 78 + ...dsa.Ml_dsa_generic.Instantiations.Avx2.fst | 52 +- ...sa.Ml_dsa_generic.Instantiations.Avx2.fsti | 12 - .../Libcrux_ml_dsa.Ml_dsa_generic.fst | 24 +- .../fstar/extraction/Libcrux_ml_dsa.Ntt.fst | 2294 +++++++++++-- .../fstar/extraction/Libcrux_ml_dsa.Ntt.fsti | 119 +- .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fst | 2983 ++++++++++++++++- .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti | 46 +- .../Libcrux_ml_dsa.Simd.Portable.Ntt.fst | 1545 +++++++-- .../Libcrux_ml_dsa.Simd.Portable.Ntt.fsti | 76 +- .../Libcrux_ml_dsa.Simd.Traits.fsti | 40 - .../extraction/Libcrux_platform.X86.fsti | 2 +- 15 files changed, 6555 insertions(+), 884 deletions(-) create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti index 19bf6bae1..c1b251529 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti @@ -4,7 +4,7 @@ open Core open FStar.Mul /// Portable SHAKE 128 state -type t_Shake128 = | Shake128 : t_Shake128 +val t_Shake128:Type0 /// Portable SHAKE 128 x4 state. /// We\'re using a portable implementation so this is actually sequential. 
@@ -21,9 +21,6 @@ val t_Shake256Absorb:Type0 val t_Shake256Squeeze:Type0 -val init_absorb__init_absorb (input: t_Slice u8) - : Prims.Pure Libcrux_sha3.Portable.t_KeccakState Prims.l_True (fun _ -> Prims.l_True) - val init_absorb (input0 input1 input2 input3: t_Slice u8) : Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti index a9b24b26a..97db532b4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti @@ -11,13 +11,22 @@ val t_Shake128x4:Type0 /// AVX2 SHAKE 256 x4 state. val t_Shake256x4:Type0 +/// AVX2 SHAKE 256 state +val t_Shake256:Type0 + /// Init the state and absorb 4 blocks in parallel. val init_absorb (input0 input1 input2 input3: t_Slice u8) : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) +val init_absorb_shake256 (input: t_Slice u8) + : Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True) + val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True) +val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) + : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) + val shake256_x4 (v_OUT_LEN: usize) (input0 input1 input2 input3: t_Slice u8) @@ -27,6 +36,9 @@ val shake256_x4 Prims.l_True (fun _ -> Prims.l_True) +val squeeze_first_block_shake256 (state: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) + val squeeze_first_block_x4 (state: t_Shake256x4) : Prims.Pure (t_Shake256x4 & 
@@ -143,6 +155,58 @@ let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) } +val squeeze_next_block_shake256 (state: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = + { + f_shake256_pre + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); + f_shake256_post + = + (fun + (v_OUTPUT_LENGTH: usize) + (input: t_Slice u8) + (out: t_Array u8 v_OUTPUT_LENGTH) + (out1: t_Array u8 v_OUTPUT_LENGTH) + -> + true); + f_shake256 + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> + let hax_temp_output, out:(Prims.unit & t_Array u8 v_OUTPUT_LENGTH) = + (), shake256 v_OUTPUT_LENGTH input out <: (Prims.unit & t_Array u8 v_OUTPUT_LENGTH) + in + out); + f_init_absorb_pre = (fun (input: t_Slice u8) -> true); + f_init_absorb_post = (fun (input: t_Slice u8) (out: t_Shake256) -> true); + f_init_absorb = (fun (input: t_Slice u8) -> init_absorb_shake256 input); + f_squeeze_first_block_pre = (fun (self: t_Shake256) -> true); + f_squeeze_first_block_post + = + (fun (self: t_Shake256) (out2: (t_Shake256 & t_Array u8 (sz 136))) -> true); + f_squeeze_first_block + = + (fun (self: t_Shake256) -> + let tmp0, out1:(t_Shake256 & t_Array u8 (sz 136)) = squeeze_first_block_shake256 self in + let self:t_Shake256 = tmp0 in + let hax_temp_output:t_Array u8 (sz 136) = out1 in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136))); + f_squeeze_next_block_pre = (fun (self: t_Shake256) -> true); + f_squeeze_next_block_post + = + (fun (self: t_Shake256) (out2: (t_Shake256 & t_Array u8 (sz 136))) -> true); + f_squeeze_next_block + = + fun (self: t_Shake256) -> + let tmp0, out1:(t_Shake256 & t_Array u8 (sz 136)) = squeeze_next_block_shake256 self 
in + let self:t_Shake256 = tmp0 in + let hax_temp_output:t_Array u8 (sz 136) = out1 in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136)) + } + val squeeze_next_block_x4 (state: t_Shake256x4) : Prims.Pure (t_Shake256x4 & @@ -151,7 +215,7 @@ val squeeze_next_block_x4 (state: t_Shake256x4) (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = +let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = { f_init_absorb_x4_pre = diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst new file mode 100644 index 000000000..db410963c --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fst 
@@ -0,0 +1,97 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE 
v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context + randomness + +let sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness + +let verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE + v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT 
v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + +let verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti new file mode 100644 index 000000000..f5492bbb9 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.fsti 
@@ -0,0 +1,78 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign. +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). 
+val sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst index 7aab62832..42e4c6671 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst @@ -3,28 +3,18 @@ module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2 open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Portable in - let open Libcrux_ml_dsa.Hash_functions.Shake128 in - let open Libcrux_ml_dsa.Hash_functions.Shake256 in - let open Libcrux_ml_dsa.Hash_functions.Simd256 in - let open Libcrux_ml_dsa.Pre_hash in - let open Libcrux_ml_dsa.Simd.Avx2 in - let open Libcrux_ml_dsa.Simd.Traits in - () - let generate_key_pair (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: usize) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA - v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.generate_key_pair v_ROWS_IN_A + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE + v_VERIFICATION_KEY_SIZE + randomness let sign (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) 
@@ -35,11 +25,8 @@ let sign (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA - v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.sign v_ROWS_IN_A v_COLUMNS_IN_A + v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness @@ -53,11 +40,8 @@ let sign_pre_hashed_shake128 (message context: t_Slice u8) (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.sign_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness 
@@ -72,11 +56,9 @@ let verify (message context: t_Slice u8) (signature: t_Array u8 v_SIGNATURE_SIZE) = - Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE - v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA - v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.verify v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 + v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature let verify_pre_hashed_shake128 @@ -89,10 +71,8 @@ let verify_pre_hashed_shake128 (message context: t_Slice u8) (signature: t_Array u8 v_SIGNATURE_SIZE) = - Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit - #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 - #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH - (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.Avx2_feature.verify_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti index c244ca0d5..3763fcb0a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti @@ -3,18 +3,6 @@ module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2 open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_dsa.Hash_functions.Portable in - let open Libcrux_ml_dsa.Hash_functions.Shake128 in - let open Libcrux_ml_dsa.Hash_functions.Shake256 in - let open Libcrux_ml_dsa.Hash_functions.Simd256 in - let open Libcrux_ml_dsa.Pre_hash in - let open Libcrux_ml_dsa.Simd.Avx2 in - let open Libcrux_ml_dsa.Simd.Traits in - () - /// Generate key pair. val generate_key_pair (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst index 878dd2cb5..95d331653 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst 
@@ -543,11 +543,7 @@ let sign <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness | Core.Result.Result_Err err -> - Core.Result.Result_Err - (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError - #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - #FStar.Tactics.Typeclasses.solve - err) + Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError @@ -608,11 +604,7 @@ let sign_pre_hashed <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness | Core.Result.Result_Err err -> - Core.Result.Result_Err - (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError - #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - #FStar.Tactics.Typeclasses.solve - err) + Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError @@ -806,11 +798,7 @@ let verify <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized | Core.Result.Result_Err err -> - Core.Result.Result_Err - (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError - #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - #FStar.Tactics.Typeclasses.solve - err) + Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError 
@@ -859,11 +847,7 @@ let verify_pre_hashed <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized | Core.Result.Result_Err err -> - Core.Result.Result_Err - (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError - #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError - #FStar.Tactics.Typeclasses.solve - err) + Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst index b36669c58..f0e0c4d22 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst 
@@ -9,6 +9,1889 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () +let invert_ntt_at_layer_0_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 0) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 0 ] <: v_SIMDUnit) + 1976782l + (-846154l) + 1400424l + 3937738l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 1) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 1 ] <: v_SIMDUnit) + (-1362209l) + (-48306l) + 3919660l + (-554416l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 2) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 2 ] <: v_SIMDUnit) + (-3545687l) + 1612842l + (-976891l) + 183443l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let 
re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 3) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 3 ] <: v_SIMDUnit) + (-2286327l) + (-420899l) + (-2235985l) + (-2939036l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 4) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 4 ] <: v_SIMDUnit) + (-3833893l) + (-260646l) + (-1104333l) + (-1667432l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 5) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 5 ] <: v_SIMDUnit) + 1910376l + (-1803090l) + 1723600l + (-426683l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 6) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ 
#v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 6 ] <: v_SIMDUnit) + 472078l + 1717735l + (-975884l) + 2213111l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 7) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 7 ] <: v_SIMDUnit) + 269760l + 3866901l + 3523897l + (-3038916l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 8) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 8 ] <: v_SIMDUnit) + (-1799107l) + (-3694233l) + 1652634l + 810149l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 9) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 9 ] <: v_SIMDUnit) + 3014001l + 1616392l + 162844l + (-3183426l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 10) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 10 ] <: v_SIMDUnit) + (-1207385l) + 185531l + 3369112l + 1957272l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 11) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 11 ] <: v_SIMDUnit) + (-164721l) + 2454455l + 2432395l + (-2013608l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 12) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 12 ] <: v_SIMDUnit) + (-3776993l) + 594136l + (-3724270l) + (-2584293l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 13) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + 
(re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 13 ] <: v_SIMDUnit) + (-1846953l) + (-1671176l) + (-2831860l) + (-542412l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 14) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 14 ] <: v_SIMDUnit) + 3406031l + 2235880l + 777191l + 1500165l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 15) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 15 ] <: v_SIMDUnit) + (-1374803l) + (-2546312l) + 1917081l + (-1279661l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 16) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 16 ] <: v_SIMDUnit) + (-1962642l) + 3306115l + 1312455l + (-451100l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + 
Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 17) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 17 ] <: v_SIMDUnit) + (-1430225l) + (-3318210l) + 1237275l + (-1333058l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 18) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 18 ] <: v_SIMDUnit) + (-1050970l) + 1903435l + 1869119l + (-2994039l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 19) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 19 ] <: v_SIMDUnit) + (-3548272l) + 2635921l + 1250494l + (-3767016l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 20) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + 
(re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 20 ] <: v_SIMDUnit) + 1595974l + 2486353l + 1247620l + 4055324l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 21) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 21 ] <: v_SIMDUnit) + 1265009l + (-2590150l) + 2691481l + 2842341l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 22) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 22 ] <: v_SIMDUnit) + 203044l + 1735879l + (-3342277l) + 3437287l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 23) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 23 ] <: v_SIMDUnit) + 4108315l + (-2437823l) + 286988l + 342297l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + 
Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 24) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 24 ] <: v_SIMDUnit) + (-3595838l) + (-768622l) + (-525098l) + (-3556995l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 25) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 25 ] <: v_SIMDUnit) + 3207046l + 2031748l + (-3122442l) + (-655327l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 26) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 26 ] <: v_SIMDUnit) + (-522500l) + (-43260l) + (-1613174l) + 495491l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 27) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + 
(re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 27 ] <: v_SIMDUnit) + 819034l + 909542l + 1859098l + 900702l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 28) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 28 ] <: v_SIMDUnit) + (-3193378l) + (-1197226l) + (-3759364l) + (-3520352l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 29) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 29 ] <: v_SIMDUnit) + 3513181l + (-1235728l) + 2434439l + 266997l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 30) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 30 ] <: v_SIMDUnit) + (-3562462l) + (-2446433l) + 2244091l + (-3342478l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + 
Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 31) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 31 ] <: v_SIMDUnit) + 3817976l + 2316500l + 3407706l + 2091667l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re + +let invert_ntt_at_layer_1_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 0) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 0 ] <: v_SIMDUnit) + 3839961l + (-3628969l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 1) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 1 ] <: v_SIMDUnit) + (-3881060l) + (-3019102l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + 
.Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 2) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 2 ] <: v_SIMDUnit) + (-1439742l) + (-812732l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 3) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 3 ] <: v_SIMDUnit) + (-1584928l) + 1285669l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 4) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 4 ] <: v_SIMDUnit) + 1341330l + 1315589l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 5) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 5 ] <: v_SIMDUnit) + (-177440l) + (-2409325l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let 
re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 6) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 6 ] <: v_SIMDUnit) + (-1851402l) + 3159746l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 7) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 7 ] <: v_SIMDUnit) + (-3553272l) + 189548l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 8) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 8 ] <: v_SIMDUnit) + (-1316856l) + 759969l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 9) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + 
(re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 9 ] <: v_SIMDUnit) + (-210977l) + 2389356l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 10) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 10 ] <: v_SIMDUnit) + (-3249728l) + 1653064l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 11) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 11 ] <: v_SIMDUnit) + (-8578l) + (-3724342l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 12) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 12 ] <: v_SIMDUnit) + 3958618l + 904516l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize 
re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 13) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 13 ] <: v_SIMDUnit) + (-1100098l) + 44288l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 14) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 14 ] <: v_SIMDUnit) + 3097992l + 508951l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 15) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 15 ] <: v_SIMDUnit) + 264944l + (-3343383l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 16) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 16 ] <: v_SIMDUnit) + (-1430430l) + 1852771l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let 
re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 17) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 17 ] <: v_SIMDUnit) + 1349076l + (-381987l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 18) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 18 ] <: v_SIMDUnit) + (-1308169l) + (-22981l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 19) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 19 ] <: v_SIMDUnit) + (-1228525l) + (-671102l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 20) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + 
(re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 20 ] <: v_SIMDUnit) + (-2477047l) + (-411027l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 21) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 21 ] <: v_SIMDUnit) + (-3693493l) + (-2967645l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 22) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 22 ] <: v_SIMDUnit) + 2715295l + 2147896l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 23) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 23 ] <: v_SIMDUnit) + (-983419l) + 3412210l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 24) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 24 ] <: v_SIMDUnit) + 126922l + (-3632928l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 25) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 25 ] <: v_SIMDUnit) + (-3157330l) + (-3190144l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 26) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 26 ] <: v_SIMDUnit) + (-1000202l) + (-4083598l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 27) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 27 ] <: v_SIMDUnit) + 1939314l + (-1257611l) + <: + v_SIMDUnit) + } + <: + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 28) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 28 ] <: v_SIMDUnit) + (-1585221l) + 2176455l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 29) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 29 ] <: v_SIMDUnit) + 3475950l + (-1452451l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 30) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 30 ] <: v_SIMDUnit) + (-3041255l) + (-3677745l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 31) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ 
#v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 31 ] <: v_SIMDUnit) + (-1528703l) + (-3930395l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re + +let invert_ntt_at_layer_2_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 0) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 0 ] <: v_SIMDUnit) + (-2797779l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 1) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 1 ] <: v_SIMDUnit) + 2071892l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 2) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 2 ] <: v_SIMDUnit) + (-2556880l) + <: + v_SIMDUnit) + } + <: + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 3) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 3 ] <: v_SIMDUnit) + 3900724l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 4) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 4 ] <: v_SIMDUnit) + 3881043l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 5) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 5 ] <: v_SIMDUnit) + 954230l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 6) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + 
(re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 6 ] <: v_SIMDUnit) + 531354l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 7) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 7 ] <: v_SIMDUnit) + 811944l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 8) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 8 ] <: v_SIMDUnit) + 3699596l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 9) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 9 ] <: v_SIMDUnit) + (-1600420l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 10) + 
(Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 10 ] <: v_SIMDUnit) + (-2140649l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 11) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 11 ] <: v_SIMDUnit) + 3507263l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 12) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 12 ] <: v_SIMDUnit) + (-3821735l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 13) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 13 ] <: v_SIMDUnit) + 3505694l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 14) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 14 ] <: v_SIMDUnit) + (-1643818l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 15) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 15 ] <: v_SIMDUnit) + (-1699267l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 16) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 16 ] <: v_SIMDUnit) + (-539299l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 17) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 17 ] <: v_SIMDUnit) + 2348700l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let 
re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 18) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 18 ] <: v_SIMDUnit) + (-300467l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 19) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 19 ] <: v_SIMDUnit) + 3539968l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 20) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 20 ] <: v_SIMDUnit) + (-2867647l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 21) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 21 ] <: v_SIMDUnit) 
+ 3574422l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 22) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 22 ] <: v_SIMDUnit) + (-3043716l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 23) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 23 ] <: v_SIMDUnit) + (-3861115l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 24) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 24 ] <: v_SIMDUnit) + 3915439l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 25) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ 
#v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 25 ] <: v_SIMDUnit) + (-2537516l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 26) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 26 ] <: v_SIMDUnit) + (-3592148l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 27) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 27 ] <: v_SIMDUnit) + (-1661693l) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 28) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 28 ] <: v_SIMDUnit) + 3530437l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 29) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 29 ] <: v_SIMDUnit) + 3077325l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 30) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 30 ] <: v_SIMDUnit) + 95776l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (sz 31) + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 31 ] <: v_SIMDUnit) + 2706023l + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re + let ntt (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -26,30 +1909,32 @@ let ntt <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit -let invert_ntt_at_layer_1_ +let outer_3_plus (#v_SIMDUnit: Type0) + (v_OFFSET v_STEP_BY: usize) + (v_ZETA: i32) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let zeta_i:usize = zeta_i -! sz 1 in - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (sz 256 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range v_OFFSET + (v_OFFSET +! v_STEP_BY <: usize) + (fun re temp_1_ -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in let _:usize = temp_1_ in true) - (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) - (fun temp_0_ round -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ + re + (fun re j -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let j:usize = j in + let a_minus_b:v_SIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_subtract #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! v_STEP_BY <: usize ] <: v_SIMDUnit) + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) in - let round:usize = round in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = { re with 
@@ -57,48 +1942,19 @@ let invert_ntt_at_layer_1_ = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_dsa.Polynomial.f_simd_units - round - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + j + (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize ] <: i32) + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! v_STEP_BY <: usize ] + <: + v_SIMDUnit) <: v_SIMDUnit) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit in - let zeta_i:usize = zeta_i -! sz 2 in - re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) - in - let zeta_i:usize = zeta_i +! sz 1 in - zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - -let invert_ntt_at_layer_2_ - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (zeta_i: usize) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - = - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (sz 256 /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) - (fun temp_0_ round -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in - let round:usize = round in - let zeta_i:usize = zeta_i -! sz 1 in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = { re with 
@@ -106,169 +1962,156 @@ let invert_ntt_at_layer_2_ = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_dsa.Polynomial.f_simd_units - round - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (j +! v_STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Traits.montgomery_multiply_by_fer #v_SIMDUnit a_minus_b v_ZETA <: v_SIMDUnit) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit in - re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + re) in let hax_temp_output:Prims.unit = () <: Prims.unit in - zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + re -let invert_ntt_at_layer_3_plus +let invert_ntt_at_layer_3_ (#v_SIMDUnit: Type0) - (v_LAYER: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let step:usize = sz 1 <>! v_LAYER <: usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) - (fun temp_0_ round -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in - let round:usize = round in - let zeta_i:usize = zeta_i -! sz 1 in - let offset:usize = - ((round *! step <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! 
step_by <: usize) - (fun re temp_1_ -> - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in - let j:usize = j in - let a_minus_b:v_SIMDUnit = - Libcrux_ml_dsa.Simd.Traits.f_subtract #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! step_by <: usize ] - <: - v_SIMDUnit) - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - j - (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! step_by <: usize ] - <: - v_SIMDUnit) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (j +! 
step_by <: usize) - (Libcrux_ml_dsa.Simd.Traits.montgomery_multiply_by_fer #v_SIMDUnit - a_minus_b - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - re) - in - re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 0) (sz 1) 280005l re in - let hax_temp_output:Prims.unit = () <: Prims.unit in - zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 2) (sz 1) 4010497l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 4) (sz 1) (-19422l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 6) (sz 1) 1757237l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 8) (sz 1) (-3277672l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 10) (sz 1) (-1399561l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 12) (sz 1) (-3859737l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 14) (sz 1) (-2118186l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 16) (sz 1) (-2108549l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 18) (sz 1) 2619752l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 20) (sz 1) (-1119584l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 22) (sz 1) (-549488l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 24) (sz 1) 3585928l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 26) (sz 1) (-1079900l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 28) (sz 1) 1024112l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 30) (sz 1) 2725464l re + in + re -let invert_ntt_at_layer_0_ +let invert_ntt_at_layer_4_ (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let zeta_i:usize = zeta_i -! sz 1 in - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #v_SIMDUnit - (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) - (fun temp_0_ round -> - let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = - temp_0_ - in - let round:usize = round in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - round - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) - 
(v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize ] <: i32) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 2 <: usize ] <: i32) - (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 3 <: usize ] <: i32) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let zeta_i:usize = zeta_i -! sz 4 in - re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 0) (sz 2) 2680103l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 4) (sz 2) 3111497l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 8) (sz 2) (-2884855l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 12) (sz 2) 3119733l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 16) (sz 2) (-2091905l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 20) (sz 2) (-359251l) re in - let zeta_i:usize = zeta_i +! 
sz 1 in - zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 24) (sz 2) 2353451l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 28) (sz 2) 1826347l re + in + re + +let invert_ntt_at_layer_5_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 0) (sz 4) 466468l re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 8) (sz 4) (-876248l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 16) (sz 4) (-777960l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 24) (sz 4) 237124l re + in + re + +let invert_ntt_at_layer_6_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 0) (sz 8) (-518909l) re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 16) (sz 8) (-2608894l) re + in + re + +let invert_ntt_at_layer_7_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + outer_3_plus #v_SIMDUnit (sz 0) (sz 16) 25847l re + in + re let 
invert_ntt_montgomery (#v_SIMDUnit: Type0) 
@@ -277,55 +2120,30 @@ let invert_ntt_montgomery Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - let zeta_i:usize = Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT in - let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_0_ #v_SIMDUnit zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_1_ #v_SIMDUnit zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_2_ #v_SIMDUnit zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 3) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 4) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 5) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 6) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = - invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 7) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in - let _:Prims.unit = () in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_2_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_3_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_4_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_5_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_6_ #v_SIMDUnit re + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_7_ #v_SIMDUnit re + in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_SIMDUnit diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti index d15c500f9..ed4cbfb4e 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti 
@@ -9,47 +9,27 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (sz 256) = - let list = - [ - 0l; 25847l; (-2608894l); (-518909l); 237124l; (-777960l); (-876248l); 466468l; 1826347l; - 2353451l; (-359251l); (-2091905l); 3119733l; (-2884855l); 3111497l; 2680103l; 2725464l; - 1024112l; (-1079900l); 3585928l; (-549488l); (-1119584l); 2619752l; (-2108549l); (-2118186l); - (-3859737l); (-1399561l); (-3277672l); 1757237l; (-19422l); 4010497l; 280005l; 2706023l; - 95776l; 3077325l; 3530437l; (-1661693l); (-3592148l); (-2537516l); 3915439l; (-3861115l); - (-3043716l); 3574422l; (-2867647l); 3539968l; (-300467l); 2348700l; (-539299l); (-1699267l); - (-1643818l); 3505694l; (-3821735l); 3507263l; (-2140649l); (-1600420l); 3699596l; 811944l; - 531354l; 954230l; 3881043l; 3900724l; (-2556880l); 2071892l; (-2797779l); (-3930395l); - (-1528703l); (-3677745l); (-3041255l); (-1452451l); 3475950l; 2176455l; (-1585221l); - (-1257611l); 1939314l; (-4083598l); (-1000202l); (-3190144l); (-3157330l); (-3632928l); - 126922l; 3412210l; (-983419l); 2147896l; 2715295l; (-2967645l); (-3693493l); (-411027l); - (-2477047l); (-671102l); (-1228525l); (-22981l); (-1308169l); (-381987l); 1349076l; 1852771l; - (-1430430l); (-3343383l); 264944l; 508951l; 3097992l; 44288l; (-1100098l); 904516l; 3958618l; - (-3724342l); (-8578l); 1653064l; (-3249728l); 2389356l; (-210977l); 759969l; (-1316856l); - 189548l; (-3553272l); 3159746l; (-1851402l); (-2409325l); (-177440l); 1315589l; 1341330l; - 1285669l; (-1584928l); (-812732l); (-1439742l); (-3019102l); (-3881060l); (-3628969l); - 3839961l; 2091667l; 3407706l; 2316500l; 3817976l; (-3342478l); 2244091l; (-2446433l); - (-3562462l); 266997l; 2434439l; (-1235728l); 3513181l; (-3520352l); (-3759364l); (-1197226l); - (-3193378l); 900702l; 1859098l; 909542l; 819034l; 495491l; (-1613174l); (-43260l); (-522500l); - (-655327l); (-3122442l); 2031748l; 3207046l; (-3556995l); (-525098l); (-768622l); (-3595838l); - 342297l; 
286988l; (-2437823l); 4108315l; 3437287l; (-3342277l); 1735879l; 203044l; 2842341l; - 2691481l; (-2590150l); 1265009l; 4055324l; 1247620l; 2486353l; 1595974l; (-3767016l); 1250494l; - 2635921l; (-3548272l); (-2994039l); 1869119l; 1903435l; (-1050970l); (-1333058l); 1237275l; - (-3318210l); (-1430225l); (-451100l); 1312455l; 3306115l; (-1962642l); (-1279661l); 1917081l; - (-2546312l); (-1374803l); 1500165l; 777191l; 2235880l; 3406031l; (-542412l); (-2831860l); - (-1671176l); (-1846953l); (-2584293l); (-3724270l); 594136l; (-3776993l); (-2013608l); - 2432395l; 2454455l; (-164721l); 1957272l; 3369112l; 185531l; (-1207385l); (-3183426l); 162844l; - 1616392l; 3014001l; 810149l; 1652634l; (-3694233l); (-1799107l); (-3038916l); 3523897l; - 3866901l; 269760l; 2213111l; (-975884l); 1717735l; 472078l; (-426683l); 1723600l; (-1803090l); - 1910376l; (-1667432l); (-1104333l); (-260646l); (-3833893l); (-2939036l); (-2235985l); - (-420899l); (-2286327l); 183443l; (-976891l); 1612842l; (-3545687l); (-554416l); 3919660l; - (-48306l); (-1362209l); 3937738l; 1400424l; (-846154l); 1976782l - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256); - Rust_primitives.Hax.array_of_list 256 list +let invert_ntt_at_layer_3___STEP: usize = sz 8 -val ntt +let invert_ntt_at_layer_3___STEP_BY: usize = sz 1 + +let invert_ntt_at_layer_4___STEP: usize = sz 16 + +let invert_ntt_at_layer_4___STEP_BY: usize = sz 2 + +let invert_ntt_at_layer_5___STEP: usize = sz 32 + +let invert_ntt_at_layer_5___STEP_BY: usize = sz 4 + +let invert_ntt_at_layer_6___STEP: usize = sz 64 + +let invert_ntt_at_layer_6___STEP_BY: usize = sz 8 + +let invert_ntt_at_layer_7___STEP: usize = sz 128 + +let invert_ntt_at_layer_7___STEP_BY: usize = sz 16 + +val invert_ntt_at_layer_0_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) 
@@ -60,37 +40,74 @@ val ntt val invert_ntt_at_layer_1_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) val invert_ntt_at_layer_2_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_3_plus +val outer_3_plus (#v_SIMDUnit: Type0) - (v_LAYER: usize) + (v_OFFSET v_STEP_BY: usize) + (v_ZETA: i32) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) -val invert_ntt_at_layer_0_ +val invert_ntt_at_layer_3_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_4_ + (#v_SIMDUnit: Type0) + {| i1: 
Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_5_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_6_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} - (zeta_i: usize) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_7_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst index 0e6daf656..fb55f5f13 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst 
@@ -121,225 +121,2854 @@ let invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32) = let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 240l sums products -let ntt_at_layer_3_plus (v_LAYER zeta_i: usize) (re: t_Array u8 (sz 32)) = - let step:usize = sz 1 <>! v_LAYER <: usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in +let ntt_at_layer_0_ (re: t_Array u8 (sz 32)) = + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 0 ] <: u8) (re.[ sz 0 +! sz 1 <: usize ] <: u8) 2091667l 3407706l 2316500l + 3817976l (-3342478l) 2244091l (-2446433l) (-3562462l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 2 ] <: u8) (re.[ sz 2 +! sz 1 <: usize ] <: u8) 266997l 2434439l + (-1235728l) 3513181l (-3520352l) (-3759364l) (-1197226l) (-3193378l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 4 ] <: u8) (re.[ sz 4 +! sz 1 <: usize ] <: u8) 900702l 1859098l 909542l + 819034l 495491l (-1613174l) (-43260l) (-522500l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 6 ] <: u8) (re.[ sz 6 +! 
sz 1 <: usize ] <: u8) (-655327l) (-3122442l) + 2031748l 3207046l (-3556995l) (-525098l) (-768622l) (-3595838l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 8 ] <: u8) (re.[ sz 8 +! sz 1 <: usize ] <: u8) 342297l 286988l + (-2437823l) 4108315l 3437287l (-3342277l) 1735879l 203044l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 10 ] <: u8) (re.[ sz 10 +! sz 1 <: usize ] <: u8) 2842341l 2691481l + (-2590150l) 1265009l 4055324l 1247620l 2486353l 1595974l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 12 ] <: u8) (re.[ sz 12 +! sz 1 <: usize ] <: u8) (-3767016l) 1250494l + 2635921l (-3548272l) (-2994039l) 1869119l 1903435l (-1050970l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 14 ] <: u8) (re.[ sz 14 +! 
sz 1 <: usize ] <: u8) (-1333058l) 1237275l + (-3318210l) (-1430225l) (-451100l) 1312455l 3306115l (-1962642l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 16 ] <: u8) (re.[ sz 16 +! sz 1 <: usize ] <: u8) (-1279661l) 1917081l + (-2546312l) (-1374803l) 1500165l 777191l 2235880l 3406031l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 18 ] <: u8) (re.[ sz 18 +! sz 1 <: usize ] <: u8) (-542412l) (-2831860l) + (-1671176l) (-1846953l) (-2584293l) (-3724270l) 594136l (-3776993l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 20 ] <: u8) (re.[ sz 20 +! sz 1 <: usize ] <: u8) (-2013608l) 2432395l + 2454455l (-164721l) 1957272l 3369112l 185531l (-1207385l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 22 ] <: u8) (re.[ sz 22 +! 
sz 1 <: usize ] <: u8) (-3183426l) 162844l + 1616392l 3014001l 810149l 1652634l (-3694233l) (-1799107l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 24 ] <: u8) (re.[ sz 24 +! sz 1 <: usize ] <: u8) (-3038916l) 3523897l + 3866901l 269760l 2213111l (-975884l) 1717735l 472078l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 26 ] <: u8) (re.[ sz 26 +! sz 1 <: usize ] <: u8) (-426683l) 1723600l + (-1803090l) 1910376l (-1667432l) (-1104333l) (-260646l) (-3833893l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 28 ] <: u8) (re.[ sz 28 +! sz 1 <: usize ] <: u8) (-2939036l) (-2235985l) + (-420899l) (-2286327l) 183443l (-976891l) 1612842l (-3545687l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ sz 30 ] <: u8) (re.[ sz 30 +! 
sz 1 <: usize ] <: u8) (-554416l) 3919660l + (-48306l) (-1362209l) 3937738l 1400424l (-846154l) 1976782l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30 +! sz 1 <: usize) b + in + re + +let ntt_at_layer_1_ (re: t_Array u8 (sz 32)) = + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 0 ] <: u8) + (re.[ sz 0 +! sz 1 <: usize ] <: u8) + (-3930395l) + (-1528703l) + (-3677745l) + (-3041255l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 2 ] <: u8) + (re.[ sz 2 +! sz 1 <: usize ] <: u8) + (-1452451l) + 3475950l + 2176455l + (-1585221l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 4 ] <: u8) + (re.[ sz 4 +! sz 1 <: usize ] <: u8) + (-1257611l) + 1939314l + (-4083598l) + (-1000202l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 6 ] <: u8) + (re.[ sz 6 +! sz 1 <: usize ] <: u8) + (-3190144l) + (-3157330l) + (-3632928l) + 126922l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6 +! 
sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 8 ] <: u8) + (re.[ sz 8 +! sz 1 <: usize ] <: u8) + 3412210l + (-983419l) + 2147896l + 2715295l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 10 ] <: u8) + (re.[ sz 10 +! sz 1 <: usize ] <: u8) + (-2967645l) + (-3693493l) + (-411027l) + (-2477047l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 12 ] <: u8) + (re.[ sz 12 +! sz 1 <: usize ] <: u8) + (-671102l) + (-1228525l) + (-22981l) + (-1308169l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 14 ] <: u8) + (re.[ sz 14 +! sz 1 <: usize ] <: u8) + (-381987l) + 1349076l + 1852771l + (-1430430l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 16 ] <: u8) + (re.[ sz 16 +! sz 1 <: usize ] <: u8) + (-3343383l) + 264944l + 508951l + 3097992l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16 +! 
sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 18 ] <: u8) + (re.[ sz 18 +! sz 1 <: usize ] <: u8) + 44288l + (-1100098l) + 904516l + 3958618l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 20 ] <: u8) + (re.[ sz 20 +! sz 1 <: usize ] <: u8) + (-3724342l) + (-8578l) + 1653064l + (-3249728l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 22 ] <: u8) + (re.[ sz 22 +! sz 1 <: usize ] <: u8) + 2389356l + (-210977l) + 759969l + (-1316856l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 24 ] <: u8) + (re.[ sz 24 +! sz 1 <: usize ] <: u8) + 189548l + (-3553272l) + 3159746l + (-1851402l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 26 ] <: u8) + (re.[ sz 26 +! sz 1 <: usize ] <: u8) + (-2409325l) + (-177440l) + 1315589l + 1341330l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26 +! 
sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 28 ] <: u8) + (re.[ sz 28 +! sz 1 <: usize ] <: u8) + 1285669l + (-1584928l) + (-812732l) + (-1439742l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ sz 30 ] <: u8) + (re.[ sz 30 +! sz 1 <: usize ] <: u8) + (-3019102l) + (-3881060l) + (-3628969l) + 3839961l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30 +! sz 1 <: usize) b + in + re + +let ntt_at_layer_2_ (re: t_Array u8 (sz 32)) = + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 0 ] <: u8) (re.[ sz 0 +! sz 1 <: usize ] <: u8) 2706023l 95776l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 2 ] <: u8) (re.[ sz 2 +! sz 1 <: usize ] <: u8) 3077325l 3530437l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 4 ] <: u8) (re.[ sz 4 +! sz 1 <: usize ] <: u8) (-1661693l) (-3592148l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 6 ] <: u8) (re.[ sz 6 +! 
sz 1 <: usize ] <: u8) (-2537516l) 3915439l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 8 ] <: u8) (re.[ sz 8 +! sz 1 <: usize ] <: u8) (-3861115l) (-3043716l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 10 ] <: u8) (re.[ sz 10 +! sz 1 <: usize ] <: u8) 3574422l (-2867647l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 12 ] <: u8) (re.[ sz 12 +! sz 1 <: usize ] <: u8) 3539968l (-300467l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 14 ] <: u8) (re.[ sz 14 +! sz 1 <: usize ] <: u8) 2348700l (-539299l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 16 ] <: u8) (re.[ sz 16 +! 
sz 1 <: usize ] <: u8) (-1699267l) (-1643818l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 18 ] <: u8) (re.[ sz 18 +! sz 1 <: usize ] <: u8) 3505694l (-3821735l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 20 ] <: u8) (re.[ sz 20 +! sz 1 <: usize ] <: u8) 3507263l (-2140649l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 22 ] <: u8) (re.[ sz 22 +! sz 1 <: usize ] <: u8) (-1600420l) 3699596l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 24 ] <: u8) (re.[ sz 24 +! sz 1 <: usize ] <: u8) 811944l 531354l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 26 ] <: u8) (re.[ sz 26 +! 
sz 1 <: usize ] <: u8) 954230l 3881043l + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 28 ] <: u8) (re.[ sz 28 +! sz 1 <: usize ] <: u8) 3900724l (-2556880l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28 +! sz 1 <: usize) b + in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ sz 30 ] <: u8) (re.[ sz 30 +! sz 1 <: usize ] <: u8) 2071892l (-2797779l) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30) a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30 +! sz 1 <: usize) b + in + re + +let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) = + let field_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + in + let inverse_of_modulus_mod_montgomery_r:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + <: + u64) + <: + i32) + in + let zeta7:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 25847l in + let zeta60:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2608894l) in + let zeta61:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-518909l) in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 0 +! ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 0 +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 0 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 0 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 0 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 0 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 0 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 0 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 8 +! ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 8 +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 8 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 8 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 8 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 8 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 8 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 8 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 8 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 8 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 8 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 0 +! ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 0 +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 0 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 0 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 0 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 0 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 0 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 0 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 16 +! ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 16 +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 16 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 16 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 16 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 16 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 16 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 16 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 16 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 16 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 16 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 4 +! ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 4 +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 4 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 4 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 4 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 4 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 4 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 4 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 12 +! ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 12 +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 12 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 12 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 12 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 12 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 12 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 12 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 12 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_7_ + <: + usize ] + <: + u8) + zeta7 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 12 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 12 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 4 +! ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 4 +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 4 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 4 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 4 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 4 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta60 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 4 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 4 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 20 +! ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ sz 20 +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 20 +! sz 1 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 20 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 20 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 +! sz 1 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20 +! sz 1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 +! sz 1 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 20 +! sz 2 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 20 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 20 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 +! sz 2 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20 +! sz 2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 +! sz 2 <: usize ] <: u8) t <: u8) + in + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 20 +! sz 3 <: usize) +! + ntt_at_layer_7_and_6___STEP_BY_6_ + <: + usize ] + <: + u8) + zeta61 + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ (sz 20 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + ((sz 20 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 +! sz 3 <: usize ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20 +! sz 3 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 +! sz 3 <: usize ] <: u8) t <: u8) + in + let _:Prims.unit = () in + re + +let ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) = + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 237124l in + let offset:usize = + ((sz 0 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
ntt_at_layer_5_to_3___STEP_BY <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-777960l) in + let offset:usize = + ((sz 1 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-876248l) in + let offset:usize = + ((sz 2 *! 
ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 466468l in + let offset:usize = + ((sz 3 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! 
ntt_at_layer_5_to_3___STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let _:Prims.unit = () in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1826347l in + let offset:usize = + ((sz 0 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2353451l in + let offset:usize = + ((sz 1 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in let _:usize = temp_1_ in true) - (re, zeta_i <: (t_Array u8 (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in - let round:usize = round in - let zeta_i:usize = zeta_i +! sz 1 in - let offset:usize = - ((round *! step <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! step_by <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant (re.[ j +! - step_by - <: - usize ] - <: - u8) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! step_by <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - re, zeta_i <: (t_Array u8 (sz 32) & usize)) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! 
ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) in - let hax_temp_output:Prims.unit = () <: Prims.unit in - zeta_i, re <: (usize & t_Array u8 (sz 32)) - -let ntt_at_layer_0_ (zeta_i: usize) (re: t_Array u8 (sz 32)) = - let zeta_i:usize = zeta_i +! sz 1 in - let re, zeta_i:(t_Array u8 (sz 32) & usize) = - Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) - (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize) - (sz 2) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-359251l) in + let offset:usize = + ((sz 2 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2091905l) in + let offset:usize = + ((sz 3 *! 
ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in let _:usize = temp_1_ in true) - (re, zeta_i <: (t_Array u8 (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in - let round:usize = round in - let a, b:(u8 & u8) = - butterfly_2_ (re.[ round ] <: u8) (re.[ round +! sz 1 <: usize ] <: u8) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 3119733l in + let offset:usize = + ((sz 4 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2884855l) in + let offset:usize = + ((sz 5 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 4 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! 
ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 3111497l in + let offset:usize = + ((sz 6 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 5 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2680103l in + let offset:usize = + ((sz 7 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_1 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 6 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let _:Prims.unit = () in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2725464l in + let offset:usize = + ((sz 0 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 7 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1024112l in + let offset:usize = + ((sz 1 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] <: - i32) + u8) + rhs in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) in let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (round +! sz 1 <: usize) - b + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) in - let zeta_i:usize = zeta_i +! sz 8 in - re, zeta_i <: (t_Array u8 (sz 32) & usize)) + re) in - let zeta_i:usize = zeta_i -! sz 1 in - zeta_i, re <: (usize & t_Array u8 (sz 32)) - -let ntt_at_layer_1_ (zeta_i: usize) (re: t_Array u8 (sz 32)) = - let zeta_i:usize = zeta_i +! 
sz 1 in - let re, zeta_i:(t_Array u8 (sz 32) & usize) = - Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) - (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize) - (sz 2) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-1079900l) in + let offset:usize = + ((sz 2 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in let _:usize = temp_1_ in true) - (re, zeta_i <: (t_Array u8 (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in - let round:usize = round in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ round ] <: u8) - (re.[ round +! sz 1 <: usize ] <: u8) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 3585928l in + let offset:usize = + ((sz 3 *! 
ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ] + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-549488l) in + let offset:usize = + ((sz 4 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] <: - i32) + u8) + rhs in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) in let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (round +! sz 1 <: usize) - b + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) in - let zeta_i:usize = zeta_i +! sz 4 in - re, zeta_i <: (t_Array u8 (sz 32) & usize)) + re) in - let zeta_i:usize = zeta_i -! sz 1 in - zeta_i, re <: (usize & t_Array u8 (sz 32)) - -let ntt_at_layer_2_ (zeta_i: usize) (re: t_Array u8 (sz 32)) = - let re, zeta_i:(t_Array u8 (sz 32) & usize) = - Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) - (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize) - (sz 2) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-1119584l) in + let offset:usize = + ((sz 5 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2619752l in + let offset:usize = + ((sz 6 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2108549l) in + let offset:usize = + ((sz 7 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2118186l) in + let offset:usize = + ((sz 8 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-3859737l) in + let offset:usize = + ((sz 9 *! 
ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-1399561l) in + let offset:usize = + ((sz 10 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-3277672l) in + let offset:usize = + ((sz 11 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1757237l in + let offset:usize = + ((sz 12 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-19422l) in + let offset:usize = + ((sz 13 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 4010497l in + let offset:usize = + ((sz 14 *! 
ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] + <: + u8) + rhs + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 280005l in + let offset:usize = + ((sz 15 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in let _:usize = temp_1_ in true) - (re, zeta_i <: (t_Array u8 (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in - let round:usize = round in - let zeta_i:usize = zeta_i +! sz 1 in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ round ] <: u8) - (re.[ round +! sz 1 <: usize ] <: u8) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! 
sz 1 <: usize ] + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! + ntt_at_layer_5_to_3___STEP_BY_2 + <: + usize ] <: - i32) + u8) + rhs in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) in let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (round +! sz 1 <: usize) - b + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) in - let zeta_i:usize = zeta_i +! sz 1 in - re, zeta_i <: (t_Array u8 (sz 32) & usize)) + re) in + let _:Prims.unit = () in let hax_temp_output:Prims.unit = () <: Prims.unit in - zeta_i, re <: (usize & t_Array u8 (sz 32)) + re let ntt (re: t_Array u8 (sz 32)) = - let zeta_i:usize = sz 0 in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 7) zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 6) zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 5) zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 4) zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 3) zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = 
ntt_at_layer_2_ zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_1_ zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_0_ zeta_i re in - let zeta_i:usize = tmp0 in - let re:t_Array u8 (sz 32) = tmp1 in - let _:Prims.unit = () in + let re:t_Array u8 (sz 32) = ntt_at_layer_7_and_6_ re in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3_ re in + let re:t_Array u8 (sz 32) = ntt_at_layer_2_ re in + let re:t_Array u8 (sz 32) = ntt_at_layer_1_ re in + let re:t_Array u8 (sz 32) = ntt_at_layer_0_ re in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti index 2b4b65ff5..afa539b9a 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti @@ -5,6 +5,27 @@ open FStar.Mul let butterfly_2___SHUFFLE: i32 = 216l +let ntt_at_layer_5_to_3___STEP: usize = sz 1 < Prims.l_True) 
@@ -23,17 +44,26 @@ val invert_ntt_at_layer_1_ (simd_unit: u8) (zeta0 zeta1: i32) val invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_3_plus (v_LAYER zeta_i: usize) (re: t_Array u8 (sz 32)) - : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_0_ (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_0_ (zeta_i: usize) (re: t_Array u8 (sz 32)) - : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_1_ (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_1_ (zeta_i: usize) (re: t_Array u8 (sz 32)) - : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_2_ (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_2_ (zeta_i: usize) (re: t_Array u8 (sz 32)) - : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +/// This is equivalent to the pqclean 0 and 1 +/// This does 32 Montgomery multiplications (192 multiplications). +/// This is the same as in pqclean. The only difference is locality of registers. +val ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Layer 5, 4, 3 +/// Each layer does 16 Montgomery multiplications -> 3*16 = 48 total +/// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48) +val ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val ntt (re: t_Array u8 (sz 32)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst
index 47babb998..8cb54365c 100644
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst
@@ -591,6 +591,427 @@ let simd_unit_ntt_at_layer_0_ in simd_unit +let ntt_at_layer_0_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0) + (simd_unit_ntt_at_layer_0_ (re.[ sz 0 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2091667l + 3407706l + 2316500l + 3817976l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 1) + (simd_unit_ntt_at_layer_0_ (re.[ sz 1 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3342478l) + 2244091l + (-2446433l) + (-3562462l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 2) + (simd_unit_ntt_at_layer_0_ (re.[ sz 2 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 266997l + 2434439l + (-1235728l) + 3513181l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 3) + (simd_unit_ntt_at_layer_0_ (re.[ sz 3 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3520352l) + (-3759364l) + (-1197226l) + (-3193378l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4) + (simd_unit_ntt_at_layer_0_ (re.[ sz 4 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 900702l + 1859098l + 909542l + 819034l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 5) + (simd_unit_ntt_at_layer_0_ (re.[ sz 5 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 495491l + (-1613174l) + (-43260l) + (-522500l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 6) + (simd_unit_ntt_at_layer_0_ (re.[ sz 6 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-655327l) + (-3122442l) + 2031748l + 3207046l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 7) + (simd_unit_ntt_at_layer_0_ (re.[ sz 7 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3556995l) + (-525098l) + (-768622l) + (-3595838l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8) + (simd_unit_ntt_at_layer_0_ (re.[ sz 8 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 342297l + 286988l + (-2437823l) + 4108315l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 9) + (simd_unit_ntt_at_layer_0_ (re.[ sz 9 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3437287l + (-3342277l) + 1735879l + 203044l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 10) + (simd_unit_ntt_at_layer_0_ (re.[ sz 10 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2842341l + 2691481l + (-2590150l) + 1265009l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 11) + (simd_unit_ntt_at_layer_0_ (re.[ sz 11 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 4055324l + 1247620l + 2486353l + 1595974l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12) + (simd_unit_ntt_at_layer_0_ (re.[ sz 12 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3767016l) + 1250494l + 2635921l + (-3548272l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 13) + (simd_unit_ntt_at_layer_0_ (re.[ sz 13 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2994039l) + 1869119l + 1903435l + (-1050970l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 14) + (simd_unit_ntt_at_layer_0_ (re.[ sz 14 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1333058l) + 1237275l + (-3318210l) + (-1430225l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 15) + (simd_unit_ntt_at_layer_0_ (re.[ sz 15 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-451100l) + 1312455l + 3306115l + (-1962642l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16) + (simd_unit_ntt_at_layer_0_ (re.[ sz 16 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1279661l) + 1917081l + (-2546312l) + (-1374803l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 17) + (simd_unit_ntt_at_layer_0_ (re.[ sz 17 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 1500165l + 777191l + 2235880l + 3406031l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 18) + (simd_unit_ntt_at_layer_0_ (re.[ sz 18 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-542412l) + (-2831860l) + (-1671176l) + (-1846953l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 19) + (simd_unit_ntt_at_layer_0_ (re.[ sz 19 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2584293l) + (-3724270l) + 594136l + (-3776993l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20) + (simd_unit_ntt_at_layer_0_ (re.[ sz 20 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2013608l) + 2432395l + 2454455l + (-164721l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 21) + (simd_unit_ntt_at_layer_0_ (re.[ sz 21 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 1957272l + 3369112l + 185531l + (-1207385l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 22) + (simd_unit_ntt_at_layer_0_ (re.[ sz 22 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3183426l) + 162844l + 1616392l + 3014001l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 23) + (simd_unit_ntt_at_layer_0_ (re.[ sz 23 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 810149l + 1652634l + (-3694233l) + (-1799107l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 24) + (simd_unit_ntt_at_layer_0_ (re.[ sz 24 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3038916l) + 3523897l + 3866901l + 269760l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 25) + (simd_unit_ntt_at_layer_0_ (re.[ sz 25 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2213111l + (-975884l) + 1717735l + 472078l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 26) + (simd_unit_ntt_at_layer_0_ (re.[ sz 26 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-426683l) + 1723600l + (-1803090l) + 1910376l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 27) + (simd_unit_ntt_at_layer_0_ (re.[ sz 27 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1667432l) + (-1104333l) + (-260646l) + (-3833893l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 28) + (simd_unit_ntt_at_layer_0_ (re.[ sz 28 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2939036l) + (-2235985l) + (-420899l) + (-2286327l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 29) + (simd_unit_ntt_at_layer_0_ (re.[ sz 29 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 183443l + (-976891l) + 1612842l + (-3545687l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 30) + (simd_unit_ntt_at_layer_0_ (re.[ sz 30 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-554416l) + 3919660l + (-48306l) + (-1362209l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 31) + (simd_unit_ntt_at_layer_0_ (re.[ sz 31 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3937738l + 1400424l + (-846154l) + 1976782l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + re + let simd_unit_ntt_at_layer_1_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta1 zeta2: i32) 
@@ -745,6 +1166,363 @@ let simd_unit_ntt_at_layer_1_ in simd_unit +let ntt_at_layer_1_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0) + (simd_unit_ntt_at_layer_1_ (re.[ sz 0 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3930395l) + (-1528703l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 1) + (simd_unit_ntt_at_layer_1_ (re.[ sz 1 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3677745l) + (-3041255l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 2) + (simd_unit_ntt_at_layer_1_ (re.[ sz 2 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1452451l) + 3475950l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 3) + (simd_unit_ntt_at_layer_1_ (re.[ sz 3 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2176455l + (-1585221l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4) + (simd_unit_ntt_at_layer_1_ (re.[ sz 4 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1257611l) + 1939314l + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 5) + (simd_unit_ntt_at_layer_1_ (re.[ sz 5 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-4083598l) + (-1000202l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 6) + (simd_unit_ntt_at_layer_1_ (re.[ sz 6 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3190144l) + (-3157330l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 7) + (simd_unit_ntt_at_layer_1_ (re.[ sz 7 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3632928l) + 126922l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8) + (simd_unit_ntt_at_layer_1_ (re.[ sz 8 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3412210l + (-983419l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 9) + (simd_unit_ntt_at_layer_1_ (re.[ sz 9 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2147896l + 2715295l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = 
+ Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 10) + (simd_unit_ntt_at_layer_1_ (re.[ sz 10 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2967645l) + (-3693493l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 11) + (simd_unit_ntt_at_layer_1_ (re.[ sz 11 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-411027l) + (-2477047l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12) + (simd_unit_ntt_at_layer_1_ (re.[ sz 12 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-671102l) + (-1228525l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 13) + (simd_unit_ntt_at_layer_1_ (re.[ sz 13 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-22981l) + (-1308169l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 14) + (simd_unit_ntt_at_layer_1_ (re.[ sz 14 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-381987l) + 1349076l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 15) + (simd_unit_ntt_at_layer_1_ (re.[ sz 15 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 1852771l + (-1430430l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16) + (simd_unit_ntt_at_layer_1_ (re.[ sz 16 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3343383l) + 264944l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 17) + (simd_unit_ntt_at_layer_1_ (re.[ sz 17 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 508951l + 3097992l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 18) + (simd_unit_ntt_at_layer_1_ (re.[ sz 18 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 44288l + (-1100098l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 19) + (simd_unit_ntt_at_layer_1_ (re.[ sz 19 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 904516l + 3958618l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20) + (simd_unit_ntt_at_layer_1_ (re.[ sz 20 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3724342l) + (-8578l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 
in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 21) + (simd_unit_ntt_at_layer_1_ (re.[ sz 21 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 1653064l + (-3249728l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 22) + (simd_unit_ntt_at_layer_1_ (re.[ sz 22 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2389356l + (-210977l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 23) + (simd_unit_ntt_at_layer_1_ (re.[ sz 23 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 759969l + (-1316856l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 24) + (simd_unit_ntt_at_layer_1_ (re.[ sz 24 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 189548l + (-3553272l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 25) + (simd_unit_ntt_at_layer_1_ (re.[ sz 25 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3159746l + (-1851402l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 26) + (simd_unit_ntt_at_layer_1_ (re.[ sz 26 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2409325l) + (-177440l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 27) + (simd_unit_ntt_at_layer_1_ (re.[ sz 27 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 1315589l + 1341330l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 28) + (simd_unit_ntt_at_layer_1_ (re.[ sz 28 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 1285669l + (-1584928l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 29) + (simd_unit_ntt_at_layer_1_ (re.[ sz 29 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-812732l) + (-1439742l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 30) + (simd_unit_ntt_at_layer_1_ (re.[ sz 30 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3019102l) + (-3881060l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 31) + (simd_unit_ntt_at_layer_1_ (re.[ sz 31 ] + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3628969l) + 3839961l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + re + let simd_unit_ntt_at_layer_2_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta: i32) 
@@ -899,315 +1677,522 @@ let simd_unit_ntt_at_layer_2_ in simd_unit -let ntt_at_layer_0_ - (zeta_i: usize) +let ntt_at_layer_2_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - let zeta_i:usize = zeta_i +! sz 1 in - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & - usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let round:usize = round in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - round - (simd_unit_ntt_at_layer_0_ (re.[ round ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] - <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ] - <: - i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ] - <: - i32) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - let zeta_i:usize = zeta_i +! 
sz 4 in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 0) + (simd_unit_ntt_at_layer_2_ (re.[ sz 0 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2706023l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 1) + (simd_unit_ntt_at_layer_2_ (re.[ sz 1 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 95776l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 2) + (simd_unit_ntt_at_layer_2_ (re.[ sz 2 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3077325l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 3) + (simd_unit_ntt_at_layer_2_ (re.[ sz 3 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3530437l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 4) + (simd_unit_ntt_at_layer_2_ (re.[ sz 4 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1661693l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 5) + (simd_unit_ntt_at_layer_2_ (re.[ sz 5 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3592148l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 6) + (simd_unit_ntt_at_layer_2_ (re.[ sz 6 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2537516l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 7) + (simd_unit_ntt_at_layer_2_ (re.[ sz 7 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3915439l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 8) + (simd_unit_ntt_at_layer_2_ (re.[ sz 8 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3861115l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 9) + (simd_unit_ntt_at_layer_2_ (re.[ sz 9 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3043716l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 10) + (simd_unit_ntt_at_layer_2_ (re.[ sz 10 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3574422l + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 11) + (simd_unit_ntt_at_layer_2_ (re.[ sz 11 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2867647l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 12) + (simd_unit_ntt_at_layer_2_ (re.[ sz 12 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3539968l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 13) + (simd_unit_ntt_at_layer_2_ (re.[ sz 13 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-300467l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 14) + (simd_unit_ntt_at_layer_2_ (re.[ sz 14 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2348700l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 15) + (simd_unit_ntt_at_layer_2_ (re.[ sz 15 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-539299l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 16) + (simd_unit_ntt_at_layer_2_ (re.[ sz 16 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1699267l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 17) + (simd_unit_ntt_at_layer_2_ (re.[ sz 17 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1643818l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 18) + (simd_unit_ntt_at_layer_2_ (re.[ sz 18 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3505694l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 19) + (simd_unit_ntt_at_layer_2_ (re.[ sz 19 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-3821735l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 20) + (simd_unit_ntt_at_layer_2_ (re.[ sz 20 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3507263l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 21) + (simd_unit_ntt_at_layer_2_ (re.[ sz 21 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2140649l) + <: + 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 22) + (simd_unit_ntt_at_layer_2_ (re.[ sz 22 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-1600420l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 23) + (simd_unit_ntt_at_layer_2_ (re.[ sz 23 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3699596l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 24) + (simd_unit_ntt_at_layer_2_ (re.[ sz 24 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 811944l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 25) + (simd_unit_ntt_at_layer_2_ (re.[ sz 25 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 531354l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 26) + (simd_unit_ntt_at_layer_2_ (re.[ sz 26 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 954230l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize 
re + (sz 27) + (simd_unit_ntt_at_layer_2_ (re.[ sz 27 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3881043l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 28) + (simd_unit_ntt_at_layer_2_ (re.[ sz 28 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 3900724l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 29) + (simd_unit_ntt_at_layer_2_ (re.[ sz 29 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2556880l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 30) + (simd_unit_ntt_at_layer_2_ (re.[ sz 30 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 2071892l + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (sz 31) + (simd_unit_ntt_at_layer_2_ (re.[ sz 31 ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (-2797779l) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in - let zeta_i:usize = zeta_i -! 
sz 1 in - zeta_i, re - <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + re -let ntt_at_layer_1_ - (zeta_i: usize) +let outer_3_plus + (v_OFFSET v_STEP_BY: usize) + (v_ZETA: i32) (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - let zeta_i:usize = zeta_i +! sz 1 in - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & - usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Folds.fold_range v_OFFSET + (v_OFFSET +! v_STEP_BY <: usize) + (fun re temp_1_ -> + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = re in let _:usize = temp_1_ in true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ + re + (fun re j -> + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = re in + let j:usize = j in + let t:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant (re.[ j +! 
+ v_STEP_BY + <: + usize ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + v_ZETA in - let round:usize = round in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - round - (simd_unit_ntt_at_layer_1_ (re.[ round ] + (j +! v_STEP_BY <: usize) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract (re.[ j ] <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] - <: - i32) + t <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in - let zeta_i:usize = zeta_i +! sz 2 in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - in - let zeta_i:usize = zeta_i -! sz 1 in - zeta_i, re - <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - -let ntt_at_layer_2_ - (zeta_i: usize) - (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - = - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & - usize) = - Rust_primitives.Hax.Folds.fold_range (sz 0) - (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - <: - usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let round:usize = round in - let zeta_i:usize = zeta_i +! 
sz 1 in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - round - (simd_unit_ntt_at_layer_2_ (re.[ round ] + j + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + t <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + re) in let hax_temp_output:Prims.unit = () <: Prims.unit in - zeta_i, re - <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + re -let ntt_at_layer_3_plus - (v_LAYER zeta_i: usize) +let ntt_at_layer_3_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - let step:usize = sz 1 <>! v_LAYER <: usize) - (fun temp_0_ temp_1_ -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let _:usize = temp_1_ in - true) - (re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) - (fun temp_0_ round -> - let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit - (sz 32) & - usize) = - temp_0_ - in - let round:usize = round in - let zeta_i:usize = zeta_i +! sz 1 in - let offset:usize = - ((round *! step <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! 
step_by <: usize) - (fun re temp_1_ -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) - = - re - in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) - = - re - in - let j:usize = j in - let t:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = - Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant (re.[ j +! - step_by - <: - usize ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! step_by <: usize) - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract (re.[ j ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - t - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - t - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - in - re) - in - re, zeta_i - <: - (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 0) (sz 1) 2725464l re in - let hax_temp_output:Prims.unit = () <: Prims.unit in - zeta_i, re - <: - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 2) (sz 1) 1024112l re + in + let re:t_Array 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 4) (sz 1) (-1079900l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 6) (sz 1) 3585928l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 8) (sz 1) (-549488l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 10) (sz 1) (-1119584l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 12) (sz 1) 2619752l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 14) (sz 1) (-2108549l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 16) (sz 1) (-2118186l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 18) (sz 1) (-3859737l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 20) (sz 1) (-1399561l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 22) (sz 1) (-3277672l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 24) (sz 1) 1757237l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 26) (sz 1) (-19422l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 28) (sz 1) 4010497l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 30) (sz 1) 280005l re + in + re + +let ntt_at_layer_4_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + 
let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 0) (sz 2) 1826347l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 4) (sz 2) 2353451l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 8) (sz 2) (-359251l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 12) (sz 2) (-2091905l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 16) (sz 2) 3119733l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 20) (sz 2) (-2884855l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 24) (sz 2) 3111497l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 28) (sz 2) 2680103l re + in + re + +let ntt_at_layer_5_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 0) (sz 4) 237124l re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 8) (sz 4) (-777960l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 16) (sz 4) (-876248l) re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 24) (sz 4) 466468l re + in + re + +let ntt_at_layer_6_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 0) (sz 8) (-2608894l) re + in + let re:t_Array 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 16) (sz 8) (-518909l) re + in + re + +let ntt_at_layer_7_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + outer_3_plus (sz 0) (sz 16) 25847l re + in + re let ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - let zeta_i:usize = sz 0 in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_3_plus (sz 7) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_3_plus (sz 6) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_3_plus (sz 5) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_3_plus (sz 4) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_3_plus (sz 3) zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () 
in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_2_ zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_1_ zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () in - let tmp0, tmp1:(usize & - t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = - ntt_at_layer_0_ zeta_i re - in - let zeta_i:usize = tmp0 in - let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in - let _:Prims.unit = () in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_7_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_6_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_5_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_4_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_3_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1_ re + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0_ re + in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti index abb1d13d4..61fd4f830 100644 
--- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti @@ -3,6 +3,26 @@ module Libcrux_ml_dsa.Simd.Portable.Ntt open Core open FStar.Mul +let ntt_at_layer_3___STEP: usize = sz 8 + +let ntt_at_layer_3___STEP_BY: usize = sz 1 + +let ntt_at_layer_4___STEP: usize = sz 16 + +let ntt_at_layer_4___STEP_BY: usize = sz 2 + +let ntt_at_layer_5___STEP: usize = sz 32 + +let ntt_at_layer_5___STEP_BY: usize = sz 4 + +let ntt_at_layer_6___STEP: usize = sz 64 + +let ntt_at_layer_6___STEP_BY: usize = sz 8 + +let ntt_at_layer_7___STEP: usize = sz 128 + +let ntt_at_layer_7___STEP_BY: usize = sz 16 + val invert_ntt_at_layer_0_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta0 zeta1 zeta2 zeta3: i32) @@ -31,6 +51,12 @@ val simd_unit_ntt_at_layer_0_ Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_0_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + val simd_unit_ntt_at_layer_1_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta1 zeta2: i32) @@ -38,6 +64,12 @@ val simd_unit_ntt_at_layer_1_ Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_1_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + val simd_unit_ntt_at_layer_2_ (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta: i32) 
@@ -45,35 +77,47 @@ val simd_unit_ntt_at_layer_2_ Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_0_ - (zeta_i: usize) +val ntt_at_layer_2_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_1_ - (zeta_i: usize) +val outer_3_plus + (v_OFFSET v_STEP_BY: usize) + (v_ZETA: i32) (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_2_ - (zeta_i: usize) +val ntt_at_layer_3_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_4_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_5_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) Prims.l_True (fun _ -> Prims.l_True) -val ntt_at_layer_3_plus - (v_LAYER zeta_i: usize) +val ntt_at_layer_6_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) - : Prims.Pure - (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : 
Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_7_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti index 1ef0cb0e8..543e2b390 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti 
@@ -181,45 +181,5 @@ let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL let v_SIMD_UNITS_IN_RING_ELEMENT: usize = Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! v_COEFFICIENTS_IN_SIMD_UNIT -let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (sz 256) = - let list = - [ - 0l; 25847l; (-2608894l); (-518909l); 237124l; (-777960l); (-876248l); 466468l; 1826347l; - 2353451l; (-359251l); (-2091905l); 3119733l; (-2884855l); 3111497l; 2680103l; 2725464l; - 1024112l; (-1079900l); 3585928l; (-549488l); (-1119584l); 2619752l; (-2108549l); (-2118186l); - (-3859737l); (-1399561l); (-3277672l); 1757237l; (-19422l); 4010497l; 280005l; 2706023l; - 95776l; 3077325l; 3530437l; (-1661693l); (-3592148l); (-2537516l); 3915439l; (-3861115l); - (-3043716l); 3574422l; (-2867647l); 3539968l; (-300467l); 2348700l; (-539299l); (-1699267l); - (-1643818l); 3505694l; (-3821735l); 3507263l; (-2140649l); (-1600420l); 3699596l; 811944l; - 531354l; 954230l; 3881043l; 3900724l; (-2556880l); 2071892l; (-2797779l); (-3930395l); - (-1528703l); (-3677745l); (-3041255l); (-1452451l); 3475950l; 2176455l; (-1585221l); - (-1257611l); 1939314l; (-4083598l); (-1000202l); (-3190144l); (-3157330l); (-3632928l); - 126922l; 3412210l; (-983419l); 2147896l; 2715295l; (-2967645l); (-3693493l); (-411027l); - (-2477047l); (-671102l); (-1228525l); (-22981l); (-1308169l); (-381987l); 1349076l; 1852771l; - (-1430430l); (-3343383l); 264944l; 508951l; 3097992l; 44288l; (-1100098l); 904516l; 3958618l; - (-3724342l); (-8578l); 1653064l; (-3249728l); 2389356l; (-210977l); 759969l; (-1316856l); - 189548l; (-3553272l); 3159746l; (-1851402l); (-2409325l); (-177440l); 1315589l; 1341330l; - 1285669l; (-1584928l); (-812732l); (-1439742l); (-3019102l); (-3881060l); (-3628969l); - 3839961l; 2091667l; 3407706l; 2316500l; 3817976l; (-3342478l); 2244091l; (-2446433l); - (-3562462l); 266997l; 2434439l; (-1235728l); 3513181l; (-3520352l); (-3759364l); (-1197226l); - (-3193378l); 900702l; 1859098l; 909542l; 819034l; 495491l; 
(-1613174l); (-43260l); (-522500l); - (-655327l); (-3122442l); 2031748l; 3207046l; (-3556995l); (-525098l); (-768622l); (-3595838l); - 342297l; 286988l; (-2437823l); 4108315l; 3437287l; (-3342277l); 1735879l; 203044l; 2842341l; - 2691481l; (-2590150l); 1265009l; 4055324l; 1247620l; 2486353l; 1595974l; (-3767016l); 1250494l; - 2635921l; (-3548272l); (-2994039l); 1869119l; 1903435l; (-1050970l); (-1333058l); 1237275l; - (-3318210l); (-1430225l); (-451100l); 1312455l; 3306115l; (-1962642l); (-1279661l); 1917081l; - (-2546312l); (-1374803l); 1500165l; 777191l; 2235880l; 3406031l; (-542412l); (-2831860l); - (-1671176l); (-1846953l); (-2584293l); (-3724270l); 594136l; (-3776993l); (-2013608l); - 2432395l; 2454455l; (-164721l); 1957272l; 3369112l; 185531l; (-1207385l); (-3183426l); 162844l; - 1616392l; 3014001l; 810149l; 1652634l; (-3694233l); (-1799107l); (-3038916l); 3523897l; - 3866901l; 269760l; 2213111l; (-975884l); 1717735l; 472078l; (-426683l); 1723600l; (-1803090l); - 1910376l; (-1667432l); (-1104333l); (-260646l); (-3833893l); (-2939036l); (-2235985l); - (-420899l); (-2286327l); 183443l; (-976891l); 1612842l; (-3545687l); (-554416l); 3919660l; - (-48306l); (-1362209l); 3937738l; 1400424l; (-846154l); 1976782l - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256); - Rust_primitives.Hax.array_of_list 256 list - val montgomery_multiply_by_fer (#v_S: Type0) {| i1: t_Operations v_S |} (simd_unit: v_S) (fer: i32) : Prims.Pure v_S Prims.l_True (fun _ -> Prims.l_True) diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti index 0b77def1e..968a5585c 100644 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti +++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti @@ -1,5 +1,5 @@ module Libcrux_platform.X86 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" open Core open FStar.Mul 
From b1ad8bbfa00359592f24d10b1c33827c741e44ed Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Wed, 6 Nov 2024 13:11:27 +0100 Subject: [PATCH 60/74] Guard `target_feature` to `cfg(not(hax))` --- .../src/ml_dsa_generic/instantiations/avx2.rs | 14 +++++------ libcrux-ml-dsa/src/simd/avx2/ntt.rs | 18 +++++++------- .../src/ind_cca/instantiations/avx2.rs | 24 +++++++++---------- libcrux-sha3/src/simd/avx2.rs | 22 ++++++++--------- 4 files changed, 39 insertions(+), 39 deletions(-) diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs index 40111939b..6f3a754a2 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations/avx2.rs @@ -9,7 +9,7 @@ mod avx2_feature { use super::*; /// Generate key pair. - #[target_feature(enable = "avx2")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] pub(super) unsafe fn generate_key_pair< const ROWS_IN_A: usize, @@ -36,7 +36,7 @@ mod avx2_feature { } /// Sign. - #[target_feature(enable = "avx2")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] pub(super) unsafe fn sign< const ROWS_IN_A: usize, @@ -83,7 +83,7 @@ mod avx2_feature { /// Sign (internal API) #[cfg(feature = "acvp")] - #[target_feature(enable = "avx2")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] pub(super) unsafe fn sign_internal< const ROWS_IN_A: usize, @@ -128,7 +128,7 @@ mod avx2_feature { } /// Sign (pre-hashed). - #[target_feature(enable = "avx2")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] pub(super) unsafe fn sign_pre_hashed_shake128< const ROWS_IN_A: usize, @@ -176,7 +176,7 @@ mod avx2_feature { } /// Verify. - #[target_feature(enable = "avx2")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] pub(super) unsafe fn verify< const ROWS_IN_A: usize, 
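Review bot: The `hax` cfg name used by `#[cfg_attr(not(hax), target_feature(enable = "avx2"))]` is not declared anywhere in this patch, so on toolchains that run the `unexpected_cfgs` check every one of these attribute sites will warn unless the crates already register it; adding `[lints.rust] unexpected_cfgs = { level = "warn", check-cfg = ['cfg(hax)'] }` to the affected Cargo.toml files (or a `cargo::rustc-check-cfg=cfg(hax)` line in a build script) keeps the build clean and documents the cfg. The same rewrite is repeated in every hunk of this commit across `libcrux-ml-dsa/src/simd/avx2/ntt.rs`, `libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs` and `libcrux-sha3/src/simd/avx2.rs`, so a short comment at this first site, e.g. `// target_feature is dropped only for hax extraction; the runtime build keeps the AVX2 gate`, would spare the next reader from working out why the attribute is conditional. The functions stay `unsafe fn`, so presumably the callers' CPU-feature detection is still what makes them sound to call; the enclosing functions begin outside each hunk.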
@@ -220,7 +220,7 @@ mod avx2_feature { /// Verify (internal API). #[cfg(feature = "acvp")] - #[target_feature(enable = "avx2")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] pub(super) unsafe fn verify_internal< const ROWS_IN_A: usize, @@ -262,7 +262,7 @@ mod avx2_feature { } /// Verify (pre-hashed with SHAKE-128). - #[target_feature(enable = "avx2")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] pub(super) unsafe fn verify_pre_hashed_shake128< const ROWS_IN_A: usize, diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs index b764e6178..732d6ba55 100644 --- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs @@ -100,7 +100,7 @@ fn butterfly_8(a: Vec256, b: Vec256, zeta0: i32, zeta1: i32) -> (Vec256, Vec256) (a_out, b_out) } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] pub(super) unsafe fn invert_ntt_at_layer_0( simd_unit: Vec256, @@ -122,7 +122,7 @@ pub(super) unsafe fn invert_ntt_at_layer_0( mm256_blend_epi32::<0b1_0_1_0_1_0_1_0>(sums, products) } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { macro_rules! round { @@ -162,7 +162,7 @@ unsafe fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { round!(30, -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782); } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] pub(super) unsafe fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1: i32) -> Vec256 { let zetas = mm256_set_epi32(zeta1, zeta1, 0, 0, zeta0, zeta0, 0, 0); 
@@ -178,7 +178,7 @@ pub(super) unsafe fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1: mm256_blend_epi32::<0b1_1_0_0_1_1_0_0>(sums, products) } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { macro_rules! round { @@ -207,7 +207,7 @@ unsafe fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { round!(30, -3019102, -3881060, -3628969, 3839961); } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] pub(super) unsafe fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec256 { let zetas = mm256_set_epi32(zeta, zeta, zeta, zeta, 0, 0, 0, 0); @@ -223,7 +223,7 @@ pub(super) unsafe fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec2 mm256_blend_epi32::<0b1_1_1_1_0_0_0_0>(sums, products) } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { macro_rules! round { @@ -256,7 +256,7 @@ unsafe fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { /// /// This does 32 Montgomery multiplications (192 multiplications). /// This is the same as in pqclean. The only difference is locality of registers. -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { let field_modulus = mm256_set1_epi32(crate::simd::traits::FIELD_MODULUS); 
@@ -317,7 +317,7 @@ unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { /// /// Each layer does 16 Montgomery multiplications -> 3*16 = 48 total /// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48) -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { macro_rules! round { @@ -398,7 +398,7 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { () } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] pub(crate) unsafe fn ntt( mut re: [Vec256; SIMD_UNITS_IN_RING_ELEMENT], diff --git a/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs b/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs index afaa606be..9dff8843a 100644 --- a/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs +++ b/libcrux-ml-kem/src/ind_cca/instantiations/avx2.rs @@ -5,7 +5,7 @@ use crate::{ #[allow(unsafe_code)] /// Portable generate key pair. -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn generate_keypair_avx2< const K: usize, const CPA_PRIVATE_KEY_SIZE: usize, @@ -58,7 +58,7 @@ pub(crate) fn generate_keypair< #[allow(unsafe_code)] #[cfg(feature = "kyber")] -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn kyber_generate_keypair_avx2< const K: usize, const CPA_PRIVATE_KEY_SIZE: usize, @@ -111,7 +111,7 @@ pub(crate) fn kyber_generate_keypair< } #[allow(unsafe_code)] -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn validate_public_key_avx2< const K: usize, const RANKED_BYTES_PER_RING_ELEMENT: usize, 
@@ -141,7 +141,7 @@ pub(crate) fn validate_public_key< } #[allow(unsafe_code)] -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn validate_private_key_avx2< const K: usize, const SECRET_KEY_SIZE: usize, @@ -174,7 +174,7 @@ pub(crate) fn validate_private_key< #[allow(unsafe_code)] #[cfg(feature = "kyber")] -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn kyber_encapsulate_avx2< const K: usize, const CIPHERTEXT_SIZE: usize, @@ -253,7 +253,7 @@ pub(crate) fn kyber_encapsulate< } #[allow(unsafe_code)] -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn encapsulate_avx2< const K: usize, const CIPHERTEXT_SIZE: usize, @@ -332,7 +332,7 @@ pub(crate) fn encapsulate< #[allow(unsafe_code)] #[cfg(feature = "kyber")] -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn kyber_decapsulate_avx2< const K: usize, const SECRET_KEY_SIZE: usize, @@ -423,7 +423,7 @@ pub fn kyber_decapsulate< } #[allow(unsafe_code)] -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn decapsulate_avx2< const K: usize, const SECRET_KEY_SIZE: usize, @@ -522,7 +522,7 @@ pub(crate) mod unpacked { crate::ind_cca::unpacked::MlKemPublicKeyUnpacked; /// Get the unpacked public key. - #[target_feature(enable = "avx2")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn unpack_public_key_avx2< const K: usize, @@ -565,7 +565,7 @@ pub(crate) mod unpacked { } #[allow(unsafe_code)] - #[target_feature(enable = "avx2")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn generate_keypair_avx2< const K: usize, const CPA_PRIVATE_KEY_SIZE: usize, 
@@ -620,7 +620,7 @@ pub(crate) mod unpacked { } #[allow(unsafe_code)] - #[target_feature(enable = "avx2")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] unsafe fn encapsulate_avx2< const K: usize, const CIPHERTEXT_SIZE: usize, @@ -697,7 +697,7 @@ pub(crate) mod unpacked { } } - #[target_feature(enable = "avx2")] + #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn decapsulate_avx2< const K: usize, diff --git a/libcrux-sha3/src/simd/avx2.rs b/libcrux-sha3/src/simd/avx2.rs index f957fe115..5ccfc10ef 100644 --- a/libcrux-sha3/src/simd/avx2.rs +++ b/libcrux-sha3/src/simd/avx2.rs @@ -1,7 +1,7 @@ use crate::traits::internal::*; use libcrux_intrinsics::avx2::*; -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn rotate_left(x: Vec256) -> Vec256 { debug_assert!(LEFT + RIGHT == 64); @@ -9,7 +9,7 @@ unsafe fn rotate_left(x: Vec256) -> Vec256 { mm256_xor_si256(mm256_slli_epi64::(x), mm256_srli_epi64::(x)) } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn _veor5q_u64(a: Vec256, b: Vec256, c: Vec256, d: Vec256, e: Vec256) -> Vec256 { let ab = mm256_xor_si256(a, b); 
@@ -18,26 +18,26 @@ unsafe fn _veor5q_u64(a: Vec256, b: Vec256, c: Vec256, d: Vec256, e: Vec256) -> mm256_xor_si256(abcd, e) } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn _vrax1q_u64(a: Vec256, b: Vec256) -> Vec256 { mm256_xor_si256(a, rotate_left::<1, 63>(b)) } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn _vxarq_u64(a: Vec256, b: Vec256) -> Vec256 { let ab = mm256_xor_si256(a, b); rotate_left::(ab) } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn _vbcaxq_u64(a: Vec256, b: Vec256, c: Vec256) -> Vec256 { mm256_xor_si256(a, mm256_andnot_si256(c, b)) } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn _veorq_n_u64(a: Vec256, c: u64) -> Vec256 { // Casting here is required, doesn't change the value. @@ -45,13 +45,13 @@ unsafe fn _veorq_n_u64(a: Vec256, c: u64) -> Vec256 { mm256_xor_si256(a, c) } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn xor(a: Vec256, b: Vec256) -> Vec256 { mm256_xor_si256(a, b) } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn load_block(s: &mut [[Vec256; 5]; 5], blocks: [&[u8]; 4]) { debug_assert!(RATE <= blocks[0].len() && RATE % 8 == 0 && (RATE % 32 == 8 || RATE % 32 == 16)); @@ -120,7 +120,7 @@ pub(crate) fn load_block_full(s: &mut [[Vec256; 5]; 5], block }; } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn store_block(s: &[[Vec256; 5]; 5], out: [&mut [u8]; 4]) { for i in 0..RATE / 32 { 
@@ -186,7 +186,7 @@ pub(crate) fn store_block_full(s: &[[Vec256; 5]; 5]) -> [[u8; [out0, out1, out2, out3] } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] { [ @@ -197,7 +197,7 @@ unsafe fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] { ] } -#[target_feature(enable = "avx2")] +#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn split_at_mut_4(out: [&mut [u8]; 4], mid: usize) -> ([&mut [u8]; 4], [&mut [u8]; 4]) { let [out0, out1, out2, out3] = out; From 0dccff59c1c60cd71fb0bad292effda9681aa730 Mon Sep 17 00:00:00 2001 From: Jonas Schneider-Bensch Date: Wed, 6 Nov 2024 13:12:54 +0100 Subject: [PATCH 61/74] Update F* --- .../Libcrux_ml_dsa.Ml_dsa_generic.fst | 24 +++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst index 95d331653..878dd2cb5 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst @@ -543,7 +543,11 @@ let sign <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness | Core.Result.Result_Err err -> - Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) + Core.Result.Result_Err + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError 
@@ -604,7 +608,11 @@ let sign_pre_hashed <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness | Core.Result.Result_Err err -> - Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) + Core.Result.Result_Err + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) <: Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) Libcrux_ml_dsa.Types.t_SigningError @@ -798,7 +806,11 @@ let verify <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized | Core.Result.Result_Err err -> - Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) + Core.Result.Result_Err + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError @@ -847,7 +859,11 @@ let verify_pre_hashed <: Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized | Core.Result.Result_Err err -> - Core.Result.Result_Err (Core.Convert.f_from #FStar.Tactics.Typeclasses.solve err) + Core.Result.Result_Err + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) <: Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError From 4a3c2072efc6af74284f44e4e4c60e1f449c5e0e Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 6 Nov 2024 12:15:25 +0000 Subject: [PATCH 62/74] add fuzzer to ci --- .github/workflows/mlkem.yml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/.github/workflows/mlkem.yml b/.github/workflows/mlkem.yml index aa1767182..e5fe8d025 100644 --- a/.github/workflows/mlkem.yml 
+++ b/.github/workflows/mlkem.yml @@ -168,3 +168,35 @@ jobs: run: | cargo clean cargo hack test --each-feature $EXCLUDE_FEATURES --verbose $RUST_TARGET_FLAG + + fuzz: + strategy: + fail-fast: false + matrix: + os: + - macos-latest # macos-14 m1 + - ubuntu-latest + + runs-on: ${{ matrix.os }} + defaults: + run: + shell: bash + working-directory: libcrux-ml-kem + + steps: + - uses: actions/checkout@v4 + + - name: 🛠️ Setup Rust Nightly + run: rustup toolchain install nightly + + - name: Update dependencies + run: cargo update + + - run: 🏃🏻‍♀️ Decaps + run: CARGO_PROFILE_RELEASE_LTO=false cargo +nightly fuzz run decaps -- -runs=100000 + + - run: 🏃🏻‍♀️ Encaps + run: CARGO_PROFILE_RELEASE_LTO=false cargo +nightly fuzz run encaps -- -runs=100000 + + - run: 🏃🏻‍♀️ KeyGen + run: CARGO_PROFILE_RELEASE_LTO=false cargo +nightly fuzz run keygen -- -runs=1000000 From c9f86702682adddfa40801355d462a204560c3a6 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 6 Nov 2024 13:47:33 +0100 Subject: [PATCH 63/74] Update .github/workflows/mlkem.yml Co-authored-by: Jonas Schneider-Bensch <124457079+jschneider-bensch@users.noreply.github.com> --- .github/workflows/mlkem.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mlkem.yml b/.github/workflows/mlkem.yml index e5fe8d025..756ac8dcf 100644 --- a/.github/workflows/mlkem.yml +++ b/.github/workflows/mlkem.yml @@ -192,7 +192,7 @@ jobs: - name: Update dependencies run: cargo update - - run: 🏃🏻‍♀️ Decaps + - name: 🏃🏻‍♀️ Decaps run: CARGO_PROFILE_RELEASE_LTO=false cargo +nightly fuzz run decaps -- -runs=100000 - run: 🏃🏻‍♀️ Encaps From 3df061e76ba91e94bf280e08e175afc77d7ea79e Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 6 Nov 2024 12:48:05 +0000 Subject: [PATCH 64/74] fixup fuzz ci --- .github/workflows/mlkem.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/mlkem.yml b/.github/workflows/mlkem.yml index e5fe8d025..039a850f4 100644 
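Review bot: The `cargo update` step in the new `fuzz` job rewrites the checked-in lockfile before anything is built, so each run resolves whatever crate versions are newest at that moment: results are not reproducible between runs, and a freshly published dependency reaches this job before anyone has reviewed it in `Cargo.lock`. If the step exists only because the fuzz crate has no lockfile of its own, `cargo generate-lockfile` run inside `fuzz/` gets there without touching the workspace lockfile; otherwise drop the step and let the committed lockfile stand. Separately, when libFuzzer finds a crash the input cargo-fuzz writes under `fuzz/artifacts/` is lost with the runner, so an `actions/upload-artifact` step with `if: failure()` after the three run steps would preserve it for triage.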
--- a/.github/workflows/mlkem.yml +++ b/.github/workflows/mlkem.yml @@ -187,16 +187,18 @@ jobs: - uses: actions/checkout@v4 - name: 🛠️ Setup Rust Nightly - run: rustup toolchain install nightly + run: | + rustup toolchain install nightly + cargo install cargo-fuzz - - name: Update dependencies + - name: 🛠️ Update dependencies run: cargo update - - run: 🏃🏻‍♀️ Decaps + - name: 🏃🏻‍♀️ Decaps run: CARGO_PROFILE_RELEASE_LTO=false cargo +nightly fuzz run decaps -- -runs=100000 - - run: 🏃🏻‍♀️ Encaps + - name: 🏃🏻‍♀️ Encaps run: CARGO_PROFILE_RELEASE_LTO=false cargo +nightly fuzz run encaps -- -runs=100000 - - run: 🏃🏻‍♀️ KeyGen + - name: 🏃🏻‍♀️ KeyGen run: CARGO_PROFILE_RELEASE_LTO=false cargo +nightly fuzz run keygen -- -runs=1000000 From d5632a5355be8d7d0665f2efcbc237001b70c284 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Wed, 6 Nov 2024 13:21:06 +0000 Subject: [PATCH 65/74] cargo fmt --- libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs b/libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs index 9ead66c04..84342631c 100644 --- a/libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs +++ b/libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs @@ -8,7 +8,7 @@ fuzz_target!(|data: &[u8]| { // Not enough entropy return; } - + let mut randomness = [0u8; KEY_GENERATION_SEED_SIZE]; randomness.copy_from_slice(&data[..KEY_GENERATION_SEED_SIZE]); From 11b5102a597fe52128ee3f1db18869141a4a5cc2 Mon Sep 17 00:00:00 2001 
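Review bot: `cargo install cargo-fuzz` in the setup step pulls the latest published cargo-fuzz with its dependency tree freshly resolved on every run, and `rustup toolchain install nightly` picks whatever nightly is current, so a failing fuzz run is hard to tell apart from a tooling or compiler change. `cargo install cargo-fuzz --locked` builds the tool from its own shipped lockfile, and pinning the toolchain, e.g. `rustup toolchain install nightly-<DATE>` paired with `cargo +nightly-<DATE> fuzz run …` (date is a placeholder to be chosen), makes the job reproducible. As a point of style, the `CARGO_PROFILE_RELEASE_LTO=false` prefix is repeated on all three run lines and could move to a job-level `env:` block so it is set once.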
From: Jonas Schneider-Bensch Date: Wed, 6 Nov 2024 14:29:56 +0100 Subject: [PATCH 66/74] Use local functions in favor of macros to help F* --- .../fstar/extraction/Libcrux_ml_dsa.Ntt.fst | 1971 ++--------- .../fstar/extraction/Libcrux_ml_dsa.Ntt.fsti | 30 + .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fst | 3067 +++-------------- .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti | 30 + .../Libcrux_ml_dsa.Simd.Portable.Ntt.fst | 1023 +----- .../Libcrux_ml_dsa.Simd.Portable.Ntt.fsti | 24 + libcrux-ml-dsa/src/ntt.rs | 249 +- libcrux-ml-dsa/src/simd/avx2/ntt.rs | 374 +- libcrux-ml-dsa/src/simd/portable/ntt.rs | 225 +- 9 files changed, 1382 insertions(+), 5611 deletions(-) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst index f0e0c4d22..25a5d7d91 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst @@ -9,12 +9,14 @@ let _ = let open Libcrux_ml_dsa.Simd.Traits in () -let invert_ntt_at_layer_0_ +let invert_ntt_at_layer_0___round (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) = let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = { 
@@ -23,314 +25,184 @@ let invert_ntt_at_layer_0_ = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 0) + index (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 0 ] <: v_SIMDUnit) - 1976782l - (-846154l) - 1400424l - 3937738l + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ index ] <: v_SIMDUnit) + zeta_0_ + zeta_1_ + zeta_2_ + zeta_3_ <: v_SIMDUnit) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit in + re + +let invert_ntt_at_layer_0_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 1) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 1 ] <: v_SIMDUnit) - (-1362209l) - (-48306l) - 3919660l - (-554416l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 0) 1976782l (-846154l) 1400424l 3937738l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 2) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 2 ] <: v_SIMDUnit) - (-3545687l) - 1612842l - (-976891l) - 183443l - <: - v_SIMDUnit) - } - <: - 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 1) (-1362209l) (-48306l) 3919660l (-554416l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 3) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 3 ] <: v_SIMDUnit) - (-2286327l) - (-420899l) - (-2235985l) - (-2939036l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 2) (-3545687l) 1612842l (-976891l) 183443l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 4) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 4 ] <: v_SIMDUnit) - (-3833893l) - (-260646l) - (-1104333l) - (-1667432l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 3) + (-2286327l) + (-420899l) + (-2235985l) + (-2939036l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 5) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 5 ] <: v_SIMDUnit) - 1910376l - (-1803090l) - 1723600l - (-426683l) - <: - v_SIMDUnit) - } - <: - 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 4) + (-3833893l) + (-260646l) + (-1104333l) + (-1667432l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 6) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 6 ] <: v_SIMDUnit) - 472078l - 1717735l - (-975884l) - 2213111l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 5) 1910376l (-1803090l) 1723600l (-426683l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 7) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 7 ] <: v_SIMDUnit) - 269760l - 3866901l - 3523897l - (-3038916l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 6) 472078l 1717735l (-975884l) 2213111l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 8) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 8 ] <: v_SIMDUnit) - (-1799107l) - (-3694233l) - 1652634l - 810149l - <: - v_SIMDUnit) - } - <: - 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 7) 269760l 3866901l 3523897l (-3038916l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 9) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 9 ] <: v_SIMDUnit) - 3014001l - 1616392l - 162844l - (-3183426l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 8) (-1799107l) (-3694233l) 1652634l 810149l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 10) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 10 ] <: v_SIMDUnit) - (-1207385l) - 185531l - 3369112l - 1957272l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 9) 3014001l 1616392l 162844l (-3183426l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 11) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 11 ] <: v_SIMDUnit) - (-164721l) - 2454455l - 2432395l - (-2013608l) - <: - v_SIMDUnit) - } - <: - 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 10) (-1207385l) 185531l 3369112l 1957272l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 12) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 12 ] <: v_SIMDUnit) - (-3776993l) - 594136l - (-3724270l) - (-2584293l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 11) (-164721l) 2454455l 2432395l (-2013608l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 13) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 13 ] <: v_SIMDUnit) - (-1846953l) - (-1671176l) - (-2831860l) - (-542412l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 12) (-3776993l) 594136l (-3724270l) (-2584293l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 14) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 14 ] <: v_SIMDUnit) - 3406031l - 2235880l - 777191l - 1500165l - <: - v_SIMDUnit) - } - <: - 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 13) + (-1846953l) + (-1671176l) + (-2831860l) + (-542412l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 14) 3406031l 2235880l 777191l 1500165l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 15) + (-1374803l) + (-2546312l) + 1917081l + (-1279661l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 16) (-1962642l) 3306115l 1312455l (-451100l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 17) + (-1430225l) + (-3318210l) + 1237275l + (-1333058l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 18) (-1050970l) 1903435l 1869119l (-2994039l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 19) (-3548272l) 2635921l 1250494l (-3767016l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 20) 1595974l 2486353l 1247620l 4055324l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 21) 1265009l (-2590150l) 2691481l 2842341l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 22) 203044l 1735879l (-3342277l) 3437287l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 23) 4108315l (-2437823l) 286988l 342297l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + 
invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 24) + (-3595838l) + (-768622l) + (-525098l) + (-3556995l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 25) 3207046l 2031748l (-3122442l) (-655327l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 26) (-522500l) (-43260l) (-1613174l) 495491l in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 27) 819034l 909542l 1859098l 900702l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 28) + (-3193378l) + (-1197226l) + (-3759364l) + (-3520352l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 29) 3513181l (-1235728l) 2434439l 266997l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit + re + (sz 30) + (-3562462l) + (-2446433l) + 2244091l + (-3342478l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_0___round #v_SIMDUnit re (sz 31) 3817976l 2316500l 3407706l 2091667l + in + re + +let invert_ntt_at_layer_1___round + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (index: usize) + (zeta_0_ zeta_1_: i32) + = let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = { re with 
@@ -338,364 +210,133 @@ let invert_ntt_at_layer_0_ = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 15) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + index + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 15 ] <: v_SIMDUnit) - (-1374803l) - (-2546312l) - 1917081l - (-1279661l) + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ index ] <: v_SIMDUnit) + zeta_0_ + zeta_1_ <: v_SIMDUnit) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit in + re + +let invert_ntt_at_layer_1_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 16) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 16 ] <: v_SIMDUnit) - (-1962642l) - 3306115l - 1312455l - (-451100l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 0) 3839961l (-3628969l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 17) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 17 ] <: v_SIMDUnit) - (-1430225l) - (-3318210l) - 1237275l - (-1333058l) - <: - v_SIMDUnit) 
- } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 1) (-3881060l) (-3019102l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 18) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 18 ] <: v_SIMDUnit) - (-1050970l) - 1903435l - 1869119l - (-2994039l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 2) (-1439742l) (-812732l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 19) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 19 ] <: v_SIMDUnit) - (-3548272l) - 2635921l - 1250494l - (-3767016l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 3) (-1584928l) 1285669l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 20) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 20 ] <: v_SIMDUnit) - 1595974l - 2486353l - 1247620l - 4055324l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + 
invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 4) 1341330l 1315589l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 21) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 21 ] <: v_SIMDUnit) - 1265009l - (-2590150l) - 2691481l - 2842341l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 5) (-177440l) (-2409325l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 22) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 22 ] <: v_SIMDUnit) - 203044l - 1735879l - (-3342277l) - 3437287l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 6) (-1851402l) 3159746l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 23) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 23 ] <: v_SIMDUnit) - 4108315l - (-2437823l) - 286988l - 342297l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 7) (-3553272l) 189548l in let 
re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 24) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 24 ] <: v_SIMDUnit) - (-3595838l) - (-768622l) - (-525098l) - (-3556995l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 8) (-1316856l) 759969l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 25) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 25 ] <: v_SIMDUnit) - 3207046l - 2031748l - (-3122442l) - (-655327l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 9) (-210977l) 2389356l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 26) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 26 ] <: v_SIMDUnit) - (-522500l) - (-43260l) - (-1613174l) - 495491l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 10) (-3249728l) 1653064l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - 
Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 27) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 27 ] <: v_SIMDUnit) - 819034l - 909542l - 1859098l - 900702l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 11) (-8578l) (-3724342l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 28) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 28 ] <: v_SIMDUnit) - (-3193378l) - (-1197226l) - (-3759364l) - (-3520352l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 12) 3958618l 904516l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 29) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 29 ] <: v_SIMDUnit) - 3513181l - (-1235728l) - 2434439l - 266997l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 13) (-1100098l) 44288l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 30) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 30 ] <: v_SIMDUnit) - (-3562462l) - (-2446433l) - 2244091l - (-3342478l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 14) 3097992l 508951l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 31) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 31 ] <: v_SIMDUnit) - 3817976l - 2316500l - 3407706l - 2091667l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 15) 264944l (-3343383l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 16) (-1430430l) 1852771l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 17) 1349076l (-381987l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 18) (-1308169l) (-22981l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 19) (-1228525l) (-671102l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 20) (-2477047l) (-411027l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + 
invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 21) (-3693493l) (-2967645l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 22) 2715295l 2147896l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 23) (-983419l) 3412210l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 24) 126922l (-3632928l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 25) (-3157330l) (-3190144l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 26) (-1000202l) (-4083598l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 27) 1939314l (-1257611l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 28) (-1585221l) 2176455l + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 29) 3475950l (-1452451l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 30) (-3041255l) (-3677745l) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + invert_ntt_at_layer_1___round #v_SIMDUnit re (sz 31) (-1528703l) (-3930395l) in re -let invert_ntt_at_layer_1_ +let invert_ntt_at_layer_2___round (#v_SIMDUnit: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (index: usize) + (zeta: i32) = let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = { 
@@ -704,1191 +345,121 @@ let invert_ntt_at_layer_1_ = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 0) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + index + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 0 ] <: v_SIMDUnit) - 3839961l - (-3628969l) + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ index ] <: v_SIMDUnit) + zeta <: v_SIMDUnit) } <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit in + re + +let invert_ntt_at_layer_2_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 1) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 1 ] <: v_SIMDUnit) - (-3881060l) - (-3019102l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 0) (-2797779l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 2) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 2 ] <: v_SIMDUnit) - (-1439742l) - (-812732l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + 
invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 1) 2071892l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 3) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 3 ] <: v_SIMDUnit) - (-1584928l) - 1285669l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 2) (-2556880l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 4) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 4 ] <: v_SIMDUnit) - 1341330l - 1315589l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 3) 3900724l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 5) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 5 ] <: v_SIMDUnit) - (-177440l) - (-2409325l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 4) 3881043l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 6) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 6 ] <: v_SIMDUnit) - (-1851402l) - 3159746l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 5) 954230l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 7) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 7 ] <: v_SIMDUnit) - (-3553272l) - 189548l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 6) 531354l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 8) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 8 ] <: v_SIMDUnit) - (-1316856l) - 759969l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 7) 811944l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 9) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - 
#FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 9 ] <: v_SIMDUnit) - (-210977l) - 2389356l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 8) 3699596l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 10) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 10 ] <: v_SIMDUnit) - (-3249728l) - 1653064l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 9) (-1600420l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 11) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 11 ] <: v_SIMDUnit) - (-8578l) - (-3724342l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 10) (-2140649l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 12) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 12 ] <: v_SIMDUnit) - 3958618l - 904516l - <: - v_SIMDUnit) - } - <: - 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 11) 3507263l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 13) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 13 ] <: v_SIMDUnit) - (-1100098l) - 44288l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 12) (-3821735l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 14) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 14 ] <: v_SIMDUnit) - 3097992l - 508951l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 13) 3505694l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 15) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 15 ] <: v_SIMDUnit) - 264944l - (-3343383l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 14) (-1643818l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = 
- { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 16) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 16 ] <: v_SIMDUnit) - (-1430430l) - 1852771l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 15) (-1699267l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 17) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 17 ] <: v_SIMDUnit) - 1349076l - (-381987l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 16) (-539299l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 18) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 18 ] <: v_SIMDUnit) - (-1308169l) - (-22981l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 17) 2348700l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 19) - 
(Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 19 ] <: v_SIMDUnit) - (-1228525l) - (-671102l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 18) (-300467l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 20) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 20 ] <: v_SIMDUnit) - (-2477047l) - (-411027l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 19) 3539968l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 21) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 21 ] <: v_SIMDUnit) - (-3693493l) - (-2967645l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 22) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 22 ] <: v_SIMDUnit) - 2715295l - 2147896l - <: - v_SIMDUnit) - } - <: - 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 23) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 23 ] <: v_SIMDUnit) - (-983419l) - 3412210l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 24) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 24 ] <: v_SIMDUnit) - 126922l - (-3632928l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 25) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 25 ] <: v_SIMDUnit) - (-3157330l) - (-3190144l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 26) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ 
#v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 26 ] <: v_SIMDUnit) - (-1000202l) - (-4083598l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 27) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 27 ] <: v_SIMDUnit) - 1939314l - (-1257611l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 28) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 28 ] <: v_SIMDUnit) - (-1585221l) - 2176455l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 29) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 29 ] <: v_SIMDUnit) - 3475950l - (-1452451l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 30) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 30 ] <: v_SIMDUnit) - (-3041255l) - (-3677745l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 31) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 31 ] <: v_SIMDUnit) - (-1528703l) - (-3930395l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - re - -let invert_ntt_at_layer_2_ - (#v_SIMDUnit: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) - (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) - = - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 0) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 0 ] <: v_SIMDUnit) - (-2797779l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 1) - 
(Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 1 ] <: v_SIMDUnit) - 2071892l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 2) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 2 ] <: v_SIMDUnit) - (-2556880l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 3) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 3 ] <: v_SIMDUnit) - 3900724l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 4) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 4 ] <: v_SIMDUnit) - 3881043l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 5) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 5 ] <: v_SIMDUnit) - 954230l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 6) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 6 ] <: v_SIMDUnit) - 531354l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 7) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 7 ] <: v_SIMDUnit) - 811944l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 8) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 8 ] <: v_SIMDUnit) - 3699596l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let 
re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 9) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 9 ] <: v_SIMDUnit) - (-1600420l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 10) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 10 ] <: v_SIMDUnit) - (-2140649l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 11) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 11 ] <: v_SIMDUnit) - 3507263l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 12) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 12 ] <: v_SIMDUnit) 
- (-3821735l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 13) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 13 ] <: v_SIMDUnit) - 3505694l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 14) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 14 ] <: v_SIMDUnit) - (-1643818l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 15) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 15 ] <: v_SIMDUnit) - (-1699267l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 16) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ 
#v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 16 ] <: v_SIMDUnit) - (-539299l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 17) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 17 ] <: v_SIMDUnit) - 2348700l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 18) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 18 ] <: v_SIMDUnit) - (-300467l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 19) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 19 ] <: v_SIMDUnit) - 3539968l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit - in - let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 20) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 20 ] <: v_SIMDUnit) - (-2867647l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 20) (-2867647l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 21) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 21 ] <: v_SIMDUnit) - 3574422l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 21) 3574422l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 22) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 22 ] <: v_SIMDUnit) - (-3043716l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 22) (-3043716l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 23) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - 
(re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 23 ] <: v_SIMDUnit) - (-3861115l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 23) (-3861115l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 24) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 24 ] <: v_SIMDUnit) - 3915439l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 24) 3915439l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 25) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 25 ] <: v_SIMDUnit) - (-2537516l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 25) (-2537516l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 26) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 26 ] <: v_SIMDUnit) - (-3592148l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 
26) (-3592148l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 27) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 27 ] <: v_SIMDUnit) - (-1661693l) - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 27) (-1661693l) in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 28) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 28 ] <: v_SIMDUnit) - 3530437l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 28) 3530437l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 29) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 29 ] <: v_SIMDUnit) - 3077325l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 29) 3077325l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - 
.Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 30) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 30 ] <: v_SIMDUnit) - 95776l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 30) 95776l in let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = - { - re with - Libcrux_ml_dsa.Polynomial.f_simd_units - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_dsa.Polynomial.f_simd_units - (sz 31) - (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit - #FStar.Tactics.Typeclasses.solve - (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ sz 31 ] <: v_SIMDUnit) - 2706023l - <: - v_SIMDUnit) - } - <: - Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + invert_ntt_at_layer_2___round #v_SIMDUnit re (sz 31) 2706023l in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti index ed4cbfb4e..15b336a66 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti @@ -29,6 +29,16 @@ let invert_ntt_at_layer_7___STEP: usize = sz 128 let invert_ntt_at_layer_7___STEP_BY: usize = sz 16 +val invert_ntt_at_layer_0___round + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + val invert_ntt_at_layer_0_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} 
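Review bot: `invert_ntt_at_layer_0___round` is declared with a bare `index: usize` and a `Prims.l_True` precondition, and the same holds for `invert_ntt_at_layer_1___round` and `invert_ntt_at_layer_2___round` in the next two hunks and for `index`/`step_by` of `ntt_at_layer_7_and_6___mul` in the Avx2 hunk below. These helpers replace code that updated `re.f_simd_units` at the literal positions `sz 0` … `sz 31` (removed lines of the preceding `.fst` hunk), so their bodies presumably index that array at `index`; with no hypothesis the `v index < 32` obligation (and, for the Avx2 helper, the `+!` overflow check on `index +! step_by`) can only go through if the module is lax-checked. If the extraction is meant to verify, the bound belongs on the Rust helper, e.g. `#[hax_lib::requires(index < 32)]`, so that hax emits it as the `requires` here instead of `Prims.l_True`. The definitions of the three `___round` helpers are outside this chunk, so this is inferred from the declarations and the call sites.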
@@ -37,6 +47,16 @@ val invert_ntt_at_layer_0_ Prims.l_True (fun _ -> Prims.l_True) +val invert_ntt_at_layer_1___round + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (index: usize) + (zeta_0_ zeta_1_: i32) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + val invert_ntt_at_layer_1_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} @@ -45,6 +65,16 @@ val invert_ntt_at_layer_1_ Prims.l_True (fun _ -> Prims.l_True) +val invert_ntt_at_layer_2___round + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (index: usize) + (zeta: i32) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + val invert_ntt_at_layer_2_ (#v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst index fb55f5f13..72db9fe4d 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst 
@@ -3,6 +3,48 @@ module Libcrux_ml_dsa.Simd.Avx2.Ntt open Core open FStar.Mul +let ntt_at_layer_7_and_6___mul + (re: t_Array u8 (sz 32)) + (index: usize) + (zeta: u8) + (step_by: usize) + (field_modulus inverse_of_modulus_mod_montgomery_r: u8) + = + let prod02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ index +! step_by <: usize ] <: u8) zeta + in + let prod13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 + 245l + (re.[ index +! step_by <: usize ] <: u8) + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta <: u8) + in + let k02:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r + in + let k13:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r + in + let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in + let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in + let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in + let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in + let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (index +! 
step_by <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ index ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + index + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ index ] <: u8) t <: u8) + in + re + let butterfly_2_ (a b: u8) (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) = let a_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a in let b_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b in 
@@ -121,2743 +163,487 @@ let invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32) = let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 240l sums products -let ntt_at_layer_0_ (re: t_Array u8 (sz 32)) = - let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 0 ] <: u8) (re.[ sz 0 +! sz 1 <: usize ] <: u8) 2091667l 3407706l 2316500l - 3817976l (-3342478l) 2244091l (-2446433l) (-3562462l) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0) a - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 2 ] <: u8) (re.[ sz 2 +! sz 1 <: usize ] <: u8) 266997l 2434439l - (-1235728l) 3513181l (-3520352l) (-3759364l) (-1197226l) (-3193378l) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2) a - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 4 ] <: u8) (re.[ sz 4 +! sz 1 <: usize ] <: u8) 900702l 1859098l 909542l - 819034l 495491l (-1613174l) (-43260l) (-522500l) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4) a - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 6 ] <: u8) (re.[ sz 6 +! sz 1 <: usize ] <: u8) (-655327l) (-3122442l) - 2031748l 3207046l (-3556995l) (-525098l) (-768622l) (-3595838l) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6) a - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6 +! 
sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 8 ] <: u8) (re.[ sz 8 +! sz 1 <: usize ] <: u8) 342297l 286988l - (-2437823l) 4108315l 3437287l (-3342277l) 1735879l 203044l - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8) a - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 10 ] <: u8) (re.[ sz 10 +! sz 1 <: usize ] <: u8) 2842341l 2691481l - (-2590150l) 1265009l 4055324l 1247620l 2486353l 1595974l - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10) a - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10 +! sz 1 <: usize) b - in +let ntt_at_layer_0___round + (re: t_Array u8 (sz 32)) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_: i32) + = let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 12 ] <: u8) (re.[ sz 12 +! sz 1 <: usize ] <: u8) (-3767016l) 1250494l - 2635921l (-3548272l) (-2994039l) 1869119l 1903435l (-1050970l) + butterfly_2_ (re.[ index ] <: u8) (re.[ index +! sz 1 <: usize ] <: u8) zeta_0_ zeta_1_ zeta_2_ + zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_ in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12) a + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index a in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 14 ] <: u8) (re.[ sz 14 +! sz 1 <: usize ] <: u8) (-1333058l) 1237275l - (-3318210l) (-1430225l) (-451100l) 1312455l 3306115l (-1962642l) + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! 
sz 1 <: usize) b in + re + +let ntt_at_layer_0_ (re: t_Array u8 (sz 32)) = let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14) a + ntt_at_layer_0___round re (sz 0) 2091667l 3407706l 2316500l 3817976l (-3342478l) 2244091l + (-2446433l) (-3562462l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 16 ] <: u8) (re.[ sz 16 +! sz 1 <: usize ] <: u8) (-1279661l) 1917081l - (-2546312l) (-1374803l) 1500165l 777191l 2235880l 3406031l + ntt_at_layer_0___round re (sz 2) 266997l 2434439l (-1235728l) 3513181l (-3520352l) (-3759364l) + (-1197226l) (-3193378l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16) a + ntt_at_layer_0___round re (sz 4) 900702l 1859098l 909542l 819034l 495491l (-1613174l) (-43260l) + (-522500l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 18 ] <: u8) (re.[ sz 18 +! sz 1 <: usize ] <: u8) (-542412l) (-2831860l) - (-1671176l) (-1846953l) (-2584293l) (-3724270l) 594136l (-3776993l) + ntt_at_layer_0___round re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l (-3556995l) (-525098l) + (-768622l) (-3595838l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18) a + ntt_at_layer_0___round re (sz 8) 342297l 286988l (-2437823l) 4108315l 3437287l (-3342277l) + 1735879l 203044l in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 20 ] <: u8) (re.[ sz 20 +! 
sz 1 <: usize ] <: u8) (-2013608l) 2432395l - 2454455l (-164721l) 1957272l 3369112l 185531l (-1207385l) + ntt_at_layer_0___round re (sz 10) 2842341l 2691481l (-2590150l) 1265009l 4055324l 1247620l + 2486353l 1595974l in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20) a + ntt_at_layer_0___round re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l) (-2994039l) 1869119l + 1903435l (-1050970l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 22 ] <: u8) (re.[ sz 22 +! sz 1 <: usize ] <: u8) (-3183426l) 162844l - 1616392l 3014001l 810149l 1652634l (-3694233l) (-1799107l) + ntt_at_layer_0___round re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l) (-451100l) + 1312455l 3306115l (-1962642l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22) a + ntt_at_layer_0___round re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l) 1500165l 777191l + 2235880l 3406031l in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 24 ] <: u8) (re.[ sz 24 +! sz 1 <: usize ] <: u8) (-3038916l) 3523897l - 3866901l 269760l 2213111l (-975884l) 1717735l 472078l + ntt_at_layer_0___round re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l) (-2584293l) + (-3724270l) 594136l (-3776993l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24) a + ntt_at_layer_0___round re (sz 20) (-2013608l) 2432395l 2454455l (-164721l) 1957272l 3369112l + 185531l (-1207385l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 26 ] <: u8) (re.[ sz 26 +! 
sz 1 <: usize ] <: u8) (-426683l) 1723600l - (-1803090l) 1910376l (-1667432l) (-1104333l) (-260646l) (-3833893l) + ntt_at_layer_0___round re (sz 22) (-3183426l) 162844l 1616392l 3014001l 810149l 1652634l + (-3694233l) (-1799107l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26) a + ntt_at_layer_0___round re (sz 24) (-3038916l) 3523897l 3866901l 269760l 2213111l (-975884l) + 1717735l 472078l in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 28 ] <: u8) (re.[ sz 28 +! sz 1 <: usize ] <: u8) (-2939036l) (-2235985l) - (-420899l) (-2286327l) 183443l (-976891l) 1612842l (-3545687l) + ntt_at_layer_0___round re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l (-1667432l) + (-1104333l) (-260646l) (-3833893l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28) a + ntt_at_layer_0___round re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l) 183443l + (-976891l) 1612842l (-3545687l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28 +! sz 1 <: usize) b + ntt_at_layer_0___round re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l) 3937738l 1400424l + (-846154l) 1976782l in + re + +let ntt_at_layer_1___round + (re: t_Array u8 (sz 32)) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) + = let a, b:(u8 & u8) = - butterfly_2_ (re.[ sz 30 ] <: u8) (re.[ sz 30 +! sz 1 <: usize ] <: u8) (-554416l) 3919660l - (-48306l) (-1362209l) 3937738l 1400424l (-846154l) 1976782l + butterfly_4_ (re.[ index ] <: u8) + (re.[ index +! 
sz 1 <: usize ] <: u8) + zeta_0_ + zeta_1_ + zeta_2_ + zeta_3_ in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30) a + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index a in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30 +! sz 1 <: usize) b + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) b in re let ntt_at_layer_1_ (re: t_Array u8 (sz 32)) = - let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 0 ] <: u8) - (re.[ sz 0 +! sz 1 <: usize ] <: u8) - (-3930395l) - (-1528703l) - (-3677745l) - (-3041255l) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0) a - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 2 ] <: u8) - (re.[ sz 2 +! sz 1 <: usize ] <: u8) - (-1452451l) - 3475950l - 2176455l - (-1585221l) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2) a - in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 4 ] <: u8) - (re.[ sz 4 +! sz 1 <: usize ] <: u8) - (-1257611l) - 1939314l - (-4083598l) - (-1000202l) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4) a - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 6 ] <: u8) - (re.[ sz 6 +! 
sz 1 <: usize ] <: u8) - (-3190144l) - (-3157330l) - (-3632928l) - 126922l + ntt_at_layer_1___round re (sz 0) (-3930395l) (-1528703l) (-3677745l) (-3041255l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6) a + ntt_at_layer_1___round re (sz 2) (-1452451l) 3475950l 2176455l (-1585221l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 8 ] <: u8) - (re.[ sz 8 +! sz 1 <: usize ] <: u8) - 3412210l - (-983419l) - 2147896l - 2715295l - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8) a + ntt_at_layer_1___round re (sz 4) (-1257611l) 1939314l (-4083598l) (-1000202l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 10 ] <: u8) - (re.[ sz 10 +! sz 1 <: usize ] <: u8) - (-2967645l) - (-3693493l) - (-411027l) - (-2477047l) + ntt_at_layer_1___round re (sz 6) (-3190144l) (-3157330l) (-3632928l) 126922l in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10) a + ntt_at_layer_1___round re (sz 8) 3412210l (-983419l) 2147896l 2715295l in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 12 ] <: u8) - (re.[ sz 12 +! sz 1 <: usize ] <: u8) - (-671102l) - (-1228525l) - (-22981l) - (-1308169l) + ntt_at_layer_1___round re (sz 10) (-2967645l) (-3693493l) (-411027l) (-2477047l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12) a + ntt_at_layer_1___round re (sz 12) (-671102l) (-1228525l) (-22981l) (-1308169l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12 +! 
sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 14 ] <: u8) - (re.[ sz 14 +! sz 1 <: usize ] <: u8) - (-381987l) - 1349076l - 1852771l - (-1430430l) + ntt_at_layer_1___round re (sz 14) (-381987l) 1349076l 1852771l (-1430430l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14) a + ntt_at_layer_1___round re (sz 16) (-3343383l) 264944l 508951l 3097992l in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 16 ] <: u8) - (re.[ sz 16 +! sz 1 <: usize ] <: u8) - (-3343383l) - 264944l - 508951l - 3097992l + ntt_at_layer_1___round re (sz 18) 44288l (-1100098l) 904516l 3958618l in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16) a + ntt_at_layer_1___round re (sz 20) (-3724342l) (-8578l) 1653064l (-3249728l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 18 ] <: u8) - (re.[ sz 18 +! sz 1 <: usize ] <: u8) - 44288l - (-1100098l) - 904516l - 3958618l + ntt_at_layer_1___round re (sz 22) 2389356l (-210977l) 759969l (-1316856l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18) a + ntt_at_layer_1___round re (sz 24) 189548l (-3553272l) 3159746l (-1851402l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 20 ] <: u8) - (re.[ sz 20 +! 
sz 1 <: usize ] <: u8) - (-3724342l) - (-8578l) - 1653064l - (-3249728l) + ntt_at_layer_1___round re (sz 26) (-2409325l) (-177440l) 1315589l 1341330l in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20) a + ntt_at_layer_1___round re (sz 28) 1285669l (-1584928l) (-812732l) (-1439742l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20 +! sz 1 <: usize) b + ntt_at_layer_1___round re (sz 30) (-3019102l) (-3881060l) (-3628969l) 3839961l in + re + +let ntt_at_layer_2___round (re: t_Array u8 (sz 32)) (index: usize) (zeta_0_ zeta_1_: i32) = let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 22 ] <: u8) - (re.[ sz 22 +! sz 1 <: usize ] <: u8) - 2389356l - (-210977l) - 759969l - (-1316856l) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22) a + butterfly_8_ (re.[ index ] <: u8) (re.[ index +! sz 1 <: usize ] <: u8) zeta_0_ zeta_1_ in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 24 ] <: u8) - (re.[ sz 24 +! sz 1 <: usize ] <: u8) - 189548l - (-3553272l) - 3159746l - (-1851402l) + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re index a in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24) a + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (index +! sz 1 <: usize) b in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24 +! 
sz 1 <: usize) b + re + +let ntt_at_layer_2_ (re: t_Array u8 (sz 32)) = + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 0) 2706023l 95776l in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 2) 3077325l 3530437l in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 4) (-1661693l) (-3592148l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 6) (-2537516l) 3915439l in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 8) (-3861115l) (-3043716l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 10) 3574422l (-2867647l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 12) 3539968l (-300467l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 14) 2348700l (-539299l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 16) (-1699267l) (-1643818l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 18) 3505694l (-3821735l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 20) 3507263l (-2140649l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 22) (-1600420l) 3699596l in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 24) 811944l 531354l in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 26) 954230l 3881043l in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 28) 3900724l (-2556880l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_2___round re (sz 30) 2071892l (-2797779l) in + re + +let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) = + let field_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 26 ] <: u8) - (re.[ sz 26 +! 
sz 1 <: usize ] <: u8) - (-2409325l) - (-177440l) - 1315589l - 1341330l + let inverse_of_modulus_mod_montgomery_r:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + <: + u64) + <: + i32) in + let zeta7:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 25847l in + let zeta60:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2608894l) in + let zeta61:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-518909l) in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26) a + ntt_at_layer_7_and_6___mul re + (sz 0) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 28 ] <: u8) - (re.[ sz 28 +! sz 1 <: usize ] <: u8) - 1285669l - (-1584928l) - (-812732l) - (-1439742l) + ntt_at_layer_7_and_6___mul re + (sz 0 +! sz 1 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28) a + ntt_at_layer_7_and_6___mul re + (sz 0 +! sz 2 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_4_ (re.[ sz 30 ] <: u8) - (re.[ sz 30 +! sz 1 <: usize ] <: u8) - (-3019102l) - (-3881060l) - (-3628969l) - 3839961l + ntt_at_layer_7_and_6___mul re + (sz 0 +! 
sz 3 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in + let _:Prims.unit = () in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30) a + ntt_at_layer_7_and_6___mul re + (sz 8) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30 +! sz 1 <: usize) b - in - re - -let ntt_at_layer_2_ (re: t_Array u8 (sz 32)) = - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 0 ] <: u8) (re.[ sz 0 +! sz 1 <: usize ] <: u8) 2706023l 95776l + ntt_at_layer_7_and_6___mul re + (sz 8 +! sz 1 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0) a + ntt_at_layer_7_and_6___mul re + (sz 8 +! sz 2 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 0 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 2 ] <: u8) (re.[ sz 2 +! sz 1 <: usize ] <: u8) 3077325l 3530437l + ntt_at_layer_7_and_6___mul re + (sz 8 +! sz 3 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in + let _:Prims.unit = () in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2) a + ntt_at_layer_7_and_6___mul re + (sz 0) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 2 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 4 ] <: u8) (re.[ sz 4 +! 
sz 1 <: usize ] <: u8) (-1661693l) (-3592148l) + ntt_at_layer_7_and_6___mul re + (sz 0 +! sz 1 <: usize) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4) a + ntt_at_layer_7_and_6___mul re + (sz 0 +! sz 2 <: usize) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 4 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 6 ] <: u8) (re.[ sz 6 +! sz 1 <: usize ] <: u8) (-2537516l) 3915439l + ntt_at_layer_7_and_6___mul re + (sz 0 +! sz 3 <: usize) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in + let _:Prims.unit = () in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6) a + ntt_at_layer_7_and_6___mul re + (sz 16) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 6 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 8 ] <: u8) (re.[ sz 8 +! sz 1 <: usize ] <: u8) (-3861115l) (-3043716l) + ntt_at_layer_7_and_6___mul re + (sz 16 +! sz 1 <: usize) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8) a + ntt_at_layer_7_and_6___mul re + (sz 16 +! sz 2 <: usize) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 8 +! 
sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 10 ] <: u8) (re.[ sz 10 +! sz 1 <: usize ] <: u8) 3574422l (-2867647l) + ntt_at_layer_7_and_6___mul re + (sz 16 +! sz 3 <: usize) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in + let _:Prims.unit = () in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10) a + ntt_at_layer_7_and_6___mul re + (sz 4) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 10 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 12 ] <: u8) (re.[ sz 12 +! sz 1 <: usize ] <: u8) 3539968l (-300467l) + ntt_at_layer_7_and_6___mul re + (sz 4 +! sz 1 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12) a + ntt_at_layer_7_and_6___mul re + (sz 4 +! sz 2 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 12 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 14 ] <: u8) (re.[ sz 14 +! sz 1 <: usize ] <: u8) 2348700l (-539299l) + ntt_at_layer_7_and_6___mul re + (sz 4 +! 
sz 3 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in + let _:Prims.unit = () in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14) a + ntt_at_layer_7_and_6___mul re + (sz 12) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 14 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 16 ] <: u8) (re.[ sz 16 +! sz 1 <: usize ] <: u8) (-1699267l) (-1643818l) + ntt_at_layer_7_and_6___mul re + (sz 12 +! sz 1 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16) a + ntt_at_layer_7_and_6___mul re + (sz 12 +! sz 2 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 16 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 18 ] <: u8) (re.[ sz 18 +! sz 1 <: usize ] <: u8) 3505694l (-3821735l) + ntt_at_layer_7_and_6___mul re + (sz 12 +! sz 3 <: usize) + zeta7 + ntt_at_layer_7_and_6___STEP_BY_7_ + field_modulus + inverse_of_modulus_mod_montgomery_r in + let _:Prims.unit = () in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18) a + ntt_at_layer_7_and_6___mul re + (sz 4) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 18 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 20 ] <: u8) (re.[ sz 20 +! 
sz 1 <: usize ] <: u8) 3507263l (-2140649l) + ntt_at_layer_7_and_6___mul re + (sz 4 +! sz 1 <: usize) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20) a + ntt_at_layer_7_and_6___mul re + (sz 4 +! sz 2 <: usize) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 20 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 22 ] <: u8) (re.[ sz 22 +! sz 1 <: usize ] <: u8) (-1600420l) 3699596l + ntt_at_layer_7_and_6___mul re + (sz 4 +! sz 3 <: usize) + zeta60 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in + let _:Prims.unit = () in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22) a + ntt_at_layer_7_and_6___mul re + (sz 20) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 22 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 24 ] <: u8) (re.[ sz 24 +! sz 1 <: usize ] <: u8) 811944l 531354l + ntt_at_layer_7_and_6___mul re + (sz 20 +! sz 1 <: usize) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24) a + ntt_at_layer_7_and_6___mul re + (sz 20 +! sz 2 <: usize) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 24 +! sz 1 <: usize) b + ntt_at_layer_7_and_6___mul re + (sz 20 +! 
sz 3 <: usize) + zeta61 + ntt_at_layer_7_and_6___STEP_BY_6_ + field_modulus + inverse_of_modulus_mod_montgomery_r in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 26 ] <: u8) (re.[ sz 26 +! sz 1 <: usize ] <: u8) 954230l 3881043l - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26) a - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 26 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 28 ] <: u8) (re.[ sz 28 +! sz 1 <: usize ] <: u8) 3900724l (-2556880l) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28) a - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 28 +! sz 1 <: usize) b - in - let a, b:(u8 & u8) = - butterfly_8_ (re.[ sz 30 ] <: u8) (re.[ sz 30 +! sz 1 <: usize ] <: u8) 2071892l (-2797779l) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30) a - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re (sz 30 +! sz 1 <: usize) b - in - re - -let ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) = - let field_modulus:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS - in - let inverse_of_modulus_mod_montgomery_r:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R - <: - u64) - <: - i32) - in - let zeta7:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 25847l in - let zeta60:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2608894l) in - let zeta61:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-518909l) in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 0 +! 
ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ sz 0 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 0 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 0) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 1 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 0 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 0 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 0 +! sz 1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 2 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 0 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 0 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 0 +! sz 2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 3 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 0 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 0 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 0 +! sz 3 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8) - in - let _:Prims.unit = () in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 8 +! ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ sz 8 +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 8 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 8) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 8 +! sz 1 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 8 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 8 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 +! sz 1 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 8 +! sz 1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 +! sz 1 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 8 +! sz 2 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 8 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 8 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 +! sz 2 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 8 +! sz 2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 +! sz 2 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 8 +! sz 3 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 8 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 8 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 8 +! sz 3 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 8 +! sz 3 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 8 +! sz 3 <: usize ] <: u8) t <: u8) - in - let _:Prims.unit = () in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 0 +! ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta60 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ sz 0 +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 0 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 0) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 1 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta60 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 0 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 0 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 0 +! sz 1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 1 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 2 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta60 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 0 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 0 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 0 +! sz 2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 2 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 0 +! sz 3 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta60 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 0 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 0 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 0 +! sz 3 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 0 +! sz 3 <: usize ] <: u8) t <: u8) - in - let _:Prims.unit = () in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 16 +! ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta61 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ sz 16 +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 16 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 16) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 16 +! sz 1 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta61 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 16 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 16 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 +! sz 1 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 16 +! sz 1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 +! sz 1 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 16 +! sz 2 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta61 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 16 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 16 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 +! sz 2 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 16 +! sz 2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 +! sz 2 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 16 +! sz 3 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta61 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 16 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 16 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 16 +! sz 3 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 16 +! sz 3 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 16 +! sz 3 <: usize ] <: u8) t <: u8) - in - let _:Prims.unit = () in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 4 +! ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ sz 4 +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 4 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 4) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 1 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 4 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 4 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 4 +! sz 1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 2 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 4 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 4 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 4 +! sz 2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 3 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 4 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 4 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 4 +! sz 3 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8) - in - let _:Prims.unit = () in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 12 +! ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ sz 12 +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 12 +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 12) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 12 +! sz 1 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 12 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 12 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 +! sz 1 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 12 +! sz 1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 +! sz 1 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 12 +! sz 2 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 12 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 12 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 +! sz 2 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 12 +! sz 2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 +! sz 2 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 12 +! sz 3 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_7_ - <: - usize ] - <: - u8) - zeta7 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 12 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_7_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta7 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 12 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_7_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 12 +! sz 3 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 12 +! sz 3 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 12 +! sz 3 <: usize ] <: u8) t <: u8) - in - let _:Prims.unit = () in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 4 +! ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta60 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ sz 4 +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 4 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 4) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 1 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta60 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 4 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 4 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 4 +! sz 1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 1 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 2 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta60 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 4 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 4 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 4 +! sz 2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 2 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 4 +! sz 3 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta60 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 4 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta60 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 4 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 4 +! sz 3 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 4 +! sz 3 <: usize ] <: u8) t <: u8) - in - let _:Prims.unit = () in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ sz 20 +! ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta61 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ sz 20 +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 20 +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 20) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 20 +! sz 1 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta61 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 20 +! sz 1 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 20 +! sz 1 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 +! sz 1 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 20 +! sz 1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 +! sz 1 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 20 +! sz 2 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta61 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 20 +! sz 2 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 20 +! sz 2 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 +! sz 2 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 20 +! sz 2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 +! sz 2 <: usize ] <: u8) t <: u8) - in - let prod02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (re.[ (sz 20 +! sz 3 <: usize) +! - ntt_at_layer_7_and_6___STEP_BY_6_ - <: - usize ] - <: - u8) - zeta61 - in - let prod13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 - 245l - (re.[ (sz 20 +! sz 3 <: usize) +! 
ntt_at_layer_7_and_6___STEP_BY_6_ <: usize ] <: u8) - <: - u8) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l zeta61 <: u8) - in - let k02:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod02 inverse_of_modulus_mod_montgomery_r - in - let k13:u8 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 prod13 inverse_of_modulus_mod_montgomery_r - in - let c02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k02 field_modulus in - let c13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epi32 k13 field_modulus in - let res02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod02 c02 in - let res13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 prod13 c13 in - let res02_shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l res02 in - let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l res02_shifted res13 in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - ((sz 20 +! sz 3 <: usize) +! ntt_at_layer_7_and_6___STEP_BY_6_ <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ sz 20 +! sz 3 <: usize ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 20 +! sz 3 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ sz 20 +! sz 3 <: usize ] <: u8) t <: u8) - in - let _:Prims.unit = () in - re - -let ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) = - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 237124l in - let offset:usize = - ((sz 0 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! 
ntt_at_layer_5_to_3___STEP_BY <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-777960l) in - let offset:usize = - ((sz 1 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-876248l) in - let offset:usize = - ((sz 2 *! 
ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 466468l in - let offset:usize = - ((sz 3 *! ntt_at_layer_5_to_3___STEP <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! 
ntt_at_layer_5_to_3___STEP_BY <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let _:Prims.unit = () in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1826347l in - let offset:usize = - ((sz 0 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_1 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2353451l in - let offset:usize = - ((sz 1 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! 
ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_1 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-359251l) in - let offset:usize = - ((sz 2 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_1 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2091905l) in - let offset:usize = - ((sz 3 *! 
ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_1 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 3119733l in - let offset:usize = - ((sz 4 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_1 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! 
ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2884855l) in - let offset:usize = - ((sz 5 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_1 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 3111497l in - let offset:usize = - ((sz 6 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! 
ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_1 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2680103l in - let offset:usize = - ((sz 7 *! ntt_at_layer_5_to_3___STEP_1 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_1 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_1 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let _:Prims.unit = () in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2725464l in - let offset:usize = - ((sz 0 *! 
ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1024112l in - let offset:usize = - ((sz 1 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-1079900l) in - let offset:usize = - ((sz 2 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 3585928l in - let offset:usize = - ((sz 3 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-549488l) in - let offset:usize = - ((sz 4 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-1119584l) in - let offset:usize = - ((sz 5 *! 
ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 2619752l in - let offset:usize = - ((sz 6 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2108549l) in - let offset:usize = - ((sz 7 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-2118186l) in - let offset:usize = - ((sz 8 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-3859737l) in - let offset:usize = - ((sz 9 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-1399561l) in - let offset:usize = - ((sz 10 *! 
ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-3277672l) in - let offset:usize = - ((sz 11 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! 
ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1757237l in - let offset:usize = - ((sz 12 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (-19422l) in - let offset:usize = - ((sz 13 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + let _:Prims.unit = () in + re + +let ntt_at_layer_5_to_3___round + (v_STEP v_STEP_BY: usize) + (re: t_Array u8 (sz 32)) + (index: usize) + (zeta: i32) + = + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 zeta in + let offset:usize = + ((index *! v_STEP <: usize) *! sz 2 <: usize) /! 
+ Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (offset +! v_STEP_BY <: usize) (fun re temp_1_ -> let re:t_Array u8 (sz 32) = re in let _:usize = temp_1_ in 
@@ -2867,91 +653,14 @@ let ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) = let re:t_Array u8 (sz 32) = re in let j:usize = j in let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! v_STEP_BY <: usize ] <: u8) rhs in let re:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 4010497l in - let offset:usize = - ((sz 14 *! ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - j - (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) - in - re) - in - let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 280005l in - let offset:usize = - ((sz 15 *! 
ntt_at_layer_5_to_3___STEP_2 <: usize) *! sz 2 <: usize) /! - Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Folds.fold_range offset - (offset +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) - (fun re temp_1_ -> - let re:t_Array u8 (sz 32) = re in - let _:usize = temp_1_ in - true) - re - (fun re j -> - let re:t_Array u8 (sz 32) = re in - let j:usize = j in - let t:u8 = - Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply (re.[ j +! - ntt_at_layer_5_to_3___STEP_BY_2 - <: - usize ] - <: - u8) - rhs - in - let re:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (j +! ntt_at_layer_5_to_3___STEP_BY_2 <: usize) + (j +! v_STEP_BY <: usize) (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) in let re:t_Array u8 (sz 32) = 
@@ -2961,6 +670,40 @@ let ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) = in re) in + let hax_temp_output:Prims.unit = () <: Prims.unit in + re + +let ntt_at_layer_5_to_3_ (re: t_Array u8 (sz 32)) = + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 0) 237124l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 1) (-777960l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 2) (-876248l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 32) (sz 4) re (sz 3) 466468l in + let _:Prims.unit = () in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 0) 1826347l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 1) 2353451l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 2) (-359251l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 3) (-2091905l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 4) 3119733l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 5) (-2884855l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 6) 3111497l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 16) (sz 2) re (sz 7) 2680103l in + let _:Prims.unit = () in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 0) 2725464l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 1) 1024112l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 2) (-1079900l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 3) 3585928l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 4) (-549488l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 5) (-1119584l) in + let re:t_Array u8 (sz 
32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 6) 2619752l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 7) (-2108549l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 8) (-2118186l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 9) (-3859737l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 10) (-1399561l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 11) (-3277672l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 12) 1757237l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 13) (-19422l) in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 14) 4010497l in + let re:t_Array u8 (sz 32) = ntt_at_layer_5_to_3___round (sz 8) (sz 1) re (sz 15) 280005l in let _:Prims.unit = () in let hax_temp_output:Prims.unit = () <: Prims.unit in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti index afa539b9a..b0253f5ed 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti @@ -11,6 +11,14 @@ let ntt_at_layer_5_to_3___STEP_1: usize = sz 1 < Prims.l_True) + let ntt_at_layer_5_to_3___STEP_BY: usize = ntt_at_layer_5_to_3___STEP /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT 
@@ -44,12 +52,27 @@ val invert_ntt_at_layer_1_ (simd_unit: u8) (zeta0 zeta1: i32) val invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_0___round + (re: t_Array u8 (sz 32)) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_ zeta_4_ zeta_5_ zeta_6_ zeta_7_: i32) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + val ntt_at_layer_0_ (re: t_Array u8 (sz 32)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_1___round + (re: t_Array u8 (sz 32)) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + val ntt_at_layer_1_ (re: t_Array u8 (sz 32)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_2___round (re: t_Array u8 (sz 32)) (index: usize) (zeta_0_ zeta_1_: i32) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + val ntt_at_layer_2_ (re: t_Array u8 (sz 32)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) @@ -59,6 +82,13 @@ val ntt_at_layer_2_ (re: t_Array u8 (sz 32)) val ntt_at_layer_7_and_6_ (re: t_Array u8 (sz 32)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_5_to_3___round + (v_STEP v_STEP_BY: usize) + (re: t_Array u8 (sz 32)) + (index: usize) + (zeta: i32) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + /// Layer 5, 4, 3 /// Each layer does 16 Montgomery multiplications -> 3*16 = 48 total /// pqclean does 4 * 4 on each layer -> 48 total | plus 4 * 4 shuffles every time (48) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst index 8cb54365c..5cddf2bbf 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst 
@@ -591,424 +591,124 @@ let simd_unit_ntt_at_layer_0_ in simd_unit -let ntt_at_layer_0_ +let ntt_at_layer_0___round (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) = let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 0) - (simd_unit_ntt_at_layer_0_ (re.[ sz 0 ] + index + (simd_unit_ntt_at_layer_0_ (re.[ index ] <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 2091667l - 3407706l - 2316500l - 3817976l + zeta_0_ + zeta_1_ + zeta_2_ + zeta_3_ <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in + re + +let ntt_at_layer_0_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 1) - (simd_unit_ntt_at_layer_0_ (re.[ sz 1 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3342478l) - 2244091l - (-2446433l) - (-3562462l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 0) 2091667l 3407706l 2316500l 3817976l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 2) - (simd_unit_ntt_at_layer_0_ (re.[ sz 2 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 266997l - 2434439l - (-1235728l) - 3513181l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 1) (-3342478l) 2244091l (-2446433l) (-3562462l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 3) - (simd_unit_ntt_at_layer_0_ (re.[ sz 3 ] - <: - 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3520352l) - (-3759364l) - (-1197226l) - (-3193378l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 2) 266997l 2434439l (-1235728l) 3513181l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 4) - (simd_unit_ntt_at_layer_0_ (re.[ sz 4 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 900702l - 1859098l - 909542l - 819034l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 3) (-3520352l) (-3759364l) (-1197226l) (-3193378l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 5) - (simd_unit_ntt_at_layer_0_ (re.[ sz 5 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 495491l - (-1613174l) - (-43260l) - (-522500l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 4) 900702l 1859098l 909542l 819034l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 6) - (simd_unit_ntt_at_layer_0_ (re.[ sz 6 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-655327l) - (-3122442l) - 2031748l - 3207046l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 5) 495491l (-1613174l) (-43260l) (-522500l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 7) - (simd_unit_ntt_at_layer_0_ (re.[ sz 7 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3556995l) - (-525098l) - (-768622l) - (-3595838l) - <: - 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 6) (-655327l) (-3122442l) 2031748l 3207046l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 8) - (simd_unit_ntt_at_layer_0_ (re.[ sz 8 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 342297l - 286988l - (-2437823l) - 4108315l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 7) (-3556995l) (-525098l) (-768622l) (-3595838l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 9) - (simd_unit_ntt_at_layer_0_ (re.[ sz 9 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 3437287l - (-3342277l) - 1735879l - 203044l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 8) 342297l 286988l (-2437823l) 4108315l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 10) - (simd_unit_ntt_at_layer_0_ (re.[ sz 10 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 2842341l - 2691481l - (-2590150l) - 1265009l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 9) 3437287l (-3342277l) 1735879l 203044l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 11) - (simd_unit_ntt_at_layer_0_ (re.[ sz 11 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 4055324l - 1247620l - 2486353l - 1595974l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 10) 2842341l 2691481l (-2590150l) 1265009l in let 
re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 12) - (simd_unit_ntt_at_layer_0_ (re.[ sz 12 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3767016l) - 1250494l - 2635921l - (-3548272l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 11) 4055324l 1247620l 2486353l 1595974l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 13) - (simd_unit_ntt_at_layer_0_ (re.[ sz 13 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-2994039l) - 1869119l - 1903435l - (-1050970l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 12) (-3767016l) 1250494l 2635921l (-3548272l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 14) - (simd_unit_ntt_at_layer_0_ (re.[ sz 14 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-1333058l) - 1237275l - (-3318210l) - (-1430225l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 13) (-2994039l) 1869119l 1903435l (-1050970l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 15) - (simd_unit_ntt_at_layer_0_ (re.[ sz 15 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-451100l) - 1312455l - 3306115l - (-1962642l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 14) (-1333058l) 1237275l (-3318210l) (-1430225l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 16) - (simd_unit_ntt_at_layer_0_ (re.[ sz 16 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-1279661l) - 1917081l - (-2546312l) - (-1374803l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 15) (-451100l) 1312455l 3306115l (-1962642l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 17) - (simd_unit_ntt_at_layer_0_ (re.[ sz 17 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 1500165l - 777191l - 2235880l - 3406031l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 16) (-1279661l) 1917081l (-2546312l) (-1374803l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 18) - (simd_unit_ntt_at_layer_0_ (re.[ sz 18 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-542412l) - (-2831860l) - (-1671176l) - (-1846953l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 17) 1500165l 777191l 2235880l 3406031l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 19) - (simd_unit_ntt_at_layer_0_ (re.[ sz 19 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-2584293l) - (-3724270l) - 594136l - (-3776993l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 18) (-542412l) (-2831860l) (-1671176l) (-1846953l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 20) - (simd_unit_ntt_at_layer_0_ (re.[ sz 20 ] 
- <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-2013608l) - 2432395l - 2454455l - (-164721l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 19) (-2584293l) (-3724270l) 594136l (-3776993l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 21) - (simd_unit_ntt_at_layer_0_ (re.[ sz 21 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 1957272l - 3369112l - 185531l - (-1207385l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 20) (-2013608l) 2432395l 2454455l (-164721l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 22) - (simd_unit_ntt_at_layer_0_ (re.[ sz 22 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3183426l) - 162844l - 1616392l - 3014001l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 21) 1957272l 3369112l 185531l (-1207385l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 23) - (simd_unit_ntt_at_layer_0_ (re.[ sz 23 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 810149l - 1652634l - (-3694233l) - (-1799107l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 22) (-3183426l) 162844l 1616392l 3014001l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 24) - (simd_unit_ntt_at_layer_0_ (re.[ sz 24 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3038916l) - 3523897l - 3866901l - 269760l - <: - 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 23) 810149l 1652634l (-3694233l) (-1799107l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 25) - (simd_unit_ntt_at_layer_0_ (re.[ sz 25 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 2213111l - (-975884l) - 1717735l - 472078l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 24) (-3038916l) 3523897l 3866901l 269760l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 26) - (simd_unit_ntt_at_layer_0_ (re.[ sz 26 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-426683l) - 1723600l - (-1803090l) - 1910376l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 25) 2213111l (-975884l) 1717735l 472078l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 27) - (simd_unit_ntt_at_layer_0_ (re.[ sz 27 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-1667432l) - (-1104333l) - (-260646l) - (-3833893l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 26) (-426683l) 1723600l (-1803090l) 1910376l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 28) - (simd_unit_ntt_at_layer_0_ (re.[ sz 28 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-2939036l) - (-2235985l) - (-420899l) - (-2286327l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 27) (-1667432l) (-1104333l) 
(-260646l) (-3833893l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 29) - (simd_unit_ntt_at_layer_0_ (re.[ sz 29 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 183443l - (-976891l) - 1612842l - (-3545687l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 28) (-2939036l) (-2235985l) (-420899l) (-2286327l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 30) - (simd_unit_ntt_at_layer_0_ (re.[ sz 30 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-554416l) - 3919660l - (-48306l) - (-1362209l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 29) 183443l (-976891l) 1612842l (-3545687l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 31) - (simd_unit_ntt_at_layer_0_ (re.[ sz 31 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 3937738l - 1400424l - (-846154l) - 1976782l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_0___round re (sz 30) (-554416l) 3919660l (-48306l) (-1362209l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_0___round re (sz 31) 3937738l 1400424l (-846154l) 1976782l in re 
@@ -1166,360 +866,122 @@ let simd_unit_ntt_at_layer_1_ in simd_unit -let ntt_at_layer_1_ +let ntt_at_layer_1___round (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (index: usize) + (zeta_0_ zeta_1_: i32) = let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 0) - (simd_unit_ntt_at_layer_1_ (re.[ sz 0 ] + index + (simd_unit_ntt_at_layer_1_ (re.[ index ] <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3930395l) - (-1528703l) + zeta_0_ + zeta_1_ <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in + re + +let ntt_at_layer_1_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 1) - (simd_unit_ntt_at_layer_1_ (re.[ sz 1 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3677745l) - (-3041255l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 0) (-3930395l) (-1528703l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 2) - (simd_unit_ntt_at_layer_1_ (re.[ sz 2 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-1452451l) - 3475950l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 1) (-3677745l) (-3041255l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 3) - (simd_unit_ntt_at_layer_1_ (re.[ sz 3 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 2176455l - (-1585221l) - <: - 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 2) (-1452451l) 3475950l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 4) - (simd_unit_ntt_at_layer_1_ (re.[ sz 4 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-1257611l) - 1939314l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 3) 2176455l (-1585221l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 5) - (simd_unit_ntt_at_layer_1_ (re.[ sz 5 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-4083598l) - (-1000202l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 4) (-1257611l) 1939314l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 6) - (simd_unit_ntt_at_layer_1_ (re.[ sz 6 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3190144l) - (-3157330l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 5) (-4083598l) (-1000202l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 7) - (simd_unit_ntt_at_layer_1_ (re.[ sz 7 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3632928l) - 126922l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 6) (-3190144l) (-3157330l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 8) - 
(simd_unit_ntt_at_layer_1_ (re.[ sz 8 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 3412210l - (-983419l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 7) (-3632928l) 126922l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 9) - (simd_unit_ntt_at_layer_1_ (re.[ sz 9 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 2147896l - 2715295l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 8) 3412210l (-983419l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 10) - (simd_unit_ntt_at_layer_1_ (re.[ sz 10 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-2967645l) - (-3693493l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 9) 2147896l 2715295l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 11) - (simd_unit_ntt_at_layer_1_ (re.[ sz 11 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-411027l) - (-2477047l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 10) (-2967645l) (-3693493l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 12) - (simd_unit_ntt_at_layer_1_ (re.[ sz 12 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-671102l) - (-1228525l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 11) (-411027l) (-2477047l) in let re:t_Array 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 13) - (simd_unit_ntt_at_layer_1_ (re.[ sz 13 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-22981l) - (-1308169l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 12) (-671102l) (-1228525l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 14) - (simd_unit_ntt_at_layer_1_ (re.[ sz 14 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-381987l) - 1349076l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 13) (-22981l) (-1308169l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 15) - (simd_unit_ntt_at_layer_1_ (re.[ sz 15 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 1852771l - (-1430430l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 14) (-381987l) 1349076l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 16) - (simd_unit_ntt_at_layer_1_ (re.[ sz 16 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3343383l) - 264944l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 15) 1852771l (-1430430l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 17) - (simd_unit_ntt_at_layer_1_ (re.[ sz 17 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 508951l - 3097992l - <: - 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 16) (-3343383l) 264944l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 18) - (simd_unit_ntt_at_layer_1_ (re.[ sz 18 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 44288l - (-1100098l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 17) 508951l 3097992l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 19) - (simd_unit_ntt_at_layer_1_ (re.[ sz 19 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 904516l - 3958618l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 18) 44288l (-1100098l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 20) - (simd_unit_ntt_at_layer_1_ (re.[ sz 20 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3724342l) - (-8578l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 19) 904516l 3958618l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 21) - (simd_unit_ntt_at_layer_1_ (re.[ sz 21 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 1653064l - (-3249728l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 20) (-3724342l) (-8578l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 22) - (simd_unit_ntt_at_layer_1_ (re.[ sz 
22 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 2389356l - (-210977l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 21) 1653064l (-3249728l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 23) - (simd_unit_ntt_at_layer_1_ (re.[ sz 23 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 759969l - (-1316856l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 22) 2389356l (-210977l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 24) - (simd_unit_ntt_at_layer_1_ (re.[ sz 24 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 189548l - (-3553272l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 23) 759969l (-1316856l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 25) - (simd_unit_ntt_at_layer_1_ (re.[ sz 25 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 3159746l - (-1851402l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 24) 189548l (-3553272l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 26) - (simd_unit_ntt_at_layer_1_ (re.[ sz 26 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-2409325l) - (-177440l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 25) 3159746l (-1851402l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 
32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 27) - (simd_unit_ntt_at_layer_1_ (re.[ sz 27 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 1315589l - 1341330l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 26) (-2409325l) (-177440l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 28) - (simd_unit_ntt_at_layer_1_ (re.[ sz 28 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 1285669l - (-1584928l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 27) 1315589l 1341330l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 29) - (simd_unit_ntt_at_layer_1_ (re.[ sz 29 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-812732l) - (-1439742l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 28) 1285669l (-1584928l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 30) - (simd_unit_ntt_at_layer_1_ (re.[ sz 30 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3019102l) - (-3881060l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_1___round re (sz 29) (-812732l) (-1439742l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 31) - (simd_unit_ntt_at_layer_1_ (re.[ sz 31 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3628969l) - 3839961l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + 
ntt_at_layer_1___round re (sz 30) (-3019102l) (-3881060l) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_1___round re (sz 31) (-3628969l) 3839961l in re 
@@ -1677,328 +1139,121 @@ let simd_unit_ntt_at_layer_2_ in simd_unit -let ntt_at_layer_2_ +let ntt_at_layer_2___round (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (index: usize) + (zeta: i32) = let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 0) - (simd_unit_ntt_at_layer_2_ (re.[ sz 0 ] + index + (simd_unit_ntt_at_layer_2_ (re.[ index ] <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 2706023l + zeta <: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) in + re + +let ntt_at_layer_2_ + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 1) - (simd_unit_ntt_at_layer_2_ (re.[ sz 1 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 95776l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 0) 2706023l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 2) - (simd_unit_ntt_at_layer_2_ (re.[ sz 2 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 3077325l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 1) 95776l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 3) - (simd_unit_ntt_at_layer_2_ (re.[ sz 3 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 3530437l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 2) 3077325l in let re:t_Array 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 4) - (simd_unit_ntt_at_layer_2_ (re.[ sz 4 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-1661693l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 3) 3530437l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 5) - (simd_unit_ntt_at_layer_2_ (re.[ sz 5 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3592148l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 4) (-1661693l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 6) - (simd_unit_ntt_at_layer_2_ (re.[ sz 6 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-2537516l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 5) (-3592148l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 7) - (simd_unit_ntt_at_layer_2_ (re.[ sz 7 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 3915439l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 6) (-2537516l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 8) - (simd_unit_ntt_at_layer_2_ (re.[ sz 8 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3861115l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 7) 3915439l in let re:t_Array 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 9) - (simd_unit_ntt_at_layer_2_ (re.[ sz 9 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3043716l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 8) (-3861115l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 10) - (simd_unit_ntt_at_layer_2_ (re.[ sz 10 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 3574422l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 9) (-3043716l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 11) - (simd_unit_ntt_at_layer_2_ (re.[ sz 11 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-2867647l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 10) 3574422l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 12) - (simd_unit_ntt_at_layer_2_ (re.[ sz 12 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 3539968l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 11) (-2867647l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 13) - (simd_unit_ntt_at_layer_2_ (re.[ sz 13 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-300467l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 12) 3539968l in let 
re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 14) - (simd_unit_ntt_at_layer_2_ (re.[ sz 14 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 2348700l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 13) (-300467l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 15) - (simd_unit_ntt_at_layer_2_ (re.[ sz 15 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-539299l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 14) 2348700l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 16) - (simd_unit_ntt_at_layer_2_ (re.[ sz 16 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-1699267l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 15) (-539299l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 17) - (simd_unit_ntt_at_layer_2_ (re.[ sz 17 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-1643818l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 16) (-1699267l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 18) - (simd_unit_ntt_at_layer_2_ (re.[ sz 18 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 3505694l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 17) 
(-1643818l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 19) - (simd_unit_ntt_at_layer_2_ (re.[ sz 19 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-3821735l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 18) 3505694l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 20) - (simd_unit_ntt_at_layer_2_ (re.[ sz 20 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 3507263l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 19) (-3821735l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 21) - (simd_unit_ntt_at_layer_2_ (re.[ sz 21 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-2140649l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 20) 3507263l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 22) - (simd_unit_ntt_at_layer_2_ (re.[ sz 22 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-1600420l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 21) (-2140649l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 23) - (simd_unit_ntt_at_layer_2_ (re.[ sz 23 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 3699596l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re 
(sz 22) (-1600420l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 24) - (simd_unit_ntt_at_layer_2_ (re.[ sz 24 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 811944l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 23) 3699596l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 25) - (simd_unit_ntt_at_layer_2_ (re.[ sz 25 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 531354l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 24) 811944l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 26) - (simd_unit_ntt_at_layer_2_ (re.[ sz 26 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 954230l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 25) 531354l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 27) - (simd_unit_ntt_at_layer_2_ (re.[ sz 27 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 3881043l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 26) 954230l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 28) - (simd_unit_ntt_at_layer_2_ (re.[ sz 28 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 3900724l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 27) 
3881043l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 29) - (simd_unit_ntt_at_layer_2_ (re.[ sz 29 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-2556880l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 28) 3900724l in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 30) - (simd_unit_ntt_at_layer_2_ (re.[ sz 30 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - 2071892l - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 29) (-2556880l) in let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - (sz 31) - (simd_unit_ntt_at_layer_2_ (re.[ sz 31 ] - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) - (-2797779l) - <: - Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + ntt_at_layer_2___round re (sz 30) 2071892l + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + ntt_at_layer_2___round re (sz 31) (-2797779l) in re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti index 61fd4f830..ae1f422e4 100644 --- a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti 
@@ -51,6 +51,14 @@ val simd_unit_ntt_at_layer_0_ Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_0___round + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (index: usize) + (zeta_0_ zeta_1_ zeta_2_ zeta_3_: i32) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + val ntt_at_layer_0_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) @@ -64,6 +72,14 @@ val simd_unit_ntt_at_layer_1_ Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_1___round + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (index: usize) + (zeta_0_ zeta_1_: i32) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + val ntt_at_layer_1_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) @@ -77,6 +93,14 @@ val simd_unit_ntt_at_layer_2_ Prims.l_True (fun _ -> Prims.l_True) +val ntt_at_layer_2___round + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (index: usize) + (zeta: i32) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + val ntt_at_layer_2_ (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) diff --git a/libcrux-ml-dsa/src/ntt.rs b/libcrux-ml-dsa/src/ntt.rs index df925fae8..eb8f2424d 100644 --- a/libcrux-ml-dsa/src/ntt.rs +++ b/libcrux-ml-dsa/src/ntt.rs 
@@ -15,135 +15,154 @@ pub(crate) fn ntt( #[inline(always)] fn invert_ntt_at_layer_0(re: &mut PolynomialRingElement) { - macro_rules! round { - ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => { - re.simd_units[$i] = SIMDUnit::invert_ntt_at_layer_0( - re.simd_units[$i], - $zeta_0, - $zeta_1, - $zeta_2, - $zeta_3, - ); - }; + #[inline(always)] + fn round( + re: &mut PolynomialRingElement, + index: usize, + zeta_0: i32, + zeta_1: i32, + zeta_2: i32, + zeta_3: i32, + ) { + re.simd_units[index] = + SIMDUnit::invert_ntt_at_layer_0(re.simd_units[index], zeta_0, zeta_1, zeta_2, zeta_3); } - round!(0, 1976782, -846154, 1400424, 3937738); - round!(1, -1362209, -48306, 3919660, -554416); - round!(2, -3545687, 1612842, -976891, 183443); - round!(3, -2286327, -420899, -2235985, -2939036); - round!(4, -3833893, -260646, -1104333, -1667432); - round!(5, 1910376, -1803090, 1723600, -426683); - round!(6, 472078, 1717735, -975884, 2213111); - round!(7, 269760, 3866901, 3523897, -3038916); - round!(8, -1799107, -3694233, 1652634, 810149); - round!(9, 3014001, 1616392, 162844, -3183426); - round!(10, -1207385, 185531, 3369112, 1957272); - round!(11, -164721, 2454455, 2432395, -2013608); - round!(12, -3776993, 594136, -3724270, -2584293); - round!(13, -1846953, -1671176, -2831860, -542412); - round!(14, 3406031, 2235880, 777191, 1500165); - round!(15, -1374803, -2546312, 1917081, -1279661); - round!(16, -1962642, 3306115, 1312455, -451100); - round!(17, -1430225, -3318210, 1237275, -1333058); - round!(18, -1050970, 1903435, 1869119, -2994039); - round!(19, -3548272, 2635921, 1250494, -3767016); - round!(20, 1595974, 2486353, 1247620, 4055324); - round!(21, 1265009, -2590150, 2691481, 2842341); - round!(22, 203044, 1735879, -3342277, 3437287); - round!(23, 4108315, -2437823, 286988, 342297); - round!(24, -3595838, -768622, -525098, -3556995); - round!(25, 3207046, 2031748, -3122442, -655327); - round!(26, -522500, -43260, -1613174, 495491); - 
round!(27, 819034, 909542, 1859098, 900702); - round!(28, -3193378, -1197226, -3759364, -3520352); - round!(29, 3513181, -1235728, 2434439, 266997); - round!(30, -3562462, -2446433, 2244091, -3342478); - round!(31, 3817976, 2316500, 3407706, 2091667); + // macro_rules! round { + // ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => { + // re.simd_units[$i] = SIMDUnit::invert_ntt_at_layer_0( + // re.simd_units[$i], + // $zeta_0, + // $zeta_1, + // $zeta_2, + // $zeta_3, + // ); + // }; + // } + + round(re, 0, 1976782, -846154, 1400424, 3937738); + round(re, 1, -1362209, -48306, 3919660, -554416); + round(re, 2, -3545687, 1612842, -976891, 183443); + round(re, 3, -2286327, -420899, -2235985, -2939036); + round(re, 4, -3833893, -260646, -1104333, -1667432); + round(re, 5, 1910376, -1803090, 1723600, -426683); + round(re, 6, 472078, 1717735, -975884, 2213111); + round(re, 7, 269760, 3866901, 3523897, -3038916); + round(re, 8, -1799107, -3694233, 1652634, 810149); + round(re, 9, 3014001, 1616392, 162844, -3183426); + round(re, 10, -1207385, 185531, 3369112, 1957272); + round(re, 11, -164721, 2454455, 2432395, -2013608); + round(re, 12, -3776993, 594136, -3724270, -2584293); + round(re, 13, -1846953, -1671176, -2831860, -542412); + round(re, 14, 3406031, 2235880, 777191, 1500165); + round(re, 15, -1374803, -2546312, 1917081, -1279661); + round(re, 16, -1962642, 3306115, 1312455, -451100); + round(re, 17, -1430225, -3318210, 1237275, -1333058); + round(re, 18, -1050970, 1903435, 1869119, -2994039); + round(re, 19, -3548272, 2635921, 1250494, -3767016); + round(re, 20, 1595974, 2486353, 1247620, 4055324); + round(re, 21, 1265009, -2590150, 2691481, 2842341); + round(re, 22, 203044, 1735879, -3342277, 3437287); + round(re, 23, 4108315, -2437823, 286988, 342297); + round(re, 24, -3595838, -768622, -525098, -3556995); + round(re, 25, 3207046, 2031748, -3122442, -655327); + round(re, 26, -522500, -43260, -1613174, 495491); + round(re, 27, 
819034, 909542, 1859098, 900702); + round(re, 28, -3193378, -1197226, -3759364, -3520352); + round(re, 29, 3513181, -1235728, 2434439, 266997); + round(re, 30, -3562462, -2446433, 2244091, -3342478); + round(re, 31, 3817976, 2316500, 3407706, 2091667); } #[inline(always)] fn invert_ntt_at_layer_1(re: &mut PolynomialRingElement) { - macro_rules! round { - ($i:literal, $zeta_0:literal, $zeta_1:literal) => { - re.simd_units[$i] = - SIMDUnit::invert_ntt_at_layer_1(re.simd_units[$i], $zeta_0, $zeta_1); - }; + #[inline(always)] + fn round( + re: &mut PolynomialRingElement, + index: usize, + zeta_0: i32, + zeta_1: i32, + ) { + re.simd_units[index] = + SIMDUnit::invert_ntt_at_layer_1(re.simd_units[index], zeta_0, zeta_1); } - round!(0, 3839961, -3628969); - round!(1, -3881060, -3019102); - round!(2, -1439742, -812732); - round!(3, -1584928, 1285669); - round!(4, 1341330, 1315589); - round!(5, -177440, -2409325); - round!(6, -1851402, 3159746); - round!(7, -3553272, 189548); - round!(8, -1316856, 759969); - round!(9, -210977, 2389356); - round!(10, -3249728, 1653064); - round!(11, -8578, -3724342); - round!(12, 3958618, 904516); - round!(13, -1100098, 44288); - round!(14, 3097992, 508951); - round!(15, 264944, -3343383); - round!(16, -1430430, 1852771); - round!(17, 1349076, -381987); - round!(18, -1308169, -22981); - round!(19, -1228525, -671102); - round!(20, -2477047, -411027); - round!(21, -3693493, -2967645); - round!(22, 2715295, 2147896); - round!(23, -983419, 3412210); - round!(24, 126922, -3632928); - round!(25, -3157330, -3190144); - round!(26, -1000202, -4083598); - round!(27, 1939314, -1257611); - round!(28, -1585221, 2176455); - round!(29, 3475950, -1452451); - round!(30, -3041255, -3677745); - round!(31, -1528703, -3930395); + round(re, 0, 3839961, -3628969); + round(re, 1, -3881060, -3019102); + round(re, 2, -1439742, -812732); + round(re, 3, -1584928, 1285669); + round(re, 4, 1341330, 1315589); + round(re, 5, -177440, -2409325); + round(re, 6, -1851402, 
3159746); + round(re, 7, -3553272, 189548); + round(re, 8, -1316856, 759969); + round(re, 9, -210977, 2389356); + round(re, 10, -3249728, 1653064); + round(re, 11, -8578, -3724342); + round(re, 12, 3958618, 904516); + round(re, 13, -1100098, 44288); + round(re, 14, 3097992, 508951); + round(re, 15, 264944, -3343383); + round(re, 16, -1430430, 1852771); + round(re, 17, 1349076, -381987); + round(re, 18, -1308169, -22981); + round(re, 19, -1228525, -671102); + round(re, 20, -2477047, -411027); + round(re, 21, -3693493, -2967645); + round(re, 22, 2715295, 2147896); + round(re, 23, -983419, 3412210); + round(re, 24, 126922, -3632928); + round(re, 25, -3157330, -3190144); + round(re, 26, -1000202, -4083598); + round(re, 27, 1939314, -1257611); + round(re, 28, -1585221, 2176455); + round(re, 29, 3475950, -1452451); + round(re, 30, -3041255, -3677745); + round(re, 31, -1528703, -3930395); } #[inline(always)] fn invert_ntt_at_layer_2(re: &mut PolynomialRingElement) { - macro_rules! round { - ($i:literal, $zeta:literal) => { - re.simd_units[$i] = SIMDUnit::invert_ntt_at_layer_2(re.simd_units[$i], $zeta); - }; + fn round( + re: &mut PolynomialRingElement, + index: usize, + zeta: i32, + ) { + re.simd_units[index] = SIMDUnit::invert_ntt_at_layer_2(re.simd_units[index], zeta); } - round!(0, -2797779); - round!(1, 2071892); - round!(2, -2556880); - round!(3, 3900724); - round!(4, 3881043); - round!(5, 954230); - round!(6, 531354); - round!(7, 811944); - round!(8, 3699596); - round!(9, -1600420); - round!(10, -2140649); - round!(11, 3507263); - round!(12, -3821735); - round!(13, 3505694); - round!(14, -1643818); - round!(15, -1699267); - round!(16, -539299); - round!(17, 2348700); - round!(18, -300467); - round!(19, 3539968); - round!(20, -2867647); - round!(21, 3574422); - round!(22, -3043716); - round!(23, -3861115); - round!(24, 3915439); - round!(25, -2537516); - round!(26, -3592148); - round!(27, -1661693); - round!(28, 3530437); - round!(29, 3077325); - round!(30, 95776); - 
round!(31, 2706023); + round(re, 0, -2797779); + round(re, 1, 2071892); + round(re, 2, -2556880); + round(re, 3, 3900724); + round(re, 4, 3881043); + round(re, 5, 954230); + round(re, 6, 531354); + round(re, 7, 811944); + round(re, 8, 3699596); + round(re, 9, -1600420); + round(re, 10, -2140649); + round(re, 11, 3507263); + round(re, 12, -3821735); + round(re, 13, 3505694); + round(re, 14, -1643818); + round(re, 15, -1699267); + round(re, 16, -539299); + round(re, 17, 2348700); + round(re, 18, -300467); + round(re, 19, 3539968); + round(re, 20, -2867647); + round(re, 21, 3574422); + round(re, 22, -3043716); + round(re, 23, -3861115); + round(re, 24, 3915439); + round(re, 25, -2537516); + round(re, 26, -3592148); + round(re, 27, -1661693); + round(re, 28, 3530437); + round(re, 29, 3077325); + round(re, 30, 95776); + round(re, 31, 2706023); } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs index 732d6ba55..8ae3c9d68 100644 --- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs 
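Review bot: The commented-out `// macro_rules! round { ... // }` block that the new `invert_ntt_at_layer_0` keeps between the nested `fn round` and the first `round(re, 0, ...)` call is dead text; the removed lines already record the old macro in history, so the comment block should be deleted. The nested `round` in `invert_ntt_at_layer_2` is also the only one of the three helpers in this hunk without `#[inline(always)]`, unlike its siblings in layers 0 and 1; `#[inline(always)] fn round(re: &mut PolynomialRingElement, index: usize, zeta: i32) {` keeps the three consistent and avoids the compiler treating one layer differently from the others.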
@@ -125,41 +125,83 @@ pub(super) unsafe fn invert_ntt_at_layer_0( #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn ntt_at_layer_0(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { - macro_rules! round { - ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal, $zeta_4:literal, $zeta_5:literal, $zeta_6:literal, $zeta_7:literal) => { - let (a, b) = butterfly_2( - re[$i], - re[$i + 1], - $zeta_0, - $zeta_1, - $zeta_2, - $zeta_3, - $zeta_4, - $zeta_5, - $zeta_6, - $zeta_7, - ); - re[$i] = a; - re[$i + 1] = b; - }; + #[inline(always)] + fn round( + re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, + zeta_0: i32, + zeta_1: i32, + zeta_2: i32, + zeta_3: i32, + zeta_4: i32, + zeta_5: i32, + zeta_6: i32, + zeta_7: i32, + ) { + let (a, b) = butterfly_2( + re[index], + re[index + 1], + zeta_0, + zeta_1, + zeta_2, + zeta_3, + zeta_4, + zeta_5, + zeta_6, + zeta_7, + ); + re[index] = a; + re[index + 1] = b; } - round!(0, 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462); - round!(2, 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226, -3193378); - round!(4, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500); - round!(6, -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838); - round!(8, 342297, 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044); - round!(10, 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974); - round!(12, -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970); - round!(14, -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, -1962642); - round!(16, -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031); - round!(18, -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993); - round!(20, -2013608, 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385); - round!(22, -3183426, 162844, 1616392, 3014001, 
810149, 1652634, -3694233, -1799107); - round!(24, -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 472078); - round!(26, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893); - round!(28, -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687); - round!(30, -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782); + round( + re, 0, 2091667, 3407706, 2316500, 3817976, -3342478, 2244091, -2446433, -3562462, + ); + round( + re, 2, 266997, 2434439, -1235728, 3513181, -3520352, -3759364, -1197226, -3193378, + ); + round( + re, 4, 900702, 1859098, 909542, 819034, 495491, -1613174, -43260, -522500, + ); + round( + re, 6, -655327, -3122442, 2031748, 3207046, -3556995, -525098, -768622, -3595838, + ); + round( + re, 8, 342297, 286988, -2437823, 4108315, 3437287, -3342277, 1735879, 203044, + ); + round( + re, 10, 2842341, 2691481, -2590150, 1265009, 4055324, 1247620, 2486353, 1595974, + ); + round( + re, 12, -3767016, 1250494, 2635921, -3548272, -2994039, 1869119, 1903435, -1050970, + ); + round( + re, 14, -1333058, 1237275, -3318210, -1430225, -451100, 1312455, 3306115, -1962642, + ); + round( + re, 16, -1279661, 1917081, -2546312, -1374803, 1500165, 777191, 2235880, 3406031, + ); + round( + re, 18, -542412, -2831860, -1671176, -1846953, -2584293, -3724270, 594136, -3776993, + ); + round( + re, 20, -2013608, 2432395, 2454455, -164721, 1957272, 3369112, 185531, -1207385, + ); + round( + re, 22, -3183426, 162844, 1616392, 3014001, 810149, 1652634, -3694233, -1799107, + ); + round( + re, 24, -3038916, 3523897, 3866901, 269760, 2213111, -975884, 1717735, 472078, + ); + round( + re, 26, -426683, 1723600, -1803090, 1910376, -1667432, -1104333, -260646, -3833893, + ); + round( + re, 28, -2939036, -2235985, -420899, -2286327, 183443, -976891, 1612842, -3545687, + ); + round( + re, 30, -554416, 3919660, -48306, -1362209, 3937738, 1400424, -846154, 1976782, + ); } #[cfg_attr(not(hax), target_feature(enable = 
"avx2"))] 
@@ -181,30 +223,36 @@ pub(super) unsafe fn invert_ntt_at_layer_1(simd_unit: Vec256, zeta0: i32, zeta1: #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn ntt_at_layer_1(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { - macro_rules! round { - ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => { - let (a, b) = butterfly_4(re[$i], re[$i + 1], $zeta_0, $zeta_1, $zeta_2, $zeta_3); - re[$i] = a; - re[$i + 1] = b; - }; + #[inline(always)] + fn round( + re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, + zeta_0: i32, + zeta_1: i32, + zeta_2: i32, + zeta_3: i32, + ) { + let (a, b) = butterfly_4(re[index], re[index + 1], zeta_0, zeta_1, zeta_2, zeta_3); + re[index] = a; + re[index + 1] = b; } - round!(0, -3930395, -1528703, -3677745, -3041255); - round!(2, -1452451, 3475950, 2176455, -1585221); - round!(4, -1257611, 1939314, -4083598, -1000202); - round!(6, -3190144, -3157330, -3632928, 126922); - round!(8, 3412210, -983419, 2147896, 2715295); - round!(10, -2967645, -3693493, -411027, -2477047); - round!(12, -671102, -1228525, -22981, -1308169); - round!(14, -381987, 1349076, 1852771, -1430430); - round!(16, -3343383, 264944, 508951, 3097992); - round!(18, 44288, -1100098, 904516, 3958618); - round!(20, -3724342, -8578, 1653064, -3249728); - round!(22, 2389356, -210977, 759969, -1316856); - round!(24, 189548, -3553272, 3159746, -1851402); - round!(26, -2409325, -177440, 1315589, 1341330); - round!(28, 1285669, -1584928, -812732, -1439742); - round!(30, -3019102, -3881060, -3628969, 3839961); + round(re, 0, -3930395, -1528703, -3677745, -3041255); + round(re, 2, -1452451, 3475950, 2176455, -1585221); + round(re, 4, -1257611, 1939314, -4083598, -1000202); + round(re, 6, -3190144, -3157330, -3632928, 126922); + round(re, 8, 3412210, -983419, 2147896, 2715295); + round(re, 10, -2967645, -3693493, -411027, -2477047); + round(re, 12, -671102, -1228525, -22981, -1308169); + round(re, 14, -381987, 
1349076, 1852771, -1430430); + round(re, 16, -3343383, 264944, 508951, 3097992); + round(re, 18, 44288, -1100098, 904516, 3958618); + round(re, 20, -3724342, -8578, 1653064, -3249728); + round(re, 22, 2389356, -210977, 759969, -1316856); + round(re, 24, 189548, -3553272, 3159746, -1851402); + round(re, 26, -2409325, -177440, 1315589, 1341330); + round(re, 28, 1285669, -1584928, -812732, -1439742); + round(re, 30, -3019102, -3881060, -3628969, 3839961); } #[cfg_attr(not(hax), target_feature(enable = "avx2"))] 
@@ -226,30 +274,34 @@ pub(super) unsafe fn invert_ntt_at_layer_2(simd_unit: Vec256, zeta: i32) -> Vec2 #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn ntt_at_layer_2(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { - macro_rules! round { - ($round:literal, $zeta_0:literal, $zeta_1:literal) => { - let (a, b) = butterfly_8(re[$round], re[$round + 1], $zeta_0, $zeta_1); - re[$round] = a; - re[$round + 1] = b; - }; + #[inline(always)] + fn round( + re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, + zeta_0: i32, + zeta_1: i32, + ) { + let (a, b) = butterfly_8(re[index], re[index + 1], zeta_0, zeta_1); + re[index] = a; + re[index + 1] = b; } - round!(0, 2706023, 95776); - round!(2, 3077325, 3530437); - round!(4, -1661693, -3592148); - round!(6, -2537516, 3915439); - round!(8, -3861115, -3043716); - round!(10, 3574422, -2867647); - round!(12, 3539968, -300467); - round!(14, 2348700, -539299); - round!(16, -1699267, -1643818); - round!(18, 3505694, -3821735); - round!(20, 3507263, -2140649); - round!(22, -1600420, 3699596); - round!(24, 811944, 531354); - round!(26, 954230, 3881043); - round!(28, 3900724, -2556880); - round!(30, 2071892, -2797779); + round(re, 0, 2706023, 95776); + round(re, 2, 3077325, 3530437); + round(re, 4, -1661693, -3592148); + round(re, 6, -2537516, 3915439); + round(re, 8, -3861115, -3043716); + round(re, 10, 3574422, -2867647); + round(re, 12, 3539968, -300467); + round(re, 14, 2348700, -539299); + round(re, 16, -1699267, -1643818); + round(re, 18, 3505694, -3821735); + round(re, 20, 3507263, -2140649); + round(re, 22, -1600420, 3699596); + round(re, 24, 811944, 531354); + round(re, 26, 954230, 3881043); + round(re, 28, 3900724, -2556880); + round(re, 30, 2071892, -2797779); } /// This is equivalent to the pqclean 0 and 1 
@@ -263,35 +315,69 @@ unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { let inverse_of_modulus_mod_montgomery_r = mm256_set1_epi32(crate::simd::traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32); - macro_rules! mul { - ($i:expr, $zeta:expr, $step_by:expr) => { - let prod02 = mm256_mul_epi32(re[$i + $step_by], $zeta); - let prod13 = mm256_mul_epi32( - mm256_shuffle_epi32::<0b11_11_01_01>(re[$i + $step_by]), // 0xF5 - mm256_shuffle_epi32::<0b11_11_01_01>($zeta), // 0xF5 - ); - let k02 = mm256_mul_epi32(prod02, inverse_of_modulus_mod_montgomery_r); - let k13 = mm256_mul_epi32(prod13, inverse_of_modulus_mod_montgomery_r); - - let c02 = mm256_mul_epi32(k02, field_modulus); - let c13 = mm256_mul_epi32(k13, field_modulus); - - let res02 = mm256_sub_epi32(prod02, c02); - let res13 = mm256_sub_epi32(prod13, c13); - let res02_shifted = mm256_shuffle_epi32::<0b11_11_01_01>(res02); // 0xF5 - let t = mm256_blend_epi32::<0b10101010>(res02_shifted, res13); // 0xAA - - re[$i + $step_by] = arithmetic::subtract(re[$i], t); - re[$i] = arithmetic::add(re[$i], t); - }; + #[inline(always)] + fn mul( + re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, + zeta: Vec256, + step_by: usize, + field_modulus: Vec256, + inverse_of_modulus_mod_montgomery_r: Vec256, + ) { + let prod02 = mm256_mul_epi32(re[index + step_by], zeta); + let prod13 = mm256_mul_epi32( + mm256_shuffle_epi32::<0b11_11_01_01>(re[index + step_by]), // 0xF5 + mm256_shuffle_epi32::<0b11_11_01_01>(zeta), // 0xF5 + ); + let k02 = mm256_mul_epi32(prod02, inverse_of_modulus_mod_montgomery_r); + let k13 = mm256_mul_epi32(prod13, inverse_of_modulus_mod_montgomery_r); + + let c02 = mm256_mul_epi32(k02, field_modulus); + let c13 = mm256_mul_epi32(k13, field_modulus); + + let res02 = mm256_sub_epi32(prod02, c02); + let res13 = mm256_sub_epi32(prod13, c13); + let res02_shifted = mm256_shuffle_epi32::<0b11_11_01_01>(res02); // 0xF5 + let t = mm256_blend_epi32::<0b10101010>(res02_shifted, res13); 
// 0xAA + + re[index + step_by] = arithmetic::subtract(re[index], t); + re[index] = arithmetic::add(re[index], t); } macro_rules! layer { ($start:literal, $zeta:expr, $step_by:expr) => {{ - mul!($start, $zeta, $step_by); - mul!($start + 1, $zeta, $step_by); - mul!($start + 2, $zeta, $step_by); - mul!($start + 3, $zeta, $step_by); + mul( + re, + $start, + $zeta, + $step_by, + field_modulus, + inverse_of_modulus_mod_montgomery_r, + ); + mul( + re, + $start + 1, + $zeta, + $step_by, + field_modulus, + inverse_of_modulus_mod_montgomery_r, + ); + mul( + re, + $start + 2, + $zeta, + $step_by, + field_modulus, + inverse_of_modulus_mod_montgomery_r, + ); + mul( + re, + $start + 3, + $zeta, + $step_by, + field_modulus, + inverse_of_modulus_mod_montgomery_r, + ); }}; } @@ -320,18 +406,22 @@ unsafe fn ntt_at_layer_7_and_6(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { #[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { - macro_rules! round { - ($i:literal, $zeta: literal) => { - let rhs = mm256_set1_epi32($zeta); - let offset = ($i * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT; - - for j in offset..offset + STEP_BY { - let t = arithmetic::montgomery_multiply(re[j + STEP_BY], rhs); - - re[j + STEP_BY] = arithmetic::subtract(re[j], t); - re[j] = arithmetic::add(re[j], t); - } - }; + #[inline(always)] + fn round( + re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, + zeta: i32, + ) { + let rhs = mm256_set1_epi32(zeta); + let offset = (index * STEP * 2) / COEFFICIENTS_IN_SIMD_UNIT; + + for j in offset..offset + STEP_BY { + let t = arithmetic::montgomery_multiply(re[j + STEP_BY], rhs); + + re[j + STEP_BY] = arithmetic::subtract(re[j], t); + re[j] = arithmetic::add(re[j], t); + } + () // Needed because of https://github.com/hacspec/hax/issues/720 } // Layer 5 
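Review bot: After the rewrite, `layer!` still expands to four copies of the same six-argument `mul(...)` call that differ only in `$start + k`; `for k in 0..4 { mul(re, $start + k, $zeta, $step_by, field_modulus, inverse_of_modulus_mod_montgomery_r); }` inside the macro says the same thing in three lines, assuming the hax extraction accepts a loop here as it does for the `for j in offset..offset + STEP_BY` in `ntt_at_layer_5_to_3`. The `0xF5`/`0xAA` trailing comments were carried over, but `mul` itself has no comment describing what reads as a Montgomery reduction of `re[index + step_by] * zeta` followed by an add/sub butterfly with `re[index]`; a doc comment such as `/// Montgomery-multiplies re[index + step_by] by zeta, then butterflies the result with re[index] in place.` would help the next reader.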
@@ -343,10 +433,10 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { const STEP: usize = 1 << 5; const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT; - round!(0, 237124); - round!(1, -777960); - round!(2, -876248); - round!(3, 466468); + round::(re, 0, 237124); + round::(re, 1, -777960); + round::(re, 2, -876248); + round::(re, 3, 466468); } // Layer 4 @@ -362,14 +452,14 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { const STEP: usize = 1 << 4; const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT; - round!(0, 1826347); - round!(1, 2353451); - round!(2, -359251); - round!(3, -2091905); - round!(4, 3119733); - round!(5, -2884855); - round!(6, 3111497); - round!(7, 2680103); + round::(re, 0, 1826347); + round::(re, 1, 2353451); + round::(re, 2, -359251); + round::(re, 3, -2091905); + round::(re, 4, 3119733); + round::(re, 5, -2884855); + round::(re, 6, 3111497); + round::(re, 7, 2680103); } // Layer 3 @@ -378,22 +468,22 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { const STEP: usize = 1 << 3; const STEP_BY: usize = STEP / COEFFICIENTS_IN_SIMD_UNIT; - round!(0, 2725464); - round!(1, 1024112); - round!(2, -1079900); - round!(3, 3585928); - round!(4, -549488); - round!(5, -1119584); - round!(6, 2619752); - round!(7, -2108549); - round!(8, -2118186); - round!(9, -3859737); - round!(10, -1399561); - round!(11, -3277672); - round!(12, 1757237); - round!(13, -19422); - round!(14, 4010497); - round!(15, 280005); + round::(re, 0, 2725464); + round::(re, 1, 1024112); + round::(re, 2, -1079900); + round::(re, 3, 3585928); + round::(re, 4, -549488); + round::(re, 5, -1119584); + round::(re, 6, 2619752); + round::(re, 7, -2108549); + round::(re, 8, -2118186); + round::(re, 9, -3859737); + round::(re, 10, -1399561); + round::(re, 11, -3277672); + round::(re, 12, 1757237); + round::(re, 13, -19422); + round::(re, 14, 4010497); + round::(re, 15, 280005); } () } 
diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs index 11bfab4d2..b074ceffb 100644 --- a/libcrux-ml-dsa/src/simd/portable/ntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs 
@@ -152,128 +152,137 @@ pub fn invert_ntt_at_layer_2(mut simd_unit: PortableSIMDUnit, zeta: i32) -> Port #[inline(always)] fn ntt_at_layer_0(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { - macro_rules! round { - ($i:literal, $zeta_0:literal, $zeta_1:literal, $zeta_2:literal, $zeta_3:literal) => { - re[$i] = simd_unit_ntt_at_layer_0(re[$i], $zeta_0, $zeta_1, $zeta_2, $zeta_3); - }; + #[inline(always)] + fn round( + re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, + zeta_0: i32, + zeta_1: i32, + zeta_2: i32, + zeta_3: i32, + ) { + re[index] = simd_unit_ntt_at_layer_0(re[index], zeta_0, zeta_1, zeta_2, zeta_3); } - round!(0, 2091667, 3407706, 2316500, 3817976); - round!(1, -3342478, 2244091, -2446433, -3562462); - round!(2, 266997, 2434439, -1235728, 3513181); - round!(3, -3520352, -3759364, -1197226, -3193378); - round!(4, 900702, 1859098, 909542, 819034); - round!(5, 495491, -1613174, -43260, -522500); - round!(6, -655327, -3122442, 2031748, 3207046); - round!(7, -3556995, -525098, -768622, -3595838); - round!(8, 342297, 286988, -2437823, 4108315); - round!(9, 3437287, -3342277, 1735879, 203044); - round!(10, 2842341, 2691481, -2590150, 1265009); - round!(11, 4055324, 1247620, 2486353, 1595974); - round!(12, -3767016, 1250494, 2635921, -3548272); - round!(13, -2994039, 1869119, 1903435, -1050970); - round!(14, -1333058, 1237275, -3318210, -1430225); - round!(15, -451100, 1312455, 3306115, -1962642); - round!(16, -1279661, 1917081, -2546312, -1374803); - round!(17, 1500165, 777191, 2235880, 3406031); - round!(18, -542412, -2831860, -1671176, -1846953); - round!(19, -2584293, -3724270, 594136, -3776993); - round!(20, -2013608, 2432395, 2454455, -164721); - round!(21, 1957272, 3369112, 185531, -1207385); - round!(22, -3183426, 162844, 1616392, 3014001); - round!(23, 810149, 1652634, -3694233, -1799107); - round!(24, -3038916, 3523897, 3866901, 269760); - round!(25, 2213111, -975884, 1717735, 472078); - round!(26, -426683, 1723600, 
-1803090, 1910376); - round!(27, -1667432, -1104333, -260646, -3833893); - round!(28, -2939036, -2235985, -420899, -2286327); - round!(29, 183443, -976891, 1612842, -3545687); - round!(30, -554416, 3919660, -48306, -1362209); - round!(31, 3937738, 1400424, -846154, 1976782); + round(re, 0, 2091667, 3407706, 2316500, 3817976); + round(re, 1, -3342478, 2244091, -2446433, -3562462); + round(re, 2, 266997, 2434439, -1235728, 3513181); + round(re, 3, -3520352, -3759364, -1197226, -3193378); + round(re, 4, 900702, 1859098, 909542, 819034); + round(re, 5, 495491, -1613174, -43260, -522500); + round(re, 6, -655327, -3122442, 2031748, 3207046); + round(re, 7, -3556995, -525098, -768622, -3595838); + round(re, 8, 342297, 286988, -2437823, 4108315); + round(re, 9, 3437287, -3342277, 1735879, 203044); + round(re, 10, 2842341, 2691481, -2590150, 1265009); + round(re, 11, 4055324, 1247620, 2486353, 1595974); + round(re, 12, -3767016, 1250494, 2635921, -3548272); + round(re, 13, -2994039, 1869119, 1903435, -1050970); + round(re, 14, -1333058, 1237275, -3318210, -1430225); + round(re, 15, -451100, 1312455, 3306115, -1962642); + round(re, 16, -1279661, 1917081, -2546312, -1374803); + round(re, 17, 1500165, 777191, 2235880, 3406031); + round(re, 18, -542412, -2831860, -1671176, -1846953); + round(re, 19, -2584293, -3724270, 594136, -3776993); + round(re, 20, -2013608, 2432395, 2454455, -164721); + round(re, 21, 1957272, 3369112, 185531, -1207385); + round(re, 22, -3183426, 162844, 1616392, 3014001); + round(re, 23, 810149, 1652634, -3694233, -1799107); + round(re, 24, -3038916, 3523897, 3866901, 269760); + round(re, 25, 2213111, -975884, 1717735, 472078); + round(re, 26, -426683, 1723600, -1803090, 1910376); + round(re, 27, -1667432, -1104333, -260646, -3833893); + round(re, 28, -2939036, -2235985, -420899, -2286327); + round(re, 29, 183443, -976891, 1612842, -3545687); + round(re, 30, -554416, 3919660, -48306, -1362209); + round(re, 31, 3937738, 1400424, -846154, 1976782); } 
#[inline(always)] fn ntt_at_layer_1(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { - macro_rules! round { - ($i:literal, $zeta_0:literal, $zeta_1:literal) => { - re[$i] = simd_unit_ntt_at_layer_1(re[$i], $zeta_0, $zeta_1); - }; + #[inline(always)] + fn round( + re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], + index: usize, + zeta_0: i32, + zeta_1: i32, + ) { + re[index] = simd_unit_ntt_at_layer_1(re[index], zeta_0, zeta_1); } - round!(0, -3930395, -1528703); - round!(1, -3677745, -3041255); - round!(2, -1452451, 3475950); - round!(3, 2176455, -1585221); - round!(4, -1257611, 1939314); - round!(5, -4083598, -1000202); - round!(6, -3190144, -3157330); - round!(7, -3632928, 126922); - round!(8, 3412210, -983419); - round!(9, 2147896, 2715295); - round!(10, -2967645, -3693493); - round!(11, -411027, -2477047); - round!(12, -671102, -1228525); - round!(13, -22981, -1308169); - round!(14, -381987, 1349076); - round!(15, 1852771, -1430430); - round!(16, -3343383, 264944); - round!(17, 508951, 3097992); - round!(18, 44288, -1100098); - round!(19, 904516, 3958618); - round!(20, -3724342, -8578); - round!(21, 1653064, -3249728); - round!(22, 2389356, -210977); - round!(23, 759969, -1316856); - round!(24, 189548, -3553272); - round!(25, 3159746, -1851402); - round!(26, -2409325, -177440); - round!(27, 1315589, 1341330); - round!(28, 1285669, -1584928); - round!(29, -812732, -1439742); - round!(30, -3019102, -3881060); - round!(31, -3628969, 3839961); + round(re, 0, -3930395, -1528703); + round(re, 1, -3677745, -3041255); + round(re, 2, -1452451, 3475950); + round(re, 3, 2176455, -1585221); + round(re, 4, -1257611, 1939314); + round(re, 5, -4083598, -1000202); + round(re, 6, -3190144, -3157330); + round(re, 7, -3632928, 126922); + round(re, 8, 3412210, -983419); + round(re, 9, 2147896, 2715295); + round(re, 10, -2967645, -3693493); + round(re, 11, -411027, -2477047); + round(re, 12, -671102, -1228525); + round(re, 13, -22981, -1308169); + round(re, 14, 
-381987, 1349076); + round(re, 15, 1852771, -1430430); + round(re, 16, -3343383, 264944); + round(re, 17, 508951, 3097992); + round(re, 18, 44288, -1100098); + round(re, 19, 904516, 3958618); + round(re, 20, -3724342, -8578); + round(re, 21, 1653064, -3249728); + round(re, 22, 2389356, -210977); + round(re, 23, 759969, -1316856); + round(re, 24, 189548, -3553272); + round(re, 25, 3159746, -1851402); + round(re, 26, -2409325, -177440); + round(re, 27, 1315589, 1341330); + round(re, 28, 1285669, -1584928); + round(re, 29, -812732, -1439742); + round(re, 30, -3019102, -3881060); + round(re, 31, -3628969, 3839961); } #[inline(always)] fn ntt_at_layer_2(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { - macro_rules! round { - ($i:literal, $zeta:literal) => { - re[$i] = simd_unit_ntt_at_layer_2(re[$i], $zeta); - }; + #[inline(always)] + fn round(re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT], index: usize, zeta: i32) { + re[index] = simd_unit_ntt_at_layer_2(re[index], zeta); } - round!(0, 2706023); - round!(1, 95776); - round!(2, 3077325); - round!(3, 3530437); - round!(4, -1661693); - round!(5, -3592148); - round!(6, -2537516); - round!(7, 3915439); - round!(8, -3861115); - round!(9, -3043716); - round!(10, 3574422); - round!(11, -2867647); - round!(12, 3539968); - round!(13, -300467); - round!(14, 2348700); - round!(15, -539299); - round!(16, -1699267); - round!(17, -1643818); - round!(18, 3505694); - round!(19, -3821735); - round!(20, 3507263); - round!(21, -2140649); - round!(22, -1600420); - round!(23, 3699596); - round!(24, 811944); - round!(25, 531354); - round!(26, 954230); - round!(27, 3881043); - round!(28, 3900724); - round!(29, -2556880); - round!(30, 2071892); - round!(31, -2797779); + round(re, 0, 2706023); + round(re, 1, 95776); + round(re, 2, 3077325); + round(re, 3, 3530437); + round(re, 4, -1661693); + round(re, 5, -3592148); + round(re, 6, -2537516); + round(re, 7, 3915439); + round(re, 8, -3861115); + round(re, 9, -3043716); + 
round(re, 10, 3574422); + round(re, 11, -2867647); + round(re, 12, 3539968); + round(re, 13, -300467); + round(re, 14, 2348700); + round(re, 15, -539299); + round(re, 16, -1699267); + round(re, 17, -1643818); + round(re, 18, 3505694); + round(re, 19, -3821735); + round(re, 20, 3507263); + round(re, 21, -2140649); + round(re, 22, -1600420); + round(re, 23, 3699596); + round(re, 24, 811944); + round(re, 25, 531354); + round(re, 26, 954230); + round(re, 27, 3881043); + round(re, 28, 3900724); + round(re, 29, -2556880); + round(re, 30, 2071892); + round(re, 31, -2797779); } #[inline(always)] From 8f41090fdc368a2b2b091d7faa3b40ede05dc390 Mon Sep 17 00:00:00 2001 From: Franziskus Kiefer Date: Fri, 8 Nov 2024 07:44:04 +0000 Subject: [PATCH 67/74] Revert "SHA-3 AVX2 target feature" This reverts commit 0703c5ba349bf587e1cfb3f9628fc61693e61119. --- libcrux-ml-dsa/Cargo.toml | 2 +- libcrux-sha3/Cargo.toml | 4 +- libcrux-sha3/src/lib.rs | 55 ++++++++++++++- libcrux-sha3/src/simd/avx2.rs | 122 +++++++++++----------------------- 4 files changed, 97 insertions(+), 86 deletions(-) diff --git a/libcrux-ml-dsa/Cargo.toml b/libcrux-ml-dsa/Cargo.toml index 0949b4a9c..3358b8678 100644 --- a/libcrux-ml-dsa/Cargo.toml +++ b/libcrux-ml-dsa/Cargo.toml @@ -34,7 +34,7 @@ pqcrypto-dilithium = { version = "0.5.0" } #, default-features = false [features] simd128 = ["libcrux-sha3/simd128", "libcrux-intrinsics/simd128"] simd256 = ["libcrux-sha3/simd256", "libcrux-intrinsics/simd256"] -acvp = [] # expose internal API for ACVP testing +acvp = [] # expose internal API for ACVP testing [[bench]] name = "manual44" diff --git a/libcrux-sha3/Cargo.toml b/libcrux-sha3/Cargo.toml index 23b21b401..85ed0be95 100644 --- a/libcrux-sha3/Cargo.toml +++ b/libcrux-sha3/Cargo.toml 
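Review bot: The three nested `round` helpers introduced in this hunk (`ntt_at_layer_0`, `ntt_at_layer_1`, `ntt_at_layer_2`) carry no doc comment, so a reader has to infer from the body that `index` selects the SIMD unit updated in place and the `zeta_*` arguments are passed straight through to `simd_unit_ntt_at_layer_N`. A one-line comment on each, e.g. `/// Replaces re[index] with simd_unit_ntt_at_layer_0(re[index], zeta_0, zeta_1, zeta_2, zeta_3).`, would document the contract without restating the zeta table. The same applies to the nested helpers in the `libcrux-ml-dsa/src/ntt.rs` and `simd/avx2/ntt.rs` hunks above.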
@@ -23,8 +23,8 @@ libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics" hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" } [features] -simd128 = ["libcrux-intrinsics/simd128"] -simd256 = ["libcrux-intrinsics/simd256"] +simd128 = [] +simd256 = [] [[bench]] name = "sha3" diff --git a/libcrux-sha3/src/lib.rs b/libcrux-sha3/src/lib.rs index d48dea15f..c1395155d 100644 --- a/libcrux-sha3/src/lib.rs +++ b/libcrux-sha3/src/lib.rs @@ -3,7 +3,7 @@ //! A SHA3 implementation with optional simd optimisations. #![no_std] -#![deny(unsafe_code)] +#![forbid(unsafe_code)] #![deny(missing_docs)] pub mod simd; @@ -92,6 +92,7 @@ pub fn hash(algorithm: Algorithm, payload: &[u8]) -> [u8; LEN] pub use hash as sha3; /// SHA3 224 +#[inline(always)] pub fn sha224(data: &[u8]) -> Sha3_224Digest { let mut out = [0u8; 28]; sha224_ema(&mut out, data); @@ -102,6 +103,7 @@ pub fn sha224(data: &[u8]) -> Sha3_224Digest { /// /// Preconditions: /// - `digest.len() == 28` +#[inline(always)] pub fn sha224_ema(digest: &mut [u8], payload: &[u8]) { debug_assert!(payload.len() <= u32::MAX as usize); debug_assert!(digest.len() == 28); @@ -110,6 +112,7 @@ pub fn sha224_ema(digest: &mut [u8], payload: &[u8]) { } /// SHA3 256 +#[inline(always)] pub fn sha256(data: &[u8]) -> Sha3_256Digest { let mut out = [0u8; 32]; sha256_ema(&mut out, data); @@ -117,6 +120,7 @@ pub fn sha256(data: &[u8]) -> Sha3_256Digest { } /// SHA3 256 +#[inline(always)] pub fn sha256_ema(digest: &mut [u8], payload: &[u8]) { debug_assert!(payload.len() <= u32::MAX as usize); debug_assert!(digest.len() == 32); @@ -125,6 +129,7 @@ pub fn sha256_ema(digest: &mut [u8], payload: &[u8]) { } /// SHA3 384 +#[inline(always)] pub fn sha384(data: &[u8]) -> Sha3_384Digest { let mut out = [0u8; 48]; sha384_ema(&mut out, data); 
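Review bot: `simd128 = []` and `simd256 = []` no longer forward to `libcrux-intrinsics/simd128` / `simd256`, so a downstream crate that enables only `libcrux-sha3/simd256` gets the `avx2` module compiled against an intrinsics crate whose own SIMD feature is off. libcrux-ml-dsa's Cargo.toml in the same patch enables both features explicitly, which masks the question there; confirm that `libcrux-intrinsics` builds its `avx2` (and the matching NEON) path without the feature, or keep the forwarding, `simd128 = ["libcrux-intrinsics/simd128"]` and `simd256 = ["libcrux-intrinsics/simd256"]`. If the intent is that every consumer enables the intrinsics feature itself, a comment on the `[features]` table saying so would save the next reader the same question.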
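Review bot: `#![forbid(unsafe_code)]` turns every remaining `#[allow(unsafe_code)]` in the crate into a hard compile error rather than a lint override, so the `simd/avx2.rs` hunks of this patch that drop those attributes are required by this line and the two must land together. The NEON (`simd128`) backend is not in this diff; if it still carries an `#[allow(unsafe_code)]` anywhere, a `--features simd128` build will stop compiling. A one-line comment above the attribute would record the policy for the next maintainer, e.g. `// Crate-wide: no unsafe; SIMD goes through the safe wrappers in libcrux-intrinsics.`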
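Review bot: `#[inline(always)]` on the exported API (`sha224`, `sha224_ema`, `sha256`, … through `shake256_ema`) forces a copy of each body into every downstream call site; for a thin wrapper that allocates an output array and calls `portable::*`, plain `#[inline]` is the conventional cross-crate hint and leaves the decision to the optimizer. `always` is justified on the SIMD kernels, where the intrinsics must fold into a single function, which is what `simd/avx2.rs` does in this patch. The same point applies to every later `+#[inline(always)]` hunk in `libcrux-sha3/src/lib.rs`, including the `portable`, `neon` and `avx2` module entry points.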
@@ -132,6 +137,7 @@ pub fn sha384(data: &[u8]) -> Sha3_384Digest { } /// SHA3 384 +#[inline(always)] pub fn sha384_ema(digest: &mut [u8], payload: &[u8]) { debug_assert!(payload.len() <= u32::MAX as usize); debug_assert!(digest.len() == 48); @@ -140,6 +146,7 @@ pub fn sha384_ema(digest: &mut [u8], payload: &[u8]) { } /// SHA3 512 +#[inline(always)] pub fn sha512(data: &[u8]) -> Sha3_512Digest { let mut out = [0u8; 64]; sha512_ema(&mut out, data); @@ -147,6 +154,7 @@ pub fn sha512(data: &[u8]) -> Sha3_512Digest { } /// SHA3 512 +#[inline(always)] pub fn sha512_ema(digest: &mut [u8], payload: &[u8]) { debug_assert!(payload.len() <= u32::MAX as usize); debug_assert!(digest.len() == 64); @@ -158,6 +166,7 @@ pub fn sha512_ema(digest: &mut [u8], payload: &[u8]) { /// /// Note that the output length `BYTES` must fit into 32 bit. If it is longer, /// the output will only return `u32::MAX` bytes. +#[inline(always)] pub fn shake128(data: &[u8]) -> [u8; BYTES] { let mut out = [0u8; BYTES]; portable::shake128(&mut out, data); @@ -167,6 +176,7 @@ pub fn shake128(data: &[u8]) -> [u8; BYTES] { /// SHAKE 128 /// /// Writes `out.len()` bytes. +#[inline(always)] pub fn shake128_ema(out: &mut [u8], data: &[u8]) { portable::shake128(out, data); } @@ -175,6 +185,7 @@ pub fn shake128_ema(out: &mut [u8], data: &[u8]) { /// /// Note that the output length `BYTES` must fit into 32 bit. If it is longer, /// the output will only return `u32::MAX` bytes. +#[inline(always)] pub fn shake256(data: &[u8]) -> [u8; BYTES] { let mut out = [0u8; BYTES]; portable::shake256(&mut out, data); @@ -184,6 +195,7 @@ pub fn shake256(data: &[u8]) -> [u8; BYTES] { /// SHAKE 256 /// /// Writes `out.len()` bytes. +#[inline(always)] pub fn shake256_ema(out: &mut [u8], data: &[u8]) { portable::shake256(out, data); } 
@@ -209,31 +221,37 @@ pub mod portable { } /// A portable SHA3 224 implementation. + #[inline(always)] pub fn sha224(digest: &mut [u8], data: &[u8]) { keccakx1::<144, 0x06u8>([data], [digest]); } /// A portable SHA3 256 implementation. + #[inline(always)] pub fn sha256(digest: &mut [u8], data: &[u8]) { keccakx1::<136, 0x06u8>([data], [digest]); } /// A portable SHA3 384 implementation. + #[inline(always)] pub fn sha384(digest: &mut [u8], data: &[u8]) { keccakx1::<104, 0x06u8>([data], [digest]); } /// A portable SHA3 512 implementation. + #[inline(always)] pub fn sha512(digest: &mut [u8], data: &[u8]) { keccakx1::<72, 0x06u8>([data], [digest]); } /// A portable SHAKE128 implementation. + #[inline(always)] pub fn shake128(digest: &mut [u8], data: &[u8]) { keccakx1::<168, 0x1fu8>([data], [digest]); } /// A portable SHAKE256 implementation. + #[inline(always)] pub fn shake256(digest: &mut [u8], data: &[u8]) { keccakx1::<136, 0x1fu8>([data], [digest]); } @@ -348,6 +366,7 @@ pub mod portable { } /// Create a new SHAKE-128 state object. + #[inline(always)] pub fn shake128_init() -> KeccakState { KeccakState { state: GenericState::<1, u64>::new(), 
@@ -355,26 +374,31 @@ pub mod portable { } /// Absorb + #[inline(always)] pub fn shake128_absorb_final(s: &mut KeccakState, data0: &[u8]) { absorb_final::<1, u64, 168, 0x1fu8>(&mut s.state, [data0]); } /// Squeeze three blocks + #[inline(always)] pub fn shake128_squeeze_first_three_blocks(s: &mut KeccakState, out0: &mut [u8]) { squeeze_first_three_blocks::<1, u64, 168>(&mut s.state, [out0]) } /// Squeeze five blocks + #[inline(always)] pub fn shake128_squeeze_first_five_blocks(s: &mut KeccakState, out0: &mut [u8]) { squeeze_first_five_blocks::<1, u64, 168>(&mut s.state, [out0]) } /// Squeeze another block + #[inline(always)] pub fn shake128_squeeze_next_block(s: &mut KeccakState, out0: &mut [u8]) { squeeze_next_block::<1, u64, 168>(&mut s.state, [out0]) } /// Create a new SHAKE-256 state object. + #[inline(always)] pub fn shake256_init() -> KeccakState { KeccakState { state: GenericState::<1, u64>::new(), @@ -382,16 +406,19 @@ pub mod portable { } /// Absorb some data for SHAKE-256 for the last time + #[inline(always)] pub fn shake256_absorb_final(s: &mut KeccakState, data: &[u8]) { absorb_final::<1, u64, 136, 0x1fu8>(&mut s.state, [data]); } /// Squeeze the first SHAKE-256 block + #[inline(always)] pub fn shake256_squeeze_first_block(s: &mut KeccakState, out: &mut [u8]) { squeeze_first_block::<1, u64, 136>(&mut s.state, [out]) } /// Squeeze the next SHAKE-256 block + #[inline(always)] pub fn shake256_squeeze_next_block(s: &mut KeccakState, out: &mut [u8]) { squeeze_next_block::<1, u64, 136>(&mut s.state, [out]) } @@ -417,6 +444,7 @@ pub mod neon { /// A portable SHA3 224 implementation. #[allow(unused_variables)] + #[inline(always)] pub fn sha224(digest: &mut [u8], data: &[u8]) { #[cfg(not(feature = "simd128"))] unimplemented!(); @@ -429,6 +457,7 @@ pub mod neon { /// A portable SHA3 256 implementation. #[allow(unused_variables)] + #[inline(always)] pub fn sha256(digest: &mut [u8], data: &[u8]) { #[cfg(not(feature = "simd128"))] unimplemented!(); 
@@ -441,6 +470,7 @@ pub mod neon { /// A portable SHA3 384 implementation. #[allow(unused_variables)] + #[inline(always)] pub fn sha384(digest: &mut [u8], data: &[u8]) { #[cfg(not(feature = "simd128"))] unimplemented!(); @@ -453,6 +483,7 @@ pub mod neon { /// A portable SHA3 512 implementation. #[allow(unused_variables)] + #[inline(always)] pub fn sha512(digest: &mut [u8], data: &[u8]) { #[cfg(not(feature = "simd128"))] unimplemented!(); @@ -465,6 +496,7 @@ pub mod neon { /// A portable SHAKE128 implementation. #[allow(unused_variables)] + #[inline(always)] pub fn shake128(digest: &mut [u8; LEN], data: &[u8]) { #[cfg(not(feature = "simd128"))] unimplemented!(); @@ -477,6 +509,7 @@ pub mod neon { /// A portable SHAKE256 implementation. #[allow(unused_variables)] + #[inline(always)] pub fn shake256(digest: &mut [u8; LEN], data: &[u8]) { #[cfg(not(feature = "simd128"))] unimplemented!(); @@ -496,6 +529,7 @@ pub mod neon { /// /// Writes the two results into `out0` and `out1` #[allow(unused_variables)] + #[inline(always)] pub fn shake256(input0: &[u8], input1: &[u8], out0: &mut [u8], out1: &mut [u8]) { // TODO: make argument ordering consistent #[cfg(not(feature = "simd128"))] @@ -562,6 +596,7 @@ pub mod neon { } /// Initialise the `KeccakState2`. + #[inline(always)] pub fn init() -> KeccakState { #[cfg(not(feature = "simd128"))] unimplemented!(); @@ -579,6 +614,7 @@ pub mod neon { } /// Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`. + #[inline(always)] #[allow(unused_variables)] pub fn shake128_absorb_final(s: &mut KeccakState, data0: &[u8], data1: &[u8]) { #[cfg(not(feature = "simd128"))] @@ -598,6 +634,7 @@ pub mod neon { } /// Shake256 absorb `data0` and `data1` in the [`KeccakState`] `s`. + #[inline(always)] #[allow(unused_variables)] pub fn shake256_absorb_final(s: &mut KeccakState, data0: &[u8], data1: &[u8]) { #[cfg(not(feature = "simd128"))] 
@@ -647,6 +684,7 @@ pub mod neon { /// Squeeze 2 times the first three blocks in parallel in the /// [`KeccakState`] and return the output in `out0` and `out1`. #[allow(unused_variables)] + #[inline(always)] pub fn shake128_squeeze_first_three_blocks( s: &mut KeccakState, out0: &mut [u8], @@ -670,6 +708,7 @@ pub mod neon { /// Squeeze five blocks #[allow(unused_variables)] + #[inline(always)] pub fn shake128_squeeze_first_five_blocks( s: &mut KeccakState, out0: &mut [u8], @@ -685,6 +724,7 @@ pub mod neon { } /// Squeeze block + #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake256_squeeze_first_block( s: &mut KeccakState, @@ -701,6 +741,7 @@ pub mod neon { } /// Squeeze next block + #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake256_squeeze_next_block( s: &mut KeccakState, @@ -775,6 +816,7 @@ pub mod neon { /// Squeeze 2 times the next block in parallel in the /// [`KeccakState`] and return the output in `out0` and `out1`. #[allow(unused_variables)] + #[inline(always)] pub fn shake128_squeeze_next_block( s: &mut KeccakState, out0: &mut [u8], @@ -801,6 +843,7 @@ pub mod neon { /// /// **PANICS** when `N` is not 2, 3, or 4. #[allow(unused_variables, non_snake_case)] + #[inline(always)] fn _shake128_squeezexN( state: &mut [KeccakState; 2], ) -> [[u8; LEN]; N] { @@ -864,6 +907,7 @@ pub mod avx2 { /// Perform 4 SHAKE256 operations in parallel #[allow(unused_variables, clippy::too_many_arguments)] // TODO: decide if we want to fall back here + #[inline(always)] pub fn shake256( input0: &[u8], input1: &[u8], @@ -900,6 +944,7 @@ pub mod avx2 { /// /// **PANICS** when `N` is not 2, 3, or 4. #[allow(unused_variables, non_snake_case)] + #[inline(always)] fn _shake256xN(input: &[[u8; 33]; N]) -> [[u8; LEN]; N] { debug_assert!(N == 2 || N == 3 || N == 4); let mut out = [[0u8; LEN]; N]; 
@@ -985,6 +1030,7 @@ pub mod avx2 { pub type KeccakState = [crate::portable::KeccakState; 4]; /// Initialise the [`KeccakState`]. + #[inline(always)] pub fn init() -> KeccakState { #[cfg(not(feature = "simd256"))] unimplemented!(); @@ -1011,6 +1057,7 @@ pub mod avx2 { } /// Absorb + #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake128_absorb_final( s: &mut KeccakState, @@ -1048,6 +1095,7 @@ pub mod avx2 { } /// Absorb + #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake256_absorb_final( s: &mut KeccakState, @@ -1063,6 +1111,7 @@ pub mod avx2 { } /// Squeeze block + #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake256_squeeze_first_block( s: &mut KeccakState, @@ -1078,6 +1127,7 @@ pub mod avx2 { } /// Squeeze next block + #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake256_squeeze_next_block( s: &mut KeccakState, @@ -1125,6 +1175,7 @@ pub mod avx2 { } /// Squeeze three blocks + #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake128_squeeze_first_three_blocks( s: &mut KeccakState, @@ -1165,6 +1216,7 @@ pub mod avx2 { } /// Squeeze five blocks + #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake128_squeeze_first_five_blocks( s: &mut KeccakState, @@ -1234,6 +1286,7 @@ pub mod avx2 { } /// Squeeze another block + #[inline(always)] #[allow(unused_variables)] // TODO: decide if we want to fall back here pub fn shake128_squeeze_next_block( s: &mut KeccakState, diff --git a/libcrux-sha3/src/simd/avx2.rs b/libcrux-sha3/src/simd/avx2.rs index 5ccfc10ef..07578e1d1 100644 --- a/libcrux-sha3/src/simd/avx2.rs +++ b/libcrux-sha3/src/simd/avx2.rs 
@@ -1,59 +1,46 @@ use crate::traits::internal::*; use libcrux_intrinsics::avx2::*; -#[cfg_attr(not(hax), target_feature(enable = "avx2"))] -#[allow(unsafe_code)] -unsafe fn rotate_left(x: Vec256) -> Vec256 { +#[inline(always)] +fn rotate_left(x: Vec256) -> Vec256 { debug_assert!(LEFT + RIGHT == 64); // XXX: This could be done more efficiently, if the shift values are multiples of 8. mm256_xor_si256(mm256_slli_epi64::(x), mm256_srli_epi64::(x)) } -#[cfg_attr(not(hax), target_feature(enable = "avx2"))] -#[allow(unsafe_code)] -unsafe fn _veor5q_u64(a: Vec256, b: Vec256, c: Vec256, d: Vec256, e: Vec256) -> Vec256 { +#[inline(always)] +fn _veor5q_u64(a: Vec256, b: Vec256, c: Vec256, d: Vec256, e: Vec256) -> Vec256 { let ab = mm256_xor_si256(a, b); let cd = mm256_xor_si256(c, d); let abcd = mm256_xor_si256(ab, cd); mm256_xor_si256(abcd, e) } -#[cfg_attr(not(hax), target_feature(enable = "avx2"))] -#[allow(unsafe_code)] -unsafe fn _vrax1q_u64(a: Vec256, b: Vec256) -> Vec256 { +#[inline(always)] +fn _vrax1q_u64(a: Vec256, b: Vec256) -> Vec256 { mm256_xor_si256(a, rotate_left::<1, 63>(b)) } -#[cfg_attr(not(hax), target_feature(enable = "avx2"))] -#[allow(unsafe_code)] -unsafe fn _vxarq_u64(a: Vec256, b: Vec256) -> Vec256 { +#[inline(always)] +fn _vxarq_u64(a: Vec256, b: Vec256) -> Vec256 { let ab = mm256_xor_si256(a, b); rotate_left::(ab) } -#[cfg_attr(not(hax), target_feature(enable = "avx2"))] -#[allow(unsafe_code)] -unsafe fn _vbcaxq_u64(a: Vec256, b: Vec256, c: Vec256) -> Vec256 { +#[inline(always)] +fn _vbcaxq_u64(a: Vec256, b: Vec256, c: Vec256) -> Vec256 { mm256_xor_si256(a, mm256_andnot_si256(c, b)) } -#[cfg_attr(not(hax), target_feature(enable = "avx2"))] -#[allow(unsafe_code)] -unsafe fn _veorq_n_u64(a: Vec256, c: u64) -> Vec256 { +#[inline(always)] +fn _veorq_n_u64(a: Vec256, c: u64) -> Vec256 { // Casting here is required, doesn't change the value. 
let c = mm256_set1_epi64x(c as i64); mm256_xor_si256(a, c) } -#[cfg_attr(not(hax), target_feature(enable = "avx2"))] -#[allow(unsafe_code)] -unsafe fn xor(a: Vec256, b: Vec256) -> Vec256 { - mm256_xor_si256(a, b) -} - -#[cfg_attr(not(hax), target_feature(enable = "avx2"))] -#[allow(unsafe_code)] -unsafe fn load_block(s: &mut [[Vec256; 5]; 5], blocks: [&[u8]; 4]) { +#[inline(always)] +pub(crate) fn load_block(s: &mut [[Vec256; 5]; 5], blocks: [&[u8]; 4]) { debug_assert!(RATE <= blocks[0].len() && RATE % 8 == 0 && (RATE % 32 == 8 || RATE % 32 == 16)); for i in 0..RATE / 32 { let v0 = mm256_loadu_si256_u8(&blocks[0][32 * i..32 * (i + 1)]); @@ -105,24 +92,20 @@ unsafe fn load_block(s: &mut [[Vec256; 5]; 5], blocks: [&[u8] } #[inline(always)] -#[allow(unsafe_code)] pub(crate) fn load_block_full(s: &mut [[Vec256; 5]; 5], blocks: [[u8; 200]; 4]) { - unsafe { - load_block::( - s, - [ - &blocks[0] as &[u8], - &blocks[1] as &[u8], - &blocks[2] as &[u8], - &blocks[3] as &[u8], - ], - ) - }; + load_block::( + s, + [ + &blocks[0] as &[u8], + &blocks[1] as &[u8], + &blocks[2] as &[u8], + &blocks[3] as &[u8], + ], + ); } -#[cfg_attr(not(hax), target_feature(enable = "avx2"))] -#[allow(unsafe_code)] -unsafe fn store_block(s: &[[Vec256; 5]; 5], out: [&mut [u8]; 4]) { +#[inline(always)] +pub(crate) fn store_block(s: &[[Vec256; 5]; 5], out: [&mut [u8]; 4]) { for i in 0..RATE / 32 { let v0l = mm256_permute2x128_si256::<0x20>( s[(4 * i) / 5][(4 * i) % 5], 
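Review bot: Replacing `#[cfg_attr(not(hax), target_feature(enable = "avx2"))]` + `unsafe fn` with safe `#[inline(always)] fn` moves the CPU-capability contract out of the signatures: nothing in this file now states that `rotate_left`, `_veor5q_u64`, `load_block` and the other kernels may only run on a CPU with AVX2, and an `#[inline(always)]` body calling the `mm256_*` wrappers will only have them inlined when the whole crate is built with AVX2 enabled (e.g. `-C target-feature=+avx2`), which is presumably why the feature attribute existed. The `#[cfg(not(feature = "simd256"))] unimplemented!()` guards in the public `avx2` module are a compile-time gate, not a runtime CPU check, so that check has to live in the caller. A module-level comment recording both facts would help, e.g. `// Callers must have verified AVX2 support at runtime; build with AVX2 enabled for the intrinsics below to inline.` The same applies to the `load_block_full`/`store_block` hunks that follow.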
@@ -176,19 +159,17 @@ unsafe fn store_block(s: &[[Vec256; 5]; 5], out: [&mut [u8]; } #[inline(always)] -#[allow(unsafe_code)] pub(crate) fn store_block_full(s: &[[Vec256; 5]; 5]) -> [[u8; 200]; 4] { let mut out0 = [0u8; 200]; let mut out1 = [0u8; 200]; let mut out2 = [0u8; 200]; let mut out3 = [0u8; 200]; - unsafe { store_block::(s, [&mut out0, &mut out1, &mut out2, &mut out3]) }; + store_block::(s, [&mut out0, &mut out1, &mut out2, &mut out3]); [out0, out1, out2, out3] } -#[cfg_attr(not(hax), target_feature(enable = "avx2"))] -#[allow(unsafe_code)] -unsafe fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] { +#[inline(always)] +fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] { [ &a[0][start..start + len], &a[1][start..start + len], @@ -197,9 +178,8 @@ unsafe fn slice_4(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] { ] } -#[cfg_attr(not(hax), target_feature(enable = "avx2"))] -#[allow(unsafe_code)] -unsafe fn split_at_mut_4(out: [&mut [u8]; 4], mid: usize) -> ([&mut [u8]; 4], [&mut [u8]; 4]) { +#[inline(always)] +fn split_at_mut_4(out: [&mut [u8]; 4], mid: usize) -> ([&mut [u8]; 4], [&mut [u8]; 4]) { let [out0, out1, out2, out3] = out; let (out00, out01) = out0.split_at_mut(mid); let (out10, out11) = out1.split_at_mut(mid); 
@@ -213,75 +193,53 @@ impl KeccakItem<4> for Vec256 { fn zero() -> Self { mm256_set1_epi64x(0) } - #[inline(always)] - #[allow(unsafe_code)] fn xor5(a: Self, b: Self, c: Self, d: Self, e: Self) -> Self { - unsafe { _veor5q_u64(a, b, c, d, e) } + _veor5q_u64(a, b, c, d, e) } - #[inline(always)] - #[allow(unsafe_code)] fn rotate_left1_and_xor(a: Self, b: Self) -> Self { - unsafe { _vrax1q_u64(a, b) } + _vrax1q_u64(a, b) } - #[inline(always)] - #[allow(unsafe_code)] fn xor_and_rotate(a: Self, b: Self) -> Self { - unsafe { _vxarq_u64::(a, b) } + _vxarq_u64::(a, b) } - #[inline(always)] - #[allow(unsafe_code)] fn and_not_xor(a: Self, b: Self, c: Self) -> Self { - unsafe { _vbcaxq_u64(a, b, c) } + _vbcaxq_u64(a, b, c) } - #[inline(always)] - #[allow(unsafe_code)] fn xor_constant(a: Self, c: u64) -> Self { - unsafe { _veorq_n_u64(a, c) } + _veorq_n_u64(a, c) } - #[inline(always)] - #[allow(unsafe_code)] fn xor(a: Self, b: Self) -> Self { - unsafe { xor(a, b) } + mm256_xor_si256(a, b) } - #[inline(always)] - #[allow(unsafe_code)] fn load_block(a: &mut [[Self; 5]; 5], b: [&[u8]; 4]) { - unsafe { load_block::(a, b) } + load_block::(a, b) } - #[inline(always)] - #[allow(unsafe_code)] fn store_block(a: &[[Self; 5]; 5], b: [&mut [u8]; 4]) { - unsafe { store_block::(a, b) } + store_block::(a, b) } - #[inline(always)] fn load_block_full(a: &mut [[Self; 5]; 5], b: [[u8; 200]; 4]) { load_block_full::(a, b) } - #[inline(always)] fn store_block_full(a: &[[Self; 5]; 5]) -> [[u8; 200]; 4] { store_block_full::(a) } - #[inline(always)] - #[allow(unsafe_code)] fn slice_n(a: [&[u8]; 4], start: usize, len: usize) -> [&[u8]; 4] { - unsafe { slice_4(a, start, len) } + slice_4(a, start, len) } - #[inline(always)] - #[allow(unsafe_code)] fn split_at_mut_n(a: [&mut [u8]; 4], mid: usize) -> ([&mut [u8]; 4], [&mut [u8]; 4]) { - unsafe { split_at_mut_4(a, mid) } + split_at_mut_4(a, mid) } // TODO: Do we need this, or not? cf. https://github.com/cryspen/libcrux/issues/482 
From ef381ba1570c3de62ed541eaa5ec4213b1d7cd7a Mon Sep 17 00:00:00 2001 
From: Karthikeyan Bhargavan Date: Fri, 8 Nov 2024 09:21:45 +0100 Subject: [PATCH 68/74] merged --- .github/workflows/c.yml | 11 +- .github/workflows/hax.yml | 11 +- .github/workflows/mlkem.yml | 39 +- .github/workflows/s390x.yml | 44 + .gitignore | 4 +- Cargo.lock | 56 +- Cargo.toml | 9 +- benchmarks/benches/kyber768.rs | 2 +- fstar-helpers/Makefile.base | 4 +- fstar-helpers/README.md | 5 - .../fstar-bitvec/BitVec.Equality.fst | 48 - .../fstar-bitvec/BitVec.Equality.fsti | 17 - .../BitVec.Intrinsics.Constants.fst | 264 - .../BitVec.Intrinsics.TestShuffle.fst | 203 - .../fstar-bitvec/BitVec.Intrinsics.fsti | 425 -- fstar-helpers/fstar-bitvec/BitVec.Utils.fst | 67 - fstar-helpers/fstar-bitvec/BitVecEq.fst | 12 - fstar-helpers/fstar-bitvec/BitVecEq.fsti | 293 - fstar-helpers/fstar-bitvec/MkSeq.fst | 59 - fstar-helpers/fstar-bitvec/RwLemmas.fst | 71 - fstar-helpers/fstar-bitvec/Tactics.Folds.fst | 82 - fstar-helpers/fstar-bitvec/Tactics.GetBit.fst | 66 - .../fstar-bitvec/Tactics.MachineInts.fst | 273 - fstar-helpers/fstar-bitvec/Tactics.Pow2.fst | 58 - fstar-helpers/fstar-bitvec/Tactics.Seq.fst | 123 - fstar-helpers/fstar-bitvec/Tactics.Utils.fst | 328 -- fstar-helpers/fstar-bitvec/dep.graph | 2316 -------- libcrux-intrinsics/Cargo.toml | 1 - .../Libcrux_intrinsics.Avx2_extract.fst | 1214 ---- .../Libcrux_intrinsics.Avx2_extract.fsti | 346 +- .../proofs/fstar/extraction/Makefile | 1 - libcrux-intrinsics/src/arm64_extract.rs | 9 - libcrux-intrinsics/src/avx2_extract.rs | 158 +- libcrux-ml-dsa/Cargo.toml | 10 +- libcrux-ml-dsa/hax.py | 172 + .../extraction/Libcrux_ml_dsa.Arithmetic.fst | 544 ++ .../extraction/Libcrux_ml_dsa.Arithmetic.fsti | 73 + .../extraction/Libcrux_ml_dsa.Constants.fsti | 44 + .../Libcrux_ml_dsa.Encoding.Commitment.fst | 170 + .../Libcrux_ml_dsa.Encoding.Commitment.fsti | 28 + .../Libcrux_ml_dsa.Encoding.Error.fst | 243 + .../Libcrux_ml_dsa.Encoding.Error.fsti | 40 + .../Libcrux_ml_dsa.Encoding.Gamma1.fst | 194 + 
.../Libcrux_ml_dsa.Encoding.Gamma1.fsti | 30 + .../Libcrux_ml_dsa.Encoding.Signature.fst | 348 ++ .../Libcrux_ml_dsa.Encoding.Signature.fsti | 37 + .../Libcrux_ml_dsa.Encoding.Signing_key.fst | 328 ++ .../Libcrux_ml_dsa.Encoding.Signing_key.fsti | 34 + .../extraction/Libcrux_ml_dsa.Encoding.T0.fst | 180 + .../Libcrux_ml_dsa.Encoding.T0.fsti | 36 + .../extraction/Libcrux_ml_dsa.Encoding.T1.fst | 129 + .../Libcrux_ml_dsa.Encoding.T1.fsti | 26 + ...bcrux_ml_dsa.Encoding.Verification_key.fst | 166 + ...crux_ml_dsa.Encoding.Verification_key.fsti | 29 + .../Libcrux_ml_dsa.Hash_functions.Neon.fsti | 281 + ...ibcrux_ml_dsa.Hash_functions.Portable.fsti | 377 ++ ...ibcrux_ml_dsa.Hash_functions.Shake128.fsti | 72 + ...ibcrux_ml_dsa.Hash_functions.Shake256.fsti | 106 + ...Libcrux_ml_dsa.Hash_functions.Simd256.fsti | 284 + .../extraction/Libcrux_ml_dsa.Matrix.fst | 473 ++ .../extraction/Libcrux_ml_dsa.Matrix.fsti | 90 + .../Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst | 65 + .../Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti | 58 + .../Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst | 65 + .../Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti | 58 + .../Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst | 65 + .../Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti | 58 + .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst | 65 + .../extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti | 143 + .../Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst | 65 + .../Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti | 58 + .../Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst | 65 + .../Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti | 58 + .../Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst | 65 + .../Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti | 58 + .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst | 65 + .../extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti | 143 + .../Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst | 65 + .../Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti | 58 + .../Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst | 65 + .../Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti | 58 + .../Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst | 65 + .../Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti | 58 + 
.../extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst | 65 + .../extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti | 143 + ...dsa.Ml_dsa_generic.Instantiations.Avx2.fst | 98 + ...sa.Ml_dsa_generic.Instantiations.Avx2.fsti | 79 + ...dsa.Ml_dsa_generic.Instantiations.Neon.fst | 98 + ...sa.Ml_dsa_generic.Instantiations.Neon.fsti | 79 + ...Ml_dsa_generic.Instantiations.Portable.fst | 97 + ...l_dsa_generic.Instantiations.Portable.fsti | 78 + ...rux_ml_dsa.Ml_dsa_generic.Multiplexing.fst | 163 + ...ux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti | 62 + .../Libcrux_ml_dsa.Ml_dsa_generic.fst | 958 ++++ .../Libcrux_ml_dsa.Ml_dsa_generic.fsti | 167 + .../fstar/extraction/Libcrux_ml_dsa.Ntt.fst | 407 ++ .../fstar/extraction/Libcrux_ml_dsa.Ntt.fsti | 111 + .../extraction/Libcrux_ml_dsa.Polynomial.fst | 258 + .../extraction/Libcrux_ml_dsa.Polynomial.fsti | 51 + .../extraction/Libcrux_ml_dsa.Pre_hash.fst | 30 + .../extraction/Libcrux_ml_dsa.Pre_hash.fsti | 113 + .../extraction/Libcrux_ml_dsa.Sample.fst | 1286 +++++ .../extraction/Libcrux_ml_dsa.Sample.fsti | 117 + .../extraction/Libcrux_ml_dsa.Samplex4.fst | 1295 +++++ .../extraction/Libcrux_ml_dsa.Samplex4.fsti | 121 + .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst | 267 + .../Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti | 30 + ...x_ml_dsa.Simd.Avx2.Encoding.Commitment.fst | 141 + ..._ml_dsa.Simd.Avx2.Encoding.Commitment.fsti | 7 + ...ibcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst | 229 + ...bcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti | 33 + ...bcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst | 291 + ...crux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti | 36 + .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst | 112 + .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti | 12 + .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst | 120 + .../Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti | 10 + .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fst | 345 ++ .../Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti | 39 + ...md.Avx2.Rejection_sample.Less_than_eta.fst | 137 + ...d.Avx2.Rejection_sample.Less_than_eta.fsti | 10 + 
...jection_sample.Less_than_field_modulus.fst | 138 + ...ection_sample.Less_than_field_modulus.fsti | 12 + ...md.Avx2.Rejection_sample.Shuffle_table.fst | 107 + ...d.Avx2.Rejection_sample.Shuffle_table.fsti | 140 + .../Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst | 23 + .../Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti | 22 + .../extraction/Libcrux_ml_dsa.Simd.Avx2.fsti | 636 +++ ...ibcrux_ml_dsa.Simd.Portable.Arithmetic.fst | 608 ++ ...bcrux_ml_dsa.Simd.Portable.Arithmetic.fsti | 89 + ..._dsa.Simd.Portable.Encoding.Commitment.fst | 72 + ...dsa.Simd.Portable.Encoding.Commitment.fsti | 9 + ...ux_ml_dsa.Simd.Portable.Encoding.Error.fst | 332 ++ ...x_ml_dsa.Simd.Portable.Encoding.Error.fsti | 42 + ...x_ml_dsa.Simd.Portable.Encoding.Gamma1.fst | 376 ++ ..._ml_dsa.Simd.Portable.Encoding.Gamma1.fsti | 48 + ...bcrux_ml_dsa.Simd.Portable.Encoding.T0.fst | 310 ++ ...crux_ml_dsa.Simd.Portable.Encoding.T0.fsti | 17 + ...bcrux_ml_dsa.Simd.Portable.Encoding.T1.fst | 140 + ...crux_ml_dsa.Simd.Portable.Encoding.T1.fsti | 12 + .../Libcrux_ml_dsa.Simd.Portable.Ntt.fst | 1213 ++++ .../Libcrux_ml_dsa.Simd.Portable.Ntt.fsti | 83 + .../Libcrux_ml_dsa.Simd.Portable.Sample.fst | 123 + .../Libcrux_ml_dsa.Simd.Portable.Sample.fsti | 13 + ...bcrux_ml_dsa.Simd.Portable.Vector_type.fst | 29 + ...crux_ml_dsa.Simd.Portable.Vector_type.fsti | 14 + .../Libcrux_ml_dsa.Simd.Portable.fsti | 532 ++ .../extraction/Libcrux_ml_dsa.Simd.Traits.fst | 11 + .../Libcrux_ml_dsa.Simd.Traits.fsti | 225 + .../fstar/extraction/Libcrux_ml_dsa.Types.fst | 34 + .../extraction/Libcrux_ml_dsa.Types.fsti | 77 + .../fstar/extraction/Libcrux_ml_dsa.Utils.fst | 37 + .../extraction/Libcrux_ml_dsa.Utils.fsti | 8 + .../proofs/fstar/extraction}/Makefile | 2 + .../proofs/fstar/extraction/dep.graph | 4883 +++++++++++++++++ libcrux-ml-dsa/src/arithmetic.rs | 2 +- libcrux-ml-dsa/src/encoding/signature.rs | 4 +- libcrux-ml-dsa/src/hash_functions.rs | 685 ++- libcrux-ml-dsa/src/lib.rs | 5 +- libcrux-ml-dsa/src/ml_dsa_generic.rs | 93 +- 
.../src/ml_dsa_generic/instantiations.rs | 2 +- libcrux-ml-dsa/src/ntt.rs | 3 + libcrux-ml-dsa/src/polynomial.rs | 2 +- libcrux-ml-dsa/src/pre_hash.rs | 4 +- libcrux-ml-dsa/src/sample.rs | 10 +- libcrux-ml-dsa/src/samplex4.rs | 225 +- libcrux-ml-dsa/src/simd.rs | 3 + libcrux-ml-dsa/src/simd/avx2.rs | 22 +- libcrux-ml-dsa/src/simd/avx2/ntt.rs | 3 + libcrux-ml-dsa/src/simd/avx2/vector_type.rs | 25 + libcrux-ml-dsa/src/simd/portable.rs | 20 +- .../src/simd/portable/arithmetic.rs | 50 +- .../src/simd/portable/encoding/commitment.rs | 2 +- .../src/simd/portable/encoding/error.rs | 6 +- .../src/simd/portable/encoding/gamma1.rs | 74 +- .../src/simd/portable/encoding/t0.rs | 99 +- .../src/simd/portable/encoding/t1.rs | 9 +- libcrux-ml-dsa/src/simd/portable/ntt.rs | 23 +- .../src/simd/portable/vector_type.rs | 26 + libcrux-ml-dsa/src/simd/tests.rs | 94 + libcrux-ml-dsa/src/simd/traits.rs | 99 - libcrux-ml-dsa/src/types.rs | 27 + libcrux-ml-kem/Cargo.toml | 8 +- libcrux-ml-kem/cg/karamel/endianness.h | 228 + libcrux-ml-kem/fuzz/.gitignore | 4 + libcrux-ml-kem/fuzz/Cargo.toml | 35 + libcrux-ml-kem/fuzz/fuzz_targets/decaps.rs | 25 + libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs | 23 + libcrux-ml-kem/fuzz/fuzz_targets/keygen.rs | 14 + libcrux-ml-kem/hax.py | 7 - ...m.Ind_cca.Instantiations.Avx2.Unpacked.fst | 89 + ....Ind_cca.Instantiations.Avx2.Unpacked.fsti | 56 + ...m.Ind_cca.Instantiations.Neon.Unpacked.fst | 89 + ....Ind_cca.Instantiations.Neon.Unpacked.fsti | 60 + ...d_cca.Instantiations.Portable.Unpacked.fst | 89 + ..._cca.Instantiations.Portable.Unpacked.fsti | 60 + ...Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst | 108 + ...ibcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti | 86 + ...Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst | 108 + ...ibcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti | 94 + ...rux_ml_kem.Mlkem1024.Portable.Unpacked.fst | 108 + ...ux_ml_kem.Mlkem1024.Portable.Unpacked.fsti | 94 + .../Libcrux_ml_kem.Mlkem1024.Rand.fst | 51 + .../Libcrux_ml_kem.Mlkem1024.Rand.fsti | 39 + 
.../Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst | 104 + ...Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti | 84 + .../Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst | 104 + ...Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti | 92 + ...crux_ml_kem.Mlkem512.Portable.Unpacked.fst | 105 + ...rux_ml_kem.Mlkem512.Portable.Unpacked.fsti | 92 + .../Libcrux_ml_kem.Mlkem512.Rand.fst | 49 + .../Libcrux_ml_kem.Mlkem512.Rand.fsti | 39 + .../Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst | 140 + ...Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti | 106 + .../Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst | 141 + ...Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti | 117 + ...crux_ml_kem.Mlkem768.Portable.Unpacked.fst | 141 + ...rux_ml_kem.Mlkem768.Portable.Unpacked.fsti | 117 + .../Libcrux_ml_kem.Mlkem768.Rand.fst | 51 + .../Libcrux_ml_kem.Mlkem768.Rand.fsti | 39 + libcrux-ml-kem/src/constant_time_ops.rs | 141 +- libcrux-ml-kem/src/hash_functions.rs | 161 +- libcrux-ml-kem/src/ind_cca.rs | 88 +- libcrux-ml-kem/src/ind_cca/instantiations.rs | 45 +- libcrux-ml-kem/src/ind_cca/multiplexing.rs | 58 +- libcrux-ml-kem/src/ind_cpa.rs | 3 +- libcrux-ml-kem/src/invert_ntt.rs | 106 +- libcrux-ml-kem/src/matrix.rs | 43 - libcrux-ml-kem/src/mlkem1024.rs | 16 - libcrux-ml-kem/src/mlkem512.rs | 45 +- libcrux-ml-kem/src/mlkem768.rs | 16 - libcrux-ml-kem/src/ntt.rs | 178 +- libcrux-ml-kem/src/polynomial.rs | 48 +- libcrux-ml-kem/src/sampling.rs | 43 +- libcrux-ml-kem/src/serialize.rs | 130 +- libcrux-ml-kem/src/types.rs | 4 - libcrux-ml-kem/src/utils.rs | 7 - libcrux-ml-kem/src/variant.rs | 8 - libcrux-ml-kem/src/vector/avx2.rs | 41 +- libcrux-ml-kem/src/vector/avx2/arithmetic.rs | 277 +- libcrux-ml-kem/src/vector/avx2/compress.rs | 3 - libcrux-ml-kem/src/vector/avx2/ntt.rs | 8 - libcrux-ml-kem/src/vector/avx2/sampling.rs | 13 - libcrux-ml-kem/src/vector/avx2/serialize.rs | 856 ++- libcrux-ml-kem/src/vector/neon.rs | 12 - libcrux-ml-kem/src/vector/neon/vector_type.rs | 26 +- libcrux-ml-kem/src/vector/portable.rs | 197 +- 
.../src/vector/portable/arithmetic.rs | 307 +- .../src/vector/portable/compress.rs | 38 +- libcrux-ml-kem/src/vector/portable/ntt.rs | 414 +- .../src/vector/portable/sampling.rs | 5 - .../src/vector/portable/serialize.rs | 829 +-- .../src/vector/portable/vector_type.rs | 17 +- libcrux-ml-kem/src/vector/traits.rs | 161 +- libcrux-sha3/Cargo.toml | 2 +- libcrux-sha3/proofs/fstar/extraction/Makefile | 1 - proofs/fstar/extraction-edited/Makefile | 151 +- .../extraction-secret-independent/Makefile | 135 +- proofs/fstar/extraction/Makefile | 128 +- .../fstar/extraction/Libcrux_platform.X86.fst | 69 - .../extraction/Libcrux_platform.X86.fsti | 2 +- sys/pqclean/src/bindings.rs | 2 +- 262 files changed, 29756 insertions(+), 10489 deletions(-) create mode 100644 .github/workflows/s390x.yml delete mode 100644 fstar-helpers/README.md delete mode 100644 fstar-helpers/fstar-bitvec/BitVec.Equality.fst delete mode 100644 fstar-helpers/fstar-bitvec/BitVec.Equality.fsti delete mode 100644 fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst delete mode 100644 fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst delete mode 100644 fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti delete mode 100644 fstar-helpers/fstar-bitvec/BitVec.Utils.fst delete mode 100644 fstar-helpers/fstar-bitvec/BitVecEq.fst delete mode 100644 fstar-helpers/fstar-bitvec/BitVecEq.fsti delete mode 100644 fstar-helpers/fstar-bitvec/MkSeq.fst delete mode 100644 fstar-helpers/fstar-bitvec/RwLemmas.fst delete mode 100644 fstar-helpers/fstar-bitvec/Tactics.Folds.fst delete mode 100644 fstar-helpers/fstar-bitvec/Tactics.GetBit.fst delete mode 100644 fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst delete mode 100644 fstar-helpers/fstar-bitvec/Tactics.Pow2.fst delete mode 100644 fstar-helpers/fstar-bitvec/Tactics.Seq.fst delete mode 100644 fstar-helpers/fstar-bitvec/Tactics.Utils.fst delete mode 100644 fstar-helpers/fstar-bitvec/dep.graph delete mode 100644 
libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst delete mode 100644 libcrux-intrinsics/proofs/fstar/extraction/Makefile create mode 100755 libcrux-ml-dsa/hax.py create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti create mode 100644 
libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti create mode 100644 
libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti create mode 
100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst create mode 100644 
libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti create mode 100644 
libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fsti rename {fstar-helpers/fstar-bitvec => libcrux-ml-dsa/proofs/fstar/extraction}/Makefile (69%) create mode 100644 libcrux-ml-dsa/proofs/fstar/extraction/dep.graph create mode 100644 
libcrux-ml-dsa/src/simd/avx2/vector_type.rs create mode 100644 libcrux-ml-dsa/src/simd/portable/vector_type.rs create mode 100644 libcrux-ml-dsa/src/simd/tests.rs create mode 100644 libcrux-ml-kem/cg/karamel/endianness.h create mode 100644 libcrux-ml-kem/fuzz/.gitignore create mode 100644 libcrux-ml-kem/fuzz/Cargo.toml create mode 100644 libcrux-ml-kem/fuzz/fuzz_targets/decaps.rs create mode 100644 libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs create mode 100644 libcrux-ml-kem/fuzz/fuzz_targets/keygen.rs create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst create mode 100644 
libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst create mode 100644 libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti delete mode 100644 libcrux-sha3/proofs/fstar/extraction/Makefile delete mode 100644 sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst diff --git a/.github/workflows/c.yml b/.github/workflows/c.yml index c3535185b..5345cad14 100644 --- a/.github/workflows/c.yml +++ b/.github/workflows/c.yml 
@@ -118,7 +118,7 @@ jobs: - name: 🔨 Build run: | - cmake -B build + LIBCRUX_BENCHMARKS=1 cmake -B build cmake --build build - name: 🏃🏻‍♀️ Test @@ -132,7 +132,7 @@ jobs: - name: 🔨 Build Release run: | rm -rf build - cmake -B build -DCMAKE_BUILD_TYPE=Release + LIBCRUX_BENCHMARKS=1 cmake -B build -DCMAKE_BUILD_TYPE=Release cmake --build build --config Release if: ${{ matrix.os != 'windows-latest' }} @@ -159,13 +159,6 @@ jobs: cmake -B build cmake --build build # FIXME: Benchmark build for cg on Windows CI is not working right now. - if: ${{ matrix.os != 'windows-latest' }} - - # FIXME: Benchmark build for cg on Windows CI are not working right now. - # - name: 🏃🏻‍♀️ Test (cg) - # working-directory: libcrux-ml-kem/cg - # run: ./build/Debug/ml_kem_test - # if: ${{ matrix.os == 'windows-latest' }} - name: 🏃🏻‍♀️ Test run: ./build/ml_kem_test diff --git a/.github/workflows/hax.yml b/.github/workflows/hax.yml index 39c5c4267..e385b948e 100644 --- a/.github/workflows/hax.yml +++ b/.github/workflows/hax.yml @@ -68,4 +68,13 @@ jobs: - name: 🏃 Extract ML-DSA crate working-directory: libcrux-ml-dsa - run: cargo hax into fstar + run: ./hax.py extract + + - name: 🏃 Lax ML-DSA crate + working-directory: libcrux-ml-dsa + run: | + env FSTAR_HOME=${{ github.workspace }}/fstar \ + HACL_HOME=${{ github.workspace }}/hacl-star \ + HAX_HOME=${{ github.workspace }}/hax \ + PATH="${PATH}:${{ github.workspace }}/fstar/bin" \ + ./hax.py prove --admit diff --git a/.github/workflows/mlkem.yml b/.github/workflows/mlkem.yml index 575339c5d..039a850f4 100644 --- a/.github/workflows/mlkem.yml +++ b/.github/workflows/mlkem.yml @@ -87,11 +87,6 @@ jobs: rustc --print=cfg cargo build --verbose $RUST_TARGET_FLAG --features pre-verification - - name: 🔨 Build unpacked - run: | - rustc --print=cfg - cargo build --verbose $RUST_TARGET_FLAG --features pre-verification,unpacked - - name: 🔨 Build Release run: cargo build --verbose --release $RUST_TARGET_FLAG --features pre-verification 
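Review bot: In the `@@ -159,13 +159,6 @@` hunk of c.yml the context comment `# FIXME: Benchmark build for cg on Windows CI is not working right now.` is kept while the `if: ${{ matrix.os != 'windows-latest' }}` guard it explained is deleted, so the cg build step now runs on Windows with a comment still saying it does not work there. If the Windows cg build is now expected to pass, delete the FIXME line too; if it is not, the guard removal looks accidental and the `if:` line should be restored. The step's `run:` block begins before the hunk, so I cannot see whether anything else changed in that step.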
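Review bot: The new `🏃 Lax ML-DSA crate` step in hax.yml runs `./hax.py prove --admit`, which admits every proof obligation, so a green run only shows that the extracted F* lax-typechecks, not that any ML-DSA property was verified. A one-line comment on the step would keep that from being read as a proof gate: `# Lax typecheck only (--admit): proofs are admitted, not checked.`. Note also that `./hax.py extract` replaces the `cargo hax into fstar` invocation with a script checked in by this series (`libcrux-ml-dsa/hax.py`, mode 100755 in the file list), so that script is now part of what CI trusts and executes on every run.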
@@ -173,3 +168,37 @@ jobs: run: | cargo clean cargo hack test --each-feature $EXCLUDE_FEATURES --verbose $RUST_TARGET_FLAG + + fuzz: + strategy: + fail-fast: false + matrix: + os: + - macos-latest # macos-14 m1 + - ubuntu-latest + + runs-on: ${{ matrix.os }} + defaults: + run: + shell: bash + working-directory: libcrux-ml-kem + + steps: + - uses: actions/checkout@v4 + + - name: 🛠️ Setup Rust Nightly + run: | + rustup toolchain install nightly + cargo install cargo-fuzz + + - name: 🛠️ Update dependencies + run: cargo update + + - name: 🏃🏻‍♀️ Decaps + run: CARGO_PROFILE_RELEASE_LTO=false cargo +nightly fuzz run decaps -- -runs=100000 + + - name: 🏃🏻‍♀️ Encaps + run: CARGO_PROFILE_RELEASE_LTO=false cargo +nightly fuzz run encaps -- -runs=100000 + + - name: 🏃🏻‍♀️ KeyGen + run: CARGO_PROFILE_RELEASE_LTO=false cargo +nightly fuzz run keygen -- -runs=1000000 diff --git a/.github/workflows/s390x.yml b/.github/workflows/s390x.yml new file mode 100644 index 000000000..e76c37b62 --- /dev/null +++ b/.github/workflows/s390x.yml @@ -0,0 +1,44 @@ +name: s390x - Build & Test + +on: + push: + pull_request: + branches: ["main", "dev"] + workflow_dispatch: + merge_group: + +env: + CARGO_TERM_COLOR: always + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + s390x: + runs-on: ubuntu-latest + name: Build on ubuntu-22.04 s390x + steps: + - uses: actions/checkout@v4 + - uses: uraimo/run-on-arch-action@v2 + name: Run + id: runcmd + with: + arch: s390x + distro: ubuntu22.04 + + # Speed up builds by storing container images in + # a GitHub package registry. + githubToken: ${{ github.token }} + + run: | + apt-get -y update + apt-get install -y curl gcc g++ make cmake ninja-build git + cd libcrux-ml-kem/c + cmake -B build -G"Ninja Multi-Config" + cmake --build build + ./build/Debug/ml_kem_test + cd ../cg + cmake -B build -G"Ninja Multi-Config" + cmake --build build + ./build/Debug/ml_kem_test 
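Review bot: The `🛠️ Update dependencies` step runs `cargo update` before fuzzing, which rewrites Cargo.lock inside the job and builds whatever semver-compatible crate versions are newest at run time, so the fuzz targets exercise a dependency set that differs from the committed lockfile and from every other job, and any freshly published crate version is compiled and executed in CI with no review. Drop that step (the workspace lockfile already covers `libcrux-ml-kem/fuzz`, which this series adds as a member) and pin the tools instead: `cargo install cargo-fuzz --locked` with an explicit `--version`, and a dated toolchain such as `rustup toolchain install nightly-YYYY-MM-DD` used consistently in the `cargo +nightly` lines. The job declares no `permissions:`; the workflow header is outside this hunk, so if nothing sets it there, `contents: read` is all these steps need.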
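Review bot: In the new s390x.yml, `uses: uraimo/run-on-arch-action@v2` pins a third-party action to a mutable tag and hands it `githubToken: ${{ github.token }}`, so whoever can move that tag controls code that runs with the workflow token on every push and pull request. Pin it to a full commit SHA with the tag as a trailing comment (`uses: uraimo/run-on-arch-action@<full-sha> # v2`) and add a top-level `permissions:` block limited to what the image cache needs (the comment says images are stored in the package registry, so `contents: read` plus `packages: write`), since the workflow declares none and otherwise inherits the repository default. The unpinned `apt-get install` line is a reproducibility issue rather than a trust one and can stay as is.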
diff --git a/.gitignore b/.gitignore index e1ba64f55..3eb7f0598 100644 --- a/.gitignore +++ b/.gitignore @@ -15,6 +15,6 @@ kyber-crate/ # F* .fstar-cache .depend -**/proofs/fstar/*/#*# -**/proofs/fstar/*/.#* +/proofs/fstar/*/#*# +/proofs/fstar/*/.#* hax.fst.config.json diff --git a/Cargo.lock b/Cargo.lock index 4b69f652c..e0c1238a6 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -704,7 +704,17 @@ name = "hax-lib" version = "0.1.0-alpha.1" source = "git+https://github.com/hacspec/hax/?branch=main#291e34e51a0182c0f1b29f27cbafe3d40490e39a" dependencies = [ - "hax-lib-macros", + "hax-lib-macros 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=main)", + "num-bigint", + "num-traits", +] + +[[package]] +name = "hax-lib" +version = "0.1.0-alpha.1" +source = "git+https://github.com/hacspec/hax/#4291b195f4dee2bec5568ee6a0b6fe6a108623fb" +dependencies = [ + "hax-lib-macros 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "num-bigint", "num-traits", ] @@ -714,7 +724,20 @@ name = "hax-lib-macros" version = "0.1.0-alpha.1" source = "git+https://github.com/hacspec/hax/?branch=main#291e34e51a0182c0f1b29f27cbafe3d40490e39a" dependencies = [ - "hax-lib-macros-types", + "hax-lib-macros-types 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=main)", + "paste", + "proc-macro-error", + "proc-macro2", + "quote", + "syn 2.0.86", +] + +[[package]] +name = "hax-lib-macros" +version = "0.1.0-alpha.1" +source = "git+https://github.com/hacspec/hax/#4291b195f4dee2bec5568ee6a0b6fe6a108623fb" +dependencies = [ + "hax-lib-macros-types 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "paste", "proc-macro-error", "proc-macro2", @@ -734,6 +757,18 @@ dependencies = [ "uuid", ] +[[package]] +name = "hax-lib-macros-types" +version = "0.1.0-alpha.1" +source = "git+https://github.com/hacspec/hax/#4291b195f4dee2bec5568ee6a0b6fe6a108623fb" +dependencies = [ + "proc-macro2", + "quote", + "serde", + "serde_json", + "uuid", +] + [[package]] name = "heck" version = "0.5.0" 
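Review bot: Changing `**/proofs/fstar/*/#*#` and `**/proofs/fstar/*/.#*` to `/proofs/fstar/*/#*#` and `/proofs/fstar/*/.#*` anchors both patterns to the repository-root `proofs/` directory only, yet this same series adds `libcrux-ml-dsa/proofs/fstar/extraction/` and `libcrux-ml-kem/proofs/fstar/extraction/` (see the file list above), where Emacs autosave and lock files (`#Foo.fst#`, `.#Foo.fst`) would no longer be ignored and could be committed by accident. If the intent was to stop ignoring something specific under the crate directories, a pattern naming that case would be clearer; otherwise the `**/` prefix should be kept.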
@@ -899,6 +934,7 @@ version = "0.0.2-beta.2" dependencies = [ "clap", "getrandom", + "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/?branch=main)", "hex", "libcrux", "libcrux-ecdh", @@ -971,9 +1007,6 @@ dependencies = [ [[package]] name = "libcrux-intrinsics" version = "0.0.2-beta.2" -dependencies = [ - "hax-lib", -] [[package]] name = "libcrux-kem" @@ -992,6 +1025,7 @@ name = "libcrux-ml-dsa" version = "0.0.2-beta.2" dependencies = [ "criterion", + "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "hex", "libcrux-intrinsics", "libcrux-platform", @@ -1007,7 +1041,7 @@ name = "libcrux-ml-kem" version = "0.0.2-beta.2" dependencies = [ "criterion", - "hax-lib", + "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "hex", "libcrux-intrinsics", "libcrux-platform", @@ -1017,6 +1051,14 @@ dependencies = [ "serde_json", ] +[[package]] +name = "libcrux-ml-kem-fuzz" +version = "0.0.0" +dependencies = [ + "libcrux-ml-kem", + "libfuzzer-sys", +] + [[package]] name = "libcrux-platform" version = "0.0.2-beta.2" @@ -1053,7 +1095,7 @@ version = "0.0.2-beta.2" dependencies = [ "cavp", "criterion", - "hax-lib", + "hax-lib 0.1.0-alpha.1 (git+https://github.com/hacspec/hax/)", "hex", "libcrux-intrinsics", "libcrux-platform", diff --git a/Cargo.toml b/Cargo.toml index bcdb8b03f..625c177a3 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -8,6 +8,7 @@ members = [ "benchmarks", "fuzz", "libcrux-ml-kem", + "libcrux-ml-kem/fuzz", "libcrux-sha3", "libcrux-ml-dsa", "libcrux-intrinsics", 
@@ -74,13 +75,7 @@ log = { version = "0.4", optional = true } # WASM API wasm-bindgen = { version = "0.2.87", optional = true } getrandom = { version = "0.2", features = ["js"], optional = true } - -# When using the hax toolchain, we have more dependencies. -# This is only required when doing proofs. -#[target.'cfg(hax)'.dependencies] -[workspace.dependencies] -hax-lib-macros = { git = "https://github.com/hacspec/hax", branch = "main" } -hax-lib = { git = "https://github.com/hacspec/hax/", branch = "main" } +hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/", branch = "main" } [dev-dependencies] libcrux = { path = ".", features = ["rand", "tests"] } diff --git a/benchmarks/benches/kyber768.rs b/benchmarks/benches/kyber768.rs index 2fec056a9..0341a881e 100644 --- a/benchmarks/benches/kyber768.rs +++ b/benchmarks/benches/kyber768.rs @@ -80,7 +80,7 @@ pub fn comparisons_pk_validation(c: &mut Criterion) { b.iter_batched( || libcrux_kem::deterministic::mlkem768_generate_keypair_derand(seed), |key_pair| { - let _valid = libcrux_kem::ml_kem768_validate_public_key(key_pair.into_parts().1); + let _valid = libcrux_kem::ml_kem768_validate_public_key(&key_pair.into_parts().1); }, BatchSize::SmallInput, ) diff --git a/fstar-helpers/Makefile.base b/fstar-helpers/Makefile.base index b4e0d962b..54c2552b1 100644 --- a/fstar-helpers/Makefile.base +++ b/fstar-helpers/Makefile.base @@ -1,5 +1,5 @@ # Base Makefile for F* in libcrux. -# This inherits from Makefile.generic, and adds the `specs` folder from HACL and the `libcrux-ml-kem/proofs/fstar/spec` folder. +# This inherits from Makefile.generic, and adds the `specs` folder from HACL. VERIFY_SLOW_MODULES ?= no ifeq (${VERIFY_SLOW_MODULES},no) 
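Review bot: Replacing `[workspace.dependencies]` with a `hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/", branch = "main" }` entry in the root crate's own `[dependencies]` (the hunk header's `log = { ..., optional = true }` line places it there) leaves `hax-lib` unpinned to any `rev`, and the Cargo.lock hunks above show the consequence: `libcrux` resolves `git+https://github.com/hacspec/hax/?branch=main#291e34e…` while `libcrux-ml-kem`, `libcrux-ml-dsa` and `libcrux-sha3` resolve `git+https://github.com/hacspec/hax/#4291b19…`, two different checkouts of the same crate in one workspace, either of which moves on the next `cargo update` whenever hacspec/hax is pushed to. Keep a single workspace-level spec and pin it, e.g. `hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/", rev = "4291b195f4dee2bec5568ee6a0b6fe6a108623fb" }` under `[workspace.dependencies]` with members using `hax-lib = { workspace = true }`, so every crate builds against the same reviewed commit. The removed comment said hax-lib was only needed for proofs; as written the new entry is a hard, non-optional dependency of `libcrux`, so `optional = true` behind a feature may be intended, worth confirming.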
@@ -10,5 +10,5 @@ EXTRA_HELPMESSAGE += printf "Libcrux specifics:\n"; EXTRA_HELPMESSAGE += target SLOW_MODULES 'a list of modules to verify fully only when `VERIFY_SLOW_MODULES` is set to `yes`. When `VERIFY_SLOW_MODULES`, those modules are admitted.'; EXTRA_HELPMESSAGE += target VERIFY_SLOW_MODULES '`yes` or `no`, defaults to `no`'; -FSTAR_INCLUDE_DIRS_EXTRA += $(HACL_HOME)/specs $(shell git rev-parse --show-toplevel)/libcrux-ml-kem/proofs/fstar/spec $(shell git rev-parse --show-toplevel)/fstar-helpers/fstar-bitvec +FSTAR_INCLUDE_DIRS_EXTRA += $(HACL_HOME)/specs include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.generic diff --git a/fstar-helpers/README.md b/fstar-helpers/README.md deleted file mode 100644 index 122ed5b03..000000000 --- a/fstar-helpers/README.md +++ /dev/null @@ -1,5 +0,0 @@ -This folder provides F* helpers: - - - `Makefile.generic` is the generic hax Makefile, available here: https://gist.github.com/W95Psp/4c304132a1f85c5af4e4959dd6b356c3. `Makefile.generic` is not supposed to be edited. - - `Makefile.base` is the base file that adds a couple of include folders that are useful generally in the scope of libcrux verification with F*. - - `fstar-bitvec` F* modules related to bitvectors. diff --git a/fstar-helpers/fstar-bitvec/BitVec.Equality.fst b/fstar-helpers/fstar-bitvec/BitVec.Equality.fst deleted file mode 100644 index 5e21832c7..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Equality.fst +++ /dev/null 
@@ -1,48 +0,0 @@ -module BitVec.Equality - -open Core -open Rust_primitives -open FStar.Mul -open FStar.FunctionalExtensionality - -private let mk_bv #len (f: (i:nat{i < len}) -> bit) = on (i:nat {i < len}) f - -let rec bv_equality'' #n (bv1 bv2: bit_vec n) - : r: bool {r <==> feq bv1 bv2} - = if n = 0 then true - else let n' = n - 1 in - if bv1 n' = bv2 n' - then - ( - let bv1' = mk_bv (fun i -> bv1 i) in - let bv2' = mk_bv (fun i -> bv2 i) in - if bv_equality'' #n' bv1' bv2' - then ( - assert (forall (x: nat{x < n'}). bv1' x == bv1 x); - assert (forall (x: nat{x < n'}). bv2' x == bv2 x); - true - ) - else false - ) - else false - -let bv_equality' #n (bv1 bv2: bit_vec n) - : r: bool {r <==> bv1 == bv2} - = extensionality _ _ bv1 bv2; - bv_equality'' bv1 bv2 - - -let bv_equality #n (bv1 bv2: bit_vec n) = bv_equality' bv1 bv2 - -let bv_equality_elim #n (bv1 bv2: bit_vec n) - : Lemma (requires bv_equality bv1 bv2) - (ensures bv1 == bv2) - = () -let bv_equality_intro #n (bv1 bv2: bit_vec n) - : Lemma (requires bv1 == bv2) - (ensures bv_equality bv1 bv2) - = () - -let rewrite n (bv1: bit_vec n) - : Lemma (bv_equality #n bv1 bv1 == true) - = () diff --git a/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti b/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti deleted file mode 100644 index 5340903b4..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti +++ /dev/null @@ -1,17 +0,0 @@ -module BitVec.Equality - -open Core -open Rust_primitives -open FStar.Mul -open FStar.FunctionalExtensionality - -val bv_equality #n (bv1 bv2: bit_vec n): bool -val bv_equality_elim #n (bv1 bv2: bit_vec n) - : Lemma (requires bv_equality bv1 bv2) - (ensures bv1 == bv2) -val bv_equality_intro #n (bv1 bv2: bit_vec n) - : Lemma (requires bv1 == bv2) - (ensures bv_equality bv1 bv2) -val rewrite n (bv1: bit_vec n): Lemma (bv_equality #n bv1 bv1 == true) - - 
diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst deleted file mode 100644 index 9d2614842..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst +++ /dev/null 
@@ -1,264 +0,0 @@ -module BitVec.Intrinsics.Constants - -open Core -open Rust_primitives -open FStar.Mul -open FStar.FunctionalExtensionality -open BitVec.Utils -open BitVec.Equality - -let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) - : bit_vec 256 - = mk_bv (fun i -> - let offset = i % 16 in - match i / 16 with - | 0 -> get_bit x15 (sz offset) - | 1 -> get_bit x14 (sz offset) - | 2 -> get_bit x13 (sz offset) - | 3 -> get_bit x12 (sz offset) - | 4 -> get_bit x11 (sz offset) - | 5 -> get_bit x10 (sz offset) - | 6 -> get_bit x9 (sz offset) - | 7 -> get_bit x8 (sz offset) - | 8 -> get_bit x7 (sz offset) - | 9 -> get_bit x6 (sz offset) - | 10 -> get_bit x5 (sz offset) - | 11 -> get_bit x4 (sz offset) - | 12 -> get_bit x3 (sz offset) - | 13 -> get_bit x2 (sz offset) - | 14 -> get_bit x1 (sz offset) - | 15 -> get_bit x0 (sz offset) - ) - -let madd_rhs (n: nat {n < 16}) = - mm256_set_epi16 - (1s < bit_vec 256 = admit () - -open Tactics.Utils - -open FStar.Tactics - -(** Unifies `t` with `fn x1 ... xN`, where `x1` and `xN` are -unification variables. This returns a list of terms to substitute `x1` -... `xN` with. *) -let unify_app (t fn: term) norm_steps: Tac (option (list term)) - = let bds = fst (collect_arr_bs (tc (cur_env ()) fn)) in - let _fake_goal = - (* create a goal `b1 -> ... 
-> bn -> squash True` *) - let trivial = pack_comp (C_Total (`squash True)) in - unshelve (fresh_uvar (Some (mk_arr bds trivial))) - in - (* get back the binders `b1`, ..., `bn` *) - let bds = intros () in - let args = map (fun (b: binder) -> b <: term) bds in - let norm_term = norm_term (hnf::norm_steps) in - let fn, t = norm_term (mk_e_app fn args), norm_term t in - let vars = map (fun b -> - let b = inspect_binder b in - let {bv_index = uniq; bv_ppname = ppname} = inspect_bv b.binder_bv in - let nv: namedv_view = {uniq; ppname; sort = seal (`_)} in - (FStar.Reflection.V2.pack_namedv nv, b.binder_sort) - ) bds in - let?# substs = fst (try_unify (cur_env ()) vars fn t) in - if List.Tot.length substs <> List.Tot.length bds - then fail "unify_app: inconsistent lengths"; - (* solve the trivial goal introduced at the begining *) - trivial (); - Some (List.Tot.rev (map (fun (_, t) -> t) substs)) - -irreducible let add (x y: int): int = x + y - -let f (a b c d: int): int = add (add (add a b) c) d - -// #push-options "--print_full_names --print_implicits --print_bound_var_types" -let _ = assert true by ( - let r = - unify_app - (quote (f 1 2 3 4)) - (quote f) - [delta_only [`%f]] - in - let s = term_to_string (quote r) - in - print s - ) - -let test x y (#[( - let n = fresh_namedv () in - let y = quote y in - let y' = `(madd_rhs (`#n)) in - let n = FStar.Reflection.V2.pack_namedv n in - let t = match try_unify (cur_env ()) [(n,`(n: nat {n < 16}))] y y' with - | (Some [v, t'], _) -> - `(stupid (`#t')) - | _ -> `(stupid (`#y)) in - exact t -)]f: bit_vec 256 -> bit_vec 256) = f x - -let xx = fun x -> test x (madd_rhs 12) - -irreducible let vec256_to_i16s (bv: bit_vec 256) - : (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - & (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - = admit () - -irreducible let rw_vec256_to_i16_ints - (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) - : Lemma ( - vec256_to_i16s (mm256_set_epi16 x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 
x12 x13 x14 x15) - == ((x0, x1, x2, x3, x4, x5, x6, x7), (x8, x9, x10, x11, x12, x13, x14, x15)) - ) = admit () - -let madd_rhs (n: nat {n < 16}) = - mm256_set_epi16 - (1s <= 1 - && v x0 = v x2 && v x0 = v x4 && v x0 = v x6 && v x0 = v x8 - && v x0 = v x10 && v x0 = v x12 && v x0 = v x14 - && v x1 = 1 && v x3 = 1 && v x5 = 1 && v x7 = 1 - && v x9 = 1 && v x11= 1 && v x13= 1 && v x15= 1 - then match Tactics.Pow2.log2 (v x0 <: nat) with - | Some coef -> - if coef < 16 - then ( - assert (v ((1s < None - else None -#pop-options - -open FStar.Tactics.V2 -[@@FStar.Tactics.V2.postprocess_with (fun _ -> - compute (); - Tactics.Seq.norm_index (); - compute (); - fail "x" -)] -let aa = - let n = 12 in - let tuple = ( - ( (1s < n | None -> 0 in - x - -open Tactics.Utils -open FStar.Tactics.V2 -module Visit = FStar.Tactics.Visit - -let rec any (f: 'a -> bool) (l: list 'a): bool - = match l with - | [] -> false - | hd::tl -> if f hd - then true - else any f tl - -exception FoundFreeLocalVar -let is_closed_term (x: term): Tac bool - = try - let _ = FStar.Tactics.Visit.visit_tm ( - function - | Tv_Var _ | Tv_BVar _ -> raise FoundFreeLocalVar - | x -> x - ) x - in true - with | FoundFreeLocalVar -> false - | e -> raise e - -let rw_mm256_set_epi16 t = - let?# (f, [arg,_]) = expect_app_n t 1 in - let?# _ = expect_free_var f (`%vec256_to_i16_ints) in - let?? 
_ = is_closed_term arg in - let?# (f, args) = expect_app_n arg 16 in - let?# _ = expect_free_var f (`%mm256_set_epi16) in - pointwise' (fun _ -> - let _ = let?# (lhs, _, _) = expect_lhs_eq_rhs () in - Some (if any (fun (arg, _) -> term_eq lhs arg) args - then norm [primops; iota; delta; zeta_full] - else ()) - in trefl () - ); - Some () - -let rec expect_madd_rhs' (bv: bit_vec 256) (n:nat {n < 16}) - : result: option (n: nat {n < 16}) { match result with - | Some n -> bv == madd_rhs n - | _ -> True - } - = if bv_equality bv (madd_rhs n) - then ( bv_equality_elim bv (madd_rhs n); - Some n ) - else if n = 0 then None - else expect_madd_rhs' bv (n - 1) - -irreducible let expect_madd_rhs (bv: bit_vec 256): option (n: nat {n < 16}) - = expect_madd_rhs' bv 15 - -// let rewrite_expect_madd_rhs -// (bv: bit_vec 256) (n: nat {n < 16}) -// : Lemma (requires bv == madd_rhs n) -// (ensures ) -// = () - diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst deleted file mode 100644 index 0c60d6587..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst +++ /dev/null 
@@ -1,203 +0,0 @@ -module BitVec.Intrinsics.TestShuffle - -open Rust_primitives -open FStar.Mul -open BitVec.Utils -open BitVec.Intrinsics - -assume val stuck: #a:Type -> #b:Type -> a -> b - -let index64 l (i: nat {i < List.Tot.length l}) = - match l with - | [x0;x1;x2;x3] -> - (match i with - | 0 -> x0 | 1 -> x1 | 2 -> x2 | 3 -> x3) - | [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31;x32;x33;x34;x35;x36;x37;x38;x39;x40;x41;x42;x43;x44;x45;x46;x47;x48;x49;x50;x51;x52;x53;x54;x55;x56;x57;x58;x59;x60;x61;x62;x63] -> - (match i with - | 0 -> x0 | 1 -> x1 | 2 -> x2 | 3 -> x3 | 4 -> x4 | 5 -> x5 | 6 -> x6 | 7 -> x7 | 8 -> x8 | 9 -> x9 | 10 -> x10 | 11 -> x11 | 12 -> x12 | 13 -> x13 | 14 -> x14 | 15 -> x15 - | 16 -> x16 | 17 -> x17 | 18 -> x18 | 19 -> x19 | 20 -> x20 | 21 -> x21 | 22 -> x22 | 23 -> x23 | 24 -> x24 | 25 -> x25 | 26 -> x26 | 27 -> x27 | 28 -> x28 | 29 -> x29 | 30 -> x30 | 31 -> x31 - | 32 -> x32 | 33 -> x33 | 34 -> x34 | 35 -> x35 | 36 -> x36 | 37 -> x37 | 38 -> x38 | 39 -> x39 | 40 -> x40 | 41 -> x41 | 42 -> x42 | 43 -> x43 | 44 -> x44 | 45 -> x45 | 46 -> x46 | 47 -> x47 - | 48 -> x48 | 49 -> x49 | 50 -> x50 | 51 -> x51 | 52 -> x52 | 53 -> x53 | 54 -> x54 | 55 -> x55 | 56 -> x56 | 57 -> x57 | 58 -> x58 | 59 -> x59 | 60 -> x60 | 61 -> x61 | 62 -> x62 | 63 -> x63) - | _ -> stuck "index" - -assume val nth: list bit -> nat -> bit - -let bv_of_list_list (n: pos) (l: list (l: list bit {List.Tot.length l == n})): bit_vec (List.Tot.length l * n) - = mk_bv (fun i -> nth (index64 l (i / n)) (i % n)) - -let z: l: list bit {List.Tot.length l == 4} = [0;0;0;0] - -type result #t0 #t1 #t2 #t3 #t4 = { - vector: t0; - adjacent_2_combined: t1; - adjacent_8_combined: t2; - combined': t3; - combined: t4; - } - -// /// We view `x` as a sequence of pairs of 16 bits, of the shape -// /// `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`: only the last `n` bits are non-zero. 
-// /// We output a sequence of 32 bits `0b0…0b₁…bₙa₁…aₙ`. -// let mm256_madd_epi16_specialized' (x: bit_vec 256) (n: nat {n < 16}): bit_vec 256 = -// mk_bv (fun i -> let j = i % 32 in -// // `x i` is the `j`th bit in the `i/32`th pair of 16 bits `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` -// // we want to construct the `j`th bit of `0b0…0b₁…bₙa₁…aₙ` -// let is_zero = -// // `|b₁…bₙa₁…aₙ| = n * 2`: if we're above that, we want to produce the bit `0` -// j >= n * 2 -// in -// if is_zero -// then 0 -// else if j < n -// then x i // we want to produce the bit `aⱼ` -// else -// // the bit from `b` is in the second item of the pair `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` -// x (i - n + 16) -// ) - -// let mm256_permutevar8x32_epi32_i32 (a: bit_vec 256) (b: list _ {List.Tot.length b == 8}): bit_vec 256 = -// mk_bv (fun i -> -// let j = i / 32 in -// let index = (List.Tot.index b (7 - j) % 8) * 32 in -// a (index + i % 32)) - -let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_madd_epi16_specialized' vector 4 - // Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector - // (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < bit) = [f 0;f 1;f 2;f 3;f 4;f 5;f 6;f 7;f 8;f 9;f 10;f 11;f 12;f 13;f 14;f 15;f 16;f 17;f 18;f 19;f 20;f 21;f 22;f 23;f 24;f 25;f 26;f 27;f 28;f 29;f 30;f 31;f 32;f 33;f 34;f 35;f 36;f 37;f 38;f 39;f 40;f 41;f 42;f 43;f 44;f 45;f 46;f 47;f 48;f 49;f 50;f 51;f 52;f 53;f 54;f 55;f 56;f 57;f 58;f 59;f 60;f 61;f 62;f 63;f 64;f 65;f 66;f 67;f 68;f 69;f 70;f 71;f 72;f 73;f 74;f 75;f 76;f 77;f 78;f 79;f 80;f 81;f 82;f 83;f 84;f 85;f 86;f 87;f 88;f 89;f 90;f 91;f 92;f 93;f 94;f 95;f 96;f 97;f 98;f 99;f 100;f 101;f 102;f 103;f 104;f 105;f 106;f 107;f 108;f 109;f 110;f 111;f 112;f 113;f 114;f 115;f 116;f 117;f 118;f 119;f 120;f 121;f 122;f 123;f 124;f 125;f 126;f 127;f 128;f 129;f 130;f 131;f 132;f 133;f 134;f 
135;f 136;f 137;f 138;f 139;f 140;f 141;f 142;f 143;f 144;f 145;f 146;f 147;f 148;f 149;f 150;f 151;f 152;f 153;f 154;f 155;f 156;f 157;f 158;f 159;f 160;f 161;f 162;f 163;f 164;f 165;f 166;f 167;f 168;f 169;f 170;f 171;f 172;f 173;f 174;f 175;f 176;f 177;f 178;f 179;f 180;f 181;f 182;f 183;f 184;f 185;f 186;f 187;f 188;f 189;f 190;f 191;f 192;f 193;f 194;f 195;f 196;f 197;f 198;f 199;f 200;f 201;f 202;f 203;f 204;f 205;f 206;f 207;f 208;f 209;f 210;f 211;f 212;f 213;f 214;f 215;f 216;f 217;f 218;f 219;f 220;f 221;f 222;f 223;f 224;f 225;f 226;f 227;f 228;f 229;f 230;f 231;f 232;f 233;f 234;f 235;f 236;f 237;f 238;f 239;f 240;f 241;f 242;f 243;f 244;f 245;f 246;f 247;f 248;f 249;f 250;f 251;f 252;f 253;f 254;f 255] -let map128 (f: (i: nat {i < 128}) -> bit) = [f 0;f 1;f 2;f 3;f 4;f 5;f 6;f 7;f 8;f 9;f 10;f 11;f 12;f 13;f 14;f 15;f 16;f 17;f 18;f 19;f 20;f 21;f 22;f 23;f 24;f 25;f 26;f 27;f 28;f 29;f 30;f 31;f 32;f 33;f 34;f 35;f 36;f 37;f 38;f 39;f 40;f 41;f 42;f 43;f 44;f 45;f 46;f 47;f 48;f 49;f 50;f 51;f 52;f 53;f 54;f 55;f 56;f 57;f 58;f 59;f 60;f 61;f 62;f 63;f 64;f 65;f 66;f 67;f 68;f 69;f 70;f 71;f 72;f 73;f 74;f 75;f 76;f 77;f 78;f 79;f 80;f 81;f 82;f 83;f 84;f 85;f 86;f 87;f 88;f 89;f 90;f 91;f 92;f 93;f 94;f 95;f 96;f 97;f 98;f 99;f 100;f 101;f 102;f 103;f 104;f 105;f 106;f 107;f 108;f 109;f 110;f 111;f 112;f 113;f 114;f 115;f 116;f 117;f 118;f 119;f 120;f 121;f 122;f 123;f 124;f 125;f 126;f 127] - -let test (a b c d e f g h i j k l m n o p: (l: list bit {List.Tot.length l == 4})) = - let input = bv_of_list_list 4 [ - a;z;z;z; b;z;z;z; c;z;z;z; d;z;z;z; - e;z;z;z; f;z;z;z; g;z;z;z; h;z;z;z; - i;z;z;z; j;z;z;z; k;z;z;z; l;z;z;z; - m;z;z;z; n;z;z;z; o;z;z;z; p;z;z;z; - - // z;z;z;a; z;z;z;b; z;z;z;c; z;z;z;d; - // z;z;z;e; z;z;z;f; z;z;z;g; z;z;z;h; - // z;z;z;i; z;z;z;j; z;z;z;k; z;z;z;l; - // z;z;z;m; z;z;z;n; z;z;z;o; z;z;z;p; - ] in - serialize_4_ input - - -// let xx a b c d e f g h i j k l m n o p = -// Pervasives.norm [iota; primops; zeta_full; 
delta] ( -// Pervasives.norm [iota; primops; zeta; delta] ( -// let {vector; adjacent_2_combined; adjacent_8_combined; combined'; combined} = test a b c d e f g h i j k l m n o p in -// let vector = map256 (fun (idx: nat{idx < 256}) -> vector idx) in -// let adjacent_2_combined = map256 (fun (idx: nat{idx < 256}) -> adjacent_2_combined idx) in -// let adjacent_8_combined = map256 (fun (idx: nat{idx < 256}) -> adjacent_8_combined idx) in -// let combined' = map256 (fun (idx: nat{idx < 256}) -> combined' idx) in -// let combined = map128 (fun (idx: nat{idx < 128}) -> combined idx) in -// // map128 (fun (idx: nat {idx < 128}) -> test a b c d e f g h i j k l m n o p idx) -// {vector; adjacent_2_combined; adjacent_8_combined; combined'; combined} -// // (vector, adjacent_2_combined) -// ) -// ) - - - -open FStar.Tactics.V2 -open Tactics.Utils - - -open Libcrux_intrinsics.Avx2_extract {t_Vec256, t_Vec128} -// open BitVec.Intrinsics { - -// } - -#push-options "--compat_pre_core 0" -let serialize_4__ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - BitVec.Intrinsics.mm256_madd_epi16 vector - (BitVec.Intrinsics.mm256_set_epi16 (1s < i % 16 < 4 || vector i = 0)); - assert (forall (i: nat {i < 64}). 
- // let local_i = i / 4 in - combined i == vector ((i / 4) * 16 + i % 4) - ) by ( - // unfold wrappers - norm [primops; iota; zeta; delta_namespace [ - `%BitVec.Intrinsics.mm256_shuffle_epi8; - `%BitVec.Intrinsics.mm256_permutevar8x32_epi32; - `%BitVec.Intrinsics.mm256_madd_epi16; - `%BitVec.Intrinsics.mm256_castsi256_si128; - "BitVec.Utils"; - ]]; - Tactics.Utils.prove_forall_nat_pointwise (Tactics.Utils.print_time "SMT query succeeded in " (fun _ -> - let reduce t = - norm [primops; iota; zeta_full; delta_namespace [ - "FStar.FunctionalExtensionality"; - t; - `%BitVec.Utils.mk_bv; - `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) - ]]; - norm [primops; iota; zeta_full; delta_namespace [ - "FStar.List.Tot"; `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) - ]] - in - reduce (`%BitVec.Intrinsics.mm256_permutevar8x32_epi32_i32); - reduce (`%BitVec.Intrinsics.mm256_shuffle_epi8_i8); - reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized); - grewrite (quote (forall_bool #256 (fun i -> i % 16 < 4 || op_Equality #int (vector i) 0))) (`true); - flip (); smt (); - reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized'); - // focus (fun _ -> dump' "Goal!!"); - trivial () - )) - ); - combined diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti deleted file mode 100644 index a101013a6..000000000 --- a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti +++ /dev/null 
@@ -1,425 +0,0 @@ -module BitVec.Intrinsics - -open Core -open Rust_primitives -open FStar.Mul -open BitVec.Utils -open BitVec.Equality -open Tactics.Utils - -(*** The intrinsics *) -let mm256_slli_epi16 (shift: i32 {v shift >= 0 /\ v shift <= 16}) (vec: bit_vec 256): bit_vec 256 - = mk_bv (fun i -> let nth_bit = i % 16 in - if nth_bit >= v shift then vec (i - v shift) else 0) - -let mm256_srli_epi16 (shift: i32 {v shift >= 0 /\ v shift <= 16}) (vec: bit_vec 256): bit_vec 256 - = mk_bv (fun i -> let nth_bit = i % 16 in - if nth_bit < 16 - v shift then vec (i + v shift) else 0) - -let mm256_srli_epi64 (shift: i32 {v shift >= 0 /\ v shift <= 64}) (vec: bit_vec 256): bit_vec 256 - = mk_bv (fun i -> let nth_bit = i % 64 in - if nth_bit < 64 - v shift then vec (i + v shift) else 0) - -let mm256_castsi256_si128 (vec: bit_vec 256): bit_vec 128 - = mk_bv (fun i -> vec i) -let mm256_extracti128_si256 (control: i32{control == 1l}) (vec: bit_vec 256): bit_vec 128 - = mk_bv (fun i -> vec (i + 128)) - -let mm256_si256_from_two_si128 (lower upper: bit_vec 128): bit_vec 256 - = mk_bv (fun i -> if i < 128 then lower i else upper (i - 128)) - -let mm_loadu_si128 (bytes: t_Array u8 (sz 16)): bit_vec 128 - = mk_bv (fun i -> get_bit (Seq.index bytes (i / 8)) (sz (i % 8))) - -let mm256_set_epi32 (x0 x1 x2 x3 x4 x5 x6 x7: i32) - : bit_vec 256 - = mk_bv (fun i -> - let h (x: i32) = get_bit x (sz (i % 32)) in - match i / 32 with - | 0 -> h x7 | 1 -> h x6 | 2 -> h x5 | 3 -> h x4 - | 4 -> h x3 | 5 -> h x2 | 6 -> h x1 | 7 -> h x0) - -let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) - : bit_vec 256 - = mk_bv (fun i -> - let h (x: i16) = get_bit x (sz (i % 16)) in - match i / 16 with - | 0 -> h x15 | 1 -> h x14 | 2 -> h x13 | 3 -> h x12 - | 4 -> h x11 | 5 -> h x10 | 6 -> h x9 | 7 -> h x8 - | 8 -> h x7 | 9 -> h x6 | 10 -> h x5 | 11 -> h x4 - | 12 -> h x3 | 13 -> h x2 | 14 -> h x1 | 15 -> h x0 - ) - -let mm_set_epi8 - (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 
x14 x15: u8) - : bit_vec 128 - = mk_bv (fun i -> - let h (x: u8) = get_bit x (sz (i % 8)) in - match i / 8 with - | 0 -> h x15 | 1 -> h x14 | 2 -> h x13 | 3 -> h x12 - | 4 -> h x11 | 5 -> h x10 | 6 -> h x9 | 7 -> h x8 - | 8 -> h x7 | 9 -> h x6 | 10 -> h x5 | 11 -> h x4 - | 12 -> h x3 | 13 -> h x2 | 14 -> h x1 | 15 -> h x0 - ) - -let mm256_set_epi8 - (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31: i8) - : bit_vec 256 - = mk_bv (fun i -> - let h (x: i8) = get_bit x (sz (i % 8)) in - match i / 8 with - | 0 -> h x31 | 1 -> h x30 | 2 -> h x29 | 3 -> h x28 - | 4 -> h x27 | 5 -> h x26 | 6 -> h x25 | 7 -> h x24 - | 8 -> h x23 | 9 -> h x22 | 10 -> h x21 | 11 -> h x20 - | 12 -> h x19 | 13 -> h x18 | 14 -> h x17 | 15 -> h x16 - | 16 -> h x15 | 17 -> h x14 | 18 -> h x13 | 19 -> h x12 - | 20 -> h x11 | 21 -> h x10 | 22 -> h x9 | 23 -> h x8 - | 24 -> h x7 | 25 -> h x6 | 26 -> h x5 | 27 -> h x4 - | 28 -> h x3 | 29 -> h x2 | 30 -> h x1 | 31 -> h x0 - ) - -val mm256_set1_epi16_no_semantics: i16 -> bit_vec 256 -let mm256_set1_epi16_pow2_minus_one (n: nat): bit_vec 256 - = mk_bv (fun i -> if i % 16 < n then 1 else 0) - -let mm256_and_si256 (x y: bit_vec 256): bit_vec 256 - = mk_bv (fun i -> if y i = 0 then 0 else x i) - -let mm256_set1_epi16 (constant: i16) - (#[Tactics.exact (match unify_app (quote constant) (quote (fun n -> ((1s < `(mm256_set1_epi16_pow2_minus_one (`#x)) - | _ -> (quote (mm256_set1_epi16_no_semantics constant)) - )]result: bit_vec 256) - : bit_vec 256 = result - -private let saturate8 (v: bit_vec 16): bit_vec 8 - = let on_upper_bits (+) (f: (n:nat{n >= 8 && n <= 15}) -> _) - = f 8 + f 9 + f 10 + f 11 + f 12 + f 13 + f 14 + f 15 - in - let any1 = on_upper_bits ( || ) (fun i -> v i = 1) in - let all1 = on_upper_bits ( && ) (fun i -> v i = 1) in - let negative = v 15 = 1 in - mk_bv (fun i -> - let last_bit = i = 7 in - if negative - then if last_bit - then 1 - else if all1 - then v i - else 0 - 
else if any1 - then if last_bit - then 0 - else 1 - else v i - ) - -let mm_movemask_epi8_bv (a: bit_vec 128): bit_vec 128 - = mk_bv (fun j -> - if j < 16 - then a ((j * 8) + 7) - else 0 - ) - -let mm_movemask_epi8 (a: bit_vec 128): i32 - = bit_vec_to_int_t 32 (mk_bv (fun i -> mm_movemask_epi8_bv a i)) - -let mm_packs_epi16 (a b: bit_vec 128): bit_vec 128 - = mk_bv (fun i -> - let nth_block = i / 8 in - let offset8 = nth_block * 8 in - let offset16' = nth_block * 16 in - let offset16 = offset16' % 128 in - let vec: bit_vec 128 = if offset16' < 128 then a else b in - saturate8 (mk_bv (fun j -> vec (offset16 + j))) (i - offset8) - ) - - - -// This is a very specialized version of mm256_mullo_epi16 -let mm256_mullo_epi16_specialized1 (a: bit_vec 256): bit_vec 256 = - mk_bv (fun i -> - let nth_bit = i % 16 in - let nth_i16 = i / 16 in - let shift = if nth_i16 >= 8 then 23 - nth_i16 else 15 - nth_i16 in - if nth_bit >= shift then a (i - shift) else 0 - ) - -// This is a very specialized version of mm256_mullo_epi16 -let mm256_mullo_epi16_specialized2 (a: bit_vec 256): bit_vec 256 = - mk_bv (fun i -> - let nth_bit = i % 16 in - let nth_i16 = i / 16 in - let shift = if nth_i16 % 2 = 0 then 4 else 0 in - if nth_bit >= shift then a (i - shift) else 0 - ) - -// This is a very specialized version of mm256_mullo_epi16 -let mm256_mullo_epi16_specialized3 (a: bit_vec 256): bit_vec 256 = - mk_bv (fun i -> - let nth_bit = i % 16 in - let nth_i16 = i / 16 in - let shift = 6 - (nth_i16 % 4) * 2 in - if nth_bit >= shift then a (i - shift) else 0 - ) - -// This term will be stuck, we don't know anything about it -val mm256_mullo_epi16_no_semantics (a count: bit_vec 256): bit_vec 256 - -open FStar.Tactics.V2 - - - -let mm256_mullo_epi16 - (a count: bit_vec 256) - (#[( - if match unify_app (quote count) (quote (fun x -> mm256_set_epi16 (1s < unquote x = 1s - | _ -> false - then Tactics.exact (quote (mm256_mullo_epi16_specialized1 a)) - else if match unify_app (quote count) (quote (fun x 
-> mm256_set_epi16 (1s < unquote x = 1s - | _ -> false - then Tactics.exact (quote (mm256_mullo_epi16_specialized2 a)) - else - if match unify_app (quote count) (quote (fun x -> mm256_set_epi16 (1s < unquote x = 1s - | _ -> false - then Tactics.exact (quote (mm256_mullo_epi16_specialized3 a)) - else - Tactics.exact (quote (mm256_mullo_epi16_no_semantics a count)) - )]result: bit_vec 256): bit_vec 256 = result - -let madd_rhs (n: nat {n < 16}) = - mm256_set_epi16 - (1s < bit_vec 256 -> bit_vec 256 - -let forall_bool (#max: pos) (f: (n: nat {n < max}) -> bool) - : r:bool {r <==> (forall i. f i)} - = let rec h (n: nat {n <= max}): r:bool {r <==> (forall i. i < n ==> f i)} = - match n with - | 0 -> true - | _ -> f (n - 1) && h (n - 1) - in h max - -/// We view `x` as a sequence of pairs of 16 bits, of the shape -/// `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`: only the last `n` bits are non-zero. -/// We output a sequence of 32 bits `0b0…0b₁…bₙa₁…aₙ`. -let mm256_madd_epi16_specialized' (x: bit_vec 256) (n: nat {n < 16}): bit_vec 256 = - mk_bv (fun i -> let j = i % 32 in - // `x i` is the `j`th bit in the `i/32`th pair of 16 bits `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` - // we want to construct the `j`th bit of `0b0…0b₁…bₙa₁…aₙ` - let is_zero = - // `|b₁…bₙa₁…aₙ| = n * 2`: if we're above that, we want to produce the bit `0` - j >= n * 2 - in - if is_zero - then 0 - else if j < n - then x i // we want to produce the bit `aⱼ` - else - // the bit from `b` is in the second item of the pair `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` - x (i - n + 16) - ) - -let mm256_concat_pairs_n - (n: u8 {v n < 16}) - (x: bit_vec 256 {forall (i: nat {i < 256}). 
i % 16 < v n || x i = 0}) = - mm256_madd_epi16_specialized' x (v n) - -let mm256_madd_epi16_specialized (x: bit_vec 256) (n: nat {n < 16}) = - if forall_bool (fun (i: nat {i < 256}) -> i % 16 < n || x i = 0) - then mm256_madd_epi16_specialized' x n - else mm256_madd_epi16_no_semantic x (madd_rhs n) - -val mm_shuffle_epi8_no_semantics (a b: bit_vec 128): bit_vec 128 -let mm_shuffle_epi8_u8 (a: bit_vec 128) (b: list int {List.Tot.length b == 16}): bit_vec 128 = - mk_bv (fun i -> - let nth = i / 8 in - let index = List.Tot.index b (15 - nth) in - if index < 0 then 0 - else let index = index % 16 in - a (index * 8 + i % 8 + i / 128 * 128)) - -let mm_shuffle_epi8 - (x y: bit_vec 128) - (#[( - let t = match unify_app (quote y) - (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 -> - mm_set_epi8 - (UInt8.uint_to_t x0 ) (UInt8.uint_to_t x1 ) (UInt8.uint_to_t x2 ) (UInt8.uint_to_t x3 ) (UInt8.uint_to_t x4 ) (UInt8.uint_to_t x5 ) (UInt8.uint_to_t x6 ) (UInt8.uint_to_t x7 ) - (UInt8.uint_to_t x8 ) (UInt8.uint_to_t x9 ) (UInt8.uint_to_t x10) (UInt8.uint_to_t x11) (UInt8.uint_to_t x12) (UInt8.uint_to_t x13) (UInt8.uint_to_t x14) (UInt8.uint_to_t x15))) [] with - | Some [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15] -> - `(mm_shuffle_epi8_u8 (`@x) - (mk_list_16 - (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ) - (`#x8 ) (`#x9 ) (`#x10) (`#x11) (`#x12) (`#x13) (`#x14) (`#x15))) - | _ -> quote (mm_shuffle_epi8_no_semantics x y) in - exact t - )]result: bit_vec 128) - : bit_vec 128 - = result - -val mm256_shuffle_epi8_no_semantics (a b: bit_vec 256): bit_vec 256 -let mm256_shuffle_epi8_i8 (a: bit_vec 256) (b: list _ {List.Tot.length b == 32}): bit_vec 256 = - mk_bv (fun i -> - let nth = i / 8 in - let index = List.Tot.index b (31 - nth) in - if index < 0 then 0 - else let index = index % 16 in - a (index * 8 + i % 8 + i / 128 * 128)) - -let mm256_shuffle_epi8 - (x y: bit_vec 256) - (#[( - let t = match unify_app (quote y) - (quote (fun x0 x1 
x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31 -> - mm256_set_epi8 - (Int8.int_to_t x0 ) (Int8.int_to_t x1 ) (Int8.int_to_t x2 ) (Int8.int_to_t x3 ) (Int8.int_to_t x4 ) (Int8.int_to_t x5 ) (Int8.int_to_t x6 ) (Int8.int_to_t x7 ) - (Int8.int_to_t x8 ) (Int8.int_to_t x9 ) (Int8.int_to_t x10) (Int8.int_to_t x11) (Int8.int_to_t x12) (Int8.int_to_t x13) (Int8.int_to_t x14) (Int8.int_to_t x15) - (Int8.int_to_t x16) (Int8.int_to_t x17) (Int8.int_to_t x18) (Int8.int_to_t x19) (Int8.int_to_t x20) (Int8.int_to_t x21) (Int8.int_to_t x22) (Int8.int_to_t x23) - (Int8.int_to_t x24) (Int8.int_to_t x25) (Int8.int_to_t x26) (Int8.int_to_t x27) (Int8.int_to_t x28) (Int8.int_to_t x29) (Int8.int_to_t x30) (Int8.int_to_t x31))) [] with - | Some [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31] -> - `(mm256_shuffle_epi8_i8 (`@x) - (mk_list_32 - (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ) - (`#x8 ) (`#x9 ) (`#x10) (`#x11) (`#x12) (`#x13) (`#x14) (`#x15) - (`#x16) (`#x17) (`#x18) (`#x19) (`#x20) (`#x21) (`#x22) (`#x23) - (`#x24) (`#x25) (`#x26) (`#x27) (`#x28) (`#x29) (`#x30) (`#x31))) - | _ -> quote (mm256_shuffle_epi8_no_semantics x y) in - exact t - )]result: bit_vec 256) - : bit_vec 256 - = result - -val mm256_permutevar8x32_epi32_no_semantics (a b: bit_vec 256): bit_vec 256 -let mm256_permutevar8x32_epi32_i32 (a: bit_vec 256) (b: list _ {List.Tot.length b == 8}): bit_vec 256 = - mk_bv (fun i -> - let j = i / 32 in - let index = (List.Tot.index b (7 - j) % 8) * 32 in - a (index + i % 32)) - -let mm256_permutevar8x32_epi32 - (x y: bit_vec 256) - (#[( - let t = match unify_app (quote y) - (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 -> - mm256_set_epi32 - (Int32.int_to_t x0) (Int32.int_to_t x1) (Int32.int_to_t x2) (Int32.int_to_t x3) - (Int32.int_to_t x4) (Int32.int_to_t x5) (Int32.int_to_t x6) (Int32.int_to_t x7))) [] with - | Some 
[x0;x1;x2;x3;x4;x5;x6;x7] -> - `(mm256_permutevar8x32_epi32_i32 (`@x) - (mk_list_8 (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ))) - | _ -> quote (mm256_permutevar8x32_epi32_no_semantics x y) in - exact t - )]result: bit_vec 256) - : bit_vec 256 - = result - -val mm256_sllv_epi32_no_semantics (x y: bit_vec 256): bit_vec 256 -let mm256_sllv_epi32_i32 (vec: bit_vec 256) (counts: list _ {List.Tot.length counts == 8}): bit_vec 256 - = mk_bv (fun i -> let nth_bit = i % 32 in - let shift = List.Tot.index counts (7 - i / 32) in - if shift >= 0 && nth_bit >= shift then vec (i - shift) else 0) - -let mm256_sllv_epi32 - (x y: bit_vec 256) - (#[( - let t = match unify_app (quote y) - (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 -> - mm256_set_epi32 - (Int32.int_to_t x0) (Int32.int_to_t x1) (Int32.int_to_t x2) (Int32.int_to_t x3) - (Int32.int_to_t x4) (Int32.int_to_t x5) (Int32.int_to_t x6) (Int32.int_to_t x7))) [] with - | Some [x0;x1;x2;x3;x4;x5;x6;x7] -> - `(mm256_sllv_epi32_i32 (`@x) - (mk_list_8 (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ))) - | _ -> quote (mm256_sllv_epi32_no_semantics x y) in - exact t - )]result: bit_vec 256) - : bit_vec 256 - = result - - -let mm256_madd_epi16 - (x y: bit_vec 256) - (#[( - let t = match unify_app (quote y) (quote (fun n -> madd_rhs n)) [delta_only [`%madd_rhs]] with - | Some [n] -> `(mm256_madd_epi16_specialized (`@x) (`#n)) - | _ -> quote (mm256_madd_epi16_no_semantic x y) in - exact t - )]result: bit_vec 256) - : bit_vec 256 - = result - -val mm_storeu_bytes_si128 (_output: t_Slice u8) (vec: bit_vec 128) - // : r: t_Array u8 (sz 16) {forall i. vec i == get_bit (Seq.index r (i / 8)) (sz (i % 8))} - : r: t_Array u8 (sz 16) {forall i. 
vec i == bit_vec_of_int_t_array r 8 i} - -open FStar.Stubs.Tactics.V2.Builtins -open FStar.Stubs.Tactics.V2 -open FStar.Tactics.V2.Derived -open FStar.Tactics.V2 - -let rec bv_to_string #len (bv: bit_vec len): string - = if len = 0 then "" - else string_of_int (bv (len - 1)) - ^ bv_to_string #(len - 1) (mk_bv (fun i -> bv i)) - -let bv_of_string #len (s: string): Tac (bit_vec len) - = let l = FStar.String.list_of_string s - |> filter (function ' ' | '\n' -> false | _ -> true) - |> map #_ #bit (function '1' -> 1 <: bit | '0' -> 0 | c -> fail ("expected 0 or 1, got [" ^ String.string_of_char c ^ "]")) in - if FStar.List.Tot.length l = len - then mk_bv (fun (i: nat {i < len}) -> List.Tot.index l i) - else fail ("expected a bv of length " ^ string_of_int len ^ ", got a bv of length " ^ string_of_int (FStar.List.Tot.length l)) - -let call_native_intrinsic' #ilen name raw_args (bitvecs: list (bit_vec ilen)) : Tac string = - let bitvecs = List.Tot.map bv_to_string bitvecs in - let args = List.Tot.append raw_args bitvecs in - let result = launch_process "bash" ("/tmp/run.sh"::name::args) "" in - print ("process stdout is [" ^ result ^ "]"); - FStar.String.list_of_string result - |> filter (function ' ' | '\n' -> false | _ -> true) - |> String.string_of_list - -let call_native_intrinsic #ilen olen name raw_args (bitvecs: list (bit_vec ilen)) : Tac (bit_vec olen) = - bv_of_string (call_native_intrinsic' #ilen name raw_args bitvecs) - -let random_bv len: Tac (bit_vec len) - = call_native_intrinsic #1 _ "rand" [string_of_int len] [] - -let tassert (x: bool): Tac unit - = if x then () else fail "tassert" - - -private let example: bit_vec 256 = mk_bv (fun i -> if i % 16 = 15 then 1 else 0) - -private let x = bv_to_string example -private let y = bv_to_string (mm256_srli_epi16 15l example) - diff --git a/fstar-helpers/fstar-bitvec/BitVec.Utils.fst b/fstar-helpers/fstar-bitvec/BitVec.Utils.fst deleted file mode 100644 index 3d2d19c98..000000000 
--- a/fstar-helpers/fstar-bitvec/BitVec.Utils.fst +++ /dev/null 
@@ -1,67 +0,0 @@ -module BitVec.Utils - -open Core -open FStar.FunctionalExtensionality -open BitVec.Equality -open Rust_primitives.BitVectors - -let mk_bv #len (f: (i:nat{i < len}) -> bit) = on (i:nat {i < len}) f - -let mk_list_32 #a (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31: a) - : (l:list a {List.Tot.length l == 32}) - = let l = [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31] in - assert_norm (List.Tot.length l == 32); - l - -let mk_list_16 #a (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: a) - : (l:list a {List.Tot.length l == 16}) - = let l = [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15] in - assert_norm (List.Tot.length l == 16); - l - -let mk_list_8 #a (x0 x1 x2 x3 x4 x5 x6 x7: a) - : (l:list a {List.Tot.length l == 8}) - = let l = [x0;x1;x2;x3;x4;x5;x6;x7] in - assert_norm (List.Tot.length l == 8); - l - -let rw_get_bit_cast #t #u - (x: int_t t) (nth: usize) - : Lemma (requires v nth < bits u /\ v nth < bits u) - (ensures eq2 #bit (get_bit (cast_mod #t #u x) nth) (if v nth < bits t then get_bit x nth else 0)) - [SMTPat (get_bit (cast_mod #t #u x) nth)] - = () - -let rw_get_bit_shr #t #u (x: int_t t) (y: int_t u) (i: usize {v i < bits t}) - : Lemma (requires v y >= 0 /\ v y < bits t) - (ensures eq2 #bit (get_bit (x >>! y) i ) - (if v i < bits t - v y - then get_bit x (mk_int (v i + v y)) - else if signed t - then get_bit x (mk_int (bits t - 1)) - else 0)) - = () - -unfold type forall_sig (n: nat) = pred: ((i:nat{i < n}) -> bool) - -> r: bool {r <==> (forall i. 
pred i)} - -let forall8: forall_sig 8 = fun pred -> pred 0 && pred 1 && pred 2 && pred 3 - && pred 4 && pred 5 && pred 6 && pred 7 - -#push-options "--z3rlimit 400" -let forall16: forall_sig 16 = fun pred -> forall8 pred && forall8 (fun i -> pred (i + 8)) -let forall32: forall_sig 32 = fun pred -> forall16 pred && forall16 (fun i -> pred (i + 16)) -let forall64: forall_sig 64 = fun pred -> forall32 pred && forall32 (fun i -> pred (i + 32)) -let forall128: forall_sig 128 = fun pred -> forall64 pred && forall64 (fun i -> pred (i + 64)) -let forall256: forall_sig 256 = fun pred -> forall128 pred && forall128 (fun i -> pred (i + 128)) -#pop-options - -let forall_n (n:nat{n <= 256}): forall_sig n = fun pred -> forall256 (fun i -> if i < n then pred i else true) - -let bit_vec_to_int_t_lemma - #t (d: num_bits t) (bv: bit_vec d) - i - : Lemma (get_bit (bit_vec_to_int_t d bv) (sz i) == bv i) - [SMTPat (get_bit (bit_vec_to_int_t d bv) (sz i))] - = bit_vec_to_int_t_lemma d bv i - diff --git a/fstar-helpers/fstar-bitvec/BitVecEq.fst b/fstar-helpers/fstar-bitvec/BitVecEq.fst deleted file mode 100644 index c89f2fe35..000000000 --- a/fstar-helpers/fstar-bitvec/BitVecEq.fst +++ /dev/null @@ -1,12 +0,0 @@ -module BitVecEq - -open Core -open FStar.Mul -open FStar.FunctionalExtensionality - -let bit_vec_equal #n bv1 bv2 = forall i. bv1 i == bv2 i - -let bit_vec_equal_intro bv1 bv2 = () -let bit_vec_equal_elim bv1 bv2 = assert (feq bv1 bv2) - - diff --git a/fstar-helpers/fstar-bitvec/BitVecEq.fsti b/fstar-helpers/fstar-bitvec/BitVecEq.fsti deleted file mode 100644 index c370f28bf..000000000 --- a/fstar-helpers/fstar-bitvec/BitVecEq.fsti +++ /dev/null 
@@ -1,293 +0,0 @@ -module BitVecEq -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul -open MkSeq -open FStar.FunctionalExtensionality - -val bit_vec_equal (#n: nat) (bv1 bv2: bit_vec n): Type0 -val bit_vec_equal_intro (#n: nat) (bv1 bv2: bit_vec n) - : Lemma (requires forall i. bv1 i == bv2 i) - (ensures bit_vec_equal bv1 bv2) -val bit_vec_equal_elim (#n: nat) (bv1 bv2: bit_vec n) - : Lemma (requires bit_vec_equal #n bv1 bv2) - (ensures bv1 == bv2) - [SMTPat (bit_vec_equal #n bv1 bv2)] - -let bit_vec_equal_intro_principle () - : Lemma (forall n (bv1 bv2: bit_vec n). (forall i. bv1 i == bv2 i) ==> bit_vec_equal #n bv1 bv2) - = introduce forall n (bv1 bv2: bit_vec n). _ - with introduce (forall i. bv1 i == bv2 i) ==> bit_vec_equal #n bv1 bv2 - with _. bit_vec_equal_intro #n bv1 bv2 - -let bit_vec_equal_elim_principle () - : Lemma (forall n (bv1 bv2: bit_vec n). bit_vec_equal #n bv1 bv2 ==> (forall i. bv1 i == bv2 i)) - = introduce forall n (bv1 bv2: bit_vec n). _ - with introduce bit_vec_equal #n bv1 bv2 ==> (forall i. bv1 i == bv2 i) - with _. bit_vec_equal_elim #n bv1 bv2 - -let bit_vec_equal_trivial (bv1 bv2: bit_vec 0): Lemma (bv1 == bv2) - [SMTPat (eq2 #(bit_vec 0) bv1 bv2)] - = bit_vec_equal_intro bv1 bv2 - -let bit_vec_sub #n (bv: bit_vec n) (start: nat) (len: nat {start + len <= n}) - : bit_vec len - = on (i: nat {i < len}) - (fun i -> bv (start + i)) - -let bit_vec_equal_trivial_sub_smtpat (bv1: bit_vec 'n) - : Lemma (forall (bv2: bit_vec 0). bit_vec_sub bv1 0 0 == bv2) - [SMTPat (bit_vec_sub bv1 0 0)] - = introduce forall (bv2: bit_vec 0). 
bit_vec_sub bv1 0 0 == bv2 - with bit_vec_equal_trivial (bit_vec_sub bv1 0 0) bv2 - -unfold let retype #a #b (#_:unit{a == b}) - (x: a): b - = x - -let bit_vec_sub_all_lemma #n (bv: bit_vec n) - : Lemma (bit_vec_sub bv 0 n == bv) - [SMTPat (bit_vec_sub bv 0 n)] - = bit_vec_equal_intro (bit_vec_sub bv 0 n) bv - -let int_t_array_bitwise_eq' - #t1 #t2 #n1 #n2 - (arr1: t_Array (int_t t1) n1) (d1: num_bits t1) - (arr2: t_Array (int_t t2) n2) (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - = bit_vec_equal (bit_vec_of_int_t_array arr1 d1) - (retype (bit_vec_of_int_t_array arr2 d2)) - -let int_t_array_bitwise_eq - #t1 #t2 #n1 #n2 - (arr1: t_Array (int_t t1) n1) (d1: num_bits t1) - (arr2: t_Array (int_t t2) n2) (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - = bit_vec_of_int_t_array arr1 d1 == bit_vec_of_int_t_array arr2 d2 - -// let get_bit_intro () -// : Lemma (forall (#n: inttype) (x: int_t n) (nth: usize {v nth < bits n}). -// get_bit #n x nth == ( if v x >= 0 then get_bit_nat (v x) (v nth) -// else get_bit_nat (pow2 (bits n) + v x) (v nth))) -// = introduce forall (n: inttype) (x: int_t n) (nth: usize {v nth < bits n}). 
-// get_bit #n x nth == ( if v x >= 0 then get_bit_nat (v x) (v nth) -// else get_bit_nat (pow2 (bits n) + v x) (v nth)) -// with get_bit_intro #n x nth - -#push-options "--fuel 0 --ifuel 0 --z3rlimit 80" -/// Rewrite a `bit_vec_of_int_t_array (Seq.slice arr ...)` into a `bit_vec_sub ...` -let int_t_seq_slice_to_bv_sub_lemma #t #n - (arr: t_Array (int_t t) n) - (start: nat) (len: usize {start + v len <= v n}) - (d: num_bits t) - : Lemma ( bit_vec_of_int_t_array (Seq.slice arr start (start + v len) <: t_Array _ len) d - `bit_vec_equal` bit_vec_sub (bit_vec_of_int_t_array arr d) (start * d) (v len * d)) - [SMTPat (bit_vec_sub (bit_vec_of_int_t_array arr d) (start * d) (v len * d))] - = let bv1 = bit_vec_of_int_t_array #_ #len (Seq.slice arr start (start + v len)) d in - let bv2 = bit_vec_sub (bit_vec_of_int_t_array arr d) (start * d) (v len * d) in - introduce forall i. bv1 i == bv2 i - with ( Seq.lemma_index_slice arr start (start + v len) (i / d); - Math.Lemmas.lemma_div_plus i start d; - Math.Lemmas.lemma_mod_plus i start d); - bit_vec_equal_intro bv1 bv2 - -#push-options "--split_queries always" -let int_t_eq_seq_slice_bv_sub_lemma #t #n1 #n2 - (arr1: t_Array (int_t t) n1) (arr2: t_Array (int_t t) n2) (d: num_bits t) - (start1 start2: nat) (len: nat {start1 + len <= v n1 /\ start2 + len <= v n2}) - : Lemma (requires Seq.slice arr1 start1 (start1 + len) == Seq.slice arr2 start2 (start2 + len)) - (ensures bit_vec_equal - (bit_vec_sub (bit_vec_of_int_t_array arr1 d) (start1 * d) (len * d)) - (bit_vec_sub (bit_vec_of_int_t_array arr2 d) (start2 * d) (len * d))) - [SMTPat ((bit_vec_sub (bit_vec_of_int_t_array arr1 d) (start1 * d) (len * d)) == - (bit_vec_sub (bit_vec_of_int_t_array arr2 d) (start2 * d) (len * d)))] - = let len = sz len in - int_t_seq_slice_to_bv_sub_lemma arr1 start1 len d; - int_t_seq_slice_to_bv_sub_lemma arr2 start2 len d; - // bit_vec_equal_elim_principle (); - bit_vec_equal_intro_principle () -#pop-options - -let bit_vec_equal_extend #n1 #n2 - 
(bv1: bit_vec n1) (bv2: bit_vec n2) (start1 start2: nat) - (len1: nat) - (len2: nat { start1 + len1 + len2 <= n1 /\ start2 + len1 + len2 <= n2}) - : Lemma - (requires - bit_vec_sub bv1 start1 len1 == bit_vec_sub bv2 start2 len1 - /\ bit_vec_sub bv1 (start1 + len1) len2 == bit_vec_sub bv2 (start2 + len1) len2) - (ensures bit_vec_sub bv1 start1 (len1+len2) == bit_vec_sub bv2 start2 (len1+len2)) - // [SMTPat (bit_vec_sub bv1 start1 len1 == bit_vec_sub bv2 start2 len1); - // SMTPat () - // ] - // SMTPat (bit_vec_sub bv1 (start1 + len1) len2 == bit_vec_sub bv2 (start2 + len1) len2)] - = let left1 = bit_vec_sub bv1 start1 len1 in - let left2 = bit_vec_sub bv2 start2 len1 in - let right1 = bit_vec_sub bv1 (start1 + len1) len2 in - let right2 = bit_vec_sub bv2 (start2 + len1) len2 in - // () - // bit_vec_equal_elim left1 left2 ; - // bit_vec_equal_elim right1 right2; - let entire1 = bit_vec_sub bv1 start1 (len1 + len2) in - let entire2 = bit_vec_sub bv2 start2 (len1 + len2) in - assert (forall (i:nat). i < len1 ==> left1 i == left2 i); - assert (forall (i:nat). i < len2 ==> right1 i == right2 i); - introduce forall (i:nat). i < len1 + len2 ==> entire1 i == entire2 i - with introduce i < len1 + len2 ==> entire1 i == entire2 i - with _. 
if i < len1 then assert (left1 i == left2 i) - else assert (entire1 i == right1 (i - len1)); - bit_vec_equal_intro entire1 entire2 -#pop-options - -// let bit_vec_equal_trans (#n: nat) (bv1 bv2 bv3: bit_vec n) -// : Lemma (requires bv1 `bit_vec_equal` bv2 /\ bv2 `bit_vec_equal` bv3) -// (ensures bv1 `bit_vec_equal` bv3) -// = bit_vec_equal_elim_principle (); -// bit_vec_equal_intro_principle () - -(* -let int_arr_bitwise_eq_range - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement2 x}) n2) - (d2: num_bits t2) - (offset1 offset2: nat) - (bits: nat { - offset1 + bits <= v n1 * d1 - /\ offset2 + bits <= v n2 * d2 - }) - = bit_vec_equal #bits (fun i -> bit_vec_of_int_t_array arr1 d1 (i + offset1)) - = forall (k: nat). k < bits ==> - bit_vec_of_int_t_array arr1 d1 (offset1 + k) - == bit_vec_of_int_t_array arr2 d2 (offset2 + k) - -let int_arr_bitwise_eq_range_comm - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement2 x}) n2) - (d2: num_bits t2) - (offset1 offset2: nat) - (bits: nat { - offset1 + bits <= v n1 * d1 - /\ offset2 + bits <= v n2 * d2 - }) - : Lemma (requires int_arr_bitwise_eq_range arr1 d1 arr2 d2 offset1 offset2 bits) - (ensures int_arr_bitwise_eq_range arr2 d2 arr1 d1 offset2 offset1 bits) - = () - -// kill that function in favor of range -let int_arr_bitwise_eq_up_to - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) 
- (arr2: t_Array (x: int_t t2 {refinement x}) n2) - (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - (max: nat {max <= v n1 * d1}) - - = forall i. i < max - ==> bit_vec_of_int_t_array arr1 d1 i == bit_vec_of_int_t_array arr2 d2 i - -let int_arr_bitwise_eq_ - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement x}) n2) - (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - = int_arr_bitwise_eq_up_to arr1 d1 arr2 d2 (v n1 * d1) - -// move to fsti -let bit_vec_equal #n (bv1 bv2: bit_vec n) - = forall i. i < n ==> bv1 i == bv2 i - -let int_arr_bitwise_eq - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement x}) n2) - (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - = forall i. 
i < v n1 * d1 - ==> bit_vec_of_int_t_array arr1 d1 i == bit_vec_of_int_t_array arr2 d2 i - -let int_arr_bitwise_eq_range_transitivity - #t1 #t2 #t3 #n1 #n2 #n3 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement2 x}) n2) - (d2: num_bits t2) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement3: int_t t3 -> Type0) - (arr3: t_Array (x: int_t t3 {refinement3 x}) n3) - (d3: num_bits t3) - (offset1 offset2 offset3: nat) - (bits: nat { - offset1 + bits <= v n1 * d1 - /\ offset2 + bits <= v n2 * d2 - /\ offset3 + bits <= v n3 * d3 - }) - : Lemma - (requires int_arr_bitwise_eq_range #t1 #t2 #n1 #n2 arr1 d1 arr2 d2 offset1 offset2 bits - /\ int_arr_bitwise_eq_range #t2 #t3 #n2 #n3 arr2 d2 arr3 d3 offset2 offset3 bits) - (ensures int_arr_bitwise_eq_range #t1 #t3 #n1 #n3 arr1 d1 arr3 d3 offset1 offset3 bits) - = () - - -let int_arr_bitwise_eq_range_intro - #t1 #t2 #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) - (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) - (d1: num_bits t1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) - (arr2: t_Array (x: int_t t2 {refinement x}) n2) - (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) - : Lemma - (requires int_arr_bitwise_eq arr1 d1 arr2 d2) - (ensures int_arr_bitwise_eq_range arr1 d1 arr2 d2 0 0 (v n1 * d1)) - = admit () - -let int_arr_bitwise_eq_range_intro_eq_slice - #t #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t -> Type0) - (arr1: t_Array (x: int_t t {refinement x}) n1) - (arr2: t_Array (x: int_t t {refinement x}) n2) - (d: num_bits t) - (offset1 offset2: nat) - (n: nat {offset1 + n < v n1 /\ offset2 + n < v n2}) - (bits: nat { - offset1 + bits <= v n1 * d - /\ offset2 + bits <= v n2 * d - /\ bits <= n * d - }) - : Lemma (requires 
Seq.slice arr1 offset1 (offset1 + n) == Seq.slice arr2 offset2 (offset2 + n)) - (ensures int_arr_bitwise_eq_range arr1 d arr2 d offset1 offset2 bits) - = admit () - -let int_arr_bitwise_eq_range_intro_eq - #t #n1 #n2 - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t -> Type0) - (arr1: t_Array (x: int_t t {refinement1 x}) n1) - (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t -> Type0) - (arr2: t_Array (x: int_t t {refinement2 x}) n2) - (d: num_bits t) - (n_offset1 n_offset2: nat) - (n: nat {n_offset1 + n <= v n1 /\ n_offset2 + n <= v n2}) - // (offset1 offset2: nat) - (bits: nat { - n_offset1 * d + bits <= v n1 * d - /\ n_offset2 * d + bits <= v n2 * d - /\ bits <= n * d - }) - : Lemma (requires forall (i: nat). i < n ==> Seq.index arr1 (i + n_offset1) == Seq.index arr2 (i + n_offset2)) - (ensures int_arr_bitwise_eq_range arr1 d arr2 d (n_offset1 * d) (n_offset2 * d) bits) - = admit () -*) diff --git a/fstar-helpers/fstar-bitvec/MkSeq.fst b/fstar-helpers/fstar-bitvec/MkSeq.fst deleted file mode 100644 index 89c8e0216..000000000 --- a/fstar-helpers/fstar-bitvec/MkSeq.fst +++ /dev/null 
@@ -1,59 +0,0 @@ -module MkSeq -open Core - -open FStar.Tactics.V2 - -private let init (len: nat) (f: (i:nat{i < len}) -> Tac 'a): Tac (list 'a) - = let rec h (i: nat {i <= len}): Tac (list 'a) - = if i = len then [] else f i :: h (i + 1) - in h 0 - -private let tuple_proj (n: nat) (i: nat): Tac term - = if n = 1 then `(id) else - let name = "__proj__Mktuple" ^ string_of_int n ^ "__item___" ^ string_of_int (i + 1) in - Tv_FVar (pack_fv ["FStar";"Pervasives";"Native";name]) - -private let tuple_type (n: nat): Tac term - = if n = 1 then `(id) else - let name = "tuple" ^ string_of_int n in - Tv_FVar (pack_fv ["FStar";"Pervasives";"Native";name]) - -open Rust_primitives.Integers - -private let create_gen_tac (n: nat): Tac sigelt - = let typ_bd = {fresh_binder_named "t" (`Type0) with qual = FStar.Reflection.V2.Q_Implicit} in - let typ = binder_to_term typ_bd in - let input_typ = mk_e_app (tuple_type n) (init n (fun _ -> typ)) in - let input_bd = fresh_binder_named "tup" input_typ in - let output_type = `t_Array (`#typ) (sz (`@n)) in - let nth i = `((`#(tuple_proj n i)) (`#input_bd)) in - let mk_and: term -> term -> Tac term = fun t u -> `(`#t /\ `#u) in - let post = - let mk_inv s i = `(Seq.index (`#s) (`@i) == (`#(tuple_proj n i)) (`#input_bd)) in - let invs s = Tactics.fold_left mk_and (`(Seq.length (`#s) == (`@n))) (init n (mk_inv s)) in - let bd = fresh_binder_named "s" output_type in - mk_abs [bd] (invs bd) - in - let comp = C_Eff [] ["Prims"; "Pure"] - (`t_Array (`#typ) (sz (`@n))) - [ (`(requires True), Q_Explicit); (post, Q_Explicit)] [] - in - let args = [typ_bd; input_bd] in - let l = Tactics.fold_right (fun hd tl -> `((`#hd)::(`#tl))) (init n nth) (`[]) in - let indexes = - let f i = `((`#(nth i)) == List.Tot.index (`#l) (`@i)) in - Tactics.fold_left mk_and (`True) (init n f) - in - let lb_def = mk_abs args (`( - let l = `#l in - let s = Seq.createL l <: t_Array (`#typ) (sz (`@n)) in - FStar.Classical.forall_intro (Seq.lemma_index_is_nth s); - assert 
(`#indexes) by (Tactics.norm [primops; iota; delta; zeta]);
- s
- )) in
- let lb_typ = mk_arr args (pack_comp comp) in
- let open FStar.List.Tot in
- let lb_fv = pack_fv (cur_module () @ ["create" ^ string_of_int n]) in
- Sg_Let { isrec = false; lbs = [{ lb_fv; lb_us = []; lb_typ; lb_def }] }
-
-%splice[] (init 13 (fun i -> create_gen_tac (i + 1)))
diff --git a/fstar-helpers/fstar-bitvec/RwLemmas.fst b/fstar-helpers/fstar-bitvec/RwLemmas.fst
deleted file mode 100644
index 1fc1e00de..000000000
--- a/fstar-helpers/fstar-bitvec/RwLemmas.fst
+++ /dev/null
@@ -1,71 +0,0 @@ -module RwLemmas - -open Core -module L = FStar.List.Tot -open FStar.Tactics.V2 -open FStar.Tactics.V2.SyntaxHelpers -open FStar.Class.Printable -open FStar.Mul -open FStar.Option - -open Tactics.Utils -open Tactics.Pow2 - -open BitVecEq {} - -let norm_machine_int () = Tactics.MachineInts.(transform norm_machine_int_term) - -#push-options "--z3rlimit 40" -let deserialize_10_int (bytes: t_Array u8 (sz 10)) = - let r0:i16 = - (((cast (bytes.[ sz 1 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16) - in - let r2:i16 = - (((cast (bytes.[ sz 3 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16) - in - let r3:i16 = - ((cast (bytes.[ sz 4 ] <: u8) <: i16) <>! 6l <: i16) - in - let r4:i16 = - (((cast (bytes.[ sz 6 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16) - in - let r6:i16 = - (((cast (bytes.[ sz 8 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16) - in - let r7:i16 = - ((cast (bytes.[ sz 9 ] <: u8) <: i16) <>! 6l <: i16) - in - let result:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - r0, r1, r2, r3, r4, r5, r6, r7 <: (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - in - result -#pop-options - -let deserialize_10_int' (bytes: t_Array u8 (sz 10)): t_Array i16 (sz 8) - = MkSeq.create8 (deserialize_10_int bytes) - -#push-options "--compat_pre_core 0" -#push-options "--z3rlimit 80" -let fff_ (bytes: t_Array u8 (sz 10)) x: unit = - let bv1 = bit_vec_of_int_t_array bytes 8 in - let out = deserialize_10_int' bytes in - let bv2 = bit_vec_of_int_t_array out 10 in - assert (forall (i: nat { i < 80 }). bv1 i == bv2 i) by ( - Tactics.GetBit.prove_bit_vector_equality () - ) -#pop-options - diff --git a/fstar-helpers/fstar-bitvec/Tactics.Folds.fst b/fstar-helpers/fstar-bitvec/Tactics.Folds.fst deleted file mode 100644 index c5ead30b0..000000000 --- a/fstar-helpers/fstar-bitvec/Tactics.Folds.fst +++ /dev/null 
@@ -1,82 +0,0 @@ -module Tactics.Folds - -open Core -module L = FStar.List.Tot -module S = FStar.Seq.Base -open FStar.Tactics.V2 -open FStar.Tactics.V2.SyntaxHelpers -open FStar.Class.Printable -open FStar.Mul -open FStar.Option - -open Rust_primitives.Hax.Folds - -open Tactics.Utils - -// let unfold_fold_range -// (#acc_t: Type0) (#u: Lib.IntTypes.inttype) -// (start_: int_t u) -// (end_: int_t u) -// (inv: acc_t -> (i:int_t u{fold_range_wf_index start_ end_ false (v i)}) -> Type0) -// (init: acc_t {inv init start_}) -// (f: (acc:acc_t -> i:int_t u {v i <= v end_ /\ fold_range_wf_index start_ end_ true (v i) /\ inv acc i} -// -> acc':acc_t {(inv acc' (mk_int (v i + 1)))})) -// = if v start_ < v end_ -// then fold_range (start_ +! mk_int 1) end_ inv (f init start_) f -// else init - - -// #push-options "--z3rlimit 100" -// let unfold_fold_range -// (#acc_t: Type0) (#u: Lib.IntTypes.inttype) -// (start_: int_t u) -// (end_: int_t u) -// (inv: acc_t -> (i:int_t u{fold_range_wf_index start_ end_ false (v i)}) -> Type0) -// (init: acc_t {inv init start_}) -// (f: (acc:acc_t -> i:int_t u {v i <= v end_ /\ fold_range_wf_index start_ end_ true (v i) /\ inv acc i} -// -> acc':acc_t {(inv acc' (mk_int (v i + 1)))})) -// : Lemma ( fold_range start_ end_ inv init f -// == ( if v start_ < v end_ -// then -// fold_range (start_ +! mk_int 1) end_ inv (f init start_) f -// else init ) -// ) -// = admit () -// #pop-options - -// let expect_fold_range t -// = let?# (fr, [acc_t,_;u,_;start_,_;end_,_;inv,_;init,_;f,_]) = expect_app_n t 7 in -// let _ = expect_free_var fr (`%fold_range) in -// Some (acc_t, u, start_, end_, inv, init, f) - -// let make_fold_range_lemma (start_: nat) (end_: nat): Tac _ = -// let _ = tcut (quote (squash (forall acc_t u inv init f. 
-// fold_range #acc_t #u start_ end_ inv init f -// == fold_range #acc_t #u start_ end_ inv init f -// ))) in -// flip (); -// let acc_t = forall_intro () in -// let u = forall_intro () in -// let inv = forall_intro () in -// let init = forall_intro () in -// let f = forall_intro () in -// fail "xx"; -// let _ = rewrite_rhs () in -// flip (); -// focus (fun _ -> -// fail "xx"; -// apply_lemma_rw (`unfold_fold_range) -// ); -// () -// // rewrite_lhs -// // let aux start_ = - -// jlet _ = -// assert true by (make_fold_range_lemma 1 10) - -// in - - -// let tactic_fold_range t -// = let?# expect_fold_range _ = - diff --git a/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst b/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst deleted file mode 100644 index abec9b4fe..000000000 --- a/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst +++ /dev/null 
@@ -1,66 +0,0 @@ -/// Provides tactics around `get_bit _ _ == get_bit _ _` goals -module Tactics.GetBit - -open Core -module L = FStar.List.Tot -open FStar.Tactics.V2 -open FStar.Tactics.V2.SyntaxHelpers -open FStar.Class.Printable -open FStar.Mul -open FStar.Option - -open Tactics.Utils -open Tactics.Pow2 - -open BitVecEq -open Tactics.Seq - - -let norm_machine_int () = Tactics.MachineInts.(transform norm_machine_int_term) - -/// Does one round of computation -let compute_one_round (): Tac _ = - norm [ iota; zeta; reify_ - ; delta_namespace [ - "FStar" - ; "BitVecEq" - ; implode_qn (cur_module ()) - ; "MkSeq" - ; `%Rust_primitives.Hax.array_of_list - ; `%Libcrux_ml_kem.Vector.Portable.Vector_type.__proj__Mkt_PortableVector__item__f_elements - ] - ; primops; unmeta]; - trace "compute_one_round: norm_pow2" norm_pow2; - trace "compute_one_round: norm_machine_int" norm_machine_int; - trace "compute_one_round: norm_index" norm_index - -/// Normalizes up to `get_bit` -let compute': unit -> Tac unit = goal_fixpoint compute_one_round - -/// Proves a goal of the shape `forall (i:nat{i < N}). get_bit ... i == get_bit ... i` (`N` is expected to be a literal) -let prove_bit_vector_equality'' (): Tac unit = - norm [ - iota; - primops; - delta_only [`%bit_vec_of_int_t_array; `%FunctionalExtensionality.on]; - delta_namespace [ - implode_qn (cur_module ()); - "Libcrux_intrinsics.Avx2_extract"; - "BitVec.Intrinsics"; - "BitVecEq"; - ]; - ]; - compute_one_round (); - prove_forall_nat_pointwise (print_time "SMT solved the goal in " (fun _ -> - Tactics.Seq.norm_index_minimal (); - l_to_r [`bit_vec_to_int_t_lemma]; - print ("Ask SMT: " ^ term_to_string (cur_goal ())); - focus smt_sync - )) -let prove_bit_vector_equality' (): Tac unit = - if lax_on () - then iterAll tadmit - else prove_bit_vector_equality'' () -let prove_bit_vector_equality (): Tac unit = - set_rlimit 100; - with_compat_pre_core 0 prove_bit_vector_equality' 
diff --git a/fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst b/fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst
deleted file mode 100644
index 85bb0bb78..000000000
--- a/fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst
+++ /dev/null
@@ -1,273 +0,0 @@ -/// This module interprets machine integers terms that comes from -/// `FStar.[U]Int*` modules or from `Rust_primtiives.Integers` module. -/// It can then convert from and back those two representation, -/// normalize them, etc. -module Tactics.MachineInts - -open FStar.Tactics.V2 -open FStar.Tactics.V2.SyntaxHelpers -open FStar.Class.Printable -open FStar.Option - -open Tactics.Utils -module RI = Rust_primitives.Integers - -/// The size of a machine int -type size = - | PtrSize - | Size of n:nat {match n with | 8 | 16 | 32 | 64 | 128 -> true | _ -> false} -/// The signedness of a machine int -type signedness = | Signed | Unsigned - -/// The operations we recognize on machine ints -type machine_int_op = | MkInt | V - -/// The AST of a machine int expression -noeq type machine_int_term = - /// Operations `mk_int` (aka `FStar.[U]Int*.[u]int_to_t`) and `v` - | Op { /// Which operation is it? - op: machine_int_op - /// Is that a generic (Rust_primitives.Integers) operation or a native one (FStar.[U]Int*)? - ; native: bool - ; size: size - ; signedness: signedness - ; contents: machine_int_term } - /// A (math) integer literal - | Lit of int - /// An arbitrary term - | Term of term - -/// Expect `n` to be a definition in a machine int namespace -let expect_native_machine_int_ns (n: string): (option (signedness & size & string)) - = match explode_qn n with - | "FStar"::int_module::[def_name] -> - let? 
(sign, size) = match int_module with - | "Int8" -> Some (Signed, Size 8) - | "Int16" -> Some (Signed, Size 16) - | "Int32" -> Some (Signed, Size 32) - | "Int64" -> Some (Signed, Size 64) - | "Int128" -> Some (Signed, Size 128) - | "UInt8" -> Some (Unsigned, Size 8) - | "UInt16" -> Some (Unsigned, Size 16) - | "UInt32" -> Some (Unsigned, Size 32) - | "UInt64" -> Some (Unsigned, Size 64) - | "UInt18" -> Some (Unsigned, Size 128) - | _ -> None - in Some (sign, size, def_name) - | _ -> None - -/// Given a sign and a size, produces the correct namespace `FStar.[U]Int*` -let mk_native_machine_int_ns (sign: signedness) (size: size): option (list string) - = let sign = match sign with | Signed -> "" | Unsigned -> "U" in - let? size = match size with | PtrSize -> None | Size n -> Some (string_of_int n) in - Some ["FStar"; sign ^ "Int" ^ size] - -/// Interpret HACL*'s `inttype`s -let expect_inttype t: Tac (option (signedness & size)) - = let t = norm_term [iota; reify_; delta_namespace ["Rust_primitives.Integers"; "Lib.IntTypes"]; primops; unmeta] t in - let?# t = expect_fvar t in - match t with - | `%RI.i8_inttype | `%Lib.IntTypes.S8 -> Some ( Signed, Size 8) - | `%RI.i16_inttype | `%Lib.IntTypes.S16 -> Some ( Signed, Size 16) - | `%RI.i32_inttype | `%Lib.IntTypes.S32 -> Some ( Signed, Size 32) - | `%RI.i64_inttype | `%Lib.IntTypes.S64 -> Some ( Signed, Size 64) - | `%RI.i128_inttype | `%Lib.IntTypes.S128 -> Some ( Signed, Size 128) - | `%RI.u8_inttype | `%Lib.IntTypes.U8 -> Some (Unsigned, Size 8) - | `%RI.u16_inttype | `%Lib.IntTypes.U16 -> Some (Unsigned, Size 16) - | `%RI.u32_inttype | `%Lib.IntTypes.U32 -> Some (Unsigned, Size 32) - | `%RI.u64_inttype | `%Lib.IntTypes.U64 -> Some (Unsigned, Size 64) - | `%RI.u128_inttype | `%Lib.IntTypes.U128 -> Some (Unsigned, Size 128) - | `%RI.isize_inttype -> Some (Signed, PtrSize) - | `%RI.usize_inttype -> Some (Unsigned, PtrSize) - | _ -> None - -/// Given a signedness and a size, creates a name `[ui]*_inttype` -let 
mk_inttype_name (sign: signedness) (size: size): name = - let sign = match sign with | Signed -> "i" | Unsigned -> "u" in - let size = match size with | PtrSize -> "size" | Size n -> string_of_int n in - ["Rust_primitives"; "Integers"; sign ^ size ^ "_inttype"] - -/// Given a signedness and a size, creates a term `[ui]*_inttype` -let mk_inttype (sign: signedness) (size: size): Tac term = - pack (Tv_FVar (pack_fv (mk_inttype_name sign size))) - -/// Interprets a term as a machine int. This function always returns -/// something: when `t` is not a machine int expression we recognize, -/// it returns `Term t`. Below, `term_to_machine_int_term` returns an -/// option. -let rec term_to_machine_int_term' (t: term): Tac machine_int_term = - match term_to_machine_int_term'' t with | Some t -> t | None -> Term t -and term_to_machine_int_term'' (t: term): Tac (option machine_int_term) = - let t = norm_term [delta_only [(`%RI.sz); (`%RI.isz)]] t in - match t with - | Tv_Const (C_Int n) -> Some (Lit n) - | _ -> - let?# (hd, args) = collect_app_hd t in - match expect_native_machine_int_ns hd, args with - | (Some (signedness, size, def_name), [arg, _]) -> begin - let native = true in - let contents = term_to_machine_int_term' arg in - let?# op = match def_name with - | "__uint_to_t" | "__int_to_t" | "uint_to_t" | "int_to_t" -> Some MkInt - | "v" -> Some V | _ -> None in - Some (Op {op; native; size; signedness; contents}) - end - | (None, [inttype, _; contents, _]) -> begin - let?# (signedness, size) = expect_inttype inttype in - let contents = term_to_machine_int_term' contents in - let?# op = match hd with | `%RI.mk_int -> Some MkInt - | `%RI.v -> Some V - | _ -> None in - Some (Op {op; native = false; size; signedness; contents}) - end - | _ -> None - -/// Tries to interpret a term as a machine int -let term_to_machine_int_term (t: term): Tac (option (t: machine_int_term {~(Term? 
t)})) - = match term_to_machine_int_term' t with - | Term _ -> None | t -> Some t - -/// Transform a machine int AST into a term. Note that this doesn't -/// support native usize/isize (aka `FStar.SizeT`), whence the option. -let rec machine_int_term_to_term (t: machine_int_term): Tac (option term) = - match t with - | Term t -> Some t - | Op {native = false; op; size; signedness; contents} -> - let inttype = mk_inttype signedness size in - let?# contents = machine_int_term_to_term contents in - let op = match op with | V -> `RI.v - | MkInt -> `RI.mk_int in - Some (`((`#op) #(`#inttype) (`#contents))) - | Op {native = true; op; size; signedness; contents} -> - let?# ns = mk_native_machine_int_ns signedness size in - let f = FStar.List.Tot.append ns [ - match op with - | MkInt -> (match signedness with | Signed -> "" | Unsigned -> "u") ^ "int_to_t" - | V -> "v" - ] in - let f = pack (Tv_FVar (pack_fv f)) in - let?# contents = machine_int_term_to_term contents in - Some (mk_e_app f [contents]) - | Lit n -> Some (pack (Tv_Const (C_Int n))) - -/// An operation on a machine_int_term -type operation = machine_int_term -> option machine_int_term - -/// Removes `mk_int (v ...)` or `v (mk_int ...)` when it's the same type -let rec flatten_machine_int_term: operation = function - | Op x -> begin match x.contents with - | Op y -> if x.op <> y.op && x.size = y.size && x.signedness = y.signedness - then Some (match flatten_machine_int_term y.contents with - | Some result -> result - | None -> y.contents) - else let? 
y = flatten_machine_int_term (Op y) in - Some (Op {x with contents = y}) - | _ -> None - end - | _ -> None - -/// Makes a machine int native or not -let rec change_native_machine_int_term (native: bool): operation = function - | Op x -> let contents = change_native_machine_int_term native x.contents in - if x.native = native - then None - else Some (Op { x with native - ; contents = match contents with - | Some contents -> contents - | None -> x.contents}) - | _ -> None - -/// Combines two operation together -let combine: operation -> operation -> operation = - fun f g t -> match f t with - | Some t -> (match g t with | Some t -> Some t | None -> Some t) - | None -> g t - -/// We call `x` a normal machine integer if `x` has no `mk_int (v -/// ...)` or `v (mk_int ...)` sequence and if all `mk_int` and `v` are -/// native (aka `FStar.[U]Int*.*`, not -/// `Rust_primitives.Integer.*`). Note `usize` is an exception, -/// `mk_int` and `v` alone one usizes (and isizes) cannot be reduced -/// further. -let norm_machine_int_term = combine flatten_machine_int_term (change_native_machine_int_term true) - -/// We call `x` a normal generic machine integer if `x` has no -/// `FStar.[U]Int*.[u]int_to_t/v`, and no `mk_int (v ...)` or `v -/// (mk_int ...)`. 
-let norm_generic_machine_int_term = combine flatten_machine_int_term (change_native_machine_int_term false) - -/// Unfolds `mk_int` using `mk_int_equiv_lemma` -let norm_mk_int () = - let?# (lhs, _) = expect_lhs_eq_uvar () in - let lhs' = term_to_machine_int_term lhs in - match?# lhs' with - | Op {op = MkInt; native = false; size; signedness; contents} -> - let inttype = mk_inttype signedness size in - let lemma = `(RI.mk_int_equiv_lemma #(`#inttype)) in - let lemma = norm_term [primops; iota; delta; zeta] lemma in - focus (fun _ -> - apply_lemma_rw lemma - ); - Some () - | _ -> None - -/// Lemmas to deal with the special case of usize -let rw_v_mk_int_usize x - : Lemma (eq2 (RI.v #RI.usize_inttype (RI.mk_int #RI.usize_inttype x)) x) = () -let rw_mk_int_v_usize x - : Lemma (eq2 (RI.mk_int #RI.usize_inttype (RI.v #RI.usize_inttype x)) x) = () - -/// Rewrites `goal_lhs` into `machine_int`. This function expects the -/// goal to be of the shape ` == (?...)`, where `` -/// is a machine int. Do not call this function directly. -let _rewrite_to (goal_lhs: term) (eq_type: typ) (machine_int: machine_int_term): Tac (option unit) - = let?# t_term = machine_int_term_to_term machine_int in - Some (focus (fun _ -> - let rw = tcut (`squash (eq2 #(`#eq_type) (`#goal_lhs) (`#t_term))) in - // This tcut will generate simple verification conditions, we - // discharge them right away - // iterAllSMT (fun () -> smt_sync `or_else` (fun _ -> dump "norm_mk_int: Could not solve SMT here")); - flip (); - pointwise' (fun () -> match norm_mk_int () with - | Some _ -> () - | None -> // special case for usize - (fun () -> (fun () -> apply_lemma_rw (`rw_v_mk_int_usize)) - `or_else` (fun () -> apply_lemma_rw (`rw_mk_int_v_usize))) - `or_else` trefl - ); - compute (); - trefl (); - apply_lemma_rw rw - )) - -/// Rewrites a goal deeply, replacing every machine integer expression -/// `x` by `f x` (when it is `Some _`). 
-let transform (f: machine_int_term -> option machine_int_term): Tac unit - = pointwise' (fun _ -> - match revert_if_none (fun _ -> - let?# (lhs, eq_type) = expect_lhs_eq_uvar () in - let?# machine_int = term_to_machine_int_term lhs in - let?# machine_int' = f machine_int in - let?# _ = _rewrite_to lhs eq_type machine_int' in - Some () - ) - with - | None -> trefl () - | _ -> () - ) - -open Rust_primitives.Integers -let _ = fun x -> assert (v (mk_int #usize_inttype x) == x) - by (transform norm_machine_int_term; trefl ()) -let _ = assert (mk_int #u8_inttype 3 == 3uy) - by (transform norm_machine_int_term; trefl ()) -let _ = fun x -> assert (mk_int #u8_inttype x == FStar.UInt8.uint_to_t x) - by (transform norm_machine_int_term) -let _ = assert (v (mk_int #usize_inttype 3) == 3) - by (transform norm_machine_int_term; trefl ()) -let _ = fun x -> assert (v (mk_int #usize_inttype x) == x) - by (transform norm_machine_int_term; trefl ()) -let _ = assert (mk_int #u8_inttype 3 == 3uy) - by (transform norm_generic_machine_int_term; trefl ()) -let _ = fun x -> assert (mk_int #u8_inttype x == FStar.UInt8.uint_to_t x) - by (transform norm_generic_machine_int_term; trefl ()) diff --git a/fstar-helpers/fstar-bitvec/Tactics.Pow2.fst b/fstar-helpers/fstar-bitvec/Tactics.Pow2.fst deleted file mode 100644 index 9f6ee1f0f..000000000 --- a/fstar-helpers/fstar-bitvec/Tactics.Pow2.fst +++ /dev/null 
@@ -1,58 +0,0 @@
-/// Provides tools to normalize `pow2`
-module Tactics.Pow2
-
-open Core
-open Tactics.Utils
-open FStar.Tactics.V2
-
-/// Expects `t` to be of the shape `pow2 n`, with `n` a literal, returns n
-let expect_pow2_literal t: Tac (option int)
- = let?# (f, [x, _]) = expect_app_n t 1 in
- let?# () = expect_free_var f (`%pow2) in
- expect_int_literal x
-
-/// Expects `t` to be of the shape `pow2 n - 1`, with `n` a literal, returns n
-let expect_pow2_minus_one_literal t: Tac (option int)
- = let?# (f, [x, _; y, _]) = expect_app_n t 2 in
- let?# () = expect_free_var f (`%op_Subtraction) in
- let?# y = expect_int_literal y in
- let?? () = y = 1 in
- expect_pow2_literal x
-
-/// Fully normalize a term of the shape `pow2 n`, where `n` is a literal
-let norm_pow2 (): Tac unit =
- pointwise (fun () ->
- let _ = let?# (t, _) = expect_lhs_eq_uvar () in
- let?# n = expect_pow2_literal t in
- debug ("Normalized `pow2 " ^ string_of_int n ^ "`");
- Some (norm [iota; zeta_full; reify_; delta; primops; unmeta]) in
- trefl ())
-
-/// Inverse of `pow2`
-let rec log2 (n: nat): Tot (option (m: nat {pow2 m == n})) (decreases n)
- = if n = 0 then None
- else if n = 1 then Some 0
- else if n % 2 <> 0 then None
- else match log2 (n / 2) with
- | Some n -> Some (1 + n)
- | None -> None
-
-/// Rewrite integers in the goal into `pow2 _ - 1` whenever possible
-let rewrite_pow2_minus_one () =
- pointwise (fun () ->
- match let?# (t, _) = expect_lhs_eq_uvar () in
- let?# n = expect_int_literal t in
- if n >= 0 then
- match log2 (n + 1) with
- | Some e ->
- let rw_lemma (): Lemma (n == pow2 e - 1) = () in
- apply_lemma_rw (quote rw_lemma);
- Some ()
- | _ -> None
- else None
- with None -> trefl () | _ -> ()
- )
-
-// Test
-let _ = fun (i: nat) -> assert (pow2 (i + 3) + pow2 10 == pow2 (i + 3) + 1024)
- by (norm_pow2 (); trefl ())
diff --git a/fstar-helpers/fstar-bitvec/Tactics.Seq.fst b/fstar-helpers/fstar-bitvec/Tactics.Seq.fst
deleted file mode 100644
index 0a7015968..000000000
--- a/fstar-helpers/fstar-bitvec/Tactics.Seq.fst
+++ /dev/null
@@ -1,123 +0,0 @@
-module Tactics.Seq
-
-open Core
-module L = FStar.List.Tot
-module S = FStar.Seq
-open FStar.Tactics.V2
-open FStar.Tactics.V2.SyntaxHelpers
-open FStar.Class.Printable
-open FStar.Mul
-open FStar.Option
-
-open Tactics.Utils
-open Tactics.Pow2
-
-(*** Rewrite lemmas *)
-private let rw_seq_index_list #t (l: list t) i
- : Lemma (S.index (S.seq_of_list l) i == FStar.List.Tot.index l i)
- = ()
-private let rw_index_slice #typ (s: S.seq typ) i j n: Lemma (S.index (S.slice s i j) n == S.index s (normalize_term (i + n)))
- = ()
-private let rw_index_upd s n v i
- : Lemma (S.index (S.upd s n v) i == (if n = i then v else S.index s i))
- = ()
-
-/// A version of `L.index` to mark specific instances we want to normalize.
-let rec index_to_normalize #a (l: list a) (i:nat{i < L.length l}): Tot a
- = let hd::tl = l in
- if i = 0 then hd else index_to_normalize tl (i - 1)
-
-private let rec rw_index_to_index_to_normalize #a (l: list a) (i:nat{i < L.length l})
- : Lemma (L.index #a l i == index_to_normalize #a l i)
- = if i = 0 then () else rw_index_to_index_to_normalize (L.tl l) (i - 1)
-
-
-(*** Tactics that apply those lemmas only if needed *)
-let tactic_list_index ()
- = let?# (t, _) = expect_lhs_eq_uvar () in
- let?# (f, [typ, _; l, _; index, _]) = expect_app_n t 3 in
- let?# () = expect_free_var f (`%FStar.List.Tot.index) in
- let?# n = expect_int_literal index in
- apply_lemma_rw (`rw_index_to_index_to_normalize);
- Some ()
-
-/// Expects `t` to be of the shape `seq_of_list #_ _`
-let expect_seq_of_list (t: term): Tac (option (term & term))
- = let?# (f, [t,_; index,_]) = expect_app_n t 2 in
- let?# _ = expect_free_var f (`%S.seq_of_list) in
- Some (t, index)
-
-/// Expects `t` to be of the shape `index #_ _`
-let expect_seq_index (t: term): Tac (option (term & term & term))
- = let?# (f, [typ, _; l, _; index, _]) = expect_app_n t 3 in
- let?# () = expect_free_var f (`%S.index) in
- Some (typ, l, index)
-
-/// Expects `t` to be of the shape `slice #_ _`
-let expect_seq_slice (t: term): Tac (option (term & term & term & term))
- = let?# (f, [typ, _; s, _; i, _; j, _]) = expect_app_n t 4 in
- let?# () = expect_free_var f (`%S.slice) in
- Some (typ, s, i, j)
-
-/// Expects `t` to be of the shape `upd #_ _`
-let expect_seq_upd (t: term): Tac (option (term & term & term & term))
- = let?# (f, [typ, _; s, _; i, _; v, _]) = expect_app_n t 4 in
- let?# () = expect_free_var f (`%S.upd) in
- Some (typ, s, i, v)
-
-let tactic_seq_index_of_list ()
- = let?# (t, _) = expect_lhs_eq_uvar () in
- let?# (_, l, _) = expect_seq_index t in
- let?# _ = expect_seq_of_list l in
- apply_lemma_rw (`rw_seq_index_list);
- Some ()
-
-let tactic_rw_index_slice ()
- = let?# (t, _) = expect_lhs_eq_uvar () in
- let?# (typ, s, index) = expect_seq_index t in
- let?# (_, s, i, j) = expect_seq_slice s in
- apply_lemma_rw (`rw_index_slice #(`#typ) (`#s) (`#i) (`#j));
- Some ()
-
-let tactic_rw_index_upd ()
- = let?# (t, _) = expect_lhs_eq_uvar () in
- let?# (typ, s, index) = expect_seq_index t in
- let?# (_, s, i, v) = expect_seq_upd s in
- apply_lemma_rw (`rw_index_upd #(`#typ) (`#s) (`#i) (`#v));
- Some ()
-
-(*** Final tactics *)
-let norm_zeta_full_list_index (): Tac unit
- = norm [iota; primops; zeta_full; delta_only [`%index_to_normalize]]
-
-
-let norm_index_minimal (): Tac unit
- = pointwise ((unwrap ∘ tactic_list_index) ||> trefl);
- norm_zeta_full_list_index ()
-
-let norm_index' (): Tac unit
- = pointwise ( (unwrap ∘ tactic_seq_index_of_list)
- ||> (unwrap ∘ tactic_list_index)
- ||> (unwrap ∘ tactic_rw_index_slice)
- ||> (unwrap ∘ tactic_rw_index_upd)
- ||> trefl)
-
-let norm_index (): Tac unit
- = goal_fixpoint norm_index' ();
- norm_zeta_full_list_index ()
-
-
-(*** Tests *)
-let _ = assert (
- let s = S.seq_of_list [1;2;3;4;5;6] in
- let s = S.slice s 2 4 in
- S.index s 1 == 4
-) by (norm []; norm_index (); trefl ())
-
-let _ = assert (
- L.index [L.index [1;2;3;4;5;6] (L.index [1;2;3;4;3;3] 2)] 0 == 4
-) by (norm_index(); trefl ())
-let _ = assert (
- S.index (S.seq_of_list [1;2;3;(S.index (S.seq_of_list [1;2;3;(S.index (S.seq_of_list [1;2;3;4;1]) 3);1]) 3);1]) 3 == 4
-) by (norm_index(); trefl ())
-
diff --git a/fstar-helpers/fstar-bitvec/Tactics.Utils.fst b/fstar-helpers/fstar-bitvec/Tactics.Utils.fst
deleted file mode 100644
index 18030a682..000000000
--- a/fstar-helpers/fstar-bitvec/Tactics.Utils.fst
+++ /dev/null
@@ -1,328 +0,0 @@
-module Tactics.Utils
-
-open Core
-open FStar.Option
-module L = FStar.List.Tot
-open FStar.Tactics.V2
-open FStar.Tactics.V2.SyntaxHelpers
-open FStar.Class.Printable
-open FStar.Mul
-
-(*** Let operators *)
-let (let?#) (x: option 'a) (f: 'a -> Tac (option 'b)): Tac (option 'b)
- = match x with
- | Some x -> f x
- | None -> None
-
-let ( let?? ) (x: bool) (f: unit -> Tac (option 'a)): Tac (option 'a)
- = if x then f () else None
-
-(*** Debug helpers *)
-/// Dump before failing (in some cases, exception cathing messes with
-/// `fail`)
-let fail' msg = dump msg; fail msg
-
-exception Restore
-/// Dumps a goal with a minimal number of binders in the environment
-let dump' (msg: string): Tac unit
- = try set_smt_goals [];
- iterAll (fun _ -> let _ = repeat clear_top in ());
- dump msg;
- raise Restore
- with | _ -> ()
-
-(*** `option _` helpers *)
-/// Executes `f`, if it fails, execute `g`. Like `or_else`, but returns
-/// a chunk.
-let ( ||> ) (f: 'a -> Tac 'b) (g: 'a -> Tac 'b) (a: 'a): Tac 'b
- = try f a with | _ -> g a
-
-exception ExpectedSome
-/// Unwraps an option, throws `ExpectedSome` if the option is `None`
-let unwrap (x: option 'a): Tac 'a
- = match x with
- | Some x -> x
- | None -> raise ExpectedSome
-
-/// Expects an option to be `None`, otherwise throws an error
-let expect (msg: string) (x: option 'a): Tac 'a
- = match x with
- | None -> dump' ("Expected " ^ msg);
- fail ("Expected " ^ msg)
- | Some x -> x
-
-(*** misc. utils *)
-/// Reverse function composition (in Tac)
-unfold let (>>>) (f: 'a -> Tac 'b) (g: 'b -> Tac 'c) (x: 'a): Tac 'c
- = g (f x)
-/// Function composition (in Tac)
-unfold let (∘) (f: 'b -> Tac 'c) (g: 'a -> Tac 'b): 'a -> Tac 'c
- = g >>> f
-
-
-let trace (fun_name: string) (t: unit -> Tac 'b) =
- print (fun_name ^ ": enter");
- let result =
- try t ()
- with | e -> (print (fun_name ^ ": exit (with an exception!)"); raise e)
- in
- print (fun_name ^ ": exit");
- result
-
-(*** control utils *)
-/// Repeats a tactic `f` until the goal is stable
-let goal_fixpoint (f: unit -> Tac unit): unit -> Tac unit
- = let rec aux (): Tac _ =
- let goal0 = cur_goal () in
- f ();
- let goal1 = cur_goal () in
- if not (term_eq goal0 goal1) then aux ()
- in aux
-
-private exception DoRefl
-let some_or_refl (f: unit -> Tac (option unit))
- = or_else (fun _ -> match f () with | None -> raise DoRefl | _ -> ()) trefl
-
-/// Runs `f` on each subterms for rewrite. If `f` is `None` or raises
-/// an error, applies `trefl`.
-let pointwise_or_refl (f: unit -> Tac (option unit))
- = pointwise (fun _ -> some_or_refl f)
-
-let rec repeatWhile (f: unit -> Tac bool): Tac unit
- = if f () then repeatWhile f
-
-(*** `expect_*` combinators *)
-let expect_int_literal (t: term): Tac (option int) =
- match inspect_unascribe t with
- | Tv_Const (C_Int n) -> Some n
- | _ -> None
-
-let expect_fvar (t: term): Tac (option string) =
- match t with
- | Tv_UInst fv _
- | Tv_FVar fv -> Some (implode_qn (inspect_fv fv))
- | _ -> None
-
-let expect_free_var (t: term) (fv: string): Tac (option unit) =
- let?# fv' = expect_fvar t in
- if fv = fv' then Some () else None
-
-let expect_lhs_eq_rhs_term t =
- match term_as_formula t with
- | Comp (Eq typ) lhs rhs ->
- let typ = match typ with | None -> `_ | Some typ -> typ in
- Some (lhs, rhs, typ)
- | _ -> None
-
-let expect_lhs_eq_rhs () =
- expect_lhs_eq_rhs_term (cur_goal ())
-
-let expect_lhs_eq_uvar () =
- match expect_lhs_eq_rhs () with
- | Some (lhs, rhs, typ) ->
- ( match rhs with | Tv_Uvar _ _ -> Some (lhs, typ) | _ -> None )
- | _ -> None
-
-let expect_app_n t n: Tac (option (term & (l: list _ {L.length l == n}))) =
- let (head, args) = collect_app t in
- if L.length args = n
- then Some (head, args)
- else None
-
-let expect_forall t: Tac _ =
- match term_as_formula t with
- | Forall bv typ phi -> Some (bv, typ, phi)
- | _ -> None
-
-(*** Rewrite utils *)
-private exception ForceRevert
-let revert_if_none (f: unit -> Tac (option 'a)): Tac (option 'a)
- = try match f () with Some x -> Some x
- | None -> raise ForceRevert
- with | ForceRevert -> None | e -> raise e
-
-/// Collects an application whose head is a free variable
-let collect_app_hd t: Tac (option (string & list argv))
- = let (hd, args) = collect_app t in
- let?# fv = expect_fvar hd in
- Some (fv, args)
-
-let statement_of_lemma (lemma: term) =
- let _, comp = collect_arr (tc (cur_env ()) lemma) in
- match inspect_comp comp with
- | C_Total x
- | C_Lemma _ x _ -> (
- match x with
- | Tv_Abs _ x -> `(squash (`#x))
- | _ -> `(squash (`#x))
- )
- | _ -> fail "statement_of_lemma: supports only Tot and Lemma"
-
-let weaken_eq2_lemma (u: Type) (t: Type {subtype_of t u}) (p q: t) ()
- : Lemma (requires ( == ) #u p q)
- (ensures ( == ) #t p q)
- = ()
-
-/// `apply_lemma_rw` doesn't work if the goal is `(==) #t ... (?u ...)` while the lemma is `(==) #u .. (?u ....)`. `apply_lemma_rw_eqtype` fixes some of those case, and warns about it.
-let apply_lemma_rw_eqtype (lemma: term): Tac unit
- = try
- apply_lemma_rw lemma
- with
- | e -> match
- let stmt = statement_of_lemma lemma in
- let?# (lemma_lhs, lemma_rhs, type_lemma') = expect_lhs_eq_rhs_term stmt in
- let?# (goal_lhs, goal_rhs, type_goal') = expect_lhs_eq_rhs () in
- let type_lemma = norm_term [delta; iota; primops] type_lemma' in
- let type_goal = norm_term [delta; iota; primops] type_goal' in
- if term_eq type_lemma type_goal
- then None
- else
- ( print "######## Warning: apply_lemma_rw, rewrite equalities with different type";
- print ("######## Your lemma has eq over type " ^ term_to_string type_lemma);
- print ("######## Your goal has eq over type " ^ term_to_string type_goal);
- print ("######## Trying to weaken the type of the goal.");
- apply_lemma (
- `weaken_eq2_lemma
- (`#type_lemma') (`#type_goal')
- (`#goal_lhs) (`#goal_rhs)
- );
- apply_lemma_rw lemma;
- Some ()
- )
- with | None -> raise e
- | Some () -> ()
-
-/// Rewrites LHS of an equality: on goal `squash (x == y)`, it will add `squash (x == (?u ...))`.
-let rewrite_lhs (): Tac _ =
- let (lhs, _, _) = expect_lhs_eq_rhs () |> expect "a goal ` == ` (rewrite_lhs)" in
- let uvar = fresh_uvar (Some (tc (cur_env ()) lhs)) in
- tcut (`squash (`#lhs == `#uvar))
-
-/// Rewrites RHS of an equality: on goal `squash (x == y)`, it will add `squash (y == (?u ...))`.
-let rewrite_rhs (): Tac _ =
- let (_, rhs, _) = expect_lhs_eq_rhs () |> expect "a goal ` == ` (rewrite_rhs)" in
- let uvar = fresh_uvar (Some (tc (cur_env ()) rhs)) in
- tcut (`squash (`#rhs == `#uvar))
-
-open FStar.Tactics
-(*** Unification *)
-(** Unifies `t` with `fn x1 ... xN`, where `x1` and `xN` are
-unification variables. This returns a list of terms to substitute `x1`
-... `xN` with. You probably want `norm_steps` to be `[delta_only
-[`%the_name_of_function_fn]]` *)
-exception UnifyAppReturn of (option (list term))
-let unify_app (t fn: term) norm_steps: Tac (option (list term))
- = let (* Tactic types are confusing, seems like we need V1 here *)
- open FStar.Tactics.V1 in
- let bds = fst (collect_arr_bs (tc (cur_env ()) fn)) in
- try
- let _fake_goal =
- (* create a goal `b1 -> ... -> bn -> squash True` *)
- let trivial = `squash True in
- let trivial_comp = pack_comp (C_Total trivial) in
- unshelve (fresh_uvar (Some (match bds with | [] -> trivial | _ -> mk_arr bds trivial_comp)))
- in
- (* get back the binders `b1`, ..., `bn` *)
- let bds = intros () in
- let args = FStar.Tactics.Util.map (fun (b: binder) -> b <: term) bds in
- let norm_term = norm_term (hnf::norm_steps) in
- let fn, t = norm_term (mk_e_app fn args), norm_term t in
- let fn = `(((`#fn), ())) in
- let dummy_var = fresh_namedv_named "dummy_var" in
- let t = `(((`#t), (`#dummy_var))) in
- let vars = map (fun b ->
- let b = inspect_binder b in
- let {bv_index = uniq; bv_ppname = ppname} = inspect_bv b.binder_bv in
- let sort = b.binder_sort in
- let nv: namedv_view = {uniq; ppname; sort = seal sort} in
- (FStar.Reflection.V2.pack_namedv nv, sort)
- ) bds in
- let vars =
- List.Tot.append
- vars
- [(FStar.Reflection.V2.pack_namedv dummy_var, `())]
- in
- let?# substs = fst (try_unify (cur_env ()) vars fn t) in
- raise (UnifyAppReturn (
- if List.Tot.length substs <> List.Tot.length bds + 1
- then (print ("unify_app: WARNING: inconsistent lengths: " ^ string_of_int (List.Tot.length substs) ^ " - 1 VS " ^ string_of_int (List.Tot.length bds + 1)); None)
- else (
- match substs with
- | [] -> None
- | _::substs -> Some (List.Tot.rev (map (fun (_, t) -> t) substs))
- )))
- with | UnifyAppReturn result -> result
- | e -> raise e
-
-(*** Logging and time *)
-let time_tactic_ms (t: 'a -> Tac 'b) (x: 'a): Tac ('b & int)
- = let time0 = curms () in
- let result = t x in
- let time1 = curms () in
- (result, time1 - time0)
-
-let print_time prefix (t: 'a -> Tac 'b) (x: 'a): Tac 'b
- = let (result, time) = time_tactic_ms t x in
- print (prefix ^ string_of_int (time / 1000) ^ "." ^ string_of_int ((time/100)%10) ^ "s");
- result
-
-(*** Unroll forall goals *)
-let _split_forall_nat
- (upper_bound: pos)
- ($p: (i:nat{i < upper_bound}) -> Type0)
- : Lemma (requires (if upper_bound = 0 then True
- else p (upper_bound - 1) /\ (forall (i:nat{i < upper_bound - 1}). p i)))
- (ensures forall (i:nat{i < upper_bound}). p i)
- = ()
-
-
-let focus_first_forall_goal (t : unit -> Tac unit) : Tac unit =
- let goals = goals () in
- let found_goal = alloc false in
- iterAll (fun _ ->
- (match expect_forall (cur_goal ()) with
- | Some _ ->
- if read found_goal
- then ()
- else begin
- write found_goal true;
- t ();
- ()
- end
- | _ ->
- ())
- );
- if not (read found_goal) then t ()
-
-/// Proves `forall (i:nat{i < bound})` for `bound` being a concrete int
-let rec prove_forall_nat_pointwise (tactic: unit -> Tac unit): Tac unit
- = focus_first_forall_goal (fun _ ->
- let _ =
- (* hacky way of printing the progress *)
- let goal = term_to_string (cur_goal ()) in
- let goal = match String.split ['\n'] goal with
- | s::_ -> s | _ -> "" in
- print ("prove_forall_pointwise: " ^ goal ^ "...")
- in
- apply_lemma (`_split_forall_nat);
- trivial `or_else` (fun _ ->
- if try norm [primops];
- split ();
- true
- with | e -> false
- then (
- tactic ();
- prove_forall_nat_pointwise tactic
- )
- )
- )
-
-#push-options "--compat_pre_core 2"
-private let _example (phi: int -> Type0) (proof: (i:int -> Lemma (phi i))) =
- assert (forall (i: nat {i < 40}). phi i)
- by (
- prove_forall_nat_pointwise (fun _ ->
- apply_lemma (quote proof)
- )
- )
-#pop-options
diff --git a/fstar-helpers/fstar-bitvec/dep.graph b/fstar-helpers/fstar-bitvec/dep.graph
deleted file mode 100644
index 58c54a479..000000000
--- a/fstar-helpers/fstar-bitvec/dep.graph
+++ /dev/null
@@ -1,2316 +0,0 @@ -digraph { - "fstar_int32" -> "fstar_uint" - "fstar_int32" -> "fstar_uint" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "prims" - "fstar_int32" -> "prims" - "fstar_pervasives" -> "fstar_pervasives_native" - "fstar_pervasives" -> "fstar_pervasives_native" - "fstar_pervasives" -> "prims" - "fstar_pervasives" -> "prims" - "fstar_seq" -> "fstar_seq_properties" - "fstar_seq" -> "fstar_seq_properties" - "fstar_seq" -> "fstar_seq_base" - "fstar_seq" -> "fstar_seq_base" - "fstar_seq" -> "fstar_pervasives" - "fstar_seq" -> "fstar_pervasives" - "fstar_seq" -> "prims" - "fstar_seq" -> "prims" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_uint32" - "fstar_int32" -> "fstar_math_lemmas" - "fstar_int32" -> "fstar_math_lemmas" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_mul" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_int" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "fstar_pervasives" - "fstar_int32" -> "prims" - "fstar_int32" -> "prims" - "fstar_int32" -> "fstar_int32" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_v1_builtins" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_types" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" - "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" - 
"fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" - "fstar_tactics_v1_syntaxhelpers" -> "prims" - "fstar_tactics_v1_syntaxhelpers" -> "prims" - "core_option" -> "fstar_pervasives" - "core_option" -> "fstar_pervasives" - "core_option" -> "prims" - "core_option" -> "prims" - "fstar_seq_properties" -> "fstar_list_tot_properties" - "fstar_seq_properties" -> "fstar_list_tot_properties" - "fstar_seq_properties" -> "fstar_list_tot_base" - "fstar_seq_properties" -> "fstar_list_tot_base" - "fstar_seq_properties" -> "fstar_list_tot" - "fstar_seq_properties" -> "fstar_list_tot" - "fstar_seq_properties" -> "fstar_pervasives_native" - "fstar_seq_properties" -> "fstar_pervasives_native" - "fstar_seq_properties" -> "fstar_seq_base" - "fstar_seq_properties" -> "fstar_seq_base" - "fstar_seq_properties" -> "fstar_pervasives" - "fstar_seq_properties" -> "fstar_pervasives" - "fstar_seq_properties" -> "prims" - "fstar_seq_properties" -> "prims" - "fstar_squash" -> "fstar_pervasives" - "fstar_squash" -> "fstar_pervasives" - "fstar_squash" -> "prims" - "fstar_squash" -> "prims" - "fstar_squash" -> "fstar_squash" - "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_unseal" - "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_tactics_types" - "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" - "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" - "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" - "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" - "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_data" - "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_types" - "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_builtins" - "fstar_stubs_tactics_v1_builtins" -> "fstar_vconfig" - "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" - "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" - "fstar_stubs_tactics_v1_builtins" -> "prims" - "fstar_stubs_tactics_v1_builtins" -> "prims" - "fstar_tactics_print" 
-> "fstar_tactics_namedview" - "fstar_tactics_print" -> "fstar_tactics_namedview" - "fstar_tactics_print" -> "fstar_tactics_v2_derived" - "fstar_tactics_print" -> "fstar_tactics_v2_derived" - "fstar_tactics_print" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_print" -> "fstar_tactics_effect" - "fstar_tactics_print" -> "fstar_tactics_effect" - "fstar_tactics_print" -> "fstar_reflection_v2" - "fstar_tactics_print" -> "fstar_reflection_v2" - "fstar_tactics_print" -> "fstar_pervasives" - "fstar_tactics_print" -> "fstar_pervasives" - "fstar_tactics_print" -> "prims" - "fstar_tactics_print" -> "prims" - "lib_inttypes" -> "fstar_uint" - "lib_inttypes" -> "fstar_uint" - "lib_inttypes" -> "fstar_int" - "lib_inttypes" -> "fstar_int" - "lib_inttypes" -> "fstar_int128" - "lib_inttypes" -> "fstar_int128" - "lib_inttypes" -> "fstar_int64" - "lib_inttypes" -> "fstar_int64" - "lib_inttypes" -> "fstar_int32" - "lib_inttypes" -> "fstar_int32" - "lib_inttypes" -> "fstar_int16" - "lib_inttypes" -> "fstar_int16" - "lib_inttypes" -> "fstar_int8" - "lib_inttypes" -> "fstar_int8" - "lib_inttypes" -> "fstar_uint128" - "lib_inttypes" -> "fstar_uint128" - "lib_inttypes" -> "fstar_uint64" - "lib_inttypes" -> "fstar_uint64" - "lib_inttypes" -> "fstar_uint32" - "lib_inttypes" -> "fstar_uint32" - "lib_inttypes" -> "fstar_uint16" - "lib_inttypes" -> "fstar_uint16" - "lib_inttypes" -> "fstar_uint8" - "lib_inttypes" -> "fstar_uint8" - "lib_inttypes" -> "fstar_mul" - "lib_inttypes" -> "fstar_mul" - "lib_inttypes" -> "fstar_pervasives" - "lib_inttypes" -> "fstar_pervasives" - "lib_inttypes" -> "prims" - "lib_inttypes" -> "prims" - "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" - "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" - "fstar_reflection_v1_compare" -> "fstar_pervasives" - "fstar_reflection_v1_compare" -> "fstar_pervasives" - "fstar_reflection_v1_compare" -> "prims" - "fstar_reflection_v1_compare" -> "prims" - "fstar_classical" -> "fstar_squash" - 
"fstar_classical" -> "fstar_squash" - "fstar_classical" -> "fstar_pervasives" - "fstar_classical" -> "fstar_pervasives" - "fstar_classical" -> "prims" - "fstar_classical" -> "prims" - "fstar_classical" -> "fstar_classical" - "fstar_seq_base" -> "fstar_list_tot" - "fstar_seq_base" -> "fstar_list_tot" - "fstar_seq_base" -> "fstar_pervasives" - "fstar_seq_base" -> "fstar_pervasives" - "fstar_seq_base" -> "prims" - "fstar_seq_base" -> "prims" - "fstar_seq_properties" -> "fstar_list_tot_properties" - "fstar_seq_properties" -> "fstar_list_tot_properties" - "fstar_seq_properties" -> "fstar_list_tot_base" - "fstar_seq_properties" -> "fstar_list_tot_base" - "fstar_seq_properties" -> "fstar_squash" - "fstar_seq_properties" -> "fstar_squash" - "fstar_seq_properties" -> "fstar_list_tot" - "fstar_seq_properties" -> "fstar_list_tot" - "fstar_seq_properties" -> "fstar_pervasives_native" - "fstar_seq_properties" -> "fstar_pervasives_native" - "fstar_seq_properties" -> "fstar_classical" - "fstar_seq_properties" -> "fstar_classical" - "fstar_seq_properties" -> "fstar_seq_base" - "fstar_seq_properties" -> "fstar_seq_base" - "fstar_seq_properties" -> "fstar_pervasives" - "fstar_seq_properties" -> "fstar_pervasives" - "fstar_seq_properties" -> "prims" - "fstar_seq_properties" -> "prims" - "fstar_seq_properties" -> "fstar_seq_properties" - "fstar_calc" -> "fstar_classical" - "fstar_calc" -> "fstar_classical" - "fstar_calc" -> "fstar_preorder" - "fstar_calc" -> "fstar_preorder" - "fstar_calc" -> "fstar_squash" - "fstar_calc" -> "fstar_squash" - "fstar_calc" -> "fstar_pervasives" - "fstar_calc" -> "fstar_pervasives" - "fstar_calc" -> "prims" - "fstar_calc" -> "prims" - "fstar_calc" -> "fstar_calc" - "fstar_reflection_termeq" -> "fstar_list_tot" - "fstar_reflection_termeq" -> "fstar_list_tot" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" - 
"fstar_reflection_termeq" -> "fstar_pervasives" - "fstar_reflection_termeq" -> "fstar_pervasives" - "fstar_reflection_termeq" -> "prims" - "fstar_reflection_termeq" -> "prims" - "tactics_pow2" -> "fstar_tactics_effect" - "tactics_pow2" -> "fstar_tactics_effect" - "tactics_pow2" -> "fstar_tactics_v2" - "tactics_pow2" -> "fstar_tactics_v2" - "tactics_pow2" -> "tactics_utils" - "tactics_pow2" -> "tactics_utils" - "tactics_pow2" -> "core" - "tactics_pow2" -> "core" - "tactics_pow2" -> "fstar_pervasives" - "tactics_pow2" -> "fstar_pervasives" - "tactics_pow2" -> "prims" - "tactics_pow2" -> "prims" - "fstar_classical" -> "fstar_pervasives" - "fstar_classical" -> "fstar_pervasives" - "fstar_classical" -> "prims" - "fstar_classical" -> "prims" - "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_v2_data" - "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_types" - "fstar_stubs_reflection_v2_builtins" -> "fstar_vconfig" - "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_syntax_syntax" - "fstar_stubs_reflection_v2_builtins" -> "fstar_order" - "fstar_stubs_reflection_v2_builtins" -> "fstar_order" - "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" - "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" - "fstar_stubs_reflection_v2_builtins" -> "prims" - "fstar_stubs_reflection_v2_builtins" -> "prims" - "rust_primitives_bitvectors" -> "fstar_math_lemmas" - "rust_primitives_bitvectors" -> "fstar_math_lemmas" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "prims" - "rust_primitives_bitvectors" -> "prims" - 
"rust_primitives_bitvectors" -> "rust_primitives_bitvectors" - "fstar_option" -> "fstar_pervasives_native" - "fstar_option" -> "fstar_pervasives_native" - "fstar_option" -> "fstar_all" - "fstar_option" -> "fstar_all" - "fstar_option" -> "fstar_pervasives" - "fstar_option" -> "fstar_pervasives" - "fstar_option" -> "prims" - "fstar_option" -> "prims" - "fstar_propositionalextensionality" -> "fstar_pervasives" - "fstar_propositionalextensionality" -> "fstar_pervasives" - "fstar_propositionalextensionality" -> "prims" - "fstar_propositionalextensionality" -> "prims" - "fstar_erasedlogic" -> "fstar_ghost" - "fstar_erasedlogic" -> "fstar_ghost" - "fstar_erasedlogic" -> "fstar_pervasives" - "fstar_erasedlogic" -> "fstar_pervasives" - "fstar_erasedlogic" -> "prims" - "fstar_erasedlogic" -> "prims" - "bitveceq" -> "fstar_functionalextensionality" - "bitveceq" -> "fstar_functionalextensionality" - "bitveceq" -> "fstar_mul" - "bitveceq" -> "fstar_mul" - "bitveceq" -> "core" - "bitveceq" -> "core" - "bitveceq" -> "fstar_pervasives" - "bitveceq" -> "fstar_pervasives" - "bitveceq" -> "prims" - "bitveceq" -> "prims" - "bitveceq" -> "bitveceq" - "fstar_issue" -> "fstar_stubs_pprint" - "fstar_issue" -> "fstar_range" - "fstar_issue" -> "fstar_pervasives" - "fstar_issue" -> "fstar_pervasives" - "fstar_issue" -> "prims" - "fstar_issue" -> "prims" - "fstar_mul" -> "fstar_pervasives" - "fstar_mul" -> "fstar_pervasives" - "fstar_mul" -> "prims" - "fstar_mul" -> "prims" - "tactics_utils" -> "fstar_tactics_effect" - "tactics_utils" -> "fstar_tactics_effect" - "tactics_utils" -> "fstar_char" - "tactics_utils" -> "fstar_string" - "tactics_utils" -> "fstar_reflection_v2" - "tactics_utils" -> "fstar_reflection_v2" - "tactics_utils" -> "fstar_tactics_util" - "tactics_utils" -> "fstar_tactics_util" - "tactics_utils" -> "fstar_tactics_v1" - "tactics_utils" -> "fstar_tactics_v1" - "tactics_utils" -> "fstar_tactics" - "tactics_utils" -> "fstar_tactics" - "tactics_utils" -> "fstar_pervasives_native" 
- "tactics_utils" -> "fstar_pervasives_native" - "tactics_utils" -> "fstar_mul" - "tactics_utils" -> "fstar_mul" - "tactics_utils" -> "fstar_class_printable" - "tactics_utils" -> "fstar_class_printable" - "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_utils" -> "fstar_tactics_v2" - "tactics_utils" -> "fstar_tactics_v2" - "tactics_utils" -> "fstar_list_tot" - "tactics_utils" -> "fstar_list_tot" - "tactics_utils" -> "fstar_option" - "tactics_utils" -> "fstar_option" - "tactics_utils" -> "core" - "tactics_utils" -> "core" - "tactics_utils" -> "fstar_pervasives" - "tactics_utils" -> "fstar_pervasives" - "tactics_utils" -> "prims" - "tactics_utils" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "bitvec_intrinsics" - "libcrux_intrinsics_avx2_extract" -> "fstar_mul" - "libcrux_intrinsics_avx2_extract" -> "fstar_mul" - "libcrux_intrinsics_avx2_extract" -> "core" - "libcrux_intrinsics_avx2_extract" -> "core" - "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" - "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" - "libcrux_intrinsics_avx2_extract" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "prims" - "fstar_stubs_tactics_types" -> "fstar_issue" - "fstar_stubs_tactics_types" -> "fstar_range" - "fstar_stubs_tactics_types" -> "fstar_stubs_typechecker_core" - "fstar_stubs_tactics_types" -> "fstar_stubs_tactics_common" - "fstar_stubs_tactics_types" -> "fstar_stubs_reflection_types" - "fstar_stubs_tactics_types" -> "fstar_pervasives" - "fstar_stubs_tactics_types" -> "fstar_pervasives" - "fstar_stubs_tactics_types" -> "prims" - "fstar_stubs_tactics_types" -> "prims" - "fstar_exn" -> "fstar_pervasives" - "fstar_exn" -> "fstar_pervasives" - "fstar_exn" -> "prims" - "fstar_exn" -> "prims" - "core_iter" -> "rust_primitives_arrays" - "core_iter" -> "rust_primitives_arrays" - "core_iter" -> "core_ops_range" - "core_iter" -> "core_iter_adapters_step_by" - "core_iter" -> "core_iter_adapters_step_by" - 
"core_iter" -> "fstar_pervasives_native" - "core_iter" -> "fstar_pervasives_native" - "core_iter" -> "core_ops" - "core_iter" -> "core_ops" - "core_iter" -> "fstar_tactics_typeclasses" - "core_iter" -> "fstar_tactics_typeclasses" - "core_iter" -> "core_iter_adapters_enumerate" - "core_iter" -> "core_iter_adapters_enumerate" - "core_iter" -> "core_iter_traits_iterator" - "core_iter" -> "core_iter_traits_iterator" - "core_iter" -> "rust_primitives" - "core_iter" -> "rust_primitives" - "core_iter" -> "fstar_pervasives" - "core_iter" -> "fstar_pervasives" - "core_iter" -> "prims" - "core_iter" -> "prims" - "fstar_functionalextensionality" -> "fstar_pervasives_native" - "fstar_functionalextensionality" -> "fstar_pervasives_native" - "fstar_functionalextensionality" -> "fstar_tactics_effect" - "fstar_functionalextensionality" -> "fstar_tactics_effect" - "fstar_functionalextensionality" -> "fstar_stubs_tactics_types" - "fstar_functionalextensionality" -> "fstar_stubs_reflection_types" - "fstar_functionalextensionality" -> "fstar_stubs_tactics_v2_builtins" - "fstar_functionalextensionality" -> "fstar_pervasives" - "fstar_functionalextensionality" -> "fstar_pervasives" - "fstar_functionalextensionality" -> "prims" - "fstar_functionalextensionality" -> "prims" - "fstar_functionalextensionality" -> "fstar_functionalextensionality" - "core_iter_adapters_step_by" -> "rust_primitives" - "core_iter_adapters_step_by" -> "rust_primitives" - "core_iter_adapters_step_by" -> "fstar_pervasives" - "core_iter_adapters_step_by" -> "fstar_pervasives" - "core_iter_adapters_step_by" -> "prims" - "core_iter_adapters_step_by" -> "prims" - "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" - "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" - "fstar_tactics_v1_derived" -> "fstar_squash" - "fstar_tactics_v1_derived" -> "fstar_squash" - "fstar_tactics_v1_derived" -> "fstar_range" - "fstar_tactics_v1_derived" -> "fstar_pervasives_native" - "fstar_tactics_v1_derived" 
-> "fstar_pervasives_native" - "fstar_tactics_v1_derived" -> "fstar_tactics_visit" - "fstar_tactics_v1_derived" -> "fstar_tactics_visit" - "fstar_tactics_v1_derived" -> "fstar_list_tot_base" - "fstar_tactics_v1_derived" -> "fstar_list_tot_base" - "fstar_tactics_v1_derived" -> "fstar_vconfig" - "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" - "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" - "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_v1_builtins" - "fstar_tactics_v1_derived" -> "fstar_tactics_util" - "fstar_tactics_v1_derived" -> "fstar_tactics_util" - "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_result" - "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_types" - "fstar_tactics_v1_derived" -> "fstar_tactics_effect" - "fstar_tactics_v1_derived" -> "fstar_tactics_effect" - "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1_derived" -> "fstar_reflection_v1" - "fstar_tactics_v1_derived" -> "fstar_reflection_v1" - "fstar_tactics_v1_derived" -> "fstar_pervasives" - "fstar_tactics_v1_derived" -> "fstar_pervasives" - "fstar_tactics_v1_derived" -> "prims" - "fstar_tactics_v1_derived" -> "prims" - "fstar_tactics_visit" -> "fstar_pervasives_native" - "fstar_tactics_visit" -> "fstar_pervasives_native" - "fstar_tactics_visit" -> "fstar_tactics_util" - "fstar_tactics_visit" -> "fstar_tactics_util" - "fstar_tactics_visit" -> "fstar_tactics_effect" - "fstar_tactics_visit" -> "fstar_tactics_effect" - "fstar_tactics_visit" -> "fstar_reflection_v2" - "fstar_tactics_visit" -> "fstar_reflection_v2" - "fstar_tactics_visit" -> "fstar_pervasives" - "fstar_tactics_visit" -> "fstar_pervasives" - "fstar_tactics_visit" -> "prims" - "fstar_tactics_visit" -> "prims" - "rust_primitives_bitvectors" -> "fstar_uint8" - "rust_primitives_bitvectors" -> "fstar_uint8" - "rust_primitives_bitvectors" -> "fstar_uint16" - "rust_primitives_bitvectors" -> "fstar_uint16" - 
"rust_primitives_bitvectors" -> "fstar_uint32" - "rust_primitives_bitvectors" -> "fstar_uint32" - "rust_primitives_bitvectors" -> "fstar_int16" - "rust_primitives_bitvectors" -> "fstar_int16" - "rust_primitives_bitvectors" -> "fstar_int32" - "rust_primitives_bitvectors" -> "fstar_int32" - "rust_primitives_bitvectors" -> "fstar_seq" - "rust_primitives_bitvectors" -> "fstar_seq" - "rust_primitives_bitvectors" -> "fstar_functionalextensionality" - "rust_primitives_bitvectors" -> "fstar_functionalextensionality" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_integers" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "rust_primitives_arrays" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_mul" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "fstar_pervasives" - "rust_primitives_bitvectors" -> "prims" - "rust_primitives_bitvectors" -> "prims" - "fstar_uint16" -> "fstar_uint32" - "fstar_uint16" -> "fstar_uint32" - "fstar_uint16" -> "fstar_mul" - "fstar_uint16" -> "fstar_mul" - "fstar_uint16" -> "fstar_uint" - "fstar_uint16" -> "fstar_uint" - "fstar_uint16" -> "fstar_pervasives" - "fstar_uint16" -> "fstar_pervasives" - "fstar_uint16" -> "prims" - "fstar_uint16" -> "prims" - "fstar_uint16" -> "fstar_uint16" - "core_num_error" -> "rust_primitives" - "core_num_error" -> "rust_primitives" - "core_num_error" -> "fstar_pervasives" - "core_num_error" -> "fstar_pervasives" - "core_num_error" -> "prims" - "core_num_error" -> "prims" - "bitveceq" -> "fstar_math_lemmas" - "bitveceq" -> "fstar_math_lemmas" - "bitveceq" -> "fstar_seq" - "bitveceq" -> "fstar_seq" - "bitveceq" -> "fstar_classical_sugar" - "bitveceq" -> "fstar_classical_sugar" - "bitveceq" -> "fstar_functionalextensionality" - "bitveceq" -> "fstar_functionalextensionality" - "bitveceq" -> "mkseq" - "bitveceq" -> "mkseq" - "bitveceq" -> 
"fstar_mul" - "bitveceq" -> "fstar_mul" - "bitveceq" -> "core" - "bitveceq" -> "core" - "bitveceq" -> "fstar_pervasives" - "bitveceq" -> "fstar_pervasives" - "bitveceq" -> "prims" - "bitveceq" -> "prims" - "lib_inttypes" -> "fstar_bitvector" - "lib_inttypes" -> "fstar_bitvector" - "lib_inttypes" -> "fstar_seq" - "lib_inttypes" -> "fstar_seq" - "lib_inttypes" -> "fstar_uint" - "lib_inttypes" -> "fstar_uint" - "lib_inttypes" -> "fstar_pervasives_native" - "lib_inttypes" -> "fstar_pervasives_native" - "lib_inttypes" -> "fstar_int_cast_full" - "lib_inttypes" -> "fstar_int_cast_full" - "lib_inttypes" -> "fstar_int" - "lib_inttypes" -> "fstar_int" - "lib_inttypes" -> "fstar_int_cast" - "lib_inttypes" -> "fstar_int_cast" - "lib_inttypes" -> "fstar_int128" - "lib_inttypes" -> "fstar_int128" - "lib_inttypes" -> "fstar_int64" - "lib_inttypes" -> "fstar_int64" - "lib_inttypes" -> "fstar_int32" - "lib_inttypes" -> "fstar_int32" - "lib_inttypes" -> "fstar_int16" - "lib_inttypes" -> "fstar_int16" - "lib_inttypes" -> "fstar_int8" - "lib_inttypes" -> "fstar_int8" - "lib_inttypes" -> "fstar_uint128" - "lib_inttypes" -> "fstar_uint128" - "lib_inttypes" -> "fstar_uint64" - "lib_inttypes" -> "fstar_uint64" - "lib_inttypes" -> "fstar_uint32" - "lib_inttypes" -> "fstar_uint32" - "lib_inttypes" -> "fstar_uint16" - "lib_inttypes" -> "fstar_uint16" - "lib_inttypes" -> "fstar_uint8" - "lib_inttypes" -> "fstar_uint8" - "lib_inttypes" -> "fstar_math_lemmas" - "lib_inttypes" -> "fstar_math_lemmas" - "lib_inttypes" -> "fstar_pervasives" - "lib_inttypes" -> "fstar_pervasives" - "lib_inttypes" -> "prims" - "lib_inttypes" -> "prims" - "lib_inttypes" -> "lib_inttypes" - "fstar_int_cast_full" -> "fstar_uint128" - "fstar_int_cast_full" -> "fstar_uint128" - "fstar_int_cast_full" -> "fstar_uint64" - "fstar_int_cast_full" -> "fstar_uint64" - "fstar_int_cast_full" -> "fstar_int_cast" - "fstar_int_cast_full" -> "fstar_int_cast" - "fstar_int_cast_full" -> "fstar_pervasives" - "fstar_int_cast_full" -> 
"fstar_pervasives" - "fstar_int_cast_full" -> "prims" - "fstar_int_cast_full" -> "prims" - "rust_primitives_hax" -> "fstar_list_tot" - "rust_primitives_hax" -> "fstar_list_tot" - "rust_primitives_hax" -> "lib_inttypes" - "rust_primitives_hax" -> "lib_inttypes" - "rust_primitives_hax" -> "core_slice" - "rust_primitives_hax" -> "fstar_tactics_typeclasses" - "rust_primitives_hax" -> "fstar_tactics_typeclasses" - "rust_primitives_hax" -> "core_ops_index" - "rust_primitives_hax" -> "core_ops_index" - "rust_primitives_hax" -> "fstar_seq" - "rust_primitives_hax" -> "fstar_seq" - "rust_primitives_hax" -> "rust_primitives_arrays" - "rust_primitives_hax" -> "rust_primitives_arrays" - "rust_primitives_hax" -> "rust_primitives_integers" - "rust_primitives_hax" -> "rust_primitives_integers" - "rust_primitives_hax" -> "fstar_pervasives" - "rust_primitives_hax" -> "fstar_pervasives" - "rust_primitives_hax" -> "prims" - "rust_primitives_hax" -> "prims" - "fstar_reflection_v2_formula" -> "fstar_pervasives_native" - "fstar_reflection_v2_formula" -> "fstar_pervasives_native" - "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" - "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" - "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" - "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" - "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_v2_builtins" - "fstar_reflection_v2_formula" -> "fstar_tactics_effect" - "fstar_reflection_v2_formula" -> "fstar_tactics_effect" - "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_common" - "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_v2_formula" -> "fstar_reflection_const" - "fstar_reflection_v2_formula" -> "fstar_reflection_const" - 
"fstar_reflection_v2_formula" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2_formula" -> "fstar_list_tot_base" - "fstar_reflection_v2_formula" -> "fstar_list_tot_base" - "fstar_reflection_v2_formula" -> "fstar_pervasives" - "fstar_reflection_v2_formula" -> "fstar_pervasives" - "fstar_reflection_v2_formula" -> "prims" - "fstar_reflection_v2_formula" -> "prims" - "fstar_tactics_unseal" -> "fstar_tactics_effect" - "fstar_tactics_unseal" -> "fstar_tactics_effect" - "fstar_tactics_unseal" -> "fstar_sealed" - "fstar_tactics_unseal" -> "fstar_pervasives" - "fstar_tactics_unseal" -> "fstar_pervasives" - "fstar_tactics_unseal" -> "prims" - "fstar_tactics_unseal" -> "prims" - "fstar_int128" -> "fstar_int64" - "fstar_int128" -> "fstar_int64" - "fstar_int128" -> "fstar_uint32" - "fstar_int128" -> "fstar_uint32" - "fstar_int128" -> "fstar_math_lemmas" - "fstar_int128" -> "fstar_math_lemmas" - "fstar_int128" -> "fstar_mul" - "fstar_int128" -> "fstar_mul" - "fstar_int128" -> "fstar_int" - "fstar_int128" -> "fstar_int" - "fstar_int128" -> "fstar_pervasives" - "fstar_int128" -> "fstar_pervasives" - "fstar_int128" -> "prims" - "fstar_int128" -> "prims" - "fstar_int128" -> "fstar_int128" - "tactics_seq" -> "fstar_tactics_effect" - "tactics_seq" -> "fstar_tactics_effect" - "tactics_seq" -> "fstar_pervasives_native" - "tactics_seq" -> "fstar_pervasives_native" - "tactics_seq" -> "tactics_pow2" - "tactics_seq" -> "tactics_pow2" - "tactics_seq" -> "tactics_utils" - "tactics_seq" -> "tactics_utils" - "tactics_seq" -> "fstar_option" - "tactics_seq" -> "fstar_option" - "tactics_seq" -> "fstar_mul" - "tactics_seq" -> "fstar_mul" - "tactics_seq" -> "fstar_class_printable" - "tactics_seq" -> "fstar_class_printable" - "tactics_seq" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_seq" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_seq" -> "fstar_tactics_v2" - "tactics_seq" -> "fstar_tactics_v2" - "tactics_seq" -> "fstar_seq_base" - "tactics_seq" -> "fstar_seq_base" - "tactics_seq" -> 
"fstar_list_tot" - "tactics_seq" -> "fstar_list_tot" - "tactics_seq" -> "core" - "tactics_seq" -> "core" - "tactics_seq" -> "fstar_pervasives" - "tactics_seq" -> "fstar_pervasives" - "tactics_seq" -> "prims" - "tactics_seq" -> "prims" - "rust_primitives" -> "fstar_seq" - "rust_primitives" -> "fstar_seq" - "rust_primitives" -> "fstar_tactics_typeclasses" - "rust_primitives" -> "fstar_tactics_typeclasses" - "rust_primitives" -> "core_ops_control_flow" - "rust_primitives" -> "core_ops_control_flow" - "rust_primitives" -> "core_result" - "rust_primitives" -> "core_result" - "rust_primitives" -> "core_option" - "rust_primitives" -> "core_option" - "rust_primitives" -> "rust_primitives_bitvectors" - "rust_primitives" -> "rust_primitives_bitvectors" - "rust_primitives" -> "rust_primitives_arrays" - "rust_primitives" -> "rust_primitives_arrays" - "rust_primitives" -> "rust_primitives_integers" - "rust_primitives" -> "rust_primitives_integers" - "rust_primitives" -> "fstar_pervasives" - "rust_primitives" -> "fstar_pervasives" - "rust_primitives" -> "prims" - "rust_primitives" -> "prims" - "fstar_set" -> "fstar_classical" - "fstar_set" -> "fstar_classical" - "fstar_set" -> "fstar_functionalextensionality" - "fstar_set" -> "fstar_functionalextensionality" - "fstar_set" -> "fstar_pervasives" - "fstar_set" -> "fstar_pervasives" - "fstar_set" -> "prims" - "fstar_set" -> "prims" - "fstar_set" -> "fstar_set" - "fstar_tactics_v1_logic" -> "fstar_pervasives_native" - "fstar_tactics_v1_logic" -> "fstar_pervasives_native" - "fstar_tactics_v1_logic" -> "fstar_squash" - "fstar_tactics_v1_logic" -> "fstar_squash" - "fstar_tactics_v1_logic" -> "fstar_indefinitedescription" - "fstar_tactics_v1_logic" -> "fstar_indefinitedescription" - "fstar_tactics_v1_logic" -> "fstar_classical" - "fstar_tactics_v1_logic" -> "fstar_classical" - "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1_logic" -> 
"fstar_reflection_v1" - "fstar_tactics_v1_logic" -> "fstar_reflection_v1" - "fstar_tactics_v1_logic" -> "fstar_tactics_util" - "fstar_tactics_v1_logic" -> "fstar_tactics_util" - "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" - "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" - "fstar_tactics_v1_logic" -> "fstar_stubs_tactics_v1_builtins" - "fstar_tactics_v1_logic" -> "fstar_tactics_effect" - "fstar_tactics_v1_logic" -> "fstar_tactics_effect" - "fstar_tactics_v1_logic" -> "fstar_pervasives" - "fstar_tactics_v1_logic" -> "fstar_pervasives" - "fstar_tactics_v1_logic" -> "prims" - "fstar_tactics_v1_logic" -> "prims" - "fstar_class_printable" -> "fstar_seq" - "fstar_class_printable" -> "fstar_seq" - "fstar_class_printable" -> "fstar_uint64" - "fstar_class_printable" -> "fstar_uint64" - "fstar_class_printable" -> "fstar_int64" - "fstar_class_printable" -> "fstar_int64" - "fstar_class_printable" -> "fstar_uint32" - "fstar_class_printable" -> "fstar_uint32" - "fstar_class_printable" -> "fstar_int32" - "fstar_class_printable" -> "fstar_int32" - "fstar_class_printable" -> "fstar_uint16" - "fstar_class_printable" -> "fstar_uint16" - "fstar_class_printable" -> "fstar_int16" - "fstar_class_printable" -> "fstar_int16" - "fstar_class_printable" -> "fstar_int8" - "fstar_class_printable" -> "fstar_int8" - "fstar_class_printable" -> "fstar_uint8" - "fstar_class_printable" -> "fstar_uint8" - "fstar_class_printable" -> "fstar_char" - "fstar_class_printable" -> "fstar_list_tot" - "fstar_class_printable" -> "fstar_list_tot" - "fstar_class_printable" -> "fstar_tactics_typeclasses" - "fstar_class_printable" -> "fstar_tactics_typeclasses" - "fstar_class_printable" -> "fstar_seq_properties" - "fstar_class_printable" -> "fstar_seq_properties" - "fstar_class_printable" -> "fstar_string" - "fstar_class_printable" -> "fstar_pervasives" - "fstar_class_printable" -> "fstar_pervasives" - "fstar_class_printable" -> "prims" - "fstar_class_printable" -> "prims" - "tactics_getbit" -> 
"fstar_functionalextensionality" - "tactics_getbit" -> "fstar_functionalextensionality" - "tactics_getbit" -> "tactics_machineints" - "tactics_getbit" -> "tactics_machineints" - "tactics_getbit" -> "rust_primitives_hax" - "tactics_getbit" -> "rust_primitives_hax" - "tactics_getbit" -> "tactics_seq" - "tactics_getbit" -> "tactics_seq" - "tactics_getbit" -> "bitveceq" - "tactics_getbit" -> "bitveceq" - "tactics_getbit" -> "tactics_pow2" - "tactics_getbit" -> "tactics_pow2" - "tactics_getbit" -> "tactics_utils" - "tactics_getbit" -> "tactics_utils" - "tactics_getbit" -> "fstar_option" - "tactics_getbit" -> "fstar_option" - "tactics_getbit" -> "fstar_mul" - "tactics_getbit" -> "fstar_mul" - "tactics_getbit" -> "fstar_class_printable" - "tactics_getbit" -> "fstar_class_printable" - "tactics_getbit" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_getbit" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_getbit" -> "fstar_tactics_v2" - "tactics_getbit" -> "fstar_tactics_v2" - "tactics_getbit" -> "fstar_list_tot" - "tactics_getbit" -> "fstar_list_tot" - "tactics_getbit" -> "core" - "tactics_getbit" -> "core" - "tactics_getbit" -> "fstar_pervasives" - "tactics_getbit" -> "fstar_pervasives" - "tactics_getbit" -> "prims" - "tactics_getbit" -> "prims" - "tactics_machineints" -> "fstar_uint8" - "tactics_machineints" -> "fstar_uint8" - "tactics_machineints" -> "fstar_tactics_effect" - "tactics_machineints" -> "fstar_tactics_effect" - "tactics_machineints" -> "fstar_list_tot" - "tactics_machineints" -> "fstar_list_tot" - "tactics_machineints" -> "lib_inttypes" - "tactics_machineints" -> "lib_inttypes" - "tactics_machineints" -> "fstar_pervasives_native" - "tactics_machineints" -> "fstar_pervasives_native" - "tactics_machineints" -> "rust_primitives_integers" - "tactics_machineints" -> "rust_primitives_integers" - "tactics_machineints" -> "tactics_utils" - "tactics_machineints" -> "tactics_utils" - "tactics_machineints" -> "fstar_option" - "tactics_machineints" -> "fstar_option" - 
"tactics_machineints" -> "fstar_class_printable" - "tactics_machineints" -> "fstar_class_printable" - "tactics_machineints" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_machineints" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_machineints" -> "fstar_tactics_v2" - "tactics_machineints" -> "fstar_tactics_v2" - "tactics_machineints" -> "fstar_pervasives" - "tactics_machineints" -> "fstar_pervasives" - "tactics_machineints" -> "prims" - "tactics_machineints" -> "prims" - "fstar_preorder" -> "fstar_pervasives" - "fstar_preorder" -> "fstar_pervasives" - "fstar_preorder" -> "prims" - "fstar_preorder" -> "prims" - "fstar_reflection_const" -> "fstar_pervasives" - "fstar_reflection_const" -> "fstar_pervasives" - "fstar_reflection_const" -> "prims" - "fstar_reflection_const" -> "prims" - "fstar_tactics_bv" -> "fstar_pervasives_native" - "fstar_tactics_bv" -> "fstar_pervasives_native" - "fstar_tactics_bv" -> "fstar_uint" - "fstar_tactics_bv" -> "fstar_uint" - "fstar_tactics_bv" -> "fstar_bv" - "fstar_tactics_bv" -> "fstar_bv" - "fstar_tactics_bv" -> "fstar_reflection_v2_arith" - "fstar_tactics_bv" -> "fstar_reflection_v2_arith" - "fstar_tactics_bv" -> "fstar_reflection_v2_formula" - "fstar_tactics_bv" -> "fstar_reflection_v2_formula" - "fstar_tactics_bv" -> "fstar_tactics_v2" - "fstar_tactics_bv" -> "fstar_tactics_v2" - "fstar_tactics_bv" -> "fstar_pervasives" - "fstar_tactics_bv" -> "fstar_pervasives" - "fstar_tactics_bv" -> "prims" - "fstar_tactics_bv" -> "prims" - "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2" -> "fstar_tactics_smt" - "fstar_tactics_v2" -> "fstar_tactics_smt" - "fstar_tactics_v2" -> "fstar_tactics_mapply" - "fstar_tactics_v2" -> "fstar_tactics_mapply" - "fstar_tactics_v2" -> "fstar_tactics_namedview" - "fstar_tactics_v2" -> "fstar_tactics_namedview" - "fstar_tactics_v2" -> "fstar_tactics_visit" - "fstar_tactics_v2" -> "fstar_tactics_visit" - "fstar_tactics_v2" -> 
"fstar_tactics_print" - "fstar_tactics_v2" -> "fstar_tactics_print" - "fstar_tactics_v2" -> "fstar_tactics_util" - "fstar_tactics_v2" -> "fstar_tactics_util" - "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2" -> "fstar_tactics_v2_logic" - "fstar_tactics_v2" -> "fstar_tactics_v2_logic" - "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_v2" -> "fstar_tactics_v2_derived" - "fstar_tactics_v2" -> "fstar_tactics_v2_derived" - "fstar_tactics_v2" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_v2" -> "fstar_tactics_effect" - "fstar_tactics_v2" -> "fstar_tactics_effect" - "fstar_tactics_v2" -> "fstar_stubs_tactics_types" - "fstar_tactics_v2" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2" -> "fstar_reflection_v2" - "fstar_tactics_v2" -> "fstar_reflection_v2" - "fstar_tactics_v2" -> "fstar_stubs_reflection_types" - "fstar_tactics_v2" -> "fstar_pervasives" - "fstar_tactics_v2" -> "fstar_pervasives" - "fstar_tactics_v2" -> "prims" - "fstar_tactics_v2" -> "prims" - "fstar_stubs_tactics_result" -> "fstar_stubs_tactics_types" - "fstar_stubs_tactics_result" -> "fstar_pervasives" - "fstar_stubs_tactics_result" -> "fstar_pervasives" - "fstar_stubs_tactics_result" -> "prims" - "fstar_stubs_tactics_result" -> "prims" - "fstar_tactics_effect" -> "fstar_stubs_tactics_result" - "fstar_tactics_effect" -> "fstar_stubs_tactics_types" - "fstar_tactics_effect" -> "fstar_stubs_reflection_types" - "fstar_tactics_effect" -> "fstar_pervasives" - "fstar_tactics_effect" -> "fstar_pervasives" - "fstar_tactics_effect" -> "prims" - "fstar_tactics_effect" -> "prims" - "fstar_tactics_effect" -> "fstar_tactics_effect" - "fstar_monotonic_witnessed" -> "fstar_preorder" - "fstar_monotonic_witnessed" -> "fstar_preorder" - "fstar_monotonic_witnessed" -> "fstar_pervasives" - 
"fstar_monotonic_witnessed" -> "fstar_pervasives" - "fstar_monotonic_witnessed" -> "prims" - "fstar_monotonic_witnessed" -> "prims" - "fstar_range" -> "fstar_sealed" - "fstar_range" -> "fstar_pervasives" - "fstar_range" -> "fstar_pervasives" - "fstar_range" -> "prims" - "fstar_range" -> "prims" - "fstar_monotonic_witnessed" -> "fstar_classical" - "fstar_monotonic_witnessed" -> "fstar_classical" - "fstar_monotonic_witnessed" -> "fstar_preorder" - "fstar_monotonic_witnessed" -> "fstar_preorder" - "fstar_monotonic_witnessed" -> "fstar_pervasives" - "fstar_monotonic_witnessed" -> "fstar_pervasives" - "fstar_monotonic_witnessed" -> "prims" - "fstar_monotonic_witnessed" -> "prims" - "fstar_monotonic_witnessed" -> "fstar_monotonic_witnessed" - "fstar_uint32" -> "fstar_mul" - "fstar_uint32" -> "fstar_mul" - "fstar_uint32" -> "fstar_uint" - "fstar_uint32" -> "fstar_uint" - "fstar_uint32" -> "fstar_pervasives" - "fstar_uint32" -> "fstar_pervasives" - "fstar_uint32" -> "prims" - "fstar_uint32" -> "prims" - "fstar_uint32" -> "fstar_uint32" - "fstar_st" -> "fstar_set" - "fstar_st" -> "fstar_set" - "fstar_st" -> "fstar_monotonic_witnessed" - "fstar_st" -> "fstar_monotonic_witnessed" - "fstar_st" -> "fstar_preorder" - "fstar_st" -> "fstar_preorder" - "fstar_st" -> "fstar_heap" - "fstar_st" -> "fstar_heap" - "fstar_st" -> "fstar_tset" - "fstar_st" -> "fstar_tset" - "fstar_st" -> "fstar_pervasives" - "fstar_st" -> "fstar_pervasives" - "fstar_st" -> "prims" - "fstar_st" -> "prims" - "bitvec_intrinsics" -> "fstar_list_tot" - "bitvec_intrinsics" -> "fstar_list_tot" - "bitvec_intrinsics" -> "fstar_string" - "bitvec_intrinsics" -> "fstar_tactics_v2_derived" - "bitvec_intrinsics" -> "fstar_tactics_v2_derived" - "bitvec_intrinsics" -> "fstar_stubs_tactics_v2_builtins" - "bitvec_intrinsics" -> "libcrux_intrinsics_avx2_extract" - "bitvec_intrinsics" -> "libcrux_intrinsics_avx2_extract" - "bitvec_intrinsics" -> "fstar_tactics" - "bitvec_intrinsics" -> "fstar_tactics" - "bitvec_intrinsics" -> 
"fstar_int16" - "bitvec_intrinsics" -> "fstar_int16" - "bitvec_intrinsics" -> "fstar_tactics_v2" - "bitvec_intrinsics" -> "fstar_tactics_v2" - "bitvec_intrinsics" -> "fstar_int32" - "bitvec_intrinsics" -> "fstar_int32" - "bitvec_intrinsics" -> "tactics_utils" - "bitvec_intrinsics" -> "tactics_utils" - "bitvec_intrinsics" -> "bitvec_equality" - "bitvec_intrinsics" -> "bitvec_equality" - "bitvec_intrinsics" -> "bitvec_utils" - "bitvec_intrinsics" -> "bitvec_utils" - "bitvec_intrinsics" -> "fstar_mul" - "bitvec_intrinsics" -> "fstar_mul" - "bitvec_intrinsics" -> "rust_primitives" - "bitvec_intrinsics" -> "rust_primitives" - "bitvec_intrinsics" -> "core" - "bitvec_intrinsics" -> "core" - "bitvec_intrinsics" -> "fstar_pervasives" - "bitvec_intrinsics" -> "fstar_pervasives" - "bitvec_intrinsics" -> "prims" - "bitvec_intrinsics" -> "prims" - "fstar_stubs_typechecker_core" -> "fstar_pervasives" - "fstar_stubs_typechecker_core" -> "fstar_pervasives" - "fstar_stubs_typechecker_core" -> "prims" - "fstar_stubs_typechecker_core" -> "prims" - "fstar_char" -> "fstar_uint32" - "fstar_char" -> "fstar_uint32" - "fstar_char" -> "fstar_pervasives" - "fstar_char" -> "fstar_pervasives" - "fstar_char" -> "prims" - "fstar_char" -> "prims" - "fstar_int8" -> "fstar_uint32" - "fstar_int8" -> "fstar_uint32" - "fstar_int8" -> "fstar_math_lemmas" - "fstar_int8" -> "fstar_math_lemmas" - "fstar_int8" -> "fstar_mul" - "fstar_int8" -> "fstar_mul" - "fstar_int8" -> "fstar_int" - "fstar_int8" -> "fstar_int" - "fstar_int8" -> "fstar_pervasives" - "fstar_int8" -> "fstar_pervasives" - "fstar_int8" -> "prims" - "fstar_int8" -> "prims" - "fstar_int8" -> "fstar_int8" - "fstar_uint32" -> "fstar_mul" - "fstar_uint32" -> "fstar_mul" - "fstar_uint32" -> "fstar_uint" - "fstar_uint32" -> "fstar_uint" - "fstar_uint32" -> "fstar_pervasives" - "fstar_uint32" -> "fstar_pervasives" - "fstar_uint32" -> "prims" - "fstar_uint32" -> "prims" - "fstar_tset" -> "fstar_squash" - "fstar_tset" -> "fstar_squash" - "fstar_tset" 
-> "fstar_strongexcludedmiddle" - "fstar_tset" -> "fstar_strongexcludedmiddle" - "fstar_tset" -> "fstar_set" - "fstar_tset" -> "fstar_set" - "fstar_tset" -> "fstar_predicateextensionality" - "fstar_tset" -> "fstar_predicateextensionality" - "fstar_tset" -> "fstar_functionalextensionality" - "fstar_tset" -> "fstar_functionalextensionality" - "fstar_tset" -> "fstar_propositionalextensionality" - "fstar_tset" -> "fstar_propositionalextensionality" - "fstar_tset" -> "fstar_pervasives" - "fstar_tset" -> "fstar_pervasives" - "fstar_tset" -> "prims" - "fstar_tset" -> "prims" - "fstar_tset" -> "fstar_tset" - "tactics_folds" -> "tactics_utils" - "tactics_folds" -> "tactics_utils" - "tactics_folds" -> "rust_primitives_hax_folds" - "tactics_folds" -> "fstar_option" - "tactics_folds" -> "fstar_option" - "tactics_folds" -> "fstar_mul" - "tactics_folds" -> "fstar_mul" - "tactics_folds" -> "fstar_class_printable" - "tactics_folds" -> "fstar_class_printable" - "tactics_folds" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_folds" -> "fstar_tactics_v2_syntaxhelpers" - "tactics_folds" -> "fstar_tactics_v2" - "tactics_folds" -> "fstar_tactics_v2" - "tactics_folds" -> "fstar_seq_base" - "tactics_folds" -> "fstar_seq_base" - "tactics_folds" -> "fstar_list_tot" - "tactics_folds" -> "fstar_list_tot" - "tactics_folds" -> "core" - "tactics_folds" -> "core" - "tactics_folds" -> "fstar_pervasives" - "tactics_folds" -> "fstar_pervasives" - "tactics_folds" -> "prims" - "tactics_folds" -> "prims" - "fstar_vconfig" -> "fstar_pervasives" - "fstar_vconfig" -> "fstar_pervasives" - "fstar_vconfig" -> "prims" - "fstar_vconfig" -> "prims" - "fstar_reflection_v2_derived" -> "fstar_list_tot_base" - "fstar_reflection_v2_derived" -> "fstar_list_tot_base" - "fstar_reflection_v2_derived" -> "fstar_pervasives_native" - "fstar_reflection_v2_derived" -> "fstar_pervasives_native" - "fstar_reflection_v2_derived" -> "fstar_list_tot" - "fstar_reflection_v2_derived" -> "fstar_list_tot" - 
"fstar_reflection_v2_derived" -> "fstar_vconfig" - "fstar_reflection_v2_derived" -> "fstar_order" - "fstar_reflection_v2_derived" -> "fstar_order" - "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_v2_derived" -> "fstar_reflection_const" - "fstar_reflection_v2_derived" -> "fstar_reflection_const" - "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2_derived" -> "fstar_pervasives" - "fstar_reflection_v2_derived" -> "fstar_pervasives" - "fstar_reflection_v2_derived" -> "prims" - "fstar_reflection_v2_derived" -> "prims" - "fstar_tset" -> "fstar_set" - "fstar_tset" -> "fstar_set" - "fstar_tset" -> "fstar_pervasives" - "fstar_tset" -> "fstar_pervasives" - "fstar_tset" -> "prims" - "fstar_tset" -> "prims" - "fstar_tactics" -> "fstar_tactics_v1" - "fstar_tactics" -> "fstar_tactics_v1" - "fstar_tactics" -> "fstar_pervasives" - "fstar_tactics" -> "fstar_pervasives" - "fstar_tactics" -> "prims" - "fstar_tactics" -> "prims" - "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" - "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" - "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" - "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" - "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" - "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" - "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_data" - "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_builtins" - "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_types" - "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" - "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" - "fstar_reflection_v1_derived_lemmas" -> "prims" - 
"fstar_reflection_v1_derived_lemmas" -> "prims" - "fstar_set" -> "fstar_pervasives" - "fstar_set" -> "fstar_pervasives" - "fstar_set" -> "prims" - "fstar_set" -> "prims" - "fstar_classical_sugar" -> "fstar_squash" - "fstar_classical_sugar" -> "fstar_squash" - "fstar_classical_sugar" -> "fstar_pervasives" - "fstar_classical_sugar" -> "fstar_pervasives" - "fstar_classical_sugar" -> "prims" - "fstar_classical_sugar" -> "prims" - "fstar_classical_sugar" -> "fstar_classical_sugar" - "rust_primitives_integers" -> "fstar_pervasives_native" - "rust_primitives_integers" -> "fstar_pervasives_native" - "rust_primitives_integers" -> "fstar_int" - "rust_primitives_integers" -> "fstar_int" - "rust_primitives_integers" -> "fstar_int128" - "rust_primitives_integers" -> "fstar_int128" - "rust_primitives_integers" -> "fstar_uint128" - "rust_primitives_integers" -> "fstar_uint128" - "rust_primitives_integers" -> "fstar_int64" - "rust_primitives_integers" -> "fstar_int64" - "rust_primitives_integers" -> "fstar_uint64" - "rust_primitives_integers" -> "fstar_uint64" - "rust_primitives_integers" -> "fstar_int32" - "rust_primitives_integers" -> "fstar_int32" - "rust_primitives_integers" -> "fstar_uint32" - "rust_primitives_integers" -> "fstar_uint32" - "rust_primitives_integers" -> "fstar_int16" - "rust_primitives_integers" -> "fstar_int16" - "rust_primitives_integers" -> "fstar_uint16" - "rust_primitives_integers" -> "fstar_uint16" - "rust_primitives_integers" -> "fstar_int8" - "rust_primitives_integers" -> "fstar_int8" - "rust_primitives_integers" -> "fstar_uint8" - "rust_primitives_integers" -> "fstar_uint8" - "rust_primitives_integers" -> "lib_inttypes" - "rust_primitives_integers" -> "lib_inttypes" - "rust_primitives_integers" -> "fstar_mul" - "rust_primitives_integers" -> "fstar_mul" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "prims" - "rust_primitives_integers" -> "prims" - "fstar_squash" -> 
"fstar_pervasives" - "fstar_squash" -> "fstar_pervasives" - "fstar_squash" -> "prims" - "fstar_squash" -> "prims" - "fstar_stubs_reflection_types" -> "fstar_sealed" - "fstar_stubs_reflection_types" -> "fstar_range" - "fstar_stubs_reflection_types" -> "fstar_pervasives" - "fstar_stubs_reflection_types" -> "fstar_pervasives" - "fstar_stubs_reflection_types" -> "prims" - "fstar_stubs_reflection_types" -> "prims" - "fstar_tactics_v1" -> "fstar_tactics_smt" - "fstar_tactics_v1" -> "fstar_tactics_smt" - "fstar_tactics_v1" -> "fstar_tactics_visit" - "fstar_tactics_v1" -> "fstar_tactics_visit" - "fstar_tactics_v1" -> "fstar_tactics_print" - "fstar_tactics_v1" -> "fstar_tactics_print" - "fstar_tactics_v1" -> "fstar_tactics_util" - "fstar_tactics_v1" -> "fstar_tactics_util" - "fstar_tactics_v1" -> "fstar_tactics_v1_logic" - "fstar_tactics_v1" -> "fstar_tactics_v1_logic" - "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" - "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" - "fstar_tactics_v1" -> "fstar_tactics_v1_derived" - "fstar_tactics_v1" -> "fstar_tactics_v1_derived" - "fstar_tactics_v1" -> "fstar_stubs_tactics_v1_builtins" - "fstar_tactics_v1" -> "fstar_tactics_effect" - "fstar_tactics_v1" -> "fstar_tactics_effect" - "fstar_tactics_v1" -> "fstar_stubs_tactics_types" - "fstar_tactics_v1" -> "fstar_reflection_v1_compare" - "fstar_tactics_v1" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1" -> "fstar_reflection_v1_formula" - "fstar_tactics_v1" -> "fstar_reflection_v1_derived" - "fstar_tactics_v1" -> "fstar_reflection_v1_derived" - "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_builtins" - "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_data" - "fstar_tactics_v1" -> "fstar_reflection_const" - "fstar_tactics_v1" -> "fstar_reflection_const" - "fstar_tactics_v1" -> "fstar_stubs_reflection_types" - "fstar_tactics_v1" -> "fstar_pervasives" - "fstar_tactics_v1" -> "fstar_pervasives" - "fstar_tactics_v1" -> "prims" - "fstar_tactics_v1" -> "prims" - 
"fstar_list_tot" -> "fstar_list_tot_properties" - "fstar_list_tot" -> "fstar_list_tot_properties" - "fstar_list_tot" -> "fstar_list_tot_base" - "fstar_list_tot" -> "fstar_list_tot_base" - "fstar_list_tot" -> "fstar_pervasives" - "fstar_list_tot" -> "fstar_pervasives" - "fstar_list_tot" -> "prims" - "fstar_list_tot" -> "prims" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" - "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" - "fstar_tactics_mapply" -> "fstar_tactics_effect" - "fstar_tactics_mapply" -> "fstar_tactics_effect" - "fstar_tactics_mapply" -> "fstar_reflection_v2" - "fstar_tactics_mapply" -> "fstar_reflection_v2" - "fstar_tactics_mapply" -> "fstar_pervasives" - "fstar_tactics_mapply" -> "fstar_pervasives" - "fstar_tactics_mapply" -> "prims" - "fstar_tactics_mapply" -> "prims" - "fstar_ghost" -> "fstar_pervasives" - "fstar_ghost" -> "fstar_pervasives" - "fstar_ghost" -> "prims" - "fstar_ghost" -> "prims" - "fstar_ghost" -> "fstar_ghost" - "fstar_bitvector" -> "fstar_seq" - "fstar_bitvector" -> "fstar_seq" - "fstar_bitvector" -> "fstar_mul" - "fstar_bitvector" -> "fstar_mul" - "fstar_bitvector" -> "fstar_pervasives" - "fstar_bitvector" -> "fstar_pervasives" - "fstar_bitvector" -> "prims" - "fstar_bitvector" -> "prims" - "core" -> "core_ops" - "core" -> "core_ops" - "core" -> "core_iter" - "core" -> "core_num" - "core" -> "rust_primitives" - "core" -> "rust_primitives" - "core" -> "fstar_pervasives" - "core" -> "fstar_pervasives" - "core" -> "prims" - "core" -> "prims" - "fstar_uint" -> "fstar_seq" - "fstar_uint" -> "fstar_seq" - "fstar_uint" -> "fstar_math_lemmas" - "fstar_uint" -> "fstar_math_lemmas" - "fstar_uint" -> "fstar_bitvector" - "fstar_uint" -> "fstar_bitvector" - "fstar_uint" -> "fstar_mul" - "fstar_uint" -> "fstar_mul" - "fstar_uint" -> "fstar_pervasives" - "fstar_uint" -> "fstar_pervasives" - "fstar_uint" -> 
"prims" - "fstar_uint" -> "prims" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_sealed" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_builtins" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" - "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" - "fstar_tactics_v2_syntaxcoercions" -> "prims" - "fstar_tactics_v2_syntaxcoercions" -> "prims" - "fstar_tactics_v2_logic" -> "fstar_pervasives_native" - "fstar_tactics_v2_logic" -> "fstar_pervasives_native" - "fstar_tactics_v2_logic" -> "fstar_squash" - "fstar_tactics_v2_logic" -> "fstar_squash" - "fstar_tactics_v2_logic" -> "fstar_indefinitedescription" - "fstar_tactics_v2_logic" -> "fstar_indefinitedescription" - "fstar_tactics_v2_logic" -> "fstar_classical" - "fstar_tactics_v2_logic" -> "fstar_classical" - "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2_logic" -> "fstar_tactics_util" - "fstar_tactics_v2_logic" -> "fstar_tactics_util" - "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" - "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" - "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" - "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" - "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_v2_logic" -> "fstar_tactics_effect" - "fstar_tactics_v2_logic" -> "fstar_tactics_effect" - "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2_logic" -> "fstar_reflection_v2" - "fstar_tactics_v2_logic" -> "fstar_reflection_v2" - "fstar_tactics_v2_logic" -> "fstar_pervasives" - "fstar_tactics_v2_logic" -> "fstar_pervasives" - 
"fstar_tactics_v2_logic" -> "prims" - "fstar_tactics_v2_logic" -> "prims" - "fstar_uint" -> "fstar_calc" - "fstar_uint" -> "fstar_calc" - "fstar_uint" -> "fstar_seq_base" - "fstar_uint" -> "fstar_seq_base" - "fstar_uint" -> "fstar_classical" - "fstar_uint" -> "fstar_classical" - "fstar_uint" -> "fstar_seq" - "fstar_uint" -> "fstar_seq" - "fstar_uint" -> "fstar_math_lib" - "fstar_uint" -> "fstar_math_lib" - "fstar_uint" -> "fstar_math_lemmas" - "fstar_uint" -> "fstar_math_lemmas" - "fstar_uint" -> "fstar_bitvector" - "fstar_uint" -> "fstar_bitvector" - "fstar_uint" -> "fstar_mul" - "fstar_uint" -> "fstar_mul" - "fstar_uint" -> "fstar_pervasives" - "fstar_uint" -> "fstar_pervasives" - "fstar_uint" -> "prims" - "fstar_uint" -> "prims" - "fstar_uint" -> "fstar_uint" - "fstar_uint8" -> "fstar_uint32" - "fstar_uint8" -> "fstar_uint32" - "fstar_uint8" -> "fstar_mul" - "fstar_uint8" -> "fstar_mul" - "fstar_uint8" -> "fstar_uint" - "fstar_uint8" -> "fstar_uint" - "fstar_uint8" -> "fstar_pervasives" - "fstar_uint8" -> "fstar_pervasives" - "fstar_uint8" -> "prims" - "fstar_uint8" -> "prims" - "fstar_uint8" -> "fstar_uint8" - "fstar_monotonic_pure" -> "fstar_pervasives" - "fstar_monotonic_pure" -> "fstar_pervasives" - "fstar_monotonic_pure" -> "prims" - "fstar_monotonic_pure" -> "prims" - "core_ops_index" -> "fstar_tactics_typeclasses" - "core_ops_index" -> "fstar_tactics_typeclasses" - "core_ops_index" -> "fstar_pervasives" - "core_ops_index" -> "fstar_pervasives" - "core_ops_index" -> "prims" - "core_ops_index" -> "prims" - "fstar_uint64" -> "fstar_uint32" - "fstar_uint64" -> "fstar_uint32" - "fstar_uint64" -> "fstar_mul" - "fstar_uint64" -> "fstar_mul" - "fstar_uint64" -> "fstar_uint" - "fstar_uint64" -> "fstar_uint" - "fstar_uint64" -> "fstar_pervasives" - "fstar_uint64" -> "fstar_pervasives" - "fstar_uint64" -> "prims" - "fstar_uint64" -> "prims" - "fstar_uint64" -> "fstar_uint64" - "fstar_float" -> "fstar_pervasives" - "fstar_float" -> "fstar_pervasives" - "fstar_float" 
-> "prims" - "fstar_float" -> "prims" - "fstar_reflection_v2_compare" -> "fstar_ghost" - "fstar_reflection_v2_compare" -> "fstar_ghost" - "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" - "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" - "fstar_reflection_v2_compare" -> "fstar_pervasives_native" - "fstar_reflection_v2_compare" -> "fstar_pervasives_native" - "fstar_reflection_v2_compare" -> "fstar_order" - "fstar_reflection_v2_compare" -> "fstar_order" - "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2_compare" -> "fstar_pervasives" - "fstar_reflection_v2_compare" -> "fstar_pervasives" - "fstar_reflection_v2_compare" -> "prims" - "fstar_reflection_v2_compare" -> "prims" - "fstar_reflection_v2_compare" -> "fstar_reflection_v2_compare" - "fstar_int" -> "fstar_uint" - "fstar_int" -> "fstar_uint" - "fstar_int" -> "fstar_seq" - "fstar_int" -> "fstar_seq" - "fstar_int" -> "fstar_math_lib" - "fstar_int" -> "fstar_math_lib" - "fstar_int" -> "fstar_math_lemmas" - "fstar_int" -> "fstar_math_lemmas" - "fstar_int" -> "fstar_bitvector" - "fstar_int" -> "fstar_bitvector" - "fstar_int" -> "fstar_mul" - "fstar_int" -> "fstar_mul" - "fstar_int" -> "fstar_pervasives" - "fstar_int" -> "fstar_pervasives" - "fstar_int" -> "prims" - "fstar_int" -> "prims" - "fstar_int" -> "fstar_int" - "fstar_int16" -> "fstar_uint" - "fstar_int16" -> "fstar_uint" - "fstar_int16" -> "fstar_uint32" - "fstar_int16" -> "fstar_uint32" - "fstar_int16" -> "fstar_mul" - "fstar_int16" -> "fstar_mul" - "fstar_int16" -> "fstar_int" - "fstar_int16" -> "fstar_int" - "fstar_int16" -> "fstar_pervasives" - "fstar_int16" -> "fstar_pervasives" - "fstar_int16" -> "prims" - 
"fstar_int16" -> "prims" - "fstar_list" -> "fstar_pervasives_native" - "fstar_list" -> "fstar_pervasives_native" - "fstar_list" -> "fstar_list_tot" - "fstar_list" -> "fstar_list_tot" - "fstar_list" -> "fstar_all" - "fstar_list" -> "fstar_all" - "fstar_list" -> "fstar_pervasives" - "fstar_list" -> "fstar_pervasives" - "fstar_list" -> "prims" - "fstar_list" -> "prims" - "fstar_predicateextensionality" -> "fstar_propositionalextensionality" - "fstar_predicateextensionality" -> "fstar_propositionalextensionality" - "fstar_predicateextensionality" -> "fstar_functionalextensionality" - "fstar_predicateextensionality" -> "fstar_functionalextensionality" - "fstar_predicateextensionality" -> "fstar_pervasives" - "fstar_predicateextensionality" -> "fstar_pervasives" - "fstar_predicateextensionality" -> "prims" - "fstar_predicateextensionality" -> "prims" - "fstar_reflection_v1_derived" -> "fstar_list_tot_base" - "fstar_reflection_v1_derived" -> "fstar_list_tot_base" - "fstar_reflection_v1_derived" -> "fstar_pervasives_native" - "fstar_reflection_v1_derived" -> "fstar_pervasives_native" - "fstar_reflection_v1_derived" -> "fstar_vconfig" - "fstar_reflection_v1_derived" -> "fstar_order" - "fstar_reflection_v1_derived" -> "fstar_order" - "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_data" - "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_builtins" - "fstar_reflection_v1_derived" -> "fstar_reflection_const" - "fstar_reflection_v1_derived" -> "fstar_reflection_const" - "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_types" - "fstar_reflection_v1_derived" -> "fstar_pervasives" - "fstar_reflection_v1_derived" -> "fstar_pervasives" - "fstar_reflection_v1_derived" -> "prims" - "fstar_reflection_v1_derived" -> "prims" - "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" - "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" - "fstar_stubs_reflection_v2_data" -> "fstar_stubs_reflection_types" - "fstar_stubs_reflection_v2_data" -> 
"fstar_stubs_syntax_syntax" - "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" - "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" - "fstar_stubs_reflection_v2_data" -> "prims" - "fstar_stubs_reflection_v2_data" -> "prims" - "fstar_stubs_reflection_v1_builtins" -> "fstar_vconfig" - "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_v1_data" - "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_types" - "fstar_stubs_reflection_v1_builtins" -> "fstar_order" - "fstar_stubs_reflection_v1_builtins" -> "fstar_order" - "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" - "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" - "fstar_stubs_reflection_v1_builtins" -> "prims" - "fstar_stubs_reflection_v1_builtins" -> "prims" - "fstar_uint128" -> "fstar_uint64" - "fstar_uint128" -> "fstar_uint64" - "fstar_uint128" -> "fstar_uint32" - "fstar_uint128" -> "fstar_uint32" - "fstar_uint128" -> "fstar_mul" - "fstar_uint128" -> "fstar_mul" - "fstar_uint128" -> "fstar_uint" - "fstar_uint128" -> "fstar_uint" - "fstar_uint128" -> "fstar_pervasives" - "fstar_uint128" -> "fstar_pervasives" - "fstar_uint128" -> "prims" - "fstar_uint128" -> "prims" - "fstar_reflection_v2_arith" -> "fstar_classical" - "fstar_reflection_v2_arith" -> "fstar_classical" - "fstar_reflection_v2_arith" -> "fstar_list_tot" - "fstar_reflection_v2_arith" -> "fstar_list_tot" - "fstar_reflection_v2_arith" -> "fstar_pervasives_native" - "fstar_reflection_v2_arith" -> "fstar_pervasives_native" - "fstar_reflection_v2_arith" -> "fstar_list_tot_base" - "fstar_reflection_v2_arith" -> "fstar_list_tot_base" - "fstar_reflection_v2_arith" -> "fstar_order" - "fstar_reflection_v2_arith" -> "fstar_order" - "fstar_reflection_v2_arith" -> "fstar_reflection_v2" - "fstar_reflection_v2_arith" -> "fstar_reflection_v2" - "fstar_reflection_v2_arith" -> "fstar_tactics_v2" - "fstar_reflection_v2_arith" -> "fstar_tactics_v2" - "fstar_reflection_v2_arith" -> "fstar_pervasives" - 
"fstar_reflection_v2_arith" -> "fstar_pervasives" - "fstar_reflection_v2_arith" -> "prims" - "fstar_reflection_v2_arith" -> "prims" - "fstar_functionalextensionality" -> "fstar_pervasives" - "fstar_functionalextensionality" -> "fstar_pervasives" - "fstar_functionalextensionality" -> "prims" - "fstar_functionalextensionality" -> "prims" - "fstar_reflection_termeq" -> "fstar_classical_sugar" - "fstar_reflection_termeq" -> "fstar_classical_sugar" - "fstar_reflection_termeq" -> "fstar_sealed" - "fstar_reflection_termeq" -> "fstar_pervasives_native" - "fstar_reflection_termeq" -> "fstar_pervasives_native" - "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" - "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" - "fstar_reflection_termeq" -> "fstar_list_tot" - "fstar_reflection_termeq" -> "fstar_list_tot" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" - "fstar_reflection_termeq" -> "fstar_pervasives" - "fstar_reflection_termeq" -> "fstar_pervasives" - "fstar_reflection_termeq" -> "prims" - "fstar_reflection_termeq" -> "prims" - "fstar_reflection_termeq" -> "fstar_reflection_termeq" - "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" - "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" - "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" - "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" - "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" - "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" - "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_types" - 
"fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" - "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" - "fstar_reflection_v2_derived_lemmas" -> "prims" - "fstar_reflection_v2_derived_lemmas" -> "prims" - "core_ops_range" -> "rust_primitives_hax" - "core_ops_range" -> "rust_primitives_hax" - "core_ops_range" -> "fstar_seq" - "core_ops_range" -> "fstar_seq" - "core_ops_range" -> "core_ops_index" - "core_ops_range" -> "core_ops_index" - "core_ops_range" -> "fstar_tactics_typeclasses" - "core_ops_range" -> "fstar_tactics_typeclasses" - "core_ops_range" -> "fstar_pervasives_native" - "core_ops_range" -> "fstar_pervasives_native" - "core_ops_range" -> "core_iter_traits_iterator" - "core_ops_range" -> "core_iter_traits_iterator" - "core_ops_range" -> "rust_primitives" - "core_ops_range" -> "rust_primitives" - "core_ops_range" -> "fstar_pervasives" - "core_ops_range" -> "fstar_pervasives" - "core_ops_range" -> "prims" - "core_ops_range" -> "prims" - "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" - "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" - "core_iter_traits_iterator" -> "core_iter_adapters_step_by" - "core_iter_traits_iterator" -> "core_iter_adapters_step_by" - "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" - "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" - "core_iter_traits_iterator" -> "rust_primitives" - "core_iter_traits_iterator" -> "rust_primitives" - "core_iter_traits_iterator" -> "fstar_pervasives" - "core_iter_traits_iterator" -> "fstar_pervasives" - "core_iter_traits_iterator" -> "prims" - "core_iter_traits_iterator" -> "prims" - "fstar_bv" -> "fstar_list" - "fstar_bv" -> "fstar_list" - "fstar_bv" -> "fstar_uint" - "fstar_bv" -> "fstar_uint" - "fstar_bv" -> "fstar_pervasives" - "fstar_bv" -> "fstar_pervasives" - "fstar_bv" -> "prims" - "fstar_bv" -> "prims" - "fstar_math_lemmas" -> "fstar_calc" - "fstar_math_lemmas" -> "fstar_calc" - "fstar_math_lemmas" -> "fstar_math_lib" - 
"fstar_math_lemmas" -> "fstar_math_lib" - "fstar_math_lemmas" -> "fstar_mul" - "fstar_math_lemmas" -> "fstar_mul" - "fstar_math_lemmas" -> "fstar_pervasives" - "fstar_math_lemmas" -> "fstar_pervasives" - "fstar_math_lemmas" -> "prims" - "fstar_math_lemmas" -> "prims" - "fstar_math_lemmas" -> "fstar_math_lemmas" - "fstar_tactics_builtins" -> "fstar_stubs_tactics_v1_builtins" - "fstar_tactics_builtins" -> "fstar_pervasives" - "fstar_tactics_builtins" -> "fstar_pervasives" - "fstar_tactics_builtins" -> "prims" - "fstar_tactics_builtins" -> "prims" - "fstar_string" -> "fstar_all" - "fstar_string" -> "fstar_all" - "fstar_string" -> "fstar_list" - "fstar_string" -> "fstar_list" - "fstar_string" -> "fstar_char" - "fstar_string" -> "fstar_list_tot" - "fstar_string" -> "fstar_list_tot" - "fstar_string" -> "fstar_pervasives" - "fstar_string" -> "fstar_pervasives" - "fstar_string" -> "prims" - "fstar_string" -> "prims" - "fstar_pervasives" -> "prims" - "fstar_pervasives" -> "prims" - "fstar_pervasives" -> "fstar_pervasives" - "fstar_tactics_util" -> "fstar_pervasives_native" - "fstar_tactics_util" -> "fstar_pervasives_native" - "fstar_tactics_util" -> "fstar_list_tot_base" - "fstar_tactics_util" -> "fstar_list_tot_base" - "fstar_tactics_util" -> "fstar_tactics_effect" - "fstar_tactics_util" -> "fstar_tactics_effect" - "fstar_tactics_util" -> "fstar_pervasives" - "fstar_tactics_util" -> "fstar_pervasives" - "fstar_tactics_util" -> "prims" - "fstar_tactics_util" -> "prims" - "core_slice_iter" -> "rust_primitives" - "core_slice_iter" -> "rust_primitives" - "core_slice_iter" -> "fstar_pervasives" - "core_slice_iter" -> "fstar_pervasives" - "core_slice_iter" -> "prims" - "core_slice_iter" -> "prims" - "core_ops_control_flow" -> "fstar_pervasives" - "core_ops_control_flow" -> "fstar_pervasives" - "core_ops_control_flow" -> "prims" - "core_ops_control_flow" -> "prims" - "core_slice" -> "fstar_tactics_typeclasses" - "core_slice" -> "fstar_tactics_typeclasses" - "core_slice" -> 
"core_ops_index" - "core_slice" -> "core_ops_index" - "core_slice" -> "core_slice_iter" - "core_slice" -> "core_slice_iter" - "core_slice" -> "fstar_seq" - "core_slice" -> "fstar_seq" - "core_slice" -> "rust_primitives_integers" - "core_slice" -> "rust_primitives_integers" - "core_slice" -> "rust_primitives_arrays" - "core_slice" -> "rust_primitives_arrays" - "core_slice" -> "fstar_pervasives" - "core_slice" -> "fstar_pervasives" - "core_slice" -> "prims" - "core_slice" -> "prims" - "fstar_all" -> "fstar_exn" - "fstar_all" -> "fstar_exn" - "fstar_all" -> "fstar_st" - "fstar_all" -> "fstar_st" - "fstar_all" -> "fstar_heap" - "fstar_all" -> "fstar_heap" - "fstar_all" -> "fstar_pervasives" - "fstar_all" -> "fstar_pervasives" - "fstar_all" -> "prims" - "fstar_all" -> "prims" - "fstar_ghost" -> "fstar_pervasives" - "fstar_ghost" -> "fstar_pervasives" - "fstar_ghost" -> "prims" - "fstar_ghost" -> "prims" - "fstar_indefinitedescription" -> "fstar_ghost" - "fstar_indefinitedescription" -> "fstar_ghost" - "fstar_indefinitedescription" -> "fstar_pervasives" - "fstar_indefinitedescription" -> "fstar_pervasives" - "fstar_indefinitedescription" -> "prims" - "fstar_indefinitedescription" -> "prims" - "fstar_list_tot_properties" -> "fstar_classical" - "fstar_list_tot_properties" -> "fstar_classical" - "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" - "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" - "fstar_list_tot_properties" -> "fstar_classical_sugar" - "fstar_list_tot_properties" -> "fstar_classical_sugar" - "fstar_list_tot_properties" -> "fstar_pervasives_native" - "fstar_list_tot_properties" -> "fstar_pervasives_native" - "fstar_list_tot_properties" -> "fstar_list_tot_base" - "fstar_list_tot_properties" -> "fstar_list_tot_base" - "fstar_list_tot_properties" -> "fstar_pervasives" - "fstar_list_tot_properties" -> "fstar_pervasives" - "fstar_list_tot_properties" -> "prims" - "fstar_list_tot_properties" -> "prims" - "fstar_stubs_syntax_syntax" -> 
"fstar_stubs_reflection_types" - "fstar_stubs_syntax_syntax" -> "fstar_pervasives" - "fstar_stubs_syntax_syntax" -> "fstar_pervasives" - "fstar_stubs_syntax_syntax" -> "prims" - "fstar_stubs_syntax_syntax" -> "prims" - "core_ops_arith" -> "fstar_tactics_typeclasses" - "core_ops_arith" -> "fstar_tactics_typeclasses" - "core_ops_arith" -> "rust_primitives" - "core_ops_arith" -> "rust_primitives" - "core_ops_arith" -> "fstar_pervasives" - "core_ops_arith" -> "fstar_pervasives" - "core_ops_arith" -> "prims" - "core_ops_arith" -> "prims" - "rust_primitives_hax_folds" -> "fstar_math_lemmas" - "rust_primitives_hax_folds" -> "fstar_math_lemmas" - "rust_primitives_hax_folds" -> "lib_inttypes" - "rust_primitives_hax_folds" -> "lib_inttypes" - "rust_primitives_hax_folds" -> "fstar_seq" - "rust_primitives_hax_folds" -> "fstar_seq" - "rust_primitives_hax_folds" -> "fstar_mul" - "rust_primitives_hax_folds" -> "fstar_mul" - "rust_primitives_hax_folds" -> "core_ops_range" - "rust_primitives_hax_folds" -> "rust_primitives" - "rust_primitives_hax_folds" -> "rust_primitives" - "rust_primitives_hax_folds" -> "fstar_pervasives" - "rust_primitives_hax_folds" -> "fstar_pervasives" - "rust_primitives_hax_folds" -> "prims" - "rust_primitives_hax_folds" -> "prims" - "fstar_strongexcludedmiddle" -> "fstar_pervasives" - "fstar_strongexcludedmiddle" -> "fstar_pervasives" - "fstar_strongexcludedmiddle" -> "prims" - "fstar_strongexcludedmiddle" -> "prims" - "fstar_uint8" -> "fstar_uint32" - "fstar_uint8" -> "fstar_uint32" - "fstar_uint8" -> "fstar_mul" - "fstar_uint8" -> "fstar_mul" - "fstar_uint8" -> "fstar_uint" - "fstar_uint8" -> "fstar_uint" - "fstar_uint8" -> "fstar_pervasives" - "fstar_uint8" -> "fstar_pervasives" - "fstar_uint8" -> "prims" - "fstar_uint8" -> "prims" - "fstar_stubs_tactics_v2_builtins" -> "fstar_issue" - "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" - "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" - "fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" - 
"fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" - "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" - "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" - "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_pprint" - "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_unseal" - "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_tactics_types" - "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" - "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" - "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_builtins" - "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_data" - "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" - "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" - "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_types" - "fstar_stubs_tactics_v2_builtins" -> "fstar_vconfig" - "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" - "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" - "fstar_stubs_tactics_v2_builtins" -> "prims" - "fstar_stubs_tactics_v2_builtins" -> "prims" - "rust_primitives_arrays" -> "fstar_pervasives_native" - "rust_primitives_arrays" -> "fstar_pervasives_native" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "fstar_mul" - "rust_primitives_arrays" -> "fstar_mul" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "prims" - "rust_primitives_arrays" -> "prims" - "fstar_reflection_v1" -> "fstar_reflection_v1_compare" - "fstar_reflection_v1" -> "fstar_reflection_const" - "fstar_reflection_v1" -> 
"fstar_reflection_const" - "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" - "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" - "fstar_reflection_v1" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_builtins" - "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_data" - "fstar_reflection_v1" -> "fstar_stubs_reflection_types" - "fstar_reflection_v1" -> "fstar_pervasives" - "fstar_reflection_v1" -> "fstar_pervasives" - "fstar_reflection_v1" -> "prims" - "fstar_reflection_v1" -> "prims" - "fstar_bv" -> "fstar_math_lemmas" - "fstar_bv" -> "fstar_math_lemmas" - "fstar_bv" -> "fstar_seq" - "fstar_bv" -> "fstar_seq" - "fstar_bv" -> "fstar_bitvector" - "fstar_bv" -> "fstar_bitvector" - "fstar_bv" -> "fstar_uint" - "fstar_bv" -> "fstar_uint" - "fstar_bv" -> "fstar_pervasives" - "fstar_bv" -> "fstar_pervasives" - "fstar_bv" -> "prims" - "fstar_bv" -> "prims" - "fstar_bv" -> "fstar_bv" - "fstar_list_tot_base" -> "fstar_classical_sugar" - "fstar_list_tot_base" -> "fstar_classical_sugar" - "fstar_list_tot_base" -> "fstar_pervasives_native" - "fstar_list_tot_base" -> "fstar_pervasives_native" - "fstar_list_tot_base" -> "fstar_pervasives" - "fstar_list_tot_base" -> "fstar_pervasives" - "fstar_list_tot_base" -> "prims" - "fstar_list_tot_base" -> "prims" - "fstar_math_lib" -> "fstar_mul" - "fstar_math_lib" -> "fstar_mul" - "fstar_math_lib" -> "fstar_pervasives" - "fstar_math_lib" -> "fstar_pervasives" - "fstar_math_lib" -> "prims" - "fstar_math_lib" -> "prims" - "core_num" -> "fstar_tactics_typeclasses" - "core_num" -> "fstar_tactics_typeclasses" - "core_num" -> "core_ops_arith" - "core_num" -> "core_num_error" - "core_num" -> "core_result" - "core_num" -> "core_result" - "core_num" -> "fstar_math_lemmas" - "core_num" -> "fstar_math_lemmas" - "core_num" -> "lib_inttypes" - "core_num" -> "lib_inttypes" - "core_num" -> "fstar_uint128" - "core_num" -> 
"fstar_uint128" - "core_num" -> "fstar_uint32" - "core_num" -> "fstar_uint32" - "core_num" -> "rust_primitives" - "core_num" -> "rust_primitives" - "core_num" -> "fstar_pervasives" - "core_num" -> "fstar_pervasives" - "core_num" -> "prims" - "core_num" -> "prims" - "fstar_math_lemmas" -> "fstar_mul" - "fstar_math_lemmas" -> "fstar_mul" - "fstar_math_lemmas" -> "fstar_pervasives" - "fstar_math_lemmas" -> "fstar_pervasives" - "fstar_math_lemmas" -> "prims" - "fstar_math_lemmas" -> "prims" - "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" - "fstar_reflection_termeq_simple" -> "fstar_pervasives" - "fstar_reflection_termeq_simple" -> "fstar_pervasives" - "fstar_reflection_termeq_simple" -> "prims" - "fstar_reflection_termeq_simple" -> "prims" - "fstar_int16" -> "fstar_uint32" - "fstar_int16" -> "fstar_uint32" - "fstar_int16" -> "fstar_math_lemmas" - "fstar_int16" -> "fstar_math_lemmas" - "fstar_int16" -> "fstar_mul" - "fstar_int16" -> "fstar_mul" - "fstar_int16" -> "fstar_int" - "fstar_int16" -> "fstar_int" - "fstar_int16" -> "fstar_pervasives" - "fstar_int16" -> "fstar_pervasives" - "fstar_int16" -> "prims" - "fstar_int16" -> "prims" - "fstar_int16" -> "fstar_int16" - "bitvec_utils" -> "rust_primitives_bitvectors" - "bitvec_utils" -> "rust_primitives_bitvectors" - "bitvec_utils" -> "bitvec_equality" - "bitvec_utils" -> "bitvec_equality" - "bitvec_utils" -> "fstar_functionalextensionality" - "bitvec_utils" -> "fstar_functionalextensionality" - "bitvec_utils" -> "core" - "bitvec_utils" -> "core" - "bitvec_utils" -> "fstar_pervasives" - "bitvec_utils" -> "fstar_pervasives" - "bitvec_utils" -> "prims" - "bitvec_utils" -> "prims" - "fstar_tactics_typeclasses" -> "fstar_stubs_pprint" - "fstar_tactics_typeclasses" -> "fstar_list_tot" - "fstar_tactics_typeclasses" -> "fstar_list_tot" - "fstar_tactics_typeclasses" -> "fstar_tactics_util" - "fstar_tactics_typeclasses" -> "fstar_tactics_util" - "fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" - 
"fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" - "fstar_tactics_typeclasses" -> "fstar_pervasives_native" - "fstar_tactics_typeclasses" -> "fstar_pervasives_native" - "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_v2_builtins" - "fstar_tactics_typeclasses" -> "fstar_list_tot_base" - "fstar_tactics_typeclasses" -> "fstar_list_tot_base" - "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" - "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_typeclasses" -> "fstar_tactics_effect" - "fstar_tactics_typeclasses" -> "fstar_tactics_effect" - "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_common" - "fstar_tactics_typeclasses" -> "fstar_reflection_v2" - "fstar_tactics_typeclasses" -> "fstar_reflection_v2" - "fstar_tactics_typeclasses" -> "fstar_pervasives" - "fstar_tactics_typeclasses" -> "fstar_pervasives" - "fstar_tactics_typeclasses" -> "prims" - "fstar_tactics_typeclasses" -> "prims" - "fstar_tactics_typeclasses" -> "fstar_tactics_typeclasses" - "rust_primitives_integers" -> "fstar_int_cast" - "rust_primitives_integers" -> "fstar_int_cast" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "fstar_pervasives" - "rust_primitives_integers" -> "prims" - "rust_primitives_integers" -> "prims" - "rust_primitives_integers" -> "rust_primitives_integers" - "fstar_tactics_namedview" -> "fstar_range" - "fstar_tactics_namedview" -> "fstar_reflection_v2" - "fstar_tactics_namedview" -> "fstar_reflection_v2" - "fstar_tactics_namedview" -> 
"fstar_tactics_effect" - "fstar_tactics_namedview" -> "fstar_tactics_effect" - "fstar_tactics_namedview" -> "fstar_pervasives" - "fstar_tactics_namedview" -> "fstar_pervasives" - "fstar_tactics_namedview" -> "prims" - "fstar_tactics_namedview" -> "prims" - "fstar_reflection_v2" -> "fstar_reflection_v2_compare" - "fstar_reflection_v2" -> "fstar_reflection_v2_compare" - "fstar_reflection_v2" -> "fstar_reflection_const" - "fstar_reflection_v2" -> "fstar_reflection_const" - "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" - "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" - "fstar_reflection_v2" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2" -> "fstar_reflection_v2_derived" - "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_builtins" - "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2" -> "fstar_pervasives" - "fstar_reflection_v2" -> "fstar_pervasives" - "fstar_reflection_v2" -> "prims" - "fstar_reflection_v2" -> "prims" - "fstar_int_cast" -> "fstar_int" - "fstar_int_cast" -> "fstar_int" - "fstar_int_cast" -> "fstar_int64" - "fstar_int_cast" -> "fstar_int64" - "fstar_int_cast" -> "fstar_int32" - "fstar_int_cast" -> "fstar_int32" - "fstar_int_cast" -> "fstar_int16" - "fstar_int_cast" -> "fstar_int16" - "fstar_int_cast" -> "fstar_int8" - "fstar_int_cast" -> "fstar_int8" - "fstar_int_cast" -> "fstar_uint64" - "fstar_int_cast" -> "fstar_uint64" - "fstar_int_cast" -> "fstar_uint32" - "fstar_int_cast" -> "fstar_uint32" - "fstar_int_cast" -> "fstar_uint16" - "fstar_int_cast" -> "fstar_uint16" - "fstar_int_cast" -> "fstar_uint8" - "fstar_int_cast" -> "fstar_uint8" - "fstar_int_cast" -> "fstar_pervasives" - "fstar_int_cast" -> "fstar_pervasives" - "fstar_int_cast" -> "prims" - "fstar_int_cast" -> "prims" - "fstar_stubs_errors_msg" -> "fstar_stubs_pprint" - "fstar_stubs_errors_msg" -> "fstar_pervasives" - "fstar_stubs_errors_msg" -> "fstar_pervasives" - 
"fstar_stubs_errors_msg" -> "prims" - "fstar_stubs_errors_msg" -> "prims" - "fstar_tactics_mapply" -> "fstar_squash" - "fstar_tactics_mapply" -> "fstar_squash" - "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" - "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" - "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_mapply" -> "fstar_tactics_namedview" - "fstar_tactics_mapply" -> "fstar_tactics_namedview" - "fstar_tactics_mapply" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_mapply" -> "fstar_tactics_effect" - "fstar_tactics_mapply" -> "fstar_tactics_effect" - "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" - "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" - "fstar_tactics_mapply" -> "fstar_reflection_v2" - "fstar_tactics_mapply" -> "fstar_reflection_v2" - "fstar_tactics_mapply" -> "fstar_pervasives" - "fstar_tactics_mapply" -> "fstar_pervasives" - "fstar_tactics_mapply" -> "prims" - "fstar_tactics_mapply" -> "prims" - "fstar_tactics_mapply" -> "fstar_tactics_mapply" - "fstar_monotonic_heap" -> "fstar_preorder" - "fstar_monotonic_heap" -> "fstar_preorder" - "fstar_monotonic_heap" -> "fstar_tset" - "fstar_monotonic_heap" -> "fstar_tset" - "fstar_monotonic_heap" -> "fstar_set" - "fstar_monotonic_heap" -> "fstar_set" - "fstar_monotonic_heap" -> "fstar_pervasives" - "fstar_monotonic_heap" -> "fstar_pervasives" - "fstar_monotonic_heap" -> "prims" - "fstar_monotonic_heap" -> "prims" - "fstar_stubs_tactics_common" -> "fstar_range" - "fstar_stubs_tactics_common" -> "fstar_stubs_errors_msg" - "fstar_stubs_tactics_common" -> "fstar_pervasives" - "fstar_stubs_tactics_common" -> "fstar_pervasives" - "fstar_stubs_tactics_common" -> 
"prims" - "fstar_stubs_tactics_common" -> "prims" - "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" - "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" - "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_types" - "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_builtins" - "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_data" - "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" - "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" - "fstar_stubs_reflection_v1_data" -> "prims" - "fstar_stubs_reflection_v1_data" -> "prims" - "fstar_seq_base" -> "fstar_list_tot" - "fstar_seq_base" -> "fstar_list_tot" - "fstar_seq_base" -> "fstar_pervasives" - "fstar_seq_base" -> "fstar_pervasives" - "fstar_seq_base" -> "prims" - "fstar_seq_base" -> "prims" - "fstar_seq_base" -> "fstar_seq_base" - "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" - "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" - "fstar_tactics_v2_derived" -> "fstar_squash" - "fstar_tactics_v2_derived" -> "fstar_squash" - "fstar_tactics_v2_derived" -> "fstar_range" - "fstar_tactics_v2_derived" -> "fstar_pervasives_native" - "fstar_tactics_v2_derived" -> "fstar_pervasives_native" - "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" - "fstar_tactics_v2_derived" -> "fstar_tactics_visit" - "fstar_tactics_v2_derived" -> "fstar_tactics_visit" - "fstar_tactics_v2_derived" -> "fstar_list_tot_base" - "fstar_tactics_v2_derived" -> "fstar_list_tot_base" - "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" - "fstar_tactics_v2_derived" -> "fstar_tactics_namedview" - "fstar_tactics_v2_derived" -> "fstar_tactics_namedview" - "fstar_tactics_v2_derived" -> "fstar_vconfig" - "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_v2_derived" -> 
"fstar_tactics_v2_syntaxhelpers" - "fstar_tactics_v2_derived" -> "fstar_tactics_util" - "fstar_tactics_v2_derived" -> "fstar_tactics_util" - "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_result" - "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_types" - "fstar_tactics_v2_derived" -> "fstar_tactics_effect" - "fstar_tactics_v2_derived" -> "fstar_tactics_effect" - "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" - "fstar_tactics_v2_derived" -> "fstar_reflection_v2" - "fstar_tactics_v2_derived" -> "fstar_reflection_v2" - "fstar_tactics_v2_derived" -> "fstar_pervasives" - "fstar_tactics_v2_derived" -> "fstar_pervasives" - "fstar_tactics_v2_derived" -> "prims" - "fstar_tactics_v2_derived" -> "prims" - "fstar_uint128" -> "fstar_pervasives_native" - "fstar_uint128" -> "fstar_pervasives_native" - "fstar_uint128" -> "fstar_int_cast" - "fstar_uint128" -> "fstar_int_cast" - "fstar_uint128" -> "fstar_calc" - "fstar_uint128" -> "fstar_calc" - "fstar_uint128" -> "fstar_classical_sugar" - "fstar_uint128" -> "fstar_classical_sugar" - "fstar_uint128" -> "fstar_tactics_effect" - "fstar_uint128" -> "fstar_tactics_effect" - "fstar_uint128" -> "fstar_tactics_bv" - "fstar_uint128" -> "fstar_tactics_bv" - "fstar_uint128" -> "fstar_tactics_v2" - "fstar_uint128" -> "fstar_tactics_v2" - "fstar_uint128" -> "fstar_bv" - "fstar_uint128" -> "fstar_bv" - "fstar_uint128" -> "fstar_math_lemmas" - "fstar_uint128" -> "fstar_math_lemmas" - "fstar_uint128" -> "fstar_uint64" - "fstar_uint128" -> "fstar_uint64" - "fstar_uint128" -> "fstar_uint32" - "fstar_uint128" -> "fstar_uint32" - "fstar_uint128" -> "fstar_bitvector" - "fstar_uint128" -> "fstar_bitvector" - "fstar_uint128" -> "fstar_seq" - "fstar_uint128" -> "fstar_seq" - "fstar_uint128" -> "fstar_uint" - "fstar_uint128" -> "fstar_uint" - "fstar_uint128" -> "fstar_mul" - "fstar_uint128" -> "fstar_mul" - 
"fstar_uint128" -> "fstar_pervasives" - "fstar_uint128" -> "fstar_pervasives" - "fstar_uint128" -> "prims" - "fstar_uint128" -> "prims" - "fstar_uint128" -> "fstar_uint128" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "core" - "bitvec_equality" -> "core" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "prims" - "bitvec_equality" -> "prims" - "fstar_int8" -> "fstar_uint" - "fstar_int8" -> "fstar_uint" - "fstar_int8" -> "fstar_uint32" - "fstar_int8" -> "fstar_uint32" - "fstar_int8" -> "fstar_mul" - "fstar_int8" -> "fstar_mul" - "fstar_int8" -> "fstar_int" - "fstar_int8" -> "fstar_int" - "fstar_int8" -> "fstar_pervasives" - "fstar_int8" -> "fstar_pervasives" - "fstar_int8" -> "prims" - "fstar_int8" -> "prims" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "fstar_seq" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "lib_inttypes" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "fstar_list_tot" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "rust_primitives_integers" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "fstar_pervasives" - "rust_primitives_arrays" -> "prims" - "rust_primitives_arrays" -> "prims" - "rust_primitives_arrays" -> "rust_primitives_arrays" - "fstar_int128" -> "fstar_int64" - "fstar_int128" -> "fstar_int64" - "fstar_int128" -> "fstar_uint" - "fstar_int128" -> "fstar_uint" - "fstar_int128" -> "fstar_uint32" - "fstar_int128" -> "fstar_uint32" - "fstar_int128" -> "fstar_mul" - "fstar_int128" -> "fstar_mul" - "fstar_int128" -> "fstar_int" - "fstar_int128" -> "fstar_int" - "fstar_int128" -> "fstar_pervasives" 
- "fstar_int128" -> "fstar_pervasives" - "fstar_int128" -> "prims" - "fstar_int128" -> "prims" - "fstar_uint16" -> "fstar_uint32" - "fstar_uint16" -> "fstar_uint32" - "fstar_uint16" -> "fstar_mul" - "fstar_uint16" -> "fstar_mul" - "fstar_uint16" -> "fstar_uint" - "fstar_uint16" -> "fstar_uint" - "fstar_uint16" -> "fstar_pervasives" - "fstar_uint16" -> "fstar_pervasives" - "fstar_uint16" -> "prims" - "fstar_uint16" -> "prims" - "fstar_calc" -> "fstar_range" - "fstar_calc" -> "fstar_preorder" - "fstar_calc" -> "fstar_preorder" - "fstar_calc" -> "fstar_pervasives" - "fstar_calc" -> "fstar_pervasives" - "fstar_calc" -> "prims" - "fstar_calc" -> "prims" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_functionalextensionality" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "fstar_mul" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "rust_primitives" - "bitvec_equality" -> "core" - "bitvec_equality" -> "core" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "fstar_pervasives" - "bitvec_equality" -> "prims" - "bitvec_equality" -> "prims" - "bitvec_equality" -> "bitvec_equality" - "fstar_sealed" -> "fstar_pervasives" - "fstar_sealed" -> "fstar_pervasives" - "fstar_sealed" -> "prims" - "fstar_sealed" -> "prims" - "fstar_int" -> "fstar_seq" - "fstar_int" -> "fstar_seq" - "fstar_int" -> "fstar_uint" - "fstar_int" -> "fstar_uint" - "fstar_int" -> "fstar_math_lemmas" - "fstar_int" -> "fstar_math_lemmas" - "fstar_int" -> "fstar_bitvector" - "fstar_int" -> "fstar_bitvector" - "fstar_int" -> "fstar_mul" - "fstar_int" -> "fstar_mul" - "fstar_int" -> "fstar_pervasives" - "fstar_int" -> "fstar_pervasives" - "fstar_int" -> "prims" - "fstar_int" -> "prims" - "fstar_uint64" -> "fstar_uint32" - "fstar_uint64" -> "fstar_uint32" - "fstar_uint64" -> "fstar_mul" - "fstar_uint64" -> "fstar_mul" - "fstar_uint64" -> "fstar_uint" - "fstar_uint64" -> "fstar_uint" - "fstar_uint64" -> "fstar_pervasives" - "fstar_uint64" 
-> "fstar_pervasives" - "fstar_uint64" -> "prims" - "fstar_uint64" -> "prims" - "fstar_indefinitedescription" -> "fstar_ghost" - "fstar_indefinitedescription" -> "fstar_ghost" - "fstar_indefinitedescription" -> "fstar_squash" - "fstar_indefinitedescription" -> "fstar_squash" - "fstar_indefinitedescription" -> "fstar_classical" - "fstar_indefinitedescription" -> "fstar_classical" - "fstar_indefinitedescription" -> "fstar_pervasives" - "fstar_indefinitedescription" -> "fstar_pervasives" - "fstar_indefinitedescription" -> "prims" - "fstar_indefinitedescription" -> "prims" - "fstar_indefinitedescription" -> "fstar_indefinitedescription" - "fstar_int64" -> "fstar_uint32" - "fstar_int64" -> "fstar_uint32" - "fstar_int64" -> "fstar_math_lemmas" - "fstar_int64" -> "fstar_math_lemmas" - "fstar_int64" -> "fstar_mul" - "fstar_int64" -> "fstar_mul" - "fstar_int64" -> "fstar_int" - "fstar_int64" -> "fstar_int" - "fstar_int64" -> "fstar_pervasives" - "fstar_int64" -> "fstar_pervasives" - "fstar_int64" -> "prims" - "fstar_int64" -> "prims" - "fstar_int64" -> "fstar_int64" - "fstar_classical_sugar" -> "fstar_pervasives" - "fstar_classical_sugar" -> "fstar_pervasives" - "fstar_classical_sugar" -> "prims" - "fstar_classical_sugar" -> "prims" - "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" - "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" - "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" - "fstar_reflection_termeq_simple" -> "fstar_pervasives" - "fstar_reflection_termeq_simple" -> "fstar_pervasives" - "fstar_reflection_termeq_simple" -> "prims" - "fstar_reflection_termeq_simple" -> "prims" - "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq_simple" - "fstar_pervasives_native" -> "prims" - "fstar_pervasives_native" -> "prims" - "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_types" - "fstar_tactics_typeclasses" -> "fstar_tactics_effect" - "fstar_tactics_typeclasses" -> "fstar_tactics_effect" - 
"fstar_tactics_typeclasses" -> "fstar_pervasives" - "fstar_tactics_typeclasses" -> "fstar_pervasives" - "fstar_tactics_typeclasses" -> "prims" - "fstar_tactics_typeclasses" -> "prims" - "fstar_stubs_pprint" -> "fstar_float" - "fstar_stubs_pprint" -> "fstar_char" - "fstar_stubs_pprint" -> "fstar_pervasives" - "fstar_stubs_pprint" -> "fstar_pervasives" - "fstar_stubs_pprint" -> "prims" - "fstar_stubs_pprint" -> "prims" - "fstar_sealed_inhabited" -> "fstar_sealed" - "fstar_sealed_inhabited" -> "fstar_pervasives" - "fstar_sealed_inhabited" -> "fstar_pervasives" - "fstar_sealed_inhabited" -> "prims" - "fstar_sealed_inhabited" -> "prims" - "fstar_tactics_namedview" -> "fstar_list_tot" - "fstar_tactics_namedview" -> "fstar_list_tot" - "fstar_tactics_namedview" -> "fstar_pervasives_native" - "fstar_tactics_namedview" -> "fstar_pervasives_native" - "fstar_tactics_namedview" -> "fstar_stubs_reflection_v2_data" - "fstar_tactics_namedview" -> "fstar_reflection_v2" - "fstar_tactics_namedview" -> "fstar_reflection_v2" - "fstar_tactics_namedview" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_namedview" -> "fstar_tactics_util" - "fstar_tactics_namedview" -> "fstar_tactics_util" - "fstar_tactics_namedview" -> "fstar_tactics_effect" - "fstar_tactics_namedview" -> "fstar_tactics_effect" - "fstar_tactics_namedview" -> "fstar_pervasives" - "fstar_tactics_namedview" -> "fstar_pervasives" - "fstar_tactics_namedview" -> "prims" - "fstar_tactics_namedview" -> "prims" - "fstar_tactics_namedview" -> "fstar_tactics_namedview" - "fstar_heap" -> "fstar_preorder" - "fstar_heap" -> "fstar_preorder" - "fstar_heap" -> "fstar_monotonic_heap" - "fstar_heap" -> "fstar_monotonic_heap" - "fstar_heap" -> "fstar_pervasives" - "fstar_heap" -> "fstar_pervasives" - "fstar_heap" -> "prims" - "fstar_heap" -> "prims" - "mkseq" -> "fstar_tactics_effect" - "mkseq" -> "fstar_tactics_effect" - "mkseq" -> "fstar_classical" - "mkseq" -> "fstar_classical" - "mkseq" -> "fstar_list_tot" - "mkseq" -> 
"fstar_list_tot" - "mkseq" -> "fstar_pervasives_native" - "mkseq" -> "fstar_pervasives_native" - "mkseq" -> "fstar_tactics" - "mkseq" -> "fstar_tactics" - "mkseq" -> "fstar_seq" - "mkseq" -> "fstar_seq" - "mkseq" -> "fstar_reflection_v2" - "mkseq" -> "fstar_reflection_v2" - "mkseq" -> "rust_primitives_integers" - "mkseq" -> "rust_primitives_integers" - "mkseq" -> "fstar_tactics_v2" - "mkseq" -> "fstar_tactics_v2" - "mkseq" -> "core" - "mkseq" -> "core" - "mkseq" -> "fstar_pervasives" - "mkseq" -> "fstar_pervasives" - "mkseq" -> "prims" - "mkseq" -> "prims" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_types" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" - "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" - "fstar_tactics_v2_syntaxhelpers" -> "prims" - "fstar_tactics_v2_syntaxhelpers" -> "prims" - "bitvec_intrinsics_constants" -> "fstar_tactics_visit" - "bitvec_intrinsics_constants" -> "fstar_tactics_visit" - "bitvec_intrinsics_constants" -> "tactics_seq" - "bitvec_intrinsics_constants" -> "tactics_seq" - "bitvec_intrinsics_constants" -> "tactics_pow2" - "bitvec_intrinsics_constants" -> "tactics_pow2" - "bitvec_intrinsics_constants" -> "fstar_tactics_effect" - "bitvec_intrinsics_constants" -> "fstar_tactics_effect" - "bitvec_intrinsics_constants" -> 
"fstar_list_tot" - "bitvec_intrinsics_constants" -> "fstar_list_tot" - "bitvec_intrinsics_constants" -> "fstar_reflection_v2" - "bitvec_intrinsics_constants" -> "fstar_reflection_v2" - "bitvec_intrinsics_constants" -> "fstar_pervasives_native" - "bitvec_intrinsics_constants" -> "fstar_pervasives_native" - "bitvec_intrinsics_constants" -> "fstar_tactics" - "bitvec_intrinsics_constants" -> "fstar_tactics" - "bitvec_intrinsics_constants" -> "tactics_utils" - "bitvec_intrinsics_constants" -> "tactics_utils" - "bitvec_intrinsics_constants" -> "fstar_tactics_v2" - "bitvec_intrinsics_constants" -> "fstar_tactics_v2" - "bitvec_intrinsics_constants" -> "fstar_int32" - "bitvec_intrinsics_constants" -> "fstar_int32" - "bitvec_intrinsics_constants" -> "fstar_int16" - "bitvec_intrinsics_constants" -> "fstar_int16" - "bitvec_intrinsics_constants" -> "bitvec_equality" - "bitvec_intrinsics_constants" -> "bitvec_equality" - "bitvec_intrinsics_constants" -> "bitvec_utils" - "bitvec_intrinsics_constants" -> "bitvec_utils" - "bitvec_intrinsics_constants" -> "fstar_functionalextensionality" - "bitvec_intrinsics_constants" -> "fstar_functionalextensionality" - "bitvec_intrinsics_constants" -> "fstar_mul" - "bitvec_intrinsics_constants" -> "fstar_mul" - "bitvec_intrinsics_constants" -> "rust_primitives" - "bitvec_intrinsics_constants" -> "rust_primitives" - "bitvec_intrinsics_constants" -> "core" - "bitvec_intrinsics_constants" -> "core" - "bitvec_intrinsics_constants" -> "fstar_pervasives" - "bitvec_intrinsics_constants" -> "fstar_pervasives" - "bitvec_intrinsics_constants" -> "prims" - "bitvec_intrinsics_constants" -> "prims" - "fstar_order" -> "fstar_pervasives_native" - "fstar_order" -> "fstar_pervasives_native" - "fstar_order" -> "fstar_pervasives" - "fstar_order" -> "fstar_pervasives" - "fstar_order" -> "prims" - "fstar_order" -> "prims" - "fstar_tactics_effect" -> "fstar_range" - "fstar_tactics_effect" -> "fstar_stubs_tactics_result" - "fstar_tactics_effect" -> 
"fstar_stubs_tactics_types" - "fstar_tactics_effect" -> "fstar_stubs_reflection_types" - "fstar_tactics_effect" -> "fstar_monotonic_pure" - "fstar_tactics_effect" -> "fstar_monotonic_pure" - "fstar_tactics_effect" -> "fstar_pervasives" - "fstar_tactics_effect" -> "fstar_pervasives" - "fstar_tactics_effect" -> "prims" - "fstar_tactics_effect" -> "prims" - "core_ops" -> "core_ops_index" - "core_ops" -> "core_ops_index" - "core_ops" -> "fstar_tactics_typeclasses" - "core_ops" -> "fstar_tactics_typeclasses" - "core_ops" -> "rust_primitives" - "core_ops" -> "rust_primitives" - "core_ops" -> "fstar_pervasives" - "core_ops" -> "fstar_pervasives" - "core_ops" -> "prims" - "core_ops" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "fstar_mul" - "libcrux_intrinsics_avx2_extract" -> "core" - "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" - "libcrux_intrinsics_avx2_extract" -> "prims" - "libcrux_intrinsics_avx2_extract" -> "libcrux_intrinsics_avx2_extract" - "core_result" -> "fstar_pervasives" - "core_result" -> "fstar_pervasives" - "core_result" -> "prims" - "core_result" -> "prims" - "fstar_monotonic_heap" -> "fstar_erasedlogic" - "fstar_monotonic_heap" -> "fstar_erasedlogic" - "fstar_monotonic_heap" -> "fstar_squash" - "fstar_monotonic_heap" -> "fstar_squash" - "fstar_monotonic_heap" -> "fstar_set" - "fstar_monotonic_heap" -> "fstar_set" - "fstar_monotonic_heap" -> "fstar_pervasives_native" - "fstar_monotonic_heap" -> "fstar_pervasives_native" - "fstar_monotonic_heap" -> "fstar_functionalextensionality" - "fstar_monotonic_heap" -> "fstar_functionalextensionality" - "fstar_monotonic_heap" -> "fstar_classical" - "fstar_monotonic_heap" -> "fstar_classical" - "fstar_monotonic_heap" -> "fstar_preorder" - "fstar_monotonic_heap" -> "fstar_preorder" - "fstar_monotonic_heap" -> "fstar_pervasives" - "fstar_monotonic_heap" -> "fstar_pervasives" - "fstar_monotonic_heap" -> "prims" - "fstar_monotonic_heap" -> "prims" - "fstar_monotonic_heap" -> "fstar_monotonic_heap" - 
"fstar_tactics_smt" -> "fstar_vconfig" - "fstar_tactics_smt" -> "fstar_stubs_tactics_v2_builtins" - "fstar_tactics_smt" -> "fstar_tactics_effect" - "fstar_tactics_smt" -> "fstar_tactics_effect" - "fstar_tactics_smt" -> "fstar_pervasives" - "fstar_tactics_smt" -> "fstar_pervasives" - "fstar_tactics_smt" -> "prims" - "fstar_tactics_smt" -> "prims" - "fstar_reflection_v2_compare" -> "fstar_order" - "fstar_reflection_v2_compare" -> "fstar_order" - "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" - "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" - "fstar_reflection_v2_compare" -> "fstar_pervasives" - "fstar_reflection_v2_compare" -> "fstar_pervasives" - "fstar_reflection_v2_compare" -> "prims" - "fstar_reflection_v2_compare" -> "prims" - "fstar_int64" -> "fstar_uint" - "fstar_int64" -> "fstar_uint" - "fstar_int64" -> "fstar_uint32" - "fstar_int64" -> "fstar_uint32" - "fstar_int64" -> "fstar_mul" - "fstar_int64" -> "fstar_mul" - "fstar_int64" -> "fstar_int" - "fstar_int64" -> "fstar_int" - "fstar_int64" -> "fstar_pervasives" - "fstar_int64" -> "fstar_pervasives" - "fstar_int64" -> "prims" - "fstar_int64" -> "prims" - "core_iter_adapters_enumerate" -> "rust_primitives" - "core_iter_adapters_enumerate" -> "rust_primitives" - "core_iter_adapters_enumerate" -> "fstar_pervasives" - "core_iter_adapters_enumerate" -> "fstar_pervasives" - "core_iter_adapters_enumerate" -> "prims" - "core_iter_adapters_enumerate" -> "prims" - "fstar_reflection_v1_formula" -> "fstar_pervasives_native" - "fstar_reflection_v1_formula" -> "fstar_pervasives_native" - "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_data" - "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" - "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_builtins" - "fstar_reflection_v1_formula" -> "fstar_reflection_const" - "fstar_reflection_v1_formula" -> "fstar_reflection_const" - 
"fstar_reflection_v1_formula" -> "fstar_stubs_reflection_types" - "fstar_reflection_v1_formula" -> "fstar_stubs_tactics_v1_builtins" - "fstar_reflection_v1_formula" -> "fstar_tactics_effect" - "fstar_reflection_v1_formula" -> "fstar_tactics_effect" - "fstar_reflection_v1_formula" -> "fstar_list_tot_base" - "fstar_reflection_v1_formula" -> "fstar_list_tot_base" - "fstar_reflection_v1_formula" -> "fstar_pervasives" - "fstar_reflection_v1_formula" -> "fstar_pervasives" - "fstar_reflection_v1_formula" -> "prims" - "fstar_reflection_v1_formula" -> "prims" -} diff --git a/libcrux-intrinsics/Cargo.toml b/libcrux-intrinsics/Cargo.toml index 5cacc5bee..cdc0acc2b 100644 --- a/libcrux-intrinsics/Cargo.toml +++ b/libcrux-intrinsics/Cargo.toml @@ -11,7 +11,6 @@ description = "Libcrux intrinsics crate" exclude = ["/proofs"] [dependencies] -hax-lib.workspace = true [features] simd128 = [] diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst deleted file mode 100644 index 167d0b324..000000000 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst +++ /dev/null 
@@ -1,1214 +0,0 @@ -module Libcrux_intrinsics.Avx2_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" -open Core -open FStar.Mul - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3091; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! 
\027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3091; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3091; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3091; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 
}; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_and_si256"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3580; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = 
[]} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3580; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3580; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3580; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { 
Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_castsi128_si256"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3681; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 
0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3681; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3681; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3681; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col 
= 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_extracti128_si256"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. 
Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 2293; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! 
\027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 2293; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 2293; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 2293; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 
}; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_madd_epi16"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 2613; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = 
[]} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 2613; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 2613; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 2613; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { 
Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_mullo_epi16"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3439; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 
}; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3439; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3439; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3439; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 
14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_slli_epi16"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. 
Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3378; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! 
\027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3378; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3378; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3378; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 
}; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm256_srli_epi16"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3719; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = 
[]} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3719; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3719; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3719; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { 
Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm_movemask_epi8"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 3630; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; 
- { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 3630; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 3630; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 3630; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; 
line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm_packs_epi16"); disambiguator = 0 - } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! -Details: Malformed `Quote` item: `quote_of_expr` failed. 
Expression was: -{ Ast.Make.e = - Ast.Make.App { - f = - { Ast.Make.e = - (Ast.Make.GlobalVar - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value })); - span = - { Span.id = 1423; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - )) - }; - args = - [{ Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "(AST import) Fatal error: something we considered as impossible occurred! 
\027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); - span = - { Span.id = 1423; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr }; - { Ast.Make.e = - (Ast.Make.Literal - (Ast.String - "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); - span = - { Span.id = 1423; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath - "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = Ast.Make.TStr } - ]; - generic_args = []; bounds_impls = []; trait = None}; - span = - { Span.id = 1423; - data = - [{ Span.Imported.filename = - (Span.Imported.Real - (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); - hi = { Span.Imported.col = 14; line = 50 }; - lo = { Span.Imported.col = 12; line = 39 } } - ] - }; - typ = - Ast.Make.TApp { - ident = - `Concrete ({ Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "rust_primitives"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); - disambiguator = 0 
}; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Type }); - args = []} - } - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_intrinsics"; - path = - [{ Concrete_ident.Imported.data = - (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "mm_storeu_bytes_si128"); - disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti index 16d93fb14..8e2571881 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti 
@@ -3,299 +3,205 @@ module Libcrux_intrinsics.Avx2_extract open Core open FStar.Mul -val mm256_movemask_ps (a: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) +val mm256_abs_epi32 (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_add_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_add_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_add_epi64 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_and_si256 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -unfold type t_Vec128 = bit_vec 128 -val vec128_as_i16x8 (x: bit_vec 128) : t_Array i16 (sz 8) -let get_lane128 (v: bit_vec 128) (i:nat{i < 8}) = Seq.index (vec128_as_i16x8 v) i +val mm256_andnot_si256 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -unfold type t_Vec256 = bit_vec 256 -val vec256_as_i16x16 (x: bit_vec 256) : t_Array i16 (sz 16) -let get_lane (v: bit_vec 256) (i:nat{i < 16}) = Seq.index (vec256_as_i16x16 v) i +val mm256_blend_epi16 (v_CONTROL: i32) (lhs rhs: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_abs_epi32 (a: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_blend_epi32 (v_CONTROL: i32) (lhs rhs: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_add_epi16 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 - Prims.l_True - (ensures - fun result -> - let result:t_Vec256 = result in - vec256_as_i16x16 result == - Spec.Utils.map2 ( +. 
) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs)) +val mm256_bsrli_epi128 (v_SHIFT_BY: i32) (x: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_add_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_castsi128_si256 (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_add_epi64 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_castsi256_ps (a: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_andnot_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_castsi256_si128 (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_blend_epi16 (v_CONTROL: i32) (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_cmpeq_epi32 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_blend_epi32 (v_CONTROL: i32) (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_cmpgt_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_bsrli_epi128 (v_SHIFT_BY: i32) (x: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_cmpgt_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_castsi128_si256 (vector: t_Vec128) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_cvtepi16_epi32 (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_castsi256_ps (a: t_Vec256) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) +val mm256_extracti128_si256 (v_CONTROL: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_cmpeq_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_inserti128_si256 (v_CONTROL: i32) (vector vector_i128: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_cmpgt_epi16 
(lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_loadu_si256_i16 (input: t_Slice i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_cmpgt_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_loadu_si256_i32 (input: t_Slice i32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_cvtepi16_epi32 (vector: t_Vec128) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_loadu_si256_u8 (input: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_inserti128_si256 (v_CONTROL: i32) (vector: t_Vec256) (vector_i128: t_Vec128) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_madd_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_loadu_si256_i16 (input: t_Slice i16) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_movemask_ps (a: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_mul_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_loadu_si256_i32 (input: t_Slice i32) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_mul_epu32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_loadu_si256_u8 (input: t_Slice u8) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_mulhi_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_mul_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_mullo_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_mul_epu32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_mullo_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_mulhi_epi16 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 - Prims.l_True - (ensures - fun result -> - let 
result:t_Vec256 = result in - vec256_as_i16x16 result == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (vec256_as_i16x16 lhs) - (vec256_as_i16x16 rhs)) +val mm256_or_si256 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_mullo_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_packs_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_or_si256 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_permute2x128_si256 (v_IMM8: i32) (a b: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_packs_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_permute4x64_epi64 (v_CONTROL: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_permute2x128_si256 (v_IMM8: i32) (a b: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_permutevar8x32_epi32 (vector control: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_permute4x64_epi64 (v_CONTROL: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_set1_epi16 (constant: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_permutevar8x32_epi32} +val mm256_set1_epi32 (constant: i32) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_set1_epi32 (constant: i32) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_set1_epi64x (a: i64) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_set1_epi64x (a: i64) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_set_epi16 + (input15 input14 input13 input12 input11 input10 input9 input8 input7 input6 input5 input4 input3 input2 input1 input0: + i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics 
{mm256_set_epi32} +val mm256_set_epi32 (input7 input6 input5 input4 input3 input2 input1 input0: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) val mm256_set_epi64x (input3 input2 input1 input0: i64) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_set_epi8 + (byte31 byte30 byte29 byte28 byte27 byte26 byte25 byte24 byte23 byte22 byte21 byte20 byte19 byte18 byte17 byte16 byte15 byte14 byte13 byte12 byte11 byte10 byte9 byte8 byte7 byte6 byte5 byte4 byte3 byte2 byte1 byte0: + i8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_set_m128i (hi lo: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm256_setzero_si256: Prims.unit -> Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_set_epi8} +val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_set_m128i (hi lo: t_Vec128) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_shuffle_epi8 (vector control: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_setzero_si256: Prims.unit -> Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_sign_epi32 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_shuffle_epi32 (v_CONTROL: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_slli_epi16 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_shuffle_epi8} +val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_sign_epi32 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_slli_epi64 (v_LEFT: i32) (x: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_slli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) - : Prims.Pure 
t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_sllv_epi32 (vector counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_slli_epi64 (v_LEFT: i32) (x: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srai_epi16 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_sllv_epi32} +val mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srai_epi16 (v_SHIFT_BY: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 - (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l) - (ensures - fun result -> - let result:t_Vec256 = result in - vec256_as_i16x16 result == - Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (vec256_as_i16x16 vector)) +val mm256_srli_epi16 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srai_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srli_epi32 (v_SHIFT_BY: i32) (vector: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srli_epi64 (v_SHIFT_BY: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srlv_epi32 (vector counts: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srlv_epi32 (vector counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_srlv_epi64 (vector counts: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm256_srlv_epi64 (vector counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm256_storeu_si256_i16 (output: t_Slice i16) (vector: t_Vec256) - : Prims.Pure (t_Slice i16) - Prims.l_True - (ensures - fun output_future -> - let output_future:t_Slice i16 = output_future in - 
(Core.Slice.impl__len #i16 output_future <: usize) =. - (Core.Slice.impl__len #i16 output <: usize)) +val mm256_storeu_si256_i16 (output: t_Slice i16) (vector: u8) + : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True) -val mm256_storeu_si256_i32 (output: t_Slice i32) (vector: t_Vec256) +val mm256_storeu_si256_i32 (output: t_Slice i32) (vector: u8) : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) -val mm256_storeu_si256_u8 (output: t_Slice u8) (vector: t_Vec256) +val mm256_storeu_si256_u8 (output: t_Slice u8) (vector: u8) : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) -val mm256_sub_epi16 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 - Prims.l_True - (ensures - fun result -> - let result:t_Vec256 = result in - vec256_as_i16x16 result == - Spec.Utils.map2 ( -. ) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs)) - -val mm256_sub_epi32 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_testz_si256 (lhs rhs: t_Vec256) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_unpackhi_epi32 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_unpackhi_epi64 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_unpacklo_epi32 (lhs rhs: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_unpacklo_epi64 (a b: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm256_xor_si256 (lhs rhs: t_Vec256) : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val mm_add_epi16 (lhs rhs: t_Vec128) - : Prims.Pure t_Vec128 - Prims.l_True - (ensures - fun result -> - let result:t_Vec128 = result in - vec128_as_i16x8 result == - Spec.Utils.map2 ( +. 
) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs)) - -include BitVec.Intrinsics {mm_loadu_si128} - -val mm_mulhi_epi16 (lhs rhs: t_Vec128) - : Prims.Pure t_Vec128 - Prims.l_True - (ensures - fun result -> - let result:t_Vec128 = result in - vec128_as_i16x8 result == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (vec128_as_i16x8 lhs) - (vec128_as_i16x8 rhs)) - -val mm_mullo_epi16 (lhs rhs: t_Vec128) - : Prims.Pure t_Vec128 - Prims.l_True - (ensures - fun result -> - let result:t_Vec128 = result in - vec128_as_i16x8 result == - Spec.Utils.map2 mul_mod (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs)) - -val mm_set1_epi16 (constant: i16) - : Prims.Pure t_Vec128 - Prims.l_True - (ensures - fun result -> - let result:t_Vec128 = result in - vec128_as_i16x8 result == Spec.Utils.create (sz 8) constant) +val mm256_sub_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_set_epi32 (input3 input2 input1 input0: i32) - : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) +val mm256_sub_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm_set_epi8} +val mm256_testz_si256 (lhs rhs: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm_shuffle_epi8} +val mm256_unpackhi_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_sllv_epi32 (vector counts: t_Vec128) - : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) +val mm256_unpackhi_epi64 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_srli_epi64 (v_SHIFT_BY: i32) (vector: t_Vec128) - : Prims.Pure t_Vec128 Prims.l_True (fun _ -> Prims.l_True) +val mm256_unpacklo_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm_storeu_bytes_si128} +val mm256_unpacklo_epi64 (a b: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_storeu_si128 (output: t_Slice i16) 
(vector: t_Vec128) - : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True) +val mm256_xor_si256 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_storeu_si128_i32 (output: t_Slice i32) (vector: t_Vec128) - : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True) +val mm_add_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val mm_loadu_si128 (input: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val mm_sub_epi16 (lhs rhs: t_Vec128) - : Prims.Pure t_Vec128 - Prims.l_True - (ensures - fun result -> - let result:t_Vec128 = result in - vec128_as_i16x8 result == - Spec.Utils.map2 ( -. ) (vec128_as_i16x8 lhs) (vec128_as_i16x8 rhs)) +val mm_movemask_epi8 (vector: u8) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) -val vec256_blendv_epi32 (a b mask: t_Vec256) - : Prims.Pure t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val mm_mulhi_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_and_si256 as mm256_and_si256} -val lemma_mm256_and_si256 lhs rhs - : Lemma ( vec256_as_i16x16 (mm256_and_si256 lhs rhs) - == Spec.Utils.map2 (&.) 
(vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs) - ) - [SMTPat (vec256_as_i16x16 (mm256_and_si256 lhs rhs))] +val mm_mullo_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_castsi256_si128 as mm256_castsi256_si128} +val mm_packs_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_extracti128_si256 as mm256_extracti128_si256} +val mm_set1_epi16 (constant: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_madd_epi16 as mm256_madd_epi16} +val mm_set_epi32 (input3 input2 input1 input0: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_mullo_epi16 as mm256_mullo_epi16} -let lemma_mm256_mullo_epi16 v1 v2 : - Lemma (vec256_as_i16x16 (mm256_mullo_epi16 v1 v2) == - Spec.Utils.map2 mul_mod (vec256_as_i16x16 v1) (vec256_as_i16x16 v2)) - [SMTPat (vec256_as_i16x16 (mm256_mullo_epi16 v1 v2))] = admit() +val mm_set_epi8 + (byte15 byte14 byte13 byte12 byte11 byte10 byte9 byte8 byte7 byte6 byte5 byte4 byte3 byte2 byte1 byte0: + u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_set1_epi16 as mm256_set1_epi16} -val lemma_mm256_set1_epi16 constant - : Lemma ( vec256_as_i16x16 (mm256_set1_epi16 constant) - == Spec.Utils.create (sz 16) constant - ) - [SMTPat (vec256_as_i16x16 (mm256_set1_epi16 constant))] +val mm_shuffle_epi8 (vector control: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_set_epi16 as mm256_set_epi16} -let lemma_mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 : - Lemma (vec256_as_i16x16 (mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) == - Spec.Utils.create16 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15) - [SMTPat (vec256_as_i16x16 (mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0))] = admit() +val mm_sllv_epi32 (vector 
counts: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_slli_epi16 as mm256_slli_epi16}
+val mm_srli_epi64 (v_SHIFT_BY: i32) (vector: u8)
+ : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_srli_epi16 as mm256_srli_epi16}
+val mm_storeu_bytes_si128 (output: t_Slice u8) (vector: u8)
+ : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm256_srli_epi64 as mm256_srli_epi64}
+val mm_storeu_si128 (output: t_Slice i16) (vector: u8)
+ : Prims.Pure (t_Slice i16) Prims.l_True (fun _ -> Prims.l_True)
+
+val mm_storeu_si128_i32 (output: t_Slice i32) (vector: u8)
+ : Prims.Pure (t_Slice i32) Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm_movemask_epi8 as mm_movemask_epi8}
+val mm_sub_epi16 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
-include BitVec.Intrinsics {mm_packs_epi16 as mm_packs_epi16}
+val vec256_blendv_epi32 (a b mask: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True)
diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Makefile b/libcrux-intrinsics/proofs/fstar/extraction/Makefile
deleted file mode 100644
index b4ce70a38..000000000
--- a/libcrux-intrinsics/proofs/fstar/extraction/Makefile
+++ /dev/null
@@ -1 +0,0 @@
-include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base
diff --git a/libcrux-intrinsics/src/arm64_extract.rs b/libcrux-intrinsics/src/arm64_extract.rs
index d41241275..e43abc8f4 100644
--- a/libcrux-intrinsics/src/arm64_extract.rs
+++ b/libcrux-intrinsics/src/arm64_extract.rs
@@ -3,23 +3,14 @@ #![allow(non_camel_case_types, unsafe_code, unused_variables)] -#[hax_lib::opaque_type] pub type _uint16x4_t = u8; -#[hax_lib::opaque_type] pub type _int16x4_t = u8; -#[hax_lib::opaque_type] pub type _int16x8_t = u8; -#[hax_lib::opaque_type] pub type _uint8x16_t = u8; -#[hax_lib::opaque_type] pub type _uint16x8_t = u8; -#[hax_lib::opaque_type] pub type _uint32x4_t = u8; -#[hax_lib::opaque_type] pub type _int32x4_t = u8; -#[hax_lib::opaque_type] pub type _uint64x2_t = u8; -#[hax_lib::opaque_type] pub type _int64x2_t = u8; #[inline(always)] diff --git a/libcrux-intrinsics/src/avx2_extract.rs b/libcrux-intrinsics/src/avx2_extract.rs index ce78d81e5..8afb4ab49 100644 --- a/libcrux-intrinsics/src/avx2_extract.rs +++ b/libcrux-intrinsics/src/avx2_extract.rs @@ -3,33 +3,7 @@ #![allow(unused_variables, non_camel_case_types)] -#[cfg(hax)] -#[derive(Clone, Copy)] -#[hax_lib::fstar::replace( - interface, - r#" -unfold type $:{Vec256} = bit_vec 256 -val vec256_as_i16x16 (x: bit_vec 256) : t_Array i16 (sz 16) -let get_lane (v: bit_vec 256) (i:nat{i < 16}) = Seq.index (vec256_as_i16x16 v) i -"# -)] -pub struct Vec256(u8); - -#[cfg(hax)] -#[derive(Copy, Clone)] -#[hax_lib::fstar::replace( - interface, - r#" -unfold type $:{Vec128} = bit_vec 128 -val vec128_as_i16x8 (x: bit_vec 128) : t_Array i16 (sz 8) -let get_lane128 (v: bit_vec 128) (i:nat{i < 8}) = Seq.index (vec128_as_i16x8 v) i -"# -)] -pub struct Vec128(u8); - -#[cfg(not(hax))] pub type Vec256 = u8; -#[cfg(not(hax))] pub type Vec128 = u8; pub type Vec256Float = u8; @@ -37,8 +11,6 @@ pub fn mm256_storeu_si256_u8(output: &mut [u8], vector: Vec256) { debug_assert_eq!(output.len(), 32); unimplemented!() } - -#[hax_lib::ensures(|()| future(output).len() == output.len())] pub fn mm256_storeu_si256_i16(output: &mut [i16], vector: Vec256) { debug_assert_eq!(output.len(), 16); unimplemented!() 
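Review bot: Under `cfg(hax)` the `@@ -3,33 +3,7 @@` hunk of `avx2_extract.rs` makes `Vec256` and `Vec128` the same unconditional `u8` alias, so the extracted model can no longer tell a 128-bit lane from a 256-bit one, and the `bit_vec 256`/`bit_vec 128` views (`vec256_as_i16x16`, `vec128_as_i16x8`) that the removed contracts were stated against disappear with them. The `@@ -37,8 +11,6 @@` hunk drops `#[hax_lib::ensures(|()| future(output).len() == output.len())]` on `mm256_storeu_si256_i16`, the arm64 hunk `@@ -3,23 +3,14 @@` drops every `#[hax_lib::opaque_type]`, and the later hunks (`@@ -229,27 +169,15 @@`, `@@ -326,9 +243,6 @@`, `@@ -352,17 +264,6 @@`, `@@ -381,9 +282,6 @@` among others) remove the remaining `ensures`/`requires` contracts and `fstar::replace` lemmas, leaving the shift range on `mm256_srai_epi16` checked only by a `debug_assert!` that release builds do not execute. Since the commit is titled "wip" this is presumably deliberate scaffolding, but nothing in the source records that the proof obligations are now weaker; a comment above the new `pub type Vec256 = u8;`, such as `// TODO(hax): Vec128/Vec256 are both plain u8 here, so extraction cannot distinguish lane widths and the former requires/ensures contracts are gone; restore the bit_vec models before relying on these proofs`, would keep that visible until the contracts come back.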
@@ -57,13 +29,11 @@ pub fn mm_storeu_si128_i32(output: &mut [i32], vector: Vec128) { unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_storeu_bytes_si128}")] pub fn mm_storeu_bytes_si128(output: &mut [u8], vector: Vec128) { debug_assert_eq!(output.len(), 16); unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_loadu_si128}")] pub fn mm_loadu_si128(input: &[u8]) -> Vec128 { debug_assert_eq!(input.len(), 16); unimplemented!() @@ -89,7 +59,6 @@ pub fn mm256_set_m128i(hi: Vec128, lo: Vec128) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_set_epi8}")] pub fn mm_set_epi8( byte15: u8, byte14: u8, @@ -111,7 +80,6 @@ pub fn mm_set_epi8( unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_set_epi8}")] pub fn mm256_set_epi8( byte31: i8, byte30: i8, 
@@ -149,33 +117,9 @@ pub fn mm256_set_epi8( unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.create (sz 16) $constant"))] -#[hax_lib::fstar::replace( - interface, - r#" -include BitVec.Intrinsics {mm256_set1_epi16 as ${mm256_set1_epi16}} -val lemma_mm256_set1_epi16 constant - : Lemma ( vec256_as_i16x16 (mm256_set1_epi16 constant) - == Spec.Utils.create (sz 16) constant - ) - [SMTPat (vec256_as_i16x16 (mm256_set1_epi16 constant))] -"# -)] pub fn mm256_set1_epi16(constant: i16) -> Vec256 { unimplemented!() } - -#[hax_lib::fstar::replace( - interface, - r#" -include BitVec.Intrinsics {mm256_set_epi16 as ${mm256_set_epi16}} -let lemma_mm256_set_epi16 v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0 : - Lemma (vec256_as_i16x16 (${mm256_set_epi16} v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0) == - Spec.Utils.create16 v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 v11 v12 v13 v14 v15) - [SMTPat (vec256_as_i16x16 (${mm256_set_epi16} v15 v14 v13 v12 v11 v10 v9 v8 v7 v6 v5 v4 v3 v2 v1 v0))] = admit() -"# -)] pub fn mm256_set_epi16( input15: i16, input14: i16, @@ -197,8 +141,6 @@ pub fn mm256_set_epi16( unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == - Spec.Utils.create (sz 8) $constant"))] #[inline(always)] pub fn mm_set1_epi16(constant: i16) -> Vec128 { unimplemented!() @@ -213,8 +155,6 @@ pub fn mm256_set1_epi32(constant: i32) -> Vec256 { pub fn mm_set_epi32(input3: i32, input2: i32, input1: i32, input0: i32) -> Vec128 { unimplemented!() } - -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_set_epi32}")] #[inline(always)] pub fn mm256_set_epi32( input7: i32, 
@@ -229,27 +169,15 @@ pub fn mm256_set_epi32( unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == - Spec.Utils.map2 (+.) (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))] +#[inline(always)] pub fn mm_add_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { unimplemented!() } - -#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == - Spec.Utils.map2 (-.) (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))] -pub fn mm_sub_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { - unimplemented!() -} - -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.map2 (+.) (vec256_as_i16x16 $lhs) (vec256_as_i16x16 $rhs)"))] +#[inline(always)] pub fn mm256_add_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_madd_epi16 as ${mm256_madd_epi16}}" -)] +#[inline(always)] pub fn mm256_madd_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } @@ -258,12 +186,6 @@ pub fn mm256_add_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.map2 (-.) (vec256_as_i16x16 $lhs) (vec256_as_i16x16 $rhs)"))] -pub fn mm256_sub_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { - unimplemented!() -} - #[inline(always)] pub fn mm256_add_epi64(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() 
@@ -274,26 +196,21 @@ pub fn mm256_abs_epi32(a: Vec256) -> Vec256 { unimplemented!() } +pub fn mm256_sub_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { + unimplemented!() +} pub fn mm256_sub_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - r#" -include BitVec.Intrinsics {mm256_mullo_epi16 as ${mm256_mullo_epi16}} -let lemma_mm256_mullo_epi16 v1 v2 : - Lemma (vec256_as_i16x16 (${mm256_mullo_epi16} v1 v2) == - Spec.Utils.map2 mul_mod (vec256_as_i16x16 v1) (vec256_as_i16x16 v2)) - [SMTPat (vec256_as_i16x16 (${mm256_mullo_epi16} v1 v2))] = admit() -"# -)] +pub fn mm_sub_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { + unimplemented!() +} + pub fn mm256_mullo_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == - Spec.Utils.map2 mul_mod (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))] pub fn mm_mullo_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { unimplemented!() } @@ -326,9 +243,6 @@ pub fn mm256_movemask_ps(a: Vec256Float) -> i32 { unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec128_as_i16x8 $result == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (vec128_as_i16x8 $lhs) (vec128_as_i16x8 $rhs)"))] pub fn mm_mulhi_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { unimplemented!() } @@ -337,8 +251,6 @@ pub fn mm256_mullo_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) (vec256_as_i16x16 $lhs) (vec256_as_i16x16 $rhs)"))] pub fn mm256_mulhi_epi16(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } 
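Review bot: The re-added `mm256_sub_epi16` in `@@ -274,26 +196,21 @@` is inserted with no blank line before the following `mm256_sub_epi32`, and neither it nor `mm_sub_epi16` carries the `#[inline(always)]` that the previous hunk `@@ -229,27 +169,15 @@` adds to `mm_add_epi16`, `mm256_add_epi16` and `mm256_madd_epi16`, so the add and sub stubs now differ only by where they were pasted. `mm_sub_epi16` (a `Vec128` function) also now sits between two `Vec256` functions, whereas the removed lines in `@@ -229` show it grouped next to `mm_add_epi16`. If the attribute is meant to be uniform, adding `#[inline(always)]` above both new definitions and a blank line after the first `}` keeps the file consistent with its neighbours.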
@@ -352,17 +264,6 @@ pub fn mm256_mul_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - r#" -include BitVec.Intrinsics {mm256_and_si256 as ${mm256_and_si256}} -val lemma_mm256_and_si256 lhs rhs - : Lemma ( vec256_as_i16x16 (mm256_and_si256 lhs rhs) - == Spec.Utils.map2 (&.) (vec256_as_i16x16 lhs) (vec256_as_i16x16 rhs) - ) - [SMTPat (vec256_as_i16x16 (mm256_and_si256 lhs rhs))] -"# -)] #[inline(always)] pub fn mm256_and_si256(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() @@ -381,9 +282,6 @@ pub fn mm256_xor_si256(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] -#[hax_lib::ensures(|result| fstar!("vec256_as_i16x16 $result == - Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (vec256_as_i16x16 $vector)"))] pub fn mm256_srai_epi16(vector: Vec256) -> Vec256 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16); unimplemented!() @@ -393,10 +291,6 @@ pub fn mm256_srai_epi32(vector: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_srli_epi16 as ${mm256_srli_epi16::<0>}}" -)] pub fn mm256_srli_epi16(vector: Vec256) -> Vec256 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16); unimplemented!() @@ -410,20 +304,11 @@ pub fn mm_srli_epi64(vector: Vec128) -> Vec128 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 64); unimplemented!() } - -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_srli_epi64 as ${mm256_srli_epi64::<0>}}" -)] pub fn mm256_srli_epi64(vector: Vec256) -> Vec256 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 64); unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_slli_epi16 as ${mm256_slli_epi16::<0>}}" -)] pub fn mm256_slli_epi16(vector: Vec256) -> Vec256 { debug_assert!(SHIFT_BY >= 0 && SHIFT_BY < 16); unimplemented!() 
@@ -434,11 +319,9 @@ pub fn mm256_slli_epi32(vector: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm_shuffle_epi8}")] pub fn mm_shuffle_epi8(vector: Vec128, control: Vec128) -> Vec128 { unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_shuffle_epi8}")] pub fn mm256_shuffle_epi8(vector: Vec256, control: Vec256) -> Vec256 { unimplemented!() } @@ -464,10 +347,6 @@ pub fn mm256_unpackhi_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_castsi256_si128 as ${mm256_castsi256_si128}}" -)] pub fn mm256_castsi256_si128(vector: Vec256) -> Vec128 { unimplemented!() } @@ -479,10 +358,6 @@ pub fn mm256_cvtepi16_epi32(vector: Vec128) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm_packs_epi16 as ${mm_packs_epi16}}" -)] pub fn mm_packs_epi16(lhs: Vec128, rhs: Vec128) -> Vec128 { unimplemented!() } @@ -490,10 +365,6 @@ pub fn mm256_packs_epi32(lhs: Vec256, rhs: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_extracti128_si256 as ${mm256_extracti128_si256::<0>}}" -)] pub fn mm256_extracti128_si256(vector: Vec256) -> Vec128 { debug_assert!(CONTROL == 0 || CONTROL == 1); unimplemented!() 
@@ -523,21 +394,17 @@ pub fn vec256_blendv_epi32(a: Vec256, b: Vec256, mask: Vec256) -> Vec256 { unimplemented!() } -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm_movemask_epi8 as ${mm_movemask_epi8}}" -)] #[inline(always)] pub fn mm_movemask_epi8(vector: Vec128) -> i32 { unimplemented!() } -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_permutevar8x32_epi32}")] #[inline(always)] pub fn mm256_permutevar8x32_epi32(vector: Vec256, control: Vec256) -> Vec256 { unimplemented!() } +#[inline(always)] pub fn mm256_srlv_epi32(vector: Vec256, counts: Vec256) -> Vec256 { unimplemented!() } @@ -549,9 +416,6 @@ pub fn mm256_srlv_epi64(vector: Vec256, counts: Vec256) -> Vec256 { pub fn mm_sllv_epi32(vector: Vec128, counts: Vec128) -> Vec128 { unimplemented!() } - -#[inline(always)] -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_sllv_epi32}")] pub fn mm256_sllv_epi32(vector: Vec256, counts: Vec256) -> Vec256 { unimplemented!() } diff --git a/libcrux-ml-dsa/Cargo.toml b/libcrux-ml-dsa/Cargo.toml index 9c1d52fea..63ab2a72b 100644 --- a/libcrux-ml-dsa/Cargo.toml +++ b/libcrux-ml-dsa/Cargo.toml @@ -19,6 +19,7 @@ bench = false # so libtest doesn't eat the arguments to criterion libcrux-sha3 = { version = "0.0.2-beta.2", path = "../libcrux-sha3" } libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics" } libcrux-platform = { version = "0.0.2-beta.2", path = "../sys/platform" } +hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" } [dev-dependencies] rand = { version = "0.8" } @@ -29,8 +30,8 @@ criterion = "0.5" pqcrypto-dilithium = { version = "0.5.0" } #, default-features = false [features] -simd128 = [] -simd256 = [] +simd128 = ["libcrux-sha3/simd128", "libcrux-intrinsics/simd128"] +simd256 = ["libcrux-sha3/simd256", "libcrux-intrinsics/simd256"] acvp = [] # expose internal API for ACVP testing [[bench]] 
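Review bot: The new `hax-lib` entry in the `@@ -19,6 +19,7 @@` hunk of `libcrux-ml-dsa/Cargo.toml` is a `git` dependency with no `rev`, `tag` or `branch`, so the manifest alone follows whatever the repository's default branch points at and only the lockfile fixes the exact commit that was reviewed. Because this is cryptographic code whose proof attributes presumably come from that crate, a floating proof-tooling source means a later `cargo update` can silently change which `hax-lib` is compiled and extracted. Pinning it as `hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/", rev = "<pinned-commit>" }` (placeholder for the reviewed commit) makes the manifest self-describing; the `libcrux-*` entries above it already use `path` with explicit versions, so this is the only floating source in the section.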
@@ -48,3 +49,8 @@ harness = false [[bench]] name = "ml-dsa" harness = false + +[lints.rust] +unexpected_cfgs = { level = "warn", check-cfg = [ + 'cfg(hax)', +] } diff --git a/libcrux-ml-dsa/hax.py b/libcrux-ml-dsa/hax.py new file mode 100755 index 000000000..e8d2ba309 --- /dev/null +++ b/libcrux-ml-dsa/hax.py 
@@ -0,0 +1,172 @@ +#! /usr/bin/env python3 + +import os +import argparse +import subprocess +import sys + + +def shell(command, expect=0, cwd=None, env={}): + subprocess_stdout = subprocess.DEVNULL + + print("Env:", env) + print("Command: ", end="") + for i, word in enumerate(command): + if i == 4: + print("'{}' ".format(word), end="") + else: + print("{} ".format(word), end="") + + print("\nDirectory: {}".format(cwd)) + + os_env = os.environ + os_env.update(env) + + ret = subprocess.run(command, cwd=cwd, env=os_env) + if ret.returncode != expect: + raise Exception("Error {}. Expected {}.".format(ret, expect)) + + +class extractAction(argparse.Action): + + def __call__(self, parser, args, values, option_string=None) -> None: + # Extract platform interfaces + include_str = "+:** -**::x86::init::cpuid -**::x86::init::cpuid_count" + interface_include = "+**" + cargo_hax_into = [ + "cargo", + "hax", + "into", + "-i", + include_str, + "fstar", + "--z3rlimit", + "80", + "--interfaces", + interface_include, + ] + hax_env = {} + shell( + cargo_hax_into, + cwd="../sys/platform", + env=hax_env, + ) + + # Extract intrinsics interfaces + include_str = "+:**" + interface_include = "+**" + cargo_hax_into = [ + "cargo", + "hax", + "-C", + "--features", + "simd128,simd256", + ";", + "into", + "-i", + include_str, + "fstar", + "--z3rlimit", + "80", + "--interfaces", + interface_include, + ] + hax_env = {} + shell( + cargo_hax_into, + cwd="../libcrux-intrinsics", + env=hax_env, + ) + + # Extract ml-dsa + includes = [ + "+**", + "-libcrux_ml_dsa::hash_functions::portable::*", + "-libcrux_ml_dsa::hash_functions::simd256::*", + "-libcrux_ml_dsa::hash_functions::neon::*", + "+:libcrux_ml_dsa::hash_functions::*::*", + ] + include_str = " ".join(includes) + interface_include = "+**" + cargo_hax_into = [ + "cargo", + "hax", + "-C", + "--features", + "simd128,simd256", + ";", + "into", + "-i", + include_str, + "fstar", + "--z3rlimit", + "100", + "--interfaces", + interface_include, + ] + 
hax_env = {} + shell( + cargo_hax_into, + cwd=".", + env=hax_env, + ) + return None + + +class proveAction(argparse.Action): + + def __call__(self, parser, args, values, option_string=None) -> None: + admit_env = {} + if args.admit: + admit_env = {"OTHERFLAGS": "--admit_smt_queries true"} + shell(["make", "-C", "proofs/fstar/extraction/"], env=admit_env) + return None + + +def parse_arguments(): + parser = argparse.ArgumentParser( + description="Libcrux prove script. " + + "Make sure to separate sub-command arguments with --." + ) + subparsers = parser.add_subparsers() + + extract_parser = subparsers.add_parser( + "extract", help="Extract the F* code for the proofs." + ) + extract_parser.add_argument("extract", nargs="*", action=extractAction) + + prover_parser = subparsers.add_parser( + "prove", + help=""" + Run F*. + + This typechecks the extracted code. + To lax-typecheck use --admit. + """, + ) + prover_parser.add_argument( + "--admit", + help="Admit all smt queries to lax typecheck.", + action="store_true", + ) + prover_parser.add_argument( + "prove", + nargs="*", + action=proveAction, + ) + + if len(sys.argv) == 1: + parser.print_help(sys.stderr) + sys.exit(1) + + return parser.parse_args() + + +def main(): + # Don't print unnecessary Python stack traces. + sys.tracebacklimit = 0 + parse_arguments() + + +if __name__ == "__main__": + main() diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst new file mode 100644 index 000000000..787aefa44 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fst 
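Review bot: In `shell()`, `os_env = os.environ` binds the live process environment rather than a copy, so `os_env.update(env)` permanently mutates `os.environ` and every variable passed by one call (for example `OTHERFLAGS` from `proveAction`) leaks into all later subprocess invocations in the same run. Build the child environment as a fresh mapping instead: `os_env = {**os.environ, **env}`. The `env={}` default is not mutated here, but the conventional `env=None` followed by `env = env or {}` avoids the shared-default trap, and the `i == 4` quoting in the command echo assumes the include string is the fifth word, which does not hold for the `cargo hax -C --features ... ; into` invocations in `extractAction`, where index 4 is the feature list.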
@@ -0,0 +1,544 @@ +module Libcrux_ml_dsa.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let decompose_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let vector_low:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let vector_high:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let vector_high, vector_low:(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_DIMENSION + (fun temp_0_ temp_1_ -> + let vector_high, vector_low:(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (vector_high, vector_low + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (fun temp_0_ i -> + let vector_high, vector_low:(t_Array + 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + temp_0_ + in + let i:usize = i in + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + ((vector_low.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let vector_high, vector_low:(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + ) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (vector_high, vector_low + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (fun temp_0_ j -> + let vector_high, vector_low:(t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + ) = + temp_0_ + in + let j:usize = j in + let low, high:(v_SIMDUnit & v_SIMDUnit) = + Libcrux_ml_dsa.Simd.Traits.f_decompose #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_GAMMA2 + ((t.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + in + let vector_low:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vector_low + i + ({ + (vector_low.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (vector_low.[ i + ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + low + <: + t_Array v_SIMDUnit (sz 32) + } 
+ <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let vector_high:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vector_high + i + ({ + (vector_high.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (vector_high.[ i + ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + high + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + vector_high, vector_low + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + )) + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + in + vector_low, vector_high + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + +let power2round_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat 
(Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (t + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun temp_0_ temp_1_ -> + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (t0, t1 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (fun temp_0_ temp_1_ -> + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) = + temp_0_ + in + let i, ring_element:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + temp_1_ + in + Rust_primitives.Hax.Folds.fold_enumerated_slice (ring_element + .Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun temp_0_ temp_1_ -> + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + ) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (t0, t1 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + (fun temp_0_ temp_1_ -> + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION & + t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + ) = + temp_0_ + in + let j, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + let t0_unit, t1_unit:(v_SIMDUnit & v_SIMDUnit) = + Libcrux_ml_dsa.Simd.Traits.f_power2round #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + in + let t0:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0 + i + ({ + (t0.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t0.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + t0_unit + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 + i + ({ + (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (t1.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + t1_unit + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + t0, t1 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + )) + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + in + t0, t1 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + 
t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + +let shift_left_then_reduce + (#v_SIMDUnit: Type0) + (v_SHIFT_BY: i32) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun out temp_1_ -> + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in + let _:usize = temp_1_ in + true) + out + (fun out temp_1_ -> + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + { + out with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_shift_left_then_reduce #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_SHIFT_BY + simd_unit + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + out + +let use_hint + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (hint: t_Array (t_Array i32 (sz 256)) v_DIMENSION) + (re_vector: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION 
+ in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_DIMENSION + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let i:usize = i in + let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (hint.[ i ] <: t_Slice i32) + in + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + ((result.[ sz 0 ]).Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let _:usize = temp_1_ in + true) + result + (fun result j -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let j:usize = j in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + ({ + (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (result.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + (Libcrux_ml_dsa.Simd.Traits.f_use_hint #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_GAMMA2 + ((re_vector.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION)) + in + result + +let vector_infinity_norm_exceeds + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (bound: i32) + = + let exceeds:bool = false in + let exceeds:bool = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (vector <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + exceeds + (fun exceeds ring_element -> + let exceeds:bool = exceeds in + let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + ring_element + in + exceeds || + (Libcrux_ml_dsa.Polynomial.impl__infinity_norm_exceeds #v_SIMDUnit ring_element bound + <: + bool)) + in + exceeds + +let make_hint + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (low high: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let hint:t_Array (t_Array i32 (sz 256)) v_DIMENSION = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) + v_DIMENSION + in + let true_hints:usize = sz 0 in + let hint, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) 
+ v_DIMENSION + (fun temp_0_ temp_1_ -> + let hint, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) = temp_0_ in + let _:usize = temp_1_ in + true) + (hint, true_hints <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize)) + (fun temp_0_ i -> + let hint, true_hints:(t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) = temp_0_ in + let i:usize = i in + let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (hint_simd.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (hint_simd, true_hints + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ j -> + let hint_simd, true_hints:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + usize) = + temp_0_ + in + let j:usize = j in + let one_hints_count, current_hint:(usize & v_SIMDUnit) = + Libcrux_ml_dsa.Simd.Traits.f_compute_hint #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_GAMMA2 + ((low.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + ((high.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + .Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] + <: + v_SIMDUnit) + in + let hint_simd:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + hint_simd with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint_simd + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + current_hint + } + <: + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let true_hints:usize = true_hints +! one_hints_count in + hint_simd, true_hints + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + let hint:t_Array (t_Array i32 (sz 256)) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + i + (Libcrux_ml_dsa.Polynomial.impl__to_i32_array #v_SIMDUnit hint_simd + <: + t_Array i32 (sz 256)) + in + hint, true_hints <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize)) + in + hint, true_hints <: (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti new file mode 100644 index 000000000..aa749b797 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Arithmetic.fsti 
@@ -0,0 +1,73 @@ +module Libcrux_ml_dsa.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +val decompose_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val power2round_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (t: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val shift_left_then_reduce + (#v_SIMDUnit: Type0) + (v_SHIFT_BY: i32) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val use_hint + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (hint: t_Array (t_Array i32 (sz 256)) v_DIMENSION) + (re_vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION + ) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun 
_ -> Prims.l_True) + +val vector_infinity_norm_exceeds + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (bound: i32) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val make_hint + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (v_GAMMA2: i32) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (low high: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure (t_Array (t_Array i32 (sz 256)) v_DIMENSION & usize) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti new file mode 100644 index 000000000..6263c2610 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Constants.fsti 
@@ -0,0 +1,44 @@ +module Libcrux_ml_dsa.Constants +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_IN_LOWER_PART_OF_T: usize = sz 13 + +let v_BYTES_FOR_VERIFICATION_KEY_HASH: usize = sz 64 + +let v_COEFFICIENTS_IN_RING_ELEMENT: usize = sz 256 + +/// The length of `context` is serialized to a single `u8`. +let v_CONTEXT_MAX_LEN: usize = sz 255 + +let v_FIELD_MODULUS: i32 = 8380417l + +let v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH: usize = sz 23 + +let v_BITS_IN_UPPER_PART_OF_T: usize = + v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! v_BITS_IN_LOWER_PART_OF_T + +/// Number of bytes of entropy required for key generation. +let v_KEY_GENERATION_RANDOMNESS_SIZE: usize = sz 32 + +let v_MASK_SEED_SIZE: usize = sz 64 + +let v_MESSAGE_REPRESENTATIVE_SIZE: usize = sz 64 + +let v_REJECTION_SAMPLE_BOUND_SIGN: usize = sz 814 + +let v_RING_ELEMENT_OF_T0S_SIZE: usize = + (v_BITS_IN_LOWER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 + +let v_RING_ELEMENT_OF_T1S_SIZE: usize = + (v_BITS_IN_UPPER_PART_OF_T *! v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! sz 8 + +let v_SEED_FOR_A_SIZE: usize = sz 32 + +let v_SEED_FOR_ERROR_VECTORS_SIZE: usize = sz 64 + +let v_SEED_FOR_SIGNING_SIZE: usize = sz 32 + +/// Number of bytes of entropy required for signing. +let v_SIGNING_RANDOMNESS_SIZE: usize = sz 32 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst new file mode 100644 index 000000000..8634dfbe9 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fst 
@@ -0,0 +1,170 @@ +module Libcrux_ml_dsa.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize + (#v_SIMDUnit: Type0) + (v_OUTPUT_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 128uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_commitment_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 4) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_SIZE) + in + serialized + | 192uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start + = + i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_commitment_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 6) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_SIZE) + in + serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let serialize_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION v_RING_ELEMENT_SIZE v_OUTPUT_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let (offset: usize):usize = sz 0 in + let offset, serialized:(usize & t_Array u8 v_OUTPUT_SIZE) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (vector <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (offset, serialized <: (usize & t_Array u8 v_OUTPUT_SIZE)) + (fun temp_0_ ring_element -> + let offset, serialized:(usize & t_Array u8 v_OUTPUT_SIZE) = temp_0_ in + let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + ring_element + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! 
v_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (serialize #v_SIMDUnit v_RING_ELEMENT_SIZE ring_element <: t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! v_RING_ELEMENT_SIZE in + offset, serialized <: (usize & t_Array u8 v_OUTPUT_SIZE)) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti new file mode 100644 index 000000000..0becaf037 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Commitment.fsti @@ -0,0 +1,28 @@ +module Libcrux_ml_dsa.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 4 + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 6 + +val serialize + (#v_SIMDUnit: Type0) + (v_OUTPUT_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_vector + (#v_SIMDUnit: Type0) + (v_DIMENSION v_RING_ELEMENT_SIZE v_OUTPUT_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst new file mode 100644 index 000000000..84a413aa5 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fst 
@@ -0,0 +1,243 @@ +module Libcrux_ml_dsa.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let deserialize + (#v_SIMDUnit: Type0) + (v_ETA: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> Core.Slice.impl__chunks #u8 serialized (sz 3) + | 4uy -> Core.Slice.impl__chunks #u8 serialized (sz 4) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (result, serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) + ) + (fun temp_0_ i -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let i:usize = i in + let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = + Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) + 
#FStar.Tactics.Typeclasses.solve + serialized_chunks + in + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in + ({ + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_error_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_ETA + (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), + serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8)) + in + result + +let deserialize_to_vector_then_ntt + (#v_SIMDUnit: Type0) + (v_DIMENSION v_ETA v_RING_ELEMENT_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Iter.Adapters.Enumerate.t_Enumerate + (Core.Slice.Iter.t_Chunks u8)) + #FStar.Tactics.Typeclasses.solve + (Core.Iter.Traits.Iterator.f_enumerate #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 serialized v_RING_ELEMENT_SIZE + <: + Core.Slice.Iter.t_Chunks u8) + <: + Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8)) + <: + Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8)) + ring_elements + (fun ring_elements temp_1_ -> + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit) + v_DIMENSION = + ring_elements + in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialize #v_SIMDUnit v_ETA bytes + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + in + ring_elements + +let serialize + (#v_SIMDUnit: Type0) + (v_ETA v_OUTPUT_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + match cast (v_ETA <: usize) <: u8 with + | 2uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 3) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_SIZE) + in + serialized + | 4uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start + = + i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_error_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 4) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_SIZE) + in + serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti new file mode 100644 index 000000000..199d62d48 --- /dev/null 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Error.fsti @@ -0,0 +1,40 @@ +module Libcrux_ml_dsa.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 3 + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 4 + +val deserialize + (#v_SIMDUnit: Type0) + (v_ETA: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_to_vector_then_ntt + (#v_SIMDUnit: Type0) + (v_DIMENSION v_ETA v_RING_ELEMENT_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize + (#v_SIMDUnit: Type0) + (v_ETA v_OUTPUT_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst new file mode 100644 index 000000000..470cf8ab6 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fst 
@@ -0,0 +1,194 @@ +module Libcrux_ml_dsa.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let deserialize + (#v_SIMDUnit: Type0) + (v_GAMMA1_EXPONENT: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> Core.Slice.impl__chunks #u8 serialized (sz 18) + | 19uy -> Core.Slice.impl__chunks #u8 serialized (sz 20) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (result, serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) + ) + (fun temp_0_ i -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let i:usize = i in + let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = + Core.Iter.Traits.Iterator.f_next 
#(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + serialized_chunks + in + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in + ({ + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_gamma1_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + v_GAMMA1_EXPONENT + (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), + serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8)) + in + result + +let serialize + (#v_SIMDUnit: Type0) + (v_GAMMA1_EXPONENT v_OUTPUT_BYTES: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_BYTES = Rust_primitives.Hax.repeat 0uy v_OUTPUT_BYTES in + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> + let serialized:t_Array u8 v_OUTPUT_BYTES = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! 
serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 18) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_BYTES) + in + serialized + | 19uy -> + let serialized:t_Array u8 v_OUTPUT_BYTES = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_BYTES = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start + = + i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_gamma1_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (sz 20) + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 v_OUTPUT_BYTES) + in + serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti new file mode 100644 index 000000000..c6b16420b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Gamma1.fsti @@ -0,0 +1,30 @@ +module Libcrux_ml_dsa.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 18 + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT_1: usize = sz 20 + +val deserialize + (#v_SIMDUnit: Type0) + (v_GAMMA1_EXPONENT: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize + (#v_SIMDUnit: Type0) + (v_GAMMA1_EXPONENT v_OUTPUT_BYTES: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_BYTES) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst new file mode 100644 index 000000000..974a66ac7 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fst 
@@ -0,0 +1,348 @@ +module Libcrux_ml_dsa.Encoding.Signature +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let impl__deserialize + (#v_SIMDUnit: Type0) + (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Array u8 v_SIGNATURE_SIZE) + = + let commitment_hash, rest_of_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 (serialized <: t_Slice u8) v_COMMITMENT_HASH_SIZE + in + let signer_response_serialized, hint_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + rest_of_serialized + (v_GAMMA1_RING_ELEMENT_SIZE *! 
v_COLUMNS_IN_A <: usize) + in + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A + in + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_COLUMNS_IN_A + (fun signer_response temp_1_ -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + signer_response + in + let _:usize = temp_1_ in + true) + signer_response + (fun signer_response i -> + let signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + signer_response + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signer_response + i + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (signer_response_serialized.[ { + Core.Ops.Range.f_start = i *! v_GAMMA1_RING_ELEMENT_SIZE <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
v_GAMMA1_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + in + let hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0l (sz 256) <: t_Array i32 (sz 256)) + v_ROWS_IN_A + in + let previous_true_hints_seen:usize = sz 0 in + let i:usize = sz 0 in + let malformed_hint:bool = false in + let hint, i, malformed_hint, previous_true_hints_seen:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & + usize & + bool & + usize) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let hint, i, malformed_hint, previous_true_hints_seen:(t_Array (t_Array i32 (sz 256)) + v_ROWS_IN_A & + usize & + bool & + usize) = + temp_0_ + in + (i <. v_ROWS_IN_A <: bool) && (~.malformed_hint <: bool)) + (hint, i, malformed_hint, previous_true_hints_seen + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize)) + (fun temp_0_ -> + let hint, i, malformed_hint, previous_true_hints_seen:(t_Array (t_Array i32 (sz 256)) + v_ROWS_IN_A & + usize & + bool & + usize) = + temp_0_ + in + let current_true_hints_seen:usize = + cast (hint_serialized.[ v_MAX_ONES_IN_HINT +! i <: usize ] <: u8) <: usize + in + let malformed_hint:bool = + if + current_true_hints_seen <. previous_true_hints_seen || + previous_true_hints_seen >. v_MAX_ONES_IN_HINT + then + let malformed_hint:bool = true in + malformed_hint + else malformed_hint + in + let j:usize = previous_true_hints_seen in + let hint, j, malformed_hint:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let hint, j, malformed_hint:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & + bool) = + temp_0_ + in + (~.malformed_hint <: bool) && (j <. 
current_true_hints_seen <: bool)) + (hint, j, malformed_hint + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool)) + (fun temp_0_ -> + let hint, j, malformed_hint:(t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & + bool) = + temp_0_ + in + let malformed_hint:bool = + if + j >. previous_true_hints_seen && + (hint_serialized.[ j ] <: u8) <=. + (hint_serialized.[ j -! sz 1 <: usize ] <: u8) + then + let malformed_hint:bool = true in + malformed_hint + else malformed_hint + in + if ~.malformed_hint + then + let hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + i + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (hint.[ i ] + <: + t_Array i32 (sz 256)) + (cast (hint_serialized.[ j ] <: u8) <: usize) + 1l + <: + t_Array i32 (sz 256)) + in + let j:usize = j +! sz 1 in + hint, j, malformed_hint + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool) + else + hint, j, malformed_hint + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool)) + in + if ~.malformed_hint + then + let previous_true_hints_seen:usize = current_true_hints_seen in + let i:usize = i +! sz 1 in + hint, i, malformed_hint, previous_true_hints_seen + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize) + else + hint, i, malformed_hint, previous_true_hints_seen + <: + (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A & usize & bool & usize)) + in + let i:usize = previous_true_hints_seen in + let i, malformed_hint:(usize & bool) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let i, malformed_hint:(usize & bool) = temp_0_ in + (i <. v_MAX_ONES_IN_HINT <: bool) && (~.malformed_hint <: bool)) + (i, malformed_hint <: (usize & bool)) + (fun temp_0_ -> + let i, malformed_hint:(usize & bool) = temp_0_ in + let malformed_hint:bool = + if (hint_serialized.[ i ] <: u8) <>. 
0uy + then + let malformed_hint:bool = true in + malformed_hint + else malformed_hint + in + let i:usize = i +! sz 1 in + i, malformed_hint <: (usize & bool)) + in + if malformed_hint + then + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_MalformedHintError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result + (Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A + ) Libcrux_ml_dsa.Types.t_VerificationError + else + Core.Result.Result_Ok + ({ + Libcrux_ml_dsa.Types.f_commitment_hash + = + Core.Result.impl__unwrap #(t_Array u8 v_COMMITMENT_HASH_SIZE) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 v_COMMITMENT_HASH_SIZE) + #FStar.Tactics.Typeclasses.solve + commitment_hash + <: + Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) Core.Array.t_TryFromSliceError); + Libcrux_ml_dsa.Types.f_signer_response = signer_response; + Libcrux_ml_dsa.Types.f_hint = hint + } + <: + Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A) + <: + Core.Result.t_Result + (Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A + ) Libcrux_ml_dsa.Types.t_VerificationError + +let impl__serialize + (#v_SIMDUnit: Type0) + (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self: + Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A) + = + let signature:t_Array u8 v_SIGNATURE_SIZE = Rust_primitives.Hax.repeat 0uy v_SIGNATURE_SIZE in + let offset:usize = sz 0 in + let signature:t_Array u8 v_SIGNATURE_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = 
offset +! v_COMMITMENT_HASH_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signature.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_COMMITMENT_HASH_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (self.Libcrux_ml_dsa.Types.f_commitment_hash <: t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! v_COMMITMENT_HASH_SIZE in + let offset, signature:(usize & t_Array u8 v_SIGNATURE_SIZE) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_COLUMNS_IN_A + (fun temp_0_ temp_1_ -> + let offset, signature:(usize & t_Array u8 v_SIGNATURE_SIZE) = temp_0_ in + let _:usize = temp_1_ in + true) + (offset, signature <: (usize & t_Array u8 v_SIGNATURE_SIZE)) + (fun temp_0_ i -> + let offset, signature:(usize & t_Array u8 v_SIGNATURE_SIZE) = temp_0_ in + let i:usize = i in + let signature:t_Array u8 v_SIGNATURE_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signature + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_GAMMA1_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signature.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_GAMMA1_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Encoding.Gamma1.serialize #v_SIMDUnit + v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE + (self.Libcrux_ml_dsa.Types.f_signer_response.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! 
v_GAMMA1_RING_ELEMENT_SIZE in + offset, signature <: (usize & t_Array u8 v_SIGNATURE_SIZE)) + in + let true_hints_seen:usize = sz 0 in + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_ROWS_IN_A + (fun temp_0_ temp_1_ -> + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let _:usize = temp_1_ in + true) + (signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + (fun temp_0_ i -> + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let i:usize = i in + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (self.Libcrux_ml_dsa.Types.f_hint.[ i ] + <: + t_Array i32 (sz 256)) + (fun temp_0_ temp_1_ -> + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let _:usize = temp_1_ in + true) + (signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + (fun temp_0_ temp_1_ -> + let signature, true_hints_seen:(t_Array u8 v_SIGNATURE_SIZE & usize) = temp_0_ in + let j, hint:(usize & i32) = temp_1_ in + if hint =. 1l <: bool + then + let signature:t_Array u8 v_SIGNATURE_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature + (offset +! true_hints_seen <: usize) + (cast (j <: usize) <: u8) + in + let true_hints_seen:usize = true_hints_seen +! sz 1 in + signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize) + else signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + in + let signature:t_Array u8 v_SIGNATURE_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize signature + ((offset +! v_MAX_ONES_IN_HINT <: usize) +! i <: usize) + (cast (true_hints_seen <: usize) <: u8) + in + signature, true_hints_seen <: (t_Array u8 v_SIGNATURE_SIZE & usize)) + in + signature 
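Review bot: In `impl__deserialize` the range check on the per-row hint counts tests the wrong variable: `previous_true_hints_seen >. v_MAX_ONES_IN_HINT` is evaluated before the inner loop, but that loop walks `j` from `previous_true_hints_seen` up to `current_true_hints_seen` and reads `hint_serialized.[ j ]` and `hint_serialized.[ j -! sz 1 ]`, so a count byte larger than the hint region is only rejected on the next row, after the reads for this row may already have run past the end of the slice (the strictly-increasing check between neighbouring indices does not rule that out for every input). FIPS 204 HintBitUnpack rejects a current count above ω, so the condition should be `current_true_hints_seen <. previous_true_hints_seen || current_true_hints_seen >. v_MAX_ONES_IN_HINT`, which also makes the later `previous` check redundant. The entire hint region of a signature is attacker-controlled input to the verifier, so this deserves a regression test with a count byte above `v_MAX_ONES_IN_HINT` that must yield `VerificationError_MalformedHintError` rather than a failed bounds precondition. Since this file is hax-extracted F*, the fix presumably belongs in the Rust source it is generated from, with the extraction regenerated afterwards.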
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti new file mode 100644 index 000000000..946d0fb21 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signature.fsti @@ -0,0 +1,37 @@ +module Libcrux_ml_dsa.Encoding.Signature +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +val impl__deserialize + (#v_SIMDUnit: Type0) + (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: + usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure + (Core.Result.t_Result + (Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A) Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val impl__serialize + (#v_SIMDUnit: Type0) + (v_COMMITMENT_HASH_SIZE v_COLUMNS_IN_A v_ROWS_IN_A v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_MAX_ONES_IN_HINT v_SIGNATURE_SIZE: + usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self: + Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A) + : Prims.Pure (t_Array u8 v_SIGNATURE_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst new file mode 100644 index 000000000..1394c5939 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fst 
@@ -0,0 +1,328 @@ +module Libcrux_ml_dsa.Encoding.Signing_key +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let deserialize_then_ntt + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Array u8 v_SIGNING_KEY_SIZE) + = + let seed_for_A, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (serialized <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_signing, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + in + let verification_key_hash, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + in + let s1_serialized, remaining_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! v_COLUMNS_IN_A <: usize) + in + let s2_serialized, t0_serialized:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + remaining_serialized + (v_ERROR_RING_ELEMENT_SIZE *! 
v_ROWS_IN_A <: usize) + in + let s1_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + s1_serialized + in + let s2_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Encoding.Error.deserialize_to_vector_then_ntt #v_SIMDUnit + v_ROWS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + s2_serialized + in + let t0_as_ntt:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Encoding.T0.deserialize_to_vector_then_ntt #v_SIMDUnit v_ROWS_IN_A t0_serialized + in + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_A + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError), + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_signing + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError), + Core.Result.impl__unwrap #(t_Array u8 (sz 64)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 64)) + #FStar.Tactics.Typeclasses.solve + verification_key_hash + <: + Core.Result.t_Result (t_Array u8 (sz 64)) Core.Array.t_TryFromSliceError), + s1_as_ntt, + s2_as_ntt, + t0_as_ntt + <: + (t_Array u8 (sz 32) & t_Array u8 (sz 32) & t_Array u8 (sz 64) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + +let generate_serialized + (#v_SIMDUnit 
#v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (seed_for_A seed_for_signing verification_key: t_Slice u8) + (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + = + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.repeat 0uy v_SIGNING_KEY_SIZE + in + let offset:usize = sz 0 in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + seed_for_A + <: + t_Slice u8) + in + let offset:usize = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! 
Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + seed_for_signing + <: + t_Slice u8) + in + let offset:usize = offset +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE in + let verification_key_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let verification_key_hash:t_Array u8 (sz 64) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 64) + verification_key + verification_key_hash + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (verification_key_hash <: t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! 
Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH in + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s1 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + (fun temp_0_ ring_element -> + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = temp_0_ in + let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + ring_element + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit + v_ETA + v_ERROR_RING_ELEMENT_SIZE + ring_element + <: + t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! 
v_ERROR_RING_ELEMENT_SIZE in + offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + in + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s2 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + (fun temp_0_ ring_element -> + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = temp_0_ in + let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + ring_element + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end = offset +! v_ERROR_RING_ELEMENT_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Encoding.Error.serialize #v_SIMDUnit + v_ETA + v_ERROR_RING_ELEMENT_SIZE + ring_element + <: + t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! 
v_ERROR_RING_ELEMENT_SIZE in + offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + in + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Iter + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__iter #(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (t0 <: t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + <: + Core.Slice.Iter.t_Iter (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + (fun temp_0_ ring_element -> + let offset, signing_key_serialized:(usize & t_Array u8 v_SIGNING_KEY_SIZE) = temp_0_ in + let ring_element:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + ring_element + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range signing_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (signing_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Encoding.T0.serialize #v_SIMDUnit ring_element <: t_Slice u8) + <: + t_Slice u8) + in + let offset:usize = offset +! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE in + offset, signing_key_serialized <: (usize & t_Array u8 v_SIGNING_KEY_SIZE)) + in + signing_key_serialized 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti new file mode 100644 index 000000000..b8a8f2d90 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Signing_key.fsti @@ -0,0 +1,34 @@ +module Libcrux_ml_dsa.Encoding.Signing_key +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +val deserialize_then_ntt + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Array u8 v_SIGNING_KEY_SIZE) + : Prims.Pure + (t_Array u8 (sz 32) & t_Array u8 (sz 32) & t_Array u8 (sz 64) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + Prims.l_True + (fun _ -> Prims.l_True) + +val generate_serialized + (#v_SIMDUnit #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (seed_for_A seed_for_signing verification_key: t_Slice u8) + (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (s2 t0: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst new file mode 100644 index 000000000..b1193d6cd --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fst 
@@ -0,0 +1,180 @@ +module Libcrux_ml_dsa.Encoding.T0 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let deserialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = + Core.Slice.impl__chunks #u8 serialized (sz 13) + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (result, serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) + ) + (fun temp_0_ i -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let i:usize = i in + let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = + Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + serialized_chunks + in + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in + ({ + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + 
.Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_t0_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), + serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8)) + in + result + +let deserialize_to_vector_then_ntt + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Iter.Adapters.Enumerate.t_Enumerate + (Core.Slice.Iter.t_Chunks u8)) + #FStar.Tactics.Typeclasses.solve + (Core.Iter.Traits.Iterator.f_enumerate #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 + serialized + Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE + <: + Core.Slice.Iter.t_Chunks u8) + <: + Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8)) + <: + Core.Iter.Adapters.Enumerate.t_Enumerate (Core.Slice.Iter.t_Chunks u8)) + ring_elements + (fun ring_elements temp_1_ -> + let ring_elements:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + ring_elements + in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize ring_elements + i + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (deserialize #v_SIMDUnit bytes + <: + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + in + ring_elements + +let serialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 (sz 416) = Rust_primitives.Hax.repeat 0uy (sz 416) in + let serialized:t_Array u8 (sz 416) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 416) = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 416) = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_t0_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 (sz 416)) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti new file mode 100644 index 000000000..3969d9d7c --- /dev/null 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T0.fsti @@ -0,0 +1,36 @@ +module Libcrux_ml_dsa.Encoding.T0 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 13 + +val deserialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_to_vector_then_ntt + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 (sz 416)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst new file mode 100644 index 000000000..6a59315c3 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fst 
@@ -0,0 +1,129 @@ +module Libcrux_ml_dsa.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let deserialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Slice u8) + = + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = + Core.Slice.impl__chunks #u8 serialized (sz 10) + in + let result:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (result.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (result, serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & Core.Slice.Iter.t_Chunks u8) + ) + (fun temp_0_ i -> + let result, serialized_chunks:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8) = + temp_0_ + in + let i:usize = i in + let tmp0, out:(Core.Slice.Iter.t_Chunks u8 & Core.Option.t_Option (t_Slice u8)) = + Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks u8) + #FStar.Tactics.Typeclasses.solve + serialized_chunks + in + let serialized_chunks:Core.Slice.Iter.t_Chunks u8 = tmp0 in + ({ + result with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + 
.Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_t1_deserialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Core.Option.impl__unwrap #(t_Slice u8) out <: t_Slice u8) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit), + serialized_chunks + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Core.Slice.Iter.t_Chunks u8)) + in + result + +let serialize + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let serialized:t_Array u8 (sz 320) = Rust_primitives.Hax.repeat 0uy (sz 320) in + let serialized:t_Array u8 (sz 320) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (re.Libcrux_ml_dsa.Polynomial.f_simd_units + <: + t_Slice v_SIMDUnit) + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 320) = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 320) = serialized in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized.[ { + Core.Ops.Range.f_start = i *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! serialize__OUTPUT_BYTES_PER_SIMD_UNIT <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Simd.Traits.f_t1_serialize #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + <: + t_Slice u8) + <: + t_Slice u8) + <: + t_Array u8 (sz 320)) + in + serialized 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti new file mode 100644 index 000000000..f05c66a13 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.T1.fsti @@ -0,0 +1,26 @@ +module Libcrux_ml_dsa.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let serialize__OUTPUT_BYTES_PER_SIMD_UNIT: usize = sz 10 + +val deserialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array u8 (sz 320)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst new file mode 100644 index 000000000..94a614a45 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fst 
@@ -0,0 +1,166 @@ +module Libcrux_ml_dsa.Encoding.Verification_key +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let deserialize + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + = + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let seed_for_A, serialized_remaining:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (serialized <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_ROWS_IN_A + (fun t1 temp_1_ -> + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A + = + t1 + in + let _:usize = temp_1_ in + true) + t1 + (fun t1 i -> + let t1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A + = + t1 + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1 + i + (Libcrux_ml_dsa.Encoding.T1.deserialize #v_SIMDUnit + (serialized_remaining.[ { + Core.Ops.Range.f_start + = + i *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! 
Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE + <: + usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + in + Core.Result.impl__unwrap #(t_Array u8 (sz 32)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 32)) + #FStar.Tactics.Typeclasses.solve + seed_for_A + <: + Core.Result.t_Result (t_Array u8 (sz 32)) Core.Array.t_TryFromSliceError), + t1 + <: + (t_Array u8 (sz 32) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + +let generate_serialized + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (seed_for_A: t_Slice u8) + (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + = + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Rust_primitives.Hax.repeat 0uy v_VERIFICATION_KEY_SIZE + in + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range verification_key_serialized + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (verification_key_serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + seed_for_A + <: + t_Slice u8) + in + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_slice (t1 + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun verification_key_serialized temp_1_ -> + let 
verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + verification_key_serialized + in + let _:usize = temp_1_ in + true) + verification_key_serialized + (fun verification_key_serialized temp_1_ -> + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + verification_key_serialized + in + let i, ring_element:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + temp_1_ + in + let offset:usize = + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! + (i *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize) + in + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range verification_key_serialized + ({ + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (verification_key_serialized.[ { + Core.Ops.Range.f_start = offset; + Core.Ops.Range.f_end + = + offset +! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T1S_SIZE <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + (Libcrux_ml_dsa.Encoding.T1.serialize #v_SIMDUnit ring_element <: t_Slice u8) + <: + t_Slice u8) + in + verification_key_serialized) + in + verification_key_serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti new file mode 100644 index 000000000..59e60a0ee --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Encoding.Verification_key.fsti 
@@ -0,0 +1,29 @@ +module Libcrux_ml_dsa.Encoding.Verification_key +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +val deserialize + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + : Prims.Pure + (t_Array u8 (sz 32) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + Prims.l_True + (fun _ -> Prims.l_True) + +val generate_serialized + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_VERIFICATION_KEY_SIZE: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (seed_for_A: t_Slice u8) + (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + : Prims.Pure (t_Array u8 v_VERIFICATION_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti new file mode 100644 index 000000000..9ad6829f1 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Neon.fsti 
@@ -0,0 +1,281 @@ +module Libcrux_ml_dsa.Hash_functions.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val t_Shake128x4:Type0 + +/// Neon SHAKE 256 x4 state +val t_Shake256x4:Type0 + +/// Init the state and absorb 4 blocks in parallel. +val init_absorb (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) + +val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True) + +val shake256_x4 + (v_OUT_LEN: usize) + (input0 input1 input2 input3: t_Slice u8) + (out0 out1 out2 out3: t_Array u8 v_OUT_LEN) + : Prims.Pure + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + Prims.l_True + (fun _ -> Prims.l_True) + +val squeeze_first_block_x4 (state: t_Shake256x4) + : Prims.Pure + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + +val squeeze_first_five_blocks (state: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840)) + : Prims.Pure + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_next_block (state: t_Shake128x4) + : Prims.Pure + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = + { + f_init_absorb_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake128x4) + -> + true); + f_init_absorb + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) 
(input3: t_Slice u8) -> + init_absorb input0 input1 input2 input3); + f_squeeze_first_five_blocks_pre + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + true); + f_squeeze_first_five_blocks_post + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + (out4: + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))) + -> + true); + f_squeeze_first_five_blocks + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + let tmp0, tmp1, tmp2, tmp3, tmp4:(t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + squeeze_first_five_blocks self out0 out1 out2 out3 + in + let self:t_Shake128x4 = tmp0 in + let out0:t_Array u8 (sz 840) = tmp1 in + let out1:t_Array u8 (sz 840) = tmp2 in + let out2:t_Array u8 (sz 840) = tmp3 in + let out3:t_Array u8 (sz 840) = tmp4 in + let _:Prims.unit = () in + self, out0, out1, out2, out3 + <: + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))); + f_squeeze_next_block_pre = (fun (self: t_Shake128x4) -> true); + f_squeeze_next_block_post + = + (fun + (self: t_Shake128x4) + (out5: + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + ) + -> + true); + f_squeeze_next_block + = + fun (self: t_Shake128x4) -> + let tmp0, out4:(t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) = + squeeze_next_block self + in + let self:t_Shake128x4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + out4 + in + self, 
hax_temp_output + <: + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + } + +val squeeze_next_block_x4 (state: t_Shake256x4) + : Prims.Pure + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = + { + f_init_absorb_x4_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_x4_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake256x4) + -> + true); + f_init_absorb_x4 + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + init_absorb_x4 input0 input1 input2 input3); + f_squeeze_first_block_x4_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_first_block_x4_post + = + (fun + (self: t_Shake256x4) + (out5: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_first_block_x4 + = + (fun (self: t_Shake256x4) -> + let tmp0, out4:(t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_first_block_x4 self + in + let self:t_Shake256x4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + self, hax_temp_output + <: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_squeeze_next_block_x4_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_next_block_x4_post + = + (fun + (self: t_Shake256x4) + (out5: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + 
f_squeeze_next_block_x4 + = + (fun (self: t_Shake256x4) -> + let tmp0, out4:(t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_next_block_x4 self + in + let self:t_Shake256x4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + self, hax_temp_output + <: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_shake256_x4_pre + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + true); + f_shake256_x4_post + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + (out4: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN + )) + -> + true); + f_shake256_x4 + = + fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + let tmp0, tmp1, tmp2, tmp3:(t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & + t_Array u8 v_OUT_LEN) = + shake256_x4 v_OUT_LEN input0 input1 input2 input3 out0 out1 out2 out3 + in + let out0:t_Array u8 v_OUT_LEN = tmp0 in + let out1:t_Array u8 v_OUT_LEN = tmp1 in + let out2:t_Array u8 v_OUT_LEN = tmp2 in + let out3:t_Array u8 v_OUT_LEN = tmp3 in + let _:Prims.unit = () in + out0, out1, out2, out3 + <: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + } 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti new file mode 100644 index 000000000..19bf6bae1 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Portable.fsti 
@@ -0,0 +1,377 @@ +module Libcrux_ml_dsa.Hash_functions.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Portable SHAKE 128 state +type t_Shake128 = | Shake128 : t_Shake128 + +/// Portable SHAKE 128 x4 state. +/// We\'re using a portable implementation so this is actually sequential. +val t_Shake128X4:Type0 + +/// Portable SHAKE 256 state +val t_Shake256:Type0 + +/// Portable SHAKE 256 x4 state. +/// We\'re using a portable implementation so this is actually sequential. +val t_Shake256X4:Type0 + +val t_Shake256Absorb:Type0 + +val t_Shake256Squeeze:Type0 + +val init_absorb__init_absorb (input: t_Slice u8) + : Prims.Pure Libcrux_sha3.Portable.t_KeccakState Prims.l_True (fun _ -> Prims.l_True) + +val init_absorb (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake128X4 Prims.l_True (fun _ -> Prims.l_True) + +val init_absorb_shake256 (input: t_Slice u8) + : Prims.Pure t_Shake256 Prims.l_True (fun _ -> Prims.l_True) + +val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake256X4 Prims.l_True (fun _ -> Prims.l_True) + +val shake128 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) + : Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake128.t_Xof t_Shake128 = + { + f_shake128_pre + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); + f_shake128_post + = + (fun + (v_OUTPUT_LENGTH: usize) + (input: t_Slice u8) + (out: t_Array u8 v_OUTPUT_LENGTH) + (out1: t_Array u8 v_OUTPUT_LENGTH) + -> + true); + f_shake128 + = + fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> + let out:t_Array u8 v_OUTPUT_LENGTH = shake128 v_OUTPUT_LENGTH input out in + out + } + +val shake256 (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) + : Prims.Pure (t_Array 
u8 v_OUTPUT_LENGTH) Prims.l_True (fun _ -> Prims.l_True) + +val shake256_absorb (st: t_Shake256Absorb) (input: t_Slice u8) + : Prims.Pure t_Shake256Absorb Prims.l_True (fun _ -> Prims.l_True) + +val shake256_absorb_final (st: t_Shake256Absorb) (input: t_Slice u8) + : Prims.Pure t_Shake256Squeeze Prims.l_True (fun _ -> Prims.l_True) + +val shake256_init: Prims.unit -> Prims.Pure t_Shake256Absorb Prims.l_True (fun _ -> Prims.l_True) + +val shake256_squeeze (st: t_Shake256Squeeze) (out: t_Slice u8) + : Prims.Pure (t_Shake256Squeeze & t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_first_block_shake256 (state: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_first_block_x4 (state: t_Shake256X4) + : Prims.Pure + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + +val squeeze_first_five_blocks (state: t_Shake128X4) (out0 out1 out2 out3: t_Array u8 (sz 840)) + : Prims.Pure + (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_next_block (state: t_Shake128X4) + : Prims.Pure + (t_Shake128X4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128X4 = + { + f_init_absorb_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake128X4) + -> + true); + f_init_absorb + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + init_absorb input0 input1 input2 input3); + 
f_squeeze_first_five_blocks_pre + = + (fun + (self: t_Shake128X4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + true); + f_squeeze_first_five_blocks_post + = + (fun + (self: t_Shake128X4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + (out4: + (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))) + -> + true); + f_squeeze_first_five_blocks + = + (fun + (self: t_Shake128X4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + let tmp0, tmp1, tmp2, tmp3, tmp4:(t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + squeeze_first_five_blocks self out0 out1 out2 out3 + in + let self:t_Shake128X4 = tmp0 in + let out0:t_Array u8 (sz 840) = tmp1 in + let out1:t_Array u8 (sz 840) = tmp2 in + let out2:t_Array u8 (sz 840) = tmp3 in + let out3:t_Array u8 (sz 840) = tmp4 in + let _:Prims.unit = () in + self, out0, out1, out2, out3 + <: + (t_Shake128X4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))); + f_squeeze_next_block_pre = (fun (self: t_Shake128X4) -> true); + f_squeeze_next_block_post + = + (fun + (self: t_Shake128X4) + (out5: + (t_Shake128X4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + ) + -> + true); + f_squeeze_next_block + = + fun (self: t_Shake128X4) -> + let tmp0, out4:(t_Shake128X4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) = + squeeze_next_block self + in + let self:t_Shake128X4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + out4 + in + self, hax_temp_output + <: + (t_Shake128X4 & + (t_Array u8 (sz 168) & t_Array 
u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + } + +val squeeze_next_block_shake256 (state: t_Shake256) + : Prims.Pure (t_Shake256 & t_Array u8 (sz 136)) Prims.l_True (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_2: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof t_Shake256 = + { + f_shake256_pre + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> true); + f_shake256_post + = + (fun + (v_OUTPUT_LENGTH: usize) + (input: t_Slice u8) + (out: t_Array u8 v_OUTPUT_LENGTH) + (out1: t_Array u8 v_OUTPUT_LENGTH) + -> + true); + f_shake256 + = + (fun (v_OUTPUT_LENGTH: usize) (input: t_Slice u8) (out: t_Array u8 v_OUTPUT_LENGTH) -> + let out:t_Array u8 v_OUTPUT_LENGTH = shake256 v_OUTPUT_LENGTH input out in + out); + f_init_absorb_pre = (fun (input: t_Slice u8) -> true); + f_init_absorb_post = (fun (input: t_Slice u8) (out: t_Shake256) -> true); + f_init_absorb = (fun (input: t_Slice u8) -> init_absorb_shake256 input); + f_squeeze_first_block_pre = (fun (self: t_Shake256) -> true); + f_squeeze_first_block_post + = + (fun (self: t_Shake256) (out2: (t_Shake256 & t_Array u8 (sz 136))) -> true); + f_squeeze_first_block + = + (fun (self: t_Shake256) -> + let tmp0, out1:(t_Shake256 & t_Array u8 (sz 136)) = squeeze_first_block_shake256 self in + let self:t_Shake256 = tmp0 in + let hax_temp_output:t_Array u8 (sz 136) = out1 in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136))); + f_squeeze_next_block_pre = (fun (self: t_Shake256) -> true); + f_squeeze_next_block_post + = + (fun (self: t_Shake256) (out2: (t_Shake256 & t_Array u8 (sz 136))) -> true); + f_squeeze_next_block + = + fun (self: t_Shake256) -> + let tmp0, out1:(t_Shake256 & t_Array u8 (sz 136)) = squeeze_next_block_shake256 self in + let self:t_Shake256 = tmp0 in + let hax_temp_output:t_Array u8 (sz 136) = out1 in + self, hax_temp_output <: (t_Shake256 & t_Array u8 (sz 136)) + } + +val squeeze_next_block_x4 (state: t_Shake256X4) + 
: Prims.Pure + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256X4 = + { + f_init_absorb_x4_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_x4_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake256X4) + -> + true); + f_init_absorb_x4 + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + init_absorb_x4 input0 input1 input2 input3); + f_squeeze_first_block_x4_pre = (fun (self: t_Shake256X4) -> true); + f_squeeze_first_block_x4_post + = + (fun + (self: t_Shake256X4) + (out5: + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_first_block_x4 + = + (fun (self: t_Shake256X4) -> + let tmp0, out4:(t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_first_block_x4 self + in + let self:t_Shake256X4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + self, hax_temp_output + <: + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_squeeze_next_block_x4_pre = (fun (self: t_Shake256X4) -> true); + f_squeeze_next_block_x4_post + = + (fun + (self: t_Shake256X4) + (out5: + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_next_block_x4 + = + (fun (self: t_Shake256X4) -> + let tmp0, out4:(t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + 
squeeze_next_block_x4 self + in + let self:t_Shake256X4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + self, hax_temp_output + <: + (t_Shake256X4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_shake256_x4_pre + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + true); + f_shake256_x4_post + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + (out4: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN + )) + -> + true); + f_shake256_x4 + = + fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + let out0:t_Array u8 v_OUT_LEN = shake256 v_OUT_LEN input0 out0 in + let out1:t_Array u8 v_OUT_LEN = shake256 v_OUT_LEN input1 out1 in + let out2:t_Array u8 v_OUT_LEN = shake256 v_OUT_LEN input2 out2 in + let out3:t_Array u8 v_OUT_LEN = shake256 v_OUT_LEN input3 out3 in + out0, out1, out2, out3 + <: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti new file mode 100644 index 000000000..aa229c844 --- /dev/null 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake128.fsti 
@@ -0,0 +1,72 @@ +module Libcrux_ml_dsa.Hash_functions.Shake128 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +class t_Xof (v_Self: Type0) = { + f_shake128_pre:v_OUTPUT_LENGTH: usize -> t_Slice u8 -> t_Array u8 v_OUTPUT_LENGTH -> Type0; + f_shake128_post: + v_OUTPUT_LENGTH: usize -> + t_Slice u8 -> + t_Array u8 v_OUTPUT_LENGTH -> + t_Array u8 v_OUTPUT_LENGTH + -> Type0; + f_shake128:v_OUTPUT_LENGTH: usize -> x0: t_Slice u8 -> x1: t_Array u8 v_OUTPUT_LENGTH + -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) + (f_shake128_pre v_OUTPUT_LENGTH x0 x1) + (fun result -> f_shake128_post v_OUTPUT_LENGTH x0 x1 result) +} + +/// When sampling matrix A we always want to do 4 absorb/squeeze calls in +/// parallel. +class t_XofX4 (v_Self: Type0) = { + f_init_absorb_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; + f_init_absorb_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0; + f_init_absorb:x0: t_Slice u8 -> x1: t_Slice u8 -> x2: t_Slice u8 -> x3: t_Slice u8 + -> Prims.Pure v_Self + (f_init_absorb_pre x0 x1 x2 x3) + (fun result -> f_init_absorb_post x0 x1 x2 x3 result); + f_squeeze_first_five_blocks_pre: + v_Self -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) + -> Type0; + f_squeeze_first_five_blocks_post: + v_Self -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + t_Array u8 (sz 840) -> + (v_Self & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) + -> Type0; + f_squeeze_first_five_blocks: + x0: v_Self -> + x1: t_Array u8 (sz 840) -> + x2: t_Array u8 (sz 840) -> + x3: t_Array u8 (sz 840) -> + x4: t_Array u8 (sz 840) + -> Prims.Pure + (v_Self & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) + (f_squeeze_first_five_blocks_pre x0 x1 x2 x3 x4) + (fun result -> f_squeeze_first_five_blocks_post x0 x1 x2 x3 x4 result); + 
f_squeeze_next_block_pre:v_Self -> Type0; + f_squeeze_next_block_post: + v_Self -> + (v_Self & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + -> Type0; + f_squeeze_next_block:x0: v_Self + -> Prims.Pure + (v_Self & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + (f_squeeze_next_block_pre x0) + (fun result -> f_squeeze_next_block_post x0 result) +} + +let v_BLOCK_SIZE: usize = sz 168 + +let v_FIVE_BLOCKS_SIZE: usize = v_BLOCK_SIZE *! sz 5 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti new file mode 100644 index 000000000..bd150aa95 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Shake256.fsti 
@@ -0,0 +1,106 @@ +module Libcrux_ml_dsa.Hash_functions.Shake256 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +class t_Xof (v_Self: Type0) = { + f_shake256_pre:v_OUTPUT_LENGTH: usize -> t_Slice u8 -> t_Array u8 v_OUTPUT_LENGTH -> Type0; + f_shake256_post: + v_OUTPUT_LENGTH: usize -> + t_Slice u8 -> + t_Array u8 v_OUTPUT_LENGTH -> + t_Array u8 v_OUTPUT_LENGTH + -> Type0; + f_shake256:v_OUTPUT_LENGTH: usize -> x0: t_Slice u8 -> x1: t_Array u8 v_OUTPUT_LENGTH + -> Prims.Pure (t_Array u8 v_OUTPUT_LENGTH) + (f_shake256_pre v_OUTPUT_LENGTH x0 x1) + (fun result -> f_shake256_post v_OUTPUT_LENGTH x0 x1 result); + f_init_absorb_pre:t_Slice u8 -> Type0; + f_init_absorb_post:t_Slice u8 -> v_Self -> Type0; + f_init_absorb:x0: t_Slice u8 + -> Prims.Pure v_Self (f_init_absorb_pre x0) (fun result -> f_init_absorb_post x0 result); + f_squeeze_first_block_pre:v_Self -> Type0; + f_squeeze_first_block_post:v_Self -> (v_Self & t_Array u8 (sz 136)) -> Type0; + f_squeeze_first_block:x0: v_Self + -> Prims.Pure (v_Self & t_Array u8 (sz 136)) + (f_squeeze_first_block_pre x0) + (fun result -> f_squeeze_first_block_post x0 result); + f_squeeze_next_block_pre:v_Self -> Type0; + f_squeeze_next_block_post:v_Self -> (v_Self & t_Array u8 (sz 136)) -> Type0; + f_squeeze_next_block:x0: v_Self + -> Prims.Pure (v_Self & t_Array u8 (sz 136)) + (f_squeeze_next_block_pre x0) + (fun result -> f_squeeze_next_block_post x0 result) +} + +class t_XofX4 (v_Self: Type0) = { + f_init_absorb_x4_pre:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> Type0; + f_init_absorb_x4_post:t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> t_Slice u8 -> v_Self -> Type0; + f_init_absorb_x4:x0: t_Slice u8 -> x1: t_Slice u8 -> x2: t_Slice u8 -> x3: t_Slice u8 + -> Prims.Pure v_Self + (f_init_absorb_x4_pre x0 x1 x2 x3) + (fun result -> f_init_absorb_x4_post x0 x1 x2 x3 result); + f_squeeze_first_block_x4_pre:v_Self -> Type0; + f_squeeze_first_block_x4_post: + v_Self -> + (v_Self & + (t_Array u8 
(sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + -> Type0; + f_squeeze_first_block_x4:x0: v_Self + -> Prims.Pure + (v_Self & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + (f_squeeze_first_block_x4_pre x0) + (fun result -> f_squeeze_first_block_x4_post x0 result); + f_squeeze_next_block_x4_pre:v_Self -> Type0; + f_squeeze_next_block_x4_post: + v_Self -> + (v_Self & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + -> Type0; + f_squeeze_next_block_x4:x0: v_Self + -> Prims.Pure + (v_Self & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + (f_squeeze_next_block_x4_pre x0) + (fun result -> f_squeeze_next_block_x4_post x0 result); + f_shake256_x4_pre: + v_OUT_LEN: usize -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN + -> Type0; + f_shake256_x4_post: + v_OUT_LEN: usize -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Slice u8 -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + t_Array u8 v_OUT_LEN -> + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + -> Type0; + f_shake256_x4: + v_OUT_LEN: usize -> + x0: t_Slice u8 -> + x1: t_Slice u8 -> + x2: t_Slice u8 -> + x3: t_Slice u8 -> + x4: t_Array u8 v_OUT_LEN -> + x5: t_Array u8 v_OUT_LEN -> + x6: t_Array u8 v_OUT_LEN -> + x7: t_Array u8 v_OUT_LEN + -> Prims.Pure + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + (f_shake256_x4_pre v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7) + (fun result -> f_shake256_x4_post v_OUT_LEN x0 x1 x2 x3 x4 x5 x6 x7 result) +} + +let v_BLOCK_SIZE: usize = sz 136 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti new file mode 100644 index 000000000..a9b24b26a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Hash_functions.Simd256.fsti 
@@ -0,0 +1,284 @@ +module Libcrux_ml_dsa.Hash_functions.Simd256 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// AVX2 SHAKE 128 state +/// This only implements the XofX4 API. For the single Xof, the portable +/// version is used. +val t_Shake128x4:Type0 + +/// AVX2 SHAKE 256 x4 state. +val t_Shake256x4:Type0 + +/// Init the state and absorb 4 blocks in parallel. +val init_absorb (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake128x4 Prims.l_True (fun _ -> Prims.l_True) + +val init_absorb_x4 (input0 input1 input2 input3: t_Slice u8) + : Prims.Pure t_Shake256x4 Prims.l_True (fun _ -> Prims.l_True) + +val shake256_x4 + (v_OUT_LEN: usize) + (input0 input1 input2 input3: t_Slice u8) + (out0 out1 out2 out3: t_Array u8 v_OUT_LEN) + : Prims.Pure + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + Prims.l_True + (fun _ -> Prims.l_True) + +val squeeze_first_block_x4 (state: t_Shake256x4) + : Prims.Pure + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + +val squeeze_first_five_blocks (state: t_Shake128x4) (out0 out1 out2 out3: t_Array u8 (sz 840)) + : Prims.Pure + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840)) Prims.l_True (fun _ -> Prims.l_True) + +val squeeze_next_block (state: t_Shake128x4) + : Prims.Pure + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 t_Shake128x4 = + { + f_init_absorb_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + 
(out: t_Shake128x4) + -> + true); + f_init_absorb + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + init_absorb input0 input1 input2 input3); + f_squeeze_first_five_blocks_pre + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + true); + f_squeeze_first_five_blocks_post + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + (out4: + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))) + -> + true); + f_squeeze_first_five_blocks + = + (fun + (self: t_Shake128x4) + (out0: t_Array u8 (sz 840)) + (out1: t_Array u8 (sz 840)) + (out2: t_Array u8 (sz 840)) + (out3: t_Array u8 (sz 840)) + -> + let tmp0, tmp1, tmp2, tmp3, tmp4:(t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + squeeze_first_five_blocks self out0 out1 out2 out3 + in + let self:t_Shake128x4 = tmp0 in + let out0:t_Array u8 (sz 840) = tmp1 in + let out1:t_Array u8 (sz 840) = tmp2 in + let out2:t_Array u8 (sz 840) = tmp3 in + let out3:t_Array u8 (sz 840) = tmp4 in + let _:Prims.unit = () in + self, out0, out1, out2, out3 + <: + (t_Shake128x4 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840))); + f_squeeze_next_block_pre = (fun (self: t_Shake128x4) -> true); + f_squeeze_next_block_post + = + (fun + (self: t_Shake128x4) + (out5: + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + ) + -> + true); + f_squeeze_next_block + = + fun (self: t_Shake128x4) -> + let tmp0, out4:(t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) = + squeeze_next_block self + in + let self:t_Shake128x4 = tmp0 in + let 
hax_temp_output:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + out4 + in + self, hax_temp_output + <: + (t_Shake128x4 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + } + +val squeeze_next_block_x4 (state: t_Shake256x4) + : Prims.Pure + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + Prims.l_True + (fun _ -> Prims.l_True) + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_1: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 t_Shake256x4 = + { + f_init_absorb_x4_pre + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> true + ); + f_init_absorb_x4_post + = + (fun + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out: t_Shake256x4) + -> + true); + f_init_absorb_x4 + = + (fun (input0: t_Slice u8) (input1: t_Slice u8) (input2: t_Slice u8) (input3: t_Slice u8) -> + init_absorb_x4 input0 input1 input2 input3); + f_squeeze_first_block_x4_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_first_block_x4_post + = + (fun + (self: t_Shake256x4) + (out5: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_first_block_x4 + = + (fun (self: t_Shake256x4) -> + let tmp0, out4:(t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_first_block_x4 self + in + let self:t_Shake256x4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + self, hax_temp_output + <: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_squeeze_next_block_x4_pre = (fun (self: t_Shake256x4) -> true); + f_squeeze_next_block_x4_post + = + (fun + (self: t_Shake256x4) + (out5: + 
(t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + ) + -> + true); + f_squeeze_next_block_x4 + = + (fun (self: t_Shake256x4) -> + let tmp0, out4:(t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + squeeze_next_block_x4 self + in + let self:t_Shake256x4 = tmp0 in + let hax_temp_output:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + self, hax_temp_output + <: + (t_Shake256x4 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136)))); + f_shake256_x4_pre + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + true); + f_shake256_x4_post + = + (fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + (out4: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN + )) + -> + true); + f_shake256_x4 + = + fun + (v_OUT_LEN: usize) + (input0: t_Slice u8) + (input1: t_Slice u8) + (input2: t_Slice u8) + (input3: t_Slice u8) + (out0: t_Array u8 v_OUT_LEN) + (out1: t_Array u8 v_OUT_LEN) + (out2: t_Array u8 v_OUT_LEN) + (out3: t_Array u8 v_OUT_LEN) + -> + let tmp0, tmp1, tmp2, tmp3:(t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & + t_Array u8 v_OUT_LEN) = + shake256_x4 v_OUT_LEN input0 input1 input2 input3 out0 out1 out2 out3 + in + let out0:t_Array u8 v_OUT_LEN = tmp0 in + let out1:t_Array u8 v_OUT_LEN = tmp1 in + let out2:t_Array u8 v_OUT_LEN = tmp2 in + let out3:t_Array u8 v_OUT_LEN = tmp3 in + let _:Prims.unit = () in + out0, out1, 
out2, out3 + <: + (t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN & t_Array u8 v_OUT_LEN) + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst new file mode 100644 index 000000000..0f4339ffb --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fst 
@@ -0,0 +1,473 @@ +module Libcrux_ml_dsa.Matrix +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let vector_times_ring_element + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (ring_element: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Folds.fold_enumerated_slice (vector + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let i, vector_ring_element:(usize & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + temp_1_ + in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + vector_ring_element + ring_element + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + 
t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + in + result + +let add_vectors + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_DIMENSION + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (lhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + in + result + +let compute_A_times_mask + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (mask: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) 
v_COLUMNS_IN_A) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt + <: + t_Slice + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let i, row:(usize & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = + temp_1_ + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (row + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let j, ring_element:(usize & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + temp_1_ + in + let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + ring_element + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (mask.[ j ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (result.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + product + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + result + +let compute_As1_plus_s2 + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (s2: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt + <: + t_Slice + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + 
v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let i, row:(usize & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = + temp_1_ + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (row + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let j, ring_element:(usize & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + temp_1_ + in + let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + ring_element + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (s1.[ j ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (result.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + product + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (result.[ i ] 
<: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (s2.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + result + +let compute_w_approx + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (signer_response: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (verifier_challenge_as_ntt: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (v_A_as_ntt + <: + t_Slice + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let i, row:(usize & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = + temp_1_ + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Folds.fold_enumerated_slice (row + <: + t_Slice (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit)) + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + result + in + let j, ring_element:(usize & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + temp_1_ + in + let product:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + ring_element + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (signer_response.[ j ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__add #v_SIMDUnit + (result.[ i ] + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + product + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + let t1_shifted:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Libcrux_ml_dsa.Arithmetic.shift_left_then_reduce #v_SIMDUnit + 13l + (t1.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let challenge_times_t1_shifted:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement + v_SIMDUnit = + 
Libcrux_ml_dsa.Ntt.ntt_multiply_montgomery #v_SIMDUnit + verifier_challenge_as_ntt + (Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit t1_shifted + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Ntt.invert_ntt_montgomery #v_SIMDUnit + (Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit + (result.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + challenge_times_t1_shifted + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + result) + in + result + +let subtract_vectors + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + = + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Folds.fold_range (sz 0) + v_DIMENSION + (fun result temp_1_ -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + result + in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + i + (Libcrux_ml_dsa.Polynomial.impl__subtract #v_SIMDUnit + (lhs.[ i ] <: 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (rhs.[ i ] <: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + <: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + in + result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti new file mode 100644 index 000000000..7db4128e6 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Matrix.fsti 
@@ -0,0 +1,90 @@ +module Libcrux_ml_dsa.Matrix +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +val vector_times_ring_element + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (vector: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + (ring_element: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val add_vectors + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Compute InvertNTT(Â ◦ ŷ) +val compute_A_times_mask + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (mask: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Compute InvertNTT(Â ◦ ŝ₁) + s₂ +val compute_As1_plus_s2 + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) 
v_COLUMNS_IN_A) + v_ROWS_IN_A) + (s1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (s2: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Compute InvertNTT(Â ◦ ẑ - ĉ ◦ NTT(t₁2ᵈ)) +val compute_w_approx + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (v_A_as_ntt: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (signer_response: + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + (verifier_challenge_as_ntt: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + (t1: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) + Prims.l_True + (fun _ -> Prims.l_True) + +val subtract_vectors + (#v_SIMDUnit: Type0) + (v_DIMENSION: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (lhs rhs: t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst new file mode 100644 index 000000000..e68b8fe9b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fst 
@@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l + (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) + (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) + (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + 
verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 4) (sz 4) + (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti new file mode 100644 index 000000000..2cc5f13c7 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Avx2.fsti 
@@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-44 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
+val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst new file mode 100644 index 000000000..f27fbeff4 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fst 
@@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l + (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) + (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) + (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + 
verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 4) (sz 4) + (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti new file mode 100644 index 000000000..58227663f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Neon.fsti 
@@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-44 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
+val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst new file mode 100644 index 000000000..b28affb1d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fst 
@@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) + 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 4) (sz 4) + (sz 2) (sz 96) (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) + (sz 2420) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 4) (sz 4) (sz 2420) (sz 1312) + (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 
80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 4) (sz 4) + (sz 2420) (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti new file mode 100644 index 000000000..1e6653b8a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.Portable.fsti 
@@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_44_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-44 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
+val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst new file mode 100644 index 000000000..4eff956f5 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fst 
@@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 2560) & t_Array u8 (sz 1312)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (sz 4) + (sz 4) + (sz 2) + (sz 96) + (sz 2560) + (sz 1312) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 4) (sz 4) (sz 2) (sz 96) (sz 17) 95232l + (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 4) (sz 4) (sz 2) (sz 96) + (sz 17) 95232l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) (sz 576) (sz 2560) (sz 2420) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 4) (sz 4) (sz 2420) (sz 1312) (sz 17) + (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message 
context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 4) (sz 4) (sz 2420) + (sz 1312) (sz 17) (sz 576) 95232l 78l (sz 192) (sz 768) (sz 32) (sz 39) (sz 80) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti new file mode 100644 index 000000000..a677e8e9a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_44_.fsti 
@@ -0,0 +1,143 @@ +module Libcrux_ml_dsa.Ml_dsa_44_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 6 + +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 + +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 18 + +let v_COLUMNS_IN_A: usize = sz 4 + +let v_COMMITMENT_HASH_SIZE: usize = sz 32 + +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + <: + usize) /! + sz 8 + +let v_ERROR_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! + sz 8 + +let v_ETA: usize = sz 2 + +let v_GAMMA1_EXPONENT: usize = sz 17 + +let v_GAMMA1_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize + ) /! + sz 8 + +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 88l + +let v_MAX_ONES_IN_HINT: usize = sz 80 + +let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 39 + +let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 + +let v_ROWS_IN_A: usize = sz 4 + +let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A + +let v_SIGNATURE_SIZE: usize = + ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! + v_MAX_ONES_IN_HINT + <: + usize) +! + v_ROWS_IN_A + +let v_SIGNING_KEY_SIZE: usize = + (((Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + <: + usize) +! + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + <: + usize) +! + ((v_ROWS_IN_A +! v_COLUMNS_IN_A <: usize) *! v_ERROR_RING_ELEMENT_SIZE <: usize) + <: + usize) +! + (v_ROWS_IN_A *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize) + +let v_VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! 
+ (((Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_ROWS_IN_A <: usize) *! + (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! + Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T + <: + usize) + <: + usize) /! + sz 8 + <: + usize) + +/// Generate an ML-DSA 44 Key Pair +/// Generate an ML-DSA key pair. The input is a byte array of size +/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. +/// This function returns an [`MLDSA44KeyPair`]. +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1312) (sz 2560)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign with ML-DSA 44 +/// Sign a `message` with the ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// This function returns an [`MLDSA44Signature`]. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign with HashML-DSA 44, with a SHAKE128 pre-hashing +/// Sign a digest of `message` derived using `pre_hash` with the +/// ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// This function returns an [`MLDSA44Signature`]. 
+val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 2560)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-44 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-44 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1312)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 2420)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst new file mode 100644 index 000000000..4dcf80489 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fst 
@@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) + 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) + (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) + (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + 
verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 6) (sz 5) + (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti new file mode 100644 index 000000000..bfcb87df8 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Avx2.fsti 
@@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-65 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
+val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst new file mode 100644 index 000000000..b54a04df2 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fst 
@@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) + 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) + (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) + (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + 
verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 6) (sz 5) + (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti new file mode 100644 index 000000000..ff39c5e48 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Neon.fsti 
@@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-65 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
+val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst new file mode 100644 index 000000000..eaf1e627f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fst 
@@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) + 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 6) (sz 5) + (sz 4) (sz 128) (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) + (sz 3309) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 6) (sz 5) (sz 3309) (sz 1952) + (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 
49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 6) (sz 5) + (sz 3309) (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti new file mode 100644 index 000000000..7568a9a1c --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.Portable.fsti 
@@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_65_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-65 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
+val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst new file mode 100644 index 000000000..d75500055 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fst 
@@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4032) & t_Array u8 (sz 1952)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (sz 6) + (sz 5) + (sz 4) + (sz 128) + (sz 4032) + (sz 1952) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 6) (sz 5) (sz 4) (sz 128) (sz 19) 261888l + (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 6) (sz 5) (sz 4) (sz 128) + (sz 19) 261888l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) (sz 640) (sz 4032) (sz 3309) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 6) (sz 5) (sz 3309) (sz 1952) (sz 19) + (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 
message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 6) (sz 5) (sz 3309) + (sz 1952) (sz 19) (sz 640) 261888l 196l (sz 128) (sz 768) (sz 48) (sz 49) (sz 55) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti new file mode 100644 index 000000000..47735a500 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_65_.fsti 
@@ -0,0 +1,143 @@ +module Libcrux_ml_dsa.Ml_dsa_65_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 + +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 4 + +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 + +let v_COLUMNS_IN_A: usize = sz 5 + +let v_COMMITMENT_HASH_SIZE: usize = sz 48 + +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + <: + usize) /! + sz 8 + +let v_ERROR_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! + sz 8 + +let v_ETA: usize = sz 4 + +let v_GAMMA1_EXPONENT: usize = sz 19 + +let v_GAMMA1_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize + ) /! + sz 8 + +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l + +let v_MAX_ONES_IN_HINT: usize = sz 55 + +let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 49 + +let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 + +let v_ROWS_IN_A: usize = sz 6 + +let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A + +let v_SIGNATURE_SIZE: usize = + ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! + v_MAX_ONES_IN_HINT + <: + usize) +! + v_ROWS_IN_A + +let v_SIGNING_KEY_SIZE: usize = + (((Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + <: + usize) +! + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + <: + usize) +! + ((v_ROWS_IN_A +! v_COLUMNS_IN_A <: usize) *! v_ERROR_RING_ELEMENT_SIZE <: usize) + <: + usize) +! + (v_ROWS_IN_A *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize) + +let v_VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! 
+ (((Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_ROWS_IN_A <: usize) *! + (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! + Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T + <: + usize) + <: + usize) /! + sz 8 + <: + usize) + +/// Generate an ML-DSA 65 Key Pair +/// Generate an ML-DSA key pair. The input is a byte array of size +/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. +/// This function returns an [`MLDSA65KeyPair`]. +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 1952) (sz 4032)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign with ML-DSA 65 +/// Sign a `message` with the ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// This function returns an [`MLDSA65Signature`]. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign with HashML-DSA 65, with a SHAKE128 pre-hashing +/// Sign a digest of `message` derived using `pre_hash` with the +/// ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// This function returns an [`MLDSA65Signature`]. 
+val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4032)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-65 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-65 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 1952)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 3309)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst new file mode 100644 index 000000000..27eb5b514 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fst 
@@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) + 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) + (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) + (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + 
verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 (sz 8) (sz 7) + (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti new file mode 100644 index 000000000..2b2ba04ee --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Avx2.fsti 
@@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-87 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
+val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst new file mode 100644 index 000000000..e89d61679 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fst 
@@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) + 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) + (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) + (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + 
verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 (sz 8) (sz 7) + (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti new file mode 100644 index 000000000..499342491 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Neon.fsti 
@@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-87 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
+val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst new file mode 100644 index 000000000..8ff301da4 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fst 
@@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) + 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 (sz 8) (sz 7) + (sz 2) (sz 96) (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) + (sz 4627) signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify (sz 8) (sz 7) (sz 4627) (sz 2592) + (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 
60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 (sz 8) (sz 7) + (sz 4627) (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti new file mode 100644 index 000000000..5825b758b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.Portable.fsti 
@@ -0,0 +1,58 @@ +module Libcrux_ml_dsa.Ml_dsa_87_.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Generate an ML-DSA-87 Key Pair +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. 
+val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst new file mode 100644 index 000000000..7628dbe10 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fst 
@@ -0,0 +1,65 @@ +module Libcrux_ml_dsa.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair (randomness: t_Array u8 (sz 32)) = + let signing_key, verification_key:(t_Array u8 (sz 4896) & t_Array u8 (sz 2592)) = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.generate_key_pair (sz 8) + (sz 7) + (sz 2) + (sz 96) + (sz 4896) + (sz 2592) + randomness + in + { + Libcrux_ml_dsa.Types.f_signing_key + = + Libcrux_ml_dsa.Types.MLDSASigningKey signing_key + <: + Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896); + Libcrux_ml_dsa.Types.f_verification_key + = + Libcrux_ml_dsa.Types.MLDSAVerificationKey verification_key + <: + Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592) + } + <: + Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896) + +let sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign (sz 8) (sz 7) (sz 2) (sz 96) (sz 19) 261888l + (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.sign_pre_hashed_shake128 (sz 8) (sz 7) (sz 2) (sz 96) + (sz 19) 261888l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) (sz 640) (sz 4896) (sz 4627) + signing_key.Libcrux_ml_dsa.Types._0 message context randomness + +let verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify (sz 8) (sz 7) (sz 4627) (sz 2592) (sz 19) + (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 
message context signature.Libcrux_ml_dsa.Types._0 + +let verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + = + Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.verify_pre_hashed_shake128 (sz 8) (sz 7) (sz 4627) + (sz 2592) (sz 19) (sz 640) 261888l 120l (sz 128) (sz 1024) (sz 64) (sz 60) (sz 75) + verification_key.Libcrux_ml_dsa.Types._0 message context signature.Libcrux_ml_dsa.Types._0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti new file mode 100644 index 000000000..f5eb82a25 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_87_.fsti 
@@ -0,0 +1,143 @@ +module Libcrux_ml_dsa.Ml_dsa_87_ +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_BITS_PER_COMMITMENT_COEFFICIENT: usize = sz 4 + +let v_BITS_PER_ERROR_COEFFICIENT: usize = sz 3 + +let v_BITS_PER_GAMMA1_COEFFICIENT: usize = sz 20 + +let v_COLUMNS_IN_A: usize = sz 7 + +let v_COMMITMENT_HASH_SIZE: usize = sz 64 + +let v_COMMITMENT_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_COMMITMENT_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + <: + usize) /! + sz 8 + +let v_ERROR_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_ERROR_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) /! + sz 8 + +let v_ETA: usize = sz 2 + +let v_GAMMA1_EXPONENT: usize = sz 19 + +let v_GAMMA1_RING_ELEMENT_SIZE: usize = + (v_BITS_PER_GAMMA1_COEFFICIENT *! Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize + ) /! + sz 8 + +let v_GAMMA2: i32 = (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS -! 1l <: i32) /! 32l + +let v_MAX_ONES_IN_HINT: usize = sz 75 + +let v_ONES_IN_VERIFIER_CHALLENGE: usize = sz 60 + +let v_BETA: i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 + +let v_ROWS_IN_A: usize = sz 8 + +let v_COMMITMENT_VECTOR_SIZE: usize = v_COMMITMENT_RING_ELEMENT_SIZE *! v_ROWS_IN_A + +let v_SIGNATURE_SIZE: usize = + ((v_COMMITMENT_HASH_SIZE +! (v_COLUMNS_IN_A *! v_GAMMA1_RING_ELEMENT_SIZE <: usize) <: usize) +! + v_MAX_ONES_IN_HINT + <: + usize) +! + v_ROWS_IN_A + +let v_SIGNING_KEY_SIZE: usize = + (((Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! Libcrux_ml_dsa.Constants.v_SEED_FOR_SIGNING_SIZE + <: + usize) +! + Libcrux_ml_dsa.Constants.v_BYTES_FOR_VERIFICATION_KEY_HASH + <: + usize) +! + ((v_ROWS_IN_A +! v_COLUMNS_IN_A <: usize) *! v_ERROR_RING_ELEMENT_SIZE <: usize) + <: + usize) +! + (v_ROWS_IN_A *! Libcrux_ml_dsa.Constants.v_RING_ELEMENT_OF_T0S_SIZE <: usize) + +let v_VERIFICATION_KEY_SIZE: usize = + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE +! 
+ (((Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_ROWS_IN_A <: usize) *! + (Libcrux_ml_dsa.Constants.v_FIELD_MODULUS_MINUS_ONE_BIT_LENGTH -! + Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T + <: + usize) + <: + usize) /! + sz 8 + <: + usize) + +/// Generate an ML-DSA 87 Key Pair +/// Generate an ML-DSA key pair. The input is a byte array of size +/// [`KEY_GENERATION_RANDOMNESS_SIZE`]. +/// This function returns an [`MLDSA87KeyPair`]. +val generate_key_pair (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_dsa.Types.t_MLDSAKeyPair (sz 2592) (sz 4896)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign with ML-DSA 87 +/// Sign a `message` with the ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// This function returns an [`MLDSA87Signature`]. +val sign + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign with HashML-DSA 87, with a SHAKE128 pre-hashing +/// Sign a digest of `message` derived using `pre_hash` with the +/// ML-DSA `signing_key`. +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// This function returns an [`MLDSA87Signature`]. 
+val sign_pre_hashed_shake128 + (signing_key: Libcrux_ml_dsa.Types.t_MLDSASigningKey (sz 4896)) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify an ML-DSA-87 Signature +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify a HashML-DSA-87 Signature, with a SHAKE128 pre-hashing +/// The parameter `context` is used for domain separation +/// and is a byte string of length at most 255 bytes. It +/// may also be empty. +/// Returns `Ok` when the `signature` is valid for the `message` and +/// `verification_key`, and a [`VerificationError`] otherwise. +val verify_pre_hashed_shake128 + (verification_key: Libcrux_ml_dsa.Types.t_MLDSAVerificationKey (sz 2592)) + (message context: t_Slice u8) + (signature: Libcrux_ml_dsa.Types.t_MLDSASignature (sz 4627)) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst new file mode 100644 index 000000000..7aab62832 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fst 
@@ -0,0 +1,98 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 
v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context + randomness + +let sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness + +let verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A 
v_SIGNATURE_SIZE + v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + +let verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #Libcrux_ml_dsa.Hash_functions.Simd256.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti new file mode 100644 index 000000000..c244ca0d5 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.fsti 
@@ -0,0 +1,79 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Hash_functions.Simd256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Avx2 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign. +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). 
+val sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst new file mode 100644 index 000000000..9e12c192d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fst 
@@ -0,0 +1,98 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 
v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context + randomness + +let sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake256x4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH (sz 256) + v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness + +let verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A 
v_COLUMNS_IN_A v_SIGNATURE_SIZE + v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + +let verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Neon.t_Shake128x4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti new file mode 100644 index 000000000..93c40dc34 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.fsti 
@@ -0,0 +1,79 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Neon in + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign. +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). 
+val sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst new file mode 100644 index 000000000..3ed0bdc8f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fst 
@@ -0,0 +1,97 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.generate_key_pair #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE randomness + +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + 
v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context + randomness + +let sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_dsa.Ml_dsa_generic.sign_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256X4 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness + +let verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE + 
v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key message context signature + +let verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + = + Libcrux_ml_dsa.Ml_dsa_generic.verify_pre_hashed #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128X4 + #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256 #Libcrux_ml_dsa.Pre_hash.t_SHAKE128_PH + (sz 256) v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key message context signature diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti new file mode 100644 index 000000000..1e4399d64 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.fsti 
@@ -0,0 +1,78 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Portable in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// Generate key pair. +val generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Sign. +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Sign (pre-hashed). 
+val sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// Verify. +val verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Verify (pre-hashed with SHAKE-128). +val verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst new file mode 100644 index 000000000..69d507f61 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fst 
@@ -0,0 +1,163 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.generate_key_pair v_ROWS_IN_A + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE + v_VERIFICATION_KEY_SIZE + randomness + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.generate_key_pair v_ROWS_IN_A + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE + v_VERIFICATION_KEY_SIZE + randomness + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.generate_key_pair v_ROWS_IN_A + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE + v_VERIFICATION_KEY_SIZE + randomness + +let sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key + message context randomness + else + if Libcrux_platform.Platform.simd128_support () + then + 
Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE + signing_key message context randomness + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign v_ROWS_IN_A v_COLUMNS_IN_A v_ETA + v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE + signing_key message context randomness + +let sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.sign_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE + v_SIGNATURE_SIZE signing_key message context randomness + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.sign_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + 
v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.sign_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 + v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key message context randomness + +let verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 + v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message context + signature_serialized + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE + v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key_serialized message context signature_serialized + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify 
v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE + v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE + v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT + verification_key_serialized message context signature_serialized + +let verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + if Libcrux_platform.Platform.simd256_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Avx2.verify_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized + else + if Libcrux_platform.Platform.simd128_support () + then + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Neon.verify_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized + else + Libcrux_ml_dsa.Ml_dsa_generic.Instantiations.Portable.verify_pre_hashed_shake128 v_ROWS_IN_A + v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 v_BETA 
v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT verification_key_serialized message context signature_serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti new file mode 100644 index 000000000..c617ed3c3 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing.fsti 
@@ -0,0 +1,62 @@ +module Libcrux_ml_dsa.Ml_dsa_generic.Multiplexing +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val generate_key_pair + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) + +val sign + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val verify + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + 
(verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed_shake128 + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst new file mode 100644 index 000000000..878dd2cb5 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fst 
@@ -0,0 +1,958 @@ +module Libcrux_ml_dsa.Ml_dsa_generic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let derive_message_representative + (verification_key_hash: t_Array u8 (sz 64)) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (message: t_Slice u8) + (message_representative: t_Array u8 (sz 64)) + = + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + (verification_key_hash <: t_Slice u8) + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + match domain_separation_context with + | Core.Option.Option_Some domain_separation_context -> + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + ((let list = + [ + cast (Core.Option.impl__is_some #(t_Array u8 (sz 11)) + (Libcrux_ml_dsa.Pre_hash.impl_1__pre_hash_oid domain_separation_context + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + <: + bool) + <: + u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + t_Slice u8) + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + ((let list = + [ + cast (Core.Slice.impl__len #u8 + (Libcrux_ml_dsa.Pre_hash.impl_1__context domain_separation_context + <: + t_Slice u8) + <: + 
usize) + <: + u8 + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 1); + Rust_primitives.Hax.array_of_list 1 list) + <: + t_Slice u8) + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + (Libcrux_ml_dsa.Pre_hash.impl_1__context domain_separation_context <: t_Slice u8) + in + (match Libcrux_ml_dsa.Pre_hash.impl_1__pre_hash_oid domain_separation_context with + | Core.Option.Option_Some pre_hash_oid -> + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (pre_hash_oid <: t_Slice u8) + | _ -> shake) + | _ -> shake + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake message + in + let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake message_representative + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in + let message_representative:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + message_representative + +let sign_internal + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 
v_Shake256X4) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + = + let seed_for_A, seed_for_signing, verification_key_hash, s1_as_ntt, s2_as_ntt, t0_as_ntt:(t_Array + u8 (sz 32) & + t_Array u8 (sz 32) & + t_Array u8 (sz 64) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Encoding.Signing_key.deserialize_then_ntt #v_SIMDUnit + v_ROWS_IN_A + v_COLUMNS_IN_A + v_ETA + v_ERROR_RING_ELEMENT_SIZE + v_SIGNING_KEY_SIZE + signing_key + in + let v_A_as_ntt:t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A = + Libcrux_ml_dsa.Samplex4.matrix_A #v_SIMDUnit + #v_Shake128X4 + v_ROWS_IN_A + v_COLUMNS_IN_A + (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) (seed_for_A <: t_Slice u8) + <: + t_Array u8 (sz 34)) + in + let message_representative:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let message_representative:t_Array u8 (sz 64) = + derive_message_representative verification_key_hash + domain_separation_context + message + message_representative + in + let mask_seed:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (seed_for_signing <: t_Slice u8) + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (randomness <: t_Slice u8) + in + let 
shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake + (message_representative <: t_Slice u8) + in + let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 (sz 64)) = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake mask_seed + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in + let mask_seed:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let (domain_separator_for_mask: u16):u16 = 0us in + let v_BETA:i32 = cast (v_ONES_IN_VERIFIER_CHALLENGE *! v_ETA <: usize) <: i32 in + let attempt:usize = sz 0 in + let commitment_hash:Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = + Core.Option.Option_None + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) = + Core.Option.Option_None <: Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) + in + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + = + temp_0_ + in + attempt <. Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN <: bool) + (attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A))) + (fun temp_0_ -> + let attempt, commitment_hash, domain_separator_for_mask, hint, signer_response:(usize & + Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & + u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A)) + = + temp_0_ + in + let attempt:usize = attempt +! sz 1 in + let tmp0, out:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) = + Libcrux_ml_dsa.Sample.sample_mask_vector #v_SIMDUnit + #v_Shake256 + #v_Shake256X4 + v_COLUMNS_IN_A + v_GAMMA1_EXPONENT + (Libcrux_ml_dsa.Utils.into_padded_array (sz 66) (mask_seed <: t_Slice u8) + <: + t_Array u8 (sz 66)) + domain_separator_for_mask + in + let domain_separator_for_mask:u16 = tmp0 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A = + out + in + let v_A_times_mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A = + Libcrux_ml_dsa.Matrix.compute_A_times_mask #v_SIMDUnit + v_ROWS_IN_A + v_COLUMNS_IN_A + v_A_as_ntt + mask + in + let w0, commitment:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_ROWS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Arithmetic.decompose_vector #v_SIMDUnit + v_ROWS_IN_A + v_GAMMA2 + v_A_times_mask + in + let 
commitment_hash_candidate:t_Array u8 v_COMMITMENT_HASH_SIZE = + Rust_primitives.Hax.repeat 0uy v_COMMITMENT_HASH_SIZE + in + let commitment_serialized:t_Array u8 v_COMMITMENT_VECTOR_SIZE = + Libcrux_ml_dsa.Encoding.Commitment.serialize_vector #v_SIMDUnit + v_ROWS_IN_A + v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE + commitment + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake + (message_representative <: t_Slice u8) + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake + (commitment_serialized <: t_Slice u8) + in + let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & + t_Array u8 v_COMMITMENT_HASH_SIZE) = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake commitment_hash_candidate + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in + let commitment_hash_candidate:t_Array u8 v_COMMITMENT_HASH_SIZE = tmp1 in + let _:Prims.unit = () in + let _:Prims.unit = () in + let verifier_challenge_as_ntt:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + = + Libcrux_ml_dsa.Ntt.ntt #v_SIMDUnit + (Libcrux_ml_dsa.Sample.sample_challenge_ring_element #v_SIMDUnit + #v_Shake256 + v_ONES_IN_VERIFIER_CHALLENGE + v_COMMITMENT_HASH_SIZE + commitment_hash_candidate + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let challenge_times_s1:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = + Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + v_COLUMNS_IN_A + s1_as_ntt + verifier_challenge_as_ntt + in + let challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + 
Libcrux_ml_dsa.Matrix.vector_times_ring_element #v_SIMDUnit + v_ROWS_IN_A + s2_as_ntt + verifier_challenge_as_ntt + in + let signer_response_candidate:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A = + Libcrux_ml_dsa.Matrix.add_vectors #v_SIMDUnit v_COLUMNS_IN_A mask challenge_times_s1 + in + let w0_minus_challenge_times_s2:t_Array + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Matrix.subtract_vectors #v_SIMDUnit v_ROWS_IN_A w0 challenge_times_s2 + in + if + Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + v_COLUMNS_IN_A + signer_response_candidate + ((1l <. v_MAX_ONES_IN_HINT + then + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A)) + else + let attempt:usize = Libcrux_ml_dsa.Constants.v_REJECTION_SAMPLE_BOUND_SIGN in + let commitment_hash:Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) = + Core.Option.Option_Some commitment_hash_candidate + <: + Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) + in + let signer_response:Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A) = + Core.Option.Option_Some signer_response_candidate + <: + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A) + in + let hint:Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) = + Core.Option.Option_Some hint_candidate + <: + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) + in + attempt, commitment_hash, domain_separator_for_mask, hint, signer_response + <: + (usize & Core.Option.t_Option (t_Array u8 v_COMMITMENT_HASH_SIZE) & 
u16 & + Core.Option.t_Option (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) & + Core.Option.t_Option + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A))) + in + match + match commitment_hash with + | Core.Option.Option_Some commitment_hash -> + Core.Result.Result_Ok commitment_hash + <: + Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) Libcrux_ml_dsa.Types.t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (t_Array u8 v_COMMITMENT_HASH_SIZE) Libcrux_ml_dsa.Types.t_SigningError + with + | Core.Result.Result_Ok commitment_hash -> + (match + match signer_response with + | Core.Option.Option_Some signer_response -> + Core.Result.Result_Ok signer_response + <: + Core.Result.t_Result + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + Libcrux_ml_dsa.Types.t_SigningError + with + | Core.Result.Result_Ok signer_response -> + (match + match hint with + | Core.Option.Option_Some hint -> + Core.Result.Result_Ok hint + <: + Core.Result.t_Result (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Option.Option_None -> + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_RejectionSamplingError + <: + Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A) + Libcrux_ml_dsa.Types.t_SigningError + with + | Core.Result.Result_Ok hint -> + let signature:t_Array u8 v_SIGNATURE_SIZE = + Libcrux_ml_dsa.Encoding.Signature.impl__serialize 
#v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A + v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE + v_MAX_ONES_IN_HINT + v_SIGNATURE_SIZE + ({ + Libcrux_ml_dsa.Types.f_commitment_hash = commitment_hash; + Libcrux_ml_dsa.Types.f_signer_response = signer_response; + Libcrux_ml_dsa.Types.f_hint = hint + } + <: + Libcrux_ml_dsa.Types.t_Signature v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A) + in + Core.Result.Result_Ok + (Libcrux_ml_dsa.Types.MLDSASignature signature + <: + Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError + +let sign + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + 
(#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + with + | Core.Result.Result_Ok hoist36 -> + sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A + v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE signing_key + message + (Core.Option.Option_Some hoist36 + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + | Core.Result.Result_Err err -> + Core.Result.Result_Err + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError + +let sign_pre_hashed + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 #v_PH: Type0) + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + 
(#[FStar.Tactics.Typeclasses.tcresolve ()] + i8: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i9: + Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + = + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError + else + let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve message + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + with + | Core.Result.Result_Ok hoist39 -> + sign_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 v_ROWS_IN_A v_COLUMNS_IN_A + v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT v_GAMMA2 v_COMMITMENT_RING_ELEMENT_SIZE + v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE + v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE + signing_key (pre_hashed_message <: t_Slice u8) + (Core.Option.Option_Some hoist39 + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) randomness + | Core.Result.Result_Err err -> + Core.Result.Result_Err + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_SigningError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) + <: + Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + 
Libcrux_ml_dsa.Types.t_SigningError + +let verify_internal + (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + let seed_for_A, t1:(t_Array u8 (sz 32) & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Encoding.Verification_key.deserialize #v_SIMDUnit + v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + verification_key_serialized + in + match + Libcrux_ml_dsa.Encoding.Signature.impl__deserialize #v_SIMDUnit + v_COMMITMENT_HASH_SIZE + v_COLUMNS_IN_A + v_ROWS_IN_A + v_GAMMA1_EXPONENT + v_GAMMA1_RING_ELEMENT_SIZE + v_MAX_ONES_IN_HINT + v_SIGNATURE_SIZE + signature_serialized + with + | Core.Result.Result_Ok signature -> + if + ~.(Libcrux_ml_dsa.Arithmetic.vector_infinity_norm_exceeds #v_SIMDUnit + v_COLUMNS_IN_A + signature.Libcrux_ml_dsa.Types.f_signer_response + ((2l <. 
commitment_hash + then + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_CommitmentHashesDontMatchError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else + Core.Result.Result_Ok (() <: Prims.unit) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + else + Core.Result.Result_Err + (Libcrux_ml_dsa.Types.VerificationError_SignerResponseExceedsBoundError + <: + Libcrux_ml_dsa.Types.t_VerificationError) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + | Core.Result.Result_Err err -> + Core.Result.Result_Err err + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify + (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_None <: Core.Option.t_Option (t_Array u8 (sz 11))) + with + | Core.Result.Result_Ok hoist41 -> + verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 + v_BETA v_COMMITMENT_RING_ELEMENT_SIZE 
v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized message + (Core.Option.Option_Some hoist41 + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized + | Core.Result.Result_Err err -> + Core.Result.Result_Err + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let verify_pre_hashed + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_PH: Type0) + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN) + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + = + let pre_hashed_message:t_Array u8 v_PH_DIGEST_LEN = + Libcrux_ml_dsa.Pre_hash.f_hash #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve message + in + match + Libcrux_ml_dsa.Pre_hash.impl_1__new context + (Core.Option.Option_Some + (Libcrux_ml_dsa.Pre_hash.f_oid #v_PH #v_PH_DIGEST_LEN #FStar.Tactics.Typeclasses.solve () + <: + t_Array u8 (sz 11)) + <: + Core.Option.t_Option (t_Array u8 (sz 11))) + with + | Core.Result.Result_Ok hoist43 -> 
+ verify_internal #v_SIMDUnit #v_Shake128X4 #v_Shake256 v_ROWS_IN_A v_COLUMNS_IN_A + v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE v_GAMMA2 + v_BETA v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE + v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT verification_key_serialized + (pre_hashed_message <: t_Slice u8) + (Core.Option.Option_Some hoist43 + <: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) signature_serialized + | Core.Result.Result_Err err -> + Core.Result.Result_Err + (Core.Convert.f_from #Libcrux_ml_dsa.Types.t_VerificationError + #Libcrux_ml_dsa.Pre_hash.t_DomainSeparationError + #FStar.Tactics.Typeclasses.solve + err) + <: + Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError + +let generate_key_pair + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i6: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i7: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (randomness: t_Array u8 (sz 32)) + = + let seed_expanded:t_Array u8 (sz 128) = Rust_primitives.Hax.repeat 0uy (sz 128) in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_init () + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Absorb = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb shake (randomness <: t_Slice u8) + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = + 
Libcrux_ml_dsa.Hash_functions.Portable.shake256_absorb_final shake + ((let list = [cast (v_ROWS_IN_A <: usize) <: u8; cast (v_COLUMNS_IN_A <: usize) <: u8] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); + Rust_primitives.Hax.array_of_list 2 list) + <: + t_Slice u8) + in + let tmp0, tmp1:(Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze & t_Array u8 (sz 128)) = + Libcrux_ml_dsa.Hash_functions.Portable.shake256_squeeze shake seed_expanded + in + let shake:Libcrux_ml_dsa.Hash_functions.Portable.t_Shake256Squeeze = tmp0 in + let seed_expanded:t_Array u8 (sz 128) = tmp1 in + let _:Prims.unit = () in + let seed_for_a, seed_expanded:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + (seed_expanded <: t_Slice u8) + Libcrux_ml_dsa.Constants.v_SEED_FOR_A_SIZE + in + let seed_for_error_vectors, seed_for_signing:(t_Slice u8 & t_Slice u8) = + Core.Slice.impl__split_at #u8 + seed_expanded + Libcrux_ml_dsa.Constants.v_SEED_FOR_ERROR_VECTORS_SIZE + in + let a_as_ntt:t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A = + Libcrux_ml_dsa.Samplex4.matrix_A #v_SIMDUnit + #v_Shake128X4 + v_ROWS_IN_A + v_COLUMNS_IN_A + (Libcrux_ml_dsa.Utils.into_padded_array (sz 34) seed_for_a <: t_Array u8 (sz 34)) + in + let s1, s2:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Samplex4.sample_s1_and_s2 #v_SIMDUnit + #v_Shake256X4 + v_ETA + v_COLUMNS_IN_A + v_ROWS_IN_A + (Libcrux_ml_dsa.Utils.into_padded_array (sz 66) seed_for_error_vectors <: t_Array u8 (sz 66)) + in + let t:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A = + Libcrux_ml_dsa.Matrix.compute_As1_plus_s2 #v_SIMDUnit v_ROWS_IN_A v_COLUMNS_IN_A a_as_ntt s1 s2 + in + let t0, t1:(t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A 
& + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_ROWS_IN_A) = + Libcrux_ml_dsa.Arithmetic.power2round_vector #v_SIMDUnit v_ROWS_IN_A t + in + let verification_key_serialized:t_Array u8 v_VERIFICATION_KEY_SIZE = + Libcrux_ml_dsa.Encoding.Verification_key.generate_serialized #v_SIMDUnit + v_ROWS_IN_A + v_VERIFICATION_KEY_SIZE + seed_for_a + t1 + in + let signing_key_serialized:t_Array u8 v_SIGNING_KEY_SIZE = + Libcrux_ml_dsa.Encoding.Signing_key.generate_serialized #v_SIMDUnit #v_Shake256 v_ROWS_IN_A + v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE seed_for_a seed_for_signing + (verification_key_serialized <: t_Slice u8) s1 s2 t0 + in + signing_key_serialized, verification_key_serialized + <: + (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti new file mode 100644 index 000000000..abf9c8d7c --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ml_dsa_generic.fsti 
@@ -0,0 +1,167 @@ +module Libcrux_ml_dsa.Ml_dsa_generic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Pre_hash in + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// This corresponds to line 6 in algorithm 7 in FIPS 204 (line 7 in algorithm +/// 8, resp.). +/// If `domain_separation_context` is supplied, applies domain +/// separation and length encoding to the context string, +/// before appending the message (in the regular variant) or the +/// pre-hash OID as well as the pre-hashed message digest. Otherwise, +/// it is assumed that `message` already contains domain separation +/// information. +/// In FIPS 204 M' is the concatenation of the domain separated context, any +/// potential pre-hash OID and the message (or the message pre-hash). We do not +/// explicitely construct the concatenation in memory since it is of statically unknown +/// length, but feed its components directly into the incremental XOF. +/// Refer to line 10 of Algorithm 2 (and line 5 of Algorithm 3, resp.) in [FIPS +/// 204](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#section.5) +/// for details on the domain separation for regular ML-DSA. Line +/// 23 of Algorithm 4 (and line 18 of Algorithm 5,resp.) describe domain separation for the HashMl-DSA +/// variant. +val derive_message_representative + (verification_key_hash: t_Array u8 (sz 64)) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (message: t_Slice u8) + (message_representative: t_Array u8 (sz 64)) + : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) + +/// The internal signing API. 
+/// If no `domain_separation_context` is supplied, it is assumed that +/// `message` already contains the domain separation. +val sign_internal + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result 
(Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +val sign_pre_hashed + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4 #v_PH: Type0) + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_GAMMA1_EXPONENT: + usize) + (v_GAMMA2: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT v_GAMMA1_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_SIGNATURE_SIZE: + usize) + {| i5: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i8: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + {| i9: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} + (signing_key: t_Array u8 v_SIGNING_KEY_SIZE) + (message context: t_Slice u8) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure + (Core.Result.t_Result (Libcrux_ml_dsa.Types.t_MLDSASignature v_SIGNATURE_SIZE) + Libcrux_ml_dsa.Types.t_SigningError) Prims.l_True (fun _ -> Prims.l_True) + +/// The internal verification API. +/// If no `domain_separation_context` is supplied, it is assumed that +/// `message` already contains the domain separation. 
+val verify_internal + (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i4: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message: t_Slice u8) + (domain_separation_context: + Core.Option.t_Option Libcrux_ml_dsa.Pre_hash.t_DomainSeparationContext) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify + (#v_SIMDUnit #v_Shake128X4 #v_Shake256: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: + usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i4: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val verify_pre_hashed + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_PH: Type0) + (v_PH_DIGEST_LEN v_ROWS_IN_A v_COLUMNS_IN_A v_SIGNATURE_SIZE v_VERIFICATION_KEY_SIZE v_GAMMA1_EXPONENT v_GAMMA1_RING_ELEMENT_SIZE: 
+ usize) + (v_GAMMA2 v_BETA: i32) + (v_COMMITMENT_RING_ELEMENT_SIZE v_COMMITMENT_VECTOR_SIZE v_COMMITMENT_HASH_SIZE v_ONES_IN_VERIFIER_CHALLENGE v_MAX_ONES_IN_HINT: + usize) + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Pre_hash.t_PreHash v_PH v_PH_DIGEST_LEN |} + (verification_key_serialized: t_Array u8 v_VERIFICATION_KEY_SIZE) + (message context: t_Slice u8) + (signature_serialized: t_Array u8 v_SIGNATURE_SIZE) + : Prims.Pure (Core.Result.t_Result Prims.unit Libcrux_ml_dsa.Types.t_VerificationError) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate a key pair. +val generate_key_pair + (#v_SIMDUnit #v_Shake128X4 #v_Shake256 #v_Shake256X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A v_ETA v_ERROR_RING_ELEMENT_SIZE v_SIGNING_KEY_SIZE v_VERIFICATION_KEY_SIZE: + usize) + {| i4: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + {| i6: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i7: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 v_SIGNING_KEY_SIZE & t_Array u8 v_VERIFICATION_KEY_SIZE) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst new file mode 100644 index 000000000..b36669c58 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fst 
@@ -0,0 +1,407 @@ +module Libcrux_ml_dsa.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let ntt + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + { + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Libcrux_ml_dsa.Simd.Traits.f_ntt #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + re.Libcrux_ml_dsa.Polynomial.f_simd_units + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + +let invert_ntt_at_layer_1_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let zeta_i:usize = zeta_i -! sz 1 in + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 256 /! 
Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let round:usize = round in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + round + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_1_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize ] <: i32) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let zeta_i:usize = zeta_i -! sz 2 in + re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + let zeta_i:usize = zeta_i +! sz 1 in + zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let invert_ntt_at_layer_2_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 256 /! 
Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i -! sz 1 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + round + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let invert_ntt_at_layer_3_plus + (#v_SIMDUnit: Type0) + (v_LAYER: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let step:usize = sz 1 <>! 
v_LAYER <: usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i -! sz 1 in + let offset:usize = + ((round *! step <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! step_by <: usize) + (fun re temp_1_ -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let j:usize = j in + let a_minus_b:v_SIMDUnit = + Libcrux_ml_dsa.Simd.Traits.f_subtract #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! step_by <: usize ] + <: + v_SIMDUnit) + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + j + (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j ] <: v_SIMDUnit) + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ j +! 
step_by <: usize ] + <: + v_SIMDUnit) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + (j +! step_by <: usize) + (Libcrux_ml_dsa.Simd.Traits.montgomery_multiply_by_fer #v_SIMDUnit + a_minus_b + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + re) + in + re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let invert_ntt_at_layer_0_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let zeta_i:usize = zeta_i -! 
sz 1 in + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + (fun temp_0_ round -> + let re, zeta_i:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize) = + temp_0_ + in + let round:usize = round in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + round + (Libcrux_ml_dsa.Simd.Traits.f_invert_ntt_at_layer_0_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ round ] <: v_SIMDUnit) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize ] <: i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 2 <: usize ] <: i32) + (v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 3 <: usize ] <: i32) + <: + v_SIMDUnit) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit + in + let zeta_i:usize = zeta_i -! sz 4 in + re, zeta_i <: (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & usize)) + in + let zeta_i:usize = zeta_i +! 
sz 1 in + zeta_i, re <: (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let invert_ntt_montgomery + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let zeta_i:usize = Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_0_ #v_SIMDUnit zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_1_ #v_SIMDUnit zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_2_ #v_SIMDUnit zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 3) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 4) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 5) zeta_i re + in + let zeta_i:usize = tmp0 in 
+ let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 6) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + invert_ntt_at_layer_3_plus #v_SIMDUnit (sz 7) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = tmp1 in + let _:Prims.unit = () in + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (re.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun re temp_1_ -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let _:usize = temp_1_ in + true) + re + (fun re i -> + let re:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = re in + let i:usize = i in + { + re with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_montgomery_multiply_by_constant #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (re.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) + 41978l + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + re + +let ntt_multiply_montgomery + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (lhs rhs: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + = + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + 
Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + in + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit + (out.Libcrux_ml_dsa.Polynomial.f_simd_units <: t_Slice v_SIMDUnit) + <: + usize) + (fun out temp_1_ -> + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in + let _:usize = temp_1_ in + true) + out + (fun out i -> + let out:Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit = out in + let i:usize = i in + { + out with + Libcrux_ml_dsa.Polynomial.f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_dsa.Polynomial.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_montgomery_multiply #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (lhs.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) + (rhs.Libcrux_ml_dsa.Polynomial.f_simd_units.[ i ] <: v_SIMDUnit) + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti new file mode 100644 index 000000000..d15c500f9 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Ntt.fsti 
@@ -0,0 +1,111 @@ +module Libcrux_ml_dsa.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (sz 256) = + let list = + [ + 0l; 25847l; (-2608894l); (-518909l); 237124l; (-777960l); (-876248l); 466468l; 1826347l; + 2353451l; (-359251l); (-2091905l); 3119733l; (-2884855l); 3111497l; 2680103l; 2725464l; + 1024112l; (-1079900l); 3585928l; (-549488l); (-1119584l); 2619752l; (-2108549l); (-2118186l); + (-3859737l); (-1399561l); (-3277672l); 1757237l; (-19422l); 4010497l; 280005l; 2706023l; + 95776l; 3077325l; 3530437l; (-1661693l); (-3592148l); (-2537516l); 3915439l; (-3861115l); + (-3043716l); 3574422l; (-2867647l); 3539968l; (-300467l); 2348700l; (-539299l); (-1699267l); + (-1643818l); 3505694l; (-3821735l); 3507263l; (-2140649l); (-1600420l); 3699596l; 811944l; + 531354l; 954230l; 3881043l; 3900724l; (-2556880l); 2071892l; (-2797779l); (-3930395l); + (-1528703l); (-3677745l); (-3041255l); (-1452451l); 3475950l; 2176455l; (-1585221l); + (-1257611l); 1939314l; (-4083598l); (-1000202l); (-3190144l); (-3157330l); (-3632928l); + 126922l; 3412210l; (-983419l); 2147896l; 2715295l; (-2967645l); (-3693493l); (-411027l); + (-2477047l); (-671102l); (-1228525l); (-22981l); (-1308169l); (-381987l); 1349076l; 1852771l; + (-1430430l); (-3343383l); 264944l; 508951l; 3097992l; 44288l; (-1100098l); 904516l; 3958618l; + (-3724342l); (-8578l); 1653064l; (-3249728l); 2389356l; (-210977l); 759969l; (-1316856l); + 189548l; (-3553272l); 3159746l; (-1851402l); (-2409325l); (-177440l); 1315589l; 1341330l; + 1285669l; (-1584928l); (-812732l); (-1439742l); (-3019102l); (-3881060l); (-3628969l); + 3839961l; 2091667l; 3407706l; 2316500l; 3817976l; (-3342478l); 2244091l; (-2446433l); + (-3562462l); 266997l; 2434439l; 
(-1235728l); 3513181l; (-3520352l); (-3759364l); (-1197226l); + (-3193378l); 900702l; 1859098l; 909542l; 819034l; 495491l; (-1613174l); (-43260l); (-522500l); + (-655327l); (-3122442l); 2031748l; 3207046l; (-3556995l); (-525098l); (-768622l); (-3595838l); + 342297l; 286988l; (-2437823l); 4108315l; 3437287l; (-3342277l); 1735879l; 203044l; 2842341l; + 2691481l; (-2590150l); 1265009l; 4055324l; 1247620l; 2486353l; 1595974l; (-3767016l); 1250494l; + 2635921l; (-3548272l); (-2994039l); 1869119l; 1903435l; (-1050970l); (-1333058l); 1237275l; + (-3318210l); (-1430225l); (-451100l); 1312455l; 3306115l; (-1962642l); (-1279661l); 1917081l; + (-2546312l); (-1374803l); 1500165l; 777191l; 2235880l; 3406031l; (-542412l); (-2831860l); + (-1671176l); (-1846953l); (-2584293l); (-3724270l); 594136l; (-3776993l); (-2013608l); + 2432395l; 2454455l; (-164721l); 1957272l; 3369112l; 185531l; (-1207385l); (-3183426l); 162844l; + 1616392l; 3014001l; 810149l; 1652634l; (-3694233l); (-1799107l); (-3038916l); 3523897l; + 3866901l; 269760l; 2213111l; (-975884l); 1717735l; 472078l; (-426683l); 1723600l; (-1803090l); + 1910376l; (-1667432l); (-1104333l); (-260646l); (-3833893l); (-2939036l); (-2235985l); + (-420899l); (-2286327l); 183443l; (-976891l); 1612842l; (-3545687l); (-554416l); 3919660l; + (-48306l); (-1362209l); 3937738l; 1400424l; (-846154l); 1976782l + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256); + Rust_primitives.Hax.array_of_list 256 list + +val ntt + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_1_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (usize & 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_2_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_3_plus + (#v_SIMDUnit: Type0) + (v_LAYER: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_0_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (zeta_i: usize) + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_montgomery + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (re: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_multiply_montgomery + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (lhs rhs: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst new file mode 100644 index 000000000..d92cb4d77 --- /dev/null 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fst 
@@ -0,0 +1,258 @@ +module Libcrux_ml_dsa.Polynomial +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let impl__infinity_norm_exceeds + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self: t_PolynomialRingElement v_SIMDUnit) + (bound: i32) + = + let exceeds:bool = false in + let exceeds:bool = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Array v_SIMDUnit + (sz 32)) + #FStar.Tactics.Typeclasses.solve + self.f_simd_units + <: + Core.Array.Iter.t_IntoIter v_SIMDUnit (sz 32)) + exceeds + (fun exceeds simd_unit -> + let exceeds:bool = exceeds in + let simd_unit:v_SIMDUnit = simd_unit in + exceeds || + (Libcrux_ml_dsa.Simd.Traits.f_infinity_norm_exceeds #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + bound + <: + bool)) + in + exceeds + +let impl__ZERO + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (_: Prims.unit) + = + { + f_simd_units + = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Simd.Traits.f_ZERO #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + () + <: + v_SIMDUnit) + (sz 32) + } + <: + t_PolynomialRingElement v_SIMDUnit + +let impl__from_i32_array + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (array: t_Slice i32) + = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #i32 array <: usize) >=. 
sz 256 <: bool) + in + () + in + let array_chunks:Core.Slice.Iter.t_Chunks i32 = + Core.Slice.impl__chunks #i32 array Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let result:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in + let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + Libcrux_ml_dsa.Simd.Traits.v_SIMD_UNITS_IN_RING_ELEMENT + (fun temp_0_ temp_1_ -> + let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 & + t_PolynomialRingElement v_SIMDUnit) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (array_chunks, result <: (Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit)) + (fun temp_0_ i -> + let array_chunks, result:(Core.Slice.Iter.t_Chunks i32 & + t_PolynomialRingElement v_SIMDUnit) = + temp_0_ + in + let i:usize = i in + let tmp0, out:(Core.Slice.Iter.t_Chunks i32 & Core.Option.t_Option (t_Slice i32)) = + Core.Iter.Traits.Iterator.f_next #(Core.Slice.Iter.t_Chunks i32) + #FStar.Tactics.Typeclasses.solve + array_chunks + in + let array_chunks:Core.Slice.Iter.t_Chunks i32 = tmp0 in + array_chunks, + ({ + result with + f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_from_coefficient_array #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Core.Option.impl__unwrap #(t_Slice i32) out <: t_Slice i32) + <: + v_SIMDUnit) + } + <: + t_PolynomialRingElement v_SIMDUnit) + <: + (Core.Slice.Iter.t_Chunks i32 & t_PolynomialRingElement v_SIMDUnit)) + in + result + +let impl__add + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self rhs: t_PolynomialRingElement v_SIMDUnit) + = + let sum:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in + let sum:t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + 
(Core.Slice.impl__len #v_SIMDUnit (sum.f_simd_units <: t_Slice v_SIMDUnit) <: usize) + (fun sum temp_1_ -> + let sum:t_PolynomialRingElement v_SIMDUnit = sum in + let _:usize = temp_1_ in + true) + sum + (fun sum i -> + let sum:t_PolynomialRingElement v_SIMDUnit = sum in + let i:usize = i in + { + sum with + f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sum.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_add #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (self.f_simd_units.[ i ] <: v_SIMDUnit) + (rhs.f_simd_units.[ i ] <: v_SIMDUnit) + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + t_PolynomialRingElement v_SIMDUnit) + in + sum + +let impl__subtract + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (self rhs: t_PolynomialRingElement v_SIMDUnit) + = + let difference:t_PolynomialRingElement v_SIMDUnit = impl__ZERO #v_SIMDUnit () in + let difference:t_PolynomialRingElement v_SIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #v_SIMDUnit (difference.f_simd_units <: t_Slice v_SIMDUnit) <: usize) + (fun difference temp_1_ -> + let difference:t_PolynomialRingElement v_SIMDUnit = difference in + let _:usize = temp_1_ in + true) + difference + (fun difference i -> + let difference:t_PolynomialRingElement v_SIMDUnit = difference in + let i:usize = i in + { + difference with + f_simd_units + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize difference.f_simd_units + i + (Libcrux_ml_dsa.Simd.Traits.f_subtract #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + (self.f_simd_units.[ i ] <: v_SIMDUnit) + (rhs.f_simd_units.[ i ] <: v_SIMDUnit) + <: + v_SIMDUnit) + <: + t_Array v_SIMDUnit (sz 32) + } + <: + t_PolynomialRingElement v_SIMDUnit) + in + difference + +let impl__to_i32_array + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + 
(self: t_PolynomialRingElement v_SIMDUnit) + = + let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in + let result:t_Array i32 (sz 256) = + Rust_primitives.Hax.Folds.fold_enumerated_slice (self.f_simd_units <: t_Slice v_SIMDUnit) + (fun result temp_1_ -> + let result:t_Array i32 (sz 256) = result in + let _:usize = temp_1_ in + true) + result + (fun result temp_1_ -> + let result:t_Array i32 (sz 256) = result in + let i, simd_unit:(usize & v_SIMDUnit) = temp_1_ in + Rust_primitives.Hax.Monomorphized_update_at.update_at_range result + ({ + Core.Ops.Range.f_start + = + i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + <: + usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #i32 + (result.[ { + Core.Ops.Range.f_start + = + i *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT <: usize; + Core.Ops.Range.f_end + = + (i +! sz 1 <: usize) *! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + <: + usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + (Libcrux_ml_dsa.Simd.Traits.f_to_coefficient_array #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + simd_unit + <: + t_Slice i32) + <: + t_Slice i32) + <: + t_Array i32 (sz 256)) + in + result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti new file mode 100644 index 000000000..918eb2620 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Polynomial.fsti 
@@ -0,0 +1,51 @@ +module Libcrux_ml_dsa.Polynomial +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +type t_PolynomialRingElement + (v_SIMDUnit: Type0) {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + = { f_simd_units:t_Array v_SIMDUnit (sz 32) } + +val impl__infinity_norm_exceeds + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self: t_PolynomialRingElement v_SIMDUnit) + (bound: i32) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val impl__ZERO: + #v_SIMDUnit: Type0 -> + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} -> + Prims.unit + -> Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val impl__from_i32_array + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (array: t_Slice i32) + : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val impl__add + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self rhs: t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val impl__subtract + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self rhs: t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_PolynomialRingElement v_SIMDUnit) Prims.l_True (fun _ -> Prims.l_True) + +val impl__to_i32_array + (#v_SIMDUnit: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (self: t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure (t_Array i32 (sz 256)) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst new file mode 100644 index 000000000..c8f3084d4 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fst @@ -0,0 +1,30 @@ +module Libcrux_ml_dsa.Pre_hash +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + () + +let impl_1__context (self: t_DomainSeparationContext) = self.f_context + +let impl_1__pre_hash_oid (self: t_DomainSeparationContext) = self.f_pre_hash_oid + +let impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) = + if (Core.Slice.impl__len #u8 context <: usize) >. Libcrux_ml_dsa.Constants.v_CONTEXT_MAX_LEN + then + Core.Result.Result_Err (DomainSeparationError_ContextTooLongError <: t_DomainSeparationError) + <: + Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError + else + Core.Result.Result_Ok + ({ f_context = context; f_pre_hash_oid = pre_hash_oid } <: t_DomainSeparationContext) + <: + Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError + +let t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) = + match x with | DomainSeparationError_ContextTooLongError -> isz 0 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti new file mode 100644 index 000000000..2e097f642 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Pre_hash.fsti 
@@ -0,0 +1,113 @@ +module Libcrux_ml_dsa.Pre_hash +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Portable in + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + () + +/// Binds the context string to an optional pre-hash OID identifying +/// the hash function or XOF used for pre-hashing. +type t_DomainSeparationContext = { + f_context:t_Slice u8; + f_pre_hash_oid:Core.Option.t_Option (t_Array u8 (sz 11)) +} + +/// Returns the context, guaranteed to be at most 255 bytes long. +val impl_1__context (self: t_DomainSeparationContext) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// Returns the pre-hash OID, if any. +val impl_1__pre_hash_oid (self: t_DomainSeparationContext) + : Prims.Pure (Core.Option.t_Option (t_Array u8 (sz 11))) Prims.l_True (fun _ -> Prims.l_True) + +type t_DomainSeparationError = | DomainSeparationError_ContextTooLongError : t_DomainSeparationError + +/// `context` must be at most 255 bytes long. 
+val impl_1__new (context: t_Slice u8) (pre_hash_oid: Core.Option.t_Option (t_Array u8 (sz 11))) + : Prims.Pure (Core.Result.t_Result t_DomainSeparationContext t_DomainSeparationError) + Prims.l_True + (fun _ -> Prims.l_True) + +val t_DomainSeparationError_cast_to_repr (x: t_DomainSeparationError) + : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) + +class t_PreHash (v_Self: Type0) (v_DIGEST_LEN: usize) = { + f_oid_pre:Prims.unit -> Type0; + f_oid_post:Prims.unit -> t_Array u8 (sz 11) -> Type0; + f_oid:x0: Prims.unit + -> Prims.Pure (t_Array u8 (sz 11)) (f_oid_pre x0) (fun result -> f_oid_post x0 result); + f_hash_pre:t_Slice u8 -> Type0; + f_hash_post:t_Slice u8 -> t_Array u8 v_DIGEST_LEN -> Type0; + f_hash:x0: t_Slice u8 + -> Prims.Pure (t_Array u8 v_DIGEST_LEN) (f_hash_pre x0) (fun result -> f_hash_post x0 result) +} + +/// An implementation of the pre-hash trait for the SHAKE-128 XOF with +/// digest length 256 bytes. +type t_SHAKE128_PH = | SHAKE128_PH : t_SHAKE128_PH + +let v_PRE_HASH_OID_LEN: usize = sz 11 + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_2: Core.Convert.t_From Libcrux_ml_dsa.Types.t_SigningError t_DomainSeparationError = + { + f_from_pre = (fun (e: t_DomainSeparationError) -> true); + f_from_post + = + (fun (e: t_DomainSeparationError) (out: Libcrux_ml_dsa.Types.t_SigningError) -> true); + f_from + = + fun (e: t_DomainSeparationError) -> + match e with + | DomainSeparationError_ContextTooLongError -> + Libcrux_ml_dsa.Types.SigningError_ContextTooLongError <: Libcrux_ml_dsa.Types.t_SigningError + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl_3: Core.Convert.t_From Libcrux_ml_dsa.Types.t_VerificationError t_DomainSeparationError = + { + f_from_pre = (fun (e: t_DomainSeparationError) -> true); + f_from_post + = + (fun (e: t_DomainSeparationError) (out: Libcrux_ml_dsa.Types.t_VerificationError) -> true); + f_from + = + fun (e: t_DomainSeparationError) -> + match e with + | DomainSeparationError_ContextTooLongError -> + 
Libcrux_ml_dsa.Types.VerificationError_ContextTooLongError + <: + Libcrux_ml_dsa.Types.t_VerificationError + } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: t_PreHash t_SHAKE128_PH (sz 256) = + { + f_oid_pre = (fun (_: Prims.unit) -> true); + f_oid_post = (fun (_: Prims.unit) (out: t_Array u8 (sz 11)) -> true); + f_oid + = + (fun (_: Prims.unit) -> + let list = [6uy; 9uy; 96uy; 134uy; 72uy; 1uy; 101uy; 3uy; 4uy; 2uy; 11uy] in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 11); + Rust_primitives.Hax.array_of_list 11 list); + f_hash_pre = (fun (message: t_Slice u8) -> true); + f_hash_post = (fun (message: t_Slice u8) (out: t_Array u8 (sz 256)) -> true); + f_hash + = + fun (message: t_Slice u8) -> + let output:t_Array u8 (sz 256) = Rust_primitives.Hax.repeat 0uy (sz 256) in + let output:t_Array u8 (sz 256) = + Libcrux_ml_dsa.Hash_functions.Shake128.f_shake128 #Libcrux_ml_dsa.Hash_functions.Portable.t_Shake128 + #FStar.Tactics.Typeclasses.solve + (sz 256) + message + output + in + output + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst new file mode 100644 index 000000000..f2d7ff6c7 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fst 
@@ -0,0 +1,1286 @@ +module Libcrux_ml_dsa.Sample +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let update_seed (seed: t_Array u8 (sz 66)) (domain_separator: u16) = + let seed:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed + (sz 64) + (cast (domain_separator <: u16) <: u8) + in + let seed:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed + (sz 65) + (cast (domain_separator >>! 8l <: u16) <: u8) + in + let domain_separator:u16 = domain_separator +! 1us in + let hax_temp_output:t_Array u8 (sz 66) = seed in + domain_separator, hax_temp_output <: (u16 & t_Array u8 (sz 66)) + +let rejection_sample_less_than_eta_equals_2_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + = + let done:bool = false in + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 randomness (sz 4) <: Core.Slice.Iter.t_Chunks u8) + <: + Core.Slice.Iter.t_Chunks u8) + (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + (fun temp_0_ random_bytes -> + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in + let random_bytes:t_Slice u8 = random_bytes in + if ~.done <: bool + then + let tmp0, out1:(t_Slice i32 & usize) = + 
Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + random_bytes + (out.[ { Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice i32) + in + let out:t_Array i32 (sz 263) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out + ({ Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize) + tmp0 + in + let sampled:usize = out1 in + let sampled_coefficients:usize = sampled_coefficients +! sampled in + if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + let done:bool = true in + done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + in + let hax_temp_output:bool = done in + sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) + +let rejection_sample_less_than_eta_equals_4_ + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + = + let done:bool = false in + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 randomness (sz 4) <: Core.Slice.Iter.t_Chunks u8) + <: + Core.Slice.Iter.t_Chunks u8) + (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + (fun temp_0_ random_bytes -> + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in + let random_bytes:t_Slice u8 = random_bytes in + if ~.done <: bool + then + let tmp0, out1:(t_Slice i32 & usize) = + 
Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + random_bytes + (out.[ { Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice i32) + in + let out:t_Array i32 (sz 263) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out + ({ Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize) + tmp0 + in + let sampled:usize = out1 in + let sampled_coefficients:usize = sampled_coefficients +! sampled in + if sampled_coefficients >=. Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + let done:bool = true in + done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + in + let hax_temp_output:bool = done in + sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) + +let rejection_sample_less_than_eta + (#v_SIMDUnit: Type0) + (v_ETA: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (randomness: t_Slice u8) + (sampled: usize) + (out: t_Array i32 (sz 263)) + = + let (out, sampled), hax_temp_output:((t_Array i32 (sz 263) & usize) & bool) = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta_equals_2_ #v_SIMDUnit randomness sampled out + in + let sampled:usize = tmp0 in + let out:t_Array i32 (sz 263) = tmp1 in + (out, sampled <: (t_Array i32 (sz 263) & usize)), out1 + <: + ((t_Array i32 (sz 263) & usize) & bool) + | 4uy -> + let tmp0, tmp1, out1:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta_equals_4_ #v_SIMDUnit randomness sampled out + in + let sampled:usize = tmp0 in + let out:t_Array i32 (sz 263) = tmp1 in + 
(out, sampled <: (t_Array i32 (sz 263) & usize)), out1 + <: + ((t_Array i32 (sz 263) & usize) & bool) + | _ -> + (out, sampled <: (t_Array i32 (sz 263) & usize)), + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + <: + ((t_Array i32 (sz 263) & usize) & bool) + in + sampled, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) + +let rejection_sample_less_than_field_modulus + (#v_SIMDUnit: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + = + let done:bool = false in + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 randomness (sz 24) <: Core.Slice.Iter.t_Chunks u8) + <: + Core.Slice.Iter.t_Chunks u8) + (done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + (fun temp_0_ random_bytes -> + let done, out, sampled_coefficients:(bool & t_Array i32 (sz 263) & usize) = temp_0_ in + let random_bytes:t_Slice u8 = random_bytes in + if ~.done <: bool + then + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Traits.f_rejection_sample_less_than_field_modulus #v_SIMDUnit + #FStar.Tactics.Typeclasses.solve + random_bytes + (out.[ { Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice i32) + in + let out:t_Array i32 (sz 263) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from out + ({ Core.Ops.Range.f_start = sampled_coefficients } + <: + Core.Ops.Range.t_RangeFrom usize) + tmp0 + in + let sampled:usize = out1 in + let sampled_coefficients:usize = sampled_coefficients +! sampled in + if sampled_coefficients >=. 
Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT + then + let done:bool = true in + done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize) + else done, out, sampled_coefficients <: (bool & t_Array i32 (sz 263) & usize)) + in + let hax_temp_output:bool = done in + sampled_coefficients, out, hax_temp_output <: (usize & t_Array i32 (sz 263) & bool) + +let inside_out_shuffle + (randomness: t_Slice u8) + (out_index: usize) + (signs: u64) + (result: t_Array i32 (sz 256)) + = + let done:bool = false in + let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) + #FStar.Tactics.Typeclasses.solve + randomness + <: + Core.Slice.Iter.t_Iter u8) + (done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) + (fun temp_0_ byte -> + let done, out_index, result, signs:(bool & usize & t_Array i32 (sz 256) & u64) = + temp_0_ + in + let byte:u8 = byte in + if ~.done <: bool + then + let sample_at:usize = cast (byte <: u8) <: usize in + let out_index, result, signs:(usize & t_Array i32 (sz 256) & u64) = + if sample_at <=. out_index + then + let result:t_Array i32 (sz 256) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + out_index + (result.[ sample_at ] <: i32) + in + let out_index:usize = out_index +! sz 1 in + let result:t_Array i32 (sz 256) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + sample_at + (1l -! (2l *! (cast (signs &. 1uL <: u64) <: i32) <: i32) <: i32) + in + let signs:u64 = signs >>! 1l in + out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) + else out_index, result, signs <: (usize & t_Array i32 (sz 256) & u64) + in + let done:bool = + out_index =. 
(Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) + in + done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64) + else done, out_index, result, signs <: (bool & usize & t_Array i32 (sz 256) & u64)) + in + let hax_temp_output:bool = done in + out_index, signs, result, hax_temp_output <: (usize & u64 & t_Array i32 (sz 256) & bool) + +let sample_challenge_ring_element + (#v_SIMDUnit #v_Shake256: Type0) + (v_NUMBER_OF_ONES v_SEED_SIZE: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (seed: t_Array u8 v_SEED_SIZE) + = + let state:v_Shake256 = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (seed <: t_Slice u8) + in + let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block #v_Shake256 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake256 = tmp0 in + let randomness:t_Array u8 (sz 136) = out in + let signs:u64 = + Core.Num.impl__u64__from_le_bytes (Core.Result.impl__unwrap #(t_Array u8 (sz 8)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 8)) + #FStar.Tactics.Typeclasses.solve + (randomness.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError) + <: + t_Array u8 (sz 8)) + in + let result:t_Array i32 (sz 256) = Rust_primitives.Hax.repeat 0l (sz 256) in + let out_index:usize = + (Core.Slice.impl__len #i32 (result <: t_Slice i32) <: usize) -! 
v_NUMBER_OF_ONES + in + let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) = + inside_out_shuffle (randomness.[ { Core.Ops.Range.f_start = sz 8 } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + out_index + signs + result + in + let out_index:usize = tmp0 in + let signs:u64 = tmp1 in + let result:t_Array i32 (sz 256) = tmp2 in + let done:bool = out in + let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256) + = + Rust_primitives.f_while_loop (fun temp_0_ -> + let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & + v_Shake256) = + temp_0_ + in + ~.done <: bool) + (done, out_index, result, signs, state + <: + (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256)) + (fun temp_0_ -> + let done, out_index, result, signs, state:(bool & usize & t_Array i32 (sz 256) & u64 & + v_Shake256) = + temp_0_ + in + let tmp0, out:(v_Shake256 & t_Array u8 (sz 136)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block #v_Shake256 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake256 = tmp0 in + let randomness:t_Array u8 (sz 136) = out in + let tmp0, tmp1, tmp2, out:(usize & u64 & t_Array i32 (sz 256) & bool) = + inside_out_shuffle (randomness <: t_Slice u8) out_index signs result + in + let out_index:usize = tmp0 in + let signs:u64 = tmp1 in + let result:t_Array i32 (sz 256) = tmp2 in + let done:bool = out in + done, out_index, result, signs, state + <: + (bool & usize & t_Array i32 (sz 256) & u64 & v_Shake256)) + in + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (result <: t_Slice i32) + +let sample_four_error_ring_elements + (#v_SIMDUnit #v_Shake256: Type0) + (v_ETA: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256) + (seed_base: t_Array u8 (sz 66)) + 
(domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) + = + let seed0:t_Array u8 (sz 66) = seed_base in + let seed0:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 + (sz 64) + (cast (domain_separator0 <: u16) <: u8) + in + let seed0:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 + (sz 65) + (cast (domain_separator0 >>! 8l <: u16) <: u8) + in + let seed1:t_Array u8 (sz 66) = seed0 in + let seed1:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 + (sz 64) + (cast (domain_separator1 <: u16) <: u8) + in + let seed1:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 + (sz 65) + (cast (domain_separator1 >>! 8l <: u16) <: u8) + in + let seed2:t_Array u8 (sz 66) = seed0 in + let seed2:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 + (sz 64) + (cast (domain_seperator2 <: u16) <: u8) + in + let seed2:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 + (sz 65) + (cast (domain_seperator2 >>! 8l <: u16) <: u8) + in + let seed3:t_Array u8 (sz 66) = seed0 in + let seed3:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 + (sz 64) + (cast (domain_separator3 <: u16) <: u8) + in + let seed3:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 + (sz 65) + (cast (domain_separator3 >>! 
8l <: u16) <: u8) + in + let state:v_Shake256 = + Libcrux_ml_dsa.Hash_functions.Shake256.f_init_absorb_x4 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (seed0 <: t_Slice u8) + (seed1 <: t_Slice u8) + (seed2 <: t_Slice u8) + (seed3 <: t_Slice u8) + in + let tmp0, out4:(v_Shake256 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_first_block_x4 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake256 = tmp0 in + let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + let out0:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let out1:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let out2:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let out3:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let sampled0:usize = sz 0 in + let sampled1:usize = sz 0 in + let sampled2:usize = sz 0 in + let sampled3:usize = sz 0 in + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._1 <: t_Slice u8) sampled0 out0 + in + let sampled0:usize = tmp0 in + let out0:t_Array i32 (sz 263) = tmp1 in + let done0:bool = out4 in + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._2 <: t_Slice u8) sampled1 out1 + in + let sampled1:usize = tmp0 in + let out1:t_Array i32 (sz 263) = tmp1 in + let done1:bool = out4 in + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit v_ETA (randomnesses._3 <: t_Slice u8) sampled2 out2 + in + let sampled2:usize = tmp0 in + let out2:t_Array i32 (sz 263) = tmp1 in + let done2:bool = out4 in + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit v_ETA 
(randomnesses._4 <: t_Slice u8) sampled3 out3 + in + let sampled3:usize = tmp0 in + let out3:t_Array i32 (sz 263) = tmp1 in + let done3:bool = out4 in + let + done0, done1, done2, done3, out0, out1, out2, out3, sampled0, sampled1, sampled2, sampled3, state:( + bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let + done0, + done1, + done2, + done3, + out0, + out1, + out2, + out3, + sampled0, + sampled1, + sampled2, + sampled3, + state:(bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256) = + temp_0_ + in + (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool)) + (done0, + done1, + done2, + done3, + out0, + out1, + out2, + out3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256)) + (fun temp_0_ -> + let + done0, + done1, + done2, + done3, + out0, + out1, + out2, + out3, + sampled0, + sampled1, + sampled2, + sampled3, + state:(bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256) = + temp_0_ + in + let tmp0, out4:(v_Shake256 & + (t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136))) + = + Libcrux_ml_dsa.Hash_functions.Shake256.f_squeeze_next_block_x4 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake256 = tmp0 in + let randomnesses:(t_Array u8 (sz 136) & t_Array u8 (sz 136) & t_Array u8 (sz 136) & + t_Array u8 (sz 136)) = + out4 + in + let done0, out0, sampled0:(bool & 
t_Array i32 (sz 263) & usize) = + if ~.done0 + then + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + v_ETA + (randomnesses._1 <: t_Slice u8) + sampled0 + out0 + in + let sampled0:usize = tmp0 in + let out0:t_Array i32 (sz 263) = tmp1 in + let done0:bool = out4 in + done0, out0, sampled0 <: (bool & t_Array i32 (sz 263) & usize) + else done0, out0, sampled0 <: (bool & t_Array i32 (sz 263) & usize) + in + let done1, out1, sampled1:(bool & t_Array i32 (sz 263) & usize) = + if ~.done1 + then + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + v_ETA + (randomnesses._2 <: t_Slice u8) + sampled1 + out1 + in + let sampled1:usize = tmp0 in + let out1:t_Array i32 (sz 263) = tmp1 in + let done1:bool = out4 in + done1, out1, sampled1 <: (bool & t_Array i32 (sz 263) & usize) + else done1, out1, sampled1 <: (bool & t_Array i32 (sz 263) & usize) + in + let done2, out2, sampled2:(bool & t_Array i32 (sz 263) & usize) = + if ~.done2 + then + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + v_ETA + (randomnesses._3 <: t_Slice u8) + sampled2 + out2 + in + let sampled2:usize = tmp0 in + let out2:t_Array i32 (sz 263) = tmp1 in + let done2:bool = out4 in + done2, out2, sampled2 <: (bool & t_Array i32 (sz 263) & usize) + else done2, out2, sampled2 <: (bool & t_Array i32 (sz 263) & usize) + in + if ~.done3 + then + let tmp0, tmp1, out4:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_eta #v_SIMDUnit + v_ETA + (randomnesses._4 <: t_Slice u8) + sampled3 + out3 + in + let sampled3:usize = tmp0 in + let out3:t_Array i32 (sz 263) = tmp1 in + let done3:bool = out4 in + done0, + done1, + done2, + done3, + out0, + out1, + out2, + out3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + 
t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256) + else + done0, + done1, + done2, + done3, + out0, + out1, + out2, + out3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (bool & bool & bool & bool & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + usize & + usize & + usize & + usize & + v_Shake256)) + in + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out0 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out1 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out2 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (out3 <: t_Slice i32) + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let sample_four_ring_elements + (#v_SIMDUnit #v_Shake128: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128) + (seed0: t_Array u8 (sz 34)) + (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) + = + let seed0:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 + (sz 32) + (cast (domain_separator0 <: u16) <: u8) + in + let seed0:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed0 + (sz 33) + (cast (domain_separator0 >>! 
8l <: u16) <: u8) + in + let seed1:t_Array u8 (sz 34) = seed0 in + let seed1:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 + (sz 32) + (cast (domain_separator1 <: u16) <: u8) + in + let seed1:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed1 + (sz 33) + (cast (domain_separator1 >>! 8l <: u16) <: u8) + in + let seed2:t_Array u8 (sz 34) = seed0 in + let seed2:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 + (sz 32) + (cast (domain_seperator2 <: u16) <: u8) + in + let seed2:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed2 + (sz 33) + (cast (domain_seperator2 >>! 8l <: u16) <: u8) + in + let seed3:t_Array u8 (sz 34) = seed0 in + let seed3:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 + (sz 32) + (cast (domain_separator3 <: u16) <: u8) + in + let seed3:t_Array u8 (sz 34) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed3 + (sz 33) + (cast (domain_separator3 >>! 
8l <: u16) <: u8) + in + let state:v_Shake128 = + Libcrux_ml_dsa.Hash_functions.Shake128.f_init_absorb #v_Shake128 + #FStar.Tactics.Typeclasses.solve + (seed0 <: t_Slice u8) + (seed1 <: t_Slice u8) + (seed2 <: t_Slice u8) + (seed3 <: t_Slice u8) + in + let randomness0:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let randomness1:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let randomness2:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let randomness3:t_Array u8 (sz 840) = Rust_primitives.Hax.repeat 0uy (sz 840) in + let tmp0, tmp1, tmp2, tmp3, tmp4:(v_Shake128 & t_Array u8 (sz 840) & t_Array u8 (sz 840) & + t_Array u8 (sz 840) & + t_Array u8 (sz 840)) = + Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_first_five_blocks #v_Shake128 + #FStar.Tactics.Typeclasses.solve + state + randomness0 + randomness1 + randomness2 + randomness3 + in + let state:v_Shake128 = tmp0 in + let randomness0:t_Array u8 (sz 840) = tmp1 in + let randomness1:t_Array u8 (sz 840) = tmp2 in + let randomness2:t_Array u8 (sz 840) = tmp3 in + let randomness3:t_Array u8 (sz 840) = tmp4 in + let _:Prims.unit = () in + let coefficients0:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let coefficients1:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let coefficients2:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let coefficients3:t_Array i32 (sz 263) = Rust_primitives.Hax.repeat 0l (sz 263) in + let sampled0:usize = sz 0 in + let sampled1:usize = sz 0 in + let sampled2:usize = sz 0 in + let sampled3:usize = sz 0 in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomness0 <: t_Slice u8) + sampled0 + coefficients0 + in + let sampled0:usize = tmp0 in + let coefficients0:t_Array i32 (sz 263) = tmp1 in + let done0:bool = out in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + 
rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomness1 <: t_Slice u8) + sampled1 + coefficients1 + in + let sampled1:usize = tmp0 in + let coefficients1:t_Array i32 (sz 263) = tmp1 in + let done1:bool = out in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomness2 <: t_Slice u8) + sampled2 + coefficients2 + in + let sampled2:usize = tmp0 in + let coefficients2:t_Array i32 (sz 263) = tmp1 in + let done2:bool = out in + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomness3 <: t_Slice u8) + sampled3 + coefficients3 + in + let sampled3:usize = tmp0 in + let coefficients3:t_Array i32 (sz 263) = tmp1 in + let done3:bool = out in + let + coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128) = + Rust_primitives.f_while_loop (fun temp_0_ -> + let + coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128) = + temp_0_ + in + (~.done0 <: bool) || (~.done1 <: bool) || (~.done2 <: bool) || (~.done3 <: bool)) + (coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128)) 
+ (fun temp_0_ -> + let + coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state:(t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128) = + temp_0_ + in + let tmp0, out:(v_Shake128 & + (t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168))) + = + Libcrux_ml_dsa.Hash_functions.Shake128.f_squeeze_next_block #v_Shake128 + #FStar.Tactics.Typeclasses.solve + state + in + let state:v_Shake128 = tmp0 in + let randomnesses:(t_Array u8 (sz 168) & t_Array u8 (sz 168) & t_Array u8 (sz 168) & + t_Array u8 (sz 168)) = + out + in + let coefficients0, done0, sampled0:(t_Array i32 (sz 263) & bool & usize) = + if ~.done0 + then + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._1 <: t_Slice u8) + sampled0 + coefficients0 + in + let sampled0:usize = tmp0 in + let coefficients0:t_Array i32 (sz 263) = tmp1 in + let done0:bool = out in + coefficients0, done0, sampled0 <: (t_Array i32 (sz 263) & bool & usize) + else coefficients0, done0, sampled0 <: (t_Array i32 (sz 263) & bool & usize) + in + let coefficients1, done1, sampled1:(t_Array i32 (sz 263) & bool & usize) = + if ~.done1 + then + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._2 <: t_Slice u8) + sampled1 + coefficients1 + in + let sampled1:usize = tmp0 in + let coefficients1:t_Array i32 (sz 263) = tmp1 in + let done1:bool = out in + coefficients1, done1, sampled1 <: (t_Array i32 (sz 263) & bool & usize) + else coefficients1, done1, sampled1 <: (t_Array i32 (sz 263) & bool & usize) + in + let coefficients2, done2, sampled2:(t_Array i32 (sz 263) & bool & usize) = + if ~.done2 + then + let tmp0, tmp1, 
out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._3 <: t_Slice u8) + sampled2 + coefficients2 + in + let sampled2:usize = tmp0 in + let coefficients2:t_Array i32 (sz 263) = tmp1 in + let done2:bool = out in + coefficients2, done2, sampled2 <: (t_Array i32 (sz 263) & bool & usize) + else coefficients2, done2, sampled2 <: (t_Array i32 (sz 263) & bool & usize) + in + if ~.done3 + then + let tmp0, tmp1, out:(usize & t_Array i32 (sz 263) & bool) = + rejection_sample_less_than_field_modulus #v_SIMDUnit + (randomnesses._4 <: t_Slice u8) + sampled3 + coefficients3 + in + let sampled3:usize = tmp0 in + let coefficients3:t_Array i32 (sz 263) = tmp1 in + let done3:bool = out in + coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128) + else + coefficients0, + coefficients1, + coefficients2, + coefficients3, + done0, + done1, + done2, + done3, + sampled0, + sampled1, + sampled2, + sampled3, + state + <: + (t_Array i32 (sz 263) & t_Array i32 (sz 263) & t_Array i32 (sz 263) & + t_Array i32 (sz 263) & + bool & + bool & + bool & + bool & + usize & + usize & + usize & + usize & + v_Shake128)) + in + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients0 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients1 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients2 <: t_Slice i32), + Libcrux_ml_dsa.Polynomial.impl__from_i32_array #v_SIMDUnit (coefficients3 <: t_Slice i32) + <: + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + +let sample_mask_ring_element + (#v_SIMDUnit #v_Shake256: Type0) + (v_GAMMA1_EXPONENT: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (seed: t_Array u8 (sz 66)) + = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> + let out:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out:t_Array u8 (sz 576) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 576) + (seed <: t_Slice u8) + out + in + Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out <: t_Slice u8) + | 19uy -> + let out:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out:t_Array u8 (sz 640) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256 #v_Shake256 + #FStar.Tactics.Typeclasses.solve + (sz 640) + (seed <: t_Slice u8) + out + in + Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit v_GAMMA1_EXPONENT (out <: t_Slice u8) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let sample_mask_vector + (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0) + (v_DIMENSION v_GAMMA1_EXPONENT: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i4: + Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i5: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (seed: t_Array u8 (sz 66)) + (domain_separator: u16) + = + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + 
Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION + in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((v_DIMENSION =. sz 4 <: bool) || (v_DIMENSION =. sz 5 <: bool) || + (v_DIMENSION =. sz 7 <: bool)) + in + () + in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in + let domain_separator:u16 = tmp0 in + let seed0:t_Array u8 (sz 66) = out4 in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in + let domain_separator:u16 = tmp0 in + let seed1:t_Array u8 (sz 66) = out4 in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in + let domain_separator:u16 = tmp0 in + let seed2:t_Array u8 (sz 66) = out4 in + let tmp0, out4:(u16 & t_Array u8 (sz 66)) = update_seed seed domain_separator in + let domain_separator:u16 = tmp0 in + let seed3:t_Array u8 (sz 66) = out4 in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> + let out0:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out1:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out2:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let out3:t_Array u8 (sz 576) = Rust_primitives.Hax.repeat 0uy (sz 576) in + let tmp0, tmp1, tmp2, tmp3:(t_Array u8 (sz 576) & t_Array u8 (sz 576) & t_Array u8 (sz 576) & + t_Array u8 (sz 576)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256_x4 #v_Shake256X4 + #FStar.Tactics.Typeclasses.solve (sz 576) (seed0 <: t_Slice u8) (seed1 <: t_Slice u8) + (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) out0 out1 out2 out3 + in + let out0:t_Array u8 (sz 576) = tmp0 in + let out1:t_Array u8 (sz 576) = tmp1 in + let out2:t_Array u8 (sz 576) = tmp2 in + let out3:t_Array u8 (sz 576) = tmp3 in + let 
_:Prims.unit = () in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 0) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out0 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 1) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out1 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 2) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out2 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 3) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out3 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + mask + | 19uy -> + let out0:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out1:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out2:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let out3:t_Array u8 (sz 640) = Rust_primitives.Hax.repeat 0uy (sz 640) in + let tmp0, tmp1, tmp2, tmp3:(t_Array u8 (sz 640) & t_Array u8 (sz 640) & t_Array u8 (sz 640) & + t_Array u8 (sz 640)) = + Libcrux_ml_dsa.Hash_functions.Shake256.f_shake256_x4 #v_Shake256X4 + #FStar.Tactics.Typeclasses.solve (sz 640) (seed0 <: t_Slice u8) (seed1 <: 
t_Slice u8) + (seed2 <: t_Slice u8) (seed3 <: t_Slice u8) out0 out1 out2 out3 + in + let out0:t_Array u8 (sz 640) = tmp0 in + let out1:t_Array u8 (sz 640) = tmp1 in + let out2:t_Array u8 (sz 640) = tmp2 in + let out3:t_Array u8 (sz 640) = tmp3 in + let _:Prims.unit = () in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 0) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out0 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 1) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out1 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 2) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out2 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + (sz 3) + (Libcrux_ml_dsa.Encoding.Gamma1.deserialize #v_SIMDUnit + v_GAMMA1_EXPONENT + (out3 <: t_Slice u8) + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + mask + | _ -> mask + in + let domain_separator, mask, seed:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array u8 (sz 66)) = + Rust_primitives.Hax.Folds.fold_range (sz 4) + v_DIMENSION + (fun temp_0_ temp_1_ -> + let domain_separator, mask, seed:(u16 & + t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array u8 (sz 66)) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (domain_separator, mask, seed + <: + (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array u8 (sz 66))) + (fun temp_0_ i -> + let domain_separator, mask, seed:(u16 & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array u8 (sz 66)) = + temp_0_ + in + let i:usize = i in + let seed:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed + (sz 64) + (cast (domain_separator <: u16) <: u8) + in + let seed:t_Array u8 (sz 66) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize seed + (sz 65) + (cast (domain_separator >>! 8l <: u16) <: u8) + in + let domain_separator:u16 = domain_separator +! 1us in + let mask:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize mask + i + (sample_mask_ring_element #v_SIMDUnit #v_Shake256 v_GAMMA1_EXPONENT seed + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + in + domain_separator, mask, seed + <: + (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION & + t_Array u8 (sz 66))) + in + let hax_temp_output:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_DIMENSION = + mask + in + domain_separator, hax_temp_output + <: + (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti new file mode 100644 index 000000000..a742ab51f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Sample.fsti 
@@ -0,0 +1,117 @@ +module Libcrux_ml_dsa.Sample +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +val update_seed (seed: t_Array u8 (sz 66)) (domain_separator: u16) + : Prims.Pure (u16 & t_Array u8 (sz 66)) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_eta_equals_2_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_eta_equals_4_ + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_eta + (#v_SIMDUnit: Type0) + (v_ETA: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (randomness: t_Slice u8) + (sampled: usize) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_field_modulus + (#v_SIMDUnit: Type0) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (randomness: t_Slice u8) + (sampled_coefficients: usize) + (out: t_Array i32 (sz 263)) + : Prims.Pure (usize & t_Array i32 (sz 263) & bool) Prims.l_True (fun _ -> Prims.l_True) + +val inside_out_shuffle + (randomness: t_Slice u8) + (out_index: usize) + (signs: u64) + (result: t_Array i32 (sz 256)) + : Prims.Pure (usize & u64 & t_Array i32 (sz 256) 
& bool) Prims.l_True (fun _ -> Prims.l_True) + +val sample_challenge_ring_element + (#v_SIMDUnit #v_Shake256: Type0) + (v_NUMBER_OF_ONES v_SEED_SIZE: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (seed: t_Array u8 v_SEED_SIZE) + : Prims.Pure (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_four_error_ring_elements + (#v_SIMDUnit #v_Shake256: Type0) + (v_ETA: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256 |} + (seed_base: t_Array u8 (sz 66)) + (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) + : Prims.Pure + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_four_ring_elements + (#v_SIMDUnit #v_Shake128: Type0) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128 |} + (seed0: t_Array u8 (sz 34)) + (domain_separator0 domain_separator1 domain_seperator2 domain_separator3: u16) + : Prims.Pure + (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_mask_ring_element + (#v_SIMDUnit #v_Shake256: Type0) + (v_GAMMA1_EXPONENT: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + (seed: t_Array u8 (sz 66)) + : Prims.Pure 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_mask_vector + (#v_SIMDUnit #v_Shake256 #v_Shake256X4: Type0) + (v_DIMENSION v_GAMMA1_EXPONENT: usize) + {| i3: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i4: Libcrux_ml_dsa.Hash_functions.Shake256.t_Xof v_Shake256 |} + {| i5: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (seed: t_Array u8 (sz 66)) + (domain_separator: u16) + : Prims.Pure + (u16 & t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst new file mode 100644 index 000000000..ac648b477 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fst 
@@ -0,0 +1,1295 @@ +module Libcrux_ml_dsa.Samplex4 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +let generate_domain_separator (row column: u8) = + (cast (column <: u8) <: u16) |. ((cast (row <: u8) <: u16) < matrix_A_4_by_4_ #v_SIMDUnit #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A seed + | 6uy, 5uy -> matrix_A_6_by_5_ #v_SIMDUnit #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A seed + | 8uy, 7uy -> matrix_A_8_by_7_ #v_SIMDUnit #v_Shake128X4 v_ROWS_IN_A v_COLUMNS_IN_A seed + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let sample_s1_and_s2_4_by_4_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (seed_base: t_Array u8 (sz 66)) + = + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S1_DIMENSION + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S2_DIMENSION + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement 
v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 0us + 1us + 2us + 3us + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 0) four._1 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 1) four._2 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 2) four._3 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 3) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 4us + 5us + 6us + 7us + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 0) four._1 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 1) four._2 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 2) four._3 + in + let s2:t_Array 
(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 3) four._4 + in + s1, s2 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + +let sample_s1_and_s2_5_by_6_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (seed_base: t_Array u8 (sz 66)) + = + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S1_DIMENSION + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S2_DIMENSION + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 0us + 1us + 2us + 3us + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 0) four._1 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 1) four._2 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 2) four._3 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 3) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 4us + 5us + 6us + 7us + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 4) four._1 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 0) four._2 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 1) four._3 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 2) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 8us + 9us + 10us + 11us + in + let 
s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 3) four._1 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 4) four._2 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 5) four._3 + in + s1, s2 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + +let sample_s1_and_s2_7_by_8_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (seed_base: t_Array u8 (sz 66)) + = + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S1_DIMENSION + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.repeat (Libcrux_ml_dsa.Polynomial.impl__ZERO #v_SIMDUnit () + <: + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_S2_DIMENSION + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + 
#v_Shake256X4 + v_ETA + seed_base + 0us + 1us + 2us + 3us + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 0) four._1 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 1) four._2 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 2) four._3 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 3) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 4us + 5us + 6us + 7us + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 4) four._1 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 5) four._2 + in + let s1:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s1 (sz 6) four._3 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 0) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + 
Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 8us + 9us + 10us + 11us + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 1) four._1 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 2) four._2 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 3) four._3 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 4) four._4 + in + let four:(Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit & + Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) = + Libcrux_ml_dsa.Sample.sample_four_error_ring_elements #v_SIMDUnit + #v_Shake256X4 + v_ETA + seed_base + 12us + 13us + 14us + 15us + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 5) four._1 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 6) four._2 + in + let s2:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize s2 (sz 7) 
four._3 + in + s1, s2 + <: + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + +let sample_s1_and_s2 + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i2: + Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i3: + Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4) + (seed: t_Array u8 (sz 66)) + = + match + (cast (v_S1_DIMENSION <: usize) <: u8), (cast (v_S2_DIMENSION <: usize) <: u8) <: (u8 & u8) + with + | 4uy, 4uy -> + sample_s1_and_s2_4_by_4_ #v_SIMDUnit #v_Shake256X4 v_ETA v_S1_DIMENSION v_S2_DIMENSION seed + | 5uy, 6uy -> + sample_s1_and_s2_5_by_6_ #v_SIMDUnit #v_Shake256X4 v_ETA v_S1_DIMENSION v_S2_DIMENSION seed + | 7uy, 8uy -> + sample_s1_and_s2_7_by_8_ #v_SIMDUnit #v_Shake256X4 v_ETA v_S1_DIMENSION v_S2_DIMENSION seed + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti new file mode 100644 index 000000000..a914aec27 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Samplex4.fsti 
@@ -0,0 +1,121 @@ +module Libcrux_ml_dsa.Samplex4 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Hash_functions.Shake128 in + let open Libcrux_ml_dsa.Hash_functions.Shake256 in + let open Libcrux_ml_dsa.Simd.Traits in + () + +val generate_domain_separator (row column: u8) : Prims.Pure u16 Prims.l_True (fun _ -> Prims.l_True) + +val update_matrix + (#v_SIMDUnit: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + (m: + t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) + (i j: usize) + (v: Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val matrix_A_4_by_4_ + (#v_SIMDUnit #v_Shake128X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + (seed: t_Array u8 (sz 34)) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val matrix_A_6_by_5_ + (#v_SIMDUnit #v_Shake128X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + (seed: t_Array u8 (sz 34)) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val matrix_A_8_by_7_ + (#v_SIMDUnit #v_Shake128X4: Type0) + (v_ROWS_IN_A 
v_COLUMNS_IN_A: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + (seed: t_Array u8 (sz 34)) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val matrix_A + (#v_SIMDUnit #v_Shake128X4: Type0) + (v_ROWS_IN_A v_COLUMNS_IN_A: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake128.t_XofX4 v_Shake128X4 |} + (seed: t_Array u8 (sz 34)) + : Prims.Pure + (t_Array + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_COLUMNS_IN_A) + v_ROWS_IN_A) Prims.l_True (fun _ -> Prims.l_True) + +val sample_s1_and_s2_4_by_4_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (seed_base: t_Array u8 (sz 66)) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_s1_and_s2_5_by_6_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (seed_base: t_Array u8 (sz 66)) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_s1_and_s2_7_by_8_ + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} 
+ {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (seed_base: t_Array u8 (sz 66)) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) + +val sample_s1_and_s2 + (#v_SIMDUnit #v_Shake256X4: Type0) + (v_ETA v_S1_DIMENSION v_S2_DIMENSION: usize) + {| i2: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + {| i3: Libcrux_ml_dsa.Hash_functions.Shake256.t_XofX4 v_Shake256X4 |} + (seed: t_Array u8 (sz 66)) + : Prims.Pure + (t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S1_DIMENSION & + t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) v_S2_DIMENSION) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst new file mode 100644 index 000000000..6c88f5ff3 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fst 
@@ -0,0 +1,267 @@ +module Libcrux_ml_dsa.Simd.Avx2.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let add (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 lhs rhs + +let compute_hint (v_GAMMA2: i32) (low high: u8) = + let gamma2:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_GAMMA2 in + let minus_gamma2:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) + in + let low_within_bound:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 + low + <: + u8) + gamma2 + in + let low_equals_minus_gamma2:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpeq_epi32 low minus_gamma2 + in + let low_equals_minus_gamma2_and_high_is_nonzero:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sign_epi32 low_equals_minus_gamma2 high + in + let hints:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_or_si256 low_within_bound + low_equals_minus_gamma2_and_high_is_nonzero + in + let hints_mask:i32 = + Libcrux_intrinsics.Avx2_extract.mm256_movemask_ps (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_ps + hints + <: + u8) + in + (cast (Core.Num.impl__i32__count_ones hints_mask <: u32) <: usize), + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 hints + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1l <: u8) + <: + (usize & u8) + +let infinity_norm_exceeds (simd_unit: u8) (bound: i32) = + let absolute_values:u8 = Libcrux_intrinsics.Avx2_extract.mm256_abs_epi32 simd_unit in + let bound:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (bound -! 1l <: i32) in + let compare_with_bound:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 absolute_values bound + in + let result:i32 = + Libcrux_intrinsics.Avx2_extract.mm256_testz_si256 compare_with_bound compare_with_bound + in + if result =. 
1l then false else true + +let subtract (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 lhs rhs + +let shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: u8) = + let shifted:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 v_SHIFT_BY simd_unit in + let quotient:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 shifted + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < + let result:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 ceil_of_r_by_128_ + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 11275l <: u8) + in + let result:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 result + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < + let result:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 ceil_of_r_by_128_ + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 1025l <: u8) + in + let result:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 result + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let r0:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 r1 + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 v_ALPHA <: u8) + in + let r0:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r r0 in + let mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 field_modulus_halved r0 in + let mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 31l mask in + let field_modulus_and_mask:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 mask + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + <: + u8) + in + let r0:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 r0 field_modulus_and_mask in + r0, r1 <: (u8 & u8) + +let use_hint (v_GAMMA2: i32) (r hint: u8) = + let r0, r1:(u8 & u8) = decompose v_GAMMA2 r in + let all_zeros:u8 = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () in 
+ let negate_hints:u8 = Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 all_zeros hint r0 in + let negate_hints:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 1l negate_hints in + let hints:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 hint negate_hints in + let r1_plus_hints:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 r1 hints in + match v_GAMMA2 with + | 95232l -> + let max:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 43l in + let r1_plus_hints:u8 = + Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints max r1_plus_hints + in + let greater_than_or_equal_to_max:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 r1_plus_hints max + in + Libcrux_intrinsics.Avx2_extract.vec256_blendv_epi32 r1_plus_hints + all_zeros + greater_than_or_equal_to_max + | 261888l -> + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 r1_plus_hints + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 15l <: u8) + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti new file mode 100644 index 000000000..e11e02fab --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Arithmetic.fsti 
@@ -0,0 +1,30 @@ +module Libcrux_ml_dsa.Simd.Avx2.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val add (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val compute_hint (v_GAMMA2: i32) (low high: u8) + : Prims.Pure (usize & u8) Prims.l_True (fun _ -> Prims.l_True) + +val infinity_norm_exceeds (simd_unit: u8) (bound: i32) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val subtract (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val shift_left_then_reduce (v_SHIFT_BY: i32) (simd_unit: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val to_unsigned_representatives (t: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val power2round (r: u8) : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant (lhs: u8) (constant: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val decompose (v_GAMMA2: i32) (r: u8) : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) + +val use_hint (v_GAMMA2: i32) (r hint: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst new file mode 100644 index 000000000..fba456933 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fst 
@@ -0,0 +1,141 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) = + let serialized:t_Array u8 (sz 19) = Rust_primitives.Hax.repeat 0uy (sz 19) in + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 4uy -> + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 28l 0l 28l 0l 28l 0l 28l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 28l adjacent_2_combined + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 2l 4l 0l <: u8) + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 240uy 240uy 240uy 240uy 240uy 240uy 240uy 240uy + 240uy 240uy 240uy 240uy 12uy 4uy 8uy 0uy + <: + u8) + in + let serialized:t_Array u8 (sz 19) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + adjacent_4_combined + <: + t_Slice u8) + in + Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 v_OUTPUT_SIZE) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + 
<: + Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) + | 6uy -> + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 26l 0l 26l 0l 26l 0l 26l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 26l adjacent_2_combined + in + let adjacent_3_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) 9y 8y 1y 0y + <: + u8) + in + let adjacent_3_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 adjacent_3_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 1s 1s 1s 1s 1s 1s 1s (1s < + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti new file mode 100644 index 000000000..74c8d9c15 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.fsti @@ -0,0 +1,7 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst new file mode 100644 index 000000000..be78d6aba --- /dev/null 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fst 
@@ -0,0 +1,229 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_to_unsigned_when_eta_is_2_ (bytes: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 bytes <: usize) =. sz 3 <: bool) + in + () + in + let bytes_in_simd_unit:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (cast (bytes.[ sz 2 ] <: u8) <: i32) + (cast (bytes.[ sz 2 ] <: u8) <: i32) + (((cast (bytes.[ sz 2 ] <: u8) <: i32) < deserialize_to_unsigned_when_eta_is_2_ serialized + | 4uy -> deserialize_to_unsigned_when_eta_is_4_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let deserialize (v_ETA: usize) (serialized: t_Slice u8) = + let unsigned:u8 = deserialize_to_unsigned v_ETA serialized in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ( + cast (v_ETA <: usize) <: i32) + <: + u8) + unsigned + +let serialize_when_eta_is_2_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = + let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let simd_unit_shifted:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + serialize_when_eta_is_2___ETA + <: + u8) + simd_unit + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 29l 0l 29l 0l 29l 0l 29l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 29l adjacent_2_combined + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 8y (-1y) 0y (-1y) 
(-1y) (-1y) (-1y) (-1y) (-1y) (-1y) + (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 8y (-1y) 0y + <: + u8) + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 0s 0s 0s 0s 0s 0s (1s < serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit + | 4uy -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti new file mode 100644 index 000000000..45782f6dc --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.fsti @@ -0,0 +1,33 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_to_unsigned_when_eta_is_2___COEFFICIENT_MASK: i32 = (1l < Prims.l_True) + +val deserialize_to_unsigned_when_eta_is_4_ (bytes: t_Slice u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val deserialize_to_unsigned (v_ETA: usize) (serialized: t_Slice u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val deserialize (v_ETA: usize) (serialized: t_Slice u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_eta_is_2_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_eta_is_4_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst new file mode 100644 index 000000000..929fa141e --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fst 
@@ -0,0 +1,291 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 18 <: bool) + in + () + in + let serialized_lower:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let serialized_upper:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 2; + Core.Ops.Range.f_end = sz 18 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let serialized:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 11y + 10y 9y (-1y) 9y 8y 7y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) 4y 3y 2y (-1y) 2y 1y 0y + <: + u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 2l 0l 6l 4l 2l 0l <: u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_17___GAMMA1_TIMES_2_MASK + + <: + u8) + in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_17___GAMMA1 + + <: + u8) + coefficients + +let deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. 
sz 20 <: bool) + in + () + in + let serialized_lower:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let serialized_upper:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 4; + Core.Ops.Range.f_end = sz 20 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + in + let serialized:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized_upper serialized_lower + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 15y 14y 13y (-1y) 13y 12y 11y (-1y) 10y + 9y 8y (-1y) 8y 7y 6y (-1y) 9y 8y 7y (-1y) 7y 6y 5y (-1y) 4y 3y 2y (-1y) 2y 1y 0y + <: + u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 4l 0l 4l 0l 4l 0l 4l 0l <: u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_19___GAMMA1_TIMES_2_MASK + + <: + u8) + in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize_when_gamma1_is_2_pow_19___GAMMA1 + + <: + u8) + coefficients + +let deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) = + match cast (v_GAMMA1_EXPONENT <: usize) <: u8 with + | 17uy -> deserialize_when_gamma1_is_2_pow_17_ serialized + | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let serialize_when_gamma1_is_2_pow_17_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let 
simd_unit_shifted:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + serialize_when_gamma1_is_2_pow_17___GAMMA1 + <: + u8) + simd_unit + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 14l 0l 14l 0l 14l 0l 14l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 14l adjacent_2_combined + in + let every_second_element:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_bsrli_epi128 8l adjacent_2_combined + in + let every_second_element_shifted:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_slli_epi64 36l every_second_element + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi64 adjacent_2_combined every_second_element_shifted + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi64 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x 28L 0L 28L 0L <: u8) + in + let lower_4_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + lower_4_ + <: + t_Slice u8) + in + let upper_4_:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined + in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 9; Core.Ops.Range.f_end = sz 25 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + 
Core.Ops.Range.f_start = sz 9; + Core.Ops.Range.f_end = sz 25 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + upper_4_ + <: + t_Slice u8) + in + Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 v_OUTPUT_SIZE) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 18 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) + +let serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let simd_unit_shifted:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + serialize_when_gamma1_is_2_pow_19___GAMMA1 + <: + u8) + simd_unit + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit_shifted + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_2_combined + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y + 10y 9y 8y 4y 3y 2y 1y 0y (-1y) (-1y) (-1y) (-1y) (-1y) (-1y) 12y 11y 10y 9y 8y 4y 3y 2y 1y + 0y + <: + u8) + in + let lower_4_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = 
sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + lower_4_ + <: + t_Slice u8) + in + let upper_4_:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined + in + let serialized:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 26 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 10; + Core.Ops.Range.f_end = sz 26 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + upper_4_ + <: + t_Slice u8) + in + Core.Result.impl__unwrap #(t_Array u8 v_OUTPUT_SIZE) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 v_OUTPUT_SIZE) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 20 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 v_OUTPUT_SIZE) Core.Array.t_TryFromSliceError) + +let serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) = + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 18uy -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit + | 20uy -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti new file mode 100644 index 000000000..655c1c899 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.fsti 
@@ -0,0 +1,36 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True) + +val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_gamma1_is_2_pow_17_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_gamma1_is_2_pow_19_ (v_OUTPUT_SIZE: usize) (simd_unit: u8) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize (v_OUTPUT_SIZE: usize) (simd_unit: u8) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst new file mode 100644 index 000000000..f60e7085a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fst 
@@ -0,0 +1,112 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.T0 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let change_interval (simd_unit: u8) = + let interval_end:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (1l < Hax_lib.v_assert (left_val =. right_val <: bool) + in + () + in + let serialized_extended:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let serialized_extended:t_Array u8 (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized_extended + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized_extended.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + serialized + <: + t_Slice u8) + in + let serialized:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (serialized_extended <: t_Slice u8) + in + let serialized:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_m128i serialized serialized in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 serialized + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 12y 11y (-1y) 11y 10y 9y (-1y) + (-1y) 9y 8y (-1y) 8y 7y 6y (-1y) 6y 5y 4y (-1y) (-1y) 4y 3y (-1y) 3y 2y 1y (-1y) (-1y) 1y + 0y + <: + u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 3l 6l 1l 4l 7l 2l 5l 0l <: u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK <: u8) + in + change_interval coefficients + +let serialize (simd_unit: u8) = + let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let simd_unit:u8 = change_interval simd_unit in + let adjacent_2_combined:u8 = + 
Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 19l 0l 19l 0l 19l 0l 19l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 19l adjacent_2_combined + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 0l 0l 6l 4l 2l 0l <: u8) + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 6l 0l 6l 0l 6l 0l 6l <: u8) + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 6l adjacent_4_combined + in + let second_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_bsrli_epi128 8l adjacent_4_combined + in + let least_12_bits_shifted_up:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_slli_epi64 52l second_4_combined + in + let bits_sequential:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi64 adjacent_4_combined least_12_bits_shifted_up + in + let bits_sequential:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi64 bits_sequential + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi64x 0L 0L 12L 0L <: u8) + in + let bits_sequential:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 bits_sequential in + let serialized:t_Array u8 (sz 16) = + Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 serialized bits_sequential + in + Core.Result.impl__unwrap #(t_Array u8 (sz 13)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 13)) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 13 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 (sz 13)) Core.Array.t_TryFromSliceError) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti new file mode 100644 index 000000000..a8bc01c8f --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.fsti @@ -0,0 +1,12 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.T0 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val change_interval (simd_unit: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) + +val serialize (simd_unit: u8) : Prims.Pure (t_Array u8 (sz 13)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst new file mode 100644 index 000000000..c2206218a --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fst 
@@ -0,0 +1,120 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let serialize (simd_unit: u8) = + let serialized:t_Array u8 (sz 24) = Rust_primitives.Hax.repeat 0uy (sz 24) in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 simd_unit + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 22l 0l 22l 0l 22l 0l 22l <: u8) + in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 22l adjacent_2_combined + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 adjacent_2_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 0l 6l 4l 0l 0l 2l 0l <: u8) + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sllv_epi32 adjacent_4_combined + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 12l 0l 12l 0l 12l 0l 12l <: u8) + in + let adjacent_4_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srli_epi64 12l adjacent_4_combined + in + let lower_4_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_4_combined in + let serialized:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + lower_4_ + <: + t_Slice u8) + in + let upper_4_:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_4_combined + in + let serialized:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized + ({ Core.Ops.Range.f_start = sz 5; Core.Ops.Range.f_end = sz 21 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_bytes_si128 (serialized.[ { + 
Core.Ops.Range.f_start = sz 5; + Core.Ops.Range.f_end = sz 21 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + upper_4_ + <: + t_Slice u8) + in + Core.Result.impl__unwrap #(t_Array u8 (sz 10)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice u8) + #(t_Array u8 (sz 10)) + #FStar.Tactics.Typeclasses.solve + (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + <: + Core.Result.t_Result (t_Array u8 (sz 10)) Core.Array.t_TryFromSliceError) + +let deserialize (bytes: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + match Core.Slice.impl__len #u8 bytes, sz 10 <: (usize & usize) with + | left_val, right_val -> Hax_lib.v_assert (left_val =. right_val <: bool) + in + () + in + let bytes_extended:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let bytes_extended:t_Array u8 (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range bytes_extended + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (bytes_extended.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + bytes + <: + t_Slice u8) + in + let bytes_loaded:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes_extended <: t_Slice u8) + in + let bytes_loaded:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_m128i bytes_loaded bytes_loaded in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 bytes_loaded + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) (-1y) 9y 8y (-1y) (-1y) 8y 7y (-1y) + (-1y) 7y 6y (-1y) (-1y) 6y 5y (-1y) (-1y) 4y 3y (-1y) (-1y) 3y 2y (-1y) (-1y) 2y 1y (-1y) + (-1y) 1y 0y + <: + u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_srlv_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 6l 4l 
2l 0l 6l 4l 2l 0l <: u8) + in + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 deserialize__COEFFICIENT_MASK <: u8) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti new file mode 100644 index 000000000..7999a014d --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.fsti @@ -0,0 +1,10 @@ +module Libcrux_ml_dsa.Simd.Avx2.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) + +val deserialize (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst new file mode 100644 index 000000000..0e6daf656 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fst 
@@ -0,0 +1,345 @@ +module Libcrux_ml_dsa.Simd.Avx2.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let butterfly_2_ (a b: u8) (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) = + let a_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a in + let b_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b in + let summands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a_shuffled b_shuffled in + let zeta_multiplicands:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a_shuffled b_shuffled + in + let zetas:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta_b3 + zeta_b2 + zeta_a3 + zeta_a2 + zeta_b1 + zeta_b0 + zeta_a1 + zeta_a0 + in + let zeta_products:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas + in + let add_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products in + let sub_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products in + let a_terms_shuffled:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms + in + let b_terms_shuffled:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms + in + let a_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l a_terms_shuffled in + let b_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 216l b_terms_shuffled in + a_out, b_out <: (u8 & u8) + +let butterfly_4_ (a b: u8) (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) = + let summands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 a b in + let zeta_multiplicands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 a b in + let zetas:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta_b1 + zeta_b1 + zeta_a1 + zeta_a1 + zeta_b0 + zeta_b0 + zeta_a0 + zeta_a0 + in + let zeta_products:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas + in + let 
add_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products in + let sub_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products in + let a_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi64 add_terms sub_terms in + let b_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 add_terms sub_terms in + a_out, b_out <: (u8 & u8) + +let butterfly_8_ (a b: u8) (zeta0 zeta1: i32) = + let summands:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 + b + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 a <: u8) + in + let zeta_multiplicands:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l b a in + let zetas:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 zeta1 zeta1 zeta0 zeta0 zeta0 zeta0 + in + let zeta_products:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply zeta_multiplicands zetas + in + let add_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add summands zeta_products in + let sub_terms:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract summands zeta_products in + let a_out:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_m128i (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 + sub_terms + <: + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 add_terms <: u8) + in + let b_out:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute2x128_si256 19l sub_terms add_terms in + a_out, b_out <: (u8 & u8) + +let invert_ntt_at_layer_0_ (simd_unit: u8) (zeta0 zeta1 zeta2 zeta3: i32) = + let zetas:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta3 0l zeta2 0l zeta1 0l zeta0 0l + in + let add_by_signs:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (-1l) 1l (-1l) 1l (-1l) 1l (-1l) 1l + in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 177l simd_unit in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs in + let 
sums:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 simd_unit add_by in + let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in + Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 170l sums products + +let invert_ntt_at_layer_1_ (simd_unit: u8) (zeta0 zeta1: i32) = + let zetas:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta1 zeta1 0l 0l zeta0 zeta0 0l 0l + in + let add_by_signs:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (-1l) (-1l) 1l 1l (-1l) (-1l) 1l 1l + in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 78l simd_unit in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs in + let sums:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 simd_unit add_by in + let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in + Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 204l sums products + +let invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32) = + let zetas:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 zeta zeta zeta zeta 0l 0l 0l 0l in + let add_by_signs:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (-1l) (-1l) (-1l) (-1l) 1l 1l 1l 1l + in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 78l simd_unit in + let add_by:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 add_by add_by_signs in + let sums:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 simd_unit add_by in + let products:u8 = Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply sums zetas in + Libcrux_intrinsics.Avx2_extract.mm256_blend_epi32 240l sums products + +let ntt_at_layer_3_plus (v_LAYER zeta_i: usize) (re: t_Array u8 (sz 32)) = + let step:usize = sz 1 <>! 
v_LAYER <: usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (t_Array u8 (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in + let round:usize = round in + let zeta_i:usize = zeta_i +! sz 1 in + let offset:usize = + ((round *! step <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! step_by <: usize) + (fun re temp_1_ -> + let re:t_Array u8 (sz 32) = re in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array u8 (sz 32) = re in + let j:usize = j in + let t:u8 = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant (re.[ j +! + step_by + <: + usize ] + <: + u8) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! step_by <: usize) + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract (re.[ j ] <: u8) t <: u8) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add (re.[ j ] <: u8) t <: u8) + in + re) + in + re, zeta_i <: (t_Array u8 (sz 32) & usize)) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + zeta_i, re <: (usize & t_Array u8 (sz 32)) + +let ntt_at_layer_0_ (zeta_i: usize) (re: t_Array u8 (sz 32)) = + let zeta_i:usize = zeta_i +! 
sz 1 in + let re, zeta_i:(t_Array u8 (sz 32) & usize) = + Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) + (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize) + (sz 2) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (t_Array u8 (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in + let round:usize = round in + let a, b:(u8 & u8) = + butterfly_2_ (re.[ round ] <: u8) (re.[ round +! sz 1 <: usize ] <: u8) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 4 <: usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 5 <: usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 6 <: usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 7 <: usize ] + <: + i32) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (round +! sz 1 <: usize) + b + in + let zeta_i:usize = zeta_i +! sz 8 in + re, zeta_i <: (t_Array u8 (sz 32) & usize)) + in + let zeta_i:usize = zeta_i -! sz 1 in + zeta_i, re <: (usize & t_Array u8 (sz 32)) + +let ntt_at_layer_1_ (zeta_i: usize) (re: t_Array u8 (sz 32)) = + let zeta_i:usize = zeta_i +! 
sz 1 in + let re, zeta_i:(t_Array u8 (sz 32) & usize) = + Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) + (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize) + (sz 2) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (t_Array u8 (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in + let round:usize = round in + let a, b:(u8 & u8) = + butterfly_4_ (re.[ round ] <: u8) + (re.[ round +! sz 1 <: usize ] <: u8) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ] + <: + i32) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (round +! sz 1 <: usize) + b + in + let zeta_i:usize = zeta_i +! sz 4 in + re, zeta_i <: (t_Array u8 (sz 32) & usize)) + in + let zeta_i:usize = zeta_i -! sz 1 in + zeta_i, re <: (usize & t_Array u8 (sz 32)) + +let ntt_at_layer_2_ (zeta_i: usize) (re: t_Array u8 (sz 32)) = + let re, zeta_i:(t_Array u8 (sz 32) & usize) = + Rust_primitives.Hax.Folds.fold_range_step_by (sz 0) + (Core.Slice.impl__len #u8 (re <: t_Slice u8) <: usize) + (sz 2) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in + let _:usize = temp_1_ in + true) + (re, zeta_i <: (t_Array u8 (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array u8 (sz 32) & usize) = temp_0_ in + let round:usize = round in + let zeta_i:usize = zeta_i +! sz 1 in + let a, b:(u8 & u8) = + butterfly_8_ (re.[ round ] <: u8) + (re.[ round +! 
sz 1 <: usize ] <: u8) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize ] + <: + i32) + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re round a + in + let re:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (round +! sz 1 <: usize) + b + in + let zeta_i:usize = zeta_i +! sz 1 in + re, zeta_i <: (t_Array u8 (sz 32) & usize)) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + zeta_i, re <: (usize & t_Array u8 (sz 32)) + +let ntt (re: t_Array u8 (sz 32)) = + let zeta_i:usize = sz 0 in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 7) zeta_i re in + let zeta_i:usize = tmp0 in + let re:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 6) zeta_i re in + let zeta_i:usize = tmp0 in + let re:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 5) zeta_i re in + let zeta_i:usize = tmp0 in + let re:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 4) zeta_i re in + let zeta_i:usize = tmp0 in + let re:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_3_plus (sz 3) zeta_i re in + let zeta_i:usize = tmp0 in + let re:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_2_ zeta_i re in + let zeta_i:usize = tmp0 in + let re:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = ntt_at_layer_1_ zeta_i re in + let zeta_i:usize = tmp0 in + let re:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & t_Array u8 (sz 32)) = 
ntt_at_layer_0_ zeta_i re in + let zeta_i:usize = tmp0 in + let re:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + re diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti new file mode 100644 index 000000000..2b4b65ff5 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Ntt.fsti 
@@ -0,0 +1,39 @@ +module Libcrux_ml_dsa.Simd.Avx2.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let butterfly_2___SHUFFLE: i32 = 216l + +val butterfly_2_ (a b: u8) (zeta_a0 zeta_a1 zeta_a2 zeta_a3 zeta_b0 zeta_b1 zeta_b2 zeta_b3: i32) + : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) + +val butterfly_4_ (a b: u8) (zeta_a0 zeta_a1 zeta_b0 zeta_b1: i32) + : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) + +val butterfly_8_ (a b: u8) (zeta0 zeta1: i32) + : Prims.Pure (u8 & u8) Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_0_ (simd_unit: u8) (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_1_ (simd_unit: u8) (zeta0 zeta1: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_2_ (simd_unit: u8) (zeta: i32) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_3_plus (v_LAYER zeta_i: usize) (re: t_Array u8 (sz 32)) + : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_0_ (zeta_i: usize) (re: t_Array u8 (sz 32)) + : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_1_ (zeta_i: usize) (re: t_Array u8 (sz 32)) + : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt_at_layer_2_ (zeta_i: usize) (re: t_Array u8 (sz 32)) + : Prims.Pure (usize & t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val ntt (re: t_Array u8 (sz 32)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst new file mode 100644 index 000000000..51c69e1a1 --- /dev/null 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fst 
@@ -0,0 +1,137 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let shift_interval (v_ETA: usize) (coefficients: u8) = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> + let quotient:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 26l <: u8) + in + let quotient:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 7l quotient in + let quotient:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 quotient + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 5l <: u8) + in + let coefficients_mod_5_:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 coefficients quotient + in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + (cast (v_ETA <: usize) <: i32) + <: + u8) + coefficients_mod_5_ + | 4uy -> + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + (cast (v_ETA <: usize) <: i32) + <: + u8) + coefficients + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) = + let potential_coefficients:u8 = + Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize_to_unsigned (sz 4) input + in + let (interval_boundary: i32):i32 = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> 15l + | 4uy -> 9l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let compare_with_interval_boundary:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 + interval_boundary + <: + u8) + potential_coefficients + in + let good:i32 = + Libcrux_intrinsics.Avx2_extract.mm256_movemask_ps 
(Libcrux_intrinsics.Avx2_extract.mm256_castsi256_ps + compare_with_interval_boundary + <: + u8) + in + let good_lower_half:i32 = good &. 15l in + let good_upper_half:i32 = good >>! 4l in + let shifted:u8 = shift_interval v_ETA potential_coefficients in + let lower_shuffles:t_Array u8 (sz 16) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_lower_half + <: + i32) + <: + usize ] + in + let lower_shuffles:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (lower_shuffles <: t_Slice u8) + in + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 shifted in + let lower_coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients lower_shuffles + in + let output:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range output + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 4 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + lower_coefficients + <: + t_Slice i32) + in + let sampled_count:usize = cast (Core.Num.impl__i32__count_ones good_lower_half <: u32) <: usize in + let upper_shuffles:t_Array u8 (sz 16) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_upper_half + <: + i32) + <: + usize ] + in + let upper_shuffles:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8) + in + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l shifted in + let upper_coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles + in + let output:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range output + ({ + Core.Ops.Range.f_start = sampled_count; + Core.Ops.Range.f_end = sampled_count +! 
sz 4 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { + Core.Ops.Range.f_start = sampled_count; + Core.Ops.Range.f_end = sampled_count +! sz 4 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + upper_coefficients + <: + t_Slice i32) + in + let hax_temp_output:usize = + sampled_count +! (cast (Core.Num.impl__i32__count_ones good_upper_half <: u32) <: usize) + in + output, hax_temp_output <: (t_Slice i32 & usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti new file mode 100644 index 000000000..43361f3bb --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.fsti @@ -0,0 +1,10 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val shift_interval (v_ETA: usize) (coefficients: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val sample (v_ETA: usize) (input: t_Slice u8) (output: t_Slice i32) + : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst new file mode 100644 index 000000000..1ff5ab537 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fst 
@@ -0,0 +1,138 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let bytestream_to_potential_coefficients (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + match Core.Slice.impl__len #u8 serialized, sz 24 <: (usize & usize) with + | left_val, right_val -> Hax_lib.v_assert (left_val =. right_val <: bool) + in + () + in + let serialized_extended:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let serialized_extended:t_Array u8 (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range_to serialized_extended + ({ Core.Ops.Range.f_end = sz 24 } <: Core.Ops.Range.t_RangeTo usize) + (Core.Slice.impl__copy_from_slice #u8 + (serialized_extended.[ { Core.Ops.Range.f_end = sz 24 } <: Core.Ops.Range.t_RangeTo usize + ] + <: + t_Slice u8) + serialized + <: + t_Slice u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_u8 (serialized_extended <: t_Slice u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_permutevar8x32_epi32 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 0l 5l 4l 3l 0l 2l 1l 0l <: u8) + in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 (-1y) 11y 10y 9y (-1y) 8y 7y 6y (-1y) 5y 4y 3y + (-1y) 2y 1y 0y (-1y) 11y 10y 9y (-1y) 8y 7y 6y (-1y) 5y 4y 3y (-1y) 2y 1y 0y + <: + u8) + in + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 bytestream_to_potential_coefficients__COEFFICIENT_MASK + + <: + u8) + +let sample (input: t_Slice u8) (output: t_Slice i32) = + let field_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + in + let potential_coefficients:u8 = bytestream_to_potential_coefficients input in + let 
compare_with_field_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi32 field_modulus potential_coefficients + in + let good:i32 = + Libcrux_intrinsics.Avx2_extract.mm256_movemask_ps (Libcrux_intrinsics.Avx2_extract.mm256_castsi256_ps + compare_with_field_modulus + <: + u8) + in + let good_lower_half:i32 = good &. 15l in + let good_upper_half:i32 = good >>! 4l in + let lower_shuffles:t_Array u8 (sz 16) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_lower_half + <: + i32) + <: + usize ] + in + let lower_shuffles:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (lower_shuffles <: t_Slice u8) + in + let lower_coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 potential_coefficients + in + let lower_coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients lower_shuffles + in + let output:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range output + ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 4 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + lower_coefficients + <: + t_Slice i32) + in + let sampled_count:usize = cast (Core.Num.impl__i32__count_ones good_lower_half <: u32) <: usize in + let upper_shuffles:t_Array u8 (sz 16) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.v_SHUFFLE_TABLE.[ cast (good_upper_half + <: + i32) + <: + usize ] + in + let upper_shuffles:u8 = + Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8) + in + let upper_coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l potential_coefficients + in + let upper_coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles + in + let output:t_Slice i32 = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_range output + ({ + Core.Ops.Range.f_start = sampled_count; + Core.Ops.Range.f_end = sampled_count +! sz 4 <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Libcrux_intrinsics.Avx2_extract.mm_storeu_si128_i32 (output.[ { + Core.Ops.Range.f_start = sampled_count; + Core.Ops.Range.f_end = sampled_count +! sz 4 <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + upper_coefficients + <: + t_Slice i32) + in + let hax_temp_output:usize = + sampled_count +! (cast (Core.Num.impl__i32__count_ones good_upper_half <: u32) <: usize) + in + output, hax_temp_output <: (t_Slice i32 & usize) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti new file mode 100644 index 000000000..185397a4b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.fsti @@ -0,0 +1,12 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let bytestream_to_potential_coefficients__COEFFICIENT_MASK: i32 = (1l < Prims.l_True) + +val sample (input: t_Slice u8) (output: t_Slice i32) + : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fst new file mode 100644 index 000000000..97a40a5a5 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fst 
@@ -0,0 +1,107 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let is_bit_set (number: usize) (bit_position: u8) = + ((number &. (sz 1 <>! bit_position <: usize) =. sz 1 + +let generate_shuffle_table (_: Prims.unit) = + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 255uy (sz 16) <: t_Array u8 (sz 16)) + (sz 16) + in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 1 < + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = byte_shuffles in + let _:usize = temp_1_ in + true) + byte_shuffles + (fun byte_shuffles bit_pattern -> + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = byte_shuffles in + let bit_pattern:usize = bit_pattern in + let byte_shuffles_index:usize = sz 0 in + let byte_shuffles, byte_shuffles_index:(t_Array (t_Array u8 (sz 16)) (sz 16) & usize) = + Rust_primitives.Hax.Folds.fold_range 0uy + 4uy + (fun temp_0_ temp_1_ -> + let byte_shuffles, byte_shuffles_index:(t_Array (t_Array u8 (sz 16)) (sz 16) & + usize) = + temp_0_ + in + let _:u8 = temp_1_ in + true) + (byte_shuffles, byte_shuffles_index <: (t_Array (t_Array u8 (sz 16)) (sz 16) & usize)) + (fun temp_0_ bit_position -> + let byte_shuffles, byte_shuffles_index:(t_Array (t_Array u8 (sz 16)) (sz 16) & + usize) = + temp_0_ + in + let bit_position:u8 = bit_position in + if is_bit_set bit_pattern bit_position <: bool + then + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles + bit_pattern + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ + bit_pattern ] + <: + t_Array u8 (sz 16)) + byte_shuffles_index + (bit_position *! 4uy <: u8) + <: + t_Array u8 (sz 16)) + in + let byte_shuffles_index:usize = byte_shuffles_index +! 
sz 1 in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles + bit_pattern + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ + bit_pattern ] + <: + t_Array u8 (sz 16)) + byte_shuffles_index + ((bit_position *! 4uy <: u8) +! 1uy <: u8) + <: + t_Array u8 (sz 16)) + in + let byte_shuffles_index:usize = byte_shuffles_index +! sz 1 in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles + bit_pattern + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ + bit_pattern ] + <: + t_Array u8 (sz 16)) + byte_shuffles_index + ((bit_position *! 4uy <: u8) +! 2uy <: u8) + <: + t_Array u8 (sz 16)) + in + let byte_shuffles_index:usize = byte_shuffles_index +! sz 1 in + let byte_shuffles:t_Array (t_Array u8 (sz 16)) (sz 16) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize byte_shuffles + bit_pattern + (Rust_primitives.Hax.Monomorphized_update_at.update_at_usize (byte_shuffles.[ + bit_pattern ] + <: + t_Array u8 (sz 16)) + byte_shuffles_index + ((bit_position *! 4uy <: u8) +! 3uy <: u8) + <: + t_Array u8 (sz 16)) + in + let byte_shuffles_index:usize = byte_shuffles_index +! sz 1 in + byte_shuffles, byte_shuffles_index + <: + (t_Array (t_Array u8 (sz 16)) (sz 16) & usize) + else + byte_shuffles, byte_shuffles_index + <: + (t_Array (t_Array u8 (sz 16)) (sz 16) & usize)) + in + byte_shuffles) + in + byte_shuffles diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fsti new file mode 100644 index 000000000..9586d3a7b --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table.fsti 
@@ -0,0 +1,140 @@ +module Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Shuffle_table +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_SHUFFLE_TABLE: t_Array (t_Array u8 (sz 16)) (sz 16) = + let list = + [ + (let list = + [ + 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + 
[0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 255uy; 255uy; 255uy; 255uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; 255uy; 255uy; 255uy; + 255uy; 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 0uy; 1uy; 2uy; 3uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + (let list = + [ + 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 11uy; 12uy; 13uy; 14uy; 15uy; 255uy; 255uy; 255uy; + 255uy + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list); + let list = + [0uy; 1uy; 2uy; 3uy; 4uy; 5uy; 6uy; 7uy; 8uy; 9uy; 10uy; 
11uy; 12uy; 13uy; 14uy; 15uy] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); + Rust_primitives.Hax.array_of_list 16 list + +val is_bit_set (number: usize) (bit_position: u8) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val generate_shuffle_table: Prims.unit + -> Prims.Pure (t_Array (t_Array u8 (sz 16)) (sz 16)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst new file mode 100644 index 000000000..e220b31db --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fst @@ -0,0 +1,23 @@ +module Libcrux_ml_dsa.Simd.Avx2.Vector_type +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_ZERO (_: Prims.unit) = + Core.Convert.f_into #u8 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () <: u8) + +let from_coefficient_array (coefficient_array: t_Slice i32) = + Core.Convert.f_into #u8 + #t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i32 coefficient_array <: u8) + +let to_coefficient_array (x: t_AVX2SIMDUnit) = + let coefficient_array:t_Array i32 (sz 8) = Rust_primitives.Hax.repeat 0l (sz 8) in + let coefficient_array:t_Array i32 (sz 8) = + Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i32 coefficient_array x.f_coefficients + in + coefficient_array diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti new file mode 100644 index 000000000..052da1273 --- /dev/null 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.Vector_type.fsti @@ -0,0 +1,22 @@ +module Libcrux_ml_dsa.Simd.Avx2.Vector_type +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +type t_AVX2SIMDUnit = { f_coefficients:u8 } + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Core.Convert.t_From t_AVX2SIMDUnit u8 = + { + f_from_pre = (fun (coefficients: u8) -> true); + f_from_post = (fun (coefficients: u8) (out: t_AVX2SIMDUnit) -> true); + f_from = fun (coefficients: u8) -> { f_coefficients = coefficients } <: t_AVX2SIMDUnit + } + +val v_ZERO: Prims.unit -> Prims.Pure t_AVX2SIMDUnit Prims.l_True (fun _ -> Prims.l_True) + +val from_coefficient_array (coefficient_array: t_Slice i32) + : Prims.Pure t_AVX2SIMDUnit Prims.l_True (fun _ -> Prims.l_True) + +val to_coefficient_array (x: t_AVX2SIMDUnit) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti new file mode 100644 index 000000000..46926e5bb --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Avx2.fsti 
@@ -0,0 +1,636 @@ +module Libcrux_ml_dsa.Simd.Avx2 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Avx2.Vector_type in + () + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations +Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = + { + _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; + _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; + f_ZERO_pre = (fun (_: Prims.unit) -> true); + f_ZERO_post + = + (fun (_: Prims.unit) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); + f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Avx2.Vector_type.v_ZERO ()); + f_from_coefficient_array_pre = (fun (coefficient_array: t_Slice i32) -> true); + f_from_coefficient_array_post + = + (fun + (coefficient_array: t_Slice i32) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_from_coefficient_array + = + (fun (coefficient_array: t_Slice i32) -> + Libcrux_ml_dsa.Simd.Avx2.Vector_type.from_coefficient_array coefficient_array); + f_to_coefficient_array_pre + = + (fun (self: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); + f_to_coefficient_array_post + = + (fun (self: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (out: t_Array i32 (sz 8)) -> + true); + f_to_coefficient_array + = + (fun (self: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Vector_type.to_coefficient_array self); + f_add_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_add_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: 
Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_add + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.add lhs + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + <: + u8)); + f_subtract_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_subtract_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_subtract + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.subtract lhs + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + <: + u8)); + f_montgomery_multiply_by_constant_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (constant: i32) -> true); + f_montgomery_multiply_by_constant_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (constant: i32) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_montgomery_multiply_by_constant + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (constant: i32) -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + 
(Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply_by_constant simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + constant + <: + u8)); + f_montgomery_multiply_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_montgomery_multiply_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_montgomery_multiply + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.montgomery_multiply lhs + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + rhs.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + <: + u8)); + f_shift_left_then_reduce_pre + = + (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); + f_shift_left_then_reduce_post + = + (fun + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_shift_left_then_reduce + = + (fun (v_SHIFT_BY: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.shift_left_then_reduce v_SHIFT_BY + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + <: + u8)); + f_power2round_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); + f_power2round_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: + 
(Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)) + -> + true); + f_power2round + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + let lower, upper:(u8 & u8) = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.power2round simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + in + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + lower, + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + upper + <: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)); + f_infinity_norm_exceeds_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (bound: i32) -> true); + f_infinity_norm_exceeds_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (bound: i32) + (out: bool) + -> + true); + f_infinity_norm_exceeds + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (bound: i32) -> + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.infinity_norm_exceeds simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + bound); + f_decompose_pre + = + (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); + f_decompose_post + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)) + -> + true); + f_decompose + = + (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + let lower, upper:(u8 & u8) = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.decompose v_GAMMA2 + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + in + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + 
#FStar.Tactics.Typeclasses.solve + lower, + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + upper + <: + (Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit & + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)); + f_compute_hint_pre + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_compute_hint_post + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: (usize & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)) + -> + true); + f_compute_hint + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (high: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + let count, hint:(usize & u8) = + Libcrux_ml_dsa.Simd.Avx2.Arithmetic.compute_hint v_GAMMA2 + low.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + high.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + in + count, + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + hint + <: + (usize & Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)); + f_use_hint_pre + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_use_hint_post + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_use_hint + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + Core.Convert.f_into #u8 + 
#Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Arithmetic.use_hint v_GAMMA2 + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + hint.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + <: + u8)); + f_rejection_sample_less_than_field_modulus_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_field_modulus_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_field_modulus + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_field_modulus.sample randomness out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_2_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_2_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_2_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 2) randomness out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_4_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_4_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_4_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Avx2.Rejection_sample.Less_than_eta.sample (sz 4) randomness out 
+ in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_gamma1_serialize_pre + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + true); + f_gamma1_serialize_post + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> + true); + f_gamma1_serialize + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.serialize v_OUTPUT_SIZE + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); + f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); + f_gamma1_deserialize_post + = + (fun + (v_GAMMA1_EXPONENT: usize) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_gamma1_deserialize + = + (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized <: u8)); + f_commitment_serialize_pre + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + true); + f_commitment_serialize_post + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> + true); + f_commitment_serialize + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.Commitment.serialize v_OUTPUT_SIZE + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); + f_error_serialize_pre + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + true); + 
f_error_serialize_post + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> + true); + f_error_serialize + = + (fun (v_OUTPUT_SIZE: usize) (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.serialize v_OUTPUT_SIZE + simd_unit.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); + f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); + f_error_deserialize_post + = + (fun + (v_ETA: usize) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_error_deserialize + = + (fun (v_ETA: usize) (serialized: t_Slice u8) -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Encoding.Error.deserialize v_ETA serialized <: u8)); + f_t0_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); + f_t0_serialize_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array u8 (sz 13)) + -> + true); + f_t0_serialize + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.serialize simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); + f_t0_deserialize_pre = (fun (serialized: t_Slice u8) -> true); + f_t0_deserialize_post + = + (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true + ); + f_t0_deserialize + = + (fun (serialized: t_Slice u8) -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Encoding.T0.deserialize serialized <: u8)); + f_t1_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true); + f_t1_serialize_post + = + (fun + (simd_unit: 
Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (out: t_Array u8 (sz 10)) + -> + true); + f_t1_serialize + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> + Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.serialize simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients); + f_t1_deserialize_pre = (fun (serialized: t_Slice u8) -> true); + f_t1_deserialize_post + = + (fun (serialized: t_Slice u8) (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) -> true + ); + f_t1_deserialize + = + (fun (serialized: t_Slice u8) -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Encoding.T1.deserialize serialized <: u8)); + f_ntt_pre + = + (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) -> true); + f_ntt_post + = + (fun + (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) + (out: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) + -> + true); + f_ntt + = + (fun (simd_units: t_Array Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit (sz 32)) -> + let result:t_Array u8 (sz 32) = + Libcrux_ml_dsa.Simd.Avx2.Ntt.ntt (Core.Array.impl_23__map #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + (sz 32) + #u8 + simd_units + (fun x -> + let x:Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit = x in + x.Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients) + <: + t_Array u8 (sz 32)) + in + Core.Array.impl_23__map #u8 + (sz 32) + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + result + (fun x -> + let x:u8 = x in + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + x + <: + Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit)); + f_invert_ntt_at_layer_0_pre + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + 
-> + true); + f_invert_ntt_at_layer_0_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_invert_ntt_at_layer_0_ + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_0_ simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + zeta0 + zeta1 + zeta2 + zeta3 + <: + u8)); + f_invert_ntt_at_layer_1_pre + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + -> + true); + f_invert_ntt_at_layer_1_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_invert_ntt_at_layer_1_ + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta0: i32) + (zeta1: i32) + -> + Core.Convert.f_into #u8 + #Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_1_ simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + zeta0 + zeta1 + <: + u8)); + f_invert_ntt_at_layer_2_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (zeta: i32) -> true); + f_invert_ntt_at_layer_2_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + (zeta: i32) + (out: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) + -> + true); + f_invert_ntt_at_layer_2_ + = + fun (simd_unit: Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit) (zeta: i32) -> + Core.Convert.f_into #u8 + 
#Libcrux_ml_dsa.Simd.Avx2.Vector_type.t_AVX2SIMDUnit + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_dsa.Simd.Avx2.Ntt.invert_ntt_at_layer_2_ simd_unit + .Libcrux_ml_dsa.Simd.Avx2.Vector_type.f_coefficients + zeta + <: + u8) + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst new file mode 100644 index 000000000..b8a8a4b00 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fst 
@@ -0,0 +1,608 @@ +module Libcrux_ml_dsa.Simd.Portable.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let compute_one_hint (v_GAMMA2 low high: i32) = + if + low >. v_GAMMA2 || low <. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) || + low =. (Core.Ops.Arith.Neg.neg v_GAMMA2 <: i32) && high <>. 0l + then 1l + else 0l + +let get_n_least_significant_bits (n: u8) (value: u64) = value &. ((1uL <>! 23l in + fe -! (quotient *! Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + +let montgomery_reduce_element (value: i64) = + let t:u64 = + (get_n_least_significant_bits v_MONTGOMERY_SHIFT (cast (value <: i64) <: u64) <: u64) *! + Libcrux_ml_dsa.Simd.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R + in + let k:i32 = cast (get_n_least_significant_bits v_MONTGOMERY_SHIFT t <: u64) <: i32 in + let k_times_modulus:i64 = + (cast (k <: i32) <: i64) *! (cast (Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) <: i64) + in + let c:i32 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in + let value_high:i32 = cast (value >>! v_MONTGOMERY_SHIFT <: i64) <: i32 in + value_high -! c + +let montgomery_multiply_fe_by_fer (fe fer: i32) = + montgomery_reduce_element ((cast (fe <: i32) <: i64) *! (cast (fer <: i32) <: i64) <: i64) + +let decompose_element (v_GAMMA2 r: i32) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((r >. + (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (r <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + in + () + in + let r:i32 = r +! ((r >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in + let v_ALPHA:i32 = v_GAMMA2 *! 2l in + let ceil_of_r_by_128_:i32 = (r +! 127l <: i32) >>! 7l in + let r1:i32 = + match v_ALPHA with + | 190464l -> + let result:i32 = + ((ceil_of_r_by_128_ *! 11275l <: i32) +! (1l <>! 24l + in + (result ^. ((43l -! result <: i32) >>! 31l <: i32) <: i32) &. 
result + | 523776l -> + let result:i32 = + ((ceil_of_r_by_128_ *! 1025l <: i32) +! (1l <>! 22l + in + result &. 15l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + in + let r0:i32 = r -! (r1 *! v_ALPHA <: i32) in + let r0:i32 = + r0 -! + (((((Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS -! 1l <: i32) /! 2l <: i32) -! r0 <: i32) >>! + 31l + <: + i32) &. + Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS + <: + i32) + in + r0, r1 <: (i32 & i32) + +let infinity_norm_exceeds + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (bound: i32) + = + let exceeds:bool = false in + let exceeds:bool = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Array.Iter.t_IntoIter + i32 (sz 8)) + #FStar.Tactics.Typeclasses.solve + (Core.Iter.Traits.Collect.f_into_iter #(t_Array i32 (sz 8)) + #FStar.Tactics.Typeclasses.solve + simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + <: + Core.Array.Iter.t_IntoIter i32 (sz 8)) + <: + Core.Array.Iter.t_IntoIter i32 (sz 8)) + exceeds + (fun exceeds coefficient -> + let exceeds:bool = exceeds in + let coefficient:i32 = coefficient in + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((coefficient >. + (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (coefficient <. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + in + () + in + let sign:i32 = coefficient >>! 31l in + let normalized:i32 = coefficient -! (sign &. (2l *! coefficient <: i32) <: i32) in + let exceeds:bool = exceeds || normalized >=. bound in + exceeds) + in + exceeds + +let power2round_element (t: i32) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((t >. + (Core.Ops.Arith.Neg.neg Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) + <: + bool) && + (t <. 
Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: bool)) + in + () + in + let t:i32 = t +! ((t >>! 31l <: i32) &. Libcrux_ml_dsa.Simd.Traits.v_FIELD_MODULUS <: i32) in + let t1:i32 = + ((t -! 1l <: i32) +! + (1l <>! + Libcrux_ml_dsa.Constants.v_BITS_IN_LOWER_PART_OF_T + in + let t0:i32 = t -! (t1 < + if r0 >. 0l + then if r1 =. 43l then 0l else r1 +! hint + else if r1 =. 0l then 43l else r1 -! hint + | 261888l -> if r0 >. 0l then (r1 +! hint <: i32) &. 15l else (r1 -! hint <: i32) &. 15l + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + Rust_primitives.Hax.Folds.fold_enumerated_slice simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (fun temp_0_ temp_1_ -> + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (t0_simd_unit, t1_simd_unit + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + (fun temp_0_ temp_1_ -> + let t0_simd_unit, t1_simd_unit:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let i, t:(usize & i32) = temp_1_ in + let t0, t1:(i32 & i32) = power2round_element t in + let 
t0_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + t0_simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t0_simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + t0 + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t1_simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + t1_simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize t1_simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + t1 + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + t0_simd_unit, t1_simd_unit + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + in + t0_simd_unit, t1_simd_unit + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + +let add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (sum.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun sum temp_1_ -> + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in + let _:usize = temp_1_ in + true) + sum + (fun sum i -> + let sum:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = sum in + let i:usize = i in + { + sum with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sum + 
.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) +! + (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + sum + +let compute_hint + (v_GAMMA2: i32) + (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let one_hints_count:usize = sz 0 in + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun temp_0_ temp_1_ -> + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (hint, one_hints_count + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) + (fun temp_0_ i -> + let hint, one_hints_count:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + usize) = + temp_0_ + in + let i:usize = i in + let hint:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + hint with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize hint + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (compute_one_hint v_GAMMA2 + (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + (high.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let one_hints_count:usize = + one_hints_count +! 
+ (cast (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + usize) + in + hint, one_hints_count + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & usize)) + in + one_hints_count, hint <: (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + +let decompose + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (low.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun temp_0_ temp_1_ -> + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (high, low + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + (fun temp_0_ i -> + let high, low:(Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + temp_0_ + in + let i:usize = i in + let low_part, high_part:(i32 & i32) = + decompose_element v_GAMMA2 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + in + let low:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + low with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize low + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + 
low_part + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let high:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + high with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize high + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + high_part + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + high, low + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + in + low, high + <: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + +let montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) = + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (product.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun product temp_1_ -> + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in + let _:usize = temp_1_ in + true) + product + (fun product i -> + let product:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = product in + let i:usize = i in + { + product with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize product + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (montgomery_reduce_element ((cast (lhs + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] + <: + i32) + <: + i64) *! 
+ (cast (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i64) + <: + i64) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + product + +let montgomery_multiply_by_constant + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (c: i32) + = + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit i -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i:usize = i in + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (montgomery_reduce_element ((cast (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] + <: + i32) + <: + i64) *! 
+ (cast (c <: i32) <: i64) + <: + i64) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + simd_unit + +let shift_left_then_reduce + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun out temp_1_ -> + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in + let _:usize = temp_1_ in + true) + out + (fun out i -> + let out:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = out in + let i:usize = i in + { + out with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (reduce_element ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i + ] + <: + i32) < + let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in + let _:usize = temp_1_ in + true) + difference + (fun difference i -> + let difference:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = difference in + let i:usize = i in + { + difference with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize difference + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + ((lhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) -! 
+ (rhs.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + difference + +let use_hint + (v_GAMMA2: i32) + (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #i32 + (result.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + <: + usize) + (fun result temp_1_ -> + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = result in + let i:usize = i in + { + result with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + i + (use_one_hint v_GAMMA2 + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + (hint.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ i ] <: i32) + <: + i32) + <: + t_Array i32 (sz 8) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + result diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti new file mode 100644 index 000000000..2a50db3ec --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Arithmetic.fsti 
@@ -0,0 +1,89 @@ +module Libcrux_ml_dsa.Simd.Portable.Arithmetic +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let v_MONTGOMERY_SHIFT: u8 = 32uy + +val compute_one_hint (v_GAMMA2 low high: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val get_n_least_significant_bits (n: u8) (value: u64) + : Prims.Pure u64 Prims.l_True (fun _ -> Prims.l_True) + +val reduce_element (fe: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_reduce_element (value: i64) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val montgomery_multiply_fe_by_fer (fe fer: i32) + : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val decompose_element (v_GAMMA2 r: i32) + : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) + +val infinity_norm_exceeds + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (bound: i32) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + +val power2round_element (t: i32) : Prims.Pure (i32 & i32) Prims.l_True (fun _ -> Prims.l_True) + +val use_one_hint (v_GAMMA2 r hint: i32) : Prims.Pure i32 Prims.l_True (fun _ -> Prims.l_True) + +val power2round (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val add (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val compute_hint + (v_GAMMA2: i32) + (low high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val decompose + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : 
Prims.Pure + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + Prims.l_True + (fun _ -> Prims.l_True) + +val montgomery_multiply (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val montgomery_multiply_by_constant + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (c: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val shift_left_then_reduce + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val subtract (lhs rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val use_hint + (v_GAMMA2: i32) + (simd_unit hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst new file mode 100644 index 000000000..ff1788cd5 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fst 
@@ -0,0 +1,72 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 4uy -> + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in + let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + i + ((coefficient1 < + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:u8 = cast (coefficients.[ sz 0 ] <: i32) <: u8 in + let coefficient1:u8 = cast (coefficients.[ sz 1 ] <: i32) <: u8 in + let coefficient2:u8 = cast (coefficients.[ sz 2 ] <: i32) <: u8 in + let coefficient3:u8 = cast (coefficients.[ sz 3 ] <: i32) <: u8 in + let serialized:t_Array u8 v_OUTPUT_SIZE = + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 3 *! i <: usize) + ((coefficient1 <>! 2l <: u8) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 3 *! i <: usize) +! sz 2 <: usize) + ((coefficient3 <>! 4l <: u8) <: u8) + in + serialized) + in + serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti new file mode 100644 index 000000000..cc50ef52c --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.fsti @@ -0,0 +1,9 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst new file mode 100644 index 000000000..a91008218 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fst 
@@ -0,0 +1,332 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let serialize_when_eta_is_2_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let coefficient0:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient1:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient2:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient3:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient4:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient5:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient6:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + <: + i32) + <: + u8 + in + let coefficient7:u8 = + cast (serialize_when_eta_is_2___ETA -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + <: + u8 + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 0) + (((coefficient2 <>! 
2l <: u8) + <: + u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 2) + (((coefficient7 <>! 1l <: u8) + <: + u8) + in + serialized + +let deserialize_when_eta_is_2_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 3 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + (deserialize_when_eta_is_2___ETA -! (byte0 &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + (deserialize_when_eta_is_2___ETA -! ((byte0 >>! 3l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + (deserialize_when_eta_is_2___ETA -! 
+ (((byte0 >>! 6l <: i32) |. (byte1 <>! 1l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + (deserialize_when_eta_is_2___ETA -! ((byte1 >>! 4l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + (deserialize_when_eta_is_2___ETA -! + (((byte1 >>! 7l <: i32) |. (byte2 <>! 2l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (deserialize_when_eta_is_2___ETA -! ((byte2 >>! 5l <: i32) &. 7l <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let deserialize_when_eta_is_4_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. 
sz 4 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_enumerated_slice serialized + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, byte:(usize & u8) = temp_1_ in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2 *! i <: usize) + (deserialize_when_eta_is_4___ETA -! (cast (byte &. 15uy <: u8) <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + ((sz 2 *! i <: usize) +! sz 1 <: usize) + (deserialize_when_eta_is_4___ETA -! (cast (byte >>! 
4l <: u8) <: i32) <: i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit) + in + simd_unit + +let deserialize (v_ETA: usize) (serialized: t_Slice u8) = + match cast (v_ETA <: usize) <: u8 with + | 2uy -> deserialize_when_eta_is_2_ serialized + | 4uy -> deserialize_when_eta_is_4_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let serialize_when_eta_is_4_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:u8 = + cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 0 ] <: i32) <: i32) <: u8 + in + let coefficient1:u8 = + cast (serialize_when_eta_is_4___ETA -! (coefficients.[ sz 1 ] <: i32) <: i32) <: u8 + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + i + ((coefficient1 < serialize_when_eta_is_2_ v_OUTPUT_SIZE simd_unit + | 4uy -> serialize_when_eta_is_4_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti new file mode 100644 index 000000000..e973dc734 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Error.fsti @@ -0,0 +1,42 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Error +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_when_eta_is_2___ETA: i32 = 2l + +let deserialize_when_eta_is_4___ETA: i32 = 4l + +let serialize_when_eta_is_2___ETA: i32 = 2l + +let serialize_when_eta_is_4___ETA: i32 = 4l + +val serialize_when_eta_is_2_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val deserialize_when_eta_is_2_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize_when_eta_is_4_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize (v_ETA: usize) (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize_when_eta_is_4_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst new file mode 100644 index 000000000..ca1f48e87 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fst 
@@ -0,0 +1,376 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_when_gamma1_is_2_pow_17_ (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 18 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 9) + serialized + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let coefficient0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let coefficient0:i32 = + coefficient0 |. ((cast (bytes.[ sz 1 ] <: u8) <: i32) <>! 2l in + let coefficient1:i32 = + coefficient1 |. ((cast (bytes.[ sz 3 ] <: u8) <: i32) <>! 4l in + let coefficient2:i32 = + coefficient2 |. ((cast (bytes.[ sz 5 ] <: u8) <: i32) <>! 6l in + let coefficient3:i32 = + coefficient3 |. ((cast (bytes.[ sz 7 ] <: u8) <: i32) < + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let coefficient0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let coefficient0:i32 = + coefficient0 |. ((cast (bytes.[ sz 1 ] <: u8) <: i32) <>! 4l in + let coefficient1:i32 = + coefficient1 |. 
((cast (bytes.[ sz 3 ] <: u8) <: i32) < deserialize_when_gamma1_is_2_pow_17_ serialized + | 19uy -> deserialize_when_gamma1_is_2_pow_19_ serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) + +let serialize_when_gamma1_is_2_pow_17_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 0 ] <: i32) + in + let coefficient1:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 1 ] <: i32) + in + let coefficient2:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 2 ] <: i32) + in + let coefficient3:i32 = + serialize_when_gamma1_is_2_pow_17___GAMMA1 -! (coefficients.[ sz 3 ] <: i32) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 9 *! i <: usize) + (cast (coefficient0 <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 1 <: usize) + (cast (coefficient0 >>! 8l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! 
sz 2 <: usize) + (cast (coefficient0 >>! 16l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 2 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 2 <: usize ] <: u8) |. + (cast (coefficient1 <>! 6l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 4 <: usize) + (cast (coefficient1 >>! 14l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 4 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 4 <: usize ] <: u8) |. + (cast (coefficient2 <>! 4l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 6 <: usize) + (cast (coefficient2 >>! 12l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 6 <: usize) + ((serialized.[ (sz 9 *! i <: usize) +! sz 6 <: usize ] <: u8) |. + (cast (coefficient3 <>! 2l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 9 *! i <: usize) +! sz 8 <: usize) + (cast (coefficient3 >>! 
10l <: i32) <: u8) + in + serialized) + in + serialized + +let serialize_when_gamma1_is_2_pow_19_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + let serialized:t_Array u8 v_OUTPUT_SIZE = Rust_primitives.Hax.repeat 0uy v_OUTPUT_SIZE in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 2) + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients <: t_Slice i32) + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 v_OUTPUT_SIZE = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let coefficient0:i32 = + serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 0 ] <: i32) + in + let coefficient1:i32 = + serialize_when_gamma1_is_2_pow_19___GAMMA1 -! (coefficients.[ sz 1 ] <: i32) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 5 *! i <: usize) + (cast (coefficient0 <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 1 <: usize) + (cast (coefficient0 >>! 8l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + (cast (coefficient0 >>! 16l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + ((serialized.[ (sz 5 *! i <: usize) +! sz 2 <: usize ] <: u8) |. + (cast (coefficient1 <>! 4l <: i32) <: u8) + in + let serialized:t_Array u8 v_OUTPUT_SIZE = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! 
i <: usize) +! sz 4 <: usize) + (cast (coefficient1 >>! 12l <: i32) <: u8) + in + serialized) + in + serialized + +let serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + = + match cast (v_OUTPUT_SIZE <: usize) <: u8 with + | 18uy -> serialize_when_gamma1_is_2_pow_17_ v_OUTPUT_SIZE simd_unit + | 20uy -> serialize_when_gamma1_is_2_pow_19_ v_OUTPUT_SIZE simd_unit + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti new file mode 100644 index 000000000..a22f485c1 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.fsti 
@@ -0,0 +1,48 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize_when_gamma1_is_2_pow_17___GAMMA1: i32 = 1l < Prims.l_True) + +val deserialize_when_gamma1_is_2_pow_19_ (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val deserialize (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize_when_gamma1_is_2_pow_17_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_when_gamma1_is_2_pow_19_ + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) + +val serialize + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 v_OUTPUT_SIZE) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst new file mode 100644 index 000000000..b9ecdb13c --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T0.fst 
@@ -0,0 +1,310 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.T0 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let change_t0_interval (t0: i32) = + (1l <>! 8l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 1) + ((serialized.[ sz 1 ] <: u8) |. (cast (coefficient1 <>! 3l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 3) + (cast (coefficient1 >>! 11l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 3) + ((serialized.[ sz 3 ] <: u8) |. (cast (coefficient2 <>! 6l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 4) + ((serialized.[ sz 4 ] <: u8) |. (cast (coefficient3 <>! 1l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 6) + (cast (coefficient3 >>! 9l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 6) + ((serialized.[ sz 6 ] <: u8) |. (cast (coefficient4 <>! 4l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 8) + (cast (coefficient4 >>! 12l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 8) + ((serialized.[ sz 8 ] <: u8) |. (cast (coefficient5 <>! 7l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 9) + ((serialized.[ sz 9 ] <: u8) |. (cast (coefficient6 <>! 
2l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 11) + (cast (coefficient6 >>! 10l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 13) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 11) + ((serialized.[ sz 11 ] <: u8) |. (cast (coefficient7 <>! 5l <: i32) <: u8) + in + serialized + +let deserialize (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 13 <: bool) + in + () + in + let byte0:i32 = cast (serialized.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (serialized.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (serialized.[ sz 2 ] <: u8) <: i32 in + let byte3:i32 = cast (serialized.[ sz 3 ] <: u8) <: i32 in + let byte4:i32 = cast (serialized.[ sz 4 ] <: u8) <: i32 in + let byte5:i32 = cast (serialized.[ sz 5 ] <: u8) <: i32 in + let byte6:i32 = cast (serialized.[ sz 6 ] <: u8) <: i32 in + let byte7:i32 = cast (serialized.[ sz 7 ] <: u8) <: i32 in + let byte8:i32 = cast (serialized.[ sz 8 ] <: u8) <: i32 in + let byte9:i32 = cast (serialized.[ sz 9 ] <: u8) <: i32 in + let byte10:i32 = cast (serialized.[ sz 10 ] <: u8) <: i32 in + let byte11:i32 = cast (serialized.[ sz 11 ] <: u8) <: i32 in + let byte12:i32 = cast (serialized.[ sz 12 ] <: u8) <: i32 in + let coefficient0:i32 = byte0 in + let coefficient0:i32 = coefficient0 |. (byte1 <>! 5l in + let coefficient1:i32 = coefficient1 |. (byte2 <>! 2l in + let coefficient2:i32 = coefficient2 |. (byte4 <>! 7l in + let coefficient3:i32 = coefficient3 |. (byte5 <>! 4l in + let coefficient4:i32 = coefficient4 |. (byte7 <>! 1l in + let coefficient5:i32 = coefficient5 |. (byte9 <>! 6l in + let coefficient6:i32 = coefficient6 |. (byte10 <>! 3l in + let coefficient7:i32 = coefficient7 |. 
(byte12 < Prims.l_True) + +let deserialize__BITS_IN_LOWER_PART_OF_T_MASK: i32 = + (1l < Prims.l_True) + +val deserialize (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst new file mode 100644 index 000000000..aab3acfcc --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fst 
@@ -0,0 +1,140 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let deserialize (serialized: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 serialized <: usize) =. sz 10 <: bool) + in + () + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO () + in + let mask:i32 = (1l < + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let _:usize = temp_1_ in + true) + simd_unit + (fun simd_unit temp_1_ -> + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = simd_unit in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let byte0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let byte1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in + let byte2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in + let byte3:i32 = cast (bytes.[ sz 3 ] <: u8) <: i32 in + let byte4:i32 = cast (bytes.[ sz 4 ] <: u8) <: i32 in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4 *! i <: usize) + ((byte0 |. (byte1 <>! 2l <: i32) |. (byte2 <>! 4l <: i32) |. (byte3 <>! 6l <: i32) |. (byte4 < + let serialized:t_Array u8 (sz 10) = serialized in + let _:usize = temp_1_ in + true) + serialized + (fun serialized temp_1_ -> + let serialized:t_Array u8 (sz 10) = serialized in + let i, coefficients:(usize & t_Slice i32) = temp_1_ in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + (sz 5 *! i <: usize) + (cast ((coefficients.[ sz 0 ] <: i32) &. 
255l <: i32) <: u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 1 <: usize) + (((cast ((coefficients.[ sz 1 ] <: i32) &. 63l <: i32) <: u8) <>! 8l <: i32) &. 3l <: i32) <: u8) + <: + u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 2 <: usize) + (((cast ((coefficients.[ sz 2 ] <: i32) &. 15l <: i32) <: u8) <>! 6l <: i32) &. 15l <: i32) <: u8) + <: + u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 3 <: usize) + (((cast ((coefficients.[ sz 3 ] <: i32) &. 3l <: i32) <: u8) <>! 4l <: i32) &. 63l <: i32) <: u8) + <: + u8) + in + let serialized:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize serialized + ((sz 5 *! i <: usize) +! sz 4 <: usize) + (cast (((coefficients.[ sz 3 ] <: i32) >>! 2l <: i32) &. 255l <: i32) <: u8) + in + serialized) + in + serialized diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti new file mode 100644 index 000000000..0d94a5f30 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Encoding.T1.fsti @@ -0,0 +1,12 @@ +module Libcrux_ml_dsa.Simd.Portable.Encoding.T1 +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val deserialize (serialized: t_Slice u8) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val serialize (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst new file mode 100644 index 000000000..47babb998 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fst 
@@ -0,0 +1,1213 @@ +module Libcrux_ml_dsa.Simd.Portable.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let invert_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta2 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta3 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let invert_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta0 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta1 + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let invert_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + = + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let a_minus_b:i32 = + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) -! + (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) +! 
+ (simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] <: i32) + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta <: i32 + ) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let simd_unit_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + = + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] + <: + i32) + zeta0 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] + <: + i32) + zeta1 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] + <: + i32) + zeta2 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] + <: + i32) + zeta3 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] <: i32) +! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let simd_unit_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta1 zeta2: i32) + = + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] + <: + i32) + zeta1 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] + <: + i32) + zeta1 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] + <: + i32) + zeta2 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] <: i32) +! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] + <: + i32) + zeta2 + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let simd_unit_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + = + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 4 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 4) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) -! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 0) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 0 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 5 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 5) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 1) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 1 ] <: i32) +! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 6 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 6) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) -! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 2) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 2 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let t:i32 = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_fe_by_fer (simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 7 ] + <: + i32) + zeta + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 7) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) -! 
t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + let simd_unit:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + simd_unit with + Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize simd_unit + .Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients + (sz 3) + ((simd_unit.Libcrux_ml_dsa.Simd.Portable.Vector_type.f_coefficients.[ sz 3 ] <: i32) +! t + <: + i32) + } + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + in + simd_unit + +let ntt_at_layer_0_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let zeta_i:usize = zeta_i +! sz 1 in + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & + usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let round:usize = round in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + round + (simd_unit_ntt_at_layer_0_ (re.[ round ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! 
sz 1 <: usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize ] + <: + i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ] + <: + i32) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let zeta_i:usize = zeta_i +! sz 4 in + re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + in + let zeta_i:usize = zeta_i -! sz 1 in + zeta_i, re + <: + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + +let ntt_at_layer_1_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let zeta_i:usize = zeta_i +! sz 1 in + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & + usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let round:usize = round in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + round + (simd_unit_ntt_at_layer_1_ (re.[ round ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! 
sz 1 <: usize ] + <: + i32) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let zeta_i:usize = zeta_i +! sz 2 in + re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + in + let zeta_i:usize = zeta_i -! sz 1 in + zeta_i, re + <: + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + +let ntt_at_layer_2_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & + usize) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (Core.Slice.impl__len #Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (re <: t_Slice Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + <: + usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i +! 
sz 1 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + round + (simd_unit_ntt_at_layer_2_ (re.[ round ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + zeta_i, re + <: + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + +let ntt_at_layer_3_plus + (v_LAYER zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + = + let step:usize = sz 1 <>! v_LAYER <: usize) + (fun temp_0_ temp_1_ -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let _:usize = temp_1_ in + true) + (re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + (fun temp_0_ round -> + let re, zeta_i:(t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + (sz 32) & + usize) = + temp_0_ + in + let round:usize = round in + let zeta_i:usize = zeta_i +! sz 1 in + let offset:usize = + ((round *! step <: usize) *! sz 2 <: usize) /! + Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT + in + let step_by:usize = step /! Libcrux_ml_dsa.Simd.Traits.v_COEFFICIENTS_IN_SIMD_UNIT in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = + Rust_primitives.Hax.Folds.fold_range offset + (offset +! 
step_by <: usize) + (fun re temp_1_ -> + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) + = + re + in + let _:usize = temp_1_ in + true) + re + (fun re j -> + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) + = + re + in + let j:usize = j in + let t:Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant (re.[ j +! + step_by + <: + usize ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (Libcrux_ml_dsa.Simd.Traits.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i32) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + (j +! step_by <: usize) + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract (re.[ j ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + j + (Libcrux_ml_dsa.Simd.Portable.Arithmetic.add (re.[ j ] + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + t + <: + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + in + re) + in + re, zeta_i + <: + (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) & usize)) + in + let hax_temp_output:Prims.unit = () <: Prims.unit in + zeta_i, re + <: + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + +let ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + let zeta_i:usize = sz 0 in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + ntt_at_layer_3_plus (sz 7) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + ntt_at_layer_3_plus (sz 6) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + ntt_at_layer_3_plus (sz 5) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + ntt_at_layer_3_plus (sz 4) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + ntt_at_layer_3_plus (sz 3) zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + ntt_at_layer_2_ zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) = + ntt_at_layer_1_ zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in + let _:Prims.unit = () in + let tmp0, tmp1:(usize & + t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) 
= + ntt_at_layer_0_ zeta_i re + in + let zeta_i:usize = tmp0 in + let re:t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32) = tmp1 in + let _:Prims.unit = () in + re
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti
new file mode 100644
index 000000000..abb1d13d4
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Ntt.fsti
@@ -0,0 +1,83 @@ +module Libcrux_ml_dsa.Simd.Portable.Ntt +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +val invert_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val invert_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_0_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0 zeta1 zeta2 zeta3: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_1_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta1 zeta2: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val simd_unit_ntt_at_layer_2_ + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + : Prims.Pure Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_0_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_1_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) 
+ : Prims.Pure + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_2_ + (zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt_at_layer_3_plus + (v_LAYER zeta_i: usize) + (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure + (usize & t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +val ntt (re: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + : Prims.Pure (t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst new file mode 100644 index 000000000..25f533de9 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Sample.fst 
@@ -0,0 +1,123 @@ +module Libcrux_ml_dsa.Simd.Portable.Sample +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let rejection_sample_less_than_eta_equals_2_ (randomness: t_Slice u8) (out: t_Slice i32) = + let sampled:usize = sz 0 in + let out, sampled:(t_Slice i32 & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) + #FStar.Tactics.Typeclasses.solve + randomness + <: + Core.Slice.Iter.t_Iter u8) + (out, sampled <: (t_Slice i32 & usize)) + (fun temp_0_ byte -> + let out, sampled:(t_Slice i32 & usize) = temp_0_ in + let byte:u8 = byte in + let try_0_:u8 = byte &. 15uy in + let try_1_:u8 = byte >>! 4l in + let out, sampled:(t_Slice i32 & usize) = + if try_0_ <. 15uy + then + let try_0_:i32 = cast (try_0_ <: u8) <: i32 in + let try_0_mod_5_:i32 = + try_0_ -! (((try_0_ *! 26l <: i32) >>! 7l <: i32) *! 5l <: i32) + in + let out:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + sampled + (2l -! try_0_mod_5_ <: i32) + in + let sampled:usize = sampled +! sz 1 in + out, sampled <: (t_Slice i32 & usize) + else out, sampled <: (t_Slice i32 & usize) + in + if try_1_ <. 15uy + then + let try_1_:i32 = cast (try_1_ <: u8) <: i32 in + let try_1_mod_5_:i32 = + try_1_ -! (((try_1_ *! 26l <: i32) >>! 7l <: i32) *! 5l <: i32) + in + let out:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + sampled + (2l -! try_1_mod_5_ <: i32) + in + let sampled:usize = sampled +! 
sz 1 in + out, sampled <: (t_Slice i32 & usize) + else out, sampled <: (t_Slice i32 & usize)) + in + let hax_temp_output:usize = sampled in + out, hax_temp_output <: (t_Slice i32 & usize) + +let rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Slice i32) = + let sampled:usize = sz 0 in + let out, sampled:(t_Slice i32 & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(t_Slice u8) + #FStar.Tactics.Typeclasses.solve + randomness + <: + Core.Slice.Iter.t_Iter u8) + (out, sampled <: (t_Slice i32 & usize)) + (fun temp_0_ byte -> + let out, sampled:(t_Slice i32 & usize) = temp_0_ in + let byte:u8 = byte in + let try_0_:u8 = byte &. 15uy in + let try_1_:u8 = byte >>! 4l in + let out, sampled:(t_Slice i32 & usize) = + if try_0_ <. 9uy + then + let out:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + sampled + (4l -! (cast (try_0_ <: u8) <: i32) <: i32) + in + let sampled:usize = sampled +! sz 1 in + out, sampled <: (t_Slice i32 & usize) + else out, sampled <: (t_Slice i32 & usize) + in + if try_1_ <. 9uy + then + let out:t_Slice i32 = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + sampled + (4l -! (cast (try_1_ <: u8) <: i32) <: i32) + in + let sampled:usize = sampled +! 
sz 1 in + out, sampled <: (t_Slice i32 & usize) + else out, sampled <: (t_Slice i32 & usize)) + in + let hax_temp_output:usize = sampled in + out, hax_temp_output <: (t_Slice i32 & usize) + +let rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (out: t_Slice i32) = + let sampled:usize = sz 0 in + let out, sampled:(t_Slice i32 & usize) = + Core.Iter.Traits.Iterator.f_fold (Core.Iter.Traits.Collect.f_into_iter #(Core.Slice.Iter.t_Chunks + u8) + #FStar.Tactics.Typeclasses.solve + (Core.Slice.impl__chunks #u8 randomness (sz 3) <: Core.Slice.Iter.t_Chunks u8) + <: + Core.Slice.Iter.t_Chunks u8) + (out, sampled <: (t_Slice i32 & usize)) + (fun temp_0_ bytes -> + let out, sampled:(t_Slice i32 & usize) = temp_0_ in + let bytes:t_Slice u8 = bytes in + let b0:i32 = cast (bytes.[ sz 0 ] <: u8) <: i32 in + let b1:i32 = cast (bytes.[ sz 1 ] <: u8) <: i32 in + let b2:i32 = cast (bytes.[ sz 2 ] <: u8) <: i32 in + let coefficient:i32 = + (((b2 < Prims.l_True) + +val rejection_sample_less_than_eta_equals_4_ (randomness: t_Slice u8) (out: t_Slice i32) + : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) + +val rejection_sample_less_than_field_modulus (randomness: t_Slice u8) (out: t_Slice i32) + : Prims.Pure (t_Slice i32 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst new file mode 100644 index 000000000..338234407 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fst 
@@ -0,0 +1,29 @@ +module Libcrux_ml_dsa.Simd.Portable.Vector_type +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let from_coefficient_array (array: t_Slice i32) = + { + f_coefficients + = + Core.Result.impl__unwrap #(t_Array i32 (sz 8)) + #Core.Array.t_TryFromSliceError + (Core.Convert.f_try_into #(t_Slice i32) + #(t_Array i32 (sz 8)) + #FStar.Tactics.Typeclasses.solve + (array.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i32) + <: + Core.Result.t_Result (t_Array i32 (sz 8)) Core.Array.t_TryFromSliceError) + } + <: + t_PortableSIMDUnit + +let to_coefficient_array (x: t_PortableSIMDUnit) = x.f_coefficients + +let v_ZERO (_: Prims.unit) = + { f_coefficients = Rust_primitives.Hax.repeat 0l (sz 8) } <: t_PortableSIMDUnit diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti new file mode 100644 index 000000000..0b3010e59 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.Vector_type.fsti @@ -0,0 +1,14 @@ +module Libcrux_ml_dsa.Simd.Portable.Vector_type +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +type t_PortableSIMDUnit = { f_coefficients:t_Array i32 (sz 8) } + +val from_coefficient_array (array: t_Slice i32) + : Prims.Pure t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) + +val to_coefficient_array (x: t_PortableSIMDUnit) + : Prims.Pure (t_Array i32 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + +val v_ZERO: Prims.unit -> Prims.Pure t_PortableSIMDUnit Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti new file mode 100644 index 000000000..4b05f75c3 --- /dev/null 
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Portable.fsti 
@@ -0,0 +1,532 @@ +module Libcrux_ml_dsa.Simd.Portable +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Portable.Vector_type in + () + +[@@ FStar.Tactics.Typeclasses.tcinstance] +let impl: Libcrux_ml_dsa.Simd.Traits.t_Operations +Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit = + { + _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; + _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; + f_ZERO_pre = (fun (_: Prims.unit) -> true); + f_ZERO_post + = + (fun (_: Prims.unit) (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); + f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_dsa.Simd.Portable.Vector_type.v_ZERO ()); + f_from_coefficient_array_pre = (fun (array: t_Slice i32) -> true); + f_from_coefficient_array_post + = + (fun (array: t_Slice i32) (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + true); + f_from_coefficient_array + = + (fun (array: t_Slice i32) -> + Libcrux_ml_dsa.Simd.Portable.Vector_type.from_coefficient_array array); + f_to_coefficient_array_pre + = + (fun (self: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); + f_to_coefficient_array_post + = + (fun + (self: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array i32 (sz 8)) + -> + true); + f_to_coefficient_array + = + (fun (self: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Vector_type.to_coefficient_array self); + f_add_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_add_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_add + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.add lhs rhs); + f_subtract_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_subtract_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_subtract + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.subtract lhs rhs); + f_montgomery_multiply_by_constant_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (c: i32) -> true); + f_montgomery_multiply_by_constant_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (c: i32) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_montgomery_multiply_by_constant + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (c: i32) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply_by_constant simd_unit c); + f_montgomery_multiply_pre + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_montgomery_multiply_post + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_montgomery_multiply + = + (fun + (lhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (rhs: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.montgomery_multiply lhs rhs); + f_shift_left_then_reduce_pre + = + (fun + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_shift_left_then_reduce_post + = + (fun + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_shift_left_then_reduce + = + (fun + (v_SHIFT_BY: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.shift_left_then_reduce v_SHIFT_BY simd_unit); + f_power2round_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); + f_power2round_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + -> + true); + f_power2round + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.power2round simd_unit); + f_infinity_norm_exceeds_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (bound: i32) -> + true); + f_infinity_norm_exceeds_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (bound: i32) + (out: bool) + -> + true); + f_infinity_norm_exceeds + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (bound: i32) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.infinity_norm_exceeds simd_unit bound); + f_decompose_pre + = + (fun 
(v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + true); + f_decompose_post + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: + (Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit & + Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + -> + true); + f_decompose + = + (fun (v_GAMMA2: i32) (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.decompose v_GAMMA2 simd_unit); + f_compute_hint_pre + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_compute_hint_post + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: (usize & Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit)) + -> + true); + f_compute_hint + = + (fun + (v_GAMMA2: i32) + (low: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (high: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Arithmetic.compute_hint v_GAMMA2 low high); + f_use_hint_pre + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_use_hint_post + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_use_hint + = + (fun + (v_GAMMA2: i32) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (hint: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + 
Libcrux_ml_dsa.Simd.Portable.Arithmetic.use_hint v_GAMMA2 simd_unit hint); + f_rejection_sample_less_than_field_modulus_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_field_modulus_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_field_modulus + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_field_modulus randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_2_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_2_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_2_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_2_ randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_rejection_sample_less_than_eta_equals_4_pre + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> true); + f_rejection_sample_less_than_eta_equals_4_post + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) (out2: (t_Slice i32 & usize)) -> true); + f_rejection_sample_less_than_eta_equals_4_ + = + (fun (randomness: t_Slice u8) (out: t_Slice i32) -> + let tmp0, out1:(t_Slice i32 & usize) = + Libcrux_ml_dsa.Simd.Portable.Sample.rejection_sample_less_than_eta_equals_4_ randomness + out + in + let out:t_Slice i32 = tmp0 in + let hax_temp_output:usize = out1 in + out, hax_temp_output <: (t_Slice i32 & usize)); + f_gamma1_serialize_pre + = + (fun + (v_OUTPUT_SIZE: 
usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_gamma1_serialize_post + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> + true); + f_gamma1_serialize + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.serialize v_OUTPUT_SIZE simd_unit); + f_gamma1_deserialize_pre = (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> true); + f_gamma1_deserialize_post + = + (fun + (v_GAMMA1_EXPONENT: usize) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_gamma1_deserialize + = + (fun (v_GAMMA1_EXPONENT: usize) (serialized: t_Slice u8) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Gamma1.deserialize v_GAMMA1_EXPONENT serialized); + f_commitment_serialize_pre + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_commitment_serialize_post + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> + true); + f_commitment_serialize + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Commitment.serialize v_OUTPUT_SIZE simd_unit); + f_error_serialize_pre + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_error_serialize_post + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array u8 v_OUTPUT_SIZE) + -> + true); + f_error_serialize + = + (fun + (v_OUTPUT_SIZE: usize) + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + 
Libcrux_ml_dsa.Simd.Portable.Encoding.Error.serialize v_OUTPUT_SIZE simd_unit); + f_error_deserialize_pre = (fun (v_ETA: usize) (serialized: t_Slice u8) -> true); + f_error_deserialize_post + = + (fun + (v_ETA: usize) + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_error_deserialize + = + (fun (v_ETA: usize) (serialized: t_Slice u8) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.Error.deserialize v_ETA serialized); + f_t0_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); + f_t0_serialize_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array u8 (sz 13)) + -> + true); + f_t0_serialize + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.T0.serialize simd_unit); + f_t0_deserialize_pre = (fun (serialized: t_Slice u8) -> true); + f_t0_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_t0_deserialize + = + (fun (serialized: t_Slice u8) -> Libcrux_ml_dsa.Simd.Portable.Encoding.T0.deserialize serialized + ); + f_t1_serialize_pre + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> true); + f_t1_serialize_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (out: t_Array u8 (sz 10)) + -> + true); + f_t1_serialize + = + (fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) -> + Libcrux_ml_dsa.Simd.Portable.Encoding.T1.serialize simd_unit); + f_t1_deserialize_pre = (fun (serialized: t_Slice u8) -> true); + f_t1_deserialize_post + = + (fun + (serialized: t_Slice u8) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_t1_deserialize + = + (fun (serialized: t_Slice u8) -> 
Libcrux_ml_dsa.Simd.Portable.Encoding.T1.deserialize serialized + ); + f_ntt_pre + = + (fun + (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + -> + true); + f_ntt_post + = + (fun + (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + (out: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + -> + true); + f_ntt + = + (fun + (simd_units: t_Array Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit (sz 32)) + -> + Libcrux_ml_dsa.Simd.Portable.Ntt.ntt simd_units); + f_invert_ntt_at_layer_0_pre + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + -> + true); + f_invert_ntt_at_layer_0_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_invert_ntt_at_layer_0_ + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + (zeta2: i32) + (zeta3: i32) + -> + Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_0_ simd_unit zeta0 zeta1 zeta2 zeta3); + f_invert_ntt_at_layer_1_pre + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + -> + true); + f_invert_ntt_at_layer_1_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_invert_ntt_at_layer_1_ + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta0: i32) + (zeta1: i32) + -> + Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_1_ simd_unit zeta0 zeta1); + f_invert_ntt_at_layer_2_pre + = + (fun (simd_unit: 
Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta: i32) -> + true); + f_invert_ntt_at_layer_2_post + = + (fun + (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + (zeta: i32) + (out: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) + -> + true); + f_invert_ntt_at_layer_2_ + = + fun (simd_unit: Libcrux_ml_dsa.Simd.Portable.Vector_type.t_PortableSIMDUnit) (zeta: i32) -> + Libcrux_ml_dsa.Simd.Portable.Ntt.invert_ntt_at_layer_2_ simd_unit zeta + } diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fst new file mode 100644 index 000000000..5bf547714 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fst @@ -0,0 +1,11 @@ +module Libcrux_ml_dsa.Simd.Traits +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let montgomery_multiply_by_fer + (#v_S: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: t_Operations v_S) + (simd_unit: v_S) + (fer: i32) + = f_montgomery_multiply_by_constant #v_S #FStar.Tactics.Typeclasses.solve simd_unit fer diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti new file mode 100644 index 000000000..1ef0cb0e8 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Simd.Traits.fsti 
@@ -0,0 +1,225 @@ +module Libcrux_ml_dsa.Simd.Traits +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +class t_Operations (v_Self: Type0) = { + [@@@ FStar.Tactics.Typeclasses.no_method]_super_11581440318597584651:Core.Marker.t_Copy v_Self; + [@@@ FStar.Tactics.Typeclasses.no_method]_super_9442900250278684536:Core.Clone.t_Clone v_Self; + f_ZERO_pre:Prims.unit -> Type0; + f_ZERO_post:Prims.unit -> v_Self -> Type0; + f_ZERO:x0: Prims.unit -> Prims.Pure v_Self (f_ZERO_pre x0) (fun result -> f_ZERO_post x0 result); + f_from_coefficient_array_pre:t_Slice i32 -> Type0; + f_from_coefficient_array_post:t_Slice i32 -> v_Self -> Type0; + f_from_coefficient_array:x0: t_Slice i32 + -> Prims.Pure v_Self + (f_from_coefficient_array_pre x0) + (fun result -> f_from_coefficient_array_post x0 result); + f_to_coefficient_array_pre:v_Self -> Type0; + f_to_coefficient_array_post:v_Self -> t_Array i32 (sz 8) -> Type0; + f_to_coefficient_array:x0: v_Self + -> Prims.Pure (t_Array i32 (sz 8)) + (f_to_coefficient_array_pre x0) + (fun result -> f_to_coefficient_array_post x0 result); + f_add_pre:v_Self -> v_Self -> Type0; + f_add_post:v_Self -> v_Self -> v_Self -> Type0; + f_add:x0: v_Self -> x1: v_Self + -> Prims.Pure v_Self (f_add_pre x0 x1) (fun result -> f_add_post x0 x1 result); + f_subtract_pre:v_Self -> v_Self -> Type0; + f_subtract_post:v_Self -> v_Self -> v_Self -> Type0; + f_subtract:x0: v_Self -> x1: v_Self + -> Prims.Pure v_Self (f_subtract_pre x0 x1) (fun result -> f_subtract_post x0 x1 result); + f_infinity_norm_exceeds_pre:v_Self -> i32 -> Type0; + f_infinity_norm_exceeds_post:v_Self -> i32 -> bool -> Type0; + f_infinity_norm_exceeds:x0: v_Self -> x1: i32 + -> Prims.Pure bool + (f_infinity_norm_exceeds_pre x0 x1) + (fun result -> f_infinity_norm_exceeds_post x0 x1 result); + f_decompose_pre:v_GAMMA2: i32 -> v_Self -> Type0; + f_decompose_post:v_GAMMA2: i32 -> v_Self -> (v_Self & v_Self) -> Type0; + f_decompose:v_GAMMA2: i32 -> x0: v_Self + -> 
Prims.Pure (v_Self & v_Self) + (f_decompose_pre v_GAMMA2 x0) + (fun result -> f_decompose_post v_GAMMA2 x0 result); + f_compute_hint_pre:v_GAMMA2: i32 -> v_Self -> v_Self -> Type0; + f_compute_hint_post:v_GAMMA2: i32 -> v_Self -> v_Self -> (usize & v_Self) -> Type0; + f_compute_hint:v_GAMMA2: i32 -> x0: v_Self -> x1: v_Self + -> Prims.Pure (usize & v_Self) + (f_compute_hint_pre v_GAMMA2 x0 x1) + (fun result -> f_compute_hint_post v_GAMMA2 x0 x1 result); + f_use_hint_pre:v_GAMMA2: i32 -> v_Self -> v_Self -> Type0; + f_use_hint_post:v_GAMMA2: i32 -> v_Self -> v_Self -> v_Self -> Type0; + f_use_hint:v_GAMMA2: i32 -> x0: v_Self -> x1: v_Self + -> Prims.Pure v_Self + (f_use_hint_pre v_GAMMA2 x0 x1) + (fun result -> f_use_hint_post v_GAMMA2 x0 x1 result); + f_montgomery_multiply_pre:v_Self -> v_Self -> Type0; + f_montgomery_multiply_post:v_Self -> v_Self -> v_Self -> Type0; + f_montgomery_multiply:x0: v_Self -> x1: v_Self + -> Prims.Pure v_Self + (f_montgomery_multiply_pre x0 x1) + (fun result -> f_montgomery_multiply_post x0 x1 result); + f_montgomery_multiply_by_constant_pre:v_Self -> i32 -> Type0; + f_montgomery_multiply_by_constant_post:v_Self -> i32 -> v_Self -> Type0; + f_montgomery_multiply_by_constant:x0: v_Self -> x1: i32 + -> Prims.Pure v_Self + (f_montgomery_multiply_by_constant_pre x0 x1) + (fun result -> f_montgomery_multiply_by_constant_post x0 x1 result); + f_shift_left_then_reduce_pre:v_SHIFT_BY: i32 -> v_Self -> Type0; + f_shift_left_then_reduce_post:v_SHIFT_BY: i32 -> v_Self -> v_Self -> Type0; + f_shift_left_then_reduce:v_SHIFT_BY: i32 -> x0: v_Self + -> Prims.Pure v_Self + (f_shift_left_then_reduce_pre v_SHIFT_BY x0) + (fun result -> f_shift_left_then_reduce_post v_SHIFT_BY x0 result); + f_power2round_pre:v_Self -> Type0; + f_power2round_post:v_Self -> (v_Self & v_Self) -> Type0; + f_power2round:x0: v_Self + -> Prims.Pure (v_Self & v_Self) + (f_power2round_pre x0) + (fun result -> f_power2round_post x0 result); + 
f_rejection_sample_less_than_field_modulus_pre:t_Slice u8 -> t_Slice i32 -> Type0; + f_rejection_sample_less_than_field_modulus_post:t_Slice u8 -> t_Slice i32 -> (t_Slice i32 & usize) + -> Type0; + f_rejection_sample_less_than_field_modulus:x0: t_Slice u8 -> x1: t_Slice i32 + -> Prims.Pure (t_Slice i32 & usize) + (f_rejection_sample_less_than_field_modulus_pre x0 x1) + (fun result -> f_rejection_sample_less_than_field_modulus_post x0 x1 result); + f_rejection_sample_less_than_eta_equals_2_pre:t_Slice u8 -> t_Slice i32 -> Type0; + f_rejection_sample_less_than_eta_equals_2_post:t_Slice u8 -> t_Slice i32 -> (t_Slice i32 & usize) + -> Type0; + f_rejection_sample_less_than_eta_equals_2_:x0: t_Slice u8 -> x1: t_Slice i32 + -> Prims.Pure (t_Slice i32 & usize) + (f_rejection_sample_less_than_eta_equals_2_pre x0 x1) + (fun result -> f_rejection_sample_less_than_eta_equals_2_post x0 x1 result); + f_rejection_sample_less_than_eta_equals_4_pre:t_Slice u8 -> t_Slice i32 -> Type0; + f_rejection_sample_less_than_eta_equals_4_post:t_Slice u8 -> t_Slice i32 -> (t_Slice i32 & usize) + -> Type0; + f_rejection_sample_less_than_eta_equals_4_:x0: t_Slice u8 -> x1: t_Slice i32 + -> Prims.Pure (t_Slice i32 & usize) + (f_rejection_sample_less_than_eta_equals_4_pre x0 x1) + (fun result -> f_rejection_sample_less_than_eta_equals_4_post x0 x1 result); + f_gamma1_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0; + f_gamma1_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0; + f_gamma1_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self + -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE) + (f_gamma1_serialize_pre v_OUTPUT_SIZE x0) + (fun result -> f_gamma1_serialize_post v_OUTPUT_SIZE x0 result); + f_gamma1_deserialize_pre:v_GAMMA1_EXPONENT: usize -> t_Slice u8 -> Type0; + f_gamma1_deserialize_post:v_GAMMA1_EXPONENT: usize -> t_Slice u8 -> v_Self -> Type0; + f_gamma1_deserialize:v_GAMMA1_EXPONENT: usize -> x0: t_Slice u8 + -> Prims.Pure v_Self + (f_gamma1_deserialize_pre 
v_GAMMA1_EXPONENT x0) + (fun result -> f_gamma1_deserialize_post v_GAMMA1_EXPONENT x0 result); + f_commitment_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0; + f_commitment_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0; + f_commitment_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self + -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE) + (f_commitment_serialize_pre v_OUTPUT_SIZE x0) + (fun result -> f_commitment_serialize_post v_OUTPUT_SIZE x0 result); + f_error_serialize_pre:v_OUTPUT_SIZE: usize -> v_Self -> Type0; + f_error_serialize_post:v_OUTPUT_SIZE: usize -> v_Self -> t_Array u8 v_OUTPUT_SIZE -> Type0; + f_error_serialize:v_OUTPUT_SIZE: usize -> x0: v_Self + -> Prims.Pure (t_Array u8 v_OUTPUT_SIZE) + (f_error_serialize_pre v_OUTPUT_SIZE x0) + (fun result -> f_error_serialize_post v_OUTPUT_SIZE x0 result); + f_error_deserialize_pre:v_ETA: usize -> t_Slice u8 -> Type0; + f_error_deserialize_post:v_ETA: usize -> t_Slice u8 -> v_Self -> Type0; + f_error_deserialize:v_ETA: usize -> x0: t_Slice u8 + -> Prims.Pure v_Self + (f_error_deserialize_pre v_ETA x0) + (fun result -> f_error_deserialize_post v_ETA x0 result); + f_t0_serialize_pre:v_Self -> Type0; + f_t0_serialize_post:v_Self -> t_Array u8 (sz 13) -> Type0; + f_t0_serialize:x0: v_Self + -> Prims.Pure (t_Array u8 (sz 13)) + (f_t0_serialize_pre x0) + (fun result -> f_t0_serialize_post x0 result); + f_t0_deserialize_pre:t_Slice u8 -> Type0; + f_t0_deserialize_post:t_Slice u8 -> v_Self -> Type0; + f_t0_deserialize:x0: t_Slice u8 + -> Prims.Pure v_Self (f_t0_deserialize_pre x0) (fun result -> f_t0_deserialize_post x0 result); + f_t1_serialize_pre:v_Self -> Type0; + f_t1_serialize_post:v_Self -> t_Array u8 (sz 10) -> Type0; + f_t1_serialize:x0: v_Self + -> Prims.Pure (t_Array u8 (sz 10)) + (f_t1_serialize_pre x0) + (fun result -> f_t1_serialize_post x0 result); + f_t1_deserialize_pre:t_Slice u8 -> Type0; + f_t1_deserialize_post:t_Slice u8 -> v_Self -> Type0; + f_t1_deserialize:x0: 
t_Slice u8 + -> Prims.Pure v_Self (f_t1_deserialize_pre x0) (fun result -> f_t1_deserialize_post x0 result); + f_ntt_pre:t_Array v_Self (sz 32) -> Type0; + f_ntt_post:t_Array v_Self (sz 32) -> t_Array v_Self (sz 32) -> Type0; + f_ntt:x0: t_Array v_Self (sz 32) + -> Prims.Pure (t_Array v_Self (sz 32)) (f_ntt_pre x0) (fun result -> f_ntt_post x0 result); + f_invert_ntt_at_layer_0_pre:v_Self -> i32 -> i32 -> i32 -> i32 -> Type0; + f_invert_ntt_at_layer_0_post:v_Self -> i32 -> i32 -> i32 -> i32 -> v_Self -> Type0; + f_invert_ntt_at_layer_0_:x0: v_Self -> x1: i32 -> x2: i32 -> x3: i32 -> x4: i32 + -> Prims.Pure v_Self + (f_invert_ntt_at_layer_0_pre x0 x1 x2 x3 x4) + (fun result -> f_invert_ntt_at_layer_0_post x0 x1 x2 x3 x4 result); + f_invert_ntt_at_layer_1_pre:v_Self -> i32 -> i32 -> Type0; + f_invert_ntt_at_layer_1_post:v_Self -> i32 -> i32 -> v_Self -> Type0; + f_invert_ntt_at_layer_1_:x0: v_Self -> x1: i32 -> x2: i32 + -> Prims.Pure v_Self + (f_invert_ntt_at_layer_1_pre x0 x1 x2) + (fun result -> f_invert_ntt_at_layer_1_post x0 x1 x2 result); + f_invert_ntt_at_layer_2_pre:v_Self -> i32 -> Type0; + f_invert_ntt_at_layer_2_post:v_Self -> i32 -> v_Self -> Type0; + f_invert_ntt_at_layer_2_:x0: v_Self -> x1: i32 + -> Prims.Pure v_Self + (f_invert_ntt_at_layer_2_pre x0 x1) + (fun result -> f_invert_ntt_at_layer_2_post x0 x1 result) +} + +let v_COEFFICIENTS_IN_SIMD_UNIT: usize = sz 8 + +let v_FIELD_MODULUS: i32 = 8380417l + +let v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u64 = 58728449uL + +let v_SIMD_UNITS_IN_RING_ELEMENT: usize = + Libcrux_ml_dsa.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! 
v_COEFFICIENTS_IN_SIMD_UNIT + +let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i32 (sz 256) = + let list = + [ + 0l; 25847l; (-2608894l); (-518909l); 237124l; (-777960l); (-876248l); 466468l; 1826347l; + 2353451l; (-359251l); (-2091905l); 3119733l; (-2884855l); 3111497l; 2680103l; 2725464l; + 1024112l; (-1079900l); 3585928l; (-549488l); (-1119584l); 2619752l; (-2108549l); (-2118186l); + (-3859737l); (-1399561l); (-3277672l); 1757237l; (-19422l); 4010497l; 280005l; 2706023l; + 95776l; 3077325l; 3530437l; (-1661693l); (-3592148l); (-2537516l); 3915439l; (-3861115l); + (-3043716l); 3574422l; (-2867647l); 3539968l; (-300467l); 2348700l; (-539299l); (-1699267l); + (-1643818l); 3505694l; (-3821735l); 3507263l; (-2140649l); (-1600420l); 3699596l; 811944l; + 531354l; 954230l; 3881043l; 3900724l; (-2556880l); 2071892l; (-2797779l); (-3930395l); + (-1528703l); (-3677745l); (-3041255l); (-1452451l); 3475950l; 2176455l; (-1585221l); + (-1257611l); 1939314l; (-4083598l); (-1000202l); (-3190144l); (-3157330l); (-3632928l); + 126922l; 3412210l; (-983419l); 2147896l; 2715295l; (-2967645l); (-3693493l); (-411027l); + (-2477047l); (-671102l); (-1228525l); (-22981l); (-1308169l); (-381987l); 1349076l; 1852771l; + (-1430430l); (-3343383l); 264944l; 508951l; 3097992l; 44288l; (-1100098l); 904516l; 3958618l; + (-3724342l); (-8578l); 1653064l; (-3249728l); 2389356l; (-210977l); 759969l; (-1316856l); + 189548l; (-3553272l); 3159746l; (-1851402l); (-2409325l); (-177440l); 1315589l; 1341330l; + 1285669l; (-1584928l); (-812732l); (-1439742l); (-3019102l); (-3881060l); (-3628969l); + 3839961l; 2091667l; 3407706l; 2316500l; 3817976l; (-3342478l); 2244091l; (-2446433l); + (-3562462l); 266997l; 2434439l; (-1235728l); 3513181l; (-3520352l); (-3759364l); (-1197226l); + (-3193378l); 900702l; 1859098l; 909542l; 819034l; 495491l; (-1613174l); (-43260l); (-522500l); + (-655327l); (-3122442l); 2031748l; 3207046l; (-3556995l); (-525098l); (-768622l); (-3595838l); + 342297l; 286988l; (-2437823l); 4108315l; 
3437287l; (-3342277l); 1735879l; 203044l; 2842341l; + 2691481l; (-2590150l); 1265009l; 4055324l; 1247620l; 2486353l; 1595974l; (-3767016l); 1250494l; + 2635921l; (-3548272l); (-2994039l); 1869119l; 1903435l; (-1050970l); (-1333058l); 1237275l; + (-3318210l); (-1430225l); (-451100l); 1312455l; 3306115l; (-1962642l); (-1279661l); 1917081l; + (-2546312l); (-1374803l); 1500165l; 777191l; 2235880l; 3406031l; (-542412l); (-2831860l); + (-1671176l); (-1846953l); (-2584293l); (-3724270l); 594136l; (-3776993l); (-2013608l); + 2432395l; 2454455l; (-164721l); 1957272l; 3369112l; 185531l; (-1207385l); (-3183426l); 162844l; + 1616392l; 3014001l; 810149l; 1652634l; (-3694233l); (-1799107l); (-3038916l); 3523897l; + 3866901l; 269760l; 2213111l; (-975884l); 1717735l; 472078l; (-426683l); 1723600l; (-1803090l); + 1910376l; (-1667432l); (-1104333l); (-260646l); (-3833893l); (-2939036l); (-2235985l); + (-420899l); (-2286327l); 183443l; (-976891l); 1612842l; (-3545687l); (-554416l); 3919660l; + (-48306l); (-1362209l); 3937738l; 1400424l; (-846154l); 1976782l + ] + in + FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 256); + Rust_primitives.Hax.array_of_list 256 list + +val montgomery_multiply_by_fer (#v_S: Type0) {| i1: t_Operations v_S |} (simd_unit: v_S) (fer: i32) + : Prims.Pure v_S Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst new file mode 100644 index 000000000..8af0ff228 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fst 
@@ -0,0 +1,34 @@ +module Libcrux_ml_dsa.Types +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +let impl__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE + +let impl_2__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE + +let impl_4__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE + +let t_SigningError_cast_to_repr (x: t_SigningError) = + match x with + | SigningError_RejectionSamplingError -> isz 0 + | SigningError_ContextTooLongError -> isz 1 + +let t_VerificationError_cast_to_repr (x: t_VerificationError) = + match x with + | VerificationError_MalformedHintError -> isz 0 + | VerificationError_SignerResponseExceedsBoundError -> isz 1 + | VerificationError_CommitmentHashesDontMatchError -> isz 3 + | VerificationError_ContextTooLongError -> isz 6 + +let impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) = self._0 <: t_Slice u8 + +let impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) = self._0 <: t_Slice u8 + +let impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) = self._0 <: t_Slice u8 diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti new file mode 100644 index 000000000..f121066d7 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Types.fsti 
@@ -0,0 +1,77 @@ +module Libcrux_ml_dsa.Types +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_dsa.Simd.Traits in + () + +/// The number of bytes +val impl__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + +/// The number of bytes +val impl_2__len: v_SIZE: usize -> Prims.unit + -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + +/// The number of bytes +val impl_4__len: v_SIZE: usize -> Prims.unit + -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) + +///An ML-DSA signature. +type t_MLDSASignature (v_SIZE: usize) = + | MLDSASignature : t_Array u8 v_SIZE -> t_MLDSASignature v_SIZE + +///An ML-DSA signature key. +type t_MLDSASigningKey (v_SIZE: usize) = + | MLDSASigningKey : t_Array u8 v_SIZE -> t_MLDSASigningKey v_SIZE + +///An ML-DSA verification key. +type t_MLDSAVerificationKey (v_SIZE: usize) = + | MLDSAVerificationKey : t_Array u8 v_SIZE -> t_MLDSAVerificationKey v_SIZE + +/// An ML-DSA key pair. 
+type t_MLDSAKeyPair (v_VERIFICATION_KEY_SIZE: usize) (v_SIGNING_KEY_SIZE: usize) = { + f_signing_key:t_MLDSASigningKey v_SIGNING_KEY_SIZE; + f_verification_key:t_MLDSAVerificationKey v_VERIFICATION_KEY_SIZE +} + +type t_Signature + (v_SIMDUnit: Type0) (v_COMMITMENT_HASH_SIZE: usize) (v_COLUMNS_IN_A: usize) (v_ROWS_IN_A: usize) + {| i1: Libcrux_ml_dsa.Simd.Traits.t_Operations v_SIMDUnit |} + = { + f_commitment_hash:t_Array u8 v_COMMITMENT_HASH_SIZE; + f_signer_response:t_Array (Libcrux_ml_dsa.Polynomial.t_PolynomialRingElement v_SIMDUnit) + v_COLUMNS_IN_A; + f_hint:t_Array (t_Array i32 (sz 256)) v_ROWS_IN_A +} + +type t_SigningError = + | SigningError_RejectionSamplingError : t_SigningError + | SigningError_ContextTooLongError : t_SigningError + +val t_SigningError_cast_to_repr (x: t_SigningError) + : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) + +type t_VerificationError = + | VerificationError_MalformedHintError : t_VerificationError + | VerificationError_SignerResponseExceedsBoundError : t_VerificationError + | VerificationError_CommitmentHashesDontMatchError : t_VerificationError + | VerificationError_ContextTooLongError : t_VerificationError + +val t_VerificationError_cast_to_repr (x: t_VerificationError) + : Prims.Pure isize Prims.l_True (fun _ -> Prims.l_True) + +/// A reference to the raw byte slice. +val impl__as_slice (v_SIZE: usize) (self: t_MLDSASigningKey v_SIZE) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// A reference to the raw byte slice. +val impl_2__as_slice (v_SIZE: usize) (self: t_MLDSAVerificationKey v_SIZE) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) + +/// A reference to the raw byte slice. +val impl_4__as_slice (v_SIZE: usize) (self: t_MLDSASignature v_SIZE) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst new file mode 100644 index 000000000..82aa84965 --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fst @@ -0,0 +1,37 @@ +module Libcrux_ml_dsa.Utils +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +let into_padded_array (v_LEN: usize) (slice: t_Slice u8) = + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert ((Core.Slice.impl__len #u8 slice <: usize) <=. v_LEN <: bool) + in + () + in + let out:t_Array u8 v_LEN = Rust_primitives.Hax.repeat 0uy v_LEN in + let out:t_Array u8 v_LEN = + Rust_primitives.Hax.Monomorphized_update_at.update_at_range out + ({ + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize + } + <: + Core.Ops.Range.t_Range usize) + (Core.Slice.impl__copy_from_slice #u8 + (out.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = Core.Slice.impl__len #u8 slice <: usize + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice u8) + slice + <: + t_Slice u8) + in + out diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fsti b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fsti new file mode 100644 index 000000000..112de368e --- /dev/null +++ b/libcrux-ml-dsa/proofs/fstar/extraction/Libcrux_ml_dsa.Utils.fsti @@ -0,0 +1,8 @@ +module Libcrux_ml_dsa.Utils +#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +open Core +open FStar.Mul + +/// Pad the `slice` with `0`s at the end. +val into_padded_array (v_LEN: usize) (slice: t_Slice u8) + : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) 
diff --git a/fstar-helpers/fstar-bitvec/Makefile b/libcrux-ml-dsa/proofs/fstar/extraction/Makefile
similarity index 69%
rename from fstar-helpers/fstar-bitvec/Makefile
rename to libcrux-ml-dsa/proofs/fstar/extraction/Makefile
index b4ce70a38..4f7a001a8 100644
--- a/fstar-helpers/fstar-bitvec/Makefile
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/Makefile
@@ -1 +1,3 @@
+SLOW_MODULES +=
+ADMIT_MODULES =
 include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base
diff --git a/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph b/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph
new file mode 100644
index 000000000..ddce2bce1
--- /dev/null
+++ b/libcrux-ml-dsa/proofs/fstar/extraction/dep.graph
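Review bot: The file header records this Makefile as a rename from `fstar-helpers/fstar-bitvec/Makefile` (similarity index 69%), so after this commit the fstar-bitvec helper directory has no Makefile of its own; if the intent was only to add a build file for the ml-dsa extraction, the original should stay in place and this one be committed as a new file. Git may simply be pairing an unrelated deletion with this addition, which cannot be confirmed from the hunk alone. The two added assignments are empty, which is presumably deliberate since `Makefile.base` is included right after them; a one-line comment such as `# Modules listed here are verified with --admit_smt_queries; keep empty so every module is fully checked` above `ADMIT_MODULES =` would make that intent explicit to the next editor, and `SLOW_MODULES +=` should probably be a plain `=` unless something earlier in the include chain seeds the variable.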
@@ -0,0 +1,4883 @@ +digraph { + "fstar_reflection_const" -> "fstar_pervasives" + "fstar_reflection_const" -> "fstar_pervasives" + "fstar_reflection_const" -> "prims" + "fstar_reflection_const" -> "prims" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "core_result" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "prims" + "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ntt" -> "core_slice" + "libcrux_ml_dsa_ntt" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_ntt" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives_native" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives_native" + "libcrux_ml_dsa_ntt" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ntt" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ntt" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ntt" -> "fstar_mul" + "libcrux_ml_dsa_ntt" -> "fstar_mul" + "libcrux_ml_dsa_ntt" -> "core" + "libcrux_ml_dsa_ntt" -> "core" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_ntt" -> "prims" + "libcrux_ml_dsa_ntt" -> "prims" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_ntt" + "libcrux_sha3_portable" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_portable" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "core" + 
"libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "prims" + "libcrux_sha3_portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44_" -> "core" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44_" -> "prims" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_ml_dsa_44_" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "prims" + "fstar_functionalextensionality" -> "prims" + "core_ops_range" -> "rust_primitives_hax" + "core_ops_range" -> "rust_primitives_hax" + "core_ops_range" -> "fstar_seq" + "core_ops_range" -> "fstar_seq" + "core_ops_range" -> "core_ops_index" + "core_ops_range" -> "core_ops_index" + "core_ops_range" -> "fstar_tactics_typeclasses" + "core_ops_range" -> "fstar_tactics_typeclasses" + "core_ops_range" -> "fstar_pervasives_native" + "core_ops_range" -> "fstar_pervasives_native" + "core_ops_range" -> "core_iter_traits_iterator" + "core_ops_range" -> "core_iter_traits_iterator" + "core_ops_range" -> "rust_primitives" + "core_ops_range" -> "rust_primitives" + "core_ops_range" -> "fstar_pervasives" + "core_ops_range" -> "fstar_pervasives" + "core_ops_range" -> "prims" + "core_ops_range" -> "prims" + "fstar_bitvector" -> "fstar_seq" + "fstar_bitvector" -> "fstar_seq" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "prims" + "fstar_bitvector" -> "prims" + "fstar_bitvector" -> "fstar_bitvector" + "fstar_sealed_inhabited" -> "fstar_sealed" + "fstar_sealed_inhabited" -> 
"fstar_pervasives" + "fstar_sealed_inhabited" -> "fstar_pervasives" + "fstar_sealed_inhabited" -> "prims" + "fstar_sealed_inhabited" -> "prims" + "core_fmt" -> "core_fmt_rt" + "core_fmt" -> "fstar_tactics_typeclasses" + "core_fmt" -> "fstar_tactics_typeclasses" + "core_fmt" -> "core_result" + "core_fmt" -> "core_result" + "core_fmt" -> "rust_primitives" + "core_fmt" -> "rust_primitives" + "core_fmt" -> "fstar_pervasives" + "core_fmt" -> "fstar_pervasives" + "core_fmt" -> "prims" + "core_fmt" -> "prims" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_generic_keccak" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives" + 
"libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" + "fstar_reflection_v1_derived" -> "fstar_list_tot_base" + "fstar_reflection_v1_derived" -> "fstar_list_tot_base" + "fstar_reflection_v1_derived" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived" -> "fstar_vconfig" + "fstar_reflection_v1_derived" -> "fstar_order" + "fstar_reflection_v1_derived" -> "fstar_order" + "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1_derived" -> "fstar_reflection_const" + "fstar_reflection_v1_derived" -> "fstar_reflection_const" + "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1_derived" -> "fstar_pervasives" + "fstar_reflection_v1_derived" -> "fstar_pervasives" + "fstar_reflection_v1_derived" -> "prims" + "fstar_reflection_v1_derived" -> "prims" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_logic" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1" + "fstar_tactics_v1_logic" -> "fstar_tactics_effect" + "fstar_tactics_v1_logic" -> "fstar_tactics_effect" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "prims" + "fstar_tactics_v1_logic" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_int32" + 
"libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_ml_dsa_simd_avx2_vector_type" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "prims" + "fstar_uint8" -> "prims" + "fstar_tactics_bv" -> "fstar_pervasives_native" + "fstar_tactics_bv" -> "fstar_pervasives_native" + "fstar_tactics_bv" -> "fstar_tactics_bv_lemmas" + "fstar_tactics_bv" -> "fstar_tactics_bv_lemmas" + "fstar_tactics_bv" -> "fstar_uint" + "fstar_tactics_bv" -> "fstar_uint" + "fstar_tactics_bv" -> "fstar_bv" + "fstar_tactics_bv" -> "fstar_bv" + "fstar_tactics_bv" -> "fstar_reflection_v2_arith" + "fstar_tactics_bv" -> "fstar_reflection_v2_arith" + "fstar_tactics_bv" -> "fstar_reflection_v2_formula" + "fstar_tactics_bv" -> 
"fstar_reflection_v2_formula" + "fstar_tactics_bv" -> "fstar_tactics_v2" + "fstar_tactics_bv" -> "fstar_tactics_v2" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "prims" + "fstar_tactics_bv" -> "prims" + "fstar_tactics_bv" -> "fstar_tactics_bv" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int64" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int64" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_ml_dsa_constants" + 
"libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_ml_dsa_simd_avx2_encoding_t0" + "rust_primitives_arrays" -> "fstar_pervasives_native" + "rust_primitives_arrays" -> "fstar_pervasives_native" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_mul" + "rust_primitives_arrays" -> "fstar_mul" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_num" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax_monomorphized_update_at" + 
"libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> 
"core_result" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "prims" + "fstar_seq" -> "fstar_seq_properties" + "fstar_seq" -> "fstar_seq_properties" + "fstar_seq" -> "fstar_seq_base" + "fstar_seq" -> "fstar_seq_base" + "fstar_seq" -> "fstar_pervasives" + "fstar_seq" -> "fstar_pervasives" + "fstar_seq" -> "prims" + "fstar_seq" -> "prims" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "rust_primitives_arrays" + "fstar_int64" -> "fstar_uint" + "fstar_int64" -> "fstar_uint" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "prims" + "fstar_int64" -> "prims" + "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" + "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" + "core_iter_traits_iterator" -> "core_iter_adapters_step_by" + "core_iter_traits_iterator" -> "core_iter_adapters_step_by" + "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" + "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" + "core_iter_traits_iterator" -> "rust_primitives" + "core_iter_traits_iterator" -> 
"rust_primitives" + "core_iter_traits_iterator" -> "fstar_pervasives" + "core_iter_traits_iterator" -> "fstar_pervasives" + "core_iter_traits_iterator" -> "prims" + "core_iter_traits_iterator" -> "prims" + "core_slice_iter" -> "rust_primitives" + "core_slice_iter" -> "rust_primitives" + "core_slice_iter" -> "fstar_pervasives" + "core_slice_iter" -> "fstar_pervasives" + "core_slice_iter" -> "prims" + "core_slice_iter" -> "prims" + "core_option" -> "fstar_pervasives" + "core_option" -> "fstar_pervasives" + "core_option" -> "prims" + "core_option" -> "prims" + "fstar_tactics_bv_lemmas" -> "fstar_uint" + "fstar_tactics_bv_lemmas" -> "fstar_uint" + "fstar_tactics_bv_lemmas" -> "fstar_bv" + "fstar_tactics_bv_lemmas" -> "fstar_bv" + "fstar_tactics_bv_lemmas" -> "fstar_pervasives" + "fstar_tactics_bv_lemmas" -> "fstar_pervasives" + "fstar_tactics_bv_lemmas" -> "prims" + "fstar_tactics_bv_lemmas" -> "prims" + "libcrux_sha3_generic_keccak" -> "fstar_tactics_typeclasses" + "libcrux_sha3_generic_keccak" -> "fstar_tactics_typeclasses" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "libcrux_sha3_traits" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "fstar_mul" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "core" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "fstar_pervasives" + "libcrux_sha3_generic_keccak" -> "prims" + "libcrux_sha3_generic_keccak" -> "prims" + "fstar_uint" -> "fstar_seq_base" + "fstar_uint" -> "fstar_seq_base" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "prims" + "fstar_uint" -> "prims" + "fstar_math_lib" -> "fstar_mul" + "fstar_math_lib" -> "fstar_mul" + 
"fstar_math_lib" -> "fstar_pervasives" + "fstar_math_lib" -> "fstar_pervasives" + "fstar_math_lib" -> "prims" + "fstar_math_lib" -> "prims" + "fstar_reflection_v2_arith" -> "fstar_classical" + "fstar_reflection_v2_arith" -> "fstar_classical" + "fstar_reflection_v2_arith" -> "fstar_list_tot" + "fstar_reflection_v2_arith" -> "fstar_list_tot" + "fstar_reflection_v2_arith" -> "fstar_pervasives_native" + "fstar_reflection_v2_arith" -> "fstar_pervasives_native" + "fstar_reflection_v2_arith" -> "fstar_list_tot_base" + "fstar_reflection_v2_arith" -> "fstar_list_tot_base" + "fstar_reflection_v2_arith" -> "fstar_order" + "fstar_reflection_v2_arith" -> "fstar_order" + "fstar_reflection_v2_arith" -> "fstar_reflection_v2" + "fstar_reflection_v2_arith" -> "fstar_reflection_v2" + "fstar_reflection_v2_arith" -> "fstar_tactics_v2" + "fstar_reflection_v2_arith" -> "fstar_tactics_v2" + "fstar_reflection_v2_arith" -> "fstar_pervasives" + "fstar_reflection_v2_arith" -> "fstar_pervasives" + "fstar_reflection_v2_arith" -> "prims" + "fstar_reflection_v2_arith" -> "prims" + "lib_sequence" -> "fstar_pervasives_native" + "lib_sequence" -> "fstar_pervasives_native" + "lib_sequence" -> "fstar_math_lemmas" + "lib_sequence" -> "fstar_math_lemmas" + "lib_sequence" -> "lib_loopcombinators" + "lib_sequence" -> "lib_loopcombinators" + "lib_sequence" -> "fstar_list_tot" + "lib_sequence" -> "fstar_list_tot" + "lib_sequence" -> "fstar_seq" + "lib_sequence" -> "fstar_seq" + "lib_sequence" -> "lib_inttypes" + "lib_sequence" -> "lib_inttypes" + "lib_sequence" -> "fstar_mul" + "lib_sequence" -> "fstar_mul" + "lib_sequence" -> "fstar_pervasives" + "lib_sequence" -> "fstar_pervasives" + "lib_sequence" -> "prims" + "lib_sequence" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + 
"libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_ml_dsa_65_" -> "core_result" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65_" -> "core" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65_" -> "prims" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87_" -> "core" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87_" -> "prims" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_ml_dsa_87_" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_gamma1" -> "core" + "libcrux_ml_dsa_encoding_gamma1" -> "core" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_encoding_gamma1" -> "prims" + "libcrux_platform_platform" -> "fstar_mul" + "libcrux_platform_platform" -> "core" + "libcrux_platform_platform" -> "fstar_pervasives" + "libcrux_platform_platform" -> 
"prims" + "fstar_pervasives" -> "prims" + "fstar_pervasives" -> "prims" + "fstar_pervasives" -> "fstar_pervasives" + "rust_primitives_hax" -> "fstar_list_tot" + "rust_primitives_hax" -> "fstar_list_tot" + "rust_primitives_hax" -> "lib_inttypes" + "rust_primitives_hax" -> "lib_inttypes" + "rust_primitives_hax" -> "core_slice" + "rust_primitives_hax" -> "fstar_tactics_typeclasses" + "rust_primitives_hax" -> "fstar_tactics_typeclasses" + "rust_primitives_hax" -> "core_ops_index" + "rust_primitives_hax" -> "core_ops_index" + "rust_primitives_hax" -> "fstar_seq" + "rust_primitives_hax" -> "fstar_seq" + "rust_primitives_hax" -> "rust_primitives_arrays" + "rust_primitives_hax" -> "rust_primitives_arrays" + "rust_primitives_hax" -> "rust_primitives_integers" + "rust_primitives_hax" -> "rust_primitives_integers" + "rust_primitives_hax" -> "fstar_pervasives" + "rust_primitives_hax" -> "fstar_pervasives" + "rust_primitives_hax" -> "prims" + "rust_primitives_hax" -> "prims" + "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake256" -> "core" + "libcrux_ml_dsa_hash_functions_shake256" -> "core" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake256" -> "prims" + "libcrux_ml_dsa_hash_functions_shake256" -> "prims" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "prims" + "fstar_set" -> "prims" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "prims" + "fstar_squash" -> "prims" + 
"libcrux_ml_dsa_simd_traits" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_traits" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_traits" -> "fstar_list_tot" + "libcrux_ml_dsa_simd_traits" -> "fstar_list_tot" + "libcrux_ml_dsa_simd_traits" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_traits" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_traits" -> "fstar_uint64" + "libcrux_ml_dsa_simd_traits" -> "fstar_uint64" + "libcrux_ml_dsa_simd_traits" -> "fstar_int32" + "libcrux_ml_dsa_simd_traits" -> "fstar_int32" + "libcrux_ml_dsa_simd_traits" -> "core_clone" + "libcrux_ml_dsa_simd_traits" -> "core_clone" + "libcrux_ml_dsa_simd_traits" -> "core_marker" + "libcrux_ml_dsa_simd_traits" -> "core_marker" + "libcrux_ml_dsa_simd_traits" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_traits" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_traits" -> "fstar_mul" + "libcrux_ml_dsa_simd_traits" -> "fstar_mul" + "libcrux_ml_dsa_simd_traits" -> "core" + "libcrux_ml_dsa_simd_traits" -> "core" + "libcrux_ml_dsa_simd_traits" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_traits" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_traits" -> "prims" + "libcrux_ml_dsa_simd_traits" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_ml_dsa_65__neon" + "libcrux_ml_dsa_encoding_t0" -> "core_ops_range" + "libcrux_ml_dsa_encoding_t0" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_t0" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_constants" + 
"libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_adapters_enumerate" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_adapters_enumerate" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_t0" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_t0" -> "core_option" + "libcrux_ml_dsa_encoding_t0" -> "core_option" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_t0" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t0" -> "core_slice" + "libcrux_ml_dsa_encoding_t0" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_t0" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t0" -> "core" + "libcrux_ml_dsa_encoding_t0" -> "core" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t0" -> "prims" + "libcrux_ml_dsa_encoding_t0" -> "prims" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_encoding_t0" + "fstar_heap" -> "fstar_preorder" + "fstar_heap" -> 
"fstar_preorder" + "fstar_heap" -> "fstar_monotonic_heap" + "fstar_heap" -> "fstar_monotonic_heap" + "fstar_heap" -> "fstar_pervasives" + "fstar_heap" -> "fstar_pervasives" + "fstar_heap" -> "prims" + "fstar_heap" -> "prims" + "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" + "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" + "fstar_reflection_v1_compare" -> "fstar_pervasives" + "fstar_reflection_v1_compare" -> "fstar_pervasives" + "fstar_reflection_v1_compare" -> "prims" + "fstar_reflection_v1_compare" -> "prims" + "fstar_issue" -> "fstar_stubs_pprint" + "fstar_issue" -> "fstar_range" + "fstar_issue" -> "fstar_pervasives" + "fstar_issue" -> "fstar_pervasives" + "fstar_issue" -> "prims" + "fstar_issue" -> "prims" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "prims" + "fstar_monotonic_witnessed" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_platform_platform" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "prims" + "fstar_ghost" -> "prims" + "fstar_ghost" -> "fstar_ghost" + "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" + 
"fstar_reflection_v1_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v1_derived_lemmas" -> "prims" + "fstar_reflection_v1_derived_lemmas" -> "prims" + "fstar_stubs_errors_msg" -> "fstar_stubs_pprint" + "fstar_stubs_errors_msg" -> "fstar_pervasives" + "fstar_stubs_errors_msg" -> "fstar_pervasives" + "fstar_stubs_errors_msg" -> "prims" + "fstar_stubs_errors_msg" -> "prims" + "fstar_string" -> "fstar_all" + "fstar_string" -> "fstar_all" + "fstar_string" -> "fstar_list" + "fstar_string" -> "fstar_list" + "fstar_string" -> "fstar_char" + "fstar_string" -> "fstar_list_tot" + "fstar_string" -> "fstar_list_tot" + "fstar_string" -> "fstar_pervasives" + "fstar_string" -> "fstar_pervasives" + "fstar_string" -> "prims" + "fstar_string" -> "prims" + "spec_sha3" -> "fstar_pervasives_native" + "spec_sha3" -> "fstar_pervasives_native" + "spec_sha3" -> "spec_sha3_constants" + "spec_sha3" -> "spec_sha3_constants" + "spec_sha3" -> "lib_loopcombinators" + "spec_sha3" -> "lib_loopcombinators" + "spec_sha3" -> "fstar_mul" + "spec_sha3" -> "fstar_mul" + "spec_sha3" -> "lib_bytesequence" + "spec_sha3" -> "lib_bytesequence" + "spec_sha3" -> "lib_sequence" + "spec_sha3" -> "lib_sequence" + "spec_sha3" -> "lib_inttypes" + "spec_sha3" -> 
"lib_inttypes" + "spec_sha3" -> "fstar_pervasives" + "spec_sha3" -> "fstar_pervasives" + "spec_sha3" -> "prims" + "spec_sha3" -> "prims" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_avx2_x4" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_portable_incremental" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_simd256" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_simd256" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_simd256" -> "libcrux_sha3_avx2_x4_incremental" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_simd256" -> "core" + "libcrux_ml_dsa_hash_functions_simd256" -> "core" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_simd256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_simd256" -> "prims" + "libcrux_ml_dsa_hash_functions_simd256" -> "prims" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" + 
"libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_portable_sample" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "prims" + "fstar_calc" -> "fstar_classical" + "fstar_calc" -> "fstar_classical" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_squash" + "fstar_calc" -> "fstar_squash" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "prims" + "fstar_calc" -> "prims" + "fstar_calc" -> "fstar_calc" + "spec_utils" -> "rust_primitives_integers" + "spec_utils" -> "rust_primitives_integers" + "spec_utils" -> "fstar_calc" + "spec_utils" -> "fstar_calc" + "spec_utils" -> "fstar_int32" + "spec_utils" -> "fstar_int32" + "spec_utils" -> "fstar_int16" + "spec_utils" -> "fstar_int16" + "spec_utils" -> "fstar_math_lemmas" + "spec_utils" -> "fstar_math_lemmas" + "spec_utils" -> "fstar_classical_sugar" + "spec_utils" -> "fstar_classical_sugar" + "spec_utils" -> "rust_primitives_hax_monomorphized_update_at" + "spec_utils" -> "rust_primitives_hax_monomorphized_update_at" + "spec_utils" -> "core_ops_range" + "spec_utils" -> "lib_inttypes" + "spec_utils" -> "lib_inttypes" + "spec_utils" -> 
"lib_rawinttypes" + "spec_utils" -> "lib_rawinttypes" + "spec_utils" -> "spec_sha3" + "spec_utils" -> "spec_sha3" + "spec_utils" -> "fstar_list_tot" + "spec_utils" -> "fstar_list_tot" + "spec_utils" -> "rust_primitives_hax" + "spec_utils" -> "rust_primitives_hax" + "spec_utils" -> "lib_loopcombinators" + "spec_utils" -> "lib_loopcombinators" + "spec_utils" -> "fstar_seq" + "spec_utils" -> "fstar_seq" + "spec_utils" -> "core" + "spec_utils" -> "core" + "spec_utils" -> "fstar_mul" + "spec_utils" -> "fstar_mul" + "spec_utils" -> "fstar_pervasives" + "spec_utils" -> "fstar_pervasives" + "spec_utils" -> "prims" + "spec_utils" -> "prims" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_num" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core_ops_arith_neg" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives" + 
"libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "prims" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "prims" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_ml_dsa_simd_avx2_arithmetic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_simd256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> 
"prims" + "fstar_stubs_reflection_types" -> "fstar_sealed" + "fstar_stubs_reflection_types" -> "fstar_range" + "fstar_stubs_reflection_types" -> "fstar_pervasives" + "fstar_stubs_reflection_types" -> "fstar_pervasives" + "fstar_stubs_reflection_types" -> "prims" + "fstar_stubs_reflection_types" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "prims" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_mul" + "lib_inttypes" -> "fstar_mul" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "prims" + "lib_inttypes" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t0" 
-> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t0" -> "prims" + "core_iter_traits_collect" -> "core_iter_traits_iterator" + "core_iter_traits_collect" -> "core_iter_traits_iterator" + "core_iter_traits_collect" -> "fstar_tactics_typeclasses" + "core_iter_traits_collect" -> "fstar_tactics_typeclasses" + "core_iter_traits_collect" -> "fstar_pervasives" + "core_iter_traits_collect" -> "fstar_pervasives" + "core_iter_traits_collect" -> "prims" + "core_iter_traits_collect" -> "prims" + "libcrux_ml_dsa_encoding_signature" -> "core_convert" + "libcrux_ml_dsa_encoding_signature" -> "core_convert" + "libcrux_ml_dsa_encoding_signature" -> "core_array" + "libcrux_ml_dsa_encoding_signature" -> "core_array" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_encoding_signature" -> "core_result" + "libcrux_ml_dsa_encoding_signature" -> "core_result" + "libcrux_ml_dsa_encoding_signature" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_signature" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives" + "libcrux_ml_dsa_encoding_signature" -> "fstar_int32" + "libcrux_ml_dsa_encoding_signature" -> "fstar_int32" + 
"libcrux_ml_dsa_encoding_signature" -> "core_ops_range" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_signature" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signature" -> "core_slice" + "libcrux_ml_dsa_encoding_signature" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signature" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signature" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signature" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signature" -> "core" + "libcrux_ml_dsa_encoding_signature" -> "core" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signature" -> "prims" + "libcrux_ml_dsa_encoding_signature" -> "prims" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_encoding_signature" + "hax_lib" -> "fstar_tactics" + "hax_lib" -> "fstar_tactics" + "hax_lib" -> "fstar_pervasives" + "hax_lib" -> "fstar_pervasives" + "hax_lib" -> "prims" + "hax_lib" -> "prims" + "libcrux_ml_dsa_utils" -> "core_ops_range" + "libcrux_ml_dsa_utils" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_utils" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_utils" -> "fstar_uint8" + "libcrux_ml_dsa_utils" -> "fstar_uint8" + 
"libcrux_ml_dsa_utils" -> "rust_primitives_hax" + "libcrux_ml_dsa_utils" -> "rust_primitives_hax" + "libcrux_ml_dsa_utils" -> "core_slice" + "libcrux_ml_dsa_utils" -> "hax_lib" + "libcrux_ml_dsa_utils" -> "hax_lib" + "libcrux_ml_dsa_utils" -> "fstar_mul" + "libcrux_ml_dsa_utils" -> "fstar_mul" + "libcrux_ml_dsa_utils" -> "core" + "libcrux_ml_dsa_utils" -> "core" + "libcrux_ml_dsa_utils" -> "fstar_pervasives" + "libcrux_ml_dsa_utils" -> "fstar_pervasives" + "libcrux_ml_dsa_utils" -> "prims" + "libcrux_ml_dsa_utils" -> "prims" + "libcrux_ml_dsa_utils" -> "libcrux_ml_dsa_utils" + "fstar_math_lemmas" -> "fstar_calc" + "fstar_math_lemmas" -> "fstar_calc" + "fstar_math_lemmas" -> "fstar_math_lib" + "fstar_math_lemmas" -> "fstar_math_lib" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "prims" + "fstar_math_lemmas" -> "prims" + "fstar_math_lemmas" -> "fstar_math_lemmas" + "fstar_calc" -> "fstar_range" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "prims" + "fstar_calc" -> "prims" + "fstar_bitvector" -> "fstar_seq_base" + "fstar_bitvector" -> "fstar_seq_base" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "prims" + "fstar_bitvector" -> "prims" + "fstar_tactics_util" -> "fstar_pervasives_native" + "fstar_tactics_util" -> "fstar_pervasives_native" + "fstar_tactics_util" -> "fstar_list_tot_base" + "fstar_tactics_util" -> "fstar_list_tot_base" + "fstar_tactics_util" -> "fstar_tactics_effect" + "fstar_tactics_util" -> "fstar_tactics_effect" + "fstar_tactics_util" -> "fstar_pervasives" + "fstar_tactics_util" -> "fstar_pervasives" + "fstar_tactics_util" -> "prims" + "fstar_tactics_util" -> "prims" + 
"core_ops_arith" -> "fstar_tactics_typeclasses" + "core_ops_arith" -> "fstar_tactics_typeclasses" + "core_ops_arith" -> "rust_primitives" + "core_ops_arith" -> "rust_primitives" + "core_ops_arith" -> "fstar_pervasives" + "core_ops_arith" -> "fstar_pervasives" + "core_ops_arith" -> "prims" + "core_ops_arith" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "prims" + "fstar_order" -> "fstar_pervasives_native" + "fstar_order" -> "fstar_pervasives_native" + "fstar_order" -> "fstar_pervasives" + "fstar_order" -> "fstar_pervasives" + "fstar_order" -> "prims" + "fstar_order" -> "prims" + "fstar_tactics_smt" -> "fstar_vconfig" + "fstar_tactics_smt" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "prims" + "fstar_tactics_smt" -> "prims" + "fstar_tactics_smt" -> "fstar_tactics_smt" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_seq" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_seq" + "rust_primitives_hax_monomorphized_update_at" -> "core_ops_range" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + 
"rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "core_core_arch_arm_shared_neon" -> "fstar_pervasives" + "core_core_arch_arm_shared_neon" -> "fstar_pervasives" + "core_core_arch_arm_shared_neon" -> "prims" + "core_core_arch_arm_shared_neon" -> "prims" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "prims" + "fstar_tactics_smt" -> "prims" + "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_v2_data" + "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v2_builtins" -> "fstar_vconfig" + "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_syntax_syntax" + "fstar_stubs_reflection_v2_builtins" -> "fstar_order" + "fstar_stubs_reflection_v2_builtins" -> "fstar_order" + "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_builtins" -> "prims" + "fstar_stubs_reflection_v2_builtins" -> "prims" + "fstar_tactics_names" -> "fstar_tactics_effect" + "fstar_tactics_names" -> "fstar_tactics_effect" + "fstar_tactics_names" -> "fstar_stubs_reflection_types" + "fstar_tactics_names" -> "fstar_pervasives" + "fstar_tactics_names" -> "fstar_pervasives" + "fstar_tactics_names" -> "prims" + "fstar_tactics_names" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_array" + 
"libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int16" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int16" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" + 
"libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" + "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "prims" + "fstar_list_tot_properties" -> "prims" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" + "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" + "libcrux_sha3_avx2_x4" -> "fstar_mul" + "libcrux_sha3_avx2_x4" -> "fstar_mul" + "libcrux_sha3_avx2_x4" -> "core" + "libcrux_sha3_avx2_x4" -> "core" + "libcrux_sha3_avx2_x4" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4" -> "prims" + "libcrux_sha3_avx2_x4" -> "prims" + "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_mul" + 
"libcrux_ml_dsa_hash_functions_shake128" -> "core" + "libcrux_ml_dsa_hash_functions_shake128" -> "core" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake128" -> "prims" + "libcrux_ml_dsa_hash_functions_shake128" -> "prims" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "fstar_mul" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "core" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "fstar_pervasives" + "libcrux_sha3_portable" -> "prims" + "libcrux_sha3_portable" -> "prims" + "libcrux_sha3_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "prims" + "fstar_reflection_termeq" -> "fstar_classical_sugar" + "fstar_reflection_termeq" -> "fstar_classical_sugar" + "fstar_reflection_termeq" -> "fstar_sealed" + "fstar_reflection_termeq" -> "fstar_pervasives_native" + "fstar_reflection_termeq" -> "fstar_pervasives_native" + "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" + "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> 
"fstar_stubs_reflection_v2_builtins" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "prims" + "fstar_reflection_termeq" -> "prims" + "fstar_reflection_termeq" -> "fstar_reflection_termeq" + "rust_primitives_hax_folds" -> "fstar_math_lemmas" + "rust_primitives_hax_folds" -> "fstar_math_lemmas" + "rust_primitives_hax_folds" -> "lib_inttypes" + "rust_primitives_hax_folds" -> "lib_inttypes" + "rust_primitives_hax_folds" -> "fstar_seq" + "rust_primitives_hax_folds" -> "fstar_seq" + "rust_primitives_hax_folds" -> "fstar_mul" + "rust_primitives_hax_folds" -> "fstar_mul" + "rust_primitives_hax_folds" -> "core_ops_range" + "rust_primitives_hax_folds" -> "rust_primitives" + "rust_primitives_hax_folds" -> "rust_primitives" + "rust_primitives_hax_folds" -> "fstar_pervasives" + "rust_primitives_hax_folds" -> "fstar_pervasives" + "rust_primitives_hax_folds" -> "prims" + "rust_primitives_hax_folds" -> "prims" + "libcrux_ml_dsa_encoding_signing_key" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_signing_key" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_signing_key" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_signing_key" -> "core_ops_range" + "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_signing_key" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_signing_key" -> 
"rust_primitives_hax" + "libcrux_ml_dsa_encoding_signing_key" -> "core_convert" + "libcrux_ml_dsa_encoding_signing_key" -> "core_convert" + "libcrux_ml_dsa_encoding_signing_key" -> "core_array" + "libcrux_ml_dsa_encoding_signing_key" -> "core_array" + "libcrux_ml_dsa_encoding_signing_key" -> "core_result" + "libcrux_ml_dsa_encoding_signing_key" -> "core_result" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_t0" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_t0" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_error" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_error" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_signing_key" -> "core_slice" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signing_key" -> "core" + "libcrux_ml_dsa_encoding_signing_key" -> "core" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signing_key" -> "prims" + 
"libcrux_ml_dsa_encoding_signing_key" -> "prims" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_encoding_signing_key" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable_encoding_t0" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "prims" + "libcrux_ml_dsa_simd_portable_vector_type" -> "prims" + "core_iter_adapters_step_by" -> "rust_primitives" + "core_iter_adapters_step_by" -> "rust_primitives" + "core_iter_adapters_step_by" -> "fstar_pervasives" + "core_iter_adapters_step_by" -> "fstar_pervasives" + "core_iter_adapters_step_by" -> "prims" + "core_iter_adapters_step_by" -> "prims" + "libcrux_ml_dsa_simd_portable_sample" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_portable_sample" -> "core_slice" + "libcrux_ml_dsa_simd_portable_sample" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable_sample" -> "core_slice_iter" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_sample" -> "core_iter_traits_collect" + "libcrux_ml_dsa_simd_portable_sample" -> "core_iter_traits_iterator" 
+ "libcrux_ml_dsa_simd_portable_sample" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_sample" -> "core" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_sample" -> "prims" + "libcrux_ml_dsa_simd_portable_sample" -> "libcrux_ml_dsa_simd_portable_sample" + "fstar_stubs_tactics_types" -> "fstar_issue" + "fstar_stubs_tactics_types" -> "fstar_range" + "fstar_stubs_tactics_types" -> "fstar_stubs_typechecker_core" + "fstar_stubs_tactics_types" -> "fstar_stubs_tactics_common" + "fstar_stubs_tactics_types" -> "fstar_stubs_reflection_types" + "fstar_stubs_tactics_types" -> "fstar_pervasives" + "fstar_stubs_tactics_types" -> "fstar_pervasives" + "fstar_stubs_tactics_types" -> "prims" + "fstar_stubs_tactics_types" -> "prims" + "libcrux_ml_dsa_samplex4" -> "fstar_uint16" + "libcrux_ml_dsa_samplex4" -> "fstar_uint16" + "libcrux_ml_dsa_samplex4" -> "core_panicking" + "libcrux_ml_dsa_samplex4" -> "core_panicking" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives_native" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives_native" + "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_samplex4" -> "fstar_uint8" + "libcrux_ml_dsa_samplex4" -> "fstar_uint8" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax" + "libcrux_ml_dsa_samplex4" -> "rust_primitives_hax" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_samplex4" -> "fstar_int32" + "libcrux_ml_dsa_samplex4" -> "fstar_int32" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" + 
"libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_samplex4" -> "fstar_mul" + "libcrux_ml_dsa_samplex4" -> "fstar_mul" + "libcrux_ml_dsa_samplex4" -> "core" + "libcrux_ml_dsa_samplex4" -> "core" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives" + "libcrux_ml_dsa_samplex4" -> "prims" + "libcrux_ml_dsa_samplex4" -> "prims" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_samplex4" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "core" + 
"libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "prims" + "libcrux_ml_dsa_simd_avx2_vector_type" -> "prims" + "fstar_stubs_tactics_result" -> "fstar_stubs_tactics_types" + "fstar_stubs_tactics_result" -> "fstar_pervasives" + "fstar_stubs_tactics_result" -> "fstar_pervasives" + "fstar_stubs_tactics_result" -> "prims" + "fstar_stubs_tactics_result" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "prims" + "libcrux_ml_dsa_constants" -> "fstar_int32" + "libcrux_ml_dsa_constants" -> "fstar_int32" + "libcrux_ml_dsa_constants" -> "fstar_mul" + "libcrux_ml_dsa_constants" -> "fstar_mul" + 
"libcrux_ml_dsa_constants" -> "core" + "libcrux_ml_dsa_constants" -> "core" + "libcrux_ml_dsa_constants" -> "fstar_pervasives" + "libcrux_ml_dsa_constants" -> "fstar_pervasives" + "libcrux_ml_dsa_constants" -> "prims" + "libcrux_ml_dsa_constants" -> "prims" + "fstar_int32" -> "fstar_uint" + "fstar_int32" -> "fstar_uint" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "prims" + "fstar_int32" -> "prims" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "prims" + "fstar_int" -> "prims" + "libcrux_ml_dsa_matrix" -> "fstar_int32" + "libcrux_ml_dsa_matrix" -> "fstar_int32" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_matrix" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_matrix" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_matrix" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_matrix" -> "rust_primitives_hax" + "libcrux_ml_dsa_matrix" -> "rust_primitives_hax" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_matrix" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_matrix" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_simd_traits" + 
"libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_matrix" -> "fstar_mul" + "libcrux_ml_dsa_matrix" -> "fstar_mul" + "libcrux_ml_dsa_matrix" -> "core" + "libcrux_ml_dsa_matrix" -> "core" + "libcrux_ml_dsa_matrix" -> "fstar_pervasives" + "libcrux_ml_dsa_matrix" -> "fstar_pervasives" + "libcrux_ml_dsa_matrix" -> "prims" + "libcrux_ml_dsa_matrix" -> "prims" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_matrix" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_ml_dsa_44__neon" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "prims" + "fstar_uint16" -> "prims" + "fstar_tactics_print" -> "fstar_tactics_namedview" + "fstar_tactics_print" -> "fstar_tactics_namedview" + "fstar_tactics_print" -> "fstar_tactics_v2_derived" + "fstar_tactics_print" -> "fstar_tactics_v2_derived" + "fstar_tactics_print" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_print" -> "fstar_tactics_effect" + "fstar_tactics_print" -> 
"fstar_tactics_effect" + "fstar_tactics_print" -> "fstar_reflection_v2" + "fstar_tactics_print" -> "fstar_reflection_v2" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "prims" + "fstar_tactics_print" -> "prims" + "fstar_tactics_print" -> "fstar_tactics_print" + "lib_inttypes" -> "fstar_bitvector" + "lib_inttypes" -> "fstar_bitvector" + "lib_inttypes" -> "fstar_seq" + "lib_inttypes" -> "fstar_seq" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_pervasives_native" + "lib_inttypes" -> "fstar_pervasives_native" + "lib_inttypes" -> "fstar_int_cast_full" + "lib_inttypes" -> "fstar_int_cast_full" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int_cast" + "lib_inttypes" -> "fstar_int_cast" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_math_lemmas" + "lib_inttypes" -> "fstar_math_lemmas" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "prims" + "lib_inttypes" -> "prims" + "lib_inttypes" -> "lib_inttypes" + "rust_primitives_bitvectors" -> "fstar_uint8" + "rust_primitives_bitvectors" -> "fstar_uint8" + "rust_primitives_bitvectors" -> "fstar_uint16" + "rust_primitives_bitvectors" -> "fstar_uint16" + 
"rust_primitives_bitvectors" -> "fstar_uint32" + "rust_primitives_bitvectors" -> "fstar_uint32" + "rust_primitives_bitvectors" -> "fstar_int16" + "rust_primitives_bitvectors" -> "fstar_int16" + "rust_primitives_bitvectors" -> "fstar_int32" + "rust_primitives_bitvectors" -> "fstar_int32" + "rust_primitives_bitvectors" -> "fstar_seq" + "rust_primitives_bitvectors" -> "fstar_seq" + "rust_primitives_bitvectors" -> "fstar_functionalextensionality" + "rust_primitives_bitvectors" -> "fstar_functionalextensionality" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "prims" + "fstar_monotonic_witnessed" -> "fstar_classical" + "fstar_monotonic_witnessed" -> "fstar_classical" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "prims" + "fstar_monotonic_witnessed" -> "prims" + "fstar_monotonic_witnessed" -> "fstar_monotonic_witnessed" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__neon" -> "prims" + "fstar_classical" -> "fstar_squash" + "fstar_classical" -> "fstar_squash" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "prims" + 
"fstar_classical" -> "prims" + "fstar_classical" -> "fstar_classical" + "fstar_stubs_typechecker_core" -> "fstar_pervasives" + "fstar_stubs_typechecker_core" -> "fstar_pervasives" + "fstar_stubs_typechecker_core" -> "prims" + "fstar_stubs_typechecker_core" -> "prims" + "fstar_reflection_v1_formula" -> "fstar_pervasives_native" + "fstar_reflection_v1_formula" -> "fstar_pervasives_native" + "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1_formula" -> "fstar_reflection_const" + "fstar_reflection_v1_formula" -> "fstar_reflection_const" + "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1_formula" -> "fstar_stubs_tactics_v1_builtins" + "fstar_reflection_v1_formula" -> "fstar_tactics_effect" + "fstar_reflection_v1_formula" -> "fstar_tactics_effect" + "fstar_reflection_v1_formula" -> "fstar_list_tot_base" + "fstar_reflection_v1_formula" -> "fstar_list_tot_base" + "fstar_reflection_v1_formula" -> "fstar_pervasives" + "fstar_reflection_v1_formula" -> "fstar_pervasives" + "fstar_reflection_v1_formula" -> "prims" + "fstar_reflection_v1_formula" -> "prims" + "fstar_strongexcludedmiddle" -> "fstar_pervasives" + "fstar_strongexcludedmiddle" -> "fstar_pervasives" + "fstar_strongexcludedmiddle" -> "prims" + "fstar_strongexcludedmiddle" -> "prims" + "fstar_tactics_effect" -> "fstar_range" + "fstar_tactics_effect" -> "fstar_stubs_tactics_result" + "fstar_tactics_effect" -> "fstar_stubs_tactics_types" + "fstar_tactics_effect" -> "fstar_stubs_reflection_types" + "fstar_tactics_effect" -> "fstar_monotonic_pure" + "fstar_tactics_effect" -> "fstar_monotonic_pure" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "prims" + "fstar_tactics_effect" 
-> "prims" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_encoding_signing_key" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signing_key" -> "core" + "libcrux_ml_dsa_encoding_signing_key" -> "core" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signing_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signing_key" -> "prims" + "libcrux_ml_dsa_encoding_signing_key" -> "prims" + "fstar_tactics_print" -> "fstar_tactics_effect" + "fstar_tactics_print" -> "fstar_tactics_effect" + "fstar_tactics_print" -> "fstar_stubs_reflection_v2_data" + "fstar_tactics_print" -> "fstar_stubs_reflection_types" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "prims" + "fstar_tactics_print" -> "prims" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_ntt" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_ntt" -> 
"libcrux_ml_dsa_simd_avx2_arithmetic" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_avx2_arithmetic" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core" + "libcrux_ml_dsa_simd_avx2_ntt" -> "core" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" + "libcrux_ml_dsa_simd_avx2_ntt" -> "prims" + "libcrux_ml_dsa_simd_avx2_ntt" -> "libcrux_ml_dsa_simd_avx2_ntt" + "fstar_tactics_bv" -> "fstar_tactics_bv_lemmas" + "fstar_tactics_bv" -> "fstar_tactics_bv_lemmas" + "fstar_tactics_bv" -> "fstar_tactics_effect" + "fstar_tactics_bv" -> "fstar_tactics_effect" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "prims" + "fstar_tactics_bv" -> "prims" + "fstar_stubs_syntax_syntax" -> "fstar_stubs_reflection_types" + "fstar_stubs_syntax_syntax" -> "fstar_pervasives" + "fstar_stubs_syntax_syntax" -> "fstar_pervasives" + "fstar_stubs_syntax_syntax" -> "prims" + "fstar_stubs_syntax_syntax" -> "prims" + "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_polynomial" -> "fstar_mul" + "libcrux_ml_dsa_polynomial" -> "fstar_mul" + "libcrux_ml_dsa_polynomial" -> "core" + "libcrux_ml_dsa_polynomial" -> "core" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives" + "libcrux_ml_dsa_polynomial" -> "prims" + "libcrux_ml_dsa_polynomial" -> "prims" + 
"core_fmt_rt" -> "fstar_pervasives" + "core_fmt_rt" -> "fstar_pervasives" + "core_fmt_rt" -> "prims" + "core_fmt_rt" -> "prims" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_types" -> "fstar_mul" + "libcrux_ml_dsa_types" -> "fstar_mul" + "libcrux_ml_dsa_types" -> "core" + "libcrux_ml_dsa_types" -> "core" + "libcrux_ml_dsa_types" -> "fstar_pervasives" + "libcrux_ml_dsa_types" -> "fstar_pervasives" + "libcrux_ml_dsa_types" -> "prims" + "libcrux_ml_dsa_types" -> "prims" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_types" + "lib_bytesequence" -> "fstar_pervasives_native" + "lib_bytesequence" -> "fstar_pervasives_native" + "lib_bytesequence" -> "fstar_calc" + "lib_bytesequence" -> "fstar_calc" + "lib_bytesequence" -> "fstar_math_lemmas" + "lib_bytesequence" -> "fstar_math_lemmas" + "lib_bytesequence" -> "fstar_classical" + "lib_bytesequence" -> "fstar_classical" + "lib_bytesequence" -> "fstar_uint8" + "lib_bytesequence" -> "fstar_uint8" + "lib_bytesequence" -> "fstar_seq" + "lib_bytesequence" -> "fstar_seq" + "lib_bytesequence" -> "lib_loopcombinators" + "lib_bytesequence" -> "lib_loopcombinators" + "lib_bytesequence" -> "lib_rawinttypes" + "lib_bytesequence" -> "lib_rawinttypes" + "lib_bytesequence" -> "lib_sequence" + "lib_bytesequence" -> "lib_sequence" + "lib_bytesequence" -> "lib_inttypes" + "lib_bytesequence" -> "lib_inttypes" + "lib_bytesequence" -> "fstar_mul" + "lib_bytesequence" -> "fstar_mul" + "lib_bytesequence" -> "fstar_pervasives" + "lib_bytesequence" -> "fstar_pervasives" + "lib_bytesequence" -> "prims" + "lib_bytesequence" -> "prims" + "lib_bytesequence" -> "lib_bytesequence" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> 
"prims" + "fstar_uint64" -> "prims" + "fstar_uint64" -> "fstar_uint64" + "spec_sha3_constants" -> "fstar_uint64" + "spec_sha3_constants" -> "fstar_uint64" + "spec_sha3_constants" -> "fstar_list_tot" + "spec_sha3_constants" -> "fstar_list_tot" + "spec_sha3_constants" -> "fstar_uint32" + "spec_sha3_constants" -> "fstar_uint32" + "spec_sha3_constants" -> "lib_sequence" + "spec_sha3_constants" -> "lib_sequence" + "spec_sha3_constants" -> "lib_inttypes" + "spec_sha3_constants" -> "lib_inttypes" + "spec_sha3_constants" -> "fstar_pervasives" + "spec_sha3_constants" -> "fstar_pervasives" + "spec_sha3_constants" -> "prims" + "spec_sha3_constants" -> "prims" + "libcrux_ml_dsa_pre_hash" -> "rust_primitives_hax" + "libcrux_ml_dsa_pre_hash" -> "rust_primitives_hax" + "libcrux_ml_dsa_pre_hash" -> "fstar_list_tot" + "libcrux_ml_dsa_pre_hash" -> "fstar_list_tot" + "libcrux_ml_dsa_pre_hash" -> "fstar_uint8" + "libcrux_ml_dsa_pre_hash" -> "fstar_uint8" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_pre_hash" -> "core_convert" + "libcrux_ml_dsa_pre_hash" -> "core_convert" + "libcrux_ml_dsa_pre_hash" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_pre_hash" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_pre_hash" -> "core_result" + "libcrux_ml_dsa_pre_hash" -> "core_result" + "libcrux_ml_dsa_pre_hash" -> "core_option" + "libcrux_ml_dsa_pre_hash" -> "core_option" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_pre_hash" -> "fstar_mul" + "libcrux_ml_dsa_pre_hash" -> "fstar_mul" + "libcrux_ml_dsa_pre_hash" -> "core" + "libcrux_ml_dsa_pre_hash" -> "core" + "libcrux_ml_dsa_pre_hash" -> "fstar_pervasives" + "libcrux_ml_dsa_pre_hash" -> "fstar_pervasives" + 
"libcrux_ml_dsa_pre_hash" -> "prims" + "libcrux_ml_dsa_pre_hash" -> "prims" + "fstar_tactics_v1" -> "fstar_tactics_smt" + "fstar_tactics_v1" -> "fstar_tactics_smt" + "fstar_tactics_v1" -> "fstar_tactics_visit" + "fstar_tactics_v1" -> "fstar_tactics_visit" + "fstar_tactics_v1" -> "fstar_tactics_print" + "fstar_tactics_v1" -> "fstar_tactics_print" + "fstar_tactics_v1" -> "fstar_tactics_util" + "fstar_tactics_v1" -> "fstar_tactics_util" + "fstar_tactics_v1" -> "fstar_tactics_v1_logic" + "fstar_tactics_v1" -> "fstar_tactics_v1_logic" + "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1" -> "fstar_tactics_effect" + "fstar_tactics_v1" -> "fstar_tactics_effect" + "fstar_tactics_v1" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1" -> "fstar_reflection_v1_compare" + "fstar_tactics_v1" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1" -> "fstar_reflection_v1_derived" + "fstar_tactics_v1" -> "fstar_reflection_v1_derived" + "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_builtins" + "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_data" + "fstar_tactics_v1" -> "fstar_reflection_const" + "fstar_tactics_v1" -> "fstar_reflection_const" + "fstar_tactics_v1" -> "fstar_stubs_reflection_types" + "fstar_tactics_v1" -> "fstar_pervasives" + "fstar_tactics_v1" -> "fstar_pervasives" + "fstar_tactics_v1" -> "prims" + "fstar_tactics_v1" -> "prims" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_ntt" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_ntt" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t1" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t1" + "libcrux_ml_dsa_simd_portable" -> 
"libcrux_ml_dsa_simd_portable_encoding_t0" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_t0" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_error" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_error" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_gamma1" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_encoding_gamma1" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_sample" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_sample" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_arithmetic" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_arithmetic" + "libcrux_ml_dsa_simd_portable" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable" -> "core" + "libcrux_ml_dsa_simd_portable" -> "core" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable" -> "prims" + "libcrux_ml_dsa_simd_portable" -> "prims" + 
"libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_error" -> "prims" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "prims" + "fstar_seq_base" -> "prims" + "fstar_seq_base" -> "fstar_seq_base" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_math_lemmas" + "fstar_int8" -> "fstar_math_lemmas" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "prims" + "fstar_int8" -> "prims" + "fstar_int8" -> "fstar_int8" + "bitvec_utils" -> "fstar_list_tot" + "bitvec_utils" -> "fstar_list_tot" + "bitvec_utils" -> "rust_primitives_bitvectors" + "bitvec_utils" -> "rust_primitives_bitvectors" + "bitvec_utils" -> "bitvec_equality" + "bitvec_utils" -> "bitvec_equality" + "bitvec_utils" -> "fstar_functionalextensionality" + "bitvec_utils" -> "fstar_functionalextensionality" + "bitvec_utils" -> "core" + "bitvec_utils" -> "core" + "bitvec_utils" -> "fstar_pervasives" + "bitvec_utils" -> "fstar_pervasives" + "bitvec_utils" -> "prims" + "bitvec_utils" -> "prims" + 
"libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable_incremental" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_portable" -> "core" + "libcrux_ml_dsa_hash_functions_portable" -> "core" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_portable" -> "prims" + "libcrux_ml_dsa_hash_functions_portable" -> "prims" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_portable" + "core_clone" -> "fstar_tactics_typeclasses" + "core_clone" -> "fstar_tactics_typeclasses" + "core_clone" -> "fstar_pervasives" + "core_clone" -> "fstar_pervasives" + "core_clone" -> "prims" + "core_clone" -> "prims" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_ntt" -> "core" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_ntt" -> "prims" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_ntt" + "fstar_bv" -> "fstar_list" + "fstar_bv" -> "fstar_list" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "prims" + "fstar_bv" -> "prims" + "libcrux_ml_dsa_polynomial" -> "core_ops_range" + "libcrux_ml_dsa_polynomial" -> "fstar_int32" + "libcrux_ml_dsa_polynomial" -> "fstar_int32" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_polynomial" -> "core_option" + "libcrux_ml_dsa_polynomial" -> "core_option" + 
"libcrux_ml_dsa_polynomial" -> "fstar_pervasives_native" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives_native" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_polynomial" -> "core_slice_iter" + "libcrux_ml_dsa_polynomial" -> "core_slice_iter" + "libcrux_ml_dsa_polynomial" -> "core_slice" + "libcrux_ml_dsa_polynomial" -> "hax_lib" + "libcrux_ml_dsa_polynomial" -> "hax_lib" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax" + "libcrux_ml_dsa_polynomial" -> "rust_primitives_hax" + "libcrux_ml_dsa_polynomial" -> "core_array_iter" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_collect" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_collect" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_polynomial" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_polynomial" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_polynomial" -> "fstar_mul" + "libcrux_ml_dsa_polynomial" -> "fstar_mul" + "libcrux_ml_dsa_polynomial" -> "core" + "libcrux_ml_dsa_polynomial" -> "core" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives" + "libcrux_ml_dsa_polynomial" -> "fstar_pervasives" + "libcrux_ml_dsa_polynomial" -> "prims" + "libcrux_ml_dsa_polynomial" -> "prims" + "libcrux_ml_dsa_polynomial" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_types" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_types" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_types" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_types" -> "fstar_mul" + "libcrux_ml_dsa_types" -> "fstar_mul" + "libcrux_ml_dsa_types" -> "core" + "libcrux_ml_dsa_types" -> "core" + "libcrux_ml_dsa_types" -> 
"fstar_pervasives" + "libcrux_ml_dsa_types" -> "fstar_pervasives" + "libcrux_ml_dsa_types" -> "prims" + "libcrux_ml_dsa_types" -> "prims" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "core" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "prims" + "fstar_erasedlogic" -> "fstar_ghost" + "fstar_erasedlogic" -> "fstar_ghost" + "fstar_erasedlogic" -> "fstar_pervasives" + "fstar_erasedlogic" -> "fstar_pervasives" + "fstar_erasedlogic" -> "prims" + "fstar_erasedlogic" -> "prims" + "core_array" -> "rust_primitives" + "core_array" -> "rust_primitives" + "core_array" -> "fstar_pervasives" + "core_array" -> "fstar_pervasives" + "core_array" -> "prims" + "core_array" -> "prims" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "prims" + "fstar_math_lemmas" -> "prims" + "fstar_tactics_names" -> "fstar_tactics_visit" + "fstar_tactics_names" -> "fstar_tactics_visit" + "fstar_tactics_names" -> "fstar_stubs_reflection_v2_builtins" + "fstar_tactics_names" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_names" -> "fstar_tactics_effect" + "fstar_tactics_names" -> "fstar_tactics_effect" + "fstar_tactics_names" -> "fstar_tactics_namedview" + "fstar_tactics_names" -> "fstar_tactics_namedview" + "fstar_tactics_names" -> "fstar_pervasives" + "fstar_tactics_names" -> "fstar_pervasives" + "fstar_tactics_names" -> "prims" + "fstar_tactics_names" -> "prims" + "fstar_tactics_names" -> "fstar_tactics_names" + 
"fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_v2_syntaxhelpers" + "rust_primitives_integers" -> "fstar_int_cast" + "rust_primitives_integers" -> "fstar_int_cast" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "rust_primitives_integers" + "core_marker" -> "fstar_tactics_typeclasses" + "core_marker" -> "fstar_tactics_typeclasses" + "core_marker" -> "fstar_pervasives" + "core_marker" -> "fstar_pervasives" + "core_marker" -> "prims" + "core_marker" -> "prims" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + "libcrux_ml_dsa_simd_portable" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable" -> "core" + "libcrux_ml_dsa_simd_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable" -> "prims" + "libcrux_ml_dsa_simd_portable" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_encoding_verification_key" -> 
"fstar_uint8" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_verification_key" -> "core_convert" + "libcrux_ml_dsa_encoding_verification_key" -> "core_convert" + "libcrux_ml_dsa_encoding_verification_key" -> "core_array" + "libcrux_ml_dsa_encoding_verification_key" -> "core_array" + "libcrux_ml_dsa_encoding_verification_key" -> "core_result" + "libcrux_ml_dsa_encoding_verification_key" -> "core_result" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_verification_key" -> "core_ops_range" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_encoding_t1" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_encoding_t1" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_encoding_verification_key" -> "core_slice" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_verification_key" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_verification_key" -> 
"fstar_mul" + "libcrux_ml_dsa_encoding_verification_key" -> "core" + "libcrux_ml_dsa_encoding_verification_key" -> "core" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_verification_key" -> "prims" + "libcrux_ml_dsa_encoding_verification_key" -> "prims" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_encoding_verification_key" + "core_ops_control_flow" -> "fstar_pervasives" + "core_ops_control_flow" -> "fstar_pervasives" + "core_ops_control_flow" -> "prims" + "core_ops_control_flow" -> "prims" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "prims" + "fstar_uint32" -> "prims" + "fstar_uint32" -> "fstar_uint32" + "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v2_derived" -> "fstar_squash" + "fstar_tactics_v2_derived" -> "fstar_squash" + "fstar_tactics_v2_derived" -> "fstar_range" + "fstar_tactics_v2_derived" -> "fstar_pervasives_native" + "fstar_tactics_v2_derived" -> "fstar_pervasives_native" + "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_derived" -> "fstar_tactics_visit" + "fstar_tactics_v2_derived" -> "fstar_tactics_visit" + "fstar_tactics_v2_derived" -> "fstar_list_tot_base" + "fstar_tactics_v2_derived" -> "fstar_list_tot_base" + "fstar_tactics_v2_derived" -> "fstar_tactics_names" + "fstar_tactics_v2_derived" -> "fstar_tactics_names" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_derived" -> "fstar_tactics_namedview" + "fstar_tactics_v2_derived" -> 
"fstar_tactics_namedview" + "fstar_tactics_v2_derived" -> "fstar_vconfig" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2_derived" -> "fstar_tactics_util" + "fstar_tactics_v2_derived" -> "fstar_tactics_util" + "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_result" + "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2_derived" -> "fstar_tactics_effect" + "fstar_tactics_v2_derived" -> "fstar_tactics_effect" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2" + "fstar_tactics_v2_derived" -> "fstar_pervasives" + "fstar_tactics_v2_derived" -> "fstar_pervasives" + "fstar_tactics_v2_derived" -> "prims" + "fstar_tactics_v2_derived" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "prims" + "fstar_stubs_pprint" -> "fstar_float" + "fstar_stubs_pprint" -> "fstar_char" + "fstar_stubs_pprint" -> "fstar_pervasives" + "fstar_stubs_pprint" -> "fstar_pervasives" + "fstar_stubs_pprint" -> "prims" + "fstar_stubs_pprint" -> "prims" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> 
"fstar_stubs_reflection_v2_builtins" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "prims" + "fstar_reflection_termeq" -> "prims" + "fstar_st" -> "fstar_set" + "fstar_st" -> "fstar_set" + "fstar_st" -> "fstar_monotonic_witnessed" + "fstar_st" -> "fstar_monotonic_witnessed" + "fstar_st" -> "fstar_preorder" + "fstar_st" -> "fstar_preorder" + "fstar_st" -> "fstar_heap" + "fstar_st" -> "fstar_heap" + "fstar_st" -> "fstar_tset" + "fstar_st" -> "fstar_tset" + "fstar_st" -> "fstar_pervasives" + "fstar_st" -> "fstar_pervasives" + "fstar_st" -> "prims" + "fstar_st" -> "prims" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v1_syntaxhelpers" -> "prims" + "fstar_tactics_v1_syntaxhelpers" -> "prims" + "lib_rawinttypes" -> "fstar_uint128" + "lib_rawinttypes" -> "fstar_uint128" + "lib_rawinttypes" -> "fstar_uint64" + "lib_rawinttypes" -> "fstar_uint64" + "lib_rawinttypes" -> "fstar_uint32" + "lib_rawinttypes" -> "fstar_uint32" + "lib_rawinttypes" -> "fstar_uint16" + "lib_rawinttypes" -> "fstar_uint16" + "lib_rawinttypes" -> "fstar_uint8" + "lib_rawinttypes" -> "fstar_uint8" 
+ "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "fstar_pervasives" + "lib_rawinttypes" -> "fstar_pervasives" + "lib_rawinttypes" -> "prims" + "lib_rawinttypes" -> "prims" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "prims" + "fstar_uint8" -> "prims" + "fstar_uint8" -> "fstar_uint8" + "libcrux_sha3_traits" -> "fstar_tactics_typeclasses" + "libcrux_sha3_traits" -> "fstar_tactics_typeclasses" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "prims" + "libcrux_sha3_traits" -> "prims" + "rust_primitives" -> "fstar_seq" + "rust_primitives" -> "fstar_seq" + "rust_primitives" -> "fstar_tactics_typeclasses" + "rust_primitives" -> "fstar_tactics_typeclasses" + "rust_primitives" -> "core_ops_control_flow" + "rust_primitives" -> "core_ops_control_flow" + "rust_primitives" -> "core_result" + "rust_primitives" -> "core_result" + "rust_primitives" -> "core_option" + "rust_primitives" -> "core_option" + "rust_primitives" -> "rust_primitives_bitvectors" + "rust_primitives" -> "rust_primitives_bitvectors" + "rust_primitives" -> "rust_primitives_arrays" + "rust_primitives" -> "rust_primitives_arrays" + "rust_primitives" -> "rust_primitives_integers" + "rust_primitives" -> "rust_primitives_integers" + "rust_primitives" -> "fstar_pervasives" + "rust_primitives" -> "fstar_pervasives" + "rust_primitives" -> "prims" + "rust_primitives" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> 
"libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_neon" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_neon" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> 
"prims" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_math_lemmas" + "fstar_int16" -> "fstar_math_lemmas" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "prims" + "fstar_int16" -> "prims" + "fstar_int16" -> "fstar_int16" + "fstar_reflection_v1" -> "fstar_reflection_v1_compare" + "fstar_reflection_v1" -> "fstar_reflection_const" + "fstar_reflection_v1" -> "fstar_reflection_const" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1" -> "fstar_pervasives" + "fstar_reflection_v1" -> "fstar_pervasives" + "fstar_reflection_v1" -> "prims" + "fstar_reflection_v1" -> "prims" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v2_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_tactics_effect" + "fstar_tactics_v2_logic" -> "fstar_tactics_effect" + 
"fstar_tactics_v2_logic" -> "fstar_pervasives" + "fstar_tactics_v2_logic" -> "fstar_pervasives" + "fstar_tactics_v2_logic" -> "prims" + "fstar_tactics_v2_logic" -> "prims" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_samplex4" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_samplex4" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_samplex4" -> "fstar_mul" + "libcrux_ml_dsa_samplex4" -> "fstar_mul" + "libcrux_ml_dsa_samplex4" -> "core" + "libcrux_ml_dsa_samplex4" -> "core" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives" + "libcrux_ml_dsa_samplex4" -> "fstar_pervasives" + "libcrux_ml_dsa_samplex4" -> "prims" + "libcrux_ml_dsa_samplex4" -> "prims" + "fstar_functionalextensionality" -> "fstar_pervasives_native" + "fstar_functionalextensionality" -> "fstar_pervasives_native" + "fstar_functionalextensionality" -> "fstar_tactics_effect" + "fstar_functionalextensionality" -> "fstar_tactics_effect" + "fstar_functionalextensionality" -> "fstar_stubs_tactics_types" + "fstar_functionalextensionality" -> "fstar_stubs_reflection_types" + "fstar_functionalextensionality" -> "fstar_stubs_tactics_v2_builtins" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "prims" + "fstar_functionalextensionality" -> "prims" + "fstar_functionalextensionality" -> "fstar_functionalextensionality" + "rust_primitives_integers" -> "fstar_pervasives_native" + "rust_primitives_integers" -> 
"fstar_pervasives_native" + "rust_primitives_integers" -> "fstar_int" + "rust_primitives_integers" -> "fstar_int" + "rust_primitives_integers" -> "fstar_int128" + "rust_primitives_integers" -> "fstar_int128" + "rust_primitives_integers" -> "fstar_uint128" + "rust_primitives_integers" -> "fstar_uint128" + "rust_primitives_integers" -> "fstar_int64" + "rust_primitives_integers" -> "fstar_int64" + "rust_primitives_integers" -> "fstar_uint64" + "rust_primitives_integers" -> "fstar_uint64" + "rust_primitives_integers" -> "fstar_int32" + "rust_primitives_integers" -> "fstar_int32" + "rust_primitives_integers" -> "fstar_uint32" + "rust_primitives_integers" -> "fstar_uint32" + "rust_primitives_integers" -> "fstar_int16" + "rust_primitives_integers" -> "fstar_int16" + "rust_primitives_integers" -> "fstar_uint16" + "rust_primitives_integers" -> "fstar_uint16" + "rust_primitives_integers" -> "fstar_int8" + "rust_primitives_integers" -> "fstar_int8" + "rust_primitives_integers" -> "fstar_uint8" + "rust_primitives_integers" -> "fstar_uint8" + "rust_primitives_integers" -> "lib_inttypes" + "rust_primitives_integers" -> "lib_inttypes" + "rust_primitives_integers" -> "fstar_mul" + "rust_primitives_integers" -> "fstar_mul" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "prims" + "fstar_set" -> "fstar_classical" + "fstar_set" -> "fstar_classical" + "fstar_set" -> "fstar_functionalextensionality" + "fstar_set" -> "fstar_functionalextensionality" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "prims" + "fstar_set" -> "prims" + "fstar_set" -> "fstar_set" + "fstar_tactics" -> "fstar_tactics_v1" + "fstar_tactics" -> "fstar_tactics_v1" + "fstar_tactics" -> "fstar_pervasives" + "fstar_tactics" -> "fstar_pervasives" + "fstar_tactics" -> "prims" + "fstar_tactics" -> "prims" + "lib_bytesequence" -> "fstar_seq" + 
"lib_bytesequence" -> "fstar_seq" + "lib_bytesequence" -> "fstar_seq_base" + "lib_bytesequence" -> "fstar_seq_base" + "lib_bytesequence" -> "lib_sequence" + "lib_bytesequence" -> "lib_sequence" + "lib_bytesequence" -> "lib_inttypes" + "lib_bytesequence" -> "lib_inttypes" + "lib_bytesequence" -> "fstar_mul" + "lib_bytesequence" -> "fstar_mul" + "lib_bytesequence" -> "fstar_pervasives" + "lib_bytesequence" -> "fstar_pervasives" + "lib_bytesequence" -> "prims" + "lib_bytesequence" -> "prims" + "rust_primitives_bitvectors" -> "fstar_math_lemmas" + "rust_primitives_bitvectors" -> "fstar_math_lemmas" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "rust_primitives_bitvectors" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ntt" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ntt" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ntt" -> "rust_primitives_hax" + "libcrux_ml_dsa_ntt" -> "rust_primitives_hax" + "libcrux_ml_dsa_ntt" -> "fstar_list_tot" + "libcrux_ml_dsa_ntt" -> "fstar_list_tot" + "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "fstar_int32" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ntt" -> "fstar_mul" + "libcrux_ml_dsa_ntt" -> "fstar_mul" + "libcrux_ml_dsa_ntt" -> "core" + "libcrux_ml_dsa_ntt" -> "core" + "libcrux_ml_dsa_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_ntt" -> 
"fstar_pervasives" + "libcrux_ml_dsa_ntt" -> "prims" + "libcrux_ml_dsa_ntt" -> "prims" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "prims" + "fstar_classical_sugar" -> "prims" + "fstar_tactics_bv_lemmas" -> "fstar_uint" + "fstar_tactics_bv_lemmas" -> "fstar_uint" + "fstar_tactics_bv_lemmas" -> "fstar_bv" + "fstar_tactics_bv_lemmas" -> "fstar_bv" + "fstar_tactics_bv_lemmas" -> "fstar_pervasives" + "fstar_tactics_bv_lemmas" -> "fstar_pervasives" + "fstar_tactics_bv_lemmas" -> "prims" + "fstar_tactics_bv_lemmas" -> "prims" + "fstar_tactics_bv_lemmas" -> "fstar_tactics_bv_lemmas" + "fstar_int8" -> "fstar_uint" + "fstar_int8" -> "fstar_uint" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "prims" + "fstar_int8" -> "prims" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_sha3_neon_x2" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_list_tot" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_list_tot" + 
"libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_sha3_neon_x2_incremental" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_neon" -> "core" + "libcrux_ml_dsa_hash_functions_neon" -> "core" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_neon" -> "prims" + "libcrux_ml_dsa_hash_functions_neon" -> "prims" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_neon" + "libcrux_ml_dsa_ml_dsa_44_" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44_" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44_" -> "core" + "libcrux_ml_dsa_ml_dsa_44_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44_" -> "prims" + "libcrux_ml_dsa_ml_dsa_87_" -> "core_result" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_87_" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87_" -> "core" + "libcrux_ml_dsa_ml_dsa_87_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87_" -> "prims" + "fstar_tactics_unseal" -> "fstar_tactics_effect" + "fstar_tactics_unseal" -> "fstar_tactics_effect" + "fstar_tactics_unseal" -> "fstar_sealed" + "fstar_tactics_unseal" -> "fstar_pervasives" + "fstar_tactics_unseal" -> "fstar_pervasives" + "fstar_tactics_unseal" -> "prims" + "fstar_tactics_unseal" -> "prims" + "libcrux_ml_dsa_pre_hash" -> "core_result" 
+ "libcrux_ml_dsa_pre_hash" -> "core_result" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_pre_hash" -> "core_slice" + "libcrux_ml_dsa_pre_hash" -> "core_option" + "libcrux_ml_dsa_pre_hash" -> "core_option" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_pre_hash" -> "fstar_mul" + "libcrux_ml_dsa_pre_hash" -> "fstar_mul" + "libcrux_ml_dsa_pre_hash" -> "core" + "libcrux_ml_dsa_pre_hash" -> "core" + "libcrux_ml_dsa_pre_hash" -> "fstar_pervasives" + "libcrux_ml_dsa_pre_hash" -> "fstar_pervasives" + "libcrux_ml_dsa_pre_hash" -> "prims" + "libcrux_ml_dsa_pre_hash" -> "prims" + "libcrux_ml_dsa_pre_hash" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "prims" + "fstar_bv" -> "fstar_math_lemmas" + "fstar_bv" -> "fstar_math_lemmas" + "fstar_bv" -> "fstar_seq" + "fstar_bv" -> "fstar_seq" + "fstar_bv" -> "fstar_bitvector" + "fstar_bv" -> "fstar_bitvector" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "prims" + "fstar_bv" -> "prims" + "fstar_bv" -> "fstar_bv" + "fstar_pervasives_native" -> "prims" + 
"fstar_pervasives_native" -> "prims" + "libcrux_ml_dsa_encoding_gamma1" -> "core_ops_range" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_gamma1" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_gamma1" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_gamma1" -> "core_option" + "libcrux_ml_dsa_encoding_gamma1" -> "core_option" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_gamma1" -> "core_panicking" + "libcrux_ml_dsa_encoding_gamma1" -> "core_panicking" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_gamma1" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_gamma1" -> "core_slice" + "libcrux_ml_dsa_encoding_gamma1" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_gamma1" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_gamma1" -> "core" + "libcrux_ml_dsa_encoding_gamma1" -> "core" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_encoding_gamma1" -> "prims" + 
"libcrux_ml_dsa_encoding_gamma1" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_87__avx2" -> "libcrux_ml_dsa_ml_dsa_87__avx2" + "fstar_list_tot_base" -> "fstar_classical_sugar" + "fstar_list_tot_base" -> "fstar_classical_sugar" + "fstar_list_tot_base" -> "fstar_pervasives_native" + "fstar_list_tot_base" -> "fstar_pervasives_native" + "fstar_list_tot_base" -> "fstar_pervasives" + "fstar_list_tot_base" -> "fstar_pervasives" + "fstar_list_tot_base" -> "prims" + "fstar_list_tot_base" -> "prims" + "fstar_option" -> "fstar_pervasives_native" + "fstar_option" -> "fstar_pervasives_native" + "fstar_option" -> "fstar_all" + "fstar_option" -> "fstar_all" + "fstar_option" -> "fstar_pervasives" + "fstar_option" -> "fstar_pervasives" + "fstar_option" -> "prims" + "fstar_option" -> "prims" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_sample" -> "core" + "libcrux_ml_dsa_simd_portable_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_sample" -> "prims" + "fstar_reflection_v2_formula" -> "fstar_pervasives_native" + "fstar_reflection_v2_formula" -> "fstar_pervasives_native" + "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" + "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" + "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" + "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" + "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_v2_builtins" + "fstar_reflection_v2_formula" -> "fstar_tactics_effect" + "fstar_reflection_v2_formula" -> "fstar_tactics_effect" + 
"fstar_reflection_v2_formula" -> "fstar_stubs_tactics_common" + "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_formula" -> "fstar_reflection_const" + "fstar_reflection_v2_formula" -> "fstar_reflection_const" + "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_formula" -> "fstar_list_tot_base" + "fstar_reflection_v2_formula" -> "fstar_list_tot_base" + "fstar_reflection_v2_formula" -> "fstar_pervasives" + "fstar_reflection_v2_formula" -> "fstar_pervasives" + "fstar_reflection_v2_formula" -> "prims" + "fstar_reflection_v2_formula" -> "prims" + "core_panicking" -> "core_fmt" + "core_panicking" -> "core_option" + "core_panicking" -> "core_option" + "core_panicking" -> "rust_primitives_hax" + "core_panicking" -> "rust_primitives_hax" + "core_panicking" -> "rust_primitives" + "core_panicking" -> "rust_primitives" + "core_panicking" -> "fstar_pervasives" + "core_panicking" -> "fstar_pervasives" + "core_panicking" -> "prims" + "core_panicking" -> "prims" + "fstar_char" -> "fstar_uint32" + "fstar_char" -> "fstar_uint32" + "fstar_char" -> "fstar_pervasives" + "fstar_char" -> "fstar_pervasives" + "fstar_char" -> "prims" + "fstar_char" -> "prims" + "fstar_tactics_mapply" -> "fstar_squash" + "fstar_tactics_mapply" -> "fstar_squash" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" + "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" + 
"fstar_tactics_mapply" -> "fstar_tactics_namedview" + "fstar_tactics_mapply" -> "fstar_tactics_namedview" + "fstar_tactics_mapply" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" + "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "prims" + "fstar_tactics_mapply" -> "prims" + "fstar_tactics_mapply" -> "fstar_tactics_mapply" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_encoding_error" -> "core" + "libcrux_ml_dsa_encoding_error" -> "core" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_error" -> "prims" + "libcrux_ml_dsa_encoding_error" -> "prims" + "lib_loopcombinators" -> "fstar_tactics_effect" + "lib_loopcombinators" -> "fstar_tactics_effect" + "lib_loopcombinators" -> "fstar_propositionalextensionality" + "lib_loopcombinators" -> "fstar_propositionalextensionality" + "lib_loopcombinators" -> "fstar_tactics" + "lib_loopcombinators" -> "fstar_tactics" + "lib_loopcombinators" -> "fstar_pervasives" + "lib_loopcombinators" -> "fstar_pervasives" + "lib_loopcombinators" -> "prims" + "lib_loopcombinators" -> "prims" + "lib_loopcombinators" -> 
"lib_loopcombinators" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "prims" + "fstar_seq_base" -> "prims" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "prims" + "fstar_uint64" -> "prims" + "fstar_classical_sugar" -> "fstar_squash" + "fstar_classical_sugar" -> "fstar_squash" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "prims" + "fstar_classical_sugar" -> "prims" + "fstar_classical_sugar" -> "fstar_classical_sugar" + "core_result" -> "fstar_pervasives" + "core_result" -> "fstar_pervasives" + "core_result" -> "prims" + "core_result" -> "prims" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_vector_type" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_ops_range" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_convert" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_array" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_array" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_result" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core_result" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_mul" + 
"libcrux_ml_dsa_simd_portable_vector_type" -> "core" + "libcrux_ml_dsa_simd_portable_vector_type" -> "core" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_vector_type" -> "prims" + "libcrux_ml_dsa_simd_portable_vector_type" -> "prims" + "libcrux_ml_dsa_simd_portable_vector_type" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "prims" + "fstar_exn" -> "fstar_pervasives" + "fstar_exn" -> "fstar_pervasives" + "fstar_exn" -> "prims" + "fstar_exn" -> "prims" + "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_reflection_termeq_simple" -> "prims" + "core_ops" -> "core_ops_index" + "core_ops" -> "core_ops_index" + "core_ops" -> "fstar_tactics_typeclasses" + "core_ops" -> "fstar_tactics_typeclasses" + "core_ops" -> "rust_primitives" + "core_ops" -> "rust_primitives" + "core_ops" -> "fstar_pervasives" + "core_ops" -> "fstar_pervasives" + "core_ops" -> "prims" + "core_ops" -> "prims" + "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_types" + "fstar_tactics_typeclasses" -> 
"fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "prims" + "fstar_tactics_typeclasses" -> "prims" + "fstar_pervasives" -> "fstar_pervasives_native" + "fstar_pervasives" -> "fstar_pervasives_native" + "fstar_pervasives" -> "prims" + "fstar_pervasives" -> "prims" + "libcrux_ml_dsa_utils" -> "fstar_mul" + "libcrux_ml_dsa_utils" -> "fstar_mul" + "libcrux_ml_dsa_utils" -> "core" + "libcrux_ml_dsa_utils" -> "core" + "libcrux_ml_dsa_utils" -> "fstar_pervasives" + "libcrux_ml_dsa_utils" -> "fstar_pervasives" + "libcrux_ml_dsa_utils" -> "prims" + "libcrux_ml_dsa_utils" -> "prims" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "fstar_mul" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "core" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "fstar_pervasives" + "libcrux_sha3_traits" -> "prims" + "libcrux_sha3_traits" -> "prims" + "libcrux_sha3_traits" -> "libcrux_sha3_traits" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "prims" + "fstar_ghost" -> "prims" + "fstar_list_tot_properties" -> "fstar_classical" + "fstar_list_tot_properties" -> "fstar_classical" + "fstar_list_tot_properties" -> "fstar_classical_sugar" + "fstar_list_tot_properties" -> "fstar_classical_sugar" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "prims" + "fstar_list_tot_properties" -> "prims" + "fstar_list_tot_properties" -> "fstar_list_tot_properties" + "fstar_preorder" -> "fstar_pervasives" + "fstar_preorder" -> 
"fstar_pervasives" + "fstar_preorder" -> "prims" + "fstar_preorder" -> "prims" + "fstar_monotonic_pure" -> "fstar_pervasives" + "fstar_monotonic_pure" -> "fstar_pervasives" + "fstar_monotonic_pure" -> "prims" + "fstar_monotonic_pure" -> "prims" + "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v2_data" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v2_data" -> "fstar_stubs_syntax_syntax" + "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_data" -> "prims" + "fstar_stubs_reflection_v2_data" -> "prims" + "fstar_stubs_tactics_v2_builtins" -> "fstar_issue" + "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" + "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" + "fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" + "fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_pprint" + "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_unseal" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_tactics_types" + "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_builtins" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_data" + "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_tactics_v2_builtins" -> "fstar_vconfig" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v2_builtins" -> "prims" + 
"fstar_stubs_tactics_v2_builtins" -> "prims" + "core_num_error" -> "rust_primitives" + "core_num_error" -> "rust_primitives" + "core_num_error" -> "fstar_pervasives" + "core_num_error" -> "fstar_pervasives" + "core_num_error" -> "prims" + "core_num_error" -> "prims" + "fstar_int_cast_full" -> "fstar_uint128" + "fstar_int_cast_full" -> "fstar_uint128" + "fstar_int_cast_full" -> "fstar_uint64" + "fstar_int_cast_full" -> "fstar_uint64" + "fstar_int_cast_full" -> "fstar_int_cast" + "fstar_int_cast_full" -> "fstar_int_cast" + "fstar_int_cast_full" -> "fstar_pervasives" + "fstar_int_cast_full" -> "fstar_pervasives" + "fstar_int_cast_full" -> "prims" + "fstar_int_cast_full" -> "prims" + "fstar_all" -> "fstar_exn" + "fstar_all" -> "fstar_exn" + "fstar_all" -> "fstar_st" + "fstar_all" -> "fstar_st" + "fstar_all" -> "fstar_heap" + "fstar_all" -> "fstar_heap" + "fstar_all" -> "fstar_pervasives" + "fstar_all" -> "fstar_pervasives" + "fstar_all" -> "prims" + "fstar_all" -> "prims" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "hax_lib" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_slice" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_array_iter" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_iter_traits_collect" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_fmt_rt" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_list_tot" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_fmt" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_panicking" + 
"libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_uint64" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core_ops_arith_neg" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "core" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "prims" + "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "core_result" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "prims" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_encoding_commitment" -> "core" + 
"libcrux_ml_dsa_encoding_commitment" -> "core" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_commitment" -> "prims" + "libcrux_ml_dsa_encoding_commitment" -> "prims" + "core_convert" -> "rust_primitives_integers" + "core_convert" -> "rust_primitives_integers" + "core_convert" -> "core_slice" + "core_convert" -> "core_array" + "core_convert" -> "core_array" + "core_convert" -> "core_result" + "core_convert" -> "core_result" + "core_convert" -> "fstar_tactics_typeclasses" + "core_convert" -> "fstar_tactics_typeclasses" + "core_convert" -> "rust_primitives" + "core_convert" -> "rust_primitives" + "core_convert" -> "fstar_pervasives" + "core_convert" -> "fstar_pervasives" + "core_convert" -> "prims" + "core_convert" -> "prims" + "libcrux_sha3_portable_incremental" -> "libcrux_sha3_portable" + "libcrux_sha3_portable_incremental" -> "libcrux_sha3_portable" + "libcrux_sha3_portable_incremental" -> "fstar_mul" + "libcrux_sha3_portable_incremental" -> "fstar_mul" + "libcrux_sha3_portable_incremental" -> "core" + "libcrux_sha3_portable_incremental" -> "core" + "libcrux_sha3_portable_incremental" -> "fstar_pervasives" + "libcrux_sha3_portable_incremental" -> "fstar_pervasives" + "libcrux_sha3_portable_incremental" -> "prims" + "libcrux_sha3_portable_incremental" -> "prims" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "fstar_pervasives" + 
"fstar_seq_properties" -> "prims" + "fstar_seq_properties" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int16" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int16" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> 
"fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_commitment" -> "libcrux_ml_dsa_simd_avx2_encoding_commitment" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_87__portable" -> "libcrux_ml_dsa_ml_dsa_87__portable" + "fstar_range" -> "fstar_sealed" + "fstar_range" -> "fstar_pervasives" + "fstar_range" -> "fstar_pervasives" + "fstar_range" -> "prims" + "fstar_range" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_sha3_portable_incremental" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic" -> 
"libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic" -> "core" + "libcrux_ml_dsa_ml_dsa_generic" -> "core" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic" -> "prims" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "prims" + "fstar_squash" -> "prims" + "fstar_squash" -> "fstar_squash" + "fstar_monotonic_heap" -> "fstar_erasedlogic" + "fstar_monotonic_heap" -> "fstar_erasedlogic" + "fstar_monotonic_heap" -> "fstar_squash" + "fstar_monotonic_heap" -> "fstar_squash" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_pervasives_native" + "fstar_monotonic_heap" -> "fstar_pervasives_native" + "fstar_monotonic_heap" -> "fstar_functionalextensionality" + "fstar_monotonic_heap" -> "fstar_functionalextensionality" + "fstar_monotonic_heap" -> "fstar_classical" + "fstar_monotonic_heap" -> "fstar_classical" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "prims" + "fstar_monotonic_heap" -> "prims" + "fstar_monotonic_heap" -> "fstar_monotonic_heap" + "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_unseal" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_tactics_types" + "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" + 
"fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_data" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_builtins" + "fstar_stubs_tactics_v1_builtins" -> "fstar_vconfig" + "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v1_builtins" -> "prims" + "fstar_stubs_tactics_v1_builtins" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int64" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int64" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_panicking" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int32" + 
"libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_gamma1" -> "libcrux_ml_dsa_simd_avx2_encoding_gamma1" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_traits" + 
"libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_hash_functions_neon" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "bitvec_intrinsics" -> "fstar_string" + "bitvec_intrinsics" -> "fstar_tactics_v2_derived" + "bitvec_intrinsics" -> "fstar_tactics_v2_derived" + "bitvec_intrinsics" -> "fstar_stubs_tactics_v2_builtins" + "bitvec_intrinsics" -> "fstar_int8" + "bitvec_intrinsics" -> "fstar_int8" + "bitvec_intrinsics" -> "fstar_uint8" + "bitvec_intrinsics" -> "fstar_uint8" + "bitvec_intrinsics" -> "fstar_list_tot" + "bitvec_intrinsics" -> "fstar_list_tot" + "bitvec_intrinsics" -> "fstar_tactics_v2" + "bitvec_intrinsics" -> "fstar_tactics_v2" + "bitvec_intrinsics" -> "fstar_int16" + "bitvec_intrinsics" -> "fstar_int16" + "bitvec_intrinsics" -> "fstar_tactics" + "bitvec_intrinsics" -> "fstar_tactics" + "bitvec_intrinsics" -> "fstar_seq" + "bitvec_intrinsics" -> "fstar_seq" + "bitvec_intrinsics" -> "fstar_int32" + "bitvec_intrinsics" -> "fstar_int32" + "bitvec_intrinsics" -> "tactics_utils" + "bitvec_intrinsics" -> "tactics_utils" + "bitvec_intrinsics" -> "bitvec_equality" + "bitvec_intrinsics" -> "bitvec_equality" + "bitvec_intrinsics" -> "bitvec_utils" + 
"bitvec_intrinsics" -> "bitvec_utils" + "bitvec_intrinsics" -> "fstar_mul" + "bitvec_intrinsics" -> "fstar_mul" + "bitvec_intrinsics" -> "rust_primitives" + "bitvec_intrinsics" -> "rust_primitives" + "bitvec_intrinsics" -> "core" + "bitvec_intrinsics" -> "core" + "bitvec_intrinsics" -> "fstar_pervasives" + "bitvec_intrinsics" -> "fstar_pervasives" + "bitvec_intrinsics" -> "prims" + "bitvec_intrinsics" -> "prims" + "core_ops_arith_neg" -> "rust_primitives" + "core_ops_arith_neg" -> "rust_primitives" + "core_ops_arith_neg" -> "fstar_pervasives" + "core_ops_arith_neg" -> "fstar_pervasives" + "core_ops_arith_neg" -> "prims" + "core_ops_arith_neg" -> "prims" + "libcrux_ml_dsa_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_arithmetic" -> "fstar_int32" + "libcrux_ml_dsa_arithmetic" -> "core_slice_iter" + "libcrux_ml_dsa_arithmetic" -> "core_slice_iter" + "libcrux_ml_dsa_arithmetic" -> "core_iter_traits_collect" + "libcrux_ml_dsa_arithmetic" -> "core_iter_traits_collect" + "libcrux_ml_dsa_arithmetic" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_arithmetic" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_arithmetic" -> "core_slice" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax" + "libcrux_ml_dsa_arithmetic" -> "rust_primitives_hax" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_arithmetic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_arithmetic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_arithmetic" -> 
"fstar_mul" + "libcrux_ml_dsa_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_arithmetic" -> "core" + "libcrux_ml_dsa_arithmetic" -> "core" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_arithmetic" -> "prims" + "libcrux_ml_dsa_arithmetic" -> "prims" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "prims" + 
"libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" + "fstar_uint128" -> "fstar_pervasives_native" + "fstar_uint128" -> "fstar_pervasives_native" + "fstar_uint128" -> "fstar_int_cast" + "fstar_uint128" -> "fstar_int_cast" + "fstar_uint128" -> "fstar_calc" + "fstar_uint128" -> "fstar_calc" + "fstar_uint128" -> "fstar_classical_sugar" + "fstar_uint128" -> "fstar_classical_sugar" + "fstar_uint128" -> "fstar_tactics_bv_lemmas" + "fstar_uint128" -> "fstar_tactics_bv_lemmas" + "fstar_uint128" -> "fstar_tactics_bv" + "fstar_uint128" -> "fstar_tactics_bv" + "fstar_uint128" -> "fstar_tactics_effect" + "fstar_uint128" -> "fstar_tactics_effect" + "fstar_uint128" -> "fstar_tactics_mapply" + "fstar_uint128" -> "fstar_tactics_mapply" + "fstar_uint128" -> "fstar_tactics_v2_derived" + "fstar_uint128" -> "fstar_tactics_v2_derived" + "fstar_uint128" -> "fstar_stubs_tactics_v2_builtins" + "fstar_uint128" -> "fstar_bv" + "fstar_uint128" -> "fstar_bv" + "fstar_uint128" -> "fstar_math_lemmas" + "fstar_uint128" -> "fstar_math_lemmas" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_bitvector" + "fstar_uint128" -> "fstar_bitvector" + "fstar_uint128" -> "fstar_seq" + "fstar_uint128" -> "fstar_seq" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "prims" + "fstar_uint128" -> "prims" + "fstar_uint128" -> "fstar_uint128" + "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v1_derived" -> "fstar_squash" + "fstar_tactics_v1_derived" -> "fstar_squash" + "fstar_tactics_v1_derived" -> "fstar_range" + "fstar_tactics_v1_derived" -> 
"fstar_pervasives_native" + "fstar_tactics_v1_derived" -> "fstar_pervasives_native" + "fstar_tactics_v1_derived" -> "fstar_tactics_visit" + "fstar_tactics_v1_derived" -> "fstar_tactics_visit" + "fstar_tactics_v1_derived" -> "fstar_list_tot_base" + "fstar_tactics_v1_derived" -> "fstar_list_tot_base" + "fstar_tactics_v1_derived" -> "fstar_tactics_names" + "fstar_tactics_v1_derived" -> "fstar_tactics_names" + "fstar_tactics_v1_derived" -> "fstar_vconfig" + "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_derived" -> "fstar_tactics_util" + "fstar_tactics_v1_derived" -> "fstar_tactics_util" + "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_result" + "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1_derived" -> "fstar_tactics_effect" + "fstar_tactics_v1_derived" -> "fstar_tactics_effect" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1" + "fstar_tactics_v1_derived" -> "fstar_pervasives" + "fstar_tactics_v1_derived" -> "fstar_pervasives" + "fstar_tactics_v1_derived" -> "prims" + "fstar_tactics_v1_derived" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_shake256" + 
"libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_hash_functions_portable" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_shake128" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake128" -> "core" + "libcrux_ml_dsa_hash_functions_shake128" -> "core" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake128" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake128" -> "prims" + "libcrux_ml_dsa_hash_functions_shake128" -> "prims" + "libcrux_ml_dsa_hash_functions_shake128" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_neon" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "prims" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_ml_dsa_87__neon" + "fstar_tactics_typeclasses" -> "fstar_stubs_pprint" + "fstar_tactics_typeclasses" -> 
"fstar_list_tot" + "fstar_tactics_typeclasses" -> "fstar_list_tot" + "fstar_tactics_typeclasses" -> "fstar_tactics_util" + "fstar_tactics_typeclasses" -> "fstar_tactics_util" + "fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" + "fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" + "fstar_tactics_typeclasses" -> "fstar_pervasives_native" + "fstar_tactics_typeclasses" -> "fstar_pervasives_native" + "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_v2_builtins" + "fstar_tactics_typeclasses" -> "fstar_list_tot_base" + "fstar_tactics_typeclasses" -> "fstar_list_tot_base" + "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" + "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_common" + "fstar_tactics_typeclasses" -> "fstar_reflection_v2" + "fstar_tactics_typeclasses" -> "fstar_reflection_v2" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "prims" + "fstar_tactics_typeclasses" -> "prims" + "fstar_tactics_typeclasses" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_list_tot" + 
"libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_list_tot" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" -> "prims" + "core_num" -> "fstar_tactics_typeclasses" + "core_num" -> "fstar_tactics_typeclasses" + "core_num" -> "core_ops_arith" + "core_num" -> "core_num_error" + "core_num" -> "core_result" + "core_num" -> "core_result" + "core_num" -> "fstar_math_lemmas" + "core_num" -> "fstar_math_lemmas" + "core_num" -> "lib_inttypes" + "core_num" -> "lib_inttypes" + "core_num" -> "fstar_uint128" + "core_num" -> "fstar_uint128" + "core_num" -> "fstar_uint32" + "core_num" -> "fstar_uint32" + "core_num" -> "rust_primitives" + "core_num" -> "rust_primitives" + "core_num" -> "fstar_pervasives" + "core_num" -> "fstar_pervasives" + "core_num" -> "prims" + "core_num" -> "prims" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_squash" + "fstar_tactics_v1_logic" -> "fstar_squash" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1" + 
"fstar_tactics_v1_logic" -> "fstar_reflection_v1" + "fstar_tactics_v1_logic" -> "fstar_tactics_util" + "fstar_tactics_v1_logic" -> "fstar_tactics_util" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1_logic" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_logic" -> "fstar_tactics_effect" + "fstar_tactics_v1_logic" -> "fstar_tactics_effect" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "prims" + "fstar_tactics_v1_logic" -> "prims" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_logic" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "prims" + "fstar_classical" -> "prims" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_math_lemmas" + "fstar_int128" -> "fstar_math_lemmas" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "prims" + "fstar_int128" -> "prims" + "fstar_int128" -> "fstar_int128" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_portable" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_portable" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives_native" + 
"libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable_incremental" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_portable" -> "libcrux_sha3_portable" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_portable" -> "core" + "libcrux_ml_dsa_hash_functions_portable" -> "core" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_portable" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_portable" -> "prims" + "libcrux_ml_dsa_hash_functions_portable" -> "prims" + "libcrux_ml_dsa_simd_avx2" -> "core_array" + "libcrux_ml_dsa_simd_avx2" -> "core_array" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_ntt" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_ntt" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_t1" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_t1" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_t0" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_t0" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_error" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_commitment" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_commitment" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_gamma1" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_encoding_gamma1" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" + 
"libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" + "libcrux_ml_dsa_simd_avx2" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_arithmetic" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_arithmetic" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2" -> "core_convert" + "libcrux_ml_dsa_simd_avx2" -> "core_convert" + "libcrux_ml_dsa_simd_avx2" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_vector_type" + "libcrux_ml_dsa_simd_avx2" -> "libcrux_ml_dsa_simd_avx2_vector_type" + "libcrux_ml_dsa_simd_avx2" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2" -> "core" + "libcrux_ml_dsa_simd_avx2" -> "core" + "libcrux_ml_dsa_simd_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2" -> "prims" + "libcrux_ml_dsa_simd_avx2" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_tactics_typeclasses" + 
"libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_convert" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_array" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_result" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "prims" + "libcrux_ml_dsa_simd_avx2_encoding_t1" -> "libcrux_ml_dsa_simd_avx2_encoding_t1" + "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_shake256" -> "rust_primitives" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_tactics_typeclasses" + 
"libcrux_ml_dsa_hash_functions_shake256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_shake256" -> "core" + "libcrux_ml_dsa_hash_functions_shake256" -> "core" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake256" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_shake256" -> "prims" + "libcrux_ml_dsa_hash_functions_shake256" -> "prims" + "libcrux_ml_dsa_hash_functions_shake256" -> "libcrux_ml_dsa_hash_functions_shake256" + "fstar_tactics_v1_logic_lemmas" -> "fstar_squash" + "fstar_tactics_v1_logic_lemmas" -> "fstar_squash" + "fstar_tactics_v1_logic_lemmas" -> "fstar_indefinitedescription" + "fstar_tactics_v1_logic_lemmas" -> "fstar_indefinitedescription" + "fstar_tactics_v1_logic_lemmas" -> "fstar_classical" + "fstar_tactics_v1_logic_lemmas" -> "fstar_classical" + "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" + "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" + "fstar_tactics_v1_logic_lemmas" -> "prims" + "fstar_tactics_v1_logic_lemmas" -> "prims" + "fstar_tactics_v1_logic_lemmas" -> "fstar_tactics_v1_logic_lemmas" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t0" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t0" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t0" -> "core" + "libcrux_ml_dsa_encoding_t0" -> "core" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t0" -> "prims" + "libcrux_ml_dsa_encoding_t0" -> "prims" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_intrinsics_avx2_extract" + 
"libcrux_ml_dsa_simd_avx2_arithmetic" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "core" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "prims" + "libcrux_ml_dsa_simd_avx2_arithmetic" -> "prims" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_sample" -> "fstar_mul" + "libcrux_ml_dsa_sample" -> "fstar_mul" + "libcrux_ml_dsa_sample" -> "core" + "libcrux_ml_dsa_sample" -> "core" + "libcrux_ml_dsa_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_sample" -> "prims" + "libcrux_ml_dsa_sample" -> "prims" + "fstar_sealed" -> "fstar_pervasives" + "fstar_sealed" -> "fstar_pervasives" + "fstar_sealed" -> "prims" + "fstar_sealed" -> "prims" + "fstar_vconfig" -> "fstar_pervasives" + "fstar_vconfig" -> "fstar_pervasives" + "fstar_vconfig" -> "prims" + "fstar_vconfig" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "core_slice" + "libcrux_intrinsics_avx2_extract" -> "bitvec_intrinsics" + "libcrux_intrinsics_avx2_extract" -> "fstar_int32" + "libcrux_intrinsics_avx2_extract" -> "fstar_int32" + "libcrux_intrinsics_avx2_extract" -> "spec_utils" 
+ "libcrux_intrinsics_avx2_extract" -> "spec_utils" + "libcrux_intrinsics_avx2_extract" -> "fstar_seq" + "libcrux_intrinsics_avx2_extract" -> "fstar_seq" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "prims" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_squash" + "fstar_seq_properties" -> "fstar_squash" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_classical" + "fstar_seq_properties" -> "fstar_classical" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "prims" + "fstar_seq_properties" -> "prims" + "fstar_seq_properties" -> "fstar_seq_properties" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "core" + 
"libcrux_ml_dsa_simd_portable_encoding_t0" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_t0" -> "prims" + "core_iter_adapters_enumerate" -> "rust_primitives" + "core_iter_adapters_enumerate" -> "rust_primitives" + "core_iter_adapters_enumerate" -> "fstar_pervasives" + "core_iter_adapters_enumerate" -> "fstar_pervasives" + "core_iter_adapters_enumerate" -> "prims" + "core_iter_adapters_enumerate" -> "prims" + "core_ops_index" -> "fstar_tactics_typeclasses" + "core_ops_index" -> "fstar_tactics_typeclasses" + "core_ops_index" -> "fstar_pervasives" + "core_ops_index" -> "fstar_pervasives" + "core_ops_index" -> "prims" + "core_ops_index" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_ml_dsa_44__portable" + "fstar_float" -> "fstar_pervasives" + "fstar_float" -> "fstar_pervasives" + "fstar_float" -> "prims" + "fstar_float" -> "prims" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "core" + "bitvec_equality" -> "core" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "bitvec_equality" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_mul" + 
"libcrux_ml_dsa_simd_portable_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "core_ops_range" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "fstar_pervasives" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "prims" + "rust_primitives_hax_monomorphized_update_at" -> "rust_primitives_hax_monomorphized_update_at" + "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2" -> "fstar_tactics_smt" + "fstar_tactics_v2" -> "fstar_tactics_smt" + "fstar_tactics_v2" -> "fstar_tactics_mapply" + "fstar_tactics_v2" -> "fstar_tactics_mapply" + "fstar_tactics_v2" -> "fstar_tactics_namedview" + "fstar_tactics_v2" -> "fstar_tactics_namedview" + "fstar_tactics_v2" -> "fstar_tactics_visit" + "fstar_tactics_v2" -> "fstar_tactics_visit" + "fstar_tactics_v2" -> "fstar_tactics_print" + "fstar_tactics_v2" -> "fstar_tactics_print" + "fstar_tactics_v2" -> "fstar_tactics_util" + "fstar_tactics_v2" -> "fstar_tactics_util" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2" -> "fstar_tactics_v2_logic" + "fstar_tactics_v2" -> "fstar_tactics_v2_logic" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2" -> 
"fstar_tactics_v2_derived" + "fstar_tactics_v2" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2" -> "fstar_tactics_effect" + "fstar_tactics_v2" -> "fstar_tactics_effect" + "fstar_tactics_v2" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2" -> "fstar_reflection_v2" + "fstar_tactics_v2" -> "fstar_reflection_v2" + "fstar_tactics_v2" -> "fstar_stubs_reflection_types" + "fstar_tactics_v2" -> "fstar_pervasives" + "fstar_tactics_v2" -> "fstar_pervasives" + "fstar_tactics_v2" -> "prims" + "fstar_tactics_v2" -> "prims" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_math_lemmas" + "fstar_int32" -> "fstar_math_lemmas" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "prims" + "fstar_int32" -> "prims" + "fstar_int32" -> "fstar_int32" + "fstar_reflection_v2_derived" -> "fstar_list_tot_base" + "fstar_reflection_v2_derived" -> "fstar_list_tot_base" + "fstar_reflection_v2_derived" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived" -> "fstar_list_tot" + "fstar_reflection_v2_derived" -> "fstar_list_tot" + "fstar_reflection_v2_derived" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2_derived" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2_derived" -> "fstar_vconfig" + "fstar_reflection_v2_derived" -> "fstar_order" + "fstar_reflection_v2_derived" -> "fstar_order" + "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_derived" -> "fstar_reflection_const" + "fstar_reflection_v2_derived" -> "fstar_reflection_const" + "fstar_reflection_v2_derived" -> 
"fstar_stubs_reflection_types" + "fstar_reflection_v2_derived" -> "fstar_pervasives" + "fstar_reflection_v2_derived" -> "fstar_pervasives" + "fstar_reflection_v2_derived" -> "prims" + "fstar_reflection_v2_derived" -> "prims" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t1" -> "core" + "libcrux_ml_dsa_encoding_t1" -> "core" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t1" -> "prims" + "libcrux_ml_dsa_encoding_t1" -> "prims" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "prims" + "fstar_uint32" -> "prims" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_sealed" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxcoercions" -> "prims" + "fstar_tactics_v2_syntaxcoercions" -> "prims" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_tset" + "fstar_monotonic_heap" -> "fstar_tset" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> 
"fstar_pervasives" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "prims" + "fstar_monotonic_heap" -> "prims" + "fstar_stubs_tactics_common" -> "fstar_range" + "fstar_stubs_tactics_common" -> "fstar_stubs_errors_msg" + "fstar_stubs_tactics_common" -> "fstar_pervasives" + "fstar_stubs_tactics_common" -> "fstar_pervasives" + "fstar_stubs_tactics_common" -> "prims" + "fstar_stubs_tactics_common" -> "prims" + "fstar_int_cast" -> "fstar_int" + "fstar_int_cast" -> "fstar_int" + "fstar_int_cast" -> "fstar_int64" + "fstar_int_cast" -> "fstar_int64" + "fstar_int_cast" -> "fstar_int32" + "fstar_int_cast" -> "fstar_int32" + "fstar_int_cast" -> "fstar_int16" + "fstar_int_cast" -> "fstar_int16" + "fstar_int_cast" -> "fstar_int8" + "fstar_int_cast" -> "fstar_int8" + "fstar_int_cast" -> "fstar_uint64" + "fstar_int_cast" -> "fstar_uint64" + "fstar_int_cast" -> "fstar_uint32" + "fstar_int_cast" -> "fstar_uint32" + "fstar_int_cast" -> "fstar_uint16" + "fstar_int_cast" -> "fstar_uint16" + "fstar_int_cast" -> "fstar_uint8" + "fstar_int_cast" -> "fstar_uint8" + "fstar_int_cast" -> "fstar_pervasives" + "fstar_int_cast" -> "fstar_pervasives" + "fstar_int_cast" -> "prims" + "fstar_int_cast" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__neon" -> "prims" + "libcrux_ml_dsa_simd_portable_ntt" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_ntt" -> "rust_primitives" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_portable_ntt" -> 
"libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_ntt" -> "libcrux_ml_dsa_simd_portable" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_ntt" -> "core" + "libcrux_ml_dsa_simd_portable_ntt" -> "core" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_ntt" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_ntt" -> "prims" + "libcrux_ml_dsa_simd_portable_ntt" -> "prims" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_commitment" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_commitment" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_commitment" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_commitment" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_commitment" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_commitment" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_encoding_commitment" -> "core_slice" + "libcrux_ml_dsa_encoding_commitment" -> "core_ops_range" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_commitment" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" + 
"libcrux_ml_dsa_encoding_commitment" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_encoding_commitment" -> "core" + "libcrux_ml_dsa_encoding_commitment" -> "core" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_commitment" -> "prims" + "libcrux_ml_dsa_encoding_commitment" -> "prims" + "libcrux_ml_dsa_encoding_commitment" -> "libcrux_ml_dsa_encoding_commitment" + "fstar_reflection_v2" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2" -> "fstar_reflection_v2_compare" + "fstar_reflection_v2" -> "fstar_reflection_v2_compare" + "fstar_reflection_v2" -> "fstar_reflection_const" + "fstar_reflection_v2" -> "fstar_reflection_const" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2" -> "fstar_pervasives" + "fstar_reflection_v2" -> "fstar_pervasives" + "fstar_reflection_v2" -> "prims" + "fstar_reflection_v2" -> "prims" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_sha3_neon_x2" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_neon" -> 
"fstar_tactics_typeclasses" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_uint8" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives_native" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_neon" -> "rust_primitives_hax" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_list_tot" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_list_tot" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_hash_functions_neon" -> "libcrux_sha3_neon_x2_incremental" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_mul" + "libcrux_ml_dsa_hash_functions_neon" -> "core" + "libcrux_ml_dsa_hash_functions_neon" -> "core" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_neon" -> "fstar_pervasives" + "libcrux_ml_dsa_hash_functions_neon" -> "prims" + "libcrux_ml_dsa_hash_functions_neon" -> "prims" + "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "lib_inttypes" + "lib_rawinttypes" -> "fstar_pervasives" + "lib_rawinttypes" -> "fstar_pervasives" + "lib_rawinttypes" -> "prims" + "lib_rawinttypes" -> "prims" + "lib_rawinttypes" -> "lib_rawinttypes" + "libcrux_sha3_avx2_x4_incremental" -> "libcrux_sha3_neon_x2_incremental" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_mul" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_mul" + "libcrux_sha3_avx2_x4_incremental" -> "core" + "libcrux_sha3_avx2_x4_incremental" -> "core" + "libcrux_sha3_avx2_x4_incremental" -> 
"fstar_pervasives" + "libcrux_sha3_avx2_x4_incremental" -> "fstar_pervasives" + "libcrux_sha3_avx2_x4_incremental" -> "prims" + "libcrux_sha3_avx2_x4_incremental" -> "prims" + "fstar_tactics_namedview" -> "fstar_range" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "prims" + "fstar_tactics_namedview" -> "prims" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_squash" + "fstar_indefinitedescription" -> "fstar_squash" + "fstar_indefinitedescription" -> "fstar_classical" + "fstar_indefinitedescription" -> "fstar_classical" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "prims" + "fstar_indefinitedescription" -> "prims" + "fstar_indefinitedescription" -> "fstar_indefinitedescription" + "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_builtins" + "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_data" + "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_data" -> "prims" + "fstar_stubs_reflection_v1_data" -> "prims" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_matrix" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_matrix" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_matrix" -> 
"libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_matrix" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_matrix" -> "fstar_mul" + "libcrux_ml_dsa_matrix" -> "fstar_mul" + "libcrux_ml_dsa_matrix" -> "core" + "libcrux_ml_dsa_matrix" -> "core" + "libcrux_ml_dsa_matrix" -> "fstar_pervasives" + "libcrux_ml_dsa_matrix" -> "fstar_pervasives" + "libcrux_ml_dsa_matrix" -> "prims" + "libcrux_ml_dsa_matrix" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_portable" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__portable" -> "libcrux_ml_dsa_ml_dsa_65__portable" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "core_panicking" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_int32" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_uint8" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable_vector_type" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_commitment" -> "libcrux_ml_dsa_simd_portable_encoding_commitment" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_polynomial" + 
"libcrux_ml_dsa_arithmetic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_arithmetic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_arithmetic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_arithmetic" -> "core" + "libcrux_ml_dsa_arithmetic" -> "core" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_arithmetic" -> "prims" + "libcrux_ml_dsa_arithmetic" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_65__avx2" -> "libcrux_ml_dsa_ml_dsa_65__avx2" + "fstar_tactics_namedview" -> "fstar_list_tot" + "fstar_tactics_namedview" -> "fstar_list_tot" + "fstar_tactics_namedview" -> "fstar_pervasives_native" + "fstar_tactics_namedview" -> "fstar_pervasives_native" + "fstar_tactics_namedview" -> "fstar_stubs_reflection_v2_data" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_namedview" -> "fstar_tactics_util" + "fstar_tactics_namedview" -> "fstar_tactics_util" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "prims" + "fstar_tactics_namedview" -> "prims" + "fstar_tactics_namedview" -> "fstar_tactics_namedview" + "core_slice" -> 
"fstar_tactics_typeclasses" + "core_slice" -> "fstar_tactics_typeclasses" + "core_slice" -> "core_ops_index" + "core_slice" -> "core_ops_index" + "core_slice" -> "core_slice_iter" + "core_slice" -> "core_slice_iter" + "core_slice" -> "fstar_seq" + "core_slice" -> "fstar_seq" + "core_slice" -> "rust_primitives_integers" + "core_slice" -> "rust_primitives_integers" + "core_slice" -> "rust_primitives_arrays" + "core_slice" -> "rust_primitives_arrays" + "core_slice" -> "fstar_pervasives" + "core_slice" -> "fstar_pervasives" + "core_slice" -> "prims" + "core_slice" -> "prims" + "libcrux_ml_dsa_constants" -> "rust_primitives" + "libcrux_ml_dsa_constants" -> "rust_primitives" + "libcrux_ml_dsa_constants" -> "fstar_mul" + "libcrux_ml_dsa_constants" -> "fstar_mul" + "libcrux_ml_dsa_constants" -> "core" + "libcrux_ml_dsa_constants" -> "core" + "libcrux_ml_dsa_constants" -> "fstar_pervasives" + "libcrux_ml_dsa_constants" -> "fstar_pervasives" + "libcrux_ml_dsa_constants" -> "prims" + "libcrux_ml_dsa_constants" -> "prims" + "libcrux_ml_dsa_constants" -> "libcrux_ml_dsa_constants" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "prims" + "fstar_tactics_mapply" -> "prims" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_math_lib" + "fstar_int" -> "fstar_math_lib" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_bitvector" + "fstar_int" 
-> "fstar_bitvector" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "prims" + "fstar_int" -> "prims" + "fstar_int" -> "fstar_int" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "prims" + "fstar_uint16" -> "prims" + "fstar_uint16" -> "fstar_uint16" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_math_lemmas" + "fstar_int64" -> "fstar_math_lemmas" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "prims" + "fstar_int64" -> "prims" + "fstar_int64" -> "fstar_int64" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_verification_key" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_verification_key" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_convert" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_convert" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signature" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signature" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_commitment" + "libcrux_ml_dsa_ml_dsa_generic" -> 
"libcrux_ml_dsa_encoding_commitment" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_arithmetic" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_matrix" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_matrix" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives_native" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint16" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint16" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint8" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_uint8" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_utils" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_utils" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_samplex4" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_samplex4" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signing_key" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_encoding_signing_key" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_slice" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives_hax" + "libcrux_ml_dsa_ml_dsa_generic" -> "rust_primitives_hax" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_list_tot" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_list_tot" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_ml_dsa_generic" -> "core_option" + "libcrux_ml_dsa_ml_dsa_generic" 
-> "core_option" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_sha3_portable_incremental" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic" -> "core" + "libcrux_ml_dsa_ml_dsa_generic" -> "core" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "core_result" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "core" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_87__neon" -> "prims" + "fstar_mul" -> "fstar_pervasives" + "fstar_mul" -> "fstar_pervasives" + "fstar_mul" -> "prims" + "fstar_mul" -> "prims" + "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" + "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" + "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_reflection_termeq_simple" -> 
"fstar_reflection_termeq_simple" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2_vector_type" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2_vector_type" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_ml_dsa_generic" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_simd_avx2" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_pre_hash" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_simd256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + 
"fstar_propositionalextensionality" -> "fstar_pervasives" + "fstar_propositionalextensionality" -> "fstar_pervasives" + "fstar_propositionalextensionality" -> "prims" + "fstar_propositionalextensionality" -> "prims" + "fstar_predicateextensionality" -> "fstar_propositionalextensionality" + "fstar_predicateextensionality" -> "fstar_propositionalextensionality" + "fstar_predicateextensionality" -> "fstar_functionalextensionality" + "fstar_predicateextensionality" -> "fstar_functionalextensionality" + "fstar_predicateextensionality" -> "fstar_pervasives" + "fstar_predicateextensionality" -> "fstar_pervasives" + "fstar_predicateextensionality" -> "prims" + "fstar_predicateextensionality" -> "prims" + "libcrux_ml_dsa_encoding_t1" -> "core_ops_range" + "libcrux_ml_dsa_encoding_t1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_t1" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_t1" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_t1" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_t1" -> "core_option" + "libcrux_ml_dsa_encoding_t1" -> "core_option" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_t1" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_t1" -> "core_slice" + "libcrux_ml_dsa_encoding_t1" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_t1" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t1" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" + 
"libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_encoding_t1" -> "core" + "libcrux_ml_dsa_encoding_t1" -> "core" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_t1" -> "prims" + "libcrux_ml_dsa_encoding_t1" -> "prims" + "libcrux_ml_dsa_encoding_t1" -> "libcrux_ml_dsa_encoding_t1" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core_num" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_shuffle_table" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_int32" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core_ops_range" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> 
"fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_uint8" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "rust_primitives_hax" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "hax_lib" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core_slice" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives_native" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" -> "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_field_modulus" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "core" + "bitvec_equality" -> "core" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "prims" + 
"bitvec_equality" -> "prims" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_ml_dsa_generic_multiplexing" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_65_" -> "core" + "libcrux_ml_dsa_ml_dsa_65_" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_65_" -> "prims" + "libcrux_ml_dsa_ml_dsa_65_" -> "libcrux_ml_dsa_ml_dsa_65_" + "fstar_int16" -> "fstar_uint" + "fstar_int16" -> "fstar_uint" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "prims" + "fstar_int16" -> "prims" + "libcrux_ml_dsa_sample" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_sample" -> "hax_lib" + "libcrux_ml_dsa_sample" -> "hax_lib" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_encoding_gamma1" + "libcrux_ml_dsa_sample" -> "fstar_uint8" + "libcrux_ml_dsa_sample" -> "fstar_uint8" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_sample" -> "rust_primitives" + "libcrux_ml_dsa_sample" -> "rust_primitives" + "libcrux_ml_dsa_sample" -> "core_convert" + "libcrux_ml_dsa_sample" -> "core_convert" + "libcrux_ml_dsa_sample" -> "core_array" + "libcrux_ml_dsa_sample" -> "core_array" + "libcrux_ml_dsa_sample" -> "core_result" + "libcrux_ml_dsa_sample" -> "core_result" + "libcrux_ml_dsa_sample" -> "core_num" + "libcrux_ml_dsa_sample" -> "fstar_uint64" + "libcrux_ml_dsa_sample" -> "fstar_uint64" + "libcrux_ml_dsa_sample" -> "core_panicking" + "libcrux_ml_dsa_sample" -> "core_panicking" + "libcrux_ml_dsa_sample" -> "rust_primitives_hax" + "libcrux_ml_dsa_sample" -> "rust_primitives_hax" + "libcrux_ml_dsa_sample" -> 
"libcrux_ml_dsa_constants" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_constants" + "libcrux_ml_dsa_sample" -> "core_ops_range" + "libcrux_ml_dsa_sample" -> "core_slice" + "libcrux_ml_dsa_sample" -> "core_slice_iter" + "libcrux_ml_dsa_sample" -> "core_slice_iter" + "libcrux_ml_dsa_sample" -> "core_iter_traits_collect" + "libcrux_ml_dsa_sample" -> "core_iter_traits_collect" + "libcrux_ml_dsa_sample" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_sample" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_sample" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_sample" -> "fstar_pervasives_native" + "libcrux_ml_dsa_sample" -> "fstar_pervasives_native" + "libcrux_ml_dsa_sample" -> "fstar_uint16" + "libcrux_ml_dsa_sample" -> "fstar_uint16" + "libcrux_ml_dsa_sample" -> "fstar_int32" + "libcrux_ml_dsa_sample" -> "fstar_int32" + "libcrux_ml_dsa_sample" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_sample" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake256" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_hash_functions_shake128" + "libcrux_ml_dsa_sample" -> "fstar_mul" + "libcrux_ml_dsa_sample" -> "fstar_mul" + "libcrux_ml_dsa_sample" -> "core" + "libcrux_ml_dsa_sample" -> "core" + "libcrux_ml_dsa_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_sample" -> "fstar_pervasives" + "libcrux_ml_dsa_sample" -> "prims" + "libcrux_ml_dsa_sample" -> "prims" + "libcrux_ml_dsa_sample" -> "libcrux_ml_dsa_sample" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "core_result" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> 
"fstar_mul" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "core" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_generic_multiplexing" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_error" -> "libcrux_ml_dsa_simd_portable_encoding_error" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_uint" + "fstar_int128" -> "fstar_uint" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "prims" + "fstar_int128" -> "prims" + "lib_loopcombinators" -> "fstar_all" + "lib_loopcombinators" -> "fstar_all" + "lib_loopcombinators" -> "fstar_pervasives" + "lib_loopcombinators" -> "fstar_pervasives" + "lib_loopcombinators" -> "prims" + "lib_loopcombinators" -> "prims" + "lib_sequence" -> "fstar_list_tot" + "lib_sequence" -> "fstar_list_tot" + "lib_sequence" -> "fstar_calc" + "lib_sequence" -> "fstar_calc" + "lib_sequence" -> "fstar_math_lemmas" + "lib_sequence" -> "fstar_math_lemmas" + "lib_sequence" -> "fstar_pervasives_native" + "lib_sequence" -> "fstar_pervasives_native" + "lib_sequence" -> "fstar_seq_properties" + "lib_sequence" -> "fstar_seq_properties" + "lib_sequence" -> "fstar_seq" + "lib_sequence" -> "fstar_seq" + "lib_sequence" -> "lib_loopcombinators" + "lib_sequence" -> "lib_loopcombinators" + "lib_sequence" -> "lib_inttypes" + "lib_sequence" -> "lib_inttypes" + "lib_sequence" -> "fstar_mul" 
+ "lib_sequence" -> "fstar_mul" + "lib_sequence" -> "fstar_pervasives" + "lib_sequence" -> "fstar_pervasives" + "lib_sequence" -> "prims" + "lib_sequence" -> "prims" + "lib_sequence" -> "lib_sequence" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_t1" -> "libcrux_ml_dsa_simd_portable_encoding_t1" + "core" -> "core_ops" + "core" -> "core_ops" + "core" -> "core_iter" + "core" -> "core_num" + "core" -> "rust_primitives" + "core" -> "rust_primitives" + "core" -> "fstar_pervasives" + "core" -> "fstar_pervasives" + "core" -> "prims" + "core" -> "prims" + "fstar_class_printable" -> "fstar_seq" + "fstar_class_printable" -> "fstar_seq" + "fstar_class_printable" -> "fstar_uint64" + "fstar_class_printable" -> "fstar_uint64" + "fstar_class_printable" -> "fstar_int64" + "fstar_class_printable" -> "fstar_int64" + "fstar_class_printable" -> "fstar_uint32" + "fstar_class_printable" -> "fstar_uint32" + "fstar_class_printable" -> "fstar_int32" + "fstar_class_printable" -> "fstar_int32" + "fstar_class_printable" -> "fstar_uint16" + "fstar_class_printable" -> "fstar_uint16" + "fstar_class_printable" -> "fstar_int16" + "fstar_class_printable" -> "fstar_int16" + "fstar_class_printable" -> "fstar_int8" + "fstar_class_printable" -> "fstar_int8" + "fstar_class_printable" -> "fstar_uint8" + "fstar_class_printable" -> "fstar_uint8" + "fstar_class_printable" -> "fstar_char" + "fstar_class_printable" -> "fstar_list_tot" + "fstar_class_printable" -> "fstar_list_tot" + "fstar_class_printable" -> "fstar_tactics_typeclasses" + "fstar_class_printable" -> "fstar_tactics_typeclasses" + "fstar_class_printable" -> "fstar_seq_properties" + "fstar_class_printable" -> 
"fstar_seq_properties" + "fstar_class_printable" -> "fstar_string" + "fstar_class_printable" -> "fstar_pervasives" + "fstar_class_printable" -> "fstar_pervasives" + "fstar_class_printable" -> "prims" + "fstar_class_printable" -> "prims" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "prims" + "fstar_uint128" -> "prims" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "prims" + "fstar_tset" -> "prims" + "fstar_list_tot" -> "fstar_list_tot_properties" + "fstar_list_tot" -> "fstar_list_tot_properties" + "fstar_list_tot" -> "fstar_list_tot_base" + "fstar_list_tot" -> "fstar_list_tot_base" + "fstar_list_tot" -> "fstar_pervasives" + "fstar_list_tot" -> "fstar_pervasives" + "fstar_list_tot" -> "prims" + "fstar_list_tot" -> "prims" + "fstar_reflection_v2_compare" -> "fstar_ghost" + "fstar_reflection_v2_compare" -> "fstar_ghost" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2_compare" -> "fstar_pervasives_native" + "fstar_reflection_v2_compare" -> "fstar_pervasives_native" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_compare" 
-> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "prims" + "fstar_reflection_v2_compare" -> "prims" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_compare" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "core" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "prims" + "libcrux_ml_dsa_simd_portable_encoding_gamma1" -> "libcrux_ml_dsa_simd_portable_encoding_gamma1" + "fstar_list" -> "fstar_pervasives_native" + "fstar_list" -> "fstar_pervasives_native" + "fstar_list" -> "fstar_list_tot" + "fstar_list" -> "fstar_list_tot" + "fstar_list" -> "fstar_all" + "fstar_list" -> "fstar_all" + "fstar_list" -> "fstar_pervasives" + "fstar_list" -> "fstar_pervasives" + "fstar_list" -> "prims" + "fstar_list" -> "prims" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "prims" + "fstar_indefinitedescription" -> "prims" + "fstar_uint" -> "fstar_seq_base" + "fstar_uint" -> "fstar_seq_base" + "fstar_uint" -> "fstar_calc" + "fstar_uint" -> "fstar_calc" + "fstar_uint" -> "fstar_classical" + "fstar_uint" -> "fstar_classical" + "fstar_uint" -> "fstar_seq" + "fstar_uint" -> "fstar_seq" + "fstar_uint" -> "fstar_math_lib" + "fstar_uint" -> "fstar_math_lib" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "prims" + "fstar_uint" -> "prims" + 
"fstar_uint" -> "fstar_uint" + "fstar_tset" -> "fstar_squash" + "fstar_tset" -> "fstar_squash" + "fstar_tset" -> "fstar_strongexcludedmiddle" + "fstar_tset" -> "fstar_strongexcludedmiddle" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_predicateextensionality" + "fstar_tset" -> "fstar_predicateextensionality" + "fstar_tset" -> "fstar_functionalextensionality" + "fstar_tset" -> "fstar_functionalextensionality" + "fstar_tset" -> "fstar_propositionalextensionality" + "fstar_tset" -> "fstar_propositionalextensionality" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "prims" + "fstar_tset" -> "prims" + "fstar_tset" -> "fstar_tset" + "libcrux_sha3_neon_x2_incremental" -> "core_core_arch_arm_shared_neon" + "libcrux_sha3_neon_x2_incremental" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_neon_x2_incremental" -> "libcrux_sha3_generic_keccak" + "libcrux_sha3_neon_x2_incremental" -> "fstar_mul" + "libcrux_sha3_neon_x2_incremental" -> "fstar_mul" + "libcrux_sha3_neon_x2_incremental" -> "core" + "libcrux_sha3_neon_x2_incremental" -> "core" + "libcrux_sha3_neon_x2_incremental" -> "fstar_pervasives" + "libcrux_sha3_neon_x2_incremental" -> "fstar_pervasives" + "libcrux_sha3_neon_x2_incremental" -> "prims" + "libcrux_sha3_neon_x2_incremental" -> "prims" + "fstar_tactics_visit" -> "fstar_pervasives_native" + "fstar_tactics_visit" -> "fstar_pervasives_native" + "fstar_tactics_visit" -> "fstar_tactics_util" + "fstar_tactics_visit" -> "fstar_tactics_util" + "fstar_tactics_visit" -> "fstar_tactics_effect" + "fstar_tactics_visit" -> "fstar_tactics_effect" + "fstar_tactics_visit" -> "fstar_stubs_reflection_v2_builtins" + "fstar_tactics_visit" -> "fstar_stubs_reflection_v2_data" + "fstar_tactics_visit" -> "fstar_stubs_reflection_types" + "fstar_tactics_visit" -> "fstar_pervasives" + "fstar_tactics_visit" -> "fstar_pervasives" + "fstar_tactics_visit" -> "prims" + "fstar_tactics_visit" -> "prims" + 
"libcrux_ml_dsa_simd_traits" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_traits" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_simd_traits" -> "fstar_mul" + "libcrux_ml_dsa_simd_traits" -> "fstar_mul" + "libcrux_ml_dsa_simd_traits" -> "core" + "libcrux_ml_dsa_simd_traits" -> "core" + "libcrux_ml_dsa_simd_traits" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_traits" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_traits" -> "prims" + "libcrux_ml_dsa_simd_traits" -> "prims" + "libcrux_ml_dsa_simd_traits" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "libcrux_intrinsics_avx2_extract" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_mul" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "core" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "prims" + "libcrux_ml_dsa_simd_avx2_rejection_sample_less_than_eta" -> "prims" + "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_collect" + "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_derived_lemmas" -> 
"fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v2_derived_lemmas" -> "prims" + "fstar_reflection_v2_derived_lemmas" -> "prims" + "libcrux_ml_dsa_encoding_error" -> "core_ops_range" + "libcrux_ml_dsa_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_error" -> "fstar_uint8" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_ntt" + "libcrux_ml_dsa_encoding_error" -> "core_iter_adapters_enumerate" + "libcrux_ml_dsa_encoding_error" -> "core_iter_adapters_enumerate" + "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_collect" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_monomorphized_update_at" + "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_error" -> "core_iter_traits_iterator" + "libcrux_ml_dsa_encoding_error" -> "core_option" + "libcrux_ml_dsa_encoding_error" -> "core_option" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives_native" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax_folds" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_error" -> "core_panicking" + "libcrux_ml_dsa_encoding_error" -> "core_panicking" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_error" -> "rust_primitives_hax" + "libcrux_ml_dsa_encoding_error" -> "core_slice" + "libcrux_ml_dsa_encoding_error" -> "core_slice_iter" + "libcrux_ml_dsa_encoding_error" -> "core_slice_iter" + 
"libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_error" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_encoding_error" -> "fstar_mul" + "libcrux_ml_dsa_encoding_error" -> "core" + "libcrux_ml_dsa_encoding_error" -> "core" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_error" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_error" -> "prims" + "libcrux_ml_dsa_encoding_error" -> "prims" + "libcrux_ml_dsa_encoding_error" -> "libcrux_ml_dsa_encoding_error" + "fstar_stubs_reflection_v1_builtins" -> "fstar_vconfig" + "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_v1_data" + "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v1_builtins" -> "fstar_order" + "fstar_stubs_reflection_v1_builtins" -> "fstar_order" + "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_builtins" -> "prims" + "fstar_stubs_reflection_v1_builtins" -> "prims" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_encoding_signature" -> "core_result" + "libcrux_ml_dsa_encoding_signature" -> "core_result" + "libcrux_ml_dsa_encoding_signature" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signature" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signature" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_signature" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signature" -> "fstar_mul" + "libcrux_ml_dsa_encoding_signature" -> "core" + "libcrux_ml_dsa_encoding_signature" -> "core" + 
"libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signature" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_signature" -> "prims" + "libcrux_ml_dsa_encoding_signature" -> "prims" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_polynomial" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_tactics_typeclasses" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_verification_key" -> "libcrux_ml_dsa_simd_traits" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_mul" + "libcrux_ml_dsa_encoding_verification_key" -> "core" + "libcrux_ml_dsa_encoding_verification_key" -> "core" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_verification_key" -> "fstar_pervasives" + "libcrux_ml_dsa_encoding_verification_key" -> "prims" + "libcrux_ml_dsa_encoding_verification_key" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "core_result" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "core" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__portable" -> "prims" + "fstar_reflection_v2_collect" -> "fstar_list_tot_base" + "fstar_reflection_v2_collect" -> "fstar_list_tot_base" + "fstar_reflection_v2_collect" -> "fstar_pervasives_native" + "fstar_reflection_v2_collect" -> "fstar_pervasives_native" + "fstar_reflection_v2_collect" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_collect" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_collect" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_collect" -> "fstar_pervasives" + 
"fstar_reflection_v2_collect" -> "fstar_pervasives" + "fstar_reflection_v2_collect" -> "prims" + "fstar_reflection_v2_collect" -> "prims" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "prims" + "fstar_reflection_v2_compare" -> "prims" + "libcrux_sha3_neon_x2" -> "fstar_mul" + "libcrux_sha3_neon_x2" -> "fstar_mul" + "libcrux_sha3_neon_x2" -> "core" + "libcrux_sha3_neon_x2" -> "core" + "libcrux_sha3_neon_x2" -> "fstar_pervasives" + "libcrux_sha3_neon_x2" -> "fstar_pervasives" + "libcrux_sha3_neon_x2" -> "prims" + "libcrux_sha3_neon_x2" -> "prims" + "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" + "fstar_tactics_v1_logic_lemmas" -> "fstar_pervasives" + "fstar_tactics_v1_logic_lemmas" -> "prims" + "fstar_tactics_v1_logic_lemmas" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_int32" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_types" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_generic_instantiations_avx2" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_mul" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "core" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "fstar_pervasives" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "prims" + "libcrux_ml_dsa_ml_dsa_44__avx2" -> "libcrux_ml_dsa_ml_dsa_44__avx2" + "fstar_tactics_effect" -> 
"fstar_stubs_tactics_result" + "fstar_tactics_effect" -> "fstar_stubs_tactics_types" + "fstar_tactics_effect" -> "fstar_stubs_reflection_types" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "prims" + "fstar_tactics_effect" -> "prims" + "fstar_tactics_effect" -> "fstar_tactics_effect" + "core_array_iter" -> "core_iter" + "core_array_iter" -> "rust_primitives" + "core_array_iter" -> "rust_primitives" + "core_array_iter" -> "fstar_pervasives" + "core_array_iter" -> "fstar_pervasives" + "core_array_iter" -> "prims" + "core_array_iter" -> "prims" + "tactics_utils" -> "fstar_tactics_effect" + "tactics_utils" -> "fstar_tactics_effect" + "tactics_utils" -> "fstar_char" + "tactics_utils" -> "fstar_string" + "tactics_utils" -> "fstar_reflection_v2" + "tactics_utils" -> "fstar_reflection_v2" + "tactics_utils" -> "fstar_tactics_util" + "tactics_utils" -> "fstar_tactics_util" + "tactics_utils" -> "fstar_tactics_v1" + "tactics_utils" -> "fstar_tactics_v1" + "tactics_utils" -> "fstar_tactics" + "tactics_utils" -> "fstar_tactics" + "tactics_utils" -> "fstar_pervasives_native" + "tactics_utils" -> "fstar_pervasives_native" + "tactics_utils" -> "fstar_mul" + "tactics_utils" -> "fstar_mul" + "tactics_utils" -> "fstar_class_printable" + "tactics_utils" -> "fstar_class_printable" + "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_utils" -> "fstar_tactics_v2" + "tactics_utils" -> "fstar_tactics_v2" + "tactics_utils" -> "fstar_list_tot" + "tactics_utils" -> "fstar_list_tot" + "tactics_utils" -> "fstar_option" + "tactics_utils" -> "fstar_option" + "tactics_utils" -> "core" + "tactics_utils" -> "core" + "tactics_utils" -> "fstar_pervasives" + "tactics_utils" -> "fstar_pervasives" + "tactics_utils" -> "prims" + "tactics_utils" -> "prims" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable_rec_bundle_437004224" + 
"libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_mul" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "core" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "fstar_pervasives" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "prims" + "libcrux_ml_dsa_simd_portable_arithmetic" -> "libcrux_ml_dsa_simd_portable_arithmetic" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_squash" + "fstar_tactics_v2_logic" -> "fstar_squash" + "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v2_logic" -> "fstar_tactics_v1_logic_lemmas" + "fstar_tactics_v2_logic" -> "fstar_tactics_util" + "fstar_tactics_v2_logic" -> "fstar_tactics_util" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_logic" -> "fstar_tactics_effect" + "fstar_tactics_v2_logic" -> "fstar_tactics_effect" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_pervasives" + "fstar_tactics_v2_logic" -> "fstar_pervasives" + "fstar_tactics_v2_logic" -> "prims" + "fstar_tactics_v2_logic" -> "prims" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_logic" + "core_iter" -> "rust_primitives_arrays" + "core_iter" -> "rust_primitives_arrays" + "core_iter" -> "core_ops_range" + "core_iter" -> 
"core_iter_adapters_step_by" + "core_iter" -> "core_iter_adapters_step_by" + "core_iter" -> "fstar_pervasives_native" + "core_iter" -> "fstar_pervasives_native" + "core_iter" -> "core_ops" + "core_iter" -> "core_ops" + "core_iter" -> "fstar_tactics_typeclasses" + "core_iter" -> "fstar_tactics_typeclasses" + "core_iter" -> "core_iter_adapters_enumerate" + "core_iter" -> "core_iter_adapters_enumerate" + "core_iter" -> "core_iter_traits_iterator" + "core_iter" -> "core_iter_traits_iterator" + "core_iter" -> "rust_primitives" + "core_iter" -> "rust_primitives" + "core_iter" -> "fstar_pervasives" + "core_iter" -> "fstar_pervasives" + "core_iter" -> "prims" + "core_iter" -> "prims" +} diff --git a/libcrux-ml-dsa/src/arithmetic.rs b/libcrux-ml-dsa/src/arithmetic.rs index 7030bef96..25db431db 100644 --- a/libcrux-ml-dsa/src/arithmetic.rs +++ b/libcrux-ml-dsa/src/arithmetic.rs @@ -14,7 +14,7 @@ pub(crate) fn vector_infinity_norm_exceeds( - input0: &[u8], - input1: &[u8], - input2: &[u8], - input3: &[u8], - out0: &mut [u8; OUT_LEN], - out1: &mut [u8; OUT_LEN], - out2: &mut [u8; OUT_LEN], - out3: &mut [u8; OUT_LEN], - ); - fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self; - fn squeeze_first_block( + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self; + fn squeeze_first_block_x4( &mut self, ) -> ( [u8; BLOCK_SIZE], @@ -32,7 +22,7 @@ pub(crate) mod shake256 { [u8; BLOCK_SIZE], [u8; BLOCK_SIZE], ); - fn squeeze_next_block( + fn squeeze_next_block_x4( &mut self, ) -> ( [u8; BLOCK_SIZE], @@ -40,6 +30,16 @@ pub(crate) mod shake256 { [u8; BLOCK_SIZE], [u8; BLOCK_SIZE], ); + fn shake256_x4( + input0: &[u8], + input1: &[u8], + input2: &[u8], + input3: &[u8], + out0: &mut [u8; OUT_LEN], + out1: &mut [u8; OUT_LEN], + out2: &mut [u8; OUT_LEN], + out3: &mut [u8; OUT_LEN], + ); } } 
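Review bot: The `shake256_x4` method added to the `XofX4` trait at the end of the hunk has no doc comment, and with four `&[u8]` inputs followed by four `&mut [u8; OUT_LEN]` outputs the lane pairing is easy to get wrong at a call site. I would add above it `/// One-shot SHAKE256 over four independent inputs: `outN` receives the `OUT_LEN`-byte output for `inputN`.` — the pairing is inferred from the parameter order here and should be confirmed against the implementations. The `_x4` suffix on the renamed `init_absorb_x4`/`squeeze_*_x4` methods usefully separates them from the single-lane `Xof` trait; saying so in the trait-level doc would help too. The trait's header is outside the hunk.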
@@ -76,16 +76,14 @@ pub(crate) mod shake128 { /// A portable implementation of [`shake128::Xof`] and [`shake256::Xof`]. pub(crate) mod portable { - use libcrux_sha3::portable::{ - incremental::{self, shake128_absorb_final, shake128_init}, - shake128, shake256, KeccakState, - }; - use super::{shake128, shake256}; + use libcrux_sha3::portable::incremental; + use libcrux_sha3::portable::KeccakState; /// Portable SHAKE 128 x4 state. /// /// We're using a portable implementation so this is actually sequential. + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake128X4 { state0: KeccakState, state1: KeccakState, 
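Review bot: The new `#[cfg_attr(hax, hax_lib::opaque_type)]` on `Shake128X4` carries no explanation of why the Keccak state is hidden from extraction; a one-line comment such as `// Opaque to hax: the sha3 state is treated as an abstract type in the extracted model (confirm).` would make the intent visible to the next maintainer. The two imports `use libcrux_sha3::portable::incremental;` and `use libcrux_sha3::portable::KeccakState;` can be grouped as `use libcrux_sha3::portable::{incremental, KeccakState};`, matching the grouped form of the import the hunk removes. The `Shake128X4` struct continues past the hunk.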
@@ -93,27 +91,63 @@ pub(crate) mod portable { state3: KeccakState, } + fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake128X4 { + let mut state0 = incremental::shake128_init(); + incremental::shake128_absorb_final(&mut state0, &input0); + + let mut state1 = incremental::shake128_init(); + incremental::shake128_absorb_final(&mut state1, &input1); + + let mut state2 = incremental::shake128_init(); + incremental::shake128_absorb_final(&mut state2, &input2); + + let mut state3 = incremental::shake128_init(); + incremental::shake128_absorb_final(&mut state3, &input3); + + Shake128X4 { + state0, + state1, + state2, + state3, + } + } + + fn squeeze_first_five_blocks( + state: &mut Shake128X4, + out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out1: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + ) { + incremental::shake128_squeeze_first_five_blocks(&mut state.state0, out0); + incremental::shake128_squeeze_first_five_blocks(&mut state.state1, out1); + incremental::shake128_squeeze_first_five_blocks(&mut state.state2, out2); + incremental::shake128_squeeze_first_five_blocks(&mut state.state3, out3); + } + + fn squeeze_next_block( + state: &mut Shake128X4, + ) -> ( + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake128::BLOCK_SIZE]; + incremental::shake128_squeeze_next_block(&mut state.state0, &mut out0); + let mut out1 = [0u8; shake128::BLOCK_SIZE]; + incremental::shake128_squeeze_next_block(&mut state.state1, &mut out1); + let mut out2 = [0u8; shake128::BLOCK_SIZE]; + incremental::shake128_squeeze_next_block(&mut state.state2, &mut out2); + let mut out3 = [0u8; shake128::BLOCK_SIZE]; + incremental::shake128_squeeze_next_block(&mut state.state3, &mut out3); + + (out0, out1, out2, out3) + } + impl shake128::XofX4 for Shake128X4 { fn init_absorb(input0: 
&[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - #[inline(always)] - fn init_absorb(input: &[u8]) -> KeccakState { - let mut state = shake128_init(); - shake128_absorb_final(&mut state, &input); - - state - } - - let state0 = init_absorb(input0); - let state1 = init_absorb(input1); - let state2 = init_absorb(input2); - let state3 = init_absorb(input3); - - Self { - state0, - state1, - state2, - state3, - } + init_absorb(input0, input1, input2, input3) } fn squeeze_first_five_blocks( @@ -123,12 +157,8 @@ pub(crate) mod portable { out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], ) { - incremental::shake128_squeeze_first_five_blocks(&mut self.state0, out0); - incremental::shake128_squeeze_first_five_blocks(&mut self.state1, out1); - incremental::shake128_squeeze_first_five_blocks(&mut self.state2, out2); - incremental::shake128_squeeze_first_five_blocks(&mut self.state3, out3); + squeeze_first_five_blocks(self, out0, out1, out2, out3); } - fn squeeze_next_block( &mut self, ) -> ( 
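Review bot: The free functions `init_absorb`, `squeeze_first_five_blocks` and `squeeze_next_block` share their names with the `XofX4` methods that forward to them, so `init_absorb(input0, input1, input2, input3)` inside the impl reads like a recursive call even though it resolves to the module-level function. A comment above the first helper, e.g. `// Module-level helpers; the XofX4 impl below only forwards to them (presumably so hax extracts plain functions — confirm).`, would remove the ambiguity. In `init_absorb` the calls `incremental::shake128_absorb_final(&mut state0, &input0)` borrow an `&[u8]` a second time and rely on deref coercion; passing `input0` directly is clearer and matches the SHAKE256 counterpart further down the diff, which passes `input0` as is. The forwarding `impl` continues past the hunk end.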
@@ -137,90 +167,146 @@ pub(crate) mod portable { [u8; shake128::BLOCK_SIZE], [u8; shake128::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut self.state0, &mut out0); - let mut out1 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut self.state1, &mut out1); - let mut out2 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut self.state2, &mut out2); - let mut out3 = [0u8; shake128::BLOCK_SIZE]; - incremental::shake128_squeeze_next_block(&mut self.state3, &mut out3); - - (out0, out1, out2, out3) + squeeze_next_block(self) } } /// Portable SHAKE 128 state pub(crate) struct Shake128 {} + fn shake128(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { + libcrux_sha3::portable::shake128(out, input); + } + impl shake128::Xof for Shake128 { fn shake128(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { - shake128(out, input); + shake128(input, out); } } /// Portable SHAKE 256 state + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256 { state: KeccakState, } + + fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { + libcrux_sha3::portable::shake256(out, input); + } + + fn init_absorb_shake256(input: &[u8]) -> Shake256 { + let mut state = incremental::shake256_init(); + incremental::shake256_absorb_final(&mut state, input); + Shake256 { state } + } + + fn squeeze_first_block_shake256(state: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] { + let mut out = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_first_block(&mut state.state, &mut out); + out + } + + fn squeeze_next_block_shake256(state: &mut Shake256) -> [u8; shake256::BLOCK_SIZE] { + let mut out = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_next_block(&mut state.state, &mut out); + out + } + impl shake256::Xof for Shake256 { fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { - shake256(out, input); + shake256(input, out); } fn init_absorb(input: &[u8]) -> 
Self { - let mut state = incremental::shake256_init(); - incremental::shake256_absorb_final(&mut state, input); - - Self { state } + init_absorb_shake256(input) } fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { - let mut out = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut self.state, &mut out); - out + squeeze_first_block_shake256(self) } fn squeeze_next_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { - let mut out = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut self.state, &mut out); - out + squeeze_next_block_shake256(self) } } /// Portable SHAKE 256 x4 state. /// /// We're using a portable implementation so this is actually sequential. + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256X4 { - state0: KeccakState, - state1: KeccakState, - state2: KeccakState, - state3: KeccakState, + state0: libcrux_sha3::portable::KeccakState, + state1: libcrux_sha3::portable::KeccakState, + state2: libcrux_sha3::portable::KeccakState, + state3: libcrux_sha3::portable::KeccakState, } + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake256X4 { + let mut state0 = incremental::shake256_init(); + incremental::shake256_absorb_final(&mut state0, input0); - impl shake256::XofX4 for Shake256X4 { - fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - let mut state0 = incremental::shake256_init(); - incremental::shake256_absorb_final(&mut state0, input0); + let mut state1 = incremental::shake256_init(); + incremental::shake256_absorb_final(&mut state1, input1); - let mut state1 = incremental::shake256_init(); - incremental::shake256_absorb_final(&mut state1, input1); + let mut state2 = incremental::shake256_init(); + incremental::shake256_absorb_final(&mut state2, input2); - let mut state2 = incremental::shake256_init(); - incremental::shake256_absorb_final(&mut state2, input2); + let mut state3 = 
incremental::shake256_init(); + incremental::shake256_absorb_final(&mut state3, input3); - let mut state3 = incremental::shake256_init(); - incremental::shake256_absorb_final(&mut state3, input3); + Shake256X4 { + state0, + state1, + state2, + state3, + } + } + + fn squeeze_first_block_x4( + state: &mut Shake256X4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_first_block(&mut state.state0, &mut out0); + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_first_block(&mut state.state1, &mut out1); + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_first_block(&mut state.state2, &mut out2); + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_first_block(&mut state.state3, &mut out3); + + (out0, out1, out2, out3) + } - Self { - state0, - state1, - state2, - state3, - } + fn squeeze_next_block_x4( + state: &mut Shake256X4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_next_block(&mut state.state0, &mut out0); + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_next_block(&mut state.state1, &mut out1); + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_next_block(&mut state.state2, &mut out2); + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + incremental::shake256_squeeze_next_block(&mut state.state3, &mut out3); + + (out0, out1, out2, out3) + } + + impl shake256::XofX4 for Shake256X4 { + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { + init_absorb_x4(input0, input1, input2, input3) } - fn squeeze_first_block( + fn squeeze_first_block_x4( &mut self, ) -> ( [u8; 
shake256::BLOCK_SIZE], @@ -228,19 +314,10 @@ pub(crate) mod portable { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut self.state0, &mut out0); - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut self.state1, &mut out1); - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut self.state2, &mut out2); - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_first_block(&mut self.state3, &mut out3); - - (out0, out1, out2, out3) + squeeze_first_block_x4(self) } - fn squeeze_next_block( + fn squeeze_next_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], @@ -248,19 +325,10 @@ pub(crate) mod portable { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut self.state0, &mut out0); - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut self.state1, &mut out1); - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut self.state2, &mut out2); - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - incremental::shake256_squeeze_next_block(&mut self.state3, &mut out3); - - (out0, out1, out2, out3) + squeeze_next_block_x4(self) } - fn shake256( + fn shake256_x4( input0: &[u8], input1: &[u8], input2: &[u8], 
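Review bot: `Shake256X4` now spells its fields as `libcrux_sha3::portable::KeccakState` while `Shake128X4` and `Shake256` in the same module use the imported `KeccakState`; one spelling should be used, and `state0: KeccakState,` is the shorter one given the existing `use`. The module-local wrappers `fn shake128(input, out)` and `fn shake256(input, out)` call `libcrux_sha3::portable::shake128(out, input)` with the arguments reversed; the types make a mix-up a compile error, but a comment like `// libcrux_sha3 takes (out, input); this wrapper follows the Xof trait's (input, out) order.` would save a reader a double-take. None of the newly introduced helpers (`init_absorb_shake256`, `squeeze_first_block_shake256`, `squeeze_next_block_shake256`, `init_absorb_x4`, the x4 squeeze helpers) carry doc comments. The hunk ends inside `squeeze_first_block_x4`'s return type, so that method continues beyond it.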
@@ -270,39 +338,109 @@ pub(crate) mod portable { out2: &mut [u8; OUT_LEN], out3: &mut [u8; OUT_LEN], ) { - shake256(out0, input0); - shake256(out1, input1); - shake256(out2, input2); - shake256(out3, input3); + shake256(input0, out0); + shake256(input1, out1); + shake256(input2, out2); + shake256(input3, out3); } } + + #[cfg_attr(hax, hax_lib::opaque_type)] + pub(crate) struct Shake256Absorb { + state: libcrux_sha3::portable::incremental::Shake256Absorb, + } + + #[cfg_attr(hax, hax_lib::opaque_type)] + pub(crate) struct Shake256Squeeze { + state: libcrux_sha3::portable::incremental::Shake256Squeeze, + } + + use libcrux_sha3::portable::incremental::{XofAbsorb, XofSqueeze}; + + pub(crate) fn shake256_init() -> Shake256Absorb { + Shake256Absorb { + state: libcrux_sha3::portable::incremental::Shake256Absorb::new(), + } + } + pub(crate) fn shake256_absorb(st: &mut Shake256Absorb, input: &[u8]) { + st.state.absorb(input) + } + pub(crate) fn shake256_absorb_final(st: Shake256Absorb, input: &[u8]) -> Shake256Squeeze { + Shake256Squeeze { + state: st.state.absorb_final(input), + } + } + pub(crate) fn shake256_squeeze(st: &mut Shake256Squeeze, out: &mut [u8]) { + st.state.squeeze(out) + } } /// A SIMD256 implementation of [`shake128::XofX4`] and [`shake256::Xof`] for AVX2. #[cfg(feature = "simd256")] pub(crate) mod simd256 { - use libcrux_sha3::{ - avx2::x4::{self, incremental::KeccakState}, - portable, - }; - use super::{shake128, shake256}; + use libcrux_sha3::avx2::x4; /// AVX2 SHAKE 128 state /// /// This only implements the XofX4 API. For the single Xof, the portable /// version is used. + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake128x4 { - state: KeccakState, + state: libcrux_sha3::avx2::x4::incremental::KeccakState, + } + + /// Init the state and absorb 4 blocks in parallel. 
+ fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake128x4 { + let mut state = x4::incremental::init(); + x4::incremental::shake128_absorb_final(&mut state, &input0, &input1, &input2, &input3); + Shake128x4 { state } + } + + fn squeeze_first_five_blocks( + state: &mut Shake128x4, + out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out1: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + ) { + x4::incremental::shake128_squeeze_first_five_blocks( + &mut state.state, + out0, + out1, + out2, + out3, + ); + } + + fn squeeze_next_block( + state: &mut Shake128x4, + ) -> ( + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake128::BLOCK_SIZE]; + let mut out1 = [0u8; shake128::BLOCK_SIZE]; + let mut out2 = [0u8; shake128::BLOCK_SIZE]; + let mut out3 = [0u8; shake128::BLOCK_SIZE]; + x4::incremental::shake128_squeeze_next_block( + &mut state.state, + &mut out0, + &mut out1, + &mut out2, + &mut out3, + ); + + (out0, out1, out2, out3) } impl shake128::XofX4 for Shake128x4 { /// Init the state and absorb 4 blocks in parallel. fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - let mut state = x4::incremental::init(); - x4::incremental::shake128_absorb_final(&mut state, &input0, &input1, &input2, &input3); - Self { state } + init_absorb(input0, input1, input2, input3) } fn squeeze_first_five_blocks( @@ -312,13 +450,7 @@ pub(crate) mod simd256 { out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], ) { - x4::incremental::shake128_squeeze_first_five_blocks( - &mut self.state, - out0, - out1, - out2, - out3, - ); + squeeze_first_five_blocks(self, out0, out1, out2, out3); } fn squeeze_next_block( 
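Review bot: The new `Shake256Absorb`/`Shake256Squeeze` pair enforces absorb-then-squeeze at the type level — `shake256_absorb_final` takes `Shake256Absorb` by value and returns a `Shake256Squeeze`, so a finalized state cannot be absorbed into again — but none of the four `pub(crate) fn`s document this. I would put `/// Finalizes absorption; consumes the absorb state so no further input can be added.` above `shake256_absorb_final` and `/// Squeezes `out.len()` bytes from the state; may be called repeatedly.` above `shake256_squeeze` — repeatability is what the `&mut` signature suggests and should be confirmed against the sha3 crate. In the simd256 module, `Shake128x4` writes `libcrux_sha3::avx2::x4::incremental::KeccakState` right after `use libcrux_sha3::avx2::x4;`, where `x4::incremental::KeccakState` would do. The hunk ends inside the impl's `squeeze_first_five_blocks`, which continues past it.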
@@ -329,67 +461,90 @@ pub(crate) mod simd256 { [u8; shake128::BLOCK_SIZE], [u8; shake128::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake128::BLOCK_SIZE]; - let mut out1 = [0u8; shake128::BLOCK_SIZE]; - let mut out2 = [0u8; shake128::BLOCK_SIZE]; - let mut out3 = [0u8; shake128::BLOCK_SIZE]; - x4::incremental::shake128_squeeze_next_block( - &mut self.state, - &mut out0, - &mut out1, - &mut out2, - &mut out3, - ); - - (out0, out1, out2, out3) + squeeze_next_block(self) } } - // TODO: Shake256 is only portable for now. If we don't want to change that, - // we should use the portable Xof impelmentation above. - /// AVX2 SHAKE 256 state - pub(crate) struct Shake256 { - state: portable::KeccakState, + pub(crate) type Shake256 = super::portable::Shake256; + + /// AVX2 SHAKE 256 x4 state. + #[cfg_attr(hax, hax_lib::opaque_type)] + pub(crate) struct Shake256x4 { + state: libcrux_sha3::avx2::x4::incremental::KeccakState, } - impl shake256::Xof for Shake256 { - fn shake256(input: &[u8], out: &mut [u8; OUTPUT_LENGTH]) { - portable::shake256(out, input); - } - fn init_absorb(input: &[u8]) -> Self { - let mut state = portable::incremental::shake256_init(); - portable::incremental::shake256_absorb_final(&mut state, input); + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake256x4 { + let mut state = x4::incremental::init(); + x4::incremental::shake256_absorb_final(&mut state, &input0, &input1, &input2, &input3); + Shake256x4 { state } + } - Self { state } - } + fn squeeze_first_block_x4( + state: &mut Shake256x4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + x4::incremental::shake256_squeeze_first_block( + &mut state.state, + &mut out0, + &mut out1, + &mut out2, + &mut out3, 
+ ); - fn squeeze_first_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { - let mut out = [0u8; shake256::BLOCK_SIZE]; - portable::incremental::shake256_squeeze_first_block(&mut self.state, &mut out); - out - } + (out0, out1, out2, out3) + } - fn squeeze_next_block(&mut self) -> [u8; shake256::BLOCK_SIZE] { - let mut out = [0u8; shake256::BLOCK_SIZE]; - portable::incremental::shake256_squeeze_next_block(&mut self.state, &mut out); - out - } + fn squeeze_next_block_x4( + state: &mut Shake256x4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + x4::incremental::shake256_squeeze_next_block( + &mut state.state, + &mut out0, + &mut out1, + &mut out2, + &mut out3, + ); + + (out0, out1, out2, out3) } - /// AVX2 SHAKE 256 x4 state. - pub(crate) struct Shake256x4 { - state: KeccakState, + fn shake256_x4( + input0: &[u8], + input1: &[u8], + input2: &[u8], + input3: &[u8], + out0: &mut [u8; OUT_LEN], + out1: &mut [u8; OUT_LEN], + out2: &mut [u8; OUT_LEN], + out3: &mut [u8; OUT_LEN], + ) { + x4::shake256(input0, input1, input2, input3, out0, out1, out2, out3); } impl shake256::XofX4 for Shake256x4 { - fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - let mut state = x4::incremental::init(); - x4::incremental::shake256_absorb_final(&mut state, &input0, &input1, &input2, &input3); - Self { state } + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { + init_absorb_x4(input0, input1, input2, input3) } - fn squeeze_first_block( + fn squeeze_first_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], 
@@ -397,22 +552,10 @@ pub(crate) mod simd256 { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - x4::incremental::shake256_squeeze_first_block( - &mut self.state, - &mut out0, - &mut out1, - &mut out2, - &mut out3, - ); - - (out0, out1, out2, out3) + squeeze_first_block_x4(self) } - fn squeeze_next_block( + fn squeeze_next_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], @@ -420,22 +563,10 @@ pub(crate) mod simd256 { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - x4::incremental::shake256_squeeze_next_block( - &mut self.state, - &mut out0, - &mut out1, - &mut out2, - &mut out3, - ); - - (out0, out1, out2, out3) + squeeze_next_block_x4(self) } - fn shake256( + fn shake256_x4( input0: &[u8], input1: &[u8], input2: &[u8], @@ -445,7 +576,7 @@ pub(crate) mod simd256 { out2: &mut [u8; OUT_LEN], out3: &mut [u8; OUT_LEN], ) { - x4::shake256(input0, input1, input2, input3, out0, out1, out2, out3); + shake256_x4(input0, input1, input2, input3, out0, out1, out2, out3); } } } 
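Review bot: `pub(crate) type Shake256 = super::portable::Shake256;` replaces the removed TODO comment and the portable-backed `impl shake256::Xof for Shake256` without saying why, so the fact that single-lane SHAKE256 on the AVX2 path is not vectorized is now silent. A doc comment such as `/// Single-lane SHAKE256 reuses the portable implementation; only the x4 variant is AVX2-accelerated.` keeps that visible. As far as the removed lines show (they called `portable::incremental::shake256_*`), the alias is behaviour-preserving, so this is documentation only. The `Shake128x4` method the hunk opens inside starts before it.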
@@ -454,21 +585,57 @@ pub(crate) mod simd256 { #[cfg(feature = "simd128")] pub(crate) mod neon { - use libcrux_sha3::neon::x2::{self, incremental::KeccakState}; - use super::{shake128, shake256}; + use libcrux_sha3::neon::x2; + #[cfg_attr(hax, hax_lib::opaque_type)] + pub(crate) type KeccakState = x2::incremental::KeccakState; + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake128x4 { state: [KeccakState; 2], } + /// Init the state and absorb 4 blocks in parallel. + fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake128x4 { + let mut state = [x2::incremental::init(), x2::incremental::init()]; + x2::incremental::shake128_absorb_final(&mut state[0], &input0, &input1); + x2::incremental::shake128_absorb_final(&mut state[1], &input2, &input3); + Shake128x4 { state } + } + + fn squeeze_first_five_blocks( + state: &mut Shake128x4, + out0: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out1: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], + ) { + x2::incremental::shake128_squeeze_first_five_blocks(&mut state.state[0], out0, out1); + x2::incremental::shake128_squeeze_first_five_blocks(&mut state.state[1], out2, out3); + } + + fn squeeze_next_block( + state: &mut Shake128x4, + ) -> ( + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + [u8; shake128::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake128::BLOCK_SIZE]; + let mut out1 = [0u8; shake128::BLOCK_SIZE]; + let mut out2 = [0u8; shake128::BLOCK_SIZE]; + let mut out3 = [0u8; shake128::BLOCK_SIZE]; + x2::incremental::shake128_squeeze_next_block(&mut state.state[0], &mut out0, &mut out1); + x2::incremental::shake128_squeeze_next_block(&mut state.state[1], &mut out2, &mut out3); + + (out0, out1, out2, out3) + } + impl shake128::XofX4 for Shake128x4 { /// Init the state and absorb 4 blocks in parallel. 
fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - let mut state = [x2::incremental::init(), x2::incremental::init()]; - x2::incremental::shake128_absorb_final(&mut state[0], &input0, &input1); - x2::incremental::shake128_absorb_final(&mut state[1], &input2, &input3); - Self { state } + init_absorb(input0, input1, input2, input3) } fn squeeze_first_five_blocks( @@ -478,8 +645,7 @@ pub(crate) mod neon { out2: &mut [u8; shake128::FIVE_BLOCKS_SIZE], out3: &mut [u8; shake128::FIVE_BLOCKS_SIZE], ) { - x2::incremental::shake128_squeeze_first_five_blocks(&mut self.state[0], out0, out1); - x2::incremental::shake128_squeeze_first_five_blocks(&mut self.state[1], out2, out3); + squeeze_first_five_blocks(self, out0, out1, out2, out3); } fn squeeze_next_block( 
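Review bot: `#[cfg_attr(hax, hax_lib::opaque_type)]` is placed on the type alias `pub(crate) type KeccakState = x2::incremental::KeccakState;`, whereas everywhere else in this diff the attribute sits on a `struct`. Whether `opaque_type` accepts a `type` item is not visible here, and because the attribute is only active under `cfg(hax)` a normal `cargo build` would not catch a rejection; please confirm with a hax run, or drop the attribute from the alias and keep it on the `Shake128x4`/`Shake256x4` structs that hold the state. The neon `init_absorb` again passes `&input0` where `input0: &[u8]` suffices. The `impl shake128::XofX4 for Shake128x4` continues past the hunk.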
@@ -490,31 +656,79 @@ pub(crate) mod neon { [u8; shake128::BLOCK_SIZE], [u8; shake128::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake128::BLOCK_SIZE]; - let mut out1 = [0u8; shake128::BLOCK_SIZE]; - let mut out2 = [0u8; shake128::BLOCK_SIZE]; - let mut out3 = [0u8; shake128::BLOCK_SIZE]; - x2::incremental::shake128_squeeze_next_block(&mut self.state[0], &mut out0, &mut out1); - x2::incremental::shake128_squeeze_next_block(&mut self.state[1], &mut out2, &mut out3); - - (out0, out1, out2, out3) + squeeze_next_block(self) } } /// Neon SHAKE 256 x4 state + #[cfg_attr(hax, hax_lib::opaque_type)] pub(crate) struct Shake256x4 { state: [KeccakState; 2], } + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Shake256x4 { + let mut state = [x2::incremental::init(), x2::incremental::init()]; + x2::incremental::shake256_absorb_final(&mut state[0], &input0, &input1); + x2::incremental::shake256_absorb_final(&mut state[1], &input2, &input3); + Shake256x4 { state } + } + + fn squeeze_first_block_x4( + state: &mut Shake256x4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + x2::incremental::shake256_squeeze_first_block(&mut state.state[0], &mut out0, &mut out1); + x2::incremental::shake256_squeeze_first_block(&mut state.state[1], &mut out2, &mut out3); + + (out0, out1, out2, out3) + } + + fn squeeze_next_block_x4( + state: &mut Shake256x4, + ) -> ( + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + [u8; shake256::BLOCK_SIZE], + ) { + let mut out0 = [0u8; shake256::BLOCK_SIZE]; + let mut out1 = [0u8; shake256::BLOCK_SIZE]; + let mut out2 = [0u8; shake256::BLOCK_SIZE]; + let mut out3 = [0u8; shake256::BLOCK_SIZE]; + 
x2::incremental::shake256_squeeze_next_block(&mut state.state[0], &mut out0, &mut out1); + x2::incremental::shake256_squeeze_next_block(&mut state.state[1], &mut out2, &mut out3); + + (out0, out1, out2, out3) + } + + fn shake256_x4( + input0: &[u8], + input1: &[u8], + input2: &[u8], + input3: &[u8], + out0: &mut [u8; OUT_LEN], + out1: &mut [u8; OUT_LEN], + out2: &mut [u8; OUT_LEN], + out3: &mut [u8; OUT_LEN], + ) { + x2::shake256(input0, input1, out0, out1); + x2::shake256(input2, input3, out2, out3); + } + impl shake256::XofX4 for Shake256x4 { - fn init_absorb(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { - let mut state = [x2::incremental::init(), x2::incremental::init()]; - x2::incremental::shake256_absorb_final(&mut state[0], &input0, &input1); - x2::incremental::shake256_absorb_final(&mut state[1], &input2, &input3); - Self { state } + fn init_absorb_x4(input0: &[u8], input1: &[u8], input2: &[u8], input3: &[u8]) -> Self { + init_absorb_x4(input0, input1, input2, input3) } - fn squeeze_first_block( + fn squeeze_first_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], @@ -522,17 +736,10 @@ pub(crate) mod neon { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - x2::incremental::shake256_squeeze_first_block(&mut self.state[0], &mut out0, &mut out1); - x2::incremental::shake256_squeeze_first_block(&mut self.state[1], &mut out2, &mut out3); - - (out0, out1, out2, out3) + squeeze_first_block_x4(self) } - fn squeeze_next_block( + fn squeeze_next_block_x4( &mut self, ) -> ( [u8; shake256::BLOCK_SIZE], 
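Review bot: None of the new free helpers `init_absorb_x4`, `squeeze_first_block_x4`, `squeeze_next_block_x4` and `shake256_x4` has a doc comment, and their `_x4` suffix exists only to keep them distinct from the unsuffixed shake128 helpers in the same `mod neon`, which a reader has to work out. Either give both families a consistent prefix (`shake256_init_absorb_x4`, `shake128_init_absorb`) or add a one-line comment above this group, `// SHAKE-256 x4 helpers; the shake128 counterparts above are unsuffixed.`. As in the shake128 helpers, `&input0` / `&input1` in `init_absorb_x4` re-borrow slices that are already `&[u8]` and can be passed as `input0, input1`.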
@@ -540,17 +747,10 @@ pub(crate) mod neon { [u8; shake256::BLOCK_SIZE], [u8; shake256::BLOCK_SIZE], ) { - let mut out0 = [0u8; shake256::BLOCK_SIZE]; - let mut out1 = [0u8; shake256::BLOCK_SIZE]; - let mut out2 = [0u8; shake256::BLOCK_SIZE]; - let mut out3 = [0u8; shake256::BLOCK_SIZE]; - x2::incremental::shake256_squeeze_next_block(&mut self.state[0], &mut out0, &mut out1); - x2::incremental::shake256_squeeze_next_block(&mut self.state[1], &mut out2, &mut out3); - - (out0, out1, out2, out3) + squeeze_next_block_x4(self) } - fn shake256( + fn shake256_x4( input0: &[u8], input1: &[u8], input2: &[u8], @@ -560,8 +760,7 @@ pub(crate) mod neon { out2: &mut [u8; OUT_LEN], out3: &mut [u8; OUT_LEN], ) { - x2::shake256(input0, input1, out0, out1); - x2::shake256(input2, input3, out2, out3); + shake256_x4(input0, input1, input2, input3, out0, out1, out2, out3); } } } diff --git a/libcrux-ml-dsa/src/lib.rs b/libcrux-ml-dsa/src/lib.rs index c83f0ce20..3a9090beb 100644 --- a/libcrux-ml-dsa/src/lib.rs +++ b/libcrux-ml-dsa/src/lib.rs @@ -16,10 +16,7 @@ mod types; mod utils; // Public interface -pub use { - ml_dsa_generic::{SigningError, VerificationError}, - types::*, -}; +pub use types::*; pub use crate::constants::KEY_GENERATION_RANDOMNESS_SIZE; pub use crate::constants::SIGNING_RANDOMNESS_SIZE; diff --git a/libcrux-ml-dsa/src/ml_dsa_generic.rs b/libcrux-ml-dsa/src/ml_dsa_generic.rs index d13930b0b..85ba11ccf 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic.rs 
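Review bot: Replacing the explicit re-export of `SigningError` and `VerificationError` in `lib.rs` with the bare glob `pub use types::*;` makes the crate's public API depend on whatever happens to be `pub` inside `types`. The removed lines at the top of `ml_dsa_generic.rs` show that `Signature` was `pub(crate)` and has now moved into `types` too, so if it was made `pub` there to stay reachable, the glob silently exports that internal struct as well; the `types.rs` hunk is not in this chunk, so this is inferred rather than seen. Prefer an explicit export list that names `SigningError` and `VerificationError` alongside the intended public types, so an accidental `pub` in `types.rs` cannot widen the API surface without a visible change here.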
@@ -1,22 +1,23 @@ -use libcrux_sha3::portable::incremental::{Shake256Absorb, XofAbsorb, XofSqueeze}; - use crate::{ arithmetic::{ decompose_vector, make_hint, power2round_vector, use_hint, vector_infinity_norm_exceeds, }, constants::*, encoding, - hash_functions::{shake128, shake256}, + hash_functions::{ + portable::{shake256_absorb, shake256_absorb_final, shake256_init, shake256_squeeze}, + shake128, shake256, + }, matrix::{ add_vectors, compute_A_times_mask, compute_As1_plus_s2, compute_w_approx, subtract_vectors, vector_times_ring_element, }, ntt::ntt, - polynomial::PolynomialRingElement, pre_hash::{DomainSeparationContext, PreHash}, sample::{sample_challenge_ring_element, sample_mask_vector}, samplex4, simd::traits::Operations, + types::{Signature, SigningError, VerificationError}, utils::into_padded_array, MLDSASignature, }; @@ -24,17 +25,6 @@ use crate::{ pub(crate) mod instantiations; pub(crate) mod multiplexing; -pub(crate) struct Signature< - SIMDUnit: Operations, - const COMMITMENT_HASH_SIZE: usize, - const COLUMNS_IN_A: usize, - const ROWS_IN_A: usize, -> { - pub commitment_hash: [u8; COMMITMENT_HASH_SIZE], - pub signer_response: [PolynomialRingElement; COLUMNS_IN_A], - pub hint: [[i32; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A], -} - /// Generate a key pair. pub(crate) fn generate_key_pair< SIMDUnit: Operations, 
@@ -52,10 +42,10 @@ pub(crate) fn generate_key_pair< ) -> ([u8; SIGNING_KEY_SIZE], [u8; VERIFICATION_KEY_SIZE]) { // 128 = SEED_FOR_A_SIZE + SEED_FOR_ERROR_VECTORS_SIZE + SEED_FOR_SIGNING_SIZE let mut seed_expanded = [0; 128]; - let mut shake = Shake256Absorb::new(); - shake.absorb(&randomness); - let mut shake = shake.absorb_final(&[ROWS_IN_A as u8, COLUMNS_IN_A as u8]); - shake.squeeze(&mut seed_expanded); + let mut shake = shake256_init(); + shake256_absorb(&mut shake, &randomness); + let mut shake = shake256_absorb_final(shake, &[ROWS_IN_A as u8, COLUMNS_IN_A as u8]); + shake256_squeeze(&mut shake, &mut seed_expanded); let (seed_for_a, seed_expanded) = seed_expanded.split_at(SEED_FOR_A_SIZE); let (seed_for_error_vectors, seed_for_signing) = @@ -99,20 +89,6 @@ pub(crate) fn generate_key_pair< (signing_key_serialized, verification_key_serialized) } -#[derive(Debug)] -pub enum VerificationError { - MalformedHintError, - SignerResponseExceedsBoundError, - CommitmentHashesDontMatchError, - ContextTooLongError, -} - -#[derive(Debug)] -pub enum SigningError { - RejectionSamplingError, - ContextTooLongError, -} - #[allow(non_snake_case)] pub(crate) fn sign_pre_hashed< SIMDUnit: Operations, @@ -145,7 +121,6 @@ pub(crate) fn sign_pre_hashed< return Err(SigningError::ContextTooLongError); } let pre_hashed_message = PH::hash(message); - sign_internal::< SIMDUnit, Shake128X4, @@ -199,6 +174,7 @@ pub(crate) fn sign< context: &[u8], randomness: [u8; SIGNING_RANDOMNESS_SIZE], ) -> Result, SigningError> { + // TODO: Support implicit into() in ? so that this match becomes unnecessary sign_internal::< SIMDUnit, Shake128X4, 
@@ -280,12 +256,12 @@ pub(crate) fn sign_internal< let mut mask_seed = [0; MASK_SEED_SIZE]; { - let mut shake = Shake256Absorb::new(); - shake.absorb(&seed_for_signing); - shake.absorb(&randomness); - let mut shake = shake.absorb_final(&message_representative); + let mut shake = shake256_init(); + shake256_absorb(&mut shake, &seed_for_signing); + shake256_absorb(&mut shake, &randomness); + let mut shake = shake256_absorb_final(shake, &message_representative); - shake.squeeze(&mut mask_seed); + shake256_squeeze(&mut shake, &mut mask_seed); } let mut domain_separator_for_mask: u16 = 0; @@ -326,11 +302,11 @@ pub(crate) fn sign_internal< COMMITMENT_VECTOR_SIZE, >(commitment); - let mut shake = Shake256Absorb::new(); - shake.absorb(&message_representative); - let mut shake = shake.absorb_final(&commitment_serialized); + let mut shake = shake256_init(); + shake256_absorb(&mut shake, &message_representative); + let mut shake = shake256_absorb_final(shake, &commitment_serialized); - shake.squeeze(&mut commitment_hash_candidate); + shake256_squeeze(&mut shake, &mut commitment_hash_candidate); } let verifier_challenge_as_ntt = ntt(sample_challenge_ring_element::< 
@@ -443,19 +419,25 @@ fn derive_message_representative( message: &[u8], message_representative: &mut [u8; 64], ) { - let mut shake = Shake256Absorb::new(); - shake.absorb(&verification_key_hash); + let mut shake = shake256_init(); + shake256_absorb(&mut shake, &verification_key_hash); if let Some(domain_separation_context) = domain_separation_context { - shake.absorb(&[domain_separation_context.pre_hash_oid().is_some() as u8]); - shake.absorb(&[domain_separation_context.context().len() as u8]); - shake.absorb(domain_separation_context.context()); + shake256_absorb( + &mut shake, + &[domain_separation_context.pre_hash_oid().is_some() as u8], + ); + shake256_absorb( + &mut shake, + &[domain_separation_context.context().len() as u8], + ); + shake256_absorb(&mut shake, domain_separation_context.context()); if let Some(pre_hash_oid) = domain_separation_context.pre_hash_oid() { - shake.absorb(pre_hash_oid) + shake256_absorb(&mut shake, pre_hash_oid) } } - let mut shake = shake.absorb_final(message); - shake.squeeze(message_representative); + let mut shake = shake256_absorb_final(shake, message); + shake256_squeeze(&mut shake, message_representative); } /// The internal verification API. @@ -545,11 +527,11 @@ pub(crate) fn verify_internal< COMMITMENT_VECTOR_SIZE, >(commitment); - let mut shake = Shake256Absorb::new(); - shake.absorb(&message_representative); - let mut shake = shake.absorb_final(&commitment_serialized); + let mut shake = shake256_init(); + shake256_absorb(&mut shake, &message_representative); + let mut shake = shake256_absorb_final(shake, &commitment_serialized); - shake.squeeze(&mut commitment_hash); + shake256_squeeze(&mut shake, &mut commitment_hash); } if signature.commitment_hash != commitment_hash { 
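Review bot: `shake256_absorb(&mut shake, &[domain_separation_context.context().len() as u8])` truncates the context length to one byte, so a context longer than 255 bytes would be hashed under a wrong length prefix with no error from this function; the `ContextTooLongError` return seen in `sign_pre_hashed` suggests callers enforce `CONTEXT_MAX_LEN` first, but this internal function should pin that invariant with `debug_assert!(domain_separation_context.context().len() <= CONTEXT_MAX_LEN);` before the absorb. A doc comment describing the byte layout being absorbed — verification-key hash, then the one-byte pre-hash flag, the one-byte context length, the context, the optional OID and finally the message — would also help, since this order is what makes the message representative interoperable with other ML-DSA implementations. The function signature begins before the hunk, so its parameters are only partly visible here.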
@@ -586,6 +568,7 @@ pub(crate) fn verify< context: &[u8], signature_serialized: &[u8; SIGNATURE_SIZE], ) -> Result<(), VerificationError> { + // TODO: Support implicit into() in ? so that this match becomes unnecessary verify_internal::< SIMDUnit, Shake128X4, diff --git a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs index 1718f6c01..aa859d7d5 100644 --- a/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs +++ b/libcrux-ml-dsa/src/ml_dsa_generic/instantiations.rs @@ -3,9 +3,9 @@ macro_rules! instantiate { pub mod $modp { use crate::{ constants::*, - ml_dsa_generic::{SigningError, VerificationError}, pre_hash::SHAKE128_PH, types::*, + types::{SigningError, VerificationError}, }; /// Generate key pair. diff --git a/libcrux-ml-dsa/src/ntt.rs b/libcrux-ml-dsa/src/ntt.rs index a1246393c..7094faaa5 100644 --- a/libcrux-ml-dsa/src/ntt.rs +++ b/libcrux-ml-dsa/src/ntt.rs @@ -94,6 +94,7 @@ fn invert_ntt_at_layer_2( ZETAS_TIMES_MONTGOMERY_R[*zeta_i], ); } + () } #[inline(always)] fn invert_ntt_at_layer_3_plus( @@ -114,7 +115,9 @@ fn invert_ntt_at_layer_3_plus( re.simd_units[j + step_by] = montgomery_multiply_by_fer(a_minus_b, ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); } + () } + () } #[inline(always)] diff --git a/libcrux-ml-dsa/src/polynomial.rs b/libcrux-ml-dsa/src/polynomial.rs index acc135481..0cab00b27 100644 --- a/libcrux-ml-dsa/src/polynomial.rs +++ b/libcrux-ml-dsa/src/polynomial.rs @@ -44,7 +44,7 @@ impl PolynomialRingElement { let mut exceeds = false; for simd_unit in self.simd_units { - exceeds |= SIMDUnit::infinity_norm_exceeds(simd_unit, bound); + exceeds = exceeds || SIMDUnit::infinity_norm_exceeds(simd_unit, bound); } exceeds diff --git a/libcrux-ml-dsa/src/pre_hash.rs b/libcrux-ml-dsa/src/pre_hash.rs index e21e412c2..06855c0f9 100644 --- a/libcrux-ml-dsa/src/pre_hash.rs +++ b/libcrux-ml-dsa/src/pre_hash.rs 
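Review bot: The bare `()` statements added at the end of the loop bodies in `invert_ntt_at_layer_2` and `invert_ntt_at_layer_3_plus` in `ntt.rs` have no explanation, unlike the identical additions in `simd/avx2/ntt.rs` which cite hax issue 720, so a reader (and clippy's `unused_unit` lint) will take them for noise. Add the same justification here, `() // Needed for hax extraction, see https://github.com/hacspec/hax/issues/720`. Both functions begin before their hunks.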
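Review bot: Rewriting `exceeds |= …` as `exceeds = exceeds || SIMDUnit::infinity_norm_exceeds(simd_unit, bound)` in `polynomial.rs` introduces short-circuit evaluation, so once one SIMD unit exceeds the bound the remaining units are never examined and the loop's running time now depends on where the first violation sits. This check is the one behind `vector_infinity_norm_exceeds`, which `ml_dsa_generic.rs` imports for the rejection step in signing, where the vectors being checked are derived from secret-key material in ML-DSA; whether leaking the index of the first violating coefficient is acceptable is a known design question for this check, so it should be a documented decision rather than a side effect of a refactor the commit message does not mention. If the goal is only to avoid the compound assignment for hax, `exceeds = exceeds | SIMDUnit::infinity_norm_exceeds(simd_unit, bound);` keeps every unit evaluated, and a comment `// `|`, not `||`: examine every unit so the trip count does not depend on the data.` records the intent. The enclosing `infinity_norm_exceeds` method starts before the hunk.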
@@ -5,7 +5,9 @@ //!/perform the pre-hash of the message. This module implements the //! pre-hash trait for SHAKE-128, with a digest length of 256 bytes. use crate::{ - constants::CONTEXT_MAX_LEN, hash_functions::shake128::Xof, SigningError, VerificationError, + constants::CONTEXT_MAX_LEN, + hash_functions::shake128::Xof, + types::{SigningError, VerificationError}, }; pub(crate) const PRE_HASH_OID_LEN: usize = 11; diff --git a/libcrux-ml-dsa/src/sample.rs b/libcrux-ml-dsa/src/sample.rs index dfbb5b554..f1558eb7f 100644 --- a/libcrux-ml-dsa/src/sample.rs +++ b/libcrux-ml-dsa/src/sample.rs @@ -251,8 +251,8 @@ pub(crate) fn sample_four_error_ring_elements< seed3[64] = domain_separator3 as u8; seed3[65] = (domain_separator3 >> 8) as u8; - let mut state = Shake256::init_absorb(&seed0, &seed1, &seed2, &seed3); - let randomnesses = state.squeeze_first_block(); + let mut state = Shake256::init_absorb_x4(&seed0, &seed1, &seed2, &seed3); + let randomnesses = state.squeeze_first_block_x4(); // Every call to |rejection_sample_less_than_field_modulus| // will result in a call to |SIMDUnit::rejection_sample_less_than_field_modulus|; @@ -283,7 +283,7 @@ pub(crate) fn sample_four_error_ring_elements< while !done0 || !done1 || !done2 || !done3 { // Always sample another 4, but we only use it if we actually need it. - let randomnesses = state.squeeze_next_block(); + let randomnesses = state.squeeze_next_block_x4(); if !done0 { done0 = rejection_sample_less_than_eta::( &randomnesses.0, @@ -380,7 +380,7 @@ pub(crate) fn sample_mask_vector< let mut out1 = [0; 576]; let mut out2 = [0; 576]; let mut out3 = [0; 576]; - Shake256X4::shake256( + Shake256X4::shake256_x4( &seed0, &seed1, &seed2, &seed3, &mut out0, &mut out1, &mut out2, &mut out3, ); mask[0] = encoding::gamma1::deserialize::(&out0); 
@@ -393,7 +393,7 @@ pub(crate) fn sample_mask_vector< let mut out1 = [0; 640]; let mut out2 = [0; 640]; let mut out3 = [0; 640]; - Shake256X4::shake256( + Shake256X4::shake256_x4( &seed0, &seed1, &seed2, &seed3, &mut out0, &mut out1, &mut out2, &mut out3, ); mask[0] = encoding::gamma1::deserialize::(&out0); diff --git a/libcrux-ml-dsa/src/samplex4.rs b/libcrux-ml-dsa/src/samplex4.rs index 1173c0abf..918deb8ce 100644 --- a/libcrux-ml-dsa/src/samplex4.rs +++ b/libcrux-ml-dsa/src/samplex4.rs @@ -10,6 +10,22 @@ fn generate_domain_separator(row: u8, column: u8) -> u16 { (column as u16) | ((row as u16) << 8) } +// Doing deep updates like `a[1][1] = 3` causes a memory blowup in F* +// https://github.com/hacspec/hax/issues/1098 +// So we are instead using a matrix abstraction with a custom update function here. + +type Matrix = + [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A]; + +fn update_matrix( + m: &mut Matrix, + i: usize, + j: usize, + v: PolynomialRingElement, +) { + m[i][j] = v; +} + #[allow(non_snake_case)] #[inline(always)] pub(crate) fn matrix_A_4_by_4< @@ -19,8 +35,9 @@ pub(crate) fn matrix_A_4_by_4< const COLUMNS_IN_A: usize, >( seed: [u8; 34], -) -> [[PolynomialRingElement; COLUMNS_IN_A]; ROWS_IN_A] { - let mut A = [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; +) -> Matrix { + let mut A: Matrix = + [[PolynomialRingElement::::ZERO(); COLUMNS_IN_A]; ROWS_IN_A]; let four_ring_elements = sample_four_ring_elements::( seed, @@ -29,10 +46,10 @@ pub(crate) fn matrix_A_4_by_4< generate_domain_separator(0, 2), generate_domain_separator(0, 3), ); - A[0][0] = four_ring_elements.0; - A[0][1] = four_ring_elements.1; - A[0][2] = four_ring_elements.2; - A[0][3] = four_ring_elements.3; + update_matrix(&mut A, 0, 0, four_ring_elements.0); + update_matrix(&mut A, 0, 1, four_ring_elements.1); + update_matrix(&mut A, 0, 2, four_ring_elements.2); + update_matrix(&mut A, 0, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, 
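Review bot: `update_matrix` in `samplex4.rs` is a plain `fn` while the neighbouring key-generation helpers in this file are marked `#[inline(always)]` (see `matrix_A_4_by_4` directly below it); it takes `v: PolynomialRingElement` by value and is called up to 56 times per matrix expansion in `matrix_A_8_by_7`, so if the compiler ever declines to inline it each call may copy a full ring element into the callee before the store. Add `#[inline(always)]` above it to match the file's convention, and turn the explanatory comment into a doc comment on the item, `/// Store v at m[i][j]. Exists only because a nested index assignment blows up hax's F* extraction (hacspec/hax#1098).`, so the rationale shows up in rustdoc and travels with the function.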
@@ -41,10 +58,10 @@ pub(crate) fn matrix_A_4_by_4< generate_domain_separator(1, 2), generate_domain_separator(1, 3), ); - A[1][0] = four_ring_elements.0; - A[1][1] = four_ring_elements.1; - A[1][2] = four_ring_elements.2; - A[1][3] = four_ring_elements.3; + update_matrix(&mut A, 1, 0, four_ring_elements.0); + update_matrix(&mut A, 1, 1, four_ring_elements.1); + update_matrix(&mut A, 1, 2, four_ring_elements.2); + update_matrix(&mut A, 1, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -53,10 +70,10 @@ pub(crate) fn matrix_A_4_by_4< generate_domain_separator(2, 2), generate_domain_separator(2, 3), ); - A[2][0] = four_ring_elements.0; - A[2][1] = four_ring_elements.1; - A[2][2] = four_ring_elements.2; - A[2][3] = four_ring_elements.3; + update_matrix(&mut A, 2, 0, four_ring_elements.0); + update_matrix(&mut A, 2, 1, four_ring_elements.1); + update_matrix(&mut A, 2, 2, four_ring_elements.2); + update_matrix(&mut A, 2, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -65,10 +82,10 @@ pub(crate) fn matrix_A_4_by_4< generate_domain_separator(3, 2), generate_domain_separator(3, 3), ); - A[3][0] = four_ring_elements.0; - A[3][1] = four_ring_elements.1; - A[3][2] = four_ring_elements.2; - A[3][3] = four_ring_elements.3; + update_matrix(&mut A, 3, 0, four_ring_elements.0); + update_matrix(&mut A, 3, 1, four_ring_elements.1); + update_matrix(&mut A, 3, 2, four_ring_elements.2); + update_matrix(&mut A, 3, 3, four_ring_elements.3); A } 
@@ -92,10 +109,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(0, 2), generate_domain_separator(0, 3), ); - A[0][0] = four_ring_elements.0; - A[0][1] = four_ring_elements.1; - A[0][2] = four_ring_elements.2; - A[0][3] = four_ring_elements.3; + update_matrix(&mut A, 0, 0, four_ring_elements.0); + update_matrix(&mut A, 0, 1, four_ring_elements.1); + update_matrix(&mut A, 0, 2, four_ring_elements.2); + update_matrix(&mut A, 0, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -104,10 +121,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(1, 1), generate_domain_separator(1, 2), ); - A[0][4] = four_ring_elements.0; - A[1][0] = four_ring_elements.1; - A[1][1] = four_ring_elements.2; - A[1][2] = four_ring_elements.3; + update_matrix(&mut A, 0, 4, four_ring_elements.0); + update_matrix(&mut A, 1, 0, four_ring_elements.1); + update_matrix(&mut A, 1, 1, four_ring_elements.2); + update_matrix(&mut A, 1, 2, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -116,10 +133,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(2, 0), generate_domain_separator(2, 1), ); - A[1][3] = four_ring_elements.0; - A[1][4] = four_ring_elements.1; - A[2][0] = four_ring_elements.2; - A[2][1] = four_ring_elements.3; + update_matrix(&mut A, 1, 3, four_ring_elements.0); + update_matrix(&mut A, 1, 4, four_ring_elements.1); + update_matrix(&mut A, 2, 0, four_ring_elements.2); + update_matrix(&mut A, 2, 1, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, 
@@ -128,10 +145,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(2, 4), generate_domain_separator(3, 0), ); - A[2][2] = four_ring_elements.0; - A[2][3] = four_ring_elements.1; - A[2][4] = four_ring_elements.2; - A[3][0] = four_ring_elements.3; + update_matrix(&mut A, 2, 2, four_ring_elements.0); + update_matrix(&mut A, 2, 3, four_ring_elements.1); + update_matrix(&mut A, 2, 4, four_ring_elements.2); + update_matrix(&mut A, 3, 0, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -140,10 +157,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(3, 3), generate_domain_separator(3, 4), ); - A[3][1] = four_ring_elements.0; - A[3][2] = four_ring_elements.1; - A[3][3] = four_ring_elements.2; - A[3][4] = four_ring_elements.3; + update_matrix(&mut A, 3, 1, four_ring_elements.0); + update_matrix(&mut A, 3, 2, four_ring_elements.1); + update_matrix(&mut A, 3, 3, four_ring_elements.2); + update_matrix(&mut A, 3, 4, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -152,10 +169,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(4, 2), generate_domain_separator(4, 3), ); - A[4][0] = four_ring_elements.0; - A[4][1] = four_ring_elements.1; - A[4][2] = four_ring_elements.2; - A[4][3] = four_ring_elements.3; + update_matrix(&mut A, 4, 0, four_ring_elements.0); + update_matrix(&mut A, 4, 1, four_ring_elements.1); + update_matrix(&mut A, 4, 2, four_ring_elements.2); + update_matrix(&mut A, 4, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, 
@@ -164,10 +181,10 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(5, 1), generate_domain_separator(5, 2), ); - A[4][4] = four_ring_elements.0; - A[5][0] = four_ring_elements.1; - A[5][1] = four_ring_elements.2; - A[5][2] = four_ring_elements.3; + update_matrix(&mut A, 4, 4, four_ring_elements.0); + update_matrix(&mut A, 5, 0, four_ring_elements.1); + update_matrix(&mut A, 5, 1, four_ring_elements.2); + update_matrix(&mut A, 5, 2, four_ring_elements.3); // The the last 2 sampled ring elements are discarded here. let four_ring_elements = sample_four_ring_elements::( @@ -177,8 +194,8 @@ pub(crate) fn matrix_A_6_by_5< generate_domain_separator(5, 5), generate_domain_separator(5, 6), ); - A[5][3] = four_ring_elements.0; - A[5][4] = four_ring_elements.1; + update_matrix(&mut A, 5, 3, four_ring_elements.0); + update_matrix(&mut A, 5, 4, four_ring_elements.1); A } @@ -201,10 +218,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(0, 2), generate_domain_separator(0, 3), ); - A[0][0] = four_ring_elements.0; - A[0][1] = four_ring_elements.1; - A[0][2] = four_ring_elements.2; - A[0][3] = four_ring_elements.3; + update_matrix(&mut A, 0, 0, four_ring_elements.0); + update_matrix(&mut A, 0, 1, four_ring_elements.1); + update_matrix(&mut A, 0, 2, four_ring_elements.2); + update_matrix(&mut A, 0, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -213,10 +230,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(0, 6), generate_domain_separator(1, 0), ); - A[0][4] = four_ring_elements.0; - A[0][5] = four_ring_elements.1; - A[0][6] = four_ring_elements.2; - A[1][0] = four_ring_elements.3; + update_matrix(&mut A, 0, 4, four_ring_elements.0); + update_matrix(&mut A, 0, 5, four_ring_elements.1); + update_matrix(&mut A, 0, 6, four_ring_elements.2); + update_matrix(&mut A, 1, 0, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, 
@@ -225,10 +242,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(1, 3), generate_domain_separator(1, 4), ); - A[1][1] = four_ring_elements.0; - A[1][2] = four_ring_elements.1; - A[1][3] = four_ring_elements.2; - A[1][4] = four_ring_elements.3; + update_matrix(&mut A, 1, 1, four_ring_elements.0); + update_matrix(&mut A, 1, 2, four_ring_elements.1); + update_matrix(&mut A, 1, 3, four_ring_elements.2); + update_matrix(&mut A, 1, 4, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -237,10 +254,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(2, 0), generate_domain_separator(2, 1), ); - A[1][5] = four_ring_elements.0; - A[1][6] = four_ring_elements.1; - A[2][0] = four_ring_elements.2; - A[2][1] = four_ring_elements.3; + update_matrix(&mut A, 1, 5, four_ring_elements.0); + update_matrix(&mut A, 1, 6, four_ring_elements.1); + update_matrix(&mut A, 2, 0, four_ring_elements.2); + update_matrix(&mut A, 2, 1, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -249,10 +266,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(2, 4), generate_domain_separator(2, 5), ); - A[2][2] = four_ring_elements.0; - A[2][3] = four_ring_elements.1; - A[2][4] = four_ring_elements.2; - A[2][5] = four_ring_elements.3; + update_matrix(&mut A, 2, 2, four_ring_elements.0); + update_matrix(&mut A, 2, 3, four_ring_elements.1); + update_matrix(&mut A, 2, 4, four_ring_elements.2); + update_matrix(&mut A, 2, 5, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, 
@@ -261,10 +278,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(3, 1), generate_domain_separator(3, 2), ); - A[2][6] = four_ring_elements.0; - A[3][0] = four_ring_elements.1; - A[3][1] = four_ring_elements.2; - A[3][2] = four_ring_elements.3; + update_matrix(&mut A, 2, 6, four_ring_elements.0); + update_matrix(&mut A, 3, 0, four_ring_elements.1); + update_matrix(&mut A, 3, 1, four_ring_elements.2); + update_matrix(&mut A, 3, 2, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -273,10 +290,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(3, 5), generate_domain_separator(3, 6), ); - A[3][3] = four_ring_elements.0; - A[3][4] = four_ring_elements.1; - A[3][5] = four_ring_elements.2; - A[3][6] = four_ring_elements.3; + update_matrix(&mut A, 3, 3, four_ring_elements.0); + update_matrix(&mut A, 3, 4, four_ring_elements.1); + update_matrix(&mut A, 3, 5, four_ring_elements.2); + update_matrix(&mut A, 3, 6, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -285,10 +302,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(4, 2), generate_domain_separator(4, 3), ); - A[4][0] = four_ring_elements.0; - A[4][1] = four_ring_elements.1; - A[4][2] = four_ring_elements.2; - A[4][3] = four_ring_elements.3; + update_matrix(&mut A, 4, 0, four_ring_elements.0); + update_matrix(&mut A, 4, 1, four_ring_elements.1); + update_matrix(&mut A, 4, 2, four_ring_elements.2); + update_matrix(&mut A, 4, 3, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, 
@@ -297,10 +314,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(4, 6), generate_domain_separator(5, 0), ); - A[4][4] = four_ring_elements.0; - A[4][5] = four_ring_elements.1; - A[4][6] = four_ring_elements.2; - A[5][0] = four_ring_elements.3; + update_matrix(&mut A, 4, 4, four_ring_elements.0); + update_matrix(&mut A, 4, 5, four_ring_elements.1); + update_matrix(&mut A, 4, 6, four_ring_elements.2); + update_matrix(&mut A, 5, 0, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -309,10 +326,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(5, 3), generate_domain_separator(5, 4), ); - A[5][1] = four_ring_elements.0; - A[5][2] = four_ring_elements.1; - A[5][3] = four_ring_elements.2; - A[5][4] = four_ring_elements.3; + update_matrix(&mut A, 5, 1, four_ring_elements.0); + update_matrix(&mut A, 5, 2, four_ring_elements.1); + update_matrix(&mut A, 5, 3, four_ring_elements.2); + update_matrix(&mut A, 5, 4, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -321,10 +338,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(6, 0), generate_domain_separator(6, 1), ); - A[5][5] = four_ring_elements.0; - A[5][6] = four_ring_elements.1; - A[6][0] = four_ring_elements.2; - A[6][1] = four_ring_elements.3; + update_matrix(&mut A, 5, 5, four_ring_elements.0); + update_matrix(&mut A, 5, 6, four_ring_elements.1); + update_matrix(&mut A, 6, 0, four_ring_elements.2); + update_matrix(&mut A, 6, 1, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, 
@@ -333,10 +350,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(6, 4), generate_domain_separator(6, 5), ); - A[6][2] = four_ring_elements.0; - A[6][3] = four_ring_elements.1; - A[6][4] = four_ring_elements.2; - A[6][5] = four_ring_elements.3; + update_matrix(&mut A, 6, 2, four_ring_elements.0); + update_matrix(&mut A, 6, 3, four_ring_elements.1); + update_matrix(&mut A, 6, 4, four_ring_elements.2); + update_matrix(&mut A, 6, 5, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -345,10 +362,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(7, 1), generate_domain_separator(7, 2), ); - A[6][6] = four_ring_elements.0; - A[7][0] = four_ring_elements.1; - A[7][1] = four_ring_elements.2; - A[7][2] = four_ring_elements.3; + update_matrix(&mut A, 6, 6, four_ring_elements.0); + update_matrix(&mut A, 7, 0, four_ring_elements.1); + update_matrix(&mut A, 7, 1, four_ring_elements.2); + update_matrix(&mut A, 7, 2, four_ring_elements.3); let four_ring_elements = sample_four_ring_elements::( seed, @@ -357,10 +374,10 @@ pub(crate) fn matrix_A_8_by_7< generate_domain_separator(7, 5), generate_domain_separator(7, 6), ); - A[7][3] = four_ring_elements.0; - A[7][4] = four_ring_elements.1; - A[7][5] = four_ring_elements.2; - A[7][6] = four_ring_elements.3; + update_matrix(&mut A, 7, 3, four_ring_elements.0); + update_matrix(&mut A, 7, 4, four_ring_elements.1); + update_matrix(&mut A, 7, 5, four_ring_elements.2); + update_matrix(&mut A, 7, 6, four_ring_elements.3); A } diff --git a/libcrux-ml-dsa/src/simd.rs b/libcrux-ml-dsa/src/simd.rs index 7228eefe2..376602844 100644 --- a/libcrux-ml-dsa/src/simd.rs +++ b/libcrux-ml-dsa/src/simd.rs @@ -3,3 +3,6 @@ pub(crate) mod avx2; pub(crate) mod portable; pub(crate) mod traits; + +#[cfg(test)] +pub(crate) mod tests; diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index 82192638a..f891d39be 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs 
+++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -1,36 +1,24 @@ use crate::simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}; -use libcrux_intrinsics; mod arithmetic; mod encoding; mod ntt; mod rejection_sample; +mod vector_type; -#[derive(Clone, Copy)] -pub struct AVX2SIMDUnit { - pub(crate) coefficients: libcrux_intrinsics::avx2::Vec256, -} - -impl From for AVX2SIMDUnit { - fn from(coefficients: libcrux_intrinsics::avx2::Vec256) -> Self { - Self { coefficients } - } -} +pub(crate) use vector_type::AVX2SIMDUnit; impl Operations for AVX2SIMDUnit { fn ZERO() -> Self { - libcrux_intrinsics::avx2::mm256_setzero_si256().into() + vector_type::ZERO() } fn from_coefficient_array(coefficient_array: &[i32]) -> Self { - libcrux_intrinsics::avx2::mm256_loadu_si256_i32(coefficient_array).into() + vector_type::from_coefficient_array(coefficient_array) } fn to_coefficient_array(&self) -> [i32; 8] { - let mut coefficient_array = [0i32; 8]; - libcrux_intrinsics::avx2::mm256_storeu_si256_i32(&mut coefficient_array, self.coefficients); - - coefficient_array + vector_type::to_coefficient_array(&self) } fn add(lhs: &Self, rhs: &Self) -> Self { diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs index c6f302155..94d8aa1dd 100644 --- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs @@ -214,6 +214,7 @@ fn ntt_at_layer_2(zeta_i: &mut usize, re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEME *zeta_i += 1; } + () } #[inline(always)] @@ -238,7 +239,9 @@ fn ntt_at_layer_3_plus( re[j + step_by] = arithmetic::subtract(re[j], t); re[j] = arithmetic::add(re[j], t); } + () // This is because of https://github.com/hacspec/hax/issues/720 } + () } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/avx2/vector_type.rs b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs new file mode 100644 index 000000000..13fa15372 --- /dev/null +++ b/libcrux-ml-dsa/src/simd/avx2/vector_type.rs 
@@ -0,0 +1,25 @@
+#[derive(Clone, Copy)]
+pub struct AVX2SIMDUnit {
+ pub(crate) coefficients: libcrux_intrinsics::avx2::Vec256,
+}
+
+impl From for AVX2SIMDUnit {
+ fn from(coefficients: libcrux_intrinsics::avx2::Vec256) -> Self {
+ Self { coefficients }
+ }
+}
+
+#[allow(non_snake_case)]
+pub(crate) fn ZERO() -> AVX2SIMDUnit {
+ libcrux_intrinsics::avx2::mm256_setzero_si256().into()
+}
+
+pub(crate) fn from_coefficient_array(coefficient_array: &[i32]) -> AVX2SIMDUnit {
+ libcrux_intrinsics::avx2::mm256_loadu_si256_i32(coefficient_array).into()
+}
+
+pub(crate) fn to_coefficient_array(x: &AVX2SIMDUnit) -> [i32; 8] {
+ let mut coefficient_array = [0i32; 8];
+ libcrux_intrinsics::avx2::mm256_storeu_si256_i32(&mut coefficient_array, x.coefficients);
+ coefficient_array
+}
diff --git a/libcrux-ml-dsa/src/simd/portable.rs b/libcrux-ml-dsa/src/simd/portable.rs
index 05098b5c7..d45daf829 100644
--- a/libcrux-ml-dsa/src/simd/portable.rs
+++ b/libcrux-ml-dsa/src/simd/portable.rs
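Review bot: `from_coefficient_array(coefficient_array: &[i32])` in the new avx2/vector_type.rs states no length requirement; the slice goes straight into `mm256_loadu_si256_i32`, which presumably reads eight lanes, and what happens on a shorter slice is decided by that wrapper's own checks, which are not visible here — confirm. The portable counterpart in portable/vector_type.rs makes the contract visible (`array[0..8]` panics on fewer than eight elements and ignores any extra) but is equally undocumented. A doc comment on both, `/// Loads the first eight coefficients; the slice must hold at least 8 elements.`, records the precondition callers already rely on.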
@@ -1,34 +1,26 @@ -use crate::simd::traits::{Operations, COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT}; +use crate::simd::traits::{Operations, SIMD_UNITS_IN_RING_ELEMENT}; mod arithmetic; - +mod vector_type; // Some of the portable implementations are used in lieu of vectorized ones in // the AVX2 module. pub(crate) mod encoding; - mod ntt; mod sample; -#[derive(Clone, Copy)] -pub struct PortableSIMDUnit { - pub(crate) coefficients: [arithmetic::FieldElement; COEFFICIENTS_IN_SIMD_UNIT], -} +pub(crate) use vector_type::PortableSIMDUnit; impl Operations for PortableSIMDUnit { fn ZERO() -> Self { - PortableSIMDUnit { - coefficients: [0i32; COEFFICIENTS_IN_SIMD_UNIT], - } + vector_type::ZERO() } fn from_coefficient_array(array: &[i32]) -> Self { - PortableSIMDUnit { - coefficients: array[0..8].try_into().unwrap(), - } + vector_type::from_coefficient_array(array) } fn to_coefficient_array(&self) -> [i32; 8] { - self.coefficients.try_into().unwrap() + vector_type::to_coefficient_array(&self) } fn add(lhs: &Self, rhs: &Self) -> Self { diff --git a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs index 1785d108e..51e009243 100644 --- a/libcrux-ml-dsa/src/simd/portable/arithmetic.rs +++ b/libcrux-ml-dsa/src/simd/portable/arithmetic.rs 
@@ -1,18 +1,11 @@ +use super::vector_type::{FieldElement, PortableSIMDUnit, ZERO}; use crate::{ constants::BITS_IN_LOWER_PART_OF_T, - simd::{ - portable::PortableSIMDUnit, - traits::{ - FieldElementTimesMontgomeryR, Operations, FIELD_MODULUS, - INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, - }, + simd::traits::{ + FieldElementTimesMontgomeryR, FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, }, }; -/// Values having this type hold a representative 'x' of the Kyber field. -/// We use 'fe' as a shorthand for this type. -pub(crate) type FieldElement = i32; - /// If 'x' denotes a value of type `fe`, values having this type hold a /// representative y ≡ x·MONTGOMERY_R^(-1) (mod FIELD_MODULUS). /// We use 'mfe' as a shorthand for this type @@ -22,7 +15,7 @@ pub(crate) const MONTGOMERY_SHIFT: u8 = 32; #[inline(always)] pub fn add(lhs: &PortableSIMDUnit, rhs: &PortableSIMDUnit) -> PortableSIMDUnit { - let mut sum = PortableSIMDUnit::ZERO(); + let mut sum = ZERO(); for i in 0..sum.coefficients.len() { sum.coefficients[i] = lhs.coefficients[i] + rhs.coefficients[i]; @@ -33,7 +26,7 @@ pub fn add(lhs: &PortableSIMDUnit, rhs: &PortableSIMDUnit) -> PortableSIMDUnit { #[inline(always)] pub fn subtract(lhs: &PortableSIMDUnit, rhs: &PortableSIMDUnit) -> PortableSIMDUnit { - let mut difference = PortableSIMDUnit::ZERO(); + let mut difference = ZERO(); for i in 0..difference.coefficients.len() { difference.coefficients[i] = lhs.coefficients[i] - rhs.coefficients[i]; @@ -86,7 +79,7 @@ pub(crate) fn montgomery_multiply( lhs: &PortableSIMDUnit, rhs: &PortableSIMDUnit, ) -> PortableSIMDUnit { - let mut product = PortableSIMDUnit::ZERO(); + let mut product = ZERO(); for i in 0..product.coefficients.len() { product.coefficients[i] = 
@@ -106,7 +99,8 @@ pub(crate) fn montgomery_multiply( // to the standard unsigned range. #[inline(always)] fn power2round_element(t: i32) -> (i32, i32) { - debug_assert!(t > -FIELD_MODULUS && t < FIELD_MODULUS, "t is {}", t); + // Hax issue: https://github.com/hacspec/hax/issues/1082 + debug_assert!(t > -FIELD_MODULUS && t < FIELD_MODULUS); // Convert the signed representative to the standard unsigned one. let t = t + ((t >> 31) & FIELD_MODULUS); @@ -123,8 +117,8 @@ fn power2round_element(t: i32) -> (i32, i32) { } pub fn power2round(simd_unit: PortableSIMDUnit) -> (PortableSIMDUnit, PortableSIMDUnit) { - let mut t0_simd_unit = PortableSIMDUnit::ZERO(); - let mut t1_simd_unit = PortableSIMDUnit::ZERO(); + let mut t0_simd_unit = ZERO(); + let mut t1_simd_unit = ZERO(); for (i, t) in simd_unit.coefficients.into_iter().enumerate() { let (t0, t1) = power2round_element(t); @@ -150,11 +144,7 @@ pub fn infinity_norm_exceeds(simd_unit: PortableSIMDUnit, bound: i32) -> bool { // straightforward way to do so (returning false) will not go through hax; // revisit if performance is impacted. for coefficient in simd_unit.coefficients.into_iter() { - debug_assert!( - coefficient > -FIELD_MODULUS && coefficient < FIELD_MODULUS, - "coefficient is {}", - coefficient - ); + debug_assert!(coefficient > -FIELD_MODULUS && coefficient < FIELD_MODULUS); // This norm is calculated using the absolute value of the // signed representative in the range: // @@ -165,7 +155,7 @@ pub fn infinity_norm_exceeds(simd_unit: PortableSIMDUnit, bound: i32) -> bool { let sign = coefficient >> 31; let normalized = coefficient - (sign & (2 * coefficient)); - exceeds |= normalized >= bound; + exceeds = exceeds || normalized >= bound; } exceeds 
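Review bot: `exceeds = exceeds || normalized >= bound;` in `infinity_norm_exceeds` turns the accumulation into a short-circuiting expression, so the comparison is skipped once `exceeds` is set; the comment just above the hunk says the function deliberately avoids an early exit, and `||` reintroduces a branch whose timing depends on the position of the first coefficient over the bound. The outcome of the norm check is public (the signing attempt is restarted) and, to my knowledge, the reference implementation documents leaking the violating index as acceptable, so this is likely harmless, but the code now contradicts its own comment. If hax rejects `|=` on `bool`, `exceeds = exceeds | (normalized >= bound);` keeps the non-short-circuit form; otherwise extend the comment to say that the index of the first violating coefficient may leak. The function starts before the hunk.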
@@ -182,7 +172,7 @@ fn reduce_element(fe: FieldElement) -> FieldElement { pub fn shift_left_then_reduce( simd_unit: PortableSIMDUnit, ) -> PortableSIMDUnit { - let mut out = PortableSIMDUnit::ZERO(); + let mut out = ZERO(); for i in 0..simd_unit.coefficients.len() { out.coefficients[i] = reduce_element(simd_unit.coefficients[i] << SHIFT_BY); @@ -205,7 +195,7 @@ pub fn compute_hint( low: PortableSIMDUnit, high: PortableSIMDUnit, ) -> (usize, PortableSIMDUnit) { - let mut hint = PortableSIMDUnit::ZERO(); + let mut hint = ZERO(); let mut one_hints_count = 0; for i in 0..hint.coefficients.len() { @@ -234,11 +224,7 @@ pub fn compute_hint( #[allow(non_snake_case)] #[inline(always)] fn decompose_element(r: i32) -> (i32, i32) { - debug_assert!( - r > -FIELD_MODULUS && r < FIELD_MODULUS, - "the representative is {}", - r - ); + debug_assert!(r > -FIELD_MODULUS && r < FIELD_MODULUS); // Convert the signed representative to the standard unsigned one. let r = r + ((r >> 31) & FIELD_MODULUS); @@ -319,8 +305,8 @@ pub(crate) fn use_one_hint(r: i32, hint: i32) -> i32 { pub fn decompose( simd_unit: PortableSIMDUnit, ) -> (PortableSIMDUnit, PortableSIMDUnit) { - let mut low = PortableSIMDUnit::ZERO(); - let mut high = PortableSIMDUnit::ZERO(); + let mut low = ZERO(); + let mut high = ZERO(); for i in 0..low.coefficients.len() { let (low_part, high_part) = decompose_element::(simd_unit.coefficients[i]); @@ -336,7 +322,7 @@ pub fn use_hint( simd_unit: PortableSIMDUnit, hint: PortableSIMDUnit, ) -> PortableSIMDUnit { - let mut result = PortableSIMDUnit::ZERO(); + let mut result = ZERO(); for i in 0..result.coefficients.len() { result.coefficients[i] = diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs index c6886ba50..6ffafe423 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/commitment.rs 
@@ -1,4 +1,4 @@ -use crate::simd::portable::PortableSIMDUnit; +use super::super::vector_type::PortableSIMDUnit; #[inline(always)] pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; OUTPUT_SIZE] { diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs index d7878fbc8..5581cc2a4 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/error.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/error.rs @@ -1,4 +1,4 @@ -use crate::simd::{portable::PortableSIMDUnit, traits::Operations}; +use super::super::vector_type::{PortableSIMDUnit, ZERO}; #[inline(always)] fn serialize_when_eta_is_2( @@ -54,7 +54,7 @@ pub(crate) fn serialize( fn deserialize_when_eta_is_2(serialized: &[u8]) -> PortableSIMDUnit { debug_assert!(serialized.len() == 3); - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); const ETA: i32 = 2; let byte0 = serialized[0] as i32; @@ -76,7 +76,7 @@ fn deserialize_when_eta_is_2(serialized: &[u8]) -> PortableSIMDUnit { fn deserialize_when_eta_is_4(serialized: &[u8]) -> PortableSIMDUnit { debug_assert!(serialized.len() == 4); - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); const ETA: i32 = 4; for (i, byte) in serialized.iter().enumerate() { diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs index eabb2fd81..3dbb5f20a 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/gamma1.rs @@ -1,5 +1,4 @@ -use crate::simd::{portable::PortableSIMDUnit, traits::Operations}; - +use super::super::vector_type::{PortableSIMDUnit, ZERO}; // This function is marked public since it is called in the corresponding AVX2 code. #[inline(always)] pub fn serialize_when_gamma1_is_2_pow_17( @@ -37,6 +36,7 @@ pub fn serialize_when_gamma1_is_2_pow_17( serialized } + #[inline(always)] fn serialize_when_gamma1_is_2_pow_19( simd_unit: PortableSIMDUnit, 
@@ -81,33 +81,33 @@ fn deserialize_when_gamma1_is_2_pow_17(serialized: &[u8]) -> PortableSIMDUnit { const GAMMA1: i32 = 1 << 17; const GAMMA1_TIMES_2_BITMASK: i32 = (GAMMA1 << 1) - 1; - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); for (i, bytes) in serialized.chunks_exact(9).enumerate() { - simd_unit.coefficients[4 * i] = bytes[0] as i32; - simd_unit.coefficients[4 * i] |= (bytes[1] as i32) << 8; - simd_unit.coefficients[4 * i] |= (bytes[2] as i32) << 16; - simd_unit.coefficients[4 * i] &= GAMMA1_TIMES_2_BITMASK; - - simd_unit.coefficients[4 * i + 1] = (bytes[2] as i32) >> 2; - simd_unit.coefficients[4 * i + 1] |= (bytes[3] as i32) << 6; - simd_unit.coefficients[4 * i + 1] |= (bytes[4] as i32) << 14; - simd_unit.coefficients[4 * i + 1] &= GAMMA1_TIMES_2_BITMASK; - - simd_unit.coefficients[4 * i + 2] = (bytes[4] as i32) >> 4; - simd_unit.coefficients[4 * i + 2] |= (bytes[5] as i32) << 4; - simd_unit.coefficients[4 * i + 2] |= (bytes[6] as i32) << 12; - simd_unit.coefficients[4 * i + 2] &= GAMMA1_TIMES_2_BITMASK; - - simd_unit.coefficients[4 * i + 3] = (bytes[6] as i32) >> 6; - simd_unit.coefficients[4 * i + 3] |= (bytes[7] as i32) << 2; - simd_unit.coefficients[4 * i + 3] |= (bytes[8] as i32) << 10; - simd_unit.coefficients[4 * i + 3] &= GAMMA1_TIMES_2_BITMASK; - - simd_unit.coefficients[4 * i] = GAMMA1 - simd_unit.coefficients[4 * i]; - simd_unit.coefficients[4 * i + 1] = GAMMA1 - simd_unit.coefficients[4 * i + 1]; - simd_unit.coefficients[4 * i + 2] = GAMMA1 - simd_unit.coefficients[4 * i + 2]; - simd_unit.coefficients[4 * i + 3] = GAMMA1 - simd_unit.coefficients[4 * i + 3]; + let mut coefficient0 = bytes[0] as i32; + coefficient0 |= (bytes[1] as i32) << 8; + coefficient0 |= (bytes[2] as i32) << 16; + coefficient0 &= GAMMA1_TIMES_2_BITMASK; + + let mut coefficient1 = (bytes[2] as i32) >> 2; + coefficient1 |= (bytes[3] as i32) << 6; + coefficient1 |= (bytes[4] as i32) << 14; + coefficient1 &= GAMMA1_TIMES_2_BITMASK; + + let mut 
coefficient2 = (bytes[4] as i32) >> 4; + coefficient2 |= (bytes[5] as i32) << 4; + coefficient2 |= (bytes[6] as i32) << 12; + coefficient2 &= GAMMA1_TIMES_2_BITMASK; + + let mut coefficient3 = (bytes[6] as i32) >> 6; + coefficient3 |= (bytes[7] as i32) << 2; + coefficient3 |= (bytes[8] as i32) << 10; + coefficient3 &= GAMMA1_TIMES_2_BITMASK; + + simd_unit.coefficients[4 * i] = GAMMA1 - coefficient0; + simd_unit.coefficients[4 * i + 1] = GAMMA1 - coefficient1; + simd_unit.coefficients[4 * i + 2] = GAMMA1 - coefficient2; + simd_unit.coefficients[4 * i + 3] = GAMMA1 - coefficient3; } simd_unit @@ -121,20 +121,20 @@ fn deserialize_when_gamma1_is_2_pow_19(serialized: &[u8]) -> PortableSIMDUnit { const GAMMA1: i32 = 1 << 19; const GAMMA1_TIMES_2_BITMASK: i32 = (GAMMA1 << 1) - 1; - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); for (i, bytes) in serialized.chunks_exact(5).enumerate() { - simd_unit.coefficients[2 * i] = bytes[0] as i32; - simd_unit.coefficients[2 * i] |= (bytes[1] as i32) << 8; - simd_unit.coefficients[2 * i] |= (bytes[2] as i32) << 16; - simd_unit.coefficients[2 * i] &= GAMMA1_TIMES_2_BITMASK; + let mut coefficient0 = bytes[0] as i32; + coefficient0 |= (bytes[1] as i32) << 8; + coefficient0 |= (bytes[2] as i32) << 16; + coefficient0 &= GAMMA1_TIMES_2_BITMASK; - simd_unit.coefficients[2 * i + 1] = (bytes[2] as i32) >> 4; - simd_unit.coefficients[2 * i + 1] |= (bytes[3] as i32) << 4; - simd_unit.coefficients[2 * i + 1] |= (bytes[4] as i32) << 12; + let mut coefficient1 = (bytes[2] as i32) >> 4; + coefficient1 |= (bytes[3] as i32) << 4; + coefficient1 |= (bytes[4] as i32) << 12; - simd_unit.coefficients[2 * i] = GAMMA1 - simd_unit.coefficients[2 * i]; - simd_unit.coefficients[2 * i + 1] = GAMMA1 - simd_unit.coefficients[2 * i + 1]; + simd_unit.coefficients[2 * i] = GAMMA1 - coefficient0; + simd_unit.coefficients[2 * i + 1] = GAMMA1 - coefficient1; } simd_unit 
diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs index da66b7729..626f14c43 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t0.rs @@ -1,7 +1,6 @@ -use crate::{ - constants::BITS_IN_LOWER_PART_OF_T, - simd::{portable::PortableSIMDUnit, traits::Operations}, -}; +use crate::constants::BITS_IN_LOWER_PART_OF_T; + +use super::super::vector_type::{PortableSIMDUnit, ZERO}; // If t0 is a signed representative, change it to an unsigned one and // vice versa. @@ -63,8 +62,6 @@ pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 13] { pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { debug_assert!(serialized.len() == 13); - let mut simd_unit = PortableSIMDUnit::ZERO(); - const BITS_IN_LOWER_PART_OF_T_MASK: i32 = (1 << (BITS_IN_LOWER_PART_OF_T as i32)) - 1; let byte0 = serialized[0] as i32; 
@@ -81,50 +78,52 @@ pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { let byte11 = serialized[11] as i32; let byte12 = serialized[12] as i32; - simd_unit.coefficients[0] = byte0; - simd_unit.coefficients[0] |= byte1 << 8; - simd_unit.coefficients[0] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[1] = byte1 >> 5; - simd_unit.coefficients[1] |= byte2 << 3; - simd_unit.coefficients[1] |= byte3 << 11; - simd_unit.coefficients[1] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[2] = byte3 >> 2; - simd_unit.coefficients[2] |= byte4 << 6; - simd_unit.coefficients[2] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[3] = byte4 >> 7; - simd_unit.coefficients[3] |= byte5 << 1; - simd_unit.coefficients[3] |= byte6 << 9; - simd_unit.coefficients[3] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[4] = byte6 >> 4; - simd_unit.coefficients[4] |= byte7 << 4; - simd_unit.coefficients[4] |= byte8 << 12; - simd_unit.coefficients[4] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[5] = byte8 >> 1; - simd_unit.coefficients[5] |= byte9 << 7; - simd_unit.coefficients[5] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[6] = byte9 >> 6; - simd_unit.coefficients[6] |= byte10 << 2; - simd_unit.coefficients[6] |= byte11 << 10; - simd_unit.coefficients[6] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[7] = byte11 >> 3; - simd_unit.coefficients[7] |= byte12 << 5; - simd_unit.coefficients[7] &= BITS_IN_LOWER_PART_OF_T_MASK; - - simd_unit.coefficients[0] = change_t0_interval(simd_unit.coefficients[0]); - simd_unit.coefficients[1] = change_t0_interval(simd_unit.coefficients[1]); - simd_unit.coefficients[2] = change_t0_interval(simd_unit.coefficients[2]); - simd_unit.coefficients[3] = change_t0_interval(simd_unit.coefficients[3]); - simd_unit.coefficients[4] = change_t0_interval(simd_unit.coefficients[4]); - simd_unit.coefficients[5] = change_t0_interval(simd_unit.coefficients[5]); - simd_unit.coefficients[6] 
= change_t0_interval(simd_unit.coefficients[6]); - simd_unit.coefficients[7] = change_t0_interval(simd_unit.coefficients[7]); + let mut coefficient0 = byte0; + coefficient0 |= byte1 << 8; + coefficient0 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient1 = byte1 >> 5; + coefficient1 |= byte2 << 3; + coefficient1 |= byte3 << 11; + coefficient1 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient2 = byte3 >> 2; + coefficient2 |= byte4 << 6; + coefficient2 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient3 = byte4 >> 7; + coefficient3 |= byte5 << 1; + coefficient3 |= byte6 << 9; + coefficient3 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient4 = byte6 >> 4; + coefficient4 |= byte7 << 4; + coefficient4 |= byte8 << 12; + coefficient4 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient5 = byte8 >> 1; + coefficient5 |= byte9 << 7; + coefficient5 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient6 = byte9 >> 6; + coefficient6 |= byte10 << 2; + coefficient6 |= byte11 << 10; + coefficient6 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut coefficient7 = byte11 >> 3; + coefficient7 |= byte12 << 5; + coefficient7 &= BITS_IN_LOWER_PART_OF_T_MASK; + + let mut simd_unit = ZERO(); + + simd_unit.coefficients[0] = change_t0_interval(coefficient0); + simd_unit.coefficients[1] = change_t0_interval(coefficient1); + simd_unit.coefficients[2] = change_t0_interval(coefficient2); + simd_unit.coefficients[3] = change_t0_interval(coefficient3); + simd_unit.coefficients[4] = change_t0_interval(coefficient4); + simd_unit.coefficients[5] = change_t0_interval(coefficient5); + simd_unit.coefficients[6] = change_t0_interval(coefficient6); + simd_unit.coefficients[7] = change_t0_interval(coefficient7); simd_unit } diff --git a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs index 3b8c56515..c0fc9de40 100644 --- a/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs +++ b/libcrux-ml-dsa/src/simd/portable/encoding/t1.rs 
@@ -1,7 +1,6 @@ -use crate::{ - constants::BITS_IN_UPPER_PART_OF_T, - simd::{portable::PortableSIMDUnit, traits::Operations}, -}; +use crate::constants::BITS_IN_UPPER_PART_OF_T; + +use super::super::vector_type::{PortableSIMDUnit, ZERO}; #[inline(always)] pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 10] { @@ -25,7 +24,7 @@ pub fn serialize(simd_unit: PortableSIMDUnit) -> [u8; 10] { pub fn deserialize(serialized: &[u8]) -> PortableSIMDUnit { debug_assert!(serialized.len() == 10); - let mut simd_unit = PortableSIMDUnit::ZERO(); + let mut simd_unit = ZERO(); let mask = (1 << BITS_IN_UPPER_PART_OF_T) - 1; for (i, bytes) in serialized.chunks_exact(5).enumerate() { diff --git a/libcrux-ml-dsa/src/simd/portable/ntt.rs b/libcrux-ml-dsa/src/simd/portable/ntt.rs index ac40a9c1c..93a049c21 100644 --- a/libcrux-ml-dsa/src/simd/portable/ntt.rs +++ b/libcrux-ml-dsa/src/simd/portable/ntt.rs @@ -1,10 +1,7 @@ -use super::arithmetic::{self, montgomery_multiply_fe_by_fer}; -use crate::simd::{ - portable::PortableSIMDUnit, - traits::{ - montgomery_multiply_by_fer, COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT, - ZETAS_TIMES_MONTGOMERY_R, - }, +use super::arithmetic::{self, montgomery_multiply_by_constant, montgomery_multiply_fe_by_fer}; +use super::vector_type::PortableSIMDUnit; +use crate::simd::traits::{ + COEFFICIENTS_IN_SIMD_UNIT, SIMD_UNITS_IN_RING_ELEMENT, ZETAS_TIMES_MONTGOMERY_R, }; #[inline(always)] @@ -33,6 +30,7 @@ pub fn simd_unit_ntt_at_layer_0( simd_unit } + #[inline(always)] pub fn simd_unit_ntt_at_layer_1( mut simd_unit: PortableSIMDUnit, @@ -57,6 +55,7 @@ pub fn simd_unit_ntt_at_layer_1( simd_unit } + #[inline(always)] pub fn simd_unit_ntt_at_layer_2(mut simd_unit: PortableSIMDUnit, zeta: i32) -> PortableSIMDUnit { let t = montgomery_multiply_fe_by_fer(simd_unit.coefficients[4], zeta); @@ -104,6 +103,7 @@ pub fn invert_ntt_at_layer_0( simd_unit } + #[inline(always)] pub fn invert_ntt_at_layer_1( mut simd_unit: PortableSIMDUnit, 
@@ -128,6 +128,7 @@ pub fn invert_ntt_at_layer_1( simd_unit } + #[inline(always)] pub fn invert_ntt_at_layer_2(mut simd_unit: PortableSIMDUnit, zeta: i32) -> PortableSIMDUnit { let a_minus_b = simd_unit.coefficients[4] - simd_unit.coefficients[0]; @@ -167,6 +168,7 @@ fn ntt_at_layer_0(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_ *zeta_i -= 1; } + #[inline(always)] fn ntt_at_layer_1(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { *zeta_i += 1; @@ -183,13 +185,16 @@ fn ntt_at_layer_1(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_ *zeta_i -= 1; } + #[inline(always)] fn ntt_at_layer_2(zeta_i: &mut usize, re: &mut [PortableSIMDUnit; SIMD_UNITS_IN_RING_ELEMENT]) { for round in 0..re.len() { *zeta_i += 1; re[round] = simd_unit_ntt_at_layer_2(re[round], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); } + () } + #[inline(always)] fn ntt_at_layer_3_plus( zeta_i: &mut usize, @@ -204,12 +209,14 @@ fn ntt_at_layer_3_plus( let step_by = step / COEFFICIENTS_IN_SIMD_UNIT; for j in offset..offset + step_by { - let t = montgomery_multiply_by_fer(re[j + step_by], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); + let t = + montgomery_multiply_by_constant(re[j + step_by], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); re[j + step_by] = arithmetic::subtract(&re[j], &t); re[j] = arithmetic::add(&re[j], &t); } } + () // Needed because of https://github.com/hacspec/hax/issues/720 } #[inline(always)] diff --git a/libcrux-ml-dsa/src/simd/portable/vector_type.rs b/libcrux-ml-dsa/src/simd/portable/vector_type.rs new file mode 100644 index 000000000..3a71624d9 --- /dev/null +++ b/libcrux-ml-dsa/src/simd/portable/vector_type.rs 
@@ -0,0 +1,26 @@
+use crate::simd::traits::COEFFICIENTS_IN_SIMD_UNIT;
+/// Values having this type hold a representative 'x' of the ML-DSA field.
+/// We use 'fe' as a shorthand for this type.
+pub(crate) type FieldElement = i32;
+
+#[derive(Clone, Copy)]
+pub struct PortableSIMDUnit {
+ pub(crate) coefficients: [FieldElement; COEFFICIENTS_IN_SIMD_UNIT],
+}
+
+#[allow(non_snake_case)]
+pub(crate) fn ZERO() -> PortableSIMDUnit {
+ PortableSIMDUnit {
+ coefficients: [0i32; COEFFICIENTS_IN_SIMD_UNIT],
+ }
+}
+
+pub(crate) fn from_coefficient_array(array: &[i32]) -> PortableSIMDUnit {
+ PortableSIMDUnit {
+ coefficients: array[0..8].try_into().unwrap(),
+ }
+}
+
+pub(crate) fn to_coefficient_array(x: &PortableSIMDUnit) -> [i32; 8] {
+ x.coefficients
+}
diff --git a/libcrux-ml-dsa/src/simd/tests.rs b/libcrux-ml-dsa/src/simd/tests.rs
new file mode 100644
index 000000000..acd67ac45
--- /dev/null
+++ b/libcrux-ml-dsa/src/simd/tests.rs
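Review bot: `from_coefficient_array` in the new portable/vector_type.rs hard-codes `array[0..8]` while the struct field a few lines above is sized by `COEFFICIENTS_IN_SIMD_UNIT`; if the constant ever changes, the slice bound silently does not and `try_into()` starts panicking. `coefficients: array[0..COEFFICIENTS_IN_SIMD_UNIT].try_into().unwrap(),` keeps the two in step; the `[i32; 8]` return type of `to_coefficient_array` is fixed by the trait signature and can stay.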
@@ -0,0 +1,94 @@ +use crate::simd::traits::*; + +fn test_decompose_generic() { + // When GAMMA2 = 95,232 + let input = SIMDUnit::from_coefficient_array(&[ + 5520769, 5416853, 180455, 8127421, 5159850, 5553986, 3391280, 3968290, + ]); + + let expected_low = SIMDUnit::from_coefficient_array(&[ + -2687, 83861, -10009, -62531, 17322, 30530, -37072, -31454, + ]); + let expected_high = SIMDUnit::from_coefficient_array(&[29, 28, 1, 43, 27, 29, 18, 21]); + + let (low, high) = SIMDUnit::decompose::<95_232>(input); + + assert_eq!( + low.to_coefficient_array(), + expected_low.to_coefficient_array() + ); + assert_eq!( + high.to_coefficient_array(), + expected_high.to_coefficient_array() + ); + + // When GAMMA2 = 261,888 + let input = SIMDUnit::from_coefficient_array(&[ + 2108939, 7162128, 6506792, 7957464, 2350341, 8333084, 496214, 2168929, + ]); + + let expected_low = SIMDUnit::from_coefficient_array(&[ + 13835, -170736, 221480, 100824, 255237, -47333, -27562, 73825, + ]); + let expected_high = SIMDUnit::from_coefficient_array(&[4, 14, 12, 15, 4, 0, 1, 4]); + + let (low, high) = SIMDUnit::decompose::<261_888>(input); + + assert_eq!( + low.to_coefficient_array(), + expected_low.to_coefficient_array() + ); + assert_eq!( + high.to_coefficient_array(), + expected_high.to_coefficient_array() + ); +} + +fn test_power2round_generic() { + let input = SIMDUnit::from_coefficient_array(&[ + 6950677, 3362411, 5783989, 5909314, 6459529, 5751812, 864332, 3667708, + ]); + + let expected_low = + SIMDUnit::from_coefficient_array(&[3861, 3691, 437, 2882, -3959, 1028, -4020, -2308]); + let expected_high = SIMDUnit::from_coefficient_array(&[848, 410, 706, 721, 789, 702, 106, 448]); + + let (low, high) = SIMDUnit::power2round(input); + + assert_eq!( + low.to_coefficient_array(), + expected_low.to_coefficient_array() + ); + assert_eq!( + high.to_coefficient_array(), + expected_high.to_coefficient_array() + ); +} + +#[cfg(not(feature = "simd256"))] +mod portable { + use 
super::{test_decompose_generic, test_power2round_generic}; + + #[test] + fn test_decompose() { + test_decompose_generic::(); + } + #[test] + fn test_power2round() { + test_power2round_generic::(); + } +} + +#[cfg(feature = "simd256")] +mod avx2 { + use super::{test_decompose_generic, test_power2round_generic}; + + #[test] + fn test_decompose() { + test_decompose_generic::(); + } + #[test] + fn test_power2round() { + test_power2round_generic::(); + } +} diff --git a/libcrux-ml-dsa/src/simd/traits.rs b/libcrux-ml-dsa/src/simd/traits.rs index 71d7455f1..c50ff8537 100644 --- a/libcrux-ml-dsa/src/simd/traits.rs +++ b/libcrux-ml-dsa/src/simd/traits.rs 
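Review bot: The portable tests in the new tests.rs are compiled only under `#[cfg(not(feature = "simd256"))]`, yet `pub(crate) mod portable` is declared unconditionally in simd.rs, so a build with `simd256` loses portable coverage for no reason and no single `cargo test` run checks both backends. Dropping the cfg on `mod portable` while keeping `#[cfg(feature = "simd256")]` on `mod avx2` tests the portable backend in every configuration. The avx2 tests also assume the host CPU has AVX2; whether a runtime-detection guard exists is not visible here.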
@@ -121,102 +121,3 @@ pub(crate) trait Operations: Copy + Clone { pub fn montgomery_multiply_by_fer(simd_unit: S, fer: i32) -> S { S::montgomery_multiply_by_constant(simd_unit, fer) } - -#[cfg(test)] -mod tests { - use super::*; - - fn test_decompose_generic() { - // When GAMMA2 = 95,232 - let input = SIMDUnit::from_coefficient_array(&[ - 5520769, 5416853, 180455, 8127421, 5159850, 5553986, 3391280, 3968290, - ]); - - let expected_low = SIMDUnit::from_coefficient_array(&[ - -2687, 83861, -10009, -62531, 17322, 30530, -37072, -31454, - ]); - let expected_high = SIMDUnit::from_coefficient_array(&[29, 28, 1, 43, 27, 29, 18, 21]); - - let (low, high) = SIMDUnit::decompose::<95_232>(input); - - assert_eq!( - low.to_coefficient_array(), - expected_low.to_coefficient_array() - ); - assert_eq!( - high.to_coefficient_array(), - expected_high.to_coefficient_array() - ); - - // When GAMMA2 = 261,888 - let input = SIMDUnit::from_coefficient_array(&[ - 2108939, 7162128, 6506792, 7957464, 2350341, 8333084, 496214, 2168929, - ]); - - let expected_low = SIMDUnit::from_coefficient_array(&[ - 13835, -170736, 221480, 100824, 255237, -47333, -27562, 73825, - ]); - let expected_high = SIMDUnit::from_coefficient_array(&[4, 14, 12, 15, 4, 0, 1, 4]); - - let (low, high) = SIMDUnit::decompose::<261_888>(input); - - assert_eq!( - low.to_coefficient_array(), - expected_low.to_coefficient_array() - ); - assert_eq!( - high.to_coefficient_array(), - expected_high.to_coefficient_array() - ); - } - - fn test_power2round_generic() { - let input = SIMDUnit::from_coefficient_array(&[ - 6950677, 3362411, 5783989, 5909314, 6459529, 5751812, 864332, 3667708, - ]); - - let expected_low = - SIMDUnit::from_coefficient_array(&[3861, 3691, 437, 2882, -3959, 1028, -4020, -2308]); - let expected_high = - SIMDUnit::from_coefficient_array(&[848, 410, 706, 721, 789, 702, 106, 448]); - - let (low, high) = SIMDUnit::power2round(input); - - assert_eq!( - low.to_coefficient_array(), - 
expected_low.to_coefficient_array() - ); - assert_eq!( - high.to_coefficient_array(), - expected_high.to_coefficient_array() - ); - } - - #[cfg(not(feature = "simd256"))] - mod portable { - use super::{test_decompose_generic, test_power2round_generic}; - - #[test] - fn test_decompose() { - test_decompose_generic::(); - } - #[test] - fn test_power2round() { - test_power2round_generic::(); - } - } - - #[cfg(feature = "simd256")] - mod avx2 { - use super::{test_decompose_generic, test_power2round_generic}; - - #[test] - fn test_decompose() { - test_decompose_generic::(); - } - #[test] - fn test_power2round() { - test_power2round_generic::(); - } - } -} diff --git a/libcrux-ml-dsa/src/types.rs b/libcrux-ml-dsa/src/types.rs index 72c5e1479..d432b1e99 100644 --- a/libcrux-ml-dsa/src/types.rs +++ b/libcrux-ml-dsa/src/types.rs @@ -33,3 +33,30 @@ pub struct MLDSAKeyPair, pub verification_key: MLDSAVerificationKey, } + +use crate::{constants::*, polynomial::PolynomialRingElement, simd::traits::Operations}; + +pub(crate) struct Signature< + SIMDUnit: Operations, + const COMMITMENT_HASH_SIZE: usize, + const COLUMNS_IN_A: usize, + const ROWS_IN_A: usize, +> { + pub commitment_hash: [u8; COMMITMENT_HASH_SIZE], + pub signer_response: [PolynomialRingElement; COLUMNS_IN_A], + pub hint: [[i32; COEFFICIENTS_IN_RING_ELEMENT]; ROWS_IN_A], +} + +#[derive(Debug)] +pub enum VerificationError { + MalformedHintError, + SignerResponseExceedsBoundError, + CommitmentHashesDontMatchError, + ContextTooLongError, +} + +#[derive(Debug)] +pub enum SigningError { + RejectionSamplingError, + ContextTooLongError, +} diff --git a/libcrux-ml-kem/Cargo.toml b/libcrux-ml-kem/Cargo.toml index 87e585f3c..08e922560 100644 --- a/libcrux-ml-kem/Cargo.toml +++ b/libcrux-ml-kem/Cargo.toml 
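Review bot: In types.rs the new `use crate::{constants::*, polynomial::PolynomialRingElement, simd::traits::Operations};` is placed mid-file, after the `MLDSAKeyPair` struct, instead of with the file's other imports at the top; move it up. The new public `VerificationError` and `SigningError` enums carry no documentation and only `derive(Debug)`; each variant needs a doc comment stating the condition that produces it (`ContextTooLongError` presumably refers to the context-string length limit — confirm), and `#[non_exhaustive]` on both enums would allow adding variants later without a breaking change. Whether `Display`/`Error` impls are wanted depends on the crate's `no_std` story, which is not visible here.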
@@ -26,8 +26,7 @@ rand = { version = "0.8", optional = true } libcrux-platform = { version = "0.0.2-beta.2", path = "../sys/platform" } libcrux-sha3 = { version = "0.0.2-beta.2", path = "../libcrux-sha3" } libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics" } - -hax-lib.workspace = true +hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" } [features] # By default all variants and std are enabled. @@ -44,9 +43,6 @@ mlkem512 = [] mlkem768 = [] mlkem1024 = [] -# Enable the unpacked API -unpacked = [] - # Enable Round 3 Kyber in addition to ML-KEM kyber = [] @@ -83,7 +79,7 @@ name = "keygen" required-features = ["mlkem768"] [package.metadata."docs.rs"] -features = ["pre-verification", "kyber", "unpacked"] +features = ["pre-verification", "kyber"] rustdoc-args = ["--cfg", "doc_cfg"] [lints.rust] diff --git a/libcrux-ml-kem/cg/karamel/endianness.h b/libcrux-ml-kem/cg/karamel/endianness.h new file mode 100644 index 000000000..d59d9854d --- /dev/null +++ b/libcrux-ml-kem/cg/karamel/endianness.h 
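Review bot: `hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" }` replaces the workspace-managed dependency with a git source that has no `rev`, `tag` or `branch`, so the only thing holding it to a commit is Cargo.lock, and this crate now resolves hax-lib separately from the rest of the workspace (a second copy of a proc-macro dependency, possibly at a different commit). Either keep `hax-lib.workspace = true` and change the source once in the workspace manifest, or pin explicitly: `hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/", rev = "<PINNED_COMMIT>" }`. If following a floating default branch is intended for this WIP commit, a one-line comment saying so saves the next reviewer from re-raising it.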
@@ -0,0 +1,228 @@ +/* Copyright (c) INRIA and Microsoft Corporation. All rights reserved. + Licensed under the Apache 2.0 and MIT Licenses. */ + +#ifndef __LOWSTAR_ENDIANNESS_H +#define __LOWSTAR_ENDIANNESS_H + +#include +#include + +/******************************************************************************/ +/* Implementing C.fst (part 2: endian-ness macros) */ +/******************************************************************************/ + +/* ... for Linux */ +#if defined(__linux__) || defined(__CYGWIN__) || \ + defined(__USE_SYSTEM_ENDIAN_H__) || defined(__GLIBC__) +#include + +/* ... for OSX */ +#elif defined(__APPLE__) +#include +#define htole64(x) OSSwapHostToLittleInt64(x) +#define le64toh(x) OSSwapLittleToHostInt64(x) +#define htobe64(x) OSSwapHostToBigInt64(x) +#define be64toh(x) OSSwapBigToHostInt64(x) + +#define htole16(x) OSSwapHostToLittleInt16(x) +#define le16toh(x) OSSwapLittleToHostInt16(x) +#define htobe16(x) OSSwapHostToBigInt16(x) +#define be16toh(x) OSSwapBigToHostInt16(x) + +#define htole32(x) OSSwapHostToLittleInt32(x) +#define le32toh(x) OSSwapLittleToHostInt32(x) +#define htobe32(x) OSSwapHostToBigInt32(x) +#define be32toh(x) OSSwapBigToHostInt32(x) + +/* ... for Solaris */ +#elif defined(__sun__) +#include +#define htole64(x) LE_64(x) +#define le64toh(x) LE_64(x) +#define htobe64(x) BE_64(x) +#define be64toh(x) BE_64(x) + +#define htole16(x) LE_16(x) +#define le16toh(x) LE_16(x) +#define htobe16(x) BE_16(x) +#define be16toh(x) BE_16(x) + +#define htole32(x) LE_32(x) +#define le32toh(x) LE_32(x) +#define htobe32(x) BE_32(x) +#define be32toh(x) BE_32(x) + +/* ... for the BSDs */ +#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__DragonFly__) +#include +#elif defined(__OpenBSD__) +#include + +/* ... for Windows (MSVC)... not targeting XBOX 360! 
*/ +#elif defined(_MSC_VER) + +#include +#define htobe16(x) _byteswap_ushort(x) +#define htole16(x) (x) +#define be16toh(x) _byteswap_ushort(x) +#define le16toh(x) (x) + +#define htobe32(x) _byteswap_ulong(x) +#define htole32(x) (x) +#define be32toh(x) _byteswap_ulong(x) +#define le32toh(x) (x) + +#define htobe64(x) _byteswap_uint64(x) +#define htole64(x) (x) +#define be64toh(x) _byteswap_uint64(x) +#define le64toh(x) (x) + +/* ... for Windows (GCC-like, e.g. mingw or clang) */ +#elif (defined(_WIN32) || defined(_WIN64) || defined(__EMSCRIPTEN__)) && \ + (defined(__GNUC__) || defined(__clang__)) + +#define htobe16(x) __builtin_bswap16(x) +#define htole16(x) (x) +#define be16toh(x) __builtin_bswap16(x) +#define le16toh(x) (x) + +#define htobe32(x) __builtin_bswap32(x) +#define htole32(x) (x) +#define be32toh(x) __builtin_bswap32(x) +#define le32toh(x) (x) + +#define htobe64(x) __builtin_bswap64(x) +#define htole64(x) (x) +#define be64toh(x) __builtin_bswap64(x) +#define le64toh(x) (x) + +/* ... generic big-endian fallback code */ +/* ... AIX doesn't have __BYTE_ORDER__ (with XLC compiler) & is always + * big-endian */ +#elif (defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__) || \ + defined(_AIX) + +/* byte swapping code inspired by: + * https://github.com/rweather/arduinolibs/blob/master/libraries/Crypto/utility/EndianUtil.h + * */ + +#define htobe32(x) (x) +#define be32toh(x) (x) +#define htole32(x) \ + (__extension__({ \ + uint32_t _temp = (x); \ + ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ + ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ + })) +#define le32toh(x) (htole32((x))) + +#define htobe64(x) (x) +#define be64toh(x) (x) +#define htole64(x) \ + (__extension__({ \ + uint64_t __temp = (x); \ + uint32_t __low = htobe32((uint32_t)__temp); \ + uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ + (((uint64_t)__low) << 32) | __high; \ + })) +#define le64toh(x) (htole64((x))) + +/* ... 
generic little-endian fallback code */ +#elif defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ + +#define htole32(x) (x) +#define le32toh(x) (x) +#define htobe32(x) \ + (__extension__({ \ + uint32_t _temp = (x); \ + ((_temp >> 24) & 0x000000FF) | ((_temp >> 8) & 0x0000FF00) | \ + ((_temp << 8) & 0x00FF0000) | ((_temp << 24) & 0xFF000000); \ + })) +#define be32toh(x) (htobe32((x))) + +#define htole64(x) (x) +#define le64toh(x) (x) +#define htobe64(x) \ + (__extension__({ \ + uint64_t __temp = (x); \ + uint32_t __low = htobe32((uint32_t)__temp); \ + uint32_t __high = htobe32((uint32_t)(__temp >> 32)); \ + (((uint64_t)__low) << 32) | __high; \ + })) +#define be64toh(x) (htobe64((x))) + +/* ... couldn't determine endian-ness of the target platform */ +#else +#error "Please define __BYTE_ORDER__!" + +#endif /* defined(__linux__) || ... */ + +/* Loads and stores. These avoid undefined behavior due to unaligned memory + * accesses, via memcpy. */ + +inline static uint16_t load16(uint8_t *b) { + uint16_t x; + memcpy(&x, b, 2); + return x; +} + +inline static uint32_t load32(uint8_t *b) { + uint32_t x; + memcpy(&x, b, 4); + return x; +} + +inline static uint64_t load64(uint8_t *b) { + uint64_t x; + memcpy(&x, b, 8); + return x; +} + +inline static void store16(uint8_t *b, uint16_t i) { memcpy(b, &i, 2); } + +inline static void store32(uint8_t *b, uint32_t i) { memcpy(b, &i, 4); } + +inline static void store64(uint8_t *b, uint64_t i) { memcpy(b, &i, 8); } + +/* Legacy accessors so that this header can serve as an implementation of + * C.Endianness */ +#define load16_le(b) (le16toh(load16(b))) +#define store16_le(b, i) (store16(b, htole16(i))) +#define load16_be(b) (be16toh(load16(b))) +#define store16_be(b, i) (store16(b, htobe16(i))) + +#define load32_le(b) (le32toh(load32(b))) +#define store32_le(b, i) (store32(b, htole32(i))) +#define load32_be(b) (be32toh(load32(b))) +#define store32_be(b, i) (store32(b, htobe32(i))) + +#define load64_le(b) 
(le64toh(load64(b)))
+#define store64_le(b, i) (store64(b, htole64(i)))
+#define load64_be(b) (be64toh(load64(b)))
+#define store64_be(b, i) (store64(b, htobe64(i)))
+
+/* Co-existence of LowStar.Endianness and FStar.Endianness generates name
+ * conflicts, because of course both insist on having no prefixes. Until a
+ * prefix is added, or until we truly retire FStar.Endianness, solve this issue
+ * in an elegant way. */
+#define load16_le0 load16_le
+#define store16_le0 store16_le
+#define load16_be0 load16_be
+#define store16_be0 store16_be
+
+#define load32_le0 load32_le
+#define store32_le0 store32_le
+#define load32_be0 load32_be
+#define store32_be0 store32_be
+
+#define load64_le0 load64_le
+#define store64_le0 store64_le
+#define load64_be0 load64_be
+#define store64_be0 store64_be
+
+#define load128_le0 load128_le
+#define store128_le0 store128_le
+#define load128_be0 load128_be
+#define store128_be0 store128_be
+
+#endif
diff --git a/libcrux-ml-kem/fuzz/.gitignore b/libcrux-ml-kem/fuzz/.gitignore
new file mode 100644
index 000000000..1a45eee77
--- /dev/null
+++ b/libcrux-ml-kem/fuzz/.gitignore
@@ -0,0 +1,4 @@
+target
+corpus
+artifacts
+coverage
diff --git a/libcrux-ml-kem/fuzz/Cargo.toml b/libcrux-ml-kem/fuzz/Cargo.toml
new file mode 100644
index 000000000..ccb5bed0d
--- /dev/null
+++ b/libcrux-ml-kem/fuzz/Cargo.toml
@@ -0,0 +1,35 @@
+[package]
+name = "libcrux-ml-kem-fuzz"
+version = "0.0.0"
+publish = false
+edition = "2021"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+
+[dependencies.libcrux-ml-kem]
+path = ".."
+
+[[bin]]
+name = "keygen"
+path = "fuzz_targets/keygen.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "encaps"
+path = "fuzz_targets/encaps.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "decaps"
+path = "fuzz_targets/decaps.rs"
+test = false
+doc = false
+bench = false
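Review bot: `[dependencies.libcrux-ml-kem]` with only `path = ".."` relies on the parent crate's default features for the `mlkem768` module all three targets import; spelling it out as `features = ["mlkem768"]` keeps the fuzz build independent of future changes to the default feature set. The manifest also lacks the `[profile.release]` section with `debug = 1` that cargo-fuzz's template normally emits, which is what keeps sanitizer stack traces symbolized — presumably dropped by hand rather than intentionally. It is worth confirming that the root workspace excludes `libcrux-ml-kem/fuzz` (or that this crate declares its own `[workspace]`), since cargo refuses to build a nested package that the enclosing workspace neither lists nor excludes.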
diff --git a/libcrux-ml-kem/fuzz/fuzz_targets/decaps.rs b/libcrux-ml-kem/fuzz/fuzz_targets/decaps.rs
new file mode 100644
index 000000000..f2aaa8a28
--- /dev/null
+++ b/libcrux-ml-kem/fuzz/fuzz_targets/decaps.rs
@@ -0,0 +1,25 @@
+#![no_main]
+
+use libcrux_ml_kem::{mlkem768, ENCAPS_SEED_SIZE, KEY_GENERATION_SEED_SIZE};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ if data.len() < KEY_GENERATION_SEED_SIZE + ENCAPS_SEED_SIZE {
+ // Not enough entropy
+ return;
+ }
+
+ let mut randomness = [0u8; KEY_GENERATION_SEED_SIZE];
+ randomness.copy_from_slice(&data[..KEY_GENERATION_SEED_SIZE]);
+
+ let key_pair = mlkem768::generate_key_pair(randomness);
+
+ let mut randomness = [0u8; ENCAPS_SEED_SIZE];
+ randomness.copy_from_slice(
+ &data[KEY_GENERATION_SEED_SIZE..KEY_GENERATION_SEED_SIZE + ENCAPS_SEED_SIZE],
+ );
+
+ let (ct, _ss) = mlkem768::encapsulate(key_pair.public_key(), randomness);
+
+ let _ = core::hint::black_box(mlkem768::decapsulate(key_pair.private_key(), &ct));
+});
diff --git a/libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs b/libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs
new file mode 100644
index 000000000..84342631c
--- /dev/null
+++ b/libcrux-ml-kem/fuzz/fuzz_targets/encaps.rs
@@ -0,0 +1,23 @@
+#![no_main]
+
+use libcrux_ml_kem::{mlkem768, ENCAPS_SEED_SIZE, KEY_GENERATION_SEED_SIZE};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ if data.len() < KEY_GENERATION_SEED_SIZE + ENCAPS_SEED_SIZE {
+ // Not enough entropy
+ return;
+ }
+
+ let mut randomness = [0u8; KEY_GENERATION_SEED_SIZE];
+ randomness.copy_from_slice(&data[..KEY_GENERATION_SEED_SIZE]);
+
+ let key_pair = mlkem768::generate_key_pair(randomness);
+
+ let mut randomness = [0u8; ENCAPS_SEED_SIZE];
+ randomness.copy_from_slice(
+ &data[KEY_GENERATION_SEED_SIZE..KEY_GENERATION_SEED_SIZE + ENCAPS_SEED_SIZE],
+ );
+
+ let _ = core::hint::black_box(mlkem768::encapsulate(key_pair.public_key(), randomness));
+});
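Review bot: In decaps.rs the shared secret from `encapsulate` is discarded as `_ss` and the decapsulation result is only black-boxed, so the harness can catch panics but never a wrong shared secret; asserting agreement costs nothing and turns the target into a correctness oracle: `let (ct, ss) = mlkem768::encapsulate(key_pair.public_key(), randomness);` followed by `assert_eq!(ss, mlkem768::decapsulate(key_pair.private_key(), &ct));` (assuming the shared-secret type supports equality, which the 32-byte array it is in this crate does). Because the ciphertext always comes from a fresh `encapsulate`, mutated bytes never reach ciphertext decoding or the implicit-rejection path; when enough input remains after the two seeds, building the ciphertext from those bytes as well would cover that path. The fuzz input is also used purely as deterministic seed material, so `// Not enough entropy` is misleading — `// Not enough input bytes for both seeds` says what the check does. encaps.rs on the same line shares the black-box pattern but has no second result to compare against, so only the comment nit applies there.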
diff --git a/libcrux-ml-kem/fuzz/fuzz_targets/keygen.rs b/libcrux-ml-kem/fuzz/fuzz_targets/keygen.rs
new file mode 100644
index 000000000..5af308d21
--- /dev/null
+++ b/libcrux-ml-kem/fuzz/fuzz_targets/keygen.rs
@@ -0,0 +1,14 @@
+#![no_main]
+
+use libcrux_ml_kem::{mlkem768, KEY_GENERATION_SEED_SIZE};
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+ if data.len() < KEY_GENERATION_SEED_SIZE {
+ // We need enough entropy.
+ return;
+ }
+ let mut randomness = [0u8; KEY_GENERATION_SEED_SIZE];
+ randomness.copy_from_slice(&data[..KEY_GENERATION_SEED_SIZE]);
+ let _ = core::hint::black_box(mlkem768::generate_key_pair(randomness));
+});
diff --git a/libcrux-ml-kem/hax.py b/libcrux-ml-kem/hax.py
index d5f025639..b95b864ab 100755
--- a/libcrux-ml-kem/hax.py
+++ b/libcrux-ml-kem/hax.py
@@ -40,8 +40,6 @@ def __call__(self, parser, args, values, option_string=None) -> None:
 "-i",
 include_str,
 "fstar",
- "--z3rlimit",
- "80",
 "--interfaces",
 interface_include,
 ]
@@ -66,8 +64,6 @@ def __call__(self, parser, args, values, option_string=None) -> None:
 "-i",
 include_str,
 "fstar",
- "--z3rlimit",
- "80",
 "--interfaces",
 interface_include,
 ]
@@ -98,12 +94,9 @@ def __call__(self, parser, args, values, option_string=None) -> None:
 "simd128,simd256,pre-verification",
 ";",
 "into",
- "-vv",
 "-i",
 include_str,
 "fstar",
- "--z3rlimit",
- "100",
 "--interfaces",
 interface_include,
 ]
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst
new file mode 100644
index 000000000..cecdf9ad1
--- /dev/null
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst
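Review bot: The three hax.py hunks drop the explicit `"--z3rlimit", "80"` / `"--z3rlimit", "100"` arguments (and `"-vv"` in the third), so extraction falls back to hax's default resource limit; the modules extracted in this same commit carry `#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"`, which presumably is that default. If the larger limits were there because some modules need them, proof checking now runs with a much smaller budget and may become flaky or fail; if per-module `#set-options` is the intended replacement, a short comment at the removal site, e.g. `# z3rlimit is now set per module via #set-options`, would stop the next reader from re-adding the flag. `__call__`'s body begins and ends outside all three hunks, and the same point applies to each of them.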
@@ -0,0 +1,89 @@ +module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions.Avx2 in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash public_key randomness + +let unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K + v_T_AS_NTT_ENCODED_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + public_key + unpacked_public_key + <: + 
(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key + +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE + v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + key_pair ciphertext + +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, out:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + randomness out + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + 
Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + out diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti new file mode 100644 index 000000000..609428969 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti 
@@ -0,0 +1,56 @@ +module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions.Avx2 in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +/// Unpacked encapsulate +val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Unpacked decapsulate +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a key pair +val generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst new file mode 100644 index 000000000..91614ab24 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst 
@@ -0,0 +1,89 @@ +module Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions.Neon in + let open Libcrux_ml_kem.Vector.Neon in + () + +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash public_key randomness + +let unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K + v_T_AS_NTT_ENCODED_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash + 
#Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + unpacked_public_key + +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE + v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash key_pair ciphertext + +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, out:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + 
#Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash randomness out + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + out diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti new file mode 100644 index 000000000..e602961e3 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti 
@@ -0,0 +1,60 @@ +module Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions.Neon in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Unpacked encapsulate +val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Unpacked decapsulate +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a key pair +val generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst new file mode 100644 index 000000000..3d5ed41ba --- /dev/null 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst 
@@ -0,0 +1,89 @@ +module Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions.Portable in + let open Libcrux_ml_kem.Vector.Portable in + () + +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) public_key randomness + +let unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.unpack_public_key v_K + v_T_AS_NTT_ENCODED_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash 
v_K) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + unpacked_public_key + +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE + v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) key_pair ciphertext + +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, out:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + 
#Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) randomness out + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + out diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti new file mode 100644 index 000000000..ef16fb9d1 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti 
@@ -0,0 +1,60 @@ +module Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions.Portable in + let open Libcrux_ml_kem.Vector.Portable in + () + +/// Unpacked encapsulate +val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Unpacked decapsulate +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate a key pair +val generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst new file mode 100644 index 000000000..ca698a11d --- /dev/null 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst 
@@ -0,0 +1,108 @@ +module Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 4) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 1536) + (sz 1568) + public_key + serialized + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 4) + (sz 1536) + (sz 1536) + (sz 1568) + 
public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536) + (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1600) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, key_pair:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 4) + (sz 1536) + (sz 3168) + (sz 1568) + (sz 1536) + (sz 2) + (sz 128) + randomness + key_pair + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti new file mode 100644 index 000000000..98114aa20 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti 
@@ -0,0 +1,86 @@ +module Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 1024 (unpacked) +/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: +/// +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 1024 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] +/// and an [`MlKem1024Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst new file mode 100644 index 000000000..3b74c3b27 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst 
@@ -0,0 +1,108 @@ +module Libcrux_ml_kem.Mlkem1024.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 4) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 1536) + (sz 1568) + public_key + serialized + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + 
Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 4) + (sz 1536) + (sz 1536) + (sz 1568) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536) + (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1600) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, key_pair:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 4) + (sz 1536) + (sz 3168) + (sz 1568) + (sz 1536) + (sz 2) + (sz 128) + randomness + key_pair + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti new file mode 100644 index 000000000..46f643f14 --- /dev/null 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti 
@@ -0,0 +1,94 @@ +module Libcrux_ml_kem.Mlkem1024.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 1024 (unpacked) +/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: +/// +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. 
+val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 1024 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] +/// and an [`MlKem1024Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst new file mode 100644 index 000000000..b77d33651 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst 
@@ -0,0 +1,108 @@ +module Libcrux_ml_kem.Mlkem1024.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 4) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 1536) + (sz 1568) + public_key + serialized + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + 
Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 4) + (sz 1536) + (sz 1536) + (sz 1568) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 4) (sz 3168) (sz 1536) + (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1600) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, key_pair:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 4) + (sz 1536) + (sz 3168) + (sz 1568) + (sz 1536) + (sz 2) + (sz 128) + randomness + key_pair + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti new file mode 100644 index 000000000..fdc651118 
--- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti 
@@ -0,0 +1,94 @@ +module Libcrux_ml_kem.Mlkem1024.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 1024 (unpacked) +/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem1024PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +/// TODO: The F* prefix opens required modules, it should go away when the following issue is resolved: +/// +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. 
+val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 1024 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] +/// and an [`MlKem1024Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. 
+val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst new file mode 100644 index 000000000..363d3888a --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fst 
@@ -0,0 +1,51 @@ +module Libcrux_ml_kem.Mlkem1024.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +let encapsulate + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) = + Libcrux_ml_kem.Mlkem1024.encapsulate public_key randomness + in + rng, hax_temp_output + <: + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))) + +let generate_key_pair + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) = + Libcrux_ml_kem.Mlkem1024.generate_key_pair randomness + in + rng, 
hax_temp_output + <: + (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti new file mode 100644 index 000000000..a6890b7d0 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Rand.fsti @@ -0,0 +1,39 @@ +module Libcrux_ml_kem.Mlkem1024.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +/// Encapsulate ML-KEM 1024 +/// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an [`MlKem1024PublicKey`]. +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +val encapsulate + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (rng: impl_277843321_) + : Prims.Pure + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32))) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 1024 Key Pair +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +/// This function returns an [`MlKem1024KeyPair`]. +val generate_key_pair + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (rng: impl_277843321_) + : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst new file mode 100644 index 000000000..6fc3cda34 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst 
@@ -0,0 +1,104 @@ +module Libcrux_ml_kem.Mlkem512.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) + (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + = + let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 2) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 768) + (sz 800) + public_key + serialized + <: + (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + 
Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 2) + (sz 768) + (sz 768) + (sz 800) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) + (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) + (sz 800) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti new file mode 100644 index 000000000..cd0cb965f --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti 
@@ -0,0 +1,84 @@ +module Libcrux_ml_kem.Mlkem512.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 512 (unpacked) +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 512 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] +/// and an [`MlKem512Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst new file mode 100644 index 000000000..273041027 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst 
@@ -0,0 +1,104 @@ +module Libcrux_ml_kem.Mlkem512.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) + (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + = + let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 2) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 768) + (sz 800) + public_key + serialized + <: + (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + 
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 2) + (sz 768) + (sz 768) + (sz 800) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) + (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) + (sz 800) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti new file mode 100644 index 000000000..40ecdcc8d --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti 
@@ -0,0 +1,92 @@ +module Libcrux_ml_kem.Mlkem512.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 512 (unpacked) +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 512 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] +/// and an [`MlKem512Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst new file mode 100644 index 000000000..54eb129c9 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst 
@@ -0,0 +1,105 @@ +module Libcrux_ml_kem.Mlkem512.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) + (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key + randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + = + let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 2) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 768) + (sz 800) + public_key + serialized + <: + (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + 
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 2) + (sz 768) + (sz 768) + (sz 800) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 2) (sz 1632) (sz 768) + (sz 800) (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) + (sz 128) (sz 800) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti new file mode 100644 index 000000000..2aee55d13 --- /dev/null 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti 
@@ -0,0 +1,92 @@ +module Libcrux_ml_kem.Mlkem512.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 512 (unpacked) +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 512 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] +/// and an [`MlKem512Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair in "unpacked" form +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst new file mode 100644 index 000000000..e0359272f --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fst 
@@ -0,0 +1,49 @@ +module Libcrux_ml_kem.Mlkem512.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +let encapsulate + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) = + Libcrux_ml_kem.Mlkem512.encapsulate public_key randomness + in + rng, hax_temp_output + <: + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))) + +let generate_key_pair + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = + Libcrux_ml_kem.Mlkem512.generate_key_pair randomness + in + rng, 
hax_temp_output <: (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti new file mode 100644 index 000000000..95ba62654 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Rand.fsti @@ -0,0 +1,39 @@ +module Libcrux_ml_kem.Mlkem512.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +/// Encapsulate ML-KEM 512 +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an [`MlKem512PublicKey`]. +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +val encapsulate + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (rng: impl_277843321_) + : Prims.Pure + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32))) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 512 Key Pair +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +/// This function returns an [`MlKem512KeyPair`]. +val generate_key_pair + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (rng: impl_277843321_) + : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst new file mode 100644 index 000000000..1a75cf7bf --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst 
@@ -0,0 +1,140 @@ +module Libcrux_ml_kem.Mlkem768.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 1152) + (sz 1184) + public_key + serialized + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 3) + (sz 1152) + (sz 1152) + (sz 1184) + 
public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) + (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1120) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + (sz 1152) + (sz 1184) + key_pair + serialized + in + serialized + +let public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (pk: + 
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let pk:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector = + Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__public_key (sz 3) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector + key_pair + <: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + pk diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti new file mode 100644 index 000000000..4d8df4bc3 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti 
@@ -0,0 +1,106 @@ +module Libcrux_ml_kem.Mlkem768.Avx2.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Avx2 in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 768 (unpacked) +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 768 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] +/// and an [`MlKem768Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair in "unpacked" form. +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst new file mode 100644 index 000000000..1b1c3736e --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst 
@@ -0,0 +1,141 @@ +module Libcrux_ml_kem.Mlkem768.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Neon.Vector_type in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 1152) + (sz 1184) + public_key + serialized + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + 
(), + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 3) + (sz 1152) + (sz 1152) + (sz 1184) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) + (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1120) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + (sz 1152) + (sz 1184) + 
key_pair + serialized + in + serialized + +let public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let pk:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = + Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__public_key (sz 3) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + key_pair + <: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + pk diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti new file mode 100644 index 000000000..3c76dc76c --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti 
@@ -0,0 +1,117 @@ +module Libcrux_ml_kem.Mlkem768.Neon.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Neon.Vector_type in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 768 (unpacked) +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. 
+val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 768 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] +/// and an [`MlKem768Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair in "unpacked" form. +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. 
+val key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst new file mode 100644 index 000000000..39960a363 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst 
@@ -0,0 +1,141 @@ +module Libcrux_ml_kem.Mlkem768.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Portable.Vector_type in + () + +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 1152) + (sz 1184) + public_key + serialized + in + serialized + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + 
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.unpack_public_key (sz 3) + (sz 1152) + (sz 1152) + (sz 1184) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + unpacked_public_key + +let decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) + (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1120) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness + key_pair + in + key_pair + +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () + +let key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + 
Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 1152) + (sz 1184) + key_pair + serialized + in + serialized + +let public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + = + let pk:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__public_key (sz 3) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + key_pair + <: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + in + pk diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti new file mode 100644 index 000000000..30956fcb9 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti 
@@ -0,0 +1,117 @@ +module Libcrux_ml_kem.Mlkem768.Portable.Unpacked +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Ind_cca.Unpacked in + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Portable.Vector_type in + () + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 768 (unpacked) +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. 
+val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 768 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] +/// and an [`MlKem768Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair in "unpacked" form. +val generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked key. 
+val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the serialized public key. +val key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst new file mode 100644 index 000000000..df3caf4a2 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fst 
@@ -0,0 +1,51 @@ +module Libcrux_ml_kem.Mlkem768.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +let encapsulate + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 32)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 32) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) = + Libcrux_ml_kem.Mlkem768.encapsulate public_key randomness + in + rng, hax_temp_output + <: + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))) + +let generate_key_pair + (#impl_277843321_: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Rand_core.t_RngCore impl_277843321_) + (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Rand_core.t_CryptoRng impl_277843321_) + (rng: impl_277843321_) + = + let randomness:t_Array u8 (sz 64) = Rust_primitives.Hax.repeat 0uy (sz 64) in + let tmp0, tmp1:(impl_277843321_ & t_Array u8 (sz 64)) = + Rand_core.f_fill_bytes #impl_277843321_ #FStar.Tactics.Typeclasses.solve rng randomness + in + let rng:impl_277843321_ = tmp0 in + let randomness:t_Array u8 (sz 64) = tmp1 in + let _:Prims.unit = () in + let hax_temp_output:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = + Libcrux_ml_kem.Mlkem768.generate_key_pair randomness + in + rng, 
hax_temp_output + <: + (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti new file mode 100644 index 000000000..6d9fbe622 --- /dev/null +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Rand.fsti @@ -0,0 +1,39 @@ +module Libcrux_ml_kem.Mlkem768.Rand +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul + +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Rand_core in + () + +/// Encapsulate ML-KEM 768 +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an [`MlKem768PublicKey`]. +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +val encapsulate + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (rng: impl_277843321_) + : Prims.Pure + (impl_277843321_ & (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32))) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Generate ML-KEM 768 Key Pair +/// The random number generator `rng` needs to implement `RngCore` and +/// `CryptoRng` to sample the required randomness internally. +/// This function returns an [`MlKem768KeyPair`]. +val generate_key_pair + (#impl_277843321_: Type0) + {| i1: Rand_core.t_RngCore impl_277843321_ |} + {| i2: Rand_core.t_CryptoRng impl_277843321_ |} + (rng: impl_277843321_) + : Prims.Pure (impl_277843321_ & Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/src/constant_time_ops.rs b/libcrux-ml-kem/src/constant_time_ops.rs
index 02ea01eca..b37bad7a1 100644
--- a/libcrux-ml-kem/src/constant_time_ops.rs
+++ b/libcrux-ml-kem/src/constant_time_ops.rs
@@ -11,44 +11,13 @@ use crate::constants::SHARED_SECRET_SIZE;
 // XXX: We have to disable this for C extraction for now. See eurydice/issues#37
 /// Return 1 if `value` is not zero and 0 otherwise.
-#[hax_lib::ensures(|result| fstar!("($value == 0uy ==> $result == 0uy) /\\
-    ($value =!= 0uy ==> $result == 1uy)"))]
 fn inz(value: u8) -> u8 {
-    let _orig_value = value;
     let value = value as u16;
-    let result = ((!value).wrapping_add(1) >> 8) as u8;
-    let res = result & 1;
-    hax_lib::fstar!("if v $_orig_value = 0 then (
-        assert($value == zero);
-        lognot_lemma $value;
-        assert((~.$value +. 1us) == zero);
-        assert((Core.Num.impl__u16__wrapping_add (~.$value <: u16) 1us <: u16) == zero);
-        logor_lemma $value zero;
-        assert(($value |. (Core.Num.impl__u16__wrapping_add (~.$value <: u16) 1us <: u16) <: u16) == $value);
-        assert (v $result == v (($value >>! 8l)));
-        assert ((v $value / pow2 8) == 0);
-        assert ($result == 0uy);
-        logand_lemma 1uy $result;
-        assert ($res == 0uy))
-    else (
-        assert (v $value <> 0);
-        lognot_lemma $value;
-        assert (v (~.$value) = pow2 16 - 1 - v $value);
-        assert (v (~.$value) + 1 = pow2 16 - v $value);
-        assert (v ($value) <= pow2 8 - 1);
-        assert ((v (~.$value) + 1) = (pow2 16 - pow2 8) + (pow2 8 - v $value));
-        assert ((v (~.$value) + 1) = (pow2 8 - 1) * pow2 8 + (pow2 8 - v $value));
-        assert ((v (~.$value) + 1)/pow2 8 = (pow2 8 - 1));
-        assert (v ((Core.Num.impl__u16__wrapping_add (~.$value <: u16) 1us <: u16) >>! 8l) = pow2 8 - 1);
-        assert ($result = ones);
-        logand_lemma 1uy $result;
-        assert ($res = 1uy))");
-    res
+    let result = ((value | (!value).wrapping_add(1)) >> 8) & 1;
+    result as u8
 }
 #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out.
-#[hax_lib::ensures(|result| fstar!("($value == 0uy ==> $result == 0uy) /\\
-    ($value =!= 0uy ==> $result == 1uy)"))]
 fn is_non_zero(value: u8) -> u8 {
     #[cfg(eurydice)]
     return inz(value);
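Review bot: The `ensures` postcondition on `inz`, and the identical one on `is_non_zero` further down the hunk, is deleted outright, whereas the next hunk keeps `compare`'s `requires` behind `#[cfg_attr(hax, …)]`; if the removal is for the C-extraction problem the XXX comment at the top of the hunk mentions, the same gating would keep the zero/non-zero contract verified under hax without touching the extracted code. Suggested on both functions: `#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("($value == 0uy ==> $result == 0uy) /\\ ($value =!= 0uy ==> $result == 1uy)")))]`. With the proof gone, the new body's reliance on `value` having been zero-extended to `u16` also deserves a one-line comment above `let result = …`, e.g. `// value < 256, so (!value).wrapping_add(1) is -value mod 2^16 and has bit 8 set iff value != 0`. `is_non_zero`'s body continues past the end of the hunk.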
@@ -59,46 +28,13 @@ fn is_non_zero(value: u8) -> u8 { /// Return 1 if the bytes of `lhs` and `rhs` do not exactly /// match and 0 otherwise. -#[hax_lib::requires(lhs.len() == rhs.len())] -#[hax_lib::ensures(|result| fstar!("($lhs == $rhs ==> $result == 0uy) /\\ - ($lhs =!= $rhs ==> $result == 1uy)"))] +#[cfg_attr(hax, hax_lib::requires( + lhs.len() == rhs.len() +))] fn compare(lhs: &[u8], rhs: &[u8]) -> u8 { let mut r: u8 = 0; for i in 0..lhs.len() { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i <= Seq.length $lhs /\\ - (if (Seq.slice $lhs 0 (v $i) = Seq.slice $rhs 0 (v $i)) then - $r == 0uy - else ~ ($r == 0uy))") }); - let nr = r | (lhs[i] ^ rhs[i]); - hax_lib::fstar!("if $r =. 0uy then ( - if (Seq.index $lhs (v $i) = Seq.index $rhs (v $i)) then ( - logxor_lemma (Seq.index $lhs (v $i)) (Seq.index $rhs (v $i)); - assert (((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8) = zero); - logor_lemma $r ((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8); - assert ($nr = $r); - assert (forall j. Seq.index (Seq.slice $lhs 0 (v $i)) j == Seq.index $lhs j); - assert (forall j. Seq.index (Seq.slice $rhs 0 (v $i)) j == Seq.index $rhs j); - eq_intro (Seq.slice $lhs 0 ((v $i) + 1)) (Seq.slice $rhs 0 ((v $i) + 1)) - ) - else ( - logxor_lemma (Seq.index $lhs (v $i)) (Seq.index $rhs (v $i)); - assert (((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8) <> zero); - logor_lemma r ((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8); - assert (v $nr > 0); - assert (Seq.index (Seq.slice $lhs 0 ((v $i)+1)) (v $i) <> - Seq.index (Seq.slice $rhs 0 ((v $i)+1)) (v $i)); - assert (Seq.slice $lhs 0 ((v $i)+1) <> Seq.slice $rhs 0 ((v $i) + 1)) - ) - ) else ( - logor_lemma $r ((${lhs}.[ $i ] <: u8) ^. (${rhs}.[ $i ] <: u8) <: u8); - assert (v $nr >= v $r); - assert (Seq.slice $lhs 0 (v $i) <> Seq.slice $rhs 0 (v $i)); - if (Seq.slice $lhs 0 ((v $i)+1) = Seq.slice $rhs 0 ((v $i) + 1)) then - (assert (forall j. 
j < (v $i) + 1 ==> Seq.index (Seq.slice $lhs 0 ((v $i)+1)) j == Seq.index (Seq.slice $rhs 0 ((v $i)+1)) j); - eq_intro (Seq.slice $lhs 0 (v $i)) (Seq.slice $rhs 0 (v $i)); - assert(False)) - )"); - r = nr; + r |= lhs[i] ^ rhs[i]; } is_non_zero(r) 
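Review bot: With the precondition now compiled only under `hax`, nothing in `compare` checks that `rhs` is at least as long as `lhs` before the loop indexes `rhs[i]` up to `lhs.len()`: a shorter `rhs` panics on the bounds check and a longer one is silently compared as a prefix, so a matching prefix reports equality. The visible caller `compare_ciphertexts_in_constant_time` is `pub(crate)` and the crate passes fixed-size buffers, so this is a robustness point rather than a reachable defect, but a `debug_assert_eq!(lhs.len(), rhs.len());` before the `for` loop keeps the dropped `requires` enforced in tests. The removed `loop_invariant!` was also the only explanation of why `r |= lhs[i] ^ rhs[i];` suffices; a one-line comment such as `// r stays 0 exactly while every byte seen so far matched; no early exit, so the loop's timing does not depend on the inputs.` preserves that. `compare`'s closing brace lies outside the hunk.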
@@ -106,65 +42,25 @@ fn compare(lhs: &[u8], rhs: &[u8]) -> u8 { /// If `selector` is not zero, return the bytes in `rhs`; return the bytes in /// `lhs` otherwise. -#[hax_lib::requires( +#[cfg_attr(hax, hax_lib::requires( lhs.len() == rhs.len() && lhs.len() == SHARED_SECRET_SIZE -)] -#[hax_lib::ensures(|result| fstar!("($selector == 0uy ==> $result == $lhs) /\\ - ($selector =!= 0uy ==> $result == $rhs)"))] -#[hax_lib::fstar::options("--ifuel 0 --z3rlimit 50")] +))] fn select_ct(lhs: &[u8], rhs: &[u8], selector: u8) -> [u8; SHARED_SECRET_SIZE] { let mask = is_non_zero(selector).wrapping_sub(1); - hax_lib::fstar!("assert (if $selector = 0uy then $mask = ones else $mask = zero); - lognot_lemma $mask; - assert (if $selector = 0uy then ~.$mask = zero else ~.$mask = ones)"); let mut out = [0u8; SHARED_SECRET_SIZE]; for i in 0..SHARED_SECRET_SIZE { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i <= v $SHARED_SECRET_SIZE /\\ - (forall j. j < v $i ==> (if ($selector =. 0uy) then Seq.index $out j == Seq.index $lhs j else Seq.index $out j == Seq.index $rhs j)) /\\ - (forall j. j >= v $i ==> Seq.index $out j == 0uy)") }); - hax_lib::fstar!("assert ((${out}.[ $i ] <: u8) = 0uy)"); - let outi = (lhs[i] & mask) | (rhs[i] & !mask); - hax_lib::fstar!("if ($selector = 0uy) then ( - logand_lemma (${lhs}.[ $i ] <: u8) $mask; - assert (((${lhs}.[ $i ] <: u8) &. $mask <: u8) == (${lhs}.[ $i ] <: u8)); - logand_lemma (${rhs}.[ $i ] <: u8) (~.$mask); - assert (((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) == zero); - logor_lemma ((${lhs}.[ $i ] <: u8) &. $mask <: u8) ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8); - assert ((((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) <: u8) == (${lhs}.[ $i ] <: u8)); - logor_lemma (${out}.[ $i ] <: u8) (${lhs}.[ $i ] <: u8); - assert (((${out}.[ $i ] <: u8) |. (((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. 
(~.$mask <: u8) <: u8) <: u8) <: u8) == (${lhs}.[ $i ] <: u8)); - assert ($outi = (${lhs}.[ $i ] <: u8)) - ) - else ( - logand_lemma (${lhs}.[ $i ] <: u8) $mask; - assert (((${lhs}.[ $i ] <: u8) &. $mask <: u8) == zero); - logand_lemma (${rhs}.[ $i ] <: u8) (~.$mask); - assert (((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) == (${rhs}.[ $i ] <: u8)); - logor_lemma (${rhs}.[ $i ] <: u8) zero; - assert ((logor zero (${rhs}.[ $i ] <: u8)) == (${rhs}.[ $i ] <: u8)); - assert ((((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8)) == (${rhs}.[ $i ] <: u8)); - logor_lemma (${out}.[ $i ] <: u8) (${rhs}.[ $i ] <: u8); - assert (((${out}.[ $i ] <: u8) |. (((${lhs}.[ $i ] <: u8) &. $mask <: u8) |. ((${rhs}.[ $i ] <: u8) &. (~.$mask <: u8) <: u8) <: u8) <: u8) == (${rhs}.[ $i ] <: u8)); - assert ($outi = (${rhs}.[ $i ] <: u8)) - )"); - out[i] = outi; + out[i] = (lhs[i] & mask) | (rhs[i] & !mask); } - hax_lib::fstar!("if ($selector =. 0uy) then ( - eq_intro $out $lhs - ) - else ( - eq_intro $out $rhs - )"); out } #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. -#[hax_lib::requires(lhs.len() == rhs.len())] -#[hax_lib::ensures(|result| fstar!("($lhs == $rhs ==> $result == 0uy) /\\ - ($lhs =!= $rhs ==> $result == 1uy)"))] +#[cfg_attr(hax, hax_lib::requires( + lhs.len() == rhs.len() +))] pub(crate) fn compare_ciphertexts_in_constant_time(lhs: &[u8], rhs: &[u8]) -> u8 { #[cfg(eurydice)] return compare(lhs, rhs); 
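Review bot: The loop body of `select_ct` now reads `out[i] = (lhs[i] & mask) | (rhs[i] & !mask);` with nothing explaining the mask polarity, which is the one thing a reader must get right here: `mask` is `0xFF` when `selector == 0` (keep `lhs`) and `0x00` otherwise (take `rhs`). The removed `hax_lib::fstar!` assertion after `let mask` was the only place stating that; a comment on that line, `// 0xFF if selector == 0 (keep lhs), 0x00 otherwise (take rhs); built without a branch on selector.`, keeps the intent visible. The `requires` keeps the `SHARED_SECRET_SIZE` bound on both slices only under `hax`; elsewhere the fixed-size `out` and the `lhs[i]`/`rhs[i]` indexing are the only guard, so `debug_assert!(lhs.len() == SHARED_SECRET_SIZE && rhs.len() == SHARED_SECRET_SIZE);` is the cheap equivalent. `compare_ciphertexts_in_constant_time`'s body continues outside the hunk.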
@@ -174,12 +70,10 @@ pub(crate) fn compare_ciphertexts_in_constant_time(lhs: &[u8], rhs: &[u8]) -> u8 } #[inline(never)] // Don't inline this to avoid that the compiler optimizes this out. -#[hax_lib::requires( +#[cfg_attr(hax, hax_lib::requires( lhs.len() == rhs.len() && lhs.len() == SHARED_SECRET_SIZE -)] -#[hax_lib::ensures(|result| fstar!("($selector == 0uy ==> $result == $lhs) /\\ - ($selector =!= 0uy ==> $result == $rhs)"))] +))] pub(crate) fn select_shared_secret_in_constant_time( lhs: &[u8], rhs: &[u8], @@ -192,14 +86,11 @@ pub(crate) fn select_shared_secret_in_constant_time( core::hint::black_box(select_ct(lhs, rhs, selector)) } -#[hax_lib::requires( +#[cfg_attr(hax, hax_lib::requires( lhs_c.len() == rhs_c.len() && lhs_s.len() == rhs_s.len() && lhs_s.len() == SHARED_SECRET_SIZE -)] -#[hax_lib::ensures(|result| fstar!("let selector = if $lhs_c =. $rhs_c then 0uy else 1uy in - ((selector == 0uy ==> $result == $lhs_s) /\\ - (selector =!= 0uy ==> $result == $rhs_s))"))] +))] pub(crate) fn compare_ciphertexts_select_shared_secret_in_constant_time( lhs_c: &[u8], rhs_c: &[u8], diff --git a/libcrux-ml-kem/src/hash_functions.rs b/libcrux-ml-kem/src/hash_functions.rs index d365818ff..3b0e5e290 100644 --- a/libcrux-ml-kem/src/hash_functions.rs +++ b/libcrux-ml-kem/src/hash_functions.rs 
@@ -26,25 +26,12 @@ pub(crate) const THREE_BLOCKS: usize = BLOCK_SIZE * 3; #[hax_lib::attributes] pub(crate) trait Hash { /// G aka SHA3 512 - #[requires(true)] - #[ensures(|result| - fstar!("$result == Spec.Utils.v_G $input")) - ] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE]; /// H aka SHA3 256 - #[requires(true)] - #[ensures(|result| - fstar!("$result == Spec.Utils.v_H $input")) - ] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE]; /// PRF aka SHAKE256 - #[requires(fstar!("v $LEN < pow2 32"))] - #[ensures(|result| - // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!("v $LEN < pow2 32 ==> $result == Spec.Utils.v_PRF $LEN $input")) - ] fn PRF(input: &[u8]) -> [u8; LEN]; /// PRFxN aka N SHAKE256 @@ -57,16 +44,13 @@ pub(crate) trait Hash { fn PRFxN(input: &[[u8; 33]; K]) -> [[u8; LEN]; K]; /// Create a SHAKE128 state and absorb the input. - #[requires(true)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self; + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self; /// Squeeze 3 blocks out of the SHAKE128 state. - #[requires(true)] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K]; + fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K]; /// Squeeze 1 block out of the SHAKE128 state. - #[requires(true)] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K]; + fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K]; } /// A portable implementation of [`Hash`] @@ -74,7 +58,10 @@ pub(crate) mod portable { use super::*; use libcrux_sha3::portable::{ self, - incremental, + incremental::{ + shake128_absorb_final, shake128_init, shake128_squeeze_first_three_blocks, + shake128_squeeze_next_block, + }, KeccakState, }; 
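Review bot: The renames in the `Hash` trait drop the words that described the SHAKE128 call protocol: `shake128_init_absorb` still routes, in the portable implementation later in this file, to `shake128_absorb_final`, which finalizes the absorb phase, and `shake128_squeeze_three_blocks` routes to `shake128_squeeze_first_three_blocks`, whose name marks it as the first squeeze. Since the trait doc comments are now the only statement of that ordering, they should carry it: `/// Create a SHAKE128 state, absorb the input and finalize the absorb phase; no further input can be absorbed.` on `shake128_init_absorb`, and `/// Squeeze the first 3 blocks out of a freshly absorbed SHAKE128 state; call once, before any shake128_squeeze_block.` on `shake128_squeeze_three_blocks`. The same applies to the `avx2` and `neon` implementations in the later hunks of this file, whose bodies lie outside the view. Separately, `#[requires(fstar!("v $LEN < pow2 32"))]` on `PRF` is deleted rather than moved under `cfg_attr(hax, …)` as `constant_time_ops.rs` does, so the `LEN` bound is no longer stated anywhere in the trait.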
@@ -87,9 +74,6 @@ pub(crate) mod portable { shake128_state: [KeccakState; K], } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { let mut digest = [0u8; G_DIGEST_SIZE]; @@ -97,9 +81,6 @@ pub(crate) mod portable { digest } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { let mut digest = [0u8; H_DIGEST_SIZE]; @@ -107,10 +88,6 @@ pub(crate) mod portable { digest } - #[hax_lib::requires(fstar!("v $LEN < pow2 32"))] - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { let mut digest = [0u8; LEN]; 
@@ -134,66 +111,52 @@ pub(crate) mod portable { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> PortableHash { + fn shake128_init_absorb(input: [[u8; 34]; K]) -> PortableHash { debug_assert!(K == 2 || K == 3 || K == 4); - let mut shake128_state = [incremental::shake128_init(); K]; + let mut shake128_state = [shake128_init(); K]; for i in 0..K { - incremental::shake128_absorb_final(&mut shake128_state[i], &input[i]); + shake128_absorb_final(&mut shake128_state[i], &input[i]); } PortableHash { shake128_state } } #[inline(always)] - fn shake128_squeeze_first_three_blocks( + fn shake128_squeeze_three_blocks( st: &mut PortableHash, ) -> [[u8; THREE_BLOCKS]; K] { debug_assert!(K == 2 || K == 3 || K == 4); let mut out = [[0u8; THREE_BLOCKS]; K]; for i in 0..K { - incremental::shake128_squeeze_first_three_blocks(&mut st.shake128_state[i], &mut out[i]); + shake128_squeeze_first_three_blocks(&mut st.shake128_state[i], &mut out[i]); } out } #[inline(always)] - fn shake128_squeeze_next_block(st: &mut PortableHash) -> [[u8; BLOCK_SIZE]; K] { + fn shake128_squeeze_block(st: &mut PortableHash) -> [[u8; BLOCK_SIZE]; K] { debug_assert!(K == 2 || K == 3 || K == 4); let mut out = [[0u8; BLOCK_SIZE]; K]; for i in 0..K { - incremental::shake128_squeeze_next_block(&mut st.shake128_state[i], &mut out[i]); + shake128_squeeze_next_block(&mut st.shake128_state[i], &mut out[i]); } out } #[hax_lib::attributes] impl Hash for PortableHash { - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { G(input) } - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { H(input) } - #[requires(fstar!("v $LEN < pow2 32"))] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - 
#[ensures(|out| - // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!("v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { PRF::(input) @@ -211,18 +174,18 @@ pub(crate) mod portable { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self { - shake128_init_absorb_final(input) + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self { + shake128_init_absorb(input) } #[inline(always)] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { - shake128_squeeze_first_three_blocks(self) + fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { + shake128_squeeze_three_blocks(self) } #[inline(always)] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { - shake128_squeeze_next_block(self) + fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { + shake128_squeeze_block(self) } } } @@ -245,9 +208,6 @@ pub(crate) mod avx2 { shake128_state: KeccakState, } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { let mut digest = [0u8; G_DIGEST_SIZE]; @@ -255,9 +215,6 @@ pub(crate) mod avx2 { digest } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { let mut digest = [0u8; H_DIGEST_SIZE]; @@ -265,10 +222,6 @@ pub(crate) mod avx2 { digest } - #[hax_lib::requires(fstar!("v $LEN < pow2 32"))] - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { let mut digest = [0u8; LEN]; 
@@ -323,7 +276,7 @@ pub(crate) mod avx2 { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Simd256Hash { + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Simd256Hash { debug_assert!(K == 2 || K == 3 || K == 4); let mut state = x4::incremental::init(); @@ -352,7 +305,7 @@ pub(crate) mod avx2 { } #[inline(always)] - fn shake128_squeeze_first_three_blocks( + fn shake128_squeeze_three_blocks( st: &mut Simd256Hash, ) -> [[u8; THREE_BLOCKS]; K] { debug_assert!(K == 2 || K == 3 || K == 4); @@ -390,7 +343,7 @@ pub(crate) mod avx2 { } #[inline(always)] - fn shake128_squeeze_next_block(st: &mut Simd256Hash) -> [[u8; BLOCK_SIZE]; K] { + fn shake128_squeeze_block(st: &mut Simd256Hash) -> [[u8; BLOCK_SIZE]; K] { debug_assert!(K == 2 || K == 3 || K == 4); let mut out = [[0u8; BLOCK_SIZE]; K]; let mut out0 = [0u8; BLOCK_SIZE]; @@ -427,30 +380,16 @@ pub(crate) mod avx2 { #[hax_lib::attributes] impl Hash for Simd256Hash { - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { G(input) } - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { H(input) } - #[requires(fstar!("v $LEN < pow2 32"))] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[hax_lib::ensures(|out| - // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!("v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { PRF::(input) 
@@ -468,18 +407,18 @@ pub(crate) mod avx2 { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self { - shake128_init_absorb_final(input) + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self { + shake128_init_absorb(input) } #[inline(always)] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { - shake128_squeeze_first_three_blocks(self) + fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { + shake128_squeeze_three_blocks(self) } #[inline(always)] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { - shake128_squeeze_next_block(self) + fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { + shake128_squeeze_block(self) } } } @@ -499,9 +438,6 @@ pub(crate) mod neon { shake128_state: [KeccakState; 2], } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { let mut digest = [0u8; G_DIGEST_SIZE]; @@ -509,9 +445,6 @@ pub(crate) mod neon { digest } - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { let mut digest = [0u8; H_DIGEST_SIZE]; @@ -519,10 +452,6 @@ pub(crate) mod neon { digest } - #[hax_lib::requires(fstar!("v $LEN < pow2 32"))] - #[hax_lib::ensures(|result| - fstar!("$result == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { let mut digest = [0u8; LEN]; @@ -570,7 +499,7 @@ pub(crate) mod neon { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Simd128Hash { + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Simd128Hash { debug_assert!(K == 2 || K == 3 || K == 4); let mut state = [x2::incremental::init(), x2::incremental::init()]; match K as u8 { 
@@ -594,7 +523,7 @@ pub(crate) mod neon { } #[inline(always)] - fn shake128_squeeze_first_three_blocks( + fn shake128_squeeze_three_blocks( st: &mut Simd128Hash, ) -> [[u8; THREE_BLOCKS]; K] { debug_assert!(K == 2 || K == 3 || K == 4); @@ -652,7 +581,7 @@ pub(crate) mod neon { } #[inline(always)] - fn shake128_squeeze_next_block(st: &mut Simd128Hash) -> [[u8; BLOCK_SIZE]; K] { + fn shake128_squeeze_block(st: &mut Simd128Hash) -> [[u8; BLOCK_SIZE]; K] { debug_assert!(K == 2 || K == 3 || K == 4); let mut out = [[0u8; BLOCK_SIZE]; K]; @@ -709,30 +638,16 @@ pub(crate) mod neon { #[hax_lib::attributes] impl Hash for Simd128Hash { - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_G $input")) - ] #[inline(always)] fn G(input: &[u8]) -> [u8; G_DIGEST_SIZE] { G(input) } - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - fstar!("$out == Spec.Utils.v_H $input")) - ] #[inline(always)] fn H(input: &[u8]) -> [u8; H_DIGEST_SIZE] { H(input) } - #[requires(fstar!("v $LEN < pow2 32"))] - // Output name has be `out` https://github.com/hacspec/hax/issues/832 - #[ensures(|out| - // We need to repeat the pre-condition here because of https://github.com/hacspec/hax/issues/784 - fstar!("v $LEN < pow2 32 ==> $out == Spec.Utils.v_PRF $LEN $input")) - ] #[inline(always)] fn PRF(input: &[u8]) -> [u8; LEN] { PRF::(input) 
@@ -751,18 +666,18 @@ pub(crate) mod neon { } #[inline(always)] - fn shake128_init_absorb_final(input: [[u8; 34]; K]) -> Self { - shake128_init_absorb_final(input) + fn shake128_init_absorb(input: [[u8; 34]; K]) -> Self { + shake128_init_absorb(input) } #[inline(always)] - fn shake128_squeeze_first_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { - shake128_squeeze_first_three_blocks(self) + fn shake128_squeeze_three_blocks(&mut self) -> [[u8; THREE_BLOCKS]; K] { + shake128_squeeze_three_blocks(self) } #[inline(always)] - fn shake128_squeeze_next_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { - shake128_squeeze_next_block(self) + fn shake128_squeeze_block(&mut self) -> [[u8; BLOCK_SIZE]; K] { + shake128_squeeze_block(self) } } } diff --git a/libcrux-ml-kem/src/ind_cca.rs b/libcrux-ml-kem/src/ind_cca.rs index 3d05ce368..8f7bd5bb4 100644 --- a/libcrux-ml-kem/src/ind_cca.rs +++ b/libcrux-ml-kem/src/ind_cca.rs @@ -35,16 +35,6 @@ pub(crate) mod instantiations; /// Serialize the secret key. #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 150")] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SERIALIZED_KEY_LEN == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - ${private_key.len()} == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - ${public_key.len()} == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - ${implicit_rejection_value.len()} == Spec.MLKEM.v_SHARED_SECRET_SIZE"))] -#[hax_lib::ensures(|result| fstar!("$result == Seq.append $private_key ( - Seq.append $public_key ( - Seq.append (Spec.Utils.v_H $public_key) - $implicit_rejection_value))"))] fn serialize_kem_secret_key>( private_key: &[u8], public_key: &[u8], @@ -60,25 +50,6 @@ fn serialize_kem_secret_key( public_key: &[u8; PUBLIC_KEY_SIZE], ) -> bool { - let deserialized_pk = deserialize_ring_elements_reduced_out::( + let deserialized_pk = deserialize_ring_elements_reduced_out::( &public_key[..RANKED_BYTES_PER_RING_ELEMENT], ); let public_key_serialized = 
@@ -117,9 +85,6 @@ fn validate_public_key< /// Note that the size checks in 7.2 1 and 2 are covered by the `SECRET_KEY_SIZE` /// and `CIPHERTEXT_SIZE` in the `private_key` and `ciphertext` types. #[inline(always)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"))] fn validate_private_key< const K: usize, const SECRET_KEY_SIZE: usize, @@ -158,7 +123,7 @@ fn generate_keypair< const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, - const RANKED_BYTES_PER_RING_ELEMENT: usize, + const BYTES_PER_RING_ELEMENT: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, Vector: Operations, @@ -174,7 +139,7 @@ fn generate_keypair< K, CPA_PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, - RANKED_BYTES_PER_RING_ELEMENT, + BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, Vector, @@ -219,7 +184,7 @@ fn encapsulate< const C2_SIZE: usize, const VECTOR_U_COMPRESSION_FACTOR: usize, const VECTOR_V_COMPRESSION_FACTOR: usize, - const C1_BLOCK_SIZE: usize, + const VECTOR_U_BLOCK_LEN: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, @@ -233,11 +198,8 @@ fn encapsulate< ) -> (MlKemCiphertext, MlKemSharedSecret) { let randomness = Scheme::entropy_preprocess::(&randomness); let mut to_hash: [u8; 2 * H_DIGEST_SIZE] = into_padded_array(&randomness); - hax_lib::fstar!("eq_intro (Seq.slice $to_hash 0 32) $randomness"); to_hash[H_DIGEST_SIZE..].copy_from_slice(&Hasher::H(public_key.as_slice())); - hax_lib::fstar!("assert (Seq.slice to_hash 0 (v $H_DIGEST_SIZE) == $randomness); - lemma_slice_append $to_hash $randomness (Spec.Utils.v_H ${public_key}.f_value); - assert ($to_hash == concat $randomness (Spec.Utils.v_H ${public_key}.f_value))"); + let hashed = Hasher::G(&to_hash); let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE); 
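Review bot: Renaming the const generic `RANKED_BYTES_PER_RING_ELEMENT` to `BYTES_PER_RING_ELEMENT` in `generate_keypair` (this hunk and the next) changes the name but, as far as the hunks show, not the quantity: the preconditions removed in the `instantiations.rs` and `multiplexing.rs` hunks equated this parameter with `Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K`, a K-dependent ("ranked") size, and `validate_public_key` in the same file still slices with `RANKED_BYTES_PER_RING_ELEMENT`. A reader seeing `BYTES_PER_RING_ELEMENT` will presume the size of a single element, so either keep the old name or document it, e.g. `// Ranked size: depends on K, not the size of one ring element.` above `const BYTES_PER_RING_ELEMENT: usize,`. The same rename recurs in `generate_keypair` of `instantiations.rs` and `multiplexing.rs` on the following lines. In the `encapsulate` hunk at the end of this line the added empty `+` line after `copy_from_slice` is a leftover of the deleted `fstar!` block.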
@@ -249,7 +211,7 @@ fn encapsulate< C2_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, - C1_BLOCK_SIZE, + VECTOR_U_BLOCK_LEN, ETA1, ETA1_RANDOMNESS_SIZE, ETA2, @@ -260,6 +222,7 @@ fn encapsulate< let ciphertext = MlKemCiphertext::from(ciphertext); let shared_secret_array = Scheme::kdf::(shared_secret, &ciphertext); + (ciphertext, shared_secret_array) } @@ -308,17 +271,10 @@ pub(crate) fn decapsulate< private_key: &MlKemPrivateKey, ciphertext: &MlKemCiphertext, ) -> MlKemSharedSecret { - hax_lib::fstar!("assert (v $CIPHERTEXT_SIZE == v $IMPLICIT_REJECTION_HASH_INPUT_SIZE - v $SHARED_SECRET_SIZE)"); let (ind_cpa_secret_key, secret_key) = private_key.value.split_at(CPA_SECRET_KEY_SIZE); let (ind_cpa_public_key, secret_key) = secret_key.split_at(PUBLIC_KEY_SIZE); let (ind_cpa_public_key_hash, implicit_rejection_value) = secret_key.split_at(H_DIGEST_SIZE); - hax_lib::fstar!("assert ($ind_cpa_secret_key == slice ${private_key}.f_value (sz 0) $CPA_SECRET_KEY_SIZE); - assert ($ind_cpa_public_key == slice ${private_key}.f_value $CPA_SECRET_KEY_SIZE ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE)); - assert ($ind_cpa_public_key_hash == slice ${private_key}.f_value ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE) - ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE)); - assert ($implicit_rejection_value == slice ${private_key}.f_value ($CPA_SECRET_KEY_SIZE +! $PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE) - (length ${private_key}.f_value))"); let decrypted = crate::ind_cpa::decrypt::< K, CIPHERTEXT_SIZE, 
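Review bot: The `hax_lib::fstar!` blocks removed around the three `split_at` calls in `decapsulate` were the only written description of the private-key layout; the code now extracts four slices with no comment on what they are. The `ensures` removed from `serialize_kem_secret_key` earlier in this file gives that layout, so a comment before the first `split_at`, `// private_key.value = ind_cpa_secret_key || ind_cpa_public_key || H(ind_cpa_public_key) || implicit_rejection_value`, records it without the proof. The assertion removed in the next hunk also stated that `implicit_rejection_value` has length `SHARED_SECRET_SIZE`, which the later `into_padded_array(implicit_rejection_value)` step presumably relies on; a `debug_assert_eq!(implicit_rejection_value.len(), SHARED_SECRET_SIZE);` after the last `split_at` keeps that check in debug builds now that the proof annotations are gone. `decapsulate`'s body continues outside the hunk.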
@@ -329,31 +285,16 @@ pub(crate) fn decapsulate< >(ind_cpa_secret_key, &ciphertext.value); let mut to_hash: [u8; SHARED_SECRET_SIZE + H_DIGEST_SIZE] = into_padded_array(&decrypted); - hax_lib::fstar!("eq_intro (Seq.slice $to_hash 0 32) $decrypted"); to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ind_cpa_public_key_hash); - hax_lib::fstar!("lemma_slice_append to_hash $decrypted $ind_cpa_public_key_hash; - assert ($decrypted == Spec.MLKEM.ind_cpa_decrypt $K $ind_cpa_secret_key ${ciphertext}.f_value); - assert ($to_hash == concat $decrypted $ind_cpa_public_key_hash)"); let hashed = Hasher::G(&to_hash); let (shared_secret, pseudorandomness) = hashed.split_at(SHARED_SECRET_SIZE); - hax_lib::fstar!("assert (($shared_secret , $pseudorandomness) == split $hashed $SHARED_SECRET_SIZE); - assert (length $implicit_rejection_value = $SECRET_KEY_SIZE -! $CPA_SECRET_KEY_SIZE -! $PUBLIC_KEY_SIZE -! $H_DIGEST_SIZE); - assert (length $implicit_rejection_value = Spec.MLKEM.v_SHARED_SECRET_SIZE); - assert (Spec.MLKEM.v_SHARED_SECRET_SIZE <=. Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K)"); let mut to_hash: [u8; IMPLICIT_REJECTION_HASH_INPUT_SIZE] = into_padded_array(implicit_rejection_value); - hax_lib::fstar!("eq_intro (Seq.slice $to_hash 0 32) $implicit_rejection_value"); to_hash[SHARED_SECRET_SIZE..].copy_from_slice(ciphertext.as_ref()); - hax_lib::fstar!("assert_norm (pow2 32 == 0x100000000); - assert (v (sz 32) < pow2 32); - assert (i4.f_PRF_pre (sz 32) $to_hash); - lemma_slice_append $to_hash $implicit_rejection_value ${ciphertext}.f_value"); let implicit_rejection_shared_secret: [u8; SHARED_SECRET_SIZE] = Hasher::PRF(&to_hash); - hax_lib::fstar!("assert ($implicit_rejection_shared_secret == Spec.Utils.v_PRF (sz 32) $to_hash); - assert (Seq.length $ind_cpa_public_key == v $PUBLIC_KEY_SIZE)"); let expected_ciphertext = crate::ind_cpa::encrypt::< K, CIPHERTEXT_SIZE, 
@@ -375,13 +316,12 @@ pub(crate) fn decapsulate< Scheme::kdf::(&implicit_rejection_shared_secret, ciphertext); let shared_secret = Scheme::kdf::(shared_secret, ciphertext); - let shared_secret = compare_ciphertexts_select_shared_secret_in_constant_time( - ciphertext.as_ref(), - &expected_ciphertext, - &shared_secret, - &implicit_rejection_shared_secret, - ); - shared_secret + compare_ciphertexts_select_shared_secret_in_constant_time( + ciphertext.as_ref(), + &expected_ciphertext, + &shared_secret, + &implicit_rejection_shared_secret, + ) } /// Types for the unpacked API. @@ -445,7 +385,7 @@ pub(crate) mod unpacked { public_key: &MlKemPublicKey, unpacked_public_key: &mut MlKemPublicKeyUnpacked, ) { - deserialize_ring_elements_reduced::( + deserialize_ring_elements_reduced::( &public_key.value[..T_AS_NTT_ENCODED_SIZE], &mut unpacked_public_key.ind_cpa_public_key.t_as_ntt, ); diff --git a/libcrux-ml-kem/src/ind_cca/instantiations.rs b/libcrux-ml-kem/src/ind_cca/instantiations.rs index fc2e754e2..8b9806142 100644 --- a/libcrux-ml-kem/src/ind_cca/instantiations.rs +++ b/libcrux-ml-kem/src/ind_cca/instantiations.rs @@ -7,19 +7,12 @@ macro_rules! instantiate { }; /// Portable generate key pair. - #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"))] pub(crate) fn generate_keypair< const K: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, - const RANKED_BYTES_PER_RING_ELEMENT: usize, + const BYTES_PER_RING_ELEMENT: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, >( 
@@ -30,7 +23,7 @@ macro_rules! instantiate { CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, - RANKED_BYTES_PER_RING_ELEMENT, + BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, $vector, @@ -144,19 +137,6 @@ macro_rules! instantiate { >(public_key, randomness) } - #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\ - $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\ - $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ - $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"))] pub(crate) fn encapsulate< const K: usize, const CIPHERTEXT_SIZE: usize, @@ -166,7 +146,7 @@ macro_rules! instantiate { const C2_SIZE: usize, const VECTOR_U_COMPRESSION_FACTOR: usize, const VECTOR_V_COMPRESSION_FACTOR: usize, - const C1_BLOCK_SIZE: usize, + const VECTOR_U_BLOCK_LEN: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, @@ -184,7 +164,7 @@ macro_rules! instantiate { C2_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, - C1_BLOCK_SIZE, + VECTOR_U_BLOCK_LEN, ETA1, ETA1_RANDOMNESS_SIZE, ETA2, 
@@ -242,23 +222,6 @@ macro_rules! instantiate { } /// Portable decapsulate - #[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\ - $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\ - $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ - $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\ - $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))] pub fn decapsulate< const K: usize, const SECRET_KEY_SIZE: usize, diff --git a/libcrux-ml-kem/src/ind_cca/multiplexing.rs b/libcrux-ml-kem/src/ind_cca/multiplexing.rs index 4a78a567b..88098f375 100644 --- a/libcrux-ml-kem/src/ind_cca/multiplexing.rs +++ b/libcrux-ml-kem/src/ind_cca/multiplexing.rs @@ -52,9 +52,6 @@ use instantiations::portable::{ kyber_generate_keypair as kyber_generate_keypair_neon, }; -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE $K"))] #[inline(always)] pub(crate) fn validate_public_key< const K: usize, 
@@ -69,9 +66,6 @@ pub(crate) fn validate_public_key< } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K"))] pub(crate) fn validate_private_key< const K: usize, const SECRET_KEY_SIZE: usize, @@ -132,19 +126,12 @@ pub(crate) fn kyber_generate_keypair< } } -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K"))] pub(crate) fn generate_keypair< const K: usize, const CPA_PRIVATE_KEY_SIZE: usize, const PRIVATE_KEY_SIZE: usize, const PUBLIC_KEY_SIZE: usize, - const RANKED_BYTES_PER_RING_ELEMENT: usize, + const BYTES_PER_RING_ELEMENT: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, >( @@ -157,7 +144,7 @@ pub(crate) fn generate_keypair< CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, - RANKED_BYTES_PER_RING_ELEMENT, + BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, >(randomness) @@ -167,7 +154,7 @@ pub(crate) fn generate_keypair< CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, - RANKED_BYTES_PER_RING_ELEMENT, + BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, >(randomness) @@ -177,7 +164,7 @@ pub(crate) fn generate_keypair< CPA_PRIVATE_KEY_SIZE, PRIVATE_KEY_SIZE, PUBLIC_KEY_SIZE, - RANKED_BYTES_PER_RING_ELEMENT, + BYTES_PER_RING_ELEMENT, ETA1, ETA1_RANDOMNESS_SIZE, >(randomness) 
@@ -254,19 +241,6 @@ pub(crate) fn kyber_encapsulate< } } -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\ - $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\ - $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ - $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K"))] pub(crate) fn encapsulate< const K: usize, const CIPHERTEXT_SIZE: usize, @@ -276,7 +250,7 @@ pub(crate) fn encapsulate< const C2_SIZE: usize, const VECTOR_U_COMPRESSION_FACTOR: usize, const VECTOR_V_COMPRESSION_FACTOR: usize, - const C1_BLOCK_SIZE: usize, + const VECTOR_U_BLOCK_LEN: usize, const ETA1: usize, const ETA1_RANDOMNESS_SIZE: usize, const ETA2: usize, @@ -295,7 +269,7 @@ pub(crate) fn encapsulate< C2_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, - C1_BLOCK_SIZE, + VECTOR_U_BLOCK_LEN, ETA1, ETA1_RANDOMNESS_SIZE, ETA2, @@ -311,7 +285,7 @@ pub(crate) fn encapsulate< C2_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, - C1_BLOCK_SIZE, + VECTOR_U_BLOCK_LEN, ETA1, ETA1_RANDOMNESS_SIZE, ETA2, @@ -327,7 +301,7 @@ pub(crate) fn encapsulate< C2_SIZE, VECTOR_U_COMPRESSION_FACTOR, VECTOR_V_COMPRESSION_FACTOR, - C1_BLOCK_SIZE, + VECTOR_U_BLOCK_LEN, ETA1, ETA1_RANDOMNESS_SIZE, ETA2, 
@@ -418,22 +392,6 @@ pub(crate) fn kyber_decapsulate< } } -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K /\\ - $SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE $K /\\ - $CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE $K /\\ - $PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE $K /\\ - $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ - $T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE $K /\\ - $C1_SIZE == Spec.MLKEM.v_C1_SIZE $K /\\ - $C2_SIZE == Spec.MLKEM.v_C2_SIZE $K /\\ - $VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR $K /\\ - $VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR $K /\\ - $C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ - $ETA1 == Spec.MLKEM.v_ETA1 $K /\\ - $ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE $K /\\ - $ETA2 == Spec.MLKEM.v_ETA2 $K /\\ - $ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE $K /\\ - $IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE $K"))] pub(crate) fn decapsulate< const K: usize, const SECRET_KEY_SIZE: usize, diff --git a/libcrux-ml-kem/src/ind_cpa.rs b/libcrux-ml-kem/src/ind_cpa.rs index 4891caff8..08cd6a687 100644 --- a/libcrux-ml-kem/src/ind_cpa.rs +++ b/libcrux-ml-kem/src/ind_cpa.rs @@ -600,7 +600,6 @@ fn compress_then_serialize_u< $BLOCK_LEN == Spec.MLKEM.v_C1_BLOCK_SIZE $K /\\ $CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE $K /\\ length $randomness == Spec.MLKEM.v_SHARED_SECRET_SIZE"))] - #[hax_lib::ensures(|result| fstar!("$result == Spec.MLKEM.ind_cpa_encrypt_unpacked $K $message $randomness (Libcrux_ml_kem.Polynomial.to_spec_vector_t #$K #$:Vector ${public_key}.f_t_as_ntt) @@ -736,7 +735,7 @@ pub(crate) fn encrypt< let mut unpacked_public_key = IndCpaPublicKeyUnpacked::::default(); // tˆ := Decode_12(pk) - deserialize_ring_elements_reduced::( + deserialize_ring_elements_reduced::( &public_key[..T_AS_NTT_ENCODED_SIZE], &mut unpacked_public_key.t_as_ntt, ); 
diff --git a/libcrux-ml-kem/src/invert_ntt.rs b/libcrux-ml-kem/src/invert_ntt.rs index 49fa7fea5..12b60f3cf 100644 --- a/libcrux-ml-kem/src/invert_ntt.rs +++ b/libcrux-ml-kem/src/invert_ntt.rs 
@@ -1,152 +1,68 @@ use crate::{ hax_utils::hax_debug_assert, - polynomial::{PolynomialRingElement, get_zeta}, + polynomial::{PolynomialRingElement, ZETAS_TIMES_MONTGOMERY_R}, vector::{montgomery_multiply_fe, Operations, FIELD_ELEMENTS_IN_VECTOR}, }; #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let invert_ntt_re_range_2 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let invert_ntt_re_range_1 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 128 /\\ - invert_ntt_re_range_1 $re"))] -#[hax_lib::ensures(|result| fstar!("invert_ntt_re_range_2 ${re}_future /\\ - v ${*zeta_i}_future == 64"))] pub(crate) fn invert_ntt_at_layer_1( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, ) { - hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_1) (invert_ntt_re_range_1 #$:Vector)"); - hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init - v $round * 4 /\\ - (v round < 16 ==> (forall (i:nat). 
(i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i -= 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = Vector::inv_ntt_layer_1_step( re.coefficients[round], - get_zeta (*zeta_i), - get_zeta (*zeta_i - 1), - get_zeta (*zeta_i - 2), - get_zeta (*zeta_i - 3), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 1], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 2], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 3], ); *zeta_i -= 3; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); } () } #[inline(always)] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 64 /\\ - invert_ntt_re_range_2 $re "))] -#[hax_lib::ensures(|result| fstar!("invert_ntt_re_range_2 ${re}_future /\\ - v ${*zeta_i}_future == 32"))] pub(crate) fn invert_ntt_at_layer_2( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, ) { - hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init - v $round * 2 /\\ - (v round < 16 ==> (forall (i:nat). 
(i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i -= 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = Vector::inv_ntt_layer_2_step( re.coefficients[round], - get_zeta (*zeta_i), - get_zeta (*zeta_i - 1), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 1], ); *zeta_i -= 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); } () } #[inline(always)] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 32 /\\ - invert_ntt_re_range_2 $re"))] -#[hax_lib::ensures(|result| fstar!("invert_ntt_re_range_2 ${re}_future /\\ - v ${*zeta_i}_future == 16"))] pub(crate) fn invert_ntt_at_layer_3( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, ) { - hax_lib::fstar!("reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init - v $round /\\ - (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). 
i < v $round ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i -= 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = - Vector::inv_ntt_layer_3_step(re.coefficients[round], get_zeta (*zeta_i)); - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); + Vector::inv_ntt_layer_3_step(re.coefficients[round], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); } () } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 $zeta_r /\\ - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $b) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i))) /\\ - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $b) i))) /\\ - Spec.Utils.is_i16b_array 28296 (Libcrux_ml_kem.Vector.Traits.f_to_i16_array - (Libcrux_ml_kem.Vector.Traits.f_add $a $b))"))] pub(crate) fn inv_ntt_layer_int_vec_step_reduce( mut a: Vector, mut b: Vector, @@ -157,10 +73,7 @@ pub(crate) fn inv_ntt_layer_int_vec_step_reduce( b = montgomery_multiply_fe::(a_minus_b, zeta_r); (a, b) } - #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("v $layer >= 4 /\\ v $layer <= 7"))] pub(crate) fn invert_ntt_at_layer_4_plus( zeta_i: &mut usize, re: &mut PolynomialRingElement, 
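Review bot: `invert_ntt_at_layer_4_plus` loses its `v $layer >= 4 /\\ v $layer <= 7` precondition with no runtime replacement, while its counterpart `ntt_at_layer_4_plus` in the ntt.rs hunk keeps only the lower half as `debug_assert!(layer >= 4);` and computes `1 << layer` from the argument; the two should match, and the upper bound is the one that keeps the shift meaningful. The entry value of `zeta_i` was likewise recorded only by the removed `requires` (128, 64 and 32 for layers 1–3), and layer 1 now reads `ZETAS_TIMES_MONTGOMERY_R[*zeta_i - 3]` right after `*zeta_i -= 1`, so a wrong starting index now fails only as an arithmetic-overflow or index panic at the use site instead of at entry. I would add `debug_assert_eq!(*zeta_i, 128);` at the top of `invert_ntt_at_layer_1` (64 and 32 for layers 2 and 3) and `debug_assert!((4..=7).contains(&layer));` at the top of both `_at_layer_4_plus` functions. The body of `invert_ntt_at_layer_4_plus` continues outside the hunk.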
@@ -181,7 +94,7 @@ pub(crate) fn invert_ntt_at_layer_4_plus( let (x, y) = inv_ntt_layer_int_vec_step_reduce( re.coefficients[j], re.coefficients[j + step_vec], - get_zeta (*zeta_i), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], ); re.coefficients[j] = x; re.coefficients[j + step_vec] = y; @@ -191,7 +104,6 @@ pub(crate) fn invert_ntt_at_layer_4_plus( } #[inline(always)] -#[hax_lib::requires(fstar!("invert_ntt_re_range_1 $re"))] pub(crate) fn invert_ntt_montgomery( re: &mut PolynomialRingElement, ) { diff --git a/libcrux-ml-kem/src/matrix.rs b/libcrux-ml-kem/src/matrix.rs index 01c2d987d..bbdcbe2ba 100644 --- a/libcrux-ml-kem/src/matrix.rs +++ b/libcrux-ml-kem/src/matrix.rs @@ -5,14 +5,6 @@ use crate::{ #[inline(always)] #[allow(non_snake_case)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K"))] -#[hax_lib::ensures(|res| - fstar!("let (matrix_A, valid) = Spec.MLKEM.sample_matrix_A_ntt (Seq.slice $seed 0 32) in - valid ==> ( - if $transpose then Libcrux_ml_kem.Polynomial.to_spec_matrix_t ${A_transpose}_future == matrix_A - else Libcrux_ml_kem.Polynomial.to_spec_matrix_t ${A_transpose}_future == Spec.MLKEM.matrix_transpose matrix_A)") -)] pub(crate) fn sample_matrix_A>( A_transpose: &mut [[PolynomialRingElement; K]; K], seed: [u8; 34], @@ -45,17 +37,6 @@ pub(crate) fn sample_matrix_A( v: &PolynomialRingElement, secret_as_ntt: &[PolynomialRingElement; K], 
@@ -76,18 +57,6 @@ pub(crate) fn compute_message( /// Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K"))] -#[hax_lib::ensures(|res| - fstar!("let open Libcrux_ml_kem.Polynomial in - let tt_spec = to_spec_vector_t $t_as_ntt in - let r_spec = to_spec_vector_t $r_as_ntt in - let e2_spec = to_spec_poly_t $error_2 in - let m_spec = to_spec_poly_t $message in - let res_spec = to_spec_poly_t $res in - res_spec == Spec.MLKEM.(poly_add (poly_add (vector_dot_product_ntt #$K tt_spec r_spec) e2_spec) m_spec) /\\ - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range $res") -)] pub(crate) fn compute_ring_element_v( t_as_ntt: &[PolynomialRingElement; K], r_as_ntt: &[PolynomialRingElement; K], @@ -109,18 +78,6 @@ pub(crate) fn compute_ring_element_v( /// Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("Spec.MLKEM.is_rank $K"))] -#[hax_lib::ensures(|res| - fstar!("let open Libcrux_ml_kem.Polynomial in - let a_spec = to_spec_matrix_t $a_as_ntt in - let r_spec = to_spec_vector_t $r_as_ntt in - let e_spec = to_spec_vector_t $error_1 in - let res_spec = to_spec_vector_t $res in - res_spec == Spec.MLKEM.(vector_add (vector_inv_ntt (matrix_vector_mul_ntt a_spec r_spec)) e_spec) /\\ - (forall (i:nat). i < v $K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index $res i))") -)] pub(crate) fn compute_vector_u( a_as_ntt: &[[PolynomialRingElement; K]; K], r_as_ntt: &[PolynomialRingElement; K], diff --git a/libcrux-ml-kem/src/mlkem1024.rs b/libcrux-ml-kem/src/mlkem1024.rs index 6bc86a8cf..875406268 100644 --- a/libcrux-ml-kem/src/mlkem1024.rs +++ b/libcrux-ml-kem/src/mlkem1024.rs 
@@ -410,11 +410,6 @@ pub fn validate_private_key( /// /// This function returns an [`MlKem1024KeyPair`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem1024_generate_keypair $randomness in - valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)") -)] pub fn generate_key_pair( randomness: [u8; KEY_GENERATION_SEED_SIZE], ) -> MlKemKeyPair { @@ -435,12 +430,6 @@ pub fn generate_key_pair( /// The input is a reference to an [`MlKem1024PublicKey`] and [`SHARED_SECRET_SIZE`] /// bytes of `randomness`. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem1024_encapsulate ${public_key}.f_value $randomness in - let (res_ciphertext, res_shared_secret) = $res in - valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)") -)] pub fn encapsulate( public_key: &MlKem1024PublicKey, randomness: [u8; SHARED_SECRET_SIZE], @@ -467,11 +456,6 @@ pub fn encapsulate( /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem1024_decapsulate ${private_key}.f_value ${ciphertext}.f_value in - valid ==> $res == shared_secret") -)] pub fn decapsulate( private_key: &MlKem1024PrivateKey, ciphertext: &MlKem1024Ciphertext, diff --git a/libcrux-ml-kem/src/mlkem512.rs b/libcrux-ml-kem/src/mlkem512.rs index cad3bd02b..4fae634c0 100644 --- a/libcrux-ml-kem/src/mlkem512.rs +++ b/libcrux-ml-kem/src/mlkem512.rs 
@@ -3,31 +3,34 @@ use super::{constants::*, ind_cca::*, types::*, *}; // Kyber 512 parameters const RANK_512: usize = 2; -const RANKED_BYTES_PER_RING_ELEMENT_512: usize = 768; -const T_AS_NTT_ENCODED_SIZE_512: usize = 768; +const RANKED_BYTES_PER_RING_ELEMENT_512: usize = RANK_512 * BITS_PER_RING_ELEMENT / 8; +const T_AS_NTT_ENCODED_SIZE_512: usize = + (RANK_512 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8; const VECTOR_U_COMPRESSION_FACTOR_512: usize = 10; // [hax]: hacspec/hacspec-v2#27 stealing error // block_len::() -const C1_BLOCK_SIZE_512: usize = 320; +const C1_BLOCK_SIZE_512: usize = + (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_U_COMPRESSION_FACTOR_512) / 8; // [hax]: hacspec/hacspec-v2#27 stealing error // serialized_len::() -const C1_SIZE_512: usize = 640; +const C1_SIZE_512: usize = C1_BLOCK_SIZE_512 * RANK_512; const VECTOR_V_COMPRESSION_FACTOR_512: usize = 4; // [hax]: hacspec/hacspec-v2#27 stealing error // block_len::() -const C2_SIZE_512: usize = 128; -const CPA_PKE_SECRET_KEY_SIZE_512: usize = 768; -pub(crate) const CPA_PKE_PUBLIC_KEY_SIZE_512: usize = 800; -const CPA_PKE_CIPHERTEXT_SIZE_512: usize = 768; - -pub(crate) const SECRET_KEY_SIZE_512: usize = 1632; +const C2_SIZE_512: usize = (COEFFICIENTS_IN_RING_ELEMENT * VECTOR_V_COMPRESSION_FACTOR_512) / 8; +const CPA_PKE_SECRET_KEY_SIZE_512: usize = + (RANK_512 * COEFFICIENTS_IN_RING_ELEMENT * BITS_PER_COEFFICIENT) / 8; +pub(crate) const CPA_PKE_PUBLIC_KEY_SIZE_512: usize = T_AS_NTT_ENCODED_SIZE_512 + 32; +const CPA_PKE_CIPHERTEXT_SIZE_512: usize = C1_SIZE_512 + C2_SIZE_512; +pub(crate) const SECRET_KEY_SIZE_512: usize = + CPA_PKE_SECRET_KEY_SIZE_512 + CPA_PKE_PUBLIC_KEY_SIZE_512 + H_DIGEST_SIZE + SHARED_SECRET_SIZE; const ETA1: usize = 3; -const ETA1_RANDOMNESS_SIZE: usize = 192; +const ETA1_RANDOMNESS_SIZE: usize = ETA1 * 64; const ETA2: usize = 2; -const ETA2_RANDOMNESS_SIZE: usize = 128; +const ETA2_RANDOMNESS_SIZE: usize = ETA2 * 64; -const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = 
800; +const IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = SHARED_SECRET_SIZE + CPA_PKE_CIPHERTEXT_SIZE_512; // Kyber 512 types /// An ML-KEM 512 Ciphertext @@ -400,11 +403,6 @@ pub fn validate_private_key( /// /// This function returns an [`MlKem512KeyPair`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem512_generate_keypair $randomness in - valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)") -)] pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem512KeyPair { multiplexing::generate_keypair::< RANK_512, @@ -423,12 +421,6 @@ pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem512 /// The input is a reference to an [`MlKem512PublicKey`] and [`SHARED_SECRET_SIZE`] /// bytes of `randomness`. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem512_encapsulate ${public_key}.f_value $randomness in - let (res_ciphertext, res_shared_secret) = $res in - valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)") -)] pub fn encapsulate( public_key: &MlKem512PublicKey, randomness: [u8; SHARED_SECRET_SIZE], @@ -455,11 +447,6 @@ pub fn encapsulate( /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem512_decapsulate ${private_key}.f_value ${ciphertext}.f_value in - valid ==> $res == shared_secret") -)] pub fn decapsulate( private_key: &MlKem512PrivateKey, ciphertext: &MlKem512Ciphertext, 
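Review bot: The literal sizes become derived expressions, but nothing pins the derived values to the sizes the ML-KEM 512 wire format requires, so a slip in one formula (the bare `+ 32` in `CPA_PKE_PUBLIC_KEY_SIZE_512`, or the two different expressions that must both yield 768 for `RANKED_BYTES_PER_RING_ELEMENT_512` and `T_AS_NTT_ENCODED_SIZE_512`) would only surface downstream. Since the old literals sit in the removed lines, I would keep them as compile-time checks next to the definitions: `const _: () = assert!(CPA_PKE_PUBLIC_KEY_SIZE_512 == 800);`, `const _: () = assert!(CPA_PKE_CIPHERTEXT_SIZE_512 == 768);`, `const _: () = assert!(SECRET_KEY_SIZE_512 == 1632);`, and likewise for the others. The `32` is presumably the seed appended to the encoded t vector; if `constants` already names that length, use the name rather than the literal.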
diff --git a/libcrux-ml-kem/src/mlkem768.rs b/libcrux-ml-kem/src/mlkem768.rs index 17cf7aadf..4f5f114e3 100644 --- a/libcrux-ml-kem/src/mlkem768.rs +++ b/libcrux-ml-kem/src/mlkem768.rs @@ -398,11 +398,6 @@ pub fn validate_private_key( /// /// This function returns an [`MlKem768KeyPair`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((secret_key, public_key), valid) = Spec.MLKEM.Instances.mlkem768_generate_keypair $randomness in - valid ==> (${res}.f_sk.f_value == secret_key /\\ ${res}.f_pk.f_value == public_key)") -)] pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem768KeyPair { multiplexing::generate_keypair::< RANK_768, @@ -421,12 +416,6 @@ pub fn generate_key_pair(randomness: [u8; KEY_GENERATION_SEED_SIZE]) -> MlKem768 /// The input is a reference to an [`MlKem768PublicKey`] and [`SHARED_SECRET_SIZE`] /// bytes of `randomness`. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let ((ciphertext, shared_secret), valid) = Spec.MLKEM.Instances.mlkem768_encapsulate ${public_key}.f_value $randomness in - let (res_ciphertext, res_shared_secret) = $res in - valid ==> (res_ciphertext.f_value == ciphertext /\\ res_shared_secret == shared_secret)") -)] pub fn encapsulate( public_key: &MlKem768PublicKey, randomness: [u8; SHARED_SECRET_SIZE], @@ -453,11 +442,6 @@ pub fn encapsulate( /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. #[cfg(not(eurydice))] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|res| - fstar!("let (shared_secret, valid) = Spec.MLKEM.Instances.mlkem768_decapsulate ${private_key}.f_value ${ciphertext}.f_value in - valid ==> $res == shared_secret") -)] pub fn decapsulate( private_key: &MlKem768PrivateKey, ciphertext: &MlKem768Ciphertext, 
diff --git a/libcrux-ml-kem/src/ntt.rs b/libcrux-ml-kem/src/ntt.rs index 9008f7190..34d225564 100644 --- a/libcrux-ml-kem/src/ntt.rs +++ b/libcrux-ml-kem/src/ntt.rs 
@@ -1,168 +1,71 @@ use crate::{ hax_utils::hax_debug_assert, - polynomial::{PolynomialRingElement, VECTORS_IN_RING_ELEMENT, get_zeta}, + polynomial::{PolynomialRingElement, VECTORS_IN_RING_ELEMENT, ZETAS_TIMES_MONTGOMERY_R}, vector::{montgomery_multiply_fe, Operations}, }; #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let ntt_re_range_2 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let ntt_re_range_1 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 63 /\\ - ntt_re_range_2 $re"))] -#[hax_lib::ensures(|result| fstar!("ntt_re_range_1 ${re}_future /\\ - v ${*zeta_i}_future == 127"))] pub(crate) fn ntt_at_layer_1( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, _initial_coefficient_bound: usize, ) { - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #$:Vector)"); - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_1) (ntt_re_range_1 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init + v $round * 4 /\\ - (v round < 16 ==> (forall (i:nat). 
(i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i += 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = Vector::ntt_layer_1_step( re.coefficients[round], - get_zeta (*zeta_i), - get_zeta (*zeta_i + 1), - get_zeta (*zeta_i + 2), - get_zeta (*zeta_i + 3), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 2], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 3], ); *zeta_i += 3; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); } () } #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let ntt_re_range_3 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). 
i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 31 /\\ - ntt_re_range_3 $re"))] -#[hax_lib::ensures(|result| fstar!("ntt_re_range_2 ${re}_future /\\ - v ${*zeta_i}_future == 63"))] pub(crate) fn ntt_at_layer_2( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, _initial_coefficient_bound: usize, ) { - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #$:Vector)"); - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init + v $round * 2 /\\ - (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). 
i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i += 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = Vector::ntt_layer_2_step( re.coefficients[round], - get_zeta (*zeta_i), - get_zeta (*zeta_i + 1), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], + ZETAS_TIMES_MONTGOMERY_R[*zeta_i + 1], ); *zeta_i += 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); } () } #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let ntt_re_range_4 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). 
i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+3*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ]))")] -#[hax_lib::requires(fstar!("v ${*zeta_i} == 15 /\\ - ntt_re_range_4 $re"))] -#[hax_lib::ensures(|result| fstar!("ntt_re_range_3 ${re}_future /\\ - v ${*zeta_i}_future == 31"))] pub(crate) fn ntt_at_layer_3( zeta_i: &mut usize, re: &mut PolynomialRingElement, _layer: usize, _initial_coefficient_bound: usize, ) { - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_4) (ntt_re_range_4 #$:Vector)"); - hax_lib::fstar!("reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #$:Vector)"); - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..16 { - hax_lib::loop_invariant!(|round: usize| { fstar!("v zeta_i == v $_zeta_i_init + v $round /\\ - (v round < 16 ==> (forall (i:nat). (i >= v round /\\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207+3*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\\ - (forall (i:nat). 
i < v $round ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))") }); *zeta_i += 1; - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+3*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); re.coefficients[round] = - Vector::ntt_layer_3_step(re.coefficients[round], get_zeta (*zeta_i)); - hax_lib::fstar!("reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ])))"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ $round ])))"); + Vector::ntt_layer_3_step(re.coefficients[round], ZETAS_TIMES_MONTGOMERY_R[*zeta_i]); } () } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 $zeta_r /\\ - (let t = ${montgomery_multiply_fe::} $b $zeta_r in - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\\ - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $a) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))"))] fn ntt_layer_int_vec_step( mut a: Vector, mut b: Vector, 
@@ -173,28 +76,16 @@ fn ntt_layer_int_vec_step( a = Vector::add(a, &t); (a, b) } - #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("v $layer >= 4 /\\ v $layer <= 7 /\\ - ((v $layer == 4 ==> v ${*zeta_i} == 7) /\\ - (v $layer == 5 ==> v ${*zeta_i} == 3) /\\ - (v $layer == 6 ==> v ${*zeta_i} == 1) /\\ - (v $layer == 7 ==> v ${*zeta_i} == 0))"))] -#[hax_lib::ensures(|result| fstar!("ntt_re_range_4 ${re}_future /\\ - (v $layer == 4 ==> v ${*zeta_i}_future == 15) /\\ - (v $layer == 5 ==> v ${*zeta_i}_future == 7) /\\ - (v $layer == 6 ==> v ${*zeta_i}_future == 3) /\\ - (v $layer == 7 ==> v ${*zeta_i}_future == 1)"))] pub(crate) fn ntt_at_layer_4_plus( zeta_i: &mut usize, re: &mut PolynomialRingElement, layer: usize, _initial_coefficient_bound: usize, ) { + debug_assert!(layer >= 4); let step = 1 << layer; - let _zeta_i_init = *zeta_i; // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for round in 0..(128 >> layer) { @@ -208,7 +99,7 @@ pub(crate) fn ntt_at_layer_4_plus( let (x, y) = ntt_layer_int_vec_step( re.coefficients[j], re.coefficients[j + step_vec], - get_zeta (*zeta_i), + ZETAS_TIMES_MONTGOMERY_R[*zeta_i], ); re.coefficients[j] = x; re.coefficients[j + step_vec] = y; 
@@ -218,36 +109,11 @@ pub(crate) fn ntt_at_layer_4_plus( } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -//We should make the loops inside this function `opaque_to_smt` to get it work -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"] - let ntt_layer_7_pre (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re_0 re_1: v_Vector) = - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_1) i) * v (-1600s))) /\\ - (let t = Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant re_1 (-1600s) in - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\\ - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))")] -#[hax_lib::requires(fstar!("forall i. i < 8 ==> ntt_layer_7_pre (${re}.f_coefficients.[ sz i ]) - (${re}.f_coefficients.[ sz i +! sz 8 ])"))] pub(crate) fn ntt_at_layer_7(re: &mut PolynomialRingElement) { let step = VECTORS_IN_RING_ELEMENT / 2; - hax_lib::fstar!("assert (v $step == 8)"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for j in 0..step { - hax_lib::loop_invariant!(|j: usize| { fstar!("(v j < 8 ==> - (forall (i:nat). (i >= v j /\\ i < 8) ==> - ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ])))") }); - hax_lib::fstar!("reveal_opaque (`%ntt_layer_7_pre) (ntt_layer_7_pre #$:Vector)"); let t = Vector::multiply_by_constant(re.coefficients[j + step], -1600); re.coefficients[j + step] = Vector::sub(re.coefficients[j], &t); re.coefficients[j] = Vector::add(re.coefficients[j], &t); 
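Review bot: With the `ntt_layer_7_pre` precondition and loop invariant removed, nothing in ntt_at_layer_7 records the range assumption under which `multiply_by_constant(..., -1600)` followed by `sub`/`add` stays within i16; the deleted F* text expressed it as an `is_intb (pow2 15 - 1)` bound on each lane of `re_1 * -1600`, `re_0 - t` and `re_0 + t`. Suggest keeping that as a plain doc comment on the function, e.g. `/// Precondition: coefficients must be small enough that c * -1600 and c ± t fit in i16 (formerly ntt_layer_7_pre).`, since callers can no longer discover the bound from proof annotations. The function's closing brace lies outside the hunk.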
@@ -270,12 +136,12 @@ pub(crate) fn ntt_binomially_sampled_ring_element( ntt_at_layer_7(re); let mut zeta_i = 1; - ntt_at_layer_4_plus(&mut zeta_i, re, 6, 11207); - ntt_at_layer_4_plus(&mut zeta_i, re, 5, 11207+3328); - ntt_at_layer_4_plus(&mut zeta_i, re, 4, 11207+2*3328); - ntt_at_layer_3(&mut zeta_i, re, 3, 11207+3*3328); - ntt_at_layer_2(&mut zeta_i, re, 2, 11207+4*3328); - ntt_at_layer_1(&mut zeta_i, re, 1, 11207+5*3328); + ntt_at_layer_4_plus(&mut zeta_i, re, 6, 3); + ntt_at_layer_4_plus(&mut zeta_i, re, 5, 3); + ntt_at_layer_4_plus(&mut zeta_i, re, 4, 3); + ntt_at_layer_3(&mut zeta_i, re, 3, 3); + ntt_at_layer_2(&mut zeta_i, re, 2, 3); + ntt_at_layer_1(&mut zeta_i, re, 1, 3); re.poly_barrett_reduce() } 
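Review bot: The bound arguments `11207`, `11207+3328`, … passed to the `ntt_at_layer_*` calls are all replaced by the literal `3`, which no longer tracks the per-layer coefficient growth the old values expressed. For ntt_at_layer_4_plus the parameter is `_initial_coefficient_bound` and is unused in the visible hunk, but the ntt_at_layer_3/2/1 signatures are not in view, so whether `3` is consumed there cannot be confirmed from here. If the parameter is dead everywhere, dropping it is clearer than passing a placeholder; if it is still read, the previous values look like the intended ones. At minimum a comment on the first call, `// bound argument is currently unused by the layer functions`, would record the intent.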
@@ -295,12 +161,12 @@ pub(crate) fn ntt_vector_u i16 { - ZETAS_TIMES_MONTGOMERY_R[i] -} +]; pub(crate) const VECTORS_IN_RING_ELEMENT: usize = super::constants::COEFFICIENTS_IN_RING_ELEMENT / FIELD_ELEMENTS_IN_VECTOR; -#[cfg_attr(hax, hax_lib::fstar::after(interface, "let to_spec_matrix_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (m:t_Array (t_Array (t_PolynomialRingElement v_Vector) r) r) : Spec.MLKEM.matrix r = - createi r (fun i -> to_spec_vector_t #r #v_Vector (m.[i]))"))] -#[cfg_attr(hax, hax_lib::fstar::after(interface, "let to_spec_vector_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (m:t_Array (t_PolynomialRingElement v_Vector) r) : Spec.MLKEM.vector r = - createi r (fun i -> to_spec_poly_t #v_Vector (m.[i]))"))] -#[cfg_attr(hax, hax_lib::fstar::after(interface, "let to_spec_poly_t (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (p: t_PolynomialRingElement v_Vector) : Spec.MLKEM.polynomial = - admit()"))] // XXX: We don't want to copy this. But for eurydice we have to have this. #[derive(Clone, Copy)] pub(crate) struct PolynomialRingElement { pub(crate) coefficients: [Vector; VECTORS_IN_RING_ELEMENT], } -#[hax_lib::attributes] impl PolynomialRingElement { #[allow(non_snake_case)] pub(crate) fn ZERO() -> Self { @@ -52,7 +30,6 @@ impl PolynomialRingElement { } #[inline(always)] - #[requires(VECTORS_IN_RING_ELEMENT * 16 <= a.len())] pub(crate) fn from_i16_array(a: &[i16]) -> Self { let mut result = PolynomialRingElement::ZERO(); for i in 0..VECTORS_IN_RING_ELEMENT { 
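Review bot: Removing `#[requires(VECTORS_IN_RING_ELEMENT * 16 <= a.len())]` from from_i16_array leaves its length contract undocumented, while elsewhere in this commit the same kind of precondition is replaced by a `hax_debug_assert!` (sampling.rs, serialize.rs); the same pattern fits here as the first statement of the body: `hax_debug_assert!(a.len() >= VECTORS_IN_RING_ELEMENT * 16);`. Without it a too-short slice is caught only by whatever indexing the loop does, which is outside the hunk. The import block of polynomial.rs is not visible, so `hax_debug_assert` may need to be brought into scope there.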
@@ -65,7 +42,6 @@ impl PolynomialRingElement { /// sum of their constituent coefficients. #[inline(always)] pub(crate) fn add_to_ring_element(&mut self, rhs: &Self) { - hax_lib::fstar!("admit ()"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for i in 0..self.coefficients.len() { @@ -76,8 +52,6 @@ impl PolynomialRingElement { #[inline(always)] pub fn poly_barrett_reduce(&mut self) { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for i in 0..VECTORS_IN_RING_ELEMENT { @@ -88,8 +62,6 @@ impl PolynomialRingElement { #[inline(always)] pub(crate) fn subtract_reduce(&self, mut b: Self) -> Self { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); for i in 0..VECTORS_IN_RING_ELEMENT { let coefficient_normal_form = Vector::montgomery_multiply_by_constant(b.coefficients[i], 1441); @@ -101,8 +73,6 @@ impl PolynomialRingElement { #[inline(always)] pub(crate) fn add_message_error_reduce(&self, message: &Self, mut result: Self) -> Self { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); for i in 0..VECTORS_IN_RING_ELEMENT { let coefficient_normal_form = Vector::montgomery_multiply_by_constant(result.coefficients[i], 1441); 
@@ -132,8 +102,6 @@ impl PolynomialRingElement { #[inline(always)] pub(crate) fn add_error_reduce(&mut self, error: &Self) { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for j in 0..VECTORS_IN_RING_ELEMENT { @@ -150,8 +118,6 @@ impl PolynomialRingElement { #[inline(always)] pub(crate) fn add_standard_error_reduce(&mut self, error: &Self) { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for j in 0..VECTORS_IN_RING_ELEMENT { @@ -207,8 +173,6 @@ impl PolynomialRingElement { // ))))] #[inline(always)] pub(crate) fn ntt_multiply(&self, rhs: &Self) -> Self { - // Using `hax_lib::fstar::verification_status(lax)` works but produces an error while extracting - hax_lib::fstar!("admit ()"); // hax_debug_debug_assert!(lhs // .coefficients // .into_iter() @@ -220,10 +184,10 @@ impl PolynomialRingElement { out.coefficients[i] = Vector::ntt_multiply( &self.coefficients[i], &rhs.coefficients[i], - get_zeta (64 + 4 * i), - get_zeta (64 + 4 * i + 1), - get_zeta (64 + 4 * i + 2), - get_zeta (64 + 4 * i + 3), + ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i], + ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i + 1], + ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i + 2], + ZETAS_TIMES_MONTGOMERY_R[64 + 4 * i + 3], ); } diff --git a/libcrux-ml-kem/src/sampling.rs b/libcrux-ml-kem/src/sampling.rs index 1a140d1a8..79e4e38e6 100644 --- a/libcrux-ml-kem/src/sampling.rs +++ b/libcrux-ml-kem/src/sampling.rs 
@@ -1,5 +1,5 @@ use crate::{ - constants::COEFFICIENTS_IN_RING_ELEMENT, hash_functions::*, + constants::COEFFICIENTS_IN_RING_ELEMENT, hash_functions::*, hax_utils::hax_debug_assert, helper::cloop, polynomial::PolynomialRingElement, vector::Operations, }; @@ -71,15 +71,14 @@ fn sample_from_uniform_distribution_next>( seeds: [[u8; 34]; K], ) -> [PolynomialRingElement; K] { let mut sampled_coefficients: [usize; K] = [0; K]; let mut out: [[i16; 272]; K] = [[0; 272]; K]; - let mut xof_state = Hasher::shake128_init_absorb_final(seeds); - let randomness = xof_state.shake128_squeeze_first_three_blocks(); + let mut xof_state = Hasher::shake128_init_absorb(seeds); + let randomness = xof_state.shake128_squeeze_three_blocks(); let mut done = sample_from_uniform_distribution_next::( randomness, @@ -93,7 +92,7 @@ pub(super) fn sample_from_xof( randomness, &mut sampled_coefficients, @@ -152,19 +151,16 @@ pub(super) fn sample_from_xof. -#[hax_lib::requires(randomness.len() == 2 * 64)] +#[cfg_attr(hax, hax_lib::requires(randomness.len() == 2 * 64))] // TODO: Remove or replace with something that works and is useful for the proof. // #[cfg_attr(hax, hax_lib::ensures(|result| // hax_lib::forall(|i:usize| // hax_lib::implies(i < result.coefficients.len(), || result.coefficients[i].abs() <= 2 // ))))] #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 800")] fn sample_from_binomial_distribution_2( randomness: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (sz 2 *! sz 64) == 128); - assert (Seq.length $randomness == 128)"); let mut sampled_i16s = [0i16; 256]; cloop! { 
@@ -176,21 +172,12 @@ fn sample_from_binomial_distribution_2( let even_bits = random_bits_as_u32 & 0x55555555; let odd_bits = (random_bits_as_u32 >> 1) & 0x55555555; - hax_lib::fstar!("logand_lemma $random_bits_as_u32 1431655765ul; - logand_lemma ($random_bits_as_u32 >>! 1l) 1431655765ul"); let coin_toss_outcomes = even_bits + odd_bits; cloop! { for outcome_set in (0..u32::BITS).step_by(4) { let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x3) as i16; let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 2)) & 0x3) as i16; - hax_lib::fstar!("logand_lemma ($coin_toss_outcomes >>! $outcome_set <: u32) 3ul; - logand_lemma ($coin_toss_outcomes >>! ($outcome_set +! 2ul <: u32) <: u32) 3ul; - assert (v $outcome_1 >= 0 /\\ v $outcome_1 <= 3); - assert (v $outcome_2 >= 0 /\\ v $outcome_2 <= 3); - assert (v $chunk_number <= 31); - assert (v (sz 8 *! $chunk_number <: usize) <= 248); - assert (v (cast ($outcome_set >>! 2l <: u32) <: usize) <= 7)"); let offset = (outcome_set >> 2) as usize; sampled_i16s[8 * chunk_number + offset] = outcome_1 - outcome_2; @@ -201,19 +188,16 @@ fn sample_from_binomial_distribution_2( PolynomialRingElement::from_i16_array(&sampled_i16s) } -#[hax_lib::requires(randomness.len() == 3 * 64)] +#[cfg_attr(hax, hax_lib::requires(randomness.len() == 3 * 64))] // TODO: Remove or replace with something that works and is useful for the proof. // #[cfg_attr(hax, hax_lib::ensures(|result| // hax_lib::forall(|i:usize| // hax_lib::implies(i < result.coefficients.len(), || result.coefficients[i].abs() <= 3 // ))))] #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 800")] fn sample_from_binomial_distribution_3( randomness: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (sz 3 *! sz 64) == 192); - assert (Seq.length $randomness == 192)"); let mut sampled_i16s = [0i16; 256]; cloop! { 
@@ -224,9 +208,6 @@ fn sample_from_binomial_distribution_3( let first_bits = random_bits_as_u24 & 0x00249249; let second_bits = (random_bits_as_u24 >> 1) & 0x00249249; let third_bits = (random_bits_as_u24 >> 2) & 0x00249249; - hax_lib::fstar!("logand_lemma $random_bits_as_u24 2396745ul; - logand_lemma ($random_bits_as_u24 >>! 1l <: u32) 2396745ul; - logand_lemma ($random_bits_as_u24 >>! 2l <: u32) 2396745ul"); let coin_toss_outcomes = first_bits + second_bits + third_bits; @@ -234,13 +215,6 @@ fn sample_from_binomial_distribution_3( for outcome_set in (0..24).step_by(6) { let outcome_1 = ((coin_toss_outcomes >> outcome_set) & 0x7) as i16; let outcome_2 = ((coin_toss_outcomes >> (outcome_set + 3)) & 0x7) as i16; - hax_lib::fstar!("logand_lemma ($coin_toss_outcomes >>! $outcome_set <: u32) 7ul; - logand_lemma ($coin_toss_outcomes >>! ($outcome_set +! 3l <: i32) <: u32) 7ul; - assert (v $outcome_1 >= 0 /\\ v $outcome_1 <= 7); - assert (v $outcome_2 >= 0 /\\ v $outcome_2 <= 7); - assert (v $chunk_number <= 63); - assert (v (sz 4 *! $chunk_number <: usize) <= 252); - assert (v (cast ($outcome_set /! 6l <: i32) <: usize) <= 3)"); let offset = (outcome_set / 6) as usize; sampled_i16s[4 * chunk_number + offset] = outcome_1 - outcome_2; @@ -261,9 +235,8 @@ fn sample_from_binomial_distribution_3( pub(super) fn sample_from_binomial_distribution( randomness: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert ( - (v (cast $ETA <: u32) == 2) \\/ - (v (cast $ETA <: u32) == 3))"); + hax_debug_assert!(randomness.len() == ETA * 64); + match ETA as u32 { 2 => sample_from_binomial_distribution_2(randomness), 3 => sample_from_binomial_distribution_3(randomness), diff --git a/libcrux-ml-kem/src/serialize.rs b/libcrux-ml-kem/src/serialize.rs index 18f8444b7..7eb656f13 100644 --- a/libcrux-ml-kem/src/serialize.rs +++ b/libcrux-ml-kem/src/serialize.rs 
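Review bot: `hax_debug_assert!(randomness.len() == ETA * 64);` is now the only length check on this path, since the callees' `requires` are gated behind `cfg_attr(hax, …)`; judging by its name the macro is compiled out in non-debug builds (its definition is not in view). In that case a too-short `randomness` reaches the `cloop!` chunk loops of sample_from_binomial_distribution_2/3, which presumably iterate over fixed-size chunks and would simply produce fewer coefficients, leaving the remainder of `sampled_i16s` at its initial zero — a silent bias in the noise sampler rather than a crash. Either a check that survives release builds, or a doc comment stating that the caller guarantees `randomness.len() == ETA * 64`, seems warranted here.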
@@ -1,8 +1,9 @@ use crate::{ - constants::{COEFFICIENTS_IN_RING_ELEMENT, BYTES_PER_RING_ELEMENT, SHARED_SECRET_SIZE}, + constants::{BYTES_PER_RING_ELEMENT, SHARED_SECRET_SIZE}, + hax_utils::hax_debug_assert, helper::cloop, polynomial::{PolynomialRingElement, VECTORS_IN_RING_ELEMENT}, - vector::{decompress_1, to_unsigned_representative, Operations, FIELD_MODULUS}, + vector::{decompress_1, to_unsigned_representative, Operations}, }; #[inline(always)] @@ -23,7 +24,7 @@ let field_modulus_range (#v_Vector: Type0) #[hax_lib::ensures(|result| fstar!("forall (i:nat). i < 16 ==> v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) >= 0 /\\ v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) < v $FIELD_MODULUS"))] -pub(super) fn to_unsigned_field_modulus( +pub(super) fn to_unsigned_field_element( a: Vector, ) -> Vector { hax_lib::fstar!("reveal_opaque (`%field_modulus_range) (field_modulus_range #$:Vector)"); @@ -42,12 +43,7 @@ pub(super) fn compress_then_serialize_message( ) -> [u8; SHARED_SECRET_SIZE] { let mut serialized = [0u8; SHARED_SECRET_SIZE]; for i in 0..16 { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i < 16 ==> - coefficients_field_modulus_range $re") }); - hax_lib::fstar!("assert (2 * v $i + 2 <= 32)"); - hax_lib::fstar!("reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #$:Vector)"); - let coefficient = to_unsigned_field_modulus(re.coefficients[i]); + let coefficient = to_unsigned_field_element::(re.coefficients[i]); let coefficient_compressed = Vector::compress_1(coefficient); let bytes = Vector::serialize_1(coefficient_compressed); @@ -56,7 +52,6 @@ pub(super) fn compress_then_serialize_message( serialized } - #[inline(always)] #[hax_lib::fstar::verification_status(panic_free)] #[hax_lib::ensures(|result| 
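Review bot: `COEFFICIENTS_IN_RING_ELEMENT` is dropped from the `use crate::constants::{…}` list in the first hunk, yet the `hax_debug_assert!` lines added later in this file (hunks `@@ -258`, `@@ -340`, `@@ -352`, `@@ -372`, `@@ -407`, `@@ -418`, `@@ -437`, `@@ -471`) all reference it. Unless the constant is reachable through a path not shown here, this compiles only if the macro discards its arguments outside the debug/hax configuration, so the build would break in exactly the configuration the checks are meant for; keep the import: `constants::{BYTES_PER_RING_ELEMENT, COEFFICIENTS_IN_RING_ELEMENT, SHARED_SECRET_SIZE},`. The same question applies to `FIELD_MODULUS`, removed from the `vector::{…}` import while `$FIELD_MODULUS` is still referenced in the `hax_lib::ensures` string of to_unsigned_field_element in the `@@ -23` hunk.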
@@ -84,15 +79,9 @@ pub(super) fn deserialize_then_decompress_message( pub(super) fn serialize_uncompressed_ring_element( re: &PolynomialRingElement, ) -> [u8; BYTES_PER_RING_ELEMENT] { - hax_lib::fstar!("assert_norm (pow2 12 == 4096)"); let mut serialized = [0u8; BYTES_PER_RING_ELEMENT]; for i in 0..VECTORS_IN_RING_ELEMENT { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i >= 0 /\\ v $i <= 16 /\\ - v $i < 16 ==> coefficients_field_modulus_range $re") }); - hax_lib::fstar!("assert (24 * v $i + 24 <= 384)"); - hax_lib::fstar!("reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #$:Vector)"); - let coefficient = to_unsigned_field_modulus(re.coefficients[i]); + let coefficient = to_unsigned_field_element::(re.coefficients[i]); let bytes = Vector::serialize_12(coefficient); serialized[24 * i..24 * i + 24].copy_from_slice(&bytes); @@ -112,7 +101,8 @@ pub(super) fn serialize_uncompressed_ring_element( pub(super) fn deserialize_to_uncompressed_ring_element( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v $BYTES_PER_RING_ELEMENT / 24 == 16)"); + hax_debug_assert!(serialized.len() == BYTES_PER_RING_ELEMENT); + let mut re = PolynomialRingElement::::ZERO(); cloop! { @@ -128,14 +118,11 @@ pub(super) fn deserialize_to_uncompressed_ring_element( /// /// This MUST NOT be used with secret inputs, like its caller `deserialize_ring_elements_reduced`. #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires( - serialized.len() == BYTES_PER_RING_ELEMENT -)] fn deserialize_to_reduced_ring_element( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v $BYTES_PER_RING_ELEMENT / 24 == 16)"); + hax_debug_assert!(serialized.len() == BYTES_PER_RING_ELEMENT); + let mut re = PolynomialRingElement::::ZERO(); cloop! { 
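Review bot: The `#[hax_lib::requires(serialized.len() == BYTES_PER_RING_ELEMENT)]` on deserialize_to_reduced_ring_element is removed outright and replaced by a `hax_debug_assert!`, whereas the equivalent preconditions in sampling.rs in this same commit are kept under `#[cfg_attr(hax, hax_lib::requires(...))]`; the two files now treat the same contract differently, and this function loses its proof-visible precondition. Suggest keeping `#[cfg_attr(hax, hax_lib::requires(serialized.len() == BYTES_PER_RING_ELEMENT))]` alongside the debug assert, as sampling.rs does. The `cloop!` bodies of both deserialize functions in these hunks continue outside the hunks.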
@@ -152,23 +139,15 @@ fn deserialize_to_reduced_ring_element( /// /// This function MUST NOT be used on secret inputs. #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires( - fstar!("Spec.MLKEM.is_rank v_K /\\ - Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)") -)] -#[hax_lib::ensures(|result| - fstar!("forall (i:nat). i < v $K ==> - coefficients_field_modulus_range (Seq.index $result i)") -)] pub(super) fn deserialize_ring_elements_reduced_out< + const PUBLIC_KEY_SIZE: usize, const K: usize, Vector: Operations, >( public_key: &[u8], ) -> [PolynomialRingElement; K] { let mut deserialized_pk = core::array::from_fn(|_i| PolynomialRingElement::::ZERO()); - deserialize_ring_elements_reduced::( + deserialize_ring_elements_reduced::( public_key, &mut deserialized_pk, ); @@ -187,6 +166,7 @@ pub(super) fn deserialize_ring_elements_reduced_out< Spec.MLKEM.vector_decode_12 #$K $public_key") )] pub(super) fn deserialize_ring_elements_reduced< + const PUBLIC_KEY_SIZE: usize, const K: usize, Vector: Operations, >( 
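Review bot: The new `const PUBLIC_KEY_SIZE: usize` generic on deserialize_ring_elements_reduced_out and deserialize_ring_elements_reduced is threaded through the call between them but not used anywhere in the visible lines; the body of deserialize_ring_elements_reduced lies outside the hunk, so it may be consumed there, but if it is only passed along it is dead generic state that every caller must now spell out. If the intent is to replace the removed `Seq.length public_key == …` precondition, a `hax_debug_assert!(public_key.len() == PUBLIC_KEY_SIZE);` at the top of the body would make that explicit and match the pattern used elsewhere in this commit.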
@@ -205,21 +185,13 @@ pub(super) fn deserialize_ring_elements_reduced< } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("v $OUT_LEN == 320 /\\ coefficients_field_modulus_range $re"))] fn compress_then_serialize_10( re: &PolynomialRingElement, ) -> [u8; OUT_LEN] { - hax_lib::fstar!("assert_norm (pow2 10 == 1024)"); let mut serialized = [0u8; OUT_LEN]; for i in 0..VECTORS_IN_RING_ELEMENT { - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i >= 0 /\\ v $i <= 16 /\\ - v $i < 16 ==> coefficients_field_modulus_range $re") }); - hax_lib::fstar!("assert (20 * v $i + 20 <= 320)"); - hax_lib::fstar!("reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #$:Vector)"); let coefficient = - Vector::compress::<10>(to_unsigned_field_modulus(re.coefficients[i])); + Vector::compress::<10>(to_unsigned_field_element::(re.coefficients[i])); let bytes = Vector::serialize_10(coefficient); serialized[20 * i..20 * i + 20].copy_from_slice(&bytes); @@ -228,14 +200,13 @@ fn compress_then_serialize_10( } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] fn compress_then_serialize_11( re: &PolynomialRingElement, ) -> [u8; OUT_LEN] { let mut serialized = [0u8; OUT_LEN]; for i in 0..VECTORS_IN_RING_ELEMENT { let coefficient = - Vector::compress::<11>(to_unsigned_representative::(re.coefficients[i])); + Vector::compress::<11>(to_unsigned_field_element::(re.coefficients[i])); let bytes = Vector::serialize_11(coefficient); serialized[22 * i..22 * i + 22].copy_from_slice(&bytes); 
@@ -258,10 +229,8 @@ pub(super) fn compress_then_serialize_ring_element_u< >( re: &PolynomialRingElement, ) -> [u8; OUT_LEN] { - hax_lib::fstar!("assert ( - (v (cast $COMPRESSION_FACTOR <: u32) == 10) \\/ - (v (cast $COMPRESSION_FACTOR <: u32) == 11)); - Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v $COMPRESSION_FACTOR)"); + hax_debug_assert!((COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8 == OUT_LEN); + match COMPRESSION_FACTOR as u32 { 10 => compress_then_serialize_10(re), 11 => compress_then_serialize_11(re), @@ -270,28 +239,15 @@ pub(super) fn compress_then_serialize_ring_element_u< } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::requires(fstar!("Seq.length $serialized == 128 /\\ - coefficients_field_modulus_range $re"))] -#[hax_lib::ensures(|_| - fstar!("${serialized_future.len()} == ${serialized.len()}") -)] fn compress_then_serialize_4( re: PolynomialRingElement, serialized: &mut [u8], ) { - hax_lib::fstar!("assert_norm (pow2 4 == 16)"); // The semicolon and parentheses at the end of loop are a workaround // for the following bug https://github.com/hacspec/hax/issues/720 for i in 0..VECTORS_IN_RING_ELEMENT { - // NOTE: Using `$serialized` in loop_invariant doesn't work here - hax_lib::loop_invariant!(|i: usize| { fstar!("v $i >= 0 /\\ v $i <= 16 /\\ - v $i < 16 ==> (Seq.length serialized == 128 /\\ coefficients_field_modulus_range $re)") }); - hax_lib::fstar!("assert (8 * v $i + 8 <= 128)"); - hax_lib::fstar!("reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #$:Vector)"); let coefficient = - Vector::compress::<4>(to_unsigned_field_modulus(re.coefficients[i])); + Vector::compress::<4>(to_unsigned_field_element::(re.coefficients[i])); let bytes = Vector::serialize_4(coefficient); serialized[8 * i..8 * i + 8].copy_from_slice(&bytes); 
@@ -300,13 +256,6 @@ fn compress_then_serialize_4( } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires( - serialized.len() == 160 -)] -#[hax_lib::ensures(|_| - fstar!("${serialized_future.len()} == ${serialized.len()}") -)] fn compress_then_serialize_5( re: PolynomialRingElement, serialized: &mut [u8], @@ -315,7 +264,7 @@ fn compress_then_serialize_5( // for the following bug https://github.com/hacspec/hax/issues/720 for i in 0..VECTORS_IN_RING_ELEMENT { let coefficients = - Vector::compress::<5>(to_unsigned_representative::(re.coefficients[i])); + Vector::compress::<5>(to_unsigned_field_element::(re.coefficients[i])); let bytes = Vector::serialize_5(coefficients); serialized[10 * i..10 * i + 10].copy_from_slice(&bytes); @@ -340,10 +289,8 @@ pub(super) fn compress_then_serialize_ring_element_v< re: PolynomialRingElement, out: &mut [u8], ) { - hax_lib::fstar!("assert ( - (v (cast $COMPRESSION_FACTOR <: u32) == 4) \\/ - (v (cast $COMPRESSION_FACTOR <: u32) == 5)); - Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v $COMPRESSION_FACTOR)"); + hax_debug_assert!((COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8 == OUT_LEN); + match COMPRESSION_FACTOR as u32 { 4 => compress_then_serialize_4(re, out), 5 => compress_then_serialize_5(re, out), @@ -352,16 +299,13 @@ pub(super) fn compress_then_serialize_ring_element_v< } #[inline(always)] -#[hax_lib::requires( - serialized.len() == 320 -)] fn deserialize_then_decompress_10( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! sz 8) == 320)"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 10) / 8); + let mut re = PolynomialRingElement::::ZERO(); - let _coefficients_length = re.coefficients.len(); cloop! { for (i, bytes) in serialized.chunks_exact(20).enumerate() { let coefficient = Vector::deserialize_10(bytes); 
@@ -372,13 +316,11 @@ fn deserialize_then_decompress_10( } #[inline(always)] -#[hax_lib::requires( - serialized.len() == 352 -)] fn deserialize_then_decompress_11( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352)"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 11) / 8); + let mut re = PolynomialRingElement::::ZERO(); cloop! { @@ -407,9 +349,8 @@ pub(super) fn deserialize_then_decompress_ring_element_u< >( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert ( - (v (cast $COMPRESSION_FACTOR <: u32) == 10) \\/ - (v (cast $COMPRESSION_FACTOR <: u32) == 11))"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8); + match COMPRESSION_FACTOR as u32 { 10 => deserialize_then_decompress_10(serialized), 11 => deserialize_then_decompress_11(serialized), @@ -418,15 +359,11 @@ pub(super) fn deserialize_then_decompress_ring_element_u< } #[inline(always)] -#[hax_lib::requires( - serialized.len() == 128 -)] fn deserialize_then_decompress_4( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! sz 8) == 128)"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 4) / 8); let mut re = PolynomialRingElement::::ZERO(); - cloop! { for (i, bytes) in serialized.chunks_exact(8).enumerate() { let coefficient = Vector::deserialize_4(bytes); @@ -437,13 +374,11 @@ fn deserialize_then_decompress_4( } #[inline(always)] -#[hax_lib::requires( - serialized.len() == 160 -)] fn deserialize_then_decompress_5( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert (v (($COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! sz 8) == 160)"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * 5) / 8); + let mut re = PolynomialRingElement::::ZERO(); cloop! { 
@@ -471,9 +406,8 @@ pub(super) fn deserialize_then_decompress_ring_element_v< >( serialized: &[u8], ) -> PolynomialRingElement { - hax_lib::fstar!("assert ( - (v (cast $COMPRESSION_FACTOR <: u32) == 4) \\/ - (v (cast $COMPRESSION_FACTOR <: u32) == 5))"); + hax_debug_assert!(serialized.len() == (COEFFICIENTS_IN_RING_ELEMENT * COMPRESSION_FACTOR) / 8); + match COMPRESSION_FACTOR as u32 { 4 => deserialize_then_decompress_4(serialized), 5 => deserialize_then_decompress_5(serialized), diff --git a/libcrux-ml-kem/src/types.rs b/libcrux-ml-kem/src/types.rs index b1ff9dc03..b13a8e8dd 100644 --- a/libcrux-ml-kem/src/types.rs +++ b/libcrux-ml-kem/src/types.rs @@ -48,10 +48,8 @@ macro_rules! impl_generic_struct { } } - #[hax_lib::attributes] impl $name { /// A reference to the raw byte slice. - #[ensures(|result| fstar!("$result == self.f_value"))] pub fn as_slice(&self) -> &[u8; SIZE] { &self.value } @@ -148,7 +146,6 @@ pub struct MlKemKeyPair, } -#[hax_lib::attributes] impl MlKemKeyPair { @@ -161,7 +158,6 @@ impl } /// Create a new [`MlKemKeyPair`] from the secret and public key. - #[ensures(|result| fstar!("${result}.f_sk == $sk /\\ ${result}.f_pk == $pk"))] pub fn from( sk: MlKemPrivateKey, pk: MlKemPublicKey, diff --git a/libcrux-ml-kem/src/utils.rs b/libcrux-ml-kem/src/utils.rs index 62590aa13..3c3be2bcc 100644 --- a/libcrux-ml-kem/src/utils.rs +++ b/libcrux-ml-kem/src/utils.rs 
@@ -8,16 +8,9 @@ #[cfg_attr(hax, hax_lib::requires( slice.len() <= LEN ))] -#[cfg_attr(hax, hax_lib::ensures(|result| - fstar!("$result == Seq.append $slice (Seq.create (v $LEN - v (${slice.len()})) 0uy)")))] pub(crate) fn into_padded_array(slice: &[u8]) -> [u8; LEN] { let mut out = [0u8; LEN]; out[0..slice.len()].copy_from_slice(slice); - hax_lib::fstar!("assert (Seq.slice out 0 (Seq.length slice) == slice)"); - hax_lib::fstar!("assert (Seq.slice out (Seq.length slice) (v v_LEN) == Seq.slice (Seq.create (v v_LEN) 0uy) (Seq.length slice) (v v_LEN))"); - hax_lib::fstar!("assert (forall i. i < Seq.length slice ==> Seq.index out i == Seq.index slice i)"); - hax_lib::fstar!("assert (forall i. (i >= Seq.length slice && i < v v_LEN) ==> Seq.index out i == Seq.index (Seq.slice out (Seq.length slice) (v v_LEN)) (i - Seq.length slice))"); - hax_lib::fstar!("Seq.lemma_eq_intro out (Seq.append slice (Seq.create (v v_LEN - Seq.length slice) 0uy))"); out } diff --git a/libcrux-ml-kem/src/variant.rs b/libcrux-ml-kem/src/variant.rs index 080559de4..5b35244a2 100644 --- a/libcrux-ml-kem/src/variant.rs +++ b/libcrux-ml-kem/src/variant.rs @@ -11,14 +11,10 @@ use crate::{constants::CPA_PKE_KEY_GENERATION_SEED_SIZE, hash_functions::Hash, M /// cf. FIPS 203, Appendix C #[hax_lib::attributes] pub(crate) trait Variant { - #[requires(shared_secret.len() == 32)] - #[ensures(|res| fstar!("$res == $shared_secret"))] // We only have post-conditions for ML-KEM, not Kyber fn kdf>( shared_secret: &[u8], ciphertext: &MlKemCiphertext, ) -> [u8; 32]; - #[requires(randomness.len() == 32)] - #[ensures(|res| fstar!("$res == $randomness"))] // We only have post-conditions for ML-KEM, not Kyber fn entropy_preprocess>(randomness: &[u8]) -> [u8; 32]; #[requires(seed.len() == 32)] #[ensures(|res| fstar!("Seq.length $seed == 32 ==> $res == Spec.Utils.v_G 
@@ -72,8 +68,6 @@ pub(crate) struct MlKem {} #[hax_lib::attributes] impl Variant for MlKem { #[inline(always)] - #[requires(shared_secret.len() == 32)] - #[ensures(|res| fstar!("$res == $shared_secret"))] fn kdf>( shared_secret: &[u8], _: &MlKemCiphertext, @@ -84,8 +78,6 @@ impl Variant for MlKem { } #[inline(always)] - #[requires(randomness.len() == 32)] - #[ensures(|res| fstar!("$res == $randomness"))] fn entropy_preprocess>(randomness: &[u8]) -> [u8; 32] { let mut out = [0u8; 32]; out.copy_from_slice(randomness); diff --git a/libcrux-ml-kem/src/vector/avx2.rs b/libcrux-ml-kem/src/vector/avx2.rs index 2d6d18798..f673b39b1 100644 --- a/libcrux-ml-kem/src/vector/avx2.rs +++ b/libcrux-ml-kem/src/vector/avx2.rs @@ -1,4 +1,5 @@ use super::traits::Operations; + pub(crate) use libcrux_intrinsics::avx2::*; mod arithmetic; @@ -8,25 +9,19 @@ mod sampling; mod serialize; #[derive(Clone, Copy)] -#[hax_lib::fstar::before(interface, "noeq")] -#[hax_lib::fstar::after(interface,"let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements")] pub struct SIMD256Vector { elements: Vec256, } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("repr ${result} == Seq.create 16 0s"))] -fn vec_zero() -> SIMD256Vector { +fn zero() -> SIMD256Vector { SIMD256Vector { elements: mm256_setzero_si256(), } } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("${result} == repr ${v}"))] -fn vec_to_i16_array(v: SIMD256Vector) -> [i16; 16] { +fn to_i16_array(v: SIMD256Vector) -> [i16; 16] { let mut output = [0i16; 16]; mm256_storeu_si256_i16(&mut output, v.elements); 
@@ -34,40 +29,30 @@ fn vec_to_i16_array(v: SIMD256Vector) -> [i16; 16] { } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("repr ${result} == ${array}"))] -fn vec_from_i16_array(array: &[i16]) -> SIMD256Vector { +fn from_i16_array(array: &[i16]) -> SIMD256Vector { SIMD256Vector { elements: mm256_loadu_si256_i16(array), } } -#[cfg(hax)] -impl crate::vector::traits::Repr for SIMD256Vector { - fn repr(x: Self) -> [i16; 16] { - vec_to_i16_array(x) - } -} - -#[hax_lib::attributes] impl Operations for SIMD256Vector { #[inline(always)] #[ensures(|out| fstar!("impl.f_repr out == Seq.create 16 0s"))] fn ZERO() -> Self { - vec_zero() + zero() } #[requires(array.len() == 16)] #[ensures(|out| fstar!("impl.f_repr out == $array"))] #[inline(always)] fn from_i16_array(array: &[i16]) -> Self { - vec_from_i16_array(array) + from_i16_array(array) } #[ensures(|out| fstar!("out == impl.f_repr $x"))] #[inline(always)] fn to_i16_array(x: Self) -> [i16; 16] { - vec_to_i16_array(x) + to_i16_array(x) } #[requires(fstar!("forall i. i < 16 ==> @@ -127,7 +112,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr $vector)"))] #[inline(always)] fn cond_subtract_3329(vector: Self) -> Self { - hax_lib::fstar!("admit()"); Self { elements: arithmetic::cond_subtract_3329(vector.elements), } @@ -154,7 +138,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"))] #[inline(always)] fn compress_1(vector: Self) -> Self { - hax_lib::fstar!("admit()"); Self { elements: compress::compress_message_coefficient(vector.elements), } 
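Review bot: Renaming the free helpers to `zero`, `to_i16_array` and `from_i16_array` gives them the same names as the `Operations` methods that call them; inside `impl Operations for SIMD256Vector` the bare calls `from_i16_array(array)` and `to_i16_array(x)` resolve to the module-level functions (an associated function needs a `Self::` path), so this is not recursion, but a reader has to know that rule to see it. The previous `vec_` prefix, or writing the calls as `self::from_i16_array(array)`, removes the ambiguity. The same applies to `zero()` in the `@@ -8` hunk on the previous line.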
@@ -173,7 +156,6 @@ impl Operations for SIMD256Vector { (forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) (v $COEFFICIENT_BITS))"))] #[inline(always)] fn compress(vector: Self) -> Self { - hax_lib::fstar!("admit()"); Self { elements: compress::compress_ciphertext_coefficient::( vector.elements, @@ -198,7 +180,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"))] #[inline(always)] fn ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3), } @@ -209,7 +190,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"))] #[inline(always)] fn ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_layer_2_step(vector.elements, zeta0, zeta1), } @@ -220,7 +200,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"))] #[inline(always)] fn ntt_layer_3_step(vector: Self, zeta: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_layer_3_step(vector.elements, zeta), } @@ -232,7 +211,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] #[inline(always)] fn inv_ntt_layer_1_step(vector: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::inv_ntt_layer_1_step(vector.elements, zeta0, zeta1, zeta2, zeta3), } 
@@ -243,7 +221,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] #[inline(always)] fn inv_ntt_layer_2_step(vector: Self, zeta0: i16, zeta1: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::inv_ntt_layer_2_step(vector.elements, zeta0, zeta1), } @@ -254,7 +231,6 @@ impl Operations for SIMD256Vector { #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] #[inline(always)] fn inv_ntt_layer_3_step(vector: Self, zeta: i16) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::inv_ntt_layer_3_step(vector.elements, zeta), } @@ -274,7 +250,6 @@ impl Operations for SIMD256Vector { zeta2: i16, zeta3: i16, ) -> Self { - hax_lib::fstar!("admit()"); Self { elements: ntt::ntt_multiply(lhs.elements, rhs.elements, zeta0, zeta1, zeta2, zeta3), } @@ -318,14 +293,12 @@ impl Operations for SIMD256Vector { #[inline(always)] fn serialize_5(vector: Self) -> [u8; 10] { - hax_lib::fstar!("admit()"); serialize::serialize_5(vector.elements) } #[requires(bytes.len() == 10)] #[inline(always)] fn deserialize_5(bytes: &[u8]) -> Self { - hax_lib::fstar!("admit()"); Self { elements: serialize::deserialize_5(bytes), } diff --git a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs index 1032ee28d..a980eb75d 100644 --- a/libcrux-ml-kem/src/vector/avx2/arithmetic.rs +++ b/libcrux-ml-kem/src/vector/avx2/arithmetic.rs 
@@ -3,95 +3,28 @@ use crate::vector::{traits::INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, FIELD_MODULUS}; use super::*; #[inline(always)] -#[hax_lib::fstar::before(interface, "open Libcrux_intrinsics.Avx2_extract")] -#[hax_lib::fstar::before( - " -let lemma_add_i (lhs rhs: t_Vec256) (i:nat): Lemma - (requires (i < 16 /\\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i)))) - (ensures (v (add_mod (get_lane lhs i) (get_lane rhs i)) == - (v (get_lane lhs i) + v (get_lane rhs i)))) - [SMTPat (v (add_mod (get_lane lhs i) (get_lane rhs i)))] = ()" -)] -#[hax_lib::requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) + v (get_lane $rhs i))"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - v (get_lane $result i) == (v (get_lane $lhs i) + v (get_lane $rhs i))"))] pub(crate) fn add(lhs: Vec256, rhs: Vec256) -> Vec256 { - let result = mm256_add_epi16(lhs, rhs); - hax_lib::fstar!("assert (forall i. get_lane result i == get_lane lhs i +. get_lane rhs i); - assert (forall i. v (get_lane result i) == v (get_lane lhs i) + v (get_lane rhs i))"); - result + mm256_add_epi16(lhs, rhs) } #[inline(always)] -#[hax_lib::fstar::before( - " -let lemma_sub_i (lhs rhs: t_Vec256) (i:nat): Lemma - (requires (i < 16 /\\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i)))) - (ensures (v (sub_mod (get_lane lhs i) (get_lane rhs i)) == - (v (get_lane lhs i) - v (get_lane rhs i)))) - [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = ()" -)] -#[hax_lib::requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $lhs i) - v (get_lane $rhs i))"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - v (get_lane $result i) == (v (get_lane $lhs i) - v (get_lane $rhs i))"))] pub(crate) fn sub(lhs: Vec256, rhs: Vec256) -> Vec256 { - let result = mm256_sub_epi16(lhs, rhs); - hax_lib::fstar!("assert (forall i. get_lane result i == get_lane lhs i -. 
get_lane rhs i); - assert (forall i. v (get_lane result i) == v (get_lane lhs i) - v (get_lane rhs i))"); - result + mm256_sub_epi16(lhs, rhs) } #[inline(always)] -#[hax_lib::fstar::before( - " -let lemma_mul_i (lhs: t_Vec256) (i:nat) (c:i16): Lemma - (requires (i < 16 /\\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) * v c))) - (ensures (v (mul_mod (get_lane lhs i) c) == - (v (get_lane lhs i) * v c))) - [SMTPat (v (mul_mod (get_lane lhs i) c))] = ()" -)] -#[hax_lib::requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane $vector i) * v constant)"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - v (get_lane $result i) == (v (get_lane $vector i) * v constant)"))] pub(crate) fn multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 { - let cv = mm256_set1_epi16(constant); - let result = mm256_mullo_epi16(vector, cv); - hax_lib::fstar!("Seq.lemma_eq_intro (vec256_as_i16x16 ${result}) - (Spec.Utils.map_array (fun x -> x *. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))"); - - hax_lib::fstar!("assert (forall i. get_lane result i == get_lane vector i *. constant); - assert (forall i. v (get_lane vector i *. constant) == v (get_lane vector i) * v constant); - assert (forall i. v (get_lane result i) == v (get_lane vector i) * v constant)"); - result + mm256_mullo_epi16(vector, mm256_set1_epi16(constant)) } #[inline(always)] -#[hax_lib::ensures(|result| fstar!("Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == - Spec.Utils.map_array (fun x -> x &. $constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"))] pub(crate) fn bitwise_and_with_constant(vector: Vec256, constant: i16) -> Vec256 { - let cv = mm256_set1_epi16(constant); - let result = mm256_and_si256(vector, cv); - hax_lib::fstar!("Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) - (Spec.Utils.map_array (fun x -> x &. 
$constant) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))"); - result + mm256_and_si256(vector, mm256_set1_epi16(constant)) } #[inline(always)] -#[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] -#[hax_lib::ensures(|result| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> - Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result == - Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"))] pub(crate) fn shift_right(vector: Vec256) -> Vec256 { - let result = mm256_srai_epi16::<{ SHIFT_BY }>(vector); - hax_lib::fstar!( - "Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) - (Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector))" - ); - result + mm256_srai_epi16::<{ SHIFT_BY }>(vector) } // #[inline(always)] 
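Review bot: `shift_right` loses `#[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)]` and nothing on the new side records the valid range of the shift count; since the const-generic parameter list is not visible in this hunk, restate it as a doc comment, e.g. `/// Arithmetic right shift of every `i16` lane by `SHIFT_BY`, which must be in `0..16`.`. `add`, `sub` and `multiply_by_constant` likewise drop the preconditions that the lane-wise sum, difference or product fits in an `i16`; the intrinsics wrap rather than trap, so a one-liner such as `/// Callers must keep `lhs[i] + rhs[i]` within `i16` range (the add wraps).` (and its counterparts for `sub` and `multiply_by_constant`) keeps the overflow contract visible to the next caller.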
@@ -100,36 +33,17 @@ pub(crate) fn shift_right(vector: Vec256) -> Vec256 { // } #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vector)"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - get_lane $result i == - (if (get_lane $vector i) >=. 3329s then get_lane $vector i -! 3329s else get_lane $vector i)"))] pub(crate) fn cond_subtract_3329(vector: Vec256) -> Vec256 { let field_modulus = mm256_set1_epi16(FIELD_MODULUS); - hax_lib::fstar!("assert (forall i. get_lane $field_modulus i == 3329s)"); + // Compute v_i - Q and crate a mask from the sign bit of each of these // quantities. let v_minus_field_modulus = mm256_sub_epi16(vector, field_modulus); - hax_lib::fstar!( - "assert (forall i. get_lane $v_minus_field_modulus i == get_lane $vector i -. 3329s)" - ); - let sign_mask = mm256_srai_epi16::<15>(v_minus_field_modulus); - hax_lib::fstar!( - "assert (forall i. get_lane $sign_mask i == (get_lane $v_minus_field_modulus i >>! 15l))" - ); // If v_i - Q < 0 then add back Q to (v_i - Q). let conditional_add_field_modulus = mm256_and_si256(sign_mask, field_modulus); - hax_lib::fstar!("assert (forall i. get_lane $conditional_add_field_modulus i == (get_lane $sign_mask i &. 3329s))"); - - let result = mm256_add_epi16(v_minus_field_modulus, conditional_add_field_modulus); - hax_lib::fstar!("assert (forall i. get_lane $result i == (get_lane $v_minus_field_modulus i +. get_lane $conditional_add_field_modulus i)); - assert (forall i. get_lane $result i == Spec.Utils.cond_sub (get_lane $vector i)); - assert (forall i. get_lane $result i == (if (get_lane $vector i) >=. 3329s then get_lane $vector i -! 3329s else get_lane $vector i))"); - - result + mm256_add_epi16(v_minus_field_modulus, conditional_add_field_modulus) } const BARRETT_MULTIPLIER: i16 = 20159; 
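Review bot: The comment kept on the new side of `cond_subtract_3329` misspells "create" (`// Compute v_i - Q and crate a mask`); change it to `// Compute v_i - Q and create a mask from the sign bit of each of these`. The removed `requires` also recorded an input bound of `pow2 12 - 1` on every lane (`is_i16b_array (pow2 12 - 1)`), and the sign-bit trick below was only verified under that bound, so it should be kept as `/// Every lane must be bounded by 4095 (2^12 - 1), as required by the sign-bit mask below.` above the function.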
@@ -137,145 +51,57 @@ const BARRETT_MULTIPLIER: i16 = 20159; /// See Section 3.2 of the implementation notes document for an explanation /// of this code. #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 200"))] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 28296 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${vector})")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\ - (forall i. i < 16 ==> v (get_lane $result i) % 3329 == - (v (get_lane $vector i) % 3329))")))] pub(crate) fn barrett_reduce(vector: Vec256) -> Vec256 { - let t0 = mm256_mulhi_epi16(vector, mm256_set1_epi16(BARRETT_MULTIPLIER)); - hax_lib::fstar!("assert (forall i. get_lane $t0 i == (cast (((cast (get_lane $vector i) <: i32) *. (cast v_BARRETT_MULTIPLIER <: i32)) >>! 16l) <: i16))"); - let t512 = mm256_set1_epi16(512); - hax_lib::fstar!("assert (forall i. get_lane $t512 i == 512s)"); - let t1 = mm256_add_epi16(t0, t512); - hax_lib::fstar!("assert (forall i. get_lane $t1 i == get_lane $t0 i +. 512s)"); - let quotient = mm256_srai_epi16::<10>(t1); - hax_lib::fstar!( - "assert (forall i. get_lane $quotient i == (((get_lane $t1 i) <: i16) >>! (10l <: i32)))" - ); + let t = mm256_mulhi_epi16(vector, mm256_set1_epi16(BARRETT_MULTIPLIER)); + let t = mm256_add_epi16(t, mm256_set1_epi16(512)); + + let quotient = mm256_srai_epi16::<10>(t); + let quotient_times_field_modulus = mm256_mullo_epi16(quotient, mm256_set1_epi16(FIELD_MODULUS)); - hax_lib::fstar!( - "assert (forall i. get_lane $quotient_times_field_modulus i == - get_lane $quotient i *. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS)" - ); - let result = mm256_sub_epi16(vector, quotient_times_field_modulus); - hax_lib::fstar!("assert (forall i. get_lane $result i == - get_lane $vector i -. get_lane $quotient_times_field_modulus i); - assert (forall i. 
get_lane $result i == Spec.Utils.barrett_red (get_lane $vector i)); - assert (forall i. v (get_lane $result i) % 3329 == v (get_lane $vector i) % 3329); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result))"); - result + + mm256_sub_epi16(vector, quotient_times_field_modulus) } #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 200"))] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 constant")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\ - (forall i. i < 16 ==> v (get_lane $result i) % 3329 == - ((v (get_lane $vector i) * v constant * 169) % 3329))")))] pub(crate) fn montgomery_multiply_by_constant(vector: Vec256, constant: i16) -> Vec256 { - let vec_constant = mm256_set1_epi16(constant); - hax_lib::fstar!("assert (forall i. get_lane $vec_constant i == $constant)"); - let value_low = mm256_mullo_epi16(vector, vec_constant); - hax_lib::fstar!("assert (forall i. get_lane $value_low i == get_lane $vector i *. $constant)"); + let constant = mm256_set1_epi16(constant); + let value_low = mm256_mullo_epi16(vector, constant); + let k = mm256_mullo_epi16( value_low, mm256_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16), ); - hax_lib::fstar!("assert (forall i. get_lane $k i == get_lane $value_low i *. (neg 3327s))"); - let modulus = mm256_set1_epi16(FIELD_MODULUS); - hax_lib::fstar!("assert (forall i. get_lane $modulus i == 3329s)"); - let k_times_modulus = mm256_mulhi_epi16(k, modulus); - hax_lib::fstar!("assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 
16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $modulus)); - assert (forall i. get_lane $k_times_modulus i == - (cast (((cast (get_lane $k i) <: i32) *. (cast (get_lane $modulus i) <: i32)) >>! 16l) <: i16))"); - - let value_high = mm256_mulhi_epi16(vector, vec_constant); - hax_lib::fstar!("assert (forall i. get_lane $value_high i == - (cast (((cast (get_lane $vector i) <: i32) *. (cast (get_lane $vec_constant i) <: i32)) >>! 16l) <: i16))"); + let k_times_modulus = mm256_mulhi_epi16(k, mm256_set1_epi16(FIELD_MODULUS)); - let result = mm256_sub_epi16(value_high, k_times_modulus); - hax_lib::fstar!("Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. get_lane $result i == (get_lane $value_high i) -. (get_lane $k_times_modulus i)); - assert (forall i. get_lane $result i == Spec.Utils.mont_mul_red_i16 (get_lane $vector i) $constant); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result)); - assert (forall i. v (get_lane $result i) % 3329 == ((v (get_lane $vector i) * v $constant * 169) % 3329))"); - result + let value_high = mm256_mulhi_epi16(vector, constant); + + mm256_sub_epi16(value_high, k_times_modulus) } #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $constants))")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\ - (forall i. 
i < 16 ==> v (get_lane $result i) % 3329 == - ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))")))] -pub(crate) fn montgomery_multiply_by_constants(vec: Vec256, constants: Vec256) -> Vec256 { - let value_low = mm256_mullo_epi16(vec, constants); - hax_lib::fstar!( - "assert (forall i. get_lane $value_low i == get_lane $vec i *. get_lane $constants i)" - ); +pub(crate) fn montgomery_multiply_by_constants(v: Vec256, c: Vec256) -> Vec256 { + let value_low = mm256_mullo_epi16(v, c); let k = mm256_mullo_epi16( value_low, mm256_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16), ); - hax_lib::fstar!("assert (forall i. get_lane $k i == get_lane $value_low i *. (neg 3327s))"); + let k_times_modulus = mm256_mulhi_epi16(k, mm256_set1_epi16(FIELD_MODULUS)); - let modulus = mm256_set1_epi16(FIELD_MODULUS); - hax_lib::fstar!("assert (forall i. get_lane $modulus i == 3329s)"); + let value_high = mm256_mulhi_epi16(v, c); - let k_times_modulus = mm256_mulhi_epi16(k, modulus); - hax_lib::fstar!("assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $k) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $modulus)); - assert (forall i. get_lane $k_times_modulus i == - (cast (((cast (get_lane $k i) <: i32) *. (cast (get_lane $modulus i) <: i32)) >>! 16l) <: i16))"); - - let value_high = mm256_mulhi_epi16(vec, constants); - hax_lib::fstar!("assert (forall i. get_lane $value_high i == - (cast (((cast (get_lane $vec i) <: i32) *. (cast (get_lane $constants i) <: i32)) >>! 16l) <: i16))"); - - let result = mm256_sub_epi16(value_high, k_times_modulus); - hax_lib::fstar!("Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. 
get_lane $result i == (get_lane $value_high i) -. (get_lane $k_times_modulus i)); - assert (forall i. get_lane $result i == Spec.Utils.mont_mul_red_i16 (get_lane $vec i) (get_lane $constants i)); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane $result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result)); - assert (forall i. v (get_lane $result i) % 3329 == ((v (get_lane $vec i) * v (get_lane $constants i) * 169) % 3329))"); - result + mm256_sub_epi16(value_high, k_times_modulus) } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array (3328 * pow2 16) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vec))")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (3328 + 1665) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 ${result}) /\\ - (Spec.Utils.is_i16b_array (3328 * pow2 15) (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $vec) ==> - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 $result)) /\\ - (forall i. i < 16 ==> v (get_lane $result i) % 3329 == - ((v (get_lane $vec i) * 169) % 3329))")))] -pub(crate) fn montgomery_reduce_i32s(vec: Vec256) -> Vec256 { +pub(crate) fn montgomery_reduce_i32s(v: Vec256) -> Vec256 { let k = mm256_mullo_epi16( - vec, + v, mm256_set1_epi32(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32), ); let k_times_modulus = mm256_mulhi_epi16(k, mm256_set1_epi32(FIELD_MODULUS as i32)); - let value_high = mm256_srli_epi32::<16>(vec); + let value_high = mm256_srli_epi32::<16>(v); let result = mm256_sub_epi16(value_high, k_times_modulus); 
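Review bot: In `montgomery_multiply_by_constant` the new line `let constant = mm256_set1_epi16(constant);` shadows the `i16` parameter with a `Vec256` of the same name, so the two meanings of `constant` are only distinguishable by position; keeping the old name (`let vec_constant = mm256_set1_epi16(constant);` and `mm256_mulhi_epi16(vector, vec_constant)`) avoids that. `montgomery_multiply_by_constants` and `montgomery_reduce_i32s` also rename `vec`/`constants` to `v`/`c`, which drops the only hint of what the operands are; the same rename appears in `montgomery_multiply_m128i_by_constants` in the next hunk. The input ranges removed together with the `requires` attributes (`is_i16b_array 28296` for `barrett_reduce`, `is_i16b 1664` on the constants for the Montgomery multiplications) were the only record of what the reductions were verified for and should survive as doc comments on each function.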
@@ -285,49 +111,16 @@ pub(crate) fn montgomery_reduce_i32s(vec: Vec256) -> Vec256 { } #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::options("--z3rlimit 100"))] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $constants))")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 ${result}) /\\ - (forall i. i < 8 ==> v (get_lane128 $result i) % 3329 == - ((v (get_lane128 $vec i) * v (get_lane128 $constants i) * 169) % 3329))")))] -pub(crate) fn montgomery_multiply_m128i_by_constants(vec: Vec128, constants: Vec128) -> Vec128 { - let value_low = mm_mullo_epi16(vec, constants); - hax_lib::fstar!("assert (forall i. get_lane128 $value_low i == get_lane128 $vec i *. get_lane128 $constants i)"); +pub(crate) fn montgomery_multiply_m128i_by_constants(v: Vec128, c: Vec128) -> Vec128 { + let value_low = mm_mullo_epi16(v, c); let k = mm_mullo_epi16( value_low, mm_set1_epi16(INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i16), ); - hax_lib::fstar!( - "assert (forall i. get_lane128 $k i == get_lane128 $value_low i *. (neg 3327s))" - ); + let k_times_modulus = mm_mulhi_epi16(k, mm_set1_epi16(FIELD_MODULUS)); + + let value_high = mm_mulhi_epi16(v, c); - let modulus = mm_set1_epi16(FIELD_MODULUS); - hax_lib::fstar!("assert (forall i. get_lane128 $modulus i == 3329s)"); - - let k_times_modulus = mm_mulhi_epi16(k, modulus); - hax_lib::fstar!("assert (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $k) - (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $modulus)); - assert (forall i. get_lane128 $k_times_modulus i == - (cast (((cast (get_lane128 $k i) <: i32) *. (cast (get_lane128 $modulus i) <: i32)) >>! 
16l) <: i16))"); - - let value_high = mm_mulhi_epi16(vec, constants); - hax_lib::fstar!("assert (forall i. get_lane128 $value_high i == - (cast (((cast (get_lane128 $vec i) <: i32) *. (cast (get_lane128 $constants i) <: i32)) >>! 16l) <: i16))"); - - let result = mm_sub_epi16(value_high, k_times_modulus); - hax_lib::fstar!("Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. get_lane128 $result i == (get_lane128 $value_high i) -. (get_lane128 $k_times_modulus i)); - assert (forall i. get_lane128 $result i == Spec.Utils.mont_mul_red_i16 (get_lane128 $vec i) (get_lane128 $constants i)); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane128 $result i)); - assert (forall (i:nat). i < 8 ==> Spec.Utils.is_i16b 3328 (get_lane128 $result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 $result)); - assert (forall i. v (get_lane128 $result i) % 3329 == ((v (get_lane128 $vec i) * v (get_lane128 $constants i) * 169) % 3329))"); - - result + mm_sub_epi16(value_high, k_times_modulus) } diff --git a/libcrux-ml-kem/src/vector/avx2/compress.rs b/libcrux-ml-kem/src/vector/avx2/compress.rs index 9d02e9730..fc5464957 100644 --- a/libcrux-ml-kem/src/vector/avx2/compress.rs +++ b/libcrux-ml-kem/src/vector/avx2/compress.rs @@ -38,8 +38,6 @@ pub(crate) fn compress_message_coefficient(vector: Vec256) -> Vec256 { } #[inline(always)] -#[hax_lib::requires(fstar!("v $COEFFICIENT_BITS >= 0 /\\ v $COEFFICIENT_BITS < bits i32_inttype /\\ - range (v (1l <( vector: Vec256, ) -> Vec256 { @@ -105,7 +103,6 @@ pub(crate) fn compress_ciphertext_coefficient( } #[inline(always)] -#[hax_lib::requires(fstar!("v $COEFFICIENT_BITS >= 0 /\\ v $COEFFICIENT_BITS < bits i32_inttype"))] pub(crate) fn decompress_ciphertext_coefficient( vector: Vec256, ) -> Vec256 { 
diff --git a/libcrux-ml-kem/src/vector/avx2/ntt.rs b/libcrux-ml-kem/src/vector/avx2/ntt.rs index 437c6a473..b571b0ee7 100644 --- a/libcrux-ml-kem/src/vector/avx2/ntt.rs +++ b/libcrux-ml-kem/src/vector/avx2/ntt.rs @@ -1,7 +1,6 @@ use super::*; #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"))] pub(crate) fn ntt_layer_1_step( vector: Vec256, zeta0: i16, @@ -23,7 +22,6 @@ pub(crate) fn ntt_layer_1_step( } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1"))] pub(crate) fn ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 { let zetas = mm256_set_epi16( -zeta1, -zeta1, -zeta1, -zeta1, zeta1, zeta1, zeta1, zeta1, -zeta0, -zeta0, -zeta0, -zeta0, @@ -39,7 +37,6 @@ pub(crate) fn ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta"))] pub(crate) fn ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { let rhs = mm256_extracti128_si256::<1>(vector); let rhs = arithmetic::montgomery_multiply_m128i_by_constants(rhs, mm_set1_epi16(zeta)); @@ -56,8 +53,6 @@ pub(crate) fn ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"))] pub(crate) fn inv_ntt_layer_1_step( vector: Vec256, zeta0: i16, @@ -87,7 +82,6 @@ pub(crate) fn inv_ntt_layer_1_step( } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1"))] pub(crate) fn inv_ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Vec256 { let lhs = mm256_permute4x64_epi64::<0b11_11_01_01>(vector); 
@@ -109,7 +103,6 @@ pub(crate) fn inv_ntt_layer_2_step(vector: Vec256, zeta0: i16, zeta1: i16) -> Ve } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta"))] pub(crate) fn inv_ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { let lhs = mm256_extracti128_si256::<1>(vector); let rhs = mm256_castsi256_si128(vector); @@ -127,7 +120,6 @@ pub(crate) fn inv_ntt_layer_3_step(vector: Vec256, zeta: i16) -> Vec256 { } #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3"))] pub(crate) fn ntt_multiply( lhs: Vec256, rhs: Vec256, diff --git a/libcrux-ml-kem/src/vector/avx2/sampling.rs b/libcrux-ml-kem/src/vector/avx2/sampling.rs index 1f3565b40..9ce5c20f8 100644 --- a/libcrux-ml-kem/src/vector/avx2/sampling.rs +++ b/libcrux-ml-kem/src/vector/avx2/sampling.rs @@ -5,11 +5,6 @@ use super::{ }; #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(input.len() == 24 && output.len() == 16)] -#[hax_lib::ensures(|res| - fstar!("Seq.length $output_future == Seq.length $output /\\ v $res <= 16") - )] pub(crate) fn rejection_sample(input: &[u8], output: &mut [i16]) -> usize { let field_modulus = mm256_set1_epi16(FIELD_MODULUS); 
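Review bot: `rejection_sample` loses `#[hax_lib::requires(input.len() == 24 && output.len() == 16)]` and the `ensures` that the result is at most 16, leaving the slice-length contract undocumented even though the F* block removed in the next hunk shows the function indexes `output` by a popcount-derived range; a doc comment such as `/// `input` must be 24 bytes and `output` 16 elements; returns the number of coefficients written (at most 16).` should replace the removed contract. The function body continues outside the hunk.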
@@ -31,14 +26,6 @@ pub(crate) fn rejection_sample(input: &[u8], output: &mut [i16]) -> usize { // each lane in the register to tell us what coefficients to keep and what // to throw-away. Combine all the bits (there are 16) into two bytes. let good = serialize_1(compare_with_field_modulus); - hax_lib::fstar!("assert (v (cast (${good}.[ sz 0 ] <: u8) <: usize) < 256); - assert (v (cast (${good}.[ sz 1 ] <: u8) <: usize) < 256); - // We need to provide a definition or post-condition for Core.Num.impl__u8__count_ones - assume (v (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize) <= 8); - assume (v (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 1 ]) <: usize) <= 8); - assume (Core.Ops.Index.f_index_pre output ({ - Core.Ops.Range.f_start = cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize; - Core.Ops.Range.f_end = (cast (Core.Num.impl__u8__count_ones ${good}.[ sz 0 ]) <: usize) +! sz 8 }))"); // Each bit (and its corresponding position) represents an element we // want to sample. We'd like all such elements to be next to each other starting diff --git a/libcrux-ml-kem/src/vector/avx2/serialize.rs b/libcrux-ml-kem/src/vector/avx2/serialize.rs index 693bb1bf8..5b2a4fae5 100644 --- a/libcrux-ml-kem/src/vector/avx2/serialize.rs +++ b/libcrux-ml-kem/src/vector/avx2/serialize.rs @@ -2,9 +2,6 @@ use super::*; use crate::vector::portable::PortableVector; #[inline(always)] -#[hax_lib::fstar::options("--ext context_pruning --compat_pre_core 0")] -#[hax_lib::requires(fstar!("forall i. i % 16 >= 1 ==> vector i == 0"))] -#[hax_lib::ensures(|result| fstar!("forall i. bit_vec_of_int_t_array $result 8 i == $vector (i * 16)"))] pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] { // Suppose |vector| is laid out as follows (superscript number indicates the // corresponding bit is duplicated that many times): 
@@ -46,139 +43,79 @@ pub(crate) fn serialize_1(vector: Vec256) -> [u8; 2] { // 0xFF 0x00 0x00 0x00 | 0xFF 0x00 0x00 0x00 | 0x00 0x00 0x00 0x00 | 0x00 0x00 0x00 0xFF let msbs = mm_packs_epi16(low_msbs, high_msbs); - hax_lib::fstar!( - r#" -let bits_packed' = BitVec.Intrinsics.mm_movemask_epi8_bv msbs in - assert (forall (i: nat{i < 16}). bits_packed' i = $vector ((i / 1) * 16 + i % 1)) - by ( - Tactics.Utils.prove_forall_nat_pointwise (fun _ -> - Tactics.compute (); - Tactics.smt_sync () - ) - ) -"# - ); - // Now that every element is either 0xFF or 0x00, we just extract the most // significant bit from each element and collate them into two bytes. let bits_packed = mm_movemask_epi8(msbs); - let result = [bits_packed as u8, (bits_packed >> 8) as u8]; + let mut serialized = [0u8; 2]; + serialized[0] = bits_packed as u8; + serialized[1] = (bits_packed >> 8) as u8; - hax_lib::fstar!( - r#" -assert (forall (i: nat {i < 8}). get_bit ($bits_packed >>! 8l <: i32) (sz i) == get_bit $bits_packed (sz (i + 8))) -"# - ); - - result + serialized } #[inline(always)] -#[hax_lib::requires(bytes.len() == 2)] -#[hax_lib::ensures(|coefficients| fstar!( - r#"forall (i:nat{i < 256}). - $coefficients i - = ( if i % 16 >= 1 then 0 - else let j = (i / 16) * 1 + i % 16 in - bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 2)) 8 j)) -"# -))] -#[hax_lib::fstar::before("#restart-solver")] pub(crate) fn deserialize_1(bytes: &[u8]) -> Vec256 { - #[hax_lib::ensures(|coefficients| fstar!( - r#"forall (i:nat{i < 256}). - $coefficients i - = ( if i % 16 >= 1 then 0 - else let j = (i / 16) * 1 + i % 16 in - if i < 128 then get_bit $a (sz j) else get_bit $b (sz (j - 8))) -"# - ))] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - #[inline(always)] - pub(crate) fn deserialize_1_u8s(a: u8, b: u8) -> Vec256 { - deserialize_1_i16s(a as i16, b as i16) - } - - #[hax_lib::ensures(|coefficients| fstar!( - r#"forall (i:nat{i < 256}). 
- $coefficients i - = ( if i % 16 >= 1 then 0 - else let j = (i / 16) * 1 + i % 16 in - if i < 128 then get_bit $a (sz j) else get_bit $b (sz (j - 8))) -"# - ))] - #[inline(always)] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - pub(crate) fn deserialize_1_i16s(a: i16, b: i16) -> Vec256 { - // We need to take each bit from the 2 bytes of input and put them - // into their own 16-bit lane. Ideally, we'd load the two bytes into the vector, - // duplicate them, and right-shift the 0th element by 0 bits, - // the first element by 1 bit, the second by 2 bits and so on before AND-ing - // with 0x1 to leave only the least signifinicant bit. - // But since |_mm256_srlv_epi16| does not exist, so we have to resort to a - // workaround. - // - // Rather than shifting each element by a different amount, we'll multiply - // each element by a value such that the bit we're interested in becomes the most - // significant bit. - // The coefficients are loaded as follows: - let coefficients = mm256_set_epi16(b, b, b, b, b, b, b, b, a, a, a, a, a, a, a, a); - - // And this vector, when multiplied with the previous one, ensures that the - // bit we'd like to keep in each lane becomes the most significant bit upon - // multiplication. - let coefficients_in_msb = mm256_mullo_epi16( - coefficients, - mm256_set_epi16( - 1 << 8, - 1 << 9, - 1 << 10, - 1 << 11, - 1 << 12, - 1 << 13, - 1 << 14, - -32768, - 1 << 8, - 1 << 9, - 1 << 10, - 1 << 11, - 1 << 12, - 1 << 13, - 1 << 14, - -32768, - ), - ); - - // Now that they're all in the most significant bit position, shift them - // down to the least significant bit. - mm256_srli_epi16::<15>(coefficients_in_msb) - } - - deserialize_1_u8s(bytes[0], bytes[1]) -} + // We need to take each bit from the 2 bytes of input and put them + // into their own 16-bit lane. 
Ideally, we'd load the two bytes into the vector, + // duplicate them, and right-shift the 0th element by 0 bits, + // the first element by 1 bit, the second by 2 bits and so on before AND-ing + // with 0x1 to leave only the least signifinicant bit. + // But since |_mm256_srlv_epi16| does not exist, so we have to resort to a + // workaround. + // + // Rather than shifting each element by a different amount, we'll multiply + // each element by a value such that the bit we're interested in becomes the most + // significant bit. + + // The coefficients are loaded as follows: + let coefficients = mm256_set_epi16( + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + bytes[0] as i16, + ); -/// `mm256_concat_pairs_n(n, x)` is then a sequence of 32 bits packets -/// of the shape `0b0…0b₁…bₙa₁…aₙ`, if `x` is a sequence of pairs of -/// 16 bits, of the shape `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` (where the last -/// `n` bits are non-zero). -#[hax_lib::fstar::replace(interface, "include BitVec.Intrinsics {mm256_concat_pairs_n}")] -#[inline(always)] -fn mm256_concat_pairs_n(n: u8, x: Vec256) -> Vec256 { - let n = 1 << n; - mm256_madd_epi16( - x, - mm256_set_epi16(n, 1, n, 1, n, 1, n, 1, n, 1, n, 1, n, 1, n, 1), - ) + // And this vector, when multiplied with the previous one, ensures that the + // bit we'd like to keep in each lane becomes the most significant bit upon + // multiplication. 
+ let shift_lsb_to_msb = mm256_set_epi16( + 1 << 8, + 1 << 9, + 1 << 10, + 1 << 11, + 1 << 12, + 1 << 13, + 1 << 14, + -32768, + 1 << 8, + 1 << 9, + 1 << 10, + 1 << 11, + 1 << 12, + 1 << 13, + 1 << 14, + -32768, + ); + let coefficients_in_msb = mm256_mullo_epi16(coefficients, shift_lsb_to_msb); + + // Now that they're all in the most significant bit position, shift them + // down to the least significant bit. + mm256_srli_epi16::<15>(coefficients_in_msb) } -#[hax_lib::fstar::options("--ext context_pruning --split_queries always")] -#[hax_lib::requires( - fstar!( - r#"forall (i: nat{i < 256}). i % 16 < 4 || $vector i = 0"# - ) -)] -#[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 64}). bit_vec_of_int_t_array $r 8 i == $vector ((i/4) * 16 + i%4)"))] #[inline(always)] pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { let mut serialized = [0u8; 16]; @@ -191,7 +128,27 @@ pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { // as follows: // // 0x00_00_00_BA 0x00_00_00_DC | 0x00_00_00_FE 0x00_00_00_HG | ... - let adjacent_2_combined = mm256_concat_pairs_n(4, vector); + let adjacent_2_combined = mm256_madd_epi16( + vector, + mm256_set_epi16( + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + 1 << 4, + 1, + ), + ); // Recall that |adjacent_2_combined| goes as follows: // 
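Review bot: In `serialize_1` the new side replaces `let result = [bits_packed as u8, (bits_packed >> 8) as u8];` with a zero-initialised `let mut serialized = [0u8; 2];` followed by two element stores; the array literal yields the same two bytes without the mutable binding and the dead zero fill, so returning `[bits_packed as u8, (bits_packed >> 8) as u8]` directly reads better. `deserialize_1` drops `#[hax_lib::requires(bytes.len() == 2)]` but still indexes `bytes[0]` and `bytes[1]`, so a short slice now fails at the index with no stated contract; add `/// `bytes` must contain exactly 2 bytes.` above it. The comment moved into `deserialize_1` still carries the typo `signifinicant` (`least signifinicant bit`), and the `mm256_concat_pairs_n` doc comment describing the `0b0…0b₁…bₙa₁…aₙ` packet shape disappears together with the helper.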
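Review bot: The inlined `mm256_madd_epi16(vector, mm256_set_epi16(1 << 4, 1, ...))` in `serialize_4` replaces the `mm256_concat_pairs_n(4, vector)` call but not the helper's explanation, so the purpose of the alternating `1 << 4, 1` multipliers is no longer stated; a comment above the call such as `// madd with multipliers (1, 16) per lane pair: lane 2k + 16 * lane 2k+1, packing two 4-bit values into one 32-bit word (0b0…0b₁…b₄a₁…a₄).` restores it. If the other `serialize_N` functions need the same constant with a different shift, a small helper taking the shift as a parameter (as `mm256_concat_pairs_n` did) would avoid repeating the 16-element literal.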
@@ -219,131 +176,71 @@ pub(crate) fn serialize_4(vector: Vec256) -> [u8; 8] { // ... so that we can read them out in one go. mm_storeu_bytes_si128(&mut serialized, combined); - hax_lib::fstar!( - r#" -assert (forall (i: nat{i < 64}). $combined i == bit_vec_of_int_t_array serialized 8 i); - introduce forall (i: nat {i < 64}). $combined i = vector ((i / 4) * 16 + i % 4) - with assert_norm (BitVec.Utils.forall64 (fun i -> $combined i = $vector ((i / 4) * 16 + i % 4))); - assert (forall (i: nat{i < 64}). bit_vec_of_int_t_array serialized 8 i == $vector ((i / 4) * 16 + i % 4)) -"# - ); - serialized[0..8].try_into().unwrap() } #[inline(always)] -#[hax_lib::requires(bytes.len() == 8)] -#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}). - $result i = (if i % 16 >= 4 then 0 - else let j = (i / 16) * 4 + i % 16 in - bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 8)) 8 j)"#))] -#[hax_lib::fstar::before("#restart-solver")] pub(crate) fn deserialize_4(bytes: &[u8]) -> Vec256 { - #[hax_lib::ensures(|coefficients| fstar!( - r#"forall (i:nat{i < 256}). - $coefficients i - = ( if i % 16 < 4 - then let j = (i / 16) * 4 + i % 16 in - (match i / 32 with - | 0 -> get_bit $b0 (sz j) - | 1 -> get_bit $b1 (sz (j - 8)) - | 2 -> get_bit $b2 (sz (j - 16)) - | 3 -> get_bit $b3 (sz (j - 24)) - | 4 -> get_bit $b4 (sz (j - 32)) - | 5 -> get_bit $b5 (sz (j - 40)) - | 6 -> get_bit $b6 (sz (j - 48)) - | 7 -> get_bit $b7 (sz (j - 56))) - else 0) -"# - ))] - #[inline(always)] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - fn deserialize_4_u8s(b0: u8, b1: u8, b2: u8, b3: u8, b4: u8, b5: u8, b6: u8, b7: u8) -> Vec256 { - deserialize_4_i16s( - b0 as i16, b1 as i16, b2 as i16, b3 as i16, b4 as i16, b5 as i16, b6 as i16, b7 as i16, - ) - } - - #[hax_lib::ensures(|coefficients| fstar!( - r#"forall (i:nat{i < 256}). 
- $coefficients i - = ( if i % 16 < 4 - then let j = (i / 16) * 4 + i % 16 in - (match i / 32 with - | 0 -> get_bit $b0 (sz j) - | 1 -> get_bit $b1 (sz (j - 8)) - | 2 -> get_bit $b2 (sz (j - 16)) - | 3 -> get_bit $b3 (sz (j - 24)) - | 4 -> get_bit $b4 (sz (j - 32)) - | 5 -> get_bit $b5 (sz (j - 40)) - | 6 -> get_bit $b6 (sz (j - 48)) - | 7 -> get_bit $b7 (sz (j - 56))) - else 0) -"# - ))] - #[inline(always)] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - fn deserialize_4_i16s( - b0: i16, - b1: i16, - b2: i16, - b3: i16, - b4: i16, - b5: i16, - b6: i16, - b7: i16, - ) -> Vec256 { - // Every 4 bits from each byte of input should be put into its own 16-bit lane. - // Since |_mm256_srlv_epi16| does not exist, we have to resort to a workaround. - // - // Rather than shifting each element by a different amount, we'll multiply - // each element by a value such that the bits we're interested in become the most - // significant bits (of an 8-bit value). - let coefficients = mm256_set_epi16( - // In this lane, the 4 bits we need to put are already the most - // significant bits of |bytes[7]| (that is, b7). - b7, - // In this lane, the 4 bits we need to put are the least significant bits, - // so we need to shift the 4 least-significant bits of |b7| to the - // most significant bits (of an 8-bit value). - b7, // and so on ... - b6, b6, b5, b5, b4, b4, b3, b3, b2, b2, b1, b1, b0, b0, - ); - let coefficients_in_msb = mm256_mullo_epi16( - coefficients, - mm256_set_epi16( - // These constants are chosen to shift the bits of the values - // that we loaded into |coefficients|. - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - ), - ); - - // Once the 4-bit coefficients are in the most significant positions (of - // an 8-bit value), shift them all down by 4. - let coefficients_in_lsb = mm256_srli_epi16::<4>(coefficients_in_msb); - - // Zero the remaining bits. 
- mm256_and_si256(coefficients_in_lsb, mm256_set1_epi16((1 << 4) - 1)) - } - - deserialize_4_u8s( - bytes[0], bytes[1], bytes[2], bytes[3], bytes[4], bytes[5], bytes[6], bytes[7], - ) + // Every 4 bits from each byte of input should be put into its own 16-bit lane. + // Since |_mm256_srlv_epi16| does not exist, we have to resort to a workaround. + // + // Rather than shifting each element by a different amount, we'll multiply + // each element by a value such that the bits we're interested in become the most + // significant bits (of an 8-bit value). + let coefficients = mm256_set_epi16( + // In this lane, the 4 bits we need to put are already the most + // significant bits of |bytes[7]|. + bytes[7] as i16, + // In this lane, the 4 bits we need to put are the least significant bits, + // so we need to shift the 4 least-significant bits of |bytes[7]| to the + // most significant bits (of an 8-bit value). + bytes[7] as i16, + // and so on ... + bytes[6] as i16, + bytes[6] as i16, + bytes[5] as i16, + bytes[5] as i16, + bytes[4] as i16, + bytes[4] as i16, + bytes[3] as i16, + bytes[3] as i16, + bytes[2] as i16, + bytes[2] as i16, + bytes[1] as i16, + bytes[1] as i16, + bytes[0] as i16, + bytes[0] as i16, + ); + + let shift_lsbs_to_msbs = mm256_set_epi16( + // These constants are chosen to shift the bits of the values + // that we loaded into |coefficients|. + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + ); + + let coefficients_in_msb = mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs); + + // Once the 4-bit coefficients are in the most significant positions (of + // an 8-bit value), shift them all down by 4. + let coefficients_in_lsb = mm256_srli_epi16::<4>(coefficients_in_msb); + + // Zero the remaining bits. + mm256_and_si256(coefficients_in_lsb, mm256_set1_epi16((1 << 4) - 1)) } #[inline(always)] 
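Review bot: Dropping `#[hax_lib::requires(bytes.len() == 8)]` leaves deserialize_4 with no stated length contract while the new body still reads up to `bytes[7]`; the requirement is now invisible to callers and to the verifier, and a short slice is caught only by the index panic at `bytes[7]`, the first argument evaluated. The same holds for the `Seq.length bytes == 10`, `== 20` and `== 24` preconditions removed in the deserialize_5, deserialize_10 and deserialize_12 hunks, where the slices `&bytes[4..20]` and `&bytes[8..24]` carry the requirement only implicitly. Until the annotations return, record the contract where callers see it: a doc line such as `/// `bytes` must be exactly 8 bytes long; all of them are read.` on the signature, and `debug_assert_eq!(bytes.len(), 8);` as the first statement of the body.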
@@ -443,31 +340,15 @@ pub(crate) fn serialize_5(vector: Vec256) -> [u8; 10] { serialized[0..10].try_into().unwrap() } -/// We cannot model `mm256_inserti128_si256` on its own: it produces a -/// Vec256 where the upper 128 bits are undefined. Thus -/// `mm256_inserti128_si256` is not pure. -/// -/// Luckily, we always call `mm256_castsi128_si256` right after -/// `mm256_inserti128_si256`: this composition sets the upper bits, -/// making the whole computation pure again. -#[inline(always)] -#[hax_lib::fstar::replace( - interface, - "include BitVec.Intrinsics {mm256_si256_from_two_si128 as ${mm256_si256_from_two_si128}}" -)] -fn mm256_si256_from_two_si128(lower: Vec128, upper: Vec128) -> Vec256 { - mm256_inserti128_si256::<1>(mm256_castsi128_si256(lower), upper) -} - #[inline(always)] -#[hax_lib::requires(fstar!(r#"Seq.length bytes == 10"#))] pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 { let coefficients = mm_set_epi8( bytes[9], bytes[8], bytes[8], bytes[7], bytes[7], bytes[6], bytes[6], bytes[5], bytes[4], bytes[3], bytes[3], bytes[2], bytes[2], bytes[1], bytes[1], bytes[0], ); - let coefficients_loaded = mm256_si256_from_two_si128(coefficients, coefficients); + let coefficients_loaded = mm256_castsi128_si256(coefficients); + let coefficients_loaded = mm256_inserti128_si256::<1>(coefficients_loaded, coefficients); let coefficients = mm256_shuffle_epi8( coefficients_loaded, 
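Review bot: Inlining `mm256_castsi128_si256` followed by `mm256_inserti128_si256::<1>` discards the doc comment of the removed `mm256_si256_from_two_si128`, which was the only place recording that `mm256_inserti128_si256` on its own is not modelled as pure and that only the cast-then-insert pair defines all 256 bits. Nothing in the new deserialize_5 body now prevents a later edit from separating or reordering the two calls. Add a comment at the pair, `// Keep these two calls together: cast followed by insert defines all 256 bits; inserti128 alone is not modelled as pure.`, here and at the identical pairs in the deserialize_10 and deserialize_12 hunks. deserialize_5 continues past the end of this hunk.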
@@ -502,172 +383,137 @@ pub(crate) fn deserialize_5(bytes: &[u8]) -> Vec256 { } #[inline(always)] -#[hax_lib::fstar::options("--ext context_pruning --split_queries always")] -#[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"))] -#[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i/10) * 16 + i%10)"))] pub(crate) fn serialize_10(vector: Vec256) -> [u8; 20] { - #[hax_lib::fstar::options("--ext context_pruning --split_queries always")] - #[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0"))] - #[hax_lib::ensures(|(lower_8, upper_8)| fstar!( - r#" - forall (i: nat{i < 160}). - vector ((i/10) * 16 + i%10) == (if i < 80 then $lower_8 i else $upper_8 (i - 80)) - ) - "# - ))] - fn serialize_10_vec(vector: Vec256) -> (Vec128, Vec128) { - // If |vector| is laid out as follows (superscript number indicates the - // corresponding bit is duplicated that many times): - // - // 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ | ↩ - // 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ | ↩ - // ... - // - // |adjacent_2_combined| will be laid out as a series of 32-bit integers, - // as follows: - // - // 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ - // 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ - // .... - let adjacent_2_combined = mm256_concat_pairs_n(10, vector); - - // Shifting up the values at the even indices by 12, we get: - // - // b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ - // f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ - // ... 
- let adjacent_4_combined = mm256_sllv_epi32( - adjacent_2_combined, - mm256_set_epi32(0, 12, 0, 12, 0, 12, 0, 12), - ); - - // Viewing this as a set of 64-bit integers we get: - // - // 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² | ↩ - // 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² | ↩ - // ... - // - // Shifting down by 12 gives us: - // - // 0²⁴d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ | ↩ - // 0²⁴h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ | ↩ - // ... - let adjacent_4_combined = mm256_srli_epi64::<12>(adjacent_4_combined); - - // |adjacent_4_combined|, when the bottom and top 128 bit-lanes are grouped - // into bytes, looks like: - // - // 0₇0₆0₅B₄B₃B₂B₁B₀ | ↩ - // 0₁₅0₁₄0₁₃B₁₂B₁₁B₁₀B₉B₈ | ↩ - // - // In each 128-bit lane, we want to put bytes 8, 9, 10, 11, 12 after - // bytes 0, 1, 2, 3 to allow for sequential reading. - let adjacent_8_combined = mm256_shuffle_epi8( - adjacent_4_combined, - mm256_set_epi8( - -1, -1, -1, -1, -1, -1, 12, 11, 10, 9, 8, 4, 3, 2, 1, 0, -1, -1, -1, -1, -1, -1, - 12, 11, 10, 9, 8, 4, 3, 2, 1, 0, - ), - ); - // We now have 64 bits starting at position 0 in the lower 128-bit lane, ... - let lower_8 = mm256_castsi256_si128(adjacent_8_combined); - // and 64 bits starting at position 0 in the upper 128-bit lane. - let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); - hax_lib::fstar!( - r#" - introduce forall (i:nat{i < 80}). lower_8_ i = vector ((i / 10) * 16 + i % 10) - with assert_norm (BitVec.Utils.forall_n 80 (fun i -> lower_8_ i = vector ((i / 10) * 16 + i % 10))); - introduce forall (i:nat{i < 80}). 
upper_8_ i = vector (128 + (i / 10) * 16 + i % 10) - with assert_norm (BitVec.Utils.forall_n 80 (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10))) - "# - ); - (lower_8, upper_8) - } - - let (lower_8, upper_8) = serialize_10_vec(vector); - let mut serialized = [0u8; 32]; + + // If |vector| is laid out as follows (superscript number indicates the + // corresponding bit is duplicated that many times): + // + // 0⁶a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0⁶b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀ 0⁶c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ 0⁶d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀ | ↩ + // 0⁶e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0⁶f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀ 0⁶g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ 0⁶h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀ | ↩ + // ... + // + // |adjacent_2_combined| will be laid out as a series of 32-bit integers, + // as follows: + // + // 0¹²b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ + // 0¹²f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ + // .... + let adjacent_2_combined = mm256_madd_epi16( + vector, + mm256_set_epi16( + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + 1 << 10, + 1, + ), + ); + + // Shifting up the values at the even indices by 12, we get: + // + // b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀ | ↩ + // f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀ | ↩ + // ... + let adjacent_4_combined = mm256_sllv_epi32( + adjacent_2_combined, + mm256_set_epi32(0, 12, 0, 12, 0, 12, 0, 12), + ); + + // Viewing this as a set of 64-bit integers we get: + // + // 0¹²d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀0¹² | ↩ + // 0¹²h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀0¹² | ↩ + // ... 
+ // + // Shifting down by 12 gives us: + // + // 0²⁴d₉d₈d₇d₆d₅d₄d₃d₂d₁d₀c₉c₈c₇c₆c₅c₄c₃c₂c₁c₀b₉b₈b₇b₆b₅b₄b₃b₂b₁b₀a₉a₈a₇a₆a₅a₄a₃a₂a₁a₀ | ↩ + // 0²⁴h₉h₈h₇h₆h₅h₄h₃h₂h₁h₀g₉g₈g₇g₆g₅g₄g₃g₂g₁g₀f₉f₈f₇f₆f₅f₄f₃f₂f₁f₀e₉e₈e₇e₆e₅e₄e₃e₂e₁e₀ | ↩ + // ... + let adjacent_4_combined = mm256_srli_epi64::<12>(adjacent_4_combined); + + // |adjacent_4_combined|, when the bottom and top 128 bit-lanes are grouped + // into bytes, looks like: + // + // 0₇0₆0₅B₄B₃B₂B₁B₀ | ↩ + // 0₁₅0₁₄0₁₃B₁₂B₁₁B₁₀B₉B₈ | ↩ + // + // In each 128-bit lane, we want to put bytes 8, 9, 10, 11, 12 after + // bytes 0, 1, 2, 3 to allow for sequential reading. + let adjacent_8_combined = mm256_shuffle_epi8( + adjacent_4_combined, + mm256_set_epi8( + -1, -1, -1, -1, -1, -1, 12, 11, 10, 9, 8, 4, 3, 2, 1, 0, -1, -1, -1, -1, -1, -1, 12, + 11, 10, 9, 8, 4, 3, 2, 1, 0, + ), + ); + + // We now have 64 bits starting at position 0 in the lower 128-bit lane, ... + let lower_8 = mm256_castsi256_si128(adjacent_8_combined); mm_storeu_bytes_si128(&mut serialized[0..16], lower_8); + + // and 64 bits starting at position 0 in the upper 128-bit lane. + let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); mm_storeu_bytes_si128(&mut serialized[10..26], upper_8); serialized[0..20].try_into().unwrap() } #[inline(always)] -#[hax_lib::requires(fstar!(r#"Seq.length bytes == 20"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}). - $result i = (if i % 16 >= 10 then 0 - else let j = (i / 16) * 10 + i % 16 in - bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 20)) 8 j)"#))] pub(crate) fn deserialize_10(bytes: &[u8]) -> Vec256 { - #[inline(always)] - #[hax_lib::ensures(|coefficients| fstar!(r#" -forall (i: nat {i < 256}). 
- $coefficients i - = ( if i % 16 >= 10 then 0 - else let j = (i / 16) * 10 + i % 16 in - if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 32))) -"#))] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - fn deserialize_10_vec(lower_coefficients0: Vec128, upper_coefficients0: Vec128) -> Vec256 { - let lower_coefficients = mm_shuffle_epi8( - lower_coefficients0, - mm_set_epi8(9, 8, 8, 7, 7, 6, 6, 5, 4, 3, 3, 2, 2, 1, 1, 0), - ); - let upper_coefficients = mm_shuffle_epi8( - upper_coefficients0, - mm_set_epi8(15, 14, 14, 13, 13, 12, 12, 11, 10, 9, 9, 8, 8, 7, 7, 6), - ); - - let coefficients = mm256_si256_from_two_si128(lower_coefficients, upper_coefficients); - - let coefficients = mm256_mullo_epi16( - coefficients, - mm256_set_epi16( - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - 1 << 0, - 1 << 2, - 1 << 4, - 1 << 6, - ), - ); - let coefficients = mm256_srli_epi16::<6>(coefficients); - // Here I can prove this `and` is not useful - let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 10) - 1)); - hax_lib::fstar!( - r#" -assert_norm(BitVec.Utils.forall256 (fun i -> - $coefficients i - = ( if i % 16 < 10 - then let j = (i / 16) * 10 + i % 16 in - if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 32) - else 0))) -"# - ); - coefficients - } - - let lower_coefficients = &bytes[0..16]; - let upper_coefficients = &bytes[4..20]; - deserialize_10_vec( - mm_loadu_si128(lower_coefficients), - mm_loadu_si128(upper_coefficients), - ) + let shift_lsbs_to_msbs = mm256_set_epi16( + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + 1 << 0, + 1 << 2, + 1 << 4, + 1 << 6, + ); + + let lower_coefficients = mm_loadu_si128(&bytes[0..16]); + let lower_coefficients = mm_shuffle_epi8( + lower_coefficients, + mm_set_epi8(9, 8, 8, 7, 7, 6, 6, 5, 4, 3, 3, 2, 2, 1, 1, 0), + ); + let 
upper_coefficients = mm_loadu_si128(&bytes[4..20]); + let upper_coefficients = mm_shuffle_epi8( + upper_coefficients, + mm_set_epi8(15, 14, 14, 13, 13, 12, 12, 11, 10, 9, 9, 8, 8, 7, 7, 6), + ); + + let coefficients = mm256_castsi128_si256(lower_coefficients); + let coefficients = mm256_inserti128_si256::<1>(coefficients, upper_coefficients); + + let coefficients = mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs); + let coefficients = mm256_srli_epi16::<6>(coefficients); + let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 10) - 1)); + + coefficients } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] pub(crate) fn serialize_11(vector: Vec256) -> [u8; 22] { let mut array = [0i16; 16]; mm256_storeu_si256_i16(&mut array, vector); @@ -676,7 +522,6 @@ pub(crate) fn serialize_11(vector: Vec256) -> [u8; 22] { } #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] pub(crate) fn deserialize_11(bytes: &[u8]) -> Vec256 { let output = PortableVector::deserialize_11(bytes); let array = PortableVector::to_i16_array(output); 
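Review bot: The closing `mm256_and_si256(coefficients, mm256_set1_epi16((1 << 10) - 1))` in deserialize_10 keeps the mask but drops the old comment stating that it had been shown to be unnecessary, so a reader can no longer tell whether the line is load-bearing or defensive. Keeping it is the safer choice, since it bounds every lane to 10 bits regardless of the input, but the intent should be stated: `// Defensive mask to 10 bits; the earlier proof treated this as redundant.` The same applies to the `(1 << 12) - 1` mask at the end of the deserialize_12 hunk.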
@@ -684,49 +529,46 @@ pub(crate) fn deserialize_11(bytes: &[u8]) -> Vec256 { } #[inline(always)] -#[hax_lib::fstar::options("--ext context_pruning --split_queries always")] -#[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"))] -#[hax_lib::ensures(|r| fstar!("forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i/12) * 16 + i%12)"))] pub(crate) fn serialize_12(vector: Vec256) -> [u8; 24] { - #[inline(always)] - #[hax_lib::fstar::options("--ext context_pruning --split_queries always")] - #[hax_lib::requires(fstar!("forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0"))] - #[hax_lib::ensures(|(lower_8, upper_8)| fstar!( - r#" - forall (i: nat{i < 192}). - vector ((i/12) * 16 + i%12) == (if i < 96 then $lower_8 i else $upper_8 (i - 96)) - ) - "# - ))] - fn serialize_12_vec(vector: Vec256) -> (Vec128, Vec128) { - let adjacent_2_combined = mm256_concat_pairs_n(12, vector); - let adjacent_4_combined = - mm256_sllv_epi32(adjacent_2_combined, mm256_set_epi32(0, 8, 0, 8, 0, 8, 0, 8)); - let adjacent_4_combined = mm256_srli_epi64::<8>(adjacent_4_combined); - - let adjacent_8_combined = mm256_shuffle_epi8( - adjacent_4_combined, - mm256_set_epi8( - -1, -1, -1, -1, 13, 12, 11, 10, 9, 8, 5, 4, 3, 2, 1, 0, -1, -1, -1, -1, 13, 12, 11, - 10, 9, 8, 5, 4, 3, 2, 1, 0, - ), - ); - - let lower_8 = mm256_castsi256_si128(adjacent_8_combined); - let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); - hax_lib::fstar!( - r#" - introduce forall (i:nat{i < 96}). lower_8_ i = vector ((i / 12) * 16 + i % 12) - with assert_norm (BitVec.Utils.forall_n 96 (fun i -> lower_8_ i = vector ((i / 12) * 16 + i % 12))); - introduce forall (i:nat{i < 96}). 
upper_8_ i = vector (128 + (i / 12) * 16 + i % 12) - with assert_norm (BitVec.Utils.forall_n 96 (fun i -> upper_8_ i = vector (128 + (i / 12) * 16 + i % 12))) - "# - ); - (lower_8, upper_8) - } - let mut serialized = [0u8; 32]; - let (lower_8, upper_8) = serialize_12_vec(vector); + + let adjacent_2_combined = mm256_madd_epi16( + vector, + mm256_set_epi16( + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + 1 << 12, + 1, + ), + ); + + let adjacent_4_combined = + mm256_sllv_epi32(adjacent_2_combined, mm256_set_epi32(0, 8, 0, 8, 0, 8, 0, 8)); + let adjacent_4_combined = mm256_srli_epi64::<8>(adjacent_4_combined); + + let adjacent_8_combined = mm256_shuffle_epi8( + adjacent_4_combined, + mm256_set_epi8( + -1, -1, -1, -1, 13, 12, 11, 10, 9, 8, 5, 4, 3, 2, 1, 0, -1, -1, -1, -1, 13, 12, 11, 10, + 9, 8, 5, 4, 3, 2, 1, 0, + ), + ); + + let lower_8 = mm256_castsi256_si128(adjacent_8_combined); + let upper_8 = mm256_extracti128_si256::<1>(adjacent_8_combined); + mm_storeu_bytes_si128(&mut serialized[0..16], lower_8); mm_storeu_bytes_si128(&mut serialized[12..28], upper_8); 
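Review bot: The serialize_12 body inlined here has no explanation of the `mm256_sllv_epi32(…, 0, 8, …)` and `mm256_srli_epi64::<8>` steps or of the `-1, -1, -1, -1, 13, 12, 11, 10, 9, 8, 5, 4, 3, 2, 1, 0` shuffle mask, whereas the parallel serialize_10 hunk documents each step with a bit-layout diagram. Without that, the only way to check the byte indices is to re-derive them. A short comment in the serialize_10 style, describing how the packed 12-bit values end up in bytes 0-5 and 8-13 of each 128-bit lane and why those are gathered for sequential reading, would be enough. serialize_12 ends outside this hunk.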
@@ -734,69 +576,43 @@ pub(crate) fn serialize_12(vector: Vec256) -> [u8; 24] { } #[inline(always)] -#[hax_lib::requires(fstar!(r#"Seq.length bytes == 24"#))] -#[hax_lib::ensures(|result| fstar!(r#"forall (i: nat{i < 256}). - $result i = (if i % 16 >= 12 then 0 - else let j = (i / 16) * 12 + i % 16 in - bit_vec_of_int_t_array ($bytes <: t_Array _ (sz 24)) 8 j)"#))] pub(crate) fn deserialize_12(bytes: &[u8]) -> Vec256 { - #[inline(always)] - #[hax_lib::ensures(|coefficients| fstar!(r#" -forall (i: nat {i < 256}). - $coefficients i - = ( if i % 16 >= 12 then 0 - else let j = (i / 16) * 12 + i % 16 in - if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 64))) -"#))] - #[hax_lib::fstar::before(r#"[@@"opaque_to_smt"]"#)] - fn deserialize_12_vec(lower_coefficients0: Vec128, upper_coefficients0: Vec128) -> Vec256 { - let lower_coefficients = mm_shuffle_epi8( - lower_coefficients0, - mm_set_epi8(11, 10, 10, 9, 8, 7, 7, 6, 5, 4, 4, 3, 2, 1, 1, 0), - ); - let upper_coefficients = mm_shuffle_epi8( - upper_coefficients0, - mm_set_epi8(15, 14, 14, 13, 12, 11, 11, 10, 9, 8, 8, 7, 6, 5, 5, 4), - ); - - let coefficients = mm256_si256_from_two_si128(lower_coefficients, upper_coefficients); - - let coefficients = mm256_mullo_epi16( - coefficients, - mm256_set_epi16( - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - 1 << 0, - 1 << 4, - ), - ); - let coefficients = mm256_srli_epi16::<4>(coefficients); - let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 12) - 1)); - hax_lib::fstar!( - r#" -assert_norm(BitVec.Utils.forall256 (fun i -> - $coefficients i - = ( if i % 16 < 12 - then let j = (i / 16) * 12 + i % 16 in - if i < 128 then $lower_coefficients0 j else $upper_coefficients0 (j - 64) - else 0))) -"# - ); - coefficients - } + let shift_lsbs_to_msbs = mm256_set_epi16( + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 
0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + 1 << 0, + 1 << 4, + ); + let lower_coefficients = mm_loadu_si128(&bytes[0..16]); + let lower_coefficients = mm_shuffle_epi8( + lower_coefficients, + mm_set_epi8(11, 10, 10, 9, 8, 7, 7, 6, 5, 4, 4, 3, 2, 1, 1, 0), + ); let upper_coefficients = mm_loadu_si128(&bytes[8..24]); - deserialize_12_vec(lower_coefficients, upper_coefficients) + let upper_coefficients = mm_shuffle_epi8( + upper_coefficients, + mm_set_epi8(15, 14, 14, 13, 12, 11, 11, 10, 9, 8, 8, 7, 6, 5, 5, 4), + ); + + let coefficients = mm256_castsi128_si256(lower_coefficients); + let coefficients = mm256_inserti128_si256::<1>(coefficients, upper_coefficients); + + let coefficients = mm256_mullo_epi16(coefficients, shift_lsbs_to_msbs); + let coefficients = mm256_srli_epi16::<4>(coefficients); + let coefficients = mm256_and_si256(coefficients, mm256_set1_epi16((1 << 12) - 1)); + + coefficients } diff --git a/libcrux-ml-kem/src/vector/neon.rs b/libcrux-ml-kem/src/vector/neon.rs index bd3be862a..68539971e 100644 --- a/libcrux-ml-kem/src/vector/neon.rs +++ b/libcrux-ml-kem/src/vector/neon.rs @@ -16,28 +16,16 @@ use serialize::*; pub(crate) use vector_type::SIMD128Vector; use vector_type::*; -#[cfg(hax)] -impl crate::vector::traits::Repr for SIMD128Vector { - fn repr(x: Self) -> [i16; 16] { - to_i16_array(x) - } -} - -#[hax_lib::attributes] impl Operations for SIMD128Vector { #[inline(always)] - #[ensures(|out| fstar!("impl.f_repr out == Seq.create 16 0s"))] fn ZERO() -> Self { ZERO() } - #[requires(array.len() == 16)] - #[ensures(|out| fstar!("impl.f_repr out == $array"))] fn from_i16_array(array: &[i16]) -> Self { from_i16_array(array) } - #[ensures(|out| fstar!("out == impl.f_repr $x"))] fn to_i16_array(x: Self) -> [i16; 16] { to_i16_array(x) } diff --git a/libcrux-ml-kem/src/vector/neon/vector_type.rs b/libcrux-ml-kem/src/vector/neon/vector_type.rs index d711e7d6e..61b4d319d 100644 --- a/libcrux-ml-kem/src/vector/neon/vector_type.rs 
+++ b/libcrux-ml-kem/src/vector/neon/vector_type.rs @@ -1,15 +1,20 @@ use libcrux_intrinsics::arm64::*; #[derive(Clone, Copy)] -#[hax_lib::fstar::after(interface,"val repr (x:t_SIMD128Vector) : t_Array i16 (sz 16)")] -#[hax_lib::fstar::after("let repr (x:t_SIMD128Vector) = admit()")] pub struct SIMD128Vector { pub low: _int16x8_t, pub high: _int16x8_t, } +#[allow(non_snake_case)] +#[inline(always)] +pub(crate) fn ZERO() -> SIMD128Vector { + SIMD128Vector { + low: _vdupq_n_s16(0), + high: _vdupq_n_s16(0), + } +} + #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("${result} == repr ${v}"))] pub(crate) fn to_i16_array(v: SIMD128Vector) -> [i16; 16] { let mut out = [0i16; 16]; _vst1q_s16(&mut out[0..8], v.low); @@ -18,22 +23,9 @@ pub(crate) fn to_i16_array(v: SIMD128Vector) -> [i16; 16] { } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("repr ${result} == $array"))] pub(crate) fn from_i16_array(array: &[i16]) -> SIMD128Vector { SIMD128Vector { low: _vld1q_s16(&array[0..8]), high: _vld1q_s16(&array[8..16]), } } - -#[allow(non_snake_case)] -#[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::ensures(|result| fstar!("repr result == Seq.create 16 0s"))] -pub(crate) fn ZERO() -> SIMD128Vector { - SIMD128Vector { - low: _vdupq_n_s16(0), - high: _vdupq_n_s16(0), - } -} \ No newline at end of file diff --git a/libcrux-ml-kem/src/vector/portable.rs b/libcrux-ml-kem/src/vector/portable.rs index b8e46b460..2ed759d54 100644 --- a/libcrux-ml-kem/src/vector/portable.rs +++ b/libcrux-ml-kem/src/vector/portable.rs @@ -1,4 +1,5 @@ use super::Operations; + mod arithmetic; mod compress; mod ntt; 
@@ -10,250 +11,92 @@ use arithmetic::*; use compress::*; use ntt::*; use sampling::*; +use serialize::*; use vector_type::*; pub(crate) use vector_type::PortableVector; -#[cfg(hax)] -impl crate::vector::traits::Repr for PortableVector { - fn repr(x: Self) -> [i16; 16] { - to_i16_array(x) - } -} - -#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a)"))] -#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> - Spec.MLKEM.serialize_post 1 (impl.f_repr $a) $out"))] -fn serialize_1(a: PortableVector) -> [u8; 2] { - hax_lib::fstar!("assert (forall i. Rust_primitives.bounded (Seq.index ${a}.f_elements i) 1)"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_lemma $a"); - serialize::serialize_1(a) -} - -#[hax_lib::requires(a.len() == 2)] -#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (impl.f_repr $out)"))] -fn deserialize_1(a: &[u8]) -> PortableVector { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_lemma $a"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_bounded_lemma $a"); - serialize::deserialize_1(a) -} - -#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a)"))] -#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $a) $out"))] -fn serialize_4(a: PortableVector) -> [u8; 8] { - hax_lib::fstar!("assert (forall i. Rust_primitives.bounded (Seq.index ${a}.f_elements i) 4)"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_lemma $a"); - serialize::serialize_4(a) -} - -#[hax_lib::requires(a.len() == 8)] -#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. 
sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (impl.f_repr $out)"))] -fn deserialize_4(a: &[u8]) -> PortableVector { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_lemma $a"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_bounded_lemma $a"); - serialize::deserialize_4(a) -} - -fn serialize_5(a: PortableVector) -> [u8; 10] { - serialize::serialize_5(a) -} - -#[hax_lib::requires(a.len() == 10)] -fn deserialize_5(a: &[u8]) -> PortableVector { - serialize::deserialize_5(a) -} - -#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a)"))] -#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $a) $out"))] -fn serialize_10(a: PortableVector) -> [u8; 20] { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_lemma $a"); - serialize::serialize_10(a) -} - -#[hax_lib::requires(a.len() == 20)] -#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. 
sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (impl.f_repr $out)"))] -fn deserialize_10(a: &[u8]) -> PortableVector { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_lemma $a"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_bounded_lemma $a"); - serialize::deserialize_10(a) -} - -fn serialize_11(a: PortableVector) -> [u8; 22] { - serialize::serialize_11(a) -} - -#[hax_lib::requires(a.len() == 22)] -fn deserialize_11(a: &[u8]) -> PortableVector { - serialize::deserialize_11(a) -} - -#[hax_lib::requires(fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a)"))] -#[hax_lib::ensures(|out| fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $a) $out"))] -fn serialize_12(a: PortableVector) -> [u8; 24] { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_lemma $a"); - serialize::serialize_12(a) -} - -#[hax_lib::requires(a.len() == 24)] -#[hax_lib::ensures(|out| fstar!("sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (impl.f_repr $out)"))] -fn deserialize_12(a: &[u8]) -> PortableVector { - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_lemma $a"); - hax_lib::fstar!("Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_bounded_lemma $a"); - serialize::deserialize_12(a) -} - -#[hax_lib::fstar::before(interface, r#"#push-options "--z3rlimit 400 --split_queries always""#)] -#[hax_lib::fstar::after(interface, r#"#pop-options"#)] -#[hax_lib::attributes] impl Operations for PortableVector { - #[ensures(|out| fstar!("impl.f_repr out == Seq.create 16 0s"))] fn ZERO() -> Self { zero() } - #[requires(array.len() == 16)] - #[ensures(|out| fstar!("impl.f_repr out == $array"))] fn from_i16_array(array: &[i16]) -> Self { from_i16_array(array) } - #[ensures(|out| fstar!("out == impl.f_repr $x"))] fn to_i16_array(x: Self) -> [i16; 16] { to_i16_array(x) } - #[requires(fstar!("forall i. 
i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))] fn add(lhs: Self, rhs: &Self) -> Self { add(lhs, rhs) } - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))] fn sub(lhs: Self, rhs: &Self) -> Self { sub(lhs, rhs) } - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i) * v c)"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${vec}.f_elements i) * v c)"))] - fn multiply_by_constant(vec: Self, c: i16) -> Self { - multiply_by_constant(vec, c) + fn multiply_by_constant(v: Self, c: i16) -> Self { + multiply_by_constant(v, c) } - #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> x &. c) (impl.f_repr $v)"))] fn bitwise_and_with_constant(v: Self, c: i16) -> Self { bitwise_and_with_constant(v, c) } - #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] - #[ensures(|out| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (impl.f_repr $v)"))] fn shift_right(v: Self) -> Self { shift_right::<{ SHIFT_BY }>(v) } - #[requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr $v)"))] - #[ensures(|out| fstar!("impl.f_repr out == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 
3329s else x) (impl.f_repr $v)"))] fn cond_subtract_3329(v: Self) -> Self { cond_subtract_3329(v) } - #[requires(fstar!("Spec.Utils.is_i16b_array 28296 (impl.f_repr ${v})"))] fn barrett_reduce(v: Self) -> Self { barrett_reduce(v) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 $r"))] fn montgomery_multiply_by_constant(v: Self, r: i16) -> Self { montgomery_multiply_by_constant(v, r) } - #[requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\\ - v (Seq.index (impl.f_repr $a) i) < 3329"))] - #[ensures(|out| fstar!("forall (i:nat). i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) 1"))] - fn compress_1(a: Self) -> Self { - compress_1(a) + fn compress_1(v: Self) -> Self { + compress_1(v) } - #[requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/ - v $COEFFICIENT_BITS == 5 \\/ - v $COEFFICIENT_BITS == 10 \\/ - v $COEFFICIENT_BITS == 11) /\\ - (forall (i:nat). i < 16 ==> v (Seq.index (impl.f_repr $a) i) >= 0 /\\ - v (Seq.index (impl.f_repr $a) i) < 3329)"))] - #[ensures(|out| fstar!("(v $COEFFICIENT_BITS == 4 \\/ - v $COEFFICIENT_BITS == 5 \\/ - v $COEFFICIENT_BITS == 10 \\/ - v $COEFFICIENT_BITS == 11) ==> - (forall (i:nat). 
i < 16 ==> bounded (Seq.index (impl.f_repr $out) i) (v $COEFFICIENT_BITS))"))] - fn compress(a: Self) -> Self { - compress::(a) + fn compress(v: Self) -> Self { + compress::(v) } - #[requires(COEFFICIENT_BITS == 4 || COEFFICIENT_BITS == 5 || - COEFFICIENT_BITS == 10 || COEFFICIENT_BITS == 11)] fn decompress_ciphertext_coefficient(v: Self) -> Self { decompress_ciphertext_coefficient::(v) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (impl.f_repr $out)"))] fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { ntt_layer_1_step(a, zeta0, zeta1, zeta2, zeta3) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (impl.f_repr $out)"))] fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self { ntt_layer_2_step(a, zeta0, zeta1) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array (11207+3*3328) (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (impl.f_repr $out)"))] fn ntt_layer_3_step(a: Self, zeta: i16) -> Self { ntt_layer_3_step(a, zeta) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (4*3328) (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self { inv_ntt_layer_1_step(a, zeta0, zeta1, zeta2, zeta3) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 
/\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self { inv_ntt_layer_2_step(a, zeta0, zeta1) } - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self { inv_ntt_layer_3_step(a, zeta) } - - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${lhs}) /\\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr ${rhs})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (impl.f_repr $out)"))] fn ntt_multiply( lhs: &Self, rhs: &Self, @@ -265,26 +108,18 @@ impl Operations for PortableVector { ntt_multiply(lhs, rhs, zeta0, zeta1, zeta2, zeta3) } - #[requires(fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a)"))] - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 1 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 1 (impl.f_repr $a) $out"))] fn serialize_1(a: Self) -> [u8; 2] { serialize_1(a) } - #[requires(a.len() == 2)] - #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (impl.f_repr $out)"))] fn deserialize_1(a: &[u8]) -> Self { deserialize_1(a) } - #[requires(fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a)"))] - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 4 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 4 (impl.f_repr $a) $out"))] fn serialize_4(a: Self) -> [u8; 8] { - serialize_4(a) + serialize_4(a) } - #[requires(a.len() == 8)] - #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (impl.f_repr $out)"))] fn deserialize_4(a: &[u8]) -> Self { deserialize_4(a) } 
@@ -293,19 +128,14 @@ impl Operations for PortableVector { serialize_5(a) } - #[requires(a.len() == 10)] fn deserialize_5(a: &[u8]) -> Self { deserialize_5(a) } - #[requires(fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a)"))] - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 10 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 10 (impl.f_repr $a) $out"))] fn serialize_10(a: Self) -> [u8; 20] { serialize_10(a) } - #[requires(a.len() == 20)] - #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (impl.f_repr $out)"))] fn deserialize_10(a: &[u8]) -> Self { deserialize_10(a) } @@ -314,27 +144,18 @@ impl Operations for PortableVector { serialize_11(a) } - #[requires(a.len() == 22)] fn deserialize_11(a: &[u8]) -> Self { deserialize_11(a) } - #[requires(fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a)"))] - #[ensures(|out| fstar!("Spec.MLKEM.serialize_pre 12 (impl.f_repr $a) ==> Spec.MLKEM.serialize_post 12 (impl.f_repr $a) $out"))] fn serialize_12(a: Self) -> [u8; 24] { serialize_12(a) } - #[requires(a.len() == 24)] - #[ensures(|out| fstar!("sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (impl.f_repr $out)"))] fn deserialize_12(a: &[u8]) -> Self { deserialize_12(a) } - #[requires(a.len() == 24 && out.len() == 16)] - #[ensures(|result| - fstar!("Seq.length $out_future == Seq.length $out /\\ v $result <= 16") - )] fn rej_sample(a: &[u8], out: &mut [i16]) -> usize { rej_sample(a, out) } diff --git a/libcrux-ml-kem/src/vector/portable/arithmetic.rs b/libcrux-ml-kem/src/vector/portable/arithmetic.rs index 54a7b150f..ec2a1cbe7 100644 --- a/libcrux-ml-kem/src/vector/portable/arithmetic.rs +++ b/libcrux-ml-kem/src/vector/portable/arithmetic.rs 
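Review bot: The new `deserialize_1` and `deserialize_4` trait methods no longer carry a length precondition on `a`, so nothing records that a slice shorter than 2 or 8 bytes will index out of bounds in the portable `deserialize_1`/`deserialize_4` they delegate to (a panic rather than memory corruption, but the panic-freedom the removed `#[requires]` expressed is lost). If the attributes are being dropped deliberately for this wip, keep the contract visible to callers as documentation, e.g. `/// Requires a.len() == 2; shorter input panics in the portable deserializer.` above `fn deserialize_1`, and the corresponding 8-byte note above `fn deserialize_4`. The `serialize_4` change in this hunk appears to be whitespace only.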
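Review bot: `rej_sample` loses both its `a.len() == 24 && out.len() == 16` requirement and the `result <= 16` postcondition, and the new code states neither, so the caller-side assumption that `out` holds 16 coefficients and that the returned count never exceeds `out.len()` is now unwritten. A caller that slices `out` by the return value relies on exactly that bound. Suggest at least `/// Requires a.len() == 24 and out.len() == 16; the returned count is at most 16.` on the trait method, or `debug_assert!(a.len() == 24 && out.len() == 16);` before the delegating `rej_sample(a, out)` call (the sampling body itself lives in the sibling module, outside this hunk).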
@@ -1,5 +1,7 @@ use super::vector_type::*; -use crate::vector::traits::{FIELD_ELEMENTS_IN_VECTOR, FIELD_MODULUS, BARRETT_SHIFT, BARRETT_R, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R}; +use crate::vector::{ + traits::FIELD_ELEMENTS_IN_VECTOR, FIELD_MODULUS, INVERSE_OF_MODULUS_MOD_MONTGOMERY_R, +}; /// If 'x' denotes a value of type `fe`, values having this type hold a /// representative y ≡ x·MONTGOMERY_R^(-1) (mod FIELD_MODULUS). 
@@ -14,145 +16,83 @@ pub type FieldElementTimesMontgomeryR = i16; pub(crate) const MONTGOMERY_SHIFT: u8 = 16; pub(crate) const MONTGOMERY_R: i32 = 1 << MONTGOMERY_SHIFT; +pub(crate) const BARRETT_SHIFT: i32 = 26; +pub(crate) const BARRETT_R: i32 = 1 << BARRETT_SHIFT; /// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋ pub(crate) const BARRETT_MULTIPLIER: i32 = 20159; -#[hax_lib::fstar::options("--z3rlimit 150 --split_queries always")] -#[cfg_attr(hax, hax_lib::requires(n <= 16))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("v result == v value % pow2(v n)")))] +#[cfg_attr(hax, hax_lib::requires(n == 4 || n == 5 || n == 10 || n == 11 || n == MONTGOMERY_SHIFT))] +#[cfg_attr(hax, hax_lib::ensures(|result| result < 2u32.pow(n.into())))] #[inline(always)] pub(crate) fn get_n_least_significant_bits(n: u8, value: u32) -> u32 { - let res = value & ((1 << n) - 1); - hax_lib::fstar!("calc (==) { - v res; - (==) { } - v (logand value ((1ul < - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${lhs}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"))] pub fn add(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector { - let _lhs0 = lhs; for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> (Seq.index ${lhs}.f_elements j) == - (Seq.index ${_lhs0}.f_elements j) +! (Seq.index ${rhs}.f_elements j)) /\\ - (forall j. j >= v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j))") }); lhs.elements[i] += rhs.elements[i]; } - hax_lib::fstar!("assert (forall i. v (Seq.index ${lhs}.f_elements i) == - v (Seq.index ${_lhs0}.f_elements i) + v (Seq.index ${rhs}.f_elements i))"); + lhs } #[inline(always)] -#[hax_lib::requires(fstar!("forall i. 
i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${lhs}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"))] pub fn sub(mut lhs: PortableVector, rhs: &PortableVector) -> PortableVector { - let _lhs0 = lhs; for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> (Seq.index ${lhs}.f_elements j) == - (Seq.index ${_lhs0}.f_elements j) -! (Seq.index ${rhs}.f_elements j)) /\\ - (forall j. j >= v i ==> (Seq.index ${lhs}.f_elements j) == (Seq.index ${_lhs0}.f_elements j))") }); lhs.elements[i] -= rhs.elements[i]; } - hax_lib::fstar!("assert (forall i. v (Seq.index ${lhs}.f_elements i) == - v (Seq.index ${_lhs0}.f_elements i) - v (Seq.index ${rhs}.f_elements i))"); + lhs } #[inline(always)] -#[hax_lib::requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index ${vec}.f_elements i) * v c)"))] -#[hax_lib::ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) == - v (Seq.index ${vec}.f_elements i) * v c)"))] -pub fn multiply_by_constant(mut vec: PortableVector, c: i16) -> PortableVector { - let _vec0 = vec; +pub fn multiply_by_constant(mut v: PortableVector, c: i16) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> (Seq.index ${vec}.f_elements j) == - (Seq.index ${_vec0}.f_elements j) *! c) /\\ - (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j) == (Seq.index ${_vec0}.f_elements j))") }); - vec.elements[i] *= c; + v.elements[i] *= c; } - hax_lib::fstar!("assert (forall i. v (Seq.index ${vec}.f_elements i) == - v (Seq.index ${_vec0}.f_elements i) * v c)"); - vec + + v } #[inline(always)] -#[hax_lib::ensures(|result| fstar!("${result}.f_elements == Spec.Utils.map_array (fun x -> x &. 
c) (${vec}.f_elements)"))] -pub fn bitwise_and_with_constant(mut vec: PortableVector, c: i16) -> PortableVector { - let _vec0 = vec; +pub fn bitwise_and_with_constant(mut v: PortableVector, c: i16) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> Seq.index ${vec}.f_elements j == - (Seq.index ${_vec0}.f_elements j &. c)) /\\ - (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)") }); - vec.elements[i] &= c; + v.elements[i] &= c; } - hax_lib::fstar!("Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array (fun x -> x &. c) ${_vec0}.f_elements)"); - vec + + v } #[inline(always)] -#[hax_lib::requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] -#[hax_lib::ensures(|result| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> - ${result}.f_elements == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (${vec}.f_elements)"))] -pub fn shift_right(mut vec: PortableVector) -> PortableVector { - let _vec0 = vec; +pub fn shift_right(mut v: PortableVector) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> Seq.index ${vec}.f_elements j == - (Seq.index ${_vec0}.f_elements j >>! ${SHIFT_BY})) /\\ - (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)") }); - vec.elements[i] = vec.elements[i] >> SHIFT_BY; + v.elements[i] = v.elements[i] >> SHIFT_BY; } - hax_lib::fstar!("Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) ${_vec0}.f_elements)"); - vec + + v } -/// Note: This function is not secret independent -/// Only use with public values. 
+// #[inline(always)] +// pub fn shift_left(mut lhs: PortableVector) -> PortableVector { +// for i in 0..FIELD_ELEMENTS_IN_VECTOR { +// lhs.elements[i] = lhs.elements[i] << SHIFT_BY; +// } + +// lhs +// } + #[inline(always)] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("${result}.f_elements == Spec.Utils.map_array - (fun x -> if x >=. 3329s then x -! 3329s else x) (${vec}.f_elements)"))] -pub fn cond_subtract_3329(mut vec: PortableVector) -> PortableVector { - let _vec0 = vec; +pub fn cond_subtract_3329(mut v: PortableVector) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> Seq.index ${vec}.f_elements j == - (let x = Seq.index ${_vec0}.f_elements j in - if x >=. 3329s then x -! 3329s else x)) /\\ - (forall j. j >= v i ==> Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j)") }); - if vec.elements[i] >= 3329 { - vec.elements[i] -= 3329 + debug_assert!(v.elements[i] >= 0 && v.elements[i] < 4096); + if v.elements[i] >= 3329 { + v.elements[i] -= 3329 } } - hax_lib::fstar!("Seq.lemma_eq_intro ${vec}.f_elements (Spec.Utils.map_array - (fun x -> if x >=. 3329s then x -! 3329s else x) ${_vec0}.f_elements)"); - vec + v } /// Signed Barrett Reduction 
@@ -164,60 +104,36 @@ pub fn cond_subtract_3329(mut vec: PortableVector) -> PortableVector { /// - the absolute value of `result` is bound as follows: /// /// `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1) -/// -/// Note: The input bound is 28296 to prevent overflow in the multiplication of quotient by FIELD_MODULUS -/// -#[hax_lib::fstar::options("--z3rlimit 150")] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 28296 value")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b 3328 result /\\ - v result % 3329 == v value % 3329")))] +/// +/// In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`. +#[cfg_attr(hax, hax_lib::requires((i32::from(value) > -BARRETT_R && i32::from(value) < BARRETT_R)))] +#[cfg_attr(hax, hax_lib::ensures(|result| result > -FIELD_MODULUS && result < FIELD_MODULUS))] pub(crate) fn barrett_reduce_element(value: FieldElement) -> FieldElement { + // hax_debug_assert!( + // i32::from(value) > -BARRETT_R && i32::from(value) < BARRETT_R, + // "value is {value}" + // ); + let t = (i32::from(value) * BARRETT_MULTIPLIER) + (BARRETT_R >> 1); - hax_lib::fstar!("assert_norm (v v_BARRETT_MULTIPLIER == (pow2 27 + 3329) / (2*3329)); - assert (v t = v value * v v_BARRETT_MULTIPLIER + pow2 25)"); - hax_lib::fstar!("assert (v t / pow2 26 < 9)"); - hax_lib::fstar!("assert (v t / pow2 26 > - 9)"); let quotient = (t >> BARRETT_SHIFT) as i16; - hax_lib::fstar!("assert (v quotient = v t / pow2 26)"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b 9 quotient)"); + let result = value - (quotient * FIELD_MODULUS); - hax_lib::fstar!("calc (==) { - v result % 3329; - (==) { } - (v value - (v quotient * 3329)) % 3329; - (==) {Math.Lemmas.lemma_mod_sub_distr (v value) (v quotient * 3329) 3329} - (v value - (v quotient * 3329) % 3329) % 3329; - (==) {Math.Lemmas.cancel_mul_mod (v quotient) 3329} - (v value - 0) % 3329; - (==) {} - (v value) % 3329; - }"); + + // hax_debug_assert!( + // result > -FIELD_MODULUS 
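Review bot: The warning `/// Note: This function is not secret independent` / `/// Only use with public values.` that preceded `cond_subtract_3329` is removed in this hunk and replaced by a commented-out `shift_left`, while the function still branches on `v.elements[i] >= 3329`, so the data-dependent timing caveat is now undocumented. Restore those two comment lines directly above `pub fn cond_subtract_3329`; they document a constraint on callers and are not part of the removed hax annotations. The new `debug_assert!(v.elements[i] >= 0 && v.elements[i] < 4096)` is stricter than the removed `is_i16b_array (pow2 12 - 1)` precondition if that predicate admits negative values, which is worth confirming against Spec.Utils so debug builds do not reject inputs the proof allowed. The commented-out `shift_left` block should be deleted rather than left as dead code. `BARRETT_SHIFT`/`BARRETT_R` are now defined here whereas the previous import took them from `traits`; if `traits` still defines them, the two copies can drift.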
&& result < FIELD_MODULUS, + // "value is {value}" + // ); + result } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 150")] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b_array 28296 ${vec}.f_elements")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\\ - (forall i. (v (Seq.index ${result}.f_elements i) % 3329) == - (v (Seq.index ${vec}.f_elements i) % 3329))")))] -pub(crate) fn barrett_reduce(mut vec: PortableVector) -> PortableVector { - let _vec0 = vec; +pub(crate) fn barrett_reduce(mut v: PortableVector) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements j) /\\ - v (Seq.index ${vec}.f_elements j) % 3329 == (v (Seq.index ${_vec0}.f_elements j) % 3329))) /\\ - (forall j. j >= v i ==> (Seq.index ${vec}.f_elements j == Seq.index ${_vec0}.f_elements j /\\ - Spec.Utils.is_i16b 28296 (Seq.index ${vec}.f_elements j)))") }); - let vi = barrett_reduce_element(vec.elements[i]); - vec.elements[i] = vi; - hax_lib::fstar!("assert (v (mk_int #usize_inttype (v i + 1)) == v i + 1); - assert (forall j. j < v i ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j)); - assert(Spec.Utils.is_i16b 3328 vi); - assert(Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements (v i))); - assert (forall j. j < v i + 1 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j))"); + v.elements[i] = barrett_reduce_element(v.elements[i]); } - vec + + v } /// Signed Montgomery Reduction 
@@ -228,84 +144,29 @@ pub(crate) fn barrett_reduce(mut vec: PortableVector) -> PortableVector { /// - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS) /// - the absolute value of `o` is bound as follows: /// -/// `|result| ≤ ceil(|value| / MONTGOMERY_R) + 1665 +/// `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2) /// -/// In particular, if `|value| ≤ FIELD_MODULUS-1 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS-1`. -/// And, if `|value| ≤ pow2 16 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS + 1664 -/// -#[hax_lib::fstar::options("--z3rlimit 500 --split_queries always")] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i32b (3328 * pow2 16) value ")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b (3328 + 1665) result /\\ - (Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 result) /\\ - v result % 3329 == (v value * 169) % 3329")))] +/// In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · FIELD_MODULUS) / 2`. +#[cfg_attr(hax, hax_lib::requires(value >= -(FIELD_MODULUS as i32) * MONTGOMERY_R && value <= (FIELD_MODULUS as i32) * MONTGOMERY_R))] +#[cfg_attr(hax, hax_lib::ensures(|result| result >= -(3 * FIELD_MODULUS) / 2 && result <= (3 * FIELD_MODULUS) / 2))] pub(crate) fn montgomery_reduce_element(value: i32) -> MontgomeryFieldElement { // This forces hax to extract code for MONTGOMERY_R before it extracts code // for this function. 
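Review bot: The new precondition on `barrett_reduce_element`, `i32::from(value) > -BARRETT_R && i32::from(value) < BARRETT_R`, holds for every `i16` (`BARRETT_R` is 2^26) and so no longer excludes the inputs for which `quotient * FIELD_MODULUS` overflows `i16`: for `value` near `i16::MAX` (above roughly 31625), `t >> BARRETT_SHIFT` is 10 and 10 * 3329 exceeds 32767, a panic in debug builds and a silent wrap in release. The removed doc note explained that the 28296 bound exists exactly to prevent this. Suggest restoring it in the contract, `#[cfg_attr(hax, hax_lib::requires(value >= -28296 && value <= 28296))]`, and turning the commented-out `hax_debug_assert!` into a live `debug_assert!(value >= -28296 && value <= 28296);` so tests and fuzzing exercise it. The doc line `In particular, if |value| < BARRETT_R, then |result| < FIELD_MODULUS.` should then be rewritten to state the 28296 bound instead.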
The removal of this line is being tracked in: // https://github.com/cryspen/libcrux/issues/134 let _ = MONTGOMERY_R; + //hax_debug_assert!( + // value >= -FIELD_MODULUS * MONTGOMERY_R && value <= FIELD_MODULUS * MONTGOMERY_R, + // "value is {value}" + //); + let k = (value as i16) as i32 * (INVERSE_OF_MODULUS_MOD_MONTGOMERY_R as i32); - hax_lib::fstar!("assert(v (cast (cast (value <: i32) <: i16) <: i32) == v value @% pow2 16); - assert(v k == (v value @% pow2 16) * 62209); - assert(v (cast (cast (k <: i32) <: i16) <: i32) == v k @% pow2 16); - assert(v (cast (cast (k <: i32) <: i16) <: i32) < pow2 15); - assert(v (cast (cast (k <: i32) <: i16) <: i32) >= -pow2 15); - assert(v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) == 3329)"); let k_times_modulus = (k as i16 as i32) * (FIELD_MODULUS as i32); - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b (pow2 15) (3329) (cast (k <: i32) <: i16) Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS; - assert (Spec.Utils.is_i32b (pow2 15 * 3329) k_times_modulus)"); + let c = (k_times_modulus >> MONTGOMERY_SHIFT) as i16; - hax_lib::fstar!("assert (v k_times_modulus < pow2 31); - assert (v k_times_modulus / pow2 16 < pow2 15); - assert (v c == (v k_times_modulus / pow2 16) @% pow2 16); - assert(v c == v k_times_modulus / pow2 16); - assert(Spec.Utils.is_i16b 1665 c)"); let value_high = (value >> MONTGOMERY_SHIFT) as i16; - hax_lib::fstar!("assert (v value < pow2 31); - assert (v value / pow2 16 < pow2 15); - assert (v value_high == (v value / pow2 16) @% pow2 16); - Spec.Utils.lemma_div_at_percent (v value) (pow2 16); - assert (v value_high == (v value / pow2 16)); - assert(Spec.Utils.is_i32b (3328 * 3328) value ==> Spec.Utils.is_i16b 169 value_high); - assert(Spec.Utils.is_i16b 3328 value_high)"); - let res = value_high - c; - hax_lib::fstar!("assert(Spec.Utils.is_i16b (3328 + 1665) res)"); - hax_lib::fstar!("assert(Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 res)"); - hax_lib::fstar!("calc 
( == ) { - v k_times_modulus % pow2 16; - ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) } - ((v k @% pow2 16) * 3329) % pow2 16; - ( == ) { assert (v k = (v value @% pow2 16) * 62209) } - ((((v value @% pow2 16) * 62209) @% pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_sub ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) (pow2 16) 3329 } - ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v value @% pow2 16) * 62209) 3329 (pow2 16) } - ((((v value @% pow2 16) * 62209) * 3329) % pow2 16); - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r (v value @% pow2 16) (62209 * 3329) (pow2 16) } - ((v value @% pow2 16) % pow2 16); - ( == ) { Math.Lemmas.lemma_mod_sub (v value) (pow2 16) 1 } - (v value) % pow2 16; - }; - Math.Lemmas.modulo_add (pow2 16) (- (v k_times_modulus)) (v value) (v k_times_modulus); - assert ((v value - v k_times_modulus) % pow2 16 == 0)"); - hax_lib::fstar!("calc ( == ) { - v res % 3329; - ( == ) { assert (v res == v value_high - v c) } - (v value / pow2 16 - v k_times_modulus / pow2 16) % 3329 ; - ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) } - ((v value - v k_times_modulus) / pow2 16) % 3329; - ( == ) { assert ((pow2 16 * 169) % 3329 == 1) } - (((v value - v k_times_modulus) / pow2 16) * ((pow2 16 * 169) % 3329)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r ((v value - v k_times_modulus) / pow2 16) (pow2 16 * 169) 3329} - (((v value - v k_times_modulus) / pow2 16) * pow2 16 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16)} - ((v value - v k_times_modulus) * 169) % 3329; - ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) } - ((v value * 169) - ((v k @% pow2 16) * 3329 * 169)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_sub (v value * 169) 3329 ((v k @% pow2 16) * 169)} - (v value * 169) % 3329; - }"); - res + + value_high - c } /// If `fe` is some field element 'x' of 
the Kyber field and `fer` is congruent to 
@@ -317,37 +178,17 @@ pub(crate) fn montgomery_reduce_element(value: i32) -> MontgomeryFieldElement { /// `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a representative /// `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod FIELD_MODULUS)`. #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 300")] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 fer")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b 3328 result /\\ - v result % 3329 == (v fe * v fer * 169) % 3329")))] pub(crate) fn montgomery_multiply_fe_by_fer( fe: FieldElement, fer: FieldElementTimesMontgomeryR, ) -> FieldElement { - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b (pow2 15) (1664) fe fer"); - let product = (fe as i32) * (fer as i32); - montgomery_reduce_element(product) + montgomery_reduce_element((fe as i32) * (fer as i32)) } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 150")] -#[cfg_attr(hax, hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 c")))] -#[cfg_attr(hax, hax_lib::ensures(|result| fstar!(" -Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\\ -(forall i. i < 16 ==> - (v (Seq.index ${result}.f_elements i) % 3329 == - (v (Seq.index ${vec}.f_elements i) * v c * 169) %3329))")))] -pub(crate) fn montgomery_multiply_by_constant(mut vec: PortableVector, c: i16) -> PortableVector { - let _vec0 = vec; +pub(crate) fn montgomery_multiply_by_constant(mut v: PortableVector, c: i16) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!(" - (forall j. j < v i ==> - (let vecj = Seq.index ${vec}.f_elements j in - (Spec.Utils.is_i16b 3328 vecj /\\ - v vecj % 3329 == (v (Seq.index ${_vec0}.f_elements j) * v c * 169) % 3329))) /\\ - (forall j. 
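Review bot: The input-range check on `montgomery_reduce_element` exists only as a commented-out `hax_debug_assert!`, which as written appears not to compile (it mixes the `i16` `FIELD_MODULUS` with the `i32` `value`), so outside hax extraction nothing checks the bound the new `requires` states. Replace the comment with a live `debug_assert!(value >= -(FIELD_MODULUS as i32) * MONTGOMERY_R && value <= (FIELD_MODULUS as i32) * MONTGOMERY_R);` matching the attribute, which makes the bound visible to tests and fuzzing. The doc line `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2)` is missing its closing backtick.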
j >= v i ==> (Seq.index ${vec}.f_elements j) == (Seq.index ${_vec0}.f_elements j))") }); - vec.elements[i] = montgomery_multiply_fe_by_fer(vec.elements[i], c) + v.elements[i] = montgomery_multiply_fe_by_fer(v.elements[i], c) } - vec + v } diff --git a/libcrux-ml-kem/src/vector/portable/compress.rs b/libcrux-ml-kem/src/vector/portable/compress.rs index ae3be0ab3..a81414120 100644 --- a/libcrux-ml-kem/src/vector/portable/compress.rs +++ b/libcrux-ml-kem/src/vector/portable/compress.rs 
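Review bot: Dropping the `is_i16b 1664 fer` requirement on `montgomery_multiply_fe_by_fer` leaves nothing that discharges the precondition of the `montgomery_reduce_element` it calls: with an arbitrary `i16` `fer`, `(fe as i32) * (fer as i32)` can reach about 2^30, well beyond the `FIELD_MODULUS * MONTGOMERY_R` bound that function requires. The visible NTT callers pass zeta constants, so this is presumably fine in practice, but the bound should stay visible: `/// Requires |fer| <= 1664 so that fe * fer stays within the input range of montgomery_reduce_element.` on the function, or `debug_assert!(fer >= -1664 && fer <= 1664);` at the top of the body. The same applies to `c` in `montgomery_multiply_by_constant` below it, which lost the matching `is_i16b 1664 c` requirement.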
@@ -109,36 +109,12 @@ pub(crate) fn compress_ciphertext_coefficient(coefficient_bits: u8, fe: u16) -> } #[inline(always)] -#[cfg_attr(hax, hax_lib::fstar::before(" -let compress_message_coefficient_range_helper (fe: u16) : Lemma - (requires fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) - (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\\ - v (cast (compress_message_coefficient fe) <: i16) < 2) = - assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\\ - v (cast (compress_message_coefficient fe) <: i16) < 2) -"))] -#[hax_lib::fstar::options("--fuel 0 --ifuel 0 --z3rlimit 2000")] -#[hax_lib::requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index ${a}.f_elements i) >= 0 /\\ - v (Seq.index ${a}.f_elements i) < 3329"))] -#[hax_lib::ensures(|result| fstar!("forall (i:nat). i < 16 ==> v (${result}.f_elements.[ sz i ] <: i16) >= 0 /\\ - v (${result}.f_elements.[ sz i ] <: i16) < 2"))] -pub(crate) fn compress_1(mut a: PortableVector) -> PortableVector { - hax_lib::fstar!("assert (forall (i:nat). i < 16 ==> (cast (${a}.f_elements.[ sz i ]) <: u16) <. - (cast ($FIELD_MODULUS) <: u16))"); +pub(crate) fn compress_1(mut v: PortableVector) -> PortableVector { for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!("(v $i < 16 ==> (forall (j:nat). (j >= v $i /\\ j < 16) ==> - v (cast (${a}.f_elements.[ sz j ]) <: u16) < v (cast ($FIELD_MODULUS) <: u16))) /\\ - (forall (j:nat). j < v $i ==> v (${a}.f_elements.[ sz j ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ sz j ] <: i16) < 2)") }); - hax_lib::fstar!("compress_message_coefficient_range_helper (cast (${a}.f_elements.[ $i ]) <: u16)"); - a.elements[i] = compress_message_coefficient(a.elements[i] as u16) as i16; - hax_lib::fstar!("assert (v (${a}.f_elements.[ $i ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ $i ] <: i16) < 2)"); + v.elements[i] = compress_message_coefficient(v.elements[i] as u16) as i16; } - hax_lib::fstar!("assert (forall (i:nat). 
i < 16 ==> v (${a}.f_elements.[ sz i ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ sz i ] <: i16) < 2)"); - a + v } #[inline(always)] @@ -158,17 +134,9 @@ pub(crate) fn compress(mut a: PortableVector) -> Po hax_lib::fstar!("assert (forall (i:nat). i < 16 ==> (cast (${a}.f_elements.[ sz i ]) <: u16) <. (cast ($FIELD_MODULUS) <: u16))"); for i in 0..FIELD_ELEMENTS_IN_VECTOR { - hax_lib::loop_invariant!(|i: usize| { fstar!("(v $i < 16 ==> (forall (j:nat). (j >= v $i /\\ j < 16) ==> - v (cast (${a}.f_elements.[ sz j ]) <: u16) < v (cast ($FIELD_MODULUS) <: u16))) /\\ - (forall (j:nat). j < v $i ==> v (${a}.f_elements.[ sz j ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ sz j ] <: i16) < pow2 (v (cast ($COEFFICIENT_BITS) <: u32)))") }); a.elements[i] = compress_ciphertext_coefficient(COEFFICIENT_BITS as u8, a.elements[i] as u16) as i16; - hax_lib::fstar!("assert (v (${a}.f_elements.[ $i ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ $i ] <: i16) < pow2 (v (cast ($COEFFICIENT_BITS) <: u32)))"); } - hax_lib::fstar!("assert (forall (i:nat). i < 16 ==> v (${a}.f_elements.[ sz i ] <: i16) >= 0 /\\ - v (${a}.f_elements.[ sz i ] <: i16) < pow2 (v $COEFFICIENT_BITS))"); a } diff --git a/libcrux-ml-kem/src/vector/portable/ntt.rs b/libcrux-ml-kem/src/vector/portable/ntt.rs index 35abf02ce..d6eb66396 100644 --- a/libcrux-ml-kem/src/vector/portable/ntt.rs +++ b/libcrux-ml-kem/src/vector/portable/ntt.rs 
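Review bot: `compress_1` still casts `v.elements[i] as u16` before calling `compress_message_coefficient`, and with the `0 <= a_i < 3329` precondition removed nothing states that a negative coefficient wraps to a large `u16` and yields a wrong message bit. Mirror the check this same commit adds to `cond_subtract_3329`: `debug_assert!(v.elements[i] >= 0 && v.elements[i] < FIELD_MODULUS);` before the cast, or at least document the range requirement on the function. `FIELD_MODULUS` is referenced in this file by the `fstar!` assert that remains in `compress`, so it appears to already be in scope.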
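Review bot: In `compress` the loop invariant and the per-iteration assert are removed but the `hax_lib::fstar!("assert (forall (i:nat). ...")` at the top of the body is kept (as are the function's contract attributes, which start outside this hunk), so the body is left half-annotated: the remaining assert no longer feeds any invariant that the removed lines established. Either keep the invariant and the post-loop assert alongside it, or remove the remaining assert in the same sweep so `compress` is consistent with `compress_1`, which this commit strips completely.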
@@ -2,229 +2,111 @@ use super::arithmetic::*; use super::vector_type::*; #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"]")] -#[hax_lib::requires(fstar!("v i < 16 /\\ v j < 16 /\\ v i <> v j /\\ - Spec.Utils.is_i16b 1664 $zeta /\\ - Spec.Utils.is_i16b_array (11207 + 6 * 3328) vec.f_elements /\\ - Spec.Utils.is_i16b (11207 + 5*3328) vec.f_elements.[i] /\\ - Spec.Utils.is_i16b (11207 + 5*3328) vec.f_elements.[j]"))] -#[hax_lib::ensures(|result| fstar!("(forall k. (k <> v i /\\ k <> v j) ==> - Seq.index ${vec}_future.f_elements k == Seq.index ${vec}.f_elements k) /\\ - (forall b. (Spec.Utils.is_i16b b ${vec}.f_elements.[i] /\\ - Spec.Utils.is_i16b b ${vec}.f_elements.[j]) ==> - (Spec.Utils.is_i16b (b+3328) ${vec}_future.f_elements.[i] /\\ - Spec.Utils.is_i16b (b+3328) ${vec}_future.f_elements.[j])) /\\ - Spec.Utils.ntt_spec ${vec}.f_elements (v $zeta) (v $i) (v $j) ${vec}_future.f_elements"))] -pub(crate) fn ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usize) { - let t = montgomery_multiply_fe_by_fer(vec.elements[j], zeta); - hax_lib::fstar!("assert (v t % 3329 == ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329))"); - let a_minus_t = vec.elements[i] - t; - hax_lib::fstar!(" - calc (==) { - v $a_minus_t % 3329; - (==) {} - (v (Seq.index vec.f_elements (v i)) - v ${t}) % 3329; - (==) {Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v $i))) (v $t) 3329} - (v (Seq.index vec.f_elements (v $i)) - (v $t % 3329)) % 3329; - (==) {} - (v (Seq.index vec.f_elements (v i)) - ((v (Seq.index vec.f_elements (v $j)) * v $zeta * 169) % 3329)) % 3329; - (==) {Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v $i))) (v (Seq.index vec.f_elements (v $j)) * v zeta * 169) 3329} - (v (Seq.index vec.f_elements (v $i)) - (v (Seq.index vec.f_elements (v $j)) * v $zeta * 169)) % 3329; - }"); - let a_plus_t = vec.elements[i] + t; - hax_lib::fstar!(" - calc (==) { - v a_plus_t % 3329; - (==) {} - (v (Seq.index 
vec.f_elements (v $i)) + v $t) % 3329; - (==) {Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v $i))) (v $t) 3329} - (v (Seq.index vec.f_elements (v $i)) + (v $t % 3329)) % 3329; - (==) {} - (v (Seq.index vec.f_elements (v $i)) + ((v (Seq.index vec.f_elements (v $j)) * v $zeta * 169) % 3329)) % 3329; - (==) {Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v $i))) (v (Seq.index vec.f_elements (v $j)) * v zeta * 169) 3329} - (v (Seq.index vec.f_elements (v $i)) + (v (Seq.index vec.f_elements (v $j)) * v $zeta * 169)) % 3329; - }"); - vec.elements[j] = a_minus_t; - vec.elements[i] = a_plus_t; - hax_lib::fstar!("assert (Seq.index vec.f_elements (v i) == a_plus_t); - assert (Seq.index vec.f_elements (v j) == a_minus_t)"); +pub(crate) fn ntt_step(v: &mut PortableVector, zeta: i16, i: usize, j: usize) { + let t = montgomery_multiply_fe_by_fer(v.elements[j], zeta); + v.elements[j] = v.elements[i] - t; + v.elements[i] = v.elements[i] + t; } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (11207+5*3328) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) ${result}.f_elements"))] pub(crate) fn ntt_layer_1_step( - mut vec: PortableVector, + mut v: PortableVector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, ) -> PortableVector { - ntt_step(&mut vec, zeta0, 0, 2); - ntt_step(&mut vec, zeta0, 1, 3); - ntt_step(&mut vec, zeta1, 4, 6); - ntt_step(&mut vec, zeta1, 5, 7); - ntt_step(&mut vec, zeta2, 8, 10); - ntt_step(&mut vec, zeta2, 9, 11); - ntt_step(&mut vec, zeta3, 12, 14); - ntt_step(&mut vec, zeta3, 13, 15); - vec + ntt_step(&mut v, zeta0, 0, 2); + ntt_step(&mut v, zeta0, 1, 3); + ntt_step(&mut v, zeta1, 4, 6); + ntt_step(&mut v, zeta1, 5, 7); + ntt_step(&mut v, zeta2, 8, 10); + ntt_step(&mut 
v, zeta2, 9, 11); + ntt_step(&mut v, zeta3, 12, 14); + ntt_step(&mut v, zeta3, 13, 15); + v } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array (11207+4*3328) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) ${result}.f_elements"))] -pub(crate) fn ntt_layer_2_step(mut vec: PortableVector, zeta0: i16, zeta1: i16) -> PortableVector { - ntt_step(&mut vec, zeta0, 0, 4); - ntt_step(&mut vec, zeta0, 1, 5); - ntt_step(&mut vec, zeta0, 2, 6); - ntt_step(&mut vec, zeta0, 3, 7); - ntt_step(&mut vec, zeta1, 8, 12); - ntt_step(&mut vec, zeta1, 9, 13); - ntt_step(&mut vec, zeta1, 10, 14); - ntt_step(&mut vec, zeta1, 11, 15); - vec +pub(crate) fn ntt_layer_2_step(mut v: PortableVector, zeta0: i16, zeta1: i16) -> PortableVector { + ntt_step(&mut v, zeta0, 0, 4); + ntt_step(&mut v, zeta0, 1, 5); + ntt_step(&mut v, zeta0, 2, 6); + ntt_step(&mut v, zeta0, 3, 7); + ntt_step(&mut v, zeta1, 8, 12); + ntt_step(&mut v, zeta1, 9, 13); + ntt_step(&mut v, zeta1, 10, 14); + ntt_step(&mut v, zeta1, 11, 15); + v } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array (11207+3*3328) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) ${result}.f_elements"))] -pub(crate) fn ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> PortableVector { - ntt_step(&mut vec, zeta, 0, 8); - ntt_step(&mut vec, zeta, 1, 9); - ntt_step(&mut vec, zeta, 2, 10); - ntt_step(&mut vec, zeta, 3, 11); - ntt_step(&mut vec, zeta, 4, 12); - ntt_step(&mut vec, zeta, 5, 13); - ntt_step(&mut vec, zeta, 6, 14); - ntt_step(&mut vec, zeta, 7, 15); - vec +pub(crate) fn ntt_layer_3_step(mut v: PortableVector, zeta: i16) -> PortableVector { + ntt_step(&mut v, zeta, 0, 8); + ntt_step(&mut v, zeta, 1, 
9); + ntt_step(&mut v, zeta, 2, 10); + ntt_step(&mut v, zeta, 3, 11); + ntt_step(&mut v, zeta, 4, 12); + ntt_step(&mut v, zeta, 5, 13); + ntt_step(&mut v, zeta, 6, 14); + ntt_step(&mut v, zeta, 7, 15); + v } #[inline(always)] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"]")] -#[hax_lib::requires(fstar!("v i < 16 /\\ v j < 16 /\\ v i <> v j /\\ - Spec.Utils.is_i16b 1664 $zeta /\\ - Spec.Utils.is_i16b_array (4*3328) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array (4*3328) ${vec}_future.f_elements /\\ - (forall k. (k <> v i /\\ k <> v j) ==> - Seq.index ${vec}_future.f_elements k == Seq.index ${vec}.f_elements k) /\\ - Spec.Utils.is_i16b 3328 (Seq.index ${vec}_future.f_elements (v i)) /\\ - Spec.Utils.is_i16b 3328 (Seq.index ${vec}_future.f_elements (v j)) /\\ - Spec.Utils.inv_ntt_spec ${vec}.f_elements (v $zeta) (v $i) (v $j) ${vec}_future.f_elements"))] -pub(crate) fn inv_ntt_step(vec: &mut PortableVector, zeta: i16, i: usize, j: usize) { - let a_minus_b = vec.elements[j] - vec.elements[i]; - let a_plus_b = vec.elements[j] + vec.elements[i]; - hax_lib::fstar!("assert (v a_minus_b = v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i))); - assert (v a_plus_b = v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i)))"); - let o0 = barrett_reduce_element(a_plus_b); - let o1 = montgomery_multiply_fe_by_fer(a_minus_b, zeta); - hax_lib::fstar!(" - calc (==) { - v o0 % 3329; - (==) { } - v a_plus_b % 3329; - (==) { } - (v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i))) % 3329; - }; - calc (==) { - v o1 % 3329; - (==) { } - (v a_minus_b * v zeta * 169) % 3329; - (==) { } - ((v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i))) * v zeta * 169) % 3329; - }"); - vec.elements[i] = o0; - vec.elements[j] = o1; - hax_lib::fstar!("assert (Seq.index vec.f_elements (v i) == o0); - assert (Seq.index vec.f_elements (v j) == o1)"); +pub(crate) fn inv_ntt_step(v: 
&mut PortableVector, zeta: i16, i: usize, j: usize) { + let a_minus_b = v.elements[j] - v.elements[i]; + v.elements[i] = barrett_reduce_element(v.elements[i] + v.elements[j]); + v.elements[j] = montgomery_multiply_fe_by_fer(a_minus_b, zeta); } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 200")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (4*3328) ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements"))] pub(crate) fn inv_ntt_layer_1_step( - mut vec: PortableVector, + mut v: PortableVector, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16, ) -> PortableVector { - inv_ntt_step(&mut vec, zeta0, 0, 2); - inv_ntt_step(&mut vec, zeta0, 1, 3); - inv_ntt_step(&mut vec, zeta1, 4, 6); - inv_ntt_step(&mut vec, zeta1, 5, 7); - inv_ntt_step(&mut vec, zeta2, 8, 10); - inv_ntt_step(&mut vec, zeta2, 9, 11); - inv_ntt_step(&mut vec, zeta3, 12, 14); - inv_ntt_step(&mut vec, zeta3, 13, 15); - hax_lib::fstar!( - "assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 13)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 15)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 12)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 14)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 9)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 11)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 8)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 10)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 5)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 7)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 4)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 6)); - assert (Spec.Utils.is_i16b 3328 (Seq.index 
${vec}.f_elements 1)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 3)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 0)); - assert (Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements 2)); - assert (forall (i:nat). i < 16 ==> Spec.Utils.is_i16b 3328 (Seq.index ${vec}.f_elements i))"); - vec + inv_ntt_step(&mut v, zeta0, 0, 2); + inv_ntt_step(&mut v, zeta0, 1, 3); + inv_ntt_step(&mut v, zeta1, 4, 6); + inv_ntt_step(&mut v, zeta1, 5, 7); + inv_ntt_step(&mut v, zeta2, 8, 10); + inv_ntt_step(&mut v, zeta2, 9, 11); + inv_ntt_step(&mut v, zeta3, 12, 14); + inv_ntt_step(&mut v, zeta3, 13, 15); + v } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array 3328 ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements"))] pub(crate) fn inv_ntt_layer_2_step( - mut vec: PortableVector, + mut v: PortableVector, zeta0: i16, zeta1: i16, ) -> PortableVector { - inv_ntt_step(&mut vec, zeta0, 0, 4); - inv_ntt_step(&mut vec, zeta0, 1, 5); - inv_ntt_step(&mut vec, zeta0, 2, 6); - inv_ntt_step(&mut vec, zeta0, 3, 7); - inv_ntt_step(&mut vec, zeta1, 8, 12); - inv_ntt_step(&mut vec, zeta1, 9, 13); - inv_ntt_step(&mut vec, zeta1, 10, 14); - inv_ntt_step(&mut vec, zeta1, 11, 15); - vec + inv_ntt_step(&mut v, zeta0, 0, 4); + inv_ntt_step(&mut v, zeta0, 1, 5); + inv_ntt_step(&mut v, zeta0, 2, 6); + inv_ntt_step(&mut v, zeta0, 3, 7); + inv_ntt_step(&mut v, zeta1, 8, 12); + inv_ntt_step(&mut v, zeta1, 9, 13); + inv_ntt_step(&mut v, zeta1, 10, 14); + inv_ntt_step(&mut v, zeta1, 11, 15); + v } #[inline(always)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array 3328 ${vec}.f_elements"))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements"))] -pub(crate) fn 
inv_ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> PortableVector { - inv_ntt_step(&mut vec, zeta, 0, 8); - inv_ntt_step(&mut vec, zeta, 1, 9); - inv_ntt_step(&mut vec, zeta, 2, 10); - inv_ntt_step(&mut vec, zeta, 3, 11); - inv_ntt_step(&mut vec, zeta, 4, 12); - inv_ntt_step(&mut vec, zeta, 5, 13); - inv_ntt_step(&mut vec, zeta, 6, 14); - inv_ntt_step(&mut vec, zeta, 7, 15); - vec +pub(crate) fn inv_ntt_layer_3_step(mut v: PortableVector, zeta: i16) -> PortableVector { + inv_ntt_step(&mut v, zeta, 0, 8); + inv_ntt_step(&mut v, zeta, 1, 9); + inv_ntt_step(&mut v, zeta, 2, 10); + inv_ntt_step(&mut v, zeta, 3, 11); + inv_ntt_step(&mut v, zeta, 4, 12); + inv_ntt_step(&mut v, zeta, 5, 13); + inv_ntt_step(&mut v, zeta, 6, 14); + inv_ntt_step(&mut v, zeta, 7, 15); + v } /// Compute the product of two Kyber binomials with respect to the 
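Review bot: `ntt_step` now computes `v.elements[i] - t` and `v.elements[i] + t` with no statement of the coefficient bounds that keep these `i16` operations from overflowing; the removed `requires` recorded them (`is_i16b 1664` on `zeta`, `is_i16b (11207 + 5*3328)` on the two operands), and in release builds an overflow wraps silently instead of panicking. Keep that as a doc comment, e.g. `/// Caller contract: |zeta| <= 1664 and |v[i]|, |v[j]| <= 11207 + 5*3328, so that v[i] ± t fits in i16.` The same applies to `inv_ntt_step`, whose removed contract required `|v[k]| <= 4*3328` before `v.elements[i] + v.elements[j]` is formed and promised a 3328 bound on both outputs, which is what the later Barrett-reduced layers appear to rely on. The per-layer bounds that were deleted from `ntt_layer_{1,2,3}_step` (`11207 + k*3328`, growing by one 3328 per layer) were the only documented reason the layer ordering is overflow-safe; a one-line comment per layer function would preserve that.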
@@ -248,109 +130,25 @@ pub(crate) fn inv_ntt_layer_3_step(mut vec: PortableVector, zeta: i16) -> Portab /// The NIST FIPS 203 standard can be found at /// . #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::fstar::options("--z3rlimit 250 --split_queries always --query_stats --ext context_prune")] -#[hax_lib::fstar::before(interface, "[@@ \"opaque_to_smt\"]")] -#[hax_lib::requires(fstar!("v i < 8 /\\ Spec.Utils.is_i16b 1664 $zeta /\\ - Spec.Utils.is_i16b_array 3328 ${a}.f_elements /\\ - Spec.Utils.is_i16b_array 3328 ${b}.f_elements /\\ - Spec.Utils.is_i16b_array 3328 ${out}.f_elements "))] -#[hax_lib::ensures(|()| fstar!(" - Spec.Utils.is_i16b_array 3328 ${out}_future.f_elements /\\ - (forall k. (k <> 2 * v $i /\\ k <> 2 * v $i + 1) ==> - Seq.index ${out}_future.f_elements k == Seq.index ${out}.f_elements k) /\\ - (let ai = Seq.index ${a}.f_elements (2 * v $i) in - let aj = Seq.index ${a}.f_elements (2 * v $i + 1) in - let bi = Seq.index ${b}.f_elements (2 * v $i) in - let bj = Seq.index ${b}.f_elements (2 * v $i + 1) in - let oi = Seq.index out_future.f_elements (2 * v $i) in - let oj = Seq.index out_future.f_elements (2 * v $i + 1) in - ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * v zeta * 169)) * 169) % 3329)) /\\ - ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))"))] pub(crate) fn ntt_multiply_binomials( a: &PortableVector, b: &PortableVector, zeta: FieldElementTimesMontgomeryR, i: usize, + j: usize, out: &mut PortableVector, ) { - let ai = a.elements[2*i]; - let bi = b.elements[2*i]; - let aj = a.elements[2*i+1]; - let bj = b.elements[2*i+1]; - hax_lib::fstar!("assert(Spec.Utils.is_i16b 3328 $ai); - assert(Spec.Utils.is_i16b 3328 $bi); - assert(Spec.Utils.is_i16b 3328 $aj); - assert(Spec.Utils.is_i16b 3328 $bj); - assert_norm (3328 * 3328 < pow2 31)"); - - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 3328 $ai $bi"); - let ai_bi = (ai as i32) * (bi as i32); - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 
3328 $aj $bj"); - let aj_bj_ = (aj as i32) * (bj as i32); - hax_lib::fstar!("assert_norm (3328 * 3328 <= 3328 * pow2 15)"); - let aj_bj = montgomery_reduce_element(aj_bj_); - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 1664 $aj_bj $zeta"); - let aj_bj_zeta = (aj_bj as i32) * (zeta as i32); - let ai_bi_aj_bj = ai_bi + aj_bj_zeta; - hax_lib::fstar!("assert(Spec.Utils.is_i32b (3328*3328 + 3328*1664) $ai_bi_aj_bj)"); - hax_lib::fstar!("assert_norm (3328 * 3328 + 3328 * 1664 <= 3328 * pow2 15)"); - let o0 = montgomery_reduce_element(ai_bi_aj_bj); - hax_lib::fstar!("calc ( == ) { - v $o0 % 3329; - ( == ) { () } - (v $ai_bi_aj_bj * 169) % 3329; - ( == ) { assert(v $ai_bi_aj_bj == v $ai_bi + v $aj_bj_zeta) } - ((v $ai_bi + v $aj_bj_zeta) * 169) % 3329; - ( == ) { assert (v $ai_bi == v $ai * v $bi) } - (((v $ai * v $bi) + v $aj_bj_zeta) * 169) % 3329; - ( == ) { assert (v $aj_bj_zeta == v $aj_bj * v $zeta) } - (((v $ai * v $bi) + (v $aj_bj * v $zeta)) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + (v aj_bj * v zeta)) 169 3329 } - ((((v $ai * v $bi) + (v $aj_bj * v $zeta)) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v ai * v bi) (v aj_bj * v zeta) 3329 } - (((v $ai * v $bi) + ((v $aj_bj * v $zeta) % 3329)) % 3329 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v aj_bj) (v zeta) 3329 } - (((v $ai * v $bi) + ((v $aj_bj % 3329 * v $zeta) % 3329)) % 3329 * 169) % 3329; - ( == ) { assert(v aj_bj % 3329 == (v $aj_bj_ * 169) % 3329) } - (((v $ai * v $bi) + (((v $aj_bj_ * 169) % 3329 * v $zeta) % 3329)) % 3329 * 169) % 3329; - ( == ) { assert(v $aj_bj_ == v $aj * v $bj) } - (((v $ai * v $bi) + (((v $aj * v $bj * 169) % 3329 * v $zeta) % 3329)) % 3329 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v $aj * v $bj * 169) (v $zeta) 3329 } - (((v $ai * v $bi) + (((v $aj * v $bj * 169 * v $zeta) % 3329))) % 3329 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v $ai * v $bi) (v $aj * v $bj * 169 * 
v $zeta) 3329 } - (((v $ai * v $bi) + ((v $aj * v $bj * 169 * v $zeta))) % 3329 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) 169 3329 } - (((v $ai * v $bi) + ((v $aj * v $bj * 169 * v $zeta))) * 169) % 3329; - }"); - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 3328 $ai $bj"); - let ai_bj = (ai as i32) * (bj as i32); - hax_lib::fstar!("Spec.Utils.lemma_mul_i16b 3328 3328 $aj $bi"); - let aj_bi = (aj as i32) * (bi as i32); - let ai_bj_aj_bi = ai_bj + aj_bi; - hax_lib::fstar!("assert(Spec.Utils.is_i32b (3328*3328 + 3328*3328) ai_bj_aj_bi) "); - hax_lib::fstar!("assert_norm (3328 * 3328 + 3328 * 3328 <= 3328 * pow2 15)"); - let o1 = montgomery_reduce_element(ai_bj_aj_bi); - hax_lib::fstar!("calc ( == ) { - v $o1 % 3329; - ( == ) { () } - (v $ai_bj_aj_bi * 169) % 3329; - ( == ) { assert(v $ai_bj_aj_bi == v $ai_bj + v $aj_bi) } - ((v $ai_bj + v $aj_bi) * 169) % 3329; - ( == ) { assert (v ai_bj == v ai * v bj) } - ((v ai * v bj + v aj_bi) * 169) % 3329; - ( == ) { assert (v aj_bi == v aj * v bi) } - ((v ai * v bj + v aj * v bi) * 169) % 3329; - }"); - let _out0 = out.elements; - out.elements[2*i] = o0; - out.elements[2*i+1] = o1; - hax_lib::fstar!("assert (Seq.index out.f_elements (2 * v i) == o0); - assert (Seq.index out.f_elements (2 * v i + 1) == o1); - assert (Spec.Utils.is_i16b_array 3328 out.f_elements); - assert (forall k. (k <> 2 * v i /\\ k <> 2 * v i + 1) ==> - Seq.index out.f_elements k == - Seq.index ${_out0} k)"); + let o0 = montgomery_reduce_element( + (a.elements[i] as i32) * (b.elements[i] as i32) + + (montgomery_reduce_element((a.elements[j] as i32) * (b.elements[j] as i32)) as i32) + * (zeta as i32), + ); + let o1 = montgomery_reduce_element( + (a.elements[i] as i32) * (b.elements[j] as i32) + + (a.elements[j] as i32) * (b.elements[i] as i32), + ); + out.elements[i] = o0; + out.elements[j] = o1; } // #[inline(always)] 
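Review bot: `ntt_multiply_binomials` gains a new `j` parameter that the doc comment (which begins in the previous hunk) does not mention, and the removed `requires`/`assert_norm` lines were the only record of why the `i32` arithmetic is safe: with `|a|, |b| <= 3328` and `|zeta| <= 1664` the sum `a_i*b_i + reduce(a_j*b_j)*zeta` stays within `3328 * 2^15`, the input range the proof assumed for `montgomery_reduce_element`. Add to the doc comment something like `/// `i` and `j` select the two coefficients of one binomial (callers pass 2k and 2k+1); inputs must satisfy |a|,|b| <= 3328 and |zeta| <= 1664 so both i32 sums stay inside montgomery_reduce_element's input range.` The context line `/// The NIST FIPS 203 standard can be found at /// .` has lost its URL, presumably in extraction rather than in this commit, but it is worth checking the file.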
@@ -369,25 +167,6 @@ pub(crate) fn ntt_multiply_binomials( // } #[inline(always)] -#[hax_lib::fstar::verification_status(panic_free)] -#[hax_lib::fstar::options("--z3rlimit 100")] -#[hax_lib::requires(fstar!("Spec.Utils.is_i16b 1664 $zeta0 /\\ - Spec.Utils.is_i16b 1664 $zeta1 /\\ - Spec.Utils.is_i16b 1664 $zeta2 /\\ - Spec.Utils.is_i16b 1664 $zeta3 /\\ - Spec.Utils.is_i16b_array 3328 ${lhs}.f_elements /\\ - Spec.Utils.is_i16b_array 3328 ${rhs}.f_elements "))] -#[hax_lib::ensures(|result| fstar!("Spec.Utils.is_i16b_array 3328 ${result}.f_elements /\\ - (let zetas = Seq.seq_of_list [v zeta0; - v zeta0; v zeta1; - v zeta1; v zeta2; - v zeta2; v zeta3; - v zeta3] in - (forall (i:nat). i < 8 ==> - (let ai = Seq.index lhs.f_elements (2 * i) in - let aj = Seq.index lhs.f_elements (2 * i + 1) in - let bi = Seq.index rhs.f_elements (2 * i) in - let bj = Seq.index rhs.f_elements (2 * i + 1) in - let oi = Seq.index result.f_elements (2 * i) in - let oj = Seq.index result.f_elements (2 * i + 1) in - ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * (Seq.index zetas i) * 169)) * 169) % 3329)) /\\ - ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))))"))] pub(crate) fn ntt_multiply( lhs: &PortableVector, rhs: &PortableVector, 
@@ -396,31 +175,14 @@ pub(crate) fn ntt_multiply( zeta2: i16, zeta3: i16, ) -> PortableVector { - let nzeta0 = -zeta0; - let nzeta1 = -zeta1; - let nzeta2 = -zeta2; - let nzeta3 = -zeta3; - hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta0)"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta1)"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta2)"); - hax_lib::fstar!("assert (Spec.Utils.is_i16b 1664 nzeta3)"); let mut out = zero(); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, zeta0, 0, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, nzeta0, 1, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, zeta1, 2, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, nzeta1, 3, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, zeta2, 4, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, nzeta2, 5, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, zeta3, 6, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); - ntt_multiply_binomials(lhs, rhs, nzeta3, 7, &mut out); - hax_lib::fstar!("assert (Spec.Utils.is_i16b_array 3328 out.f_elements)"); + ntt_multiply_binomials(lhs, rhs, zeta0, 0, 1, &mut out); + ntt_multiply_binomials(lhs, rhs, -zeta0, 2, 3, &mut out); + ntt_multiply_binomials(lhs, rhs, zeta1, 4, 5, &mut out); + ntt_multiply_binomials(lhs, rhs, -zeta1, 6, 7, &mut out); + ntt_multiply_binomials(lhs, rhs, zeta2, 8, 9, &mut out); + ntt_multiply_binomials(lhs, rhs, -zeta2, 10, 11, &mut out); + ntt_multiply_binomials(lhs, rhs, zeta3, 12, 
13, &mut out); + ntt_multiply_binomials(lhs, rhs, -zeta3, 14, 15, &mut out); out } diff --git a/libcrux-ml-kem/src/vector/portable/sampling.rs b/libcrux-ml-kem/src/vector/portable/sampling.rs index 13f6f9f33..87dacce97 100644 --- a/libcrux-ml-kem/src/vector/portable/sampling.rs +++ b/libcrux-ml-kem/src/vector/portable/sampling.rs @@ -1,11 +1,6 @@ use crate::vector::FIELD_MODULUS; #[inline(always)] -#[hax_lib::fstar::verification_status(lax)] -#[hax_lib::requires(a.len() == 24 && result.len() == 16)] -#[hax_lib::ensures(|res| - fstar!("Seq.length $result_future == Seq.length $result /\\ v $res <= 16") - )] pub(crate) fn rej_sample(a: &[u8], result: &mut [i16]) -> usize { let mut sampled = 0; for i in 0..a.len() / 3 { diff --git a/libcrux-ml-kem/src/vector/portable/serialize.rs b/libcrux-ml-kem/src/vector/portable/serialize.rs index 151c1b31b..e0818dc28 100644 --- a/libcrux-ml-kem/src/vector/portable/serialize.rs +++ b/libcrux-ml-kem/src/vector/portable/serialize.rs 
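Review bot: In the `sampling.rs` hunk `rej_sample` loses `#[hax_lib::requires(a.len() == 24 && result.len() == 16)]` and the `ensures` bounding the return by 16, so nothing now states the slice lengths the function expects; only the loop header `for i in 0..a.len() / 3` is inside the hunk and the body that writes into `result` runs past it, so I cannot see whether an index check exists further down. Keep the contract as a doc comment, e.g. `/// Expects `a.len() == 24` and `result.len() == 16`; returns the number of coefficients written, at most 16.`, or as a `debug_assert!(a.len() == 24 && result.len() == 16);` at the top if a panic in debug builds is acceptable there.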
@@ -13,135 +13,33 @@ // and code that updates arrays (in the outer functions). use super::vector_type::*; +use crate::vector::traits::FIELD_ELEMENTS_IN_VECTOR; -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 1)) - (ensures bit_vec_of_int_t_array (${serialize_1} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 1) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let serialize_1_lemma inputs = - serialize_1_bit_vec_lemma inputs.f_elements (); - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_1} inputs) 8) - (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 1)) - -#pop-options -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let serialize_1_bit_vec_lemma (v: t_Array i16 (sz 16)) - (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 1)) - : squash ( - let inputs = bit_vec_of_int_t_array v 1 in - let outputs = bit_vec_of_int_t_array (${serialize_1} ({ f_elements = v })) 8 in - (forall (i: nat {i < 16}). 
inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] #[inline(always)] pub(crate) fn serialize_1(v: PortableVector) -> [u8; 2] { - let result0 = (v.elements[0] as u8) | ((v.elements[1] as u8) << 1) | - ((v.elements[2] as u8) << 2) | ((v.elements[3] as u8) << 3) | - ((v.elements[4] as u8) << 4) | ((v.elements[5] as u8) << 5) | - ((v.elements[6] as u8) << 6) | ((v.elements[7] as u8) << 7); - let result1 = (v.elements[8] as u8) | ((v.elements[9] as u8) << 1) | - ((v.elements[10] as u8) << 2) | ((v.elements[11] as u8) << 3) | - ((v.elements[12] as u8) << 4) | ((v.elements[13] as u8) << 5) | - ((v.elements[14] as u8) << 6) | ((v.elements[15] as u8) << 7); - [ - result0, - result1 - ] + let mut result = [0u8; 2]; + for i in 0..8 { + result[0] |= (v.elements[i] as u8) << i; + } + for i in 8..16 { + result[1] |= (v.elements[i] as u8) << (i - 8); + } + result } -//deserialize_1_bounded_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_1_bounded_lemma (inputs: t_Array u8 (sz 2)) : Lemma - (ensures forall i. 
i < 16 ==> bounded (Seq.index (${deserialize_1} inputs).f_elements i) 1) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -let deserialize_1_bounded_lemma inputs = - admit() -"))] -//deserialize_1_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_1_lemma (inputs: t_Array u8 (sz 2)) : Lemma - (ensures bit_vec_of_int_t_array (${deserialize_1} inputs).f_elements 1 == bit_vec_of_int_t_array inputs 8) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let deserialize_1_lemma inputs = - deserialize_1_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_1} inputs).f_elements 1) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options -"))] -//deserialize_1_bit_vec_lemma -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let deserialize_1_bit_vec_lemma (v: t_Array u8 (sz 2)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (${deserialize_1} v).f_elements 1 in - (forall (i: nat {i < 16}). 
inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 2} -"#))] #[inline(always)] pub(crate) fn deserialize_1(v: &[u8]) -> PortableVector { - let result0 = (v[0] & 0x1) as i16; - let result1 = ((v[0] >> 1) & 0x1) as i16; - let result2 = ((v[0] >> 2) & 0x1) as i16; - let result3 = ((v[0] >> 3) & 0x1) as i16; - let result4 = ((v[0] >> 4) & 0x1) as i16; - let result5 = ((v[0] >> 5) & 0x1) as i16; - let result6 = ((v[0] >> 6) & 0x1) as i16; - let result7 = ((v[0] >> 7) & 0x1) as i16; - let result8 = (v[1] & 0x1) as i16; - let result9 = ((v[1] >> 1) & 0x1) as i16; - let result10 = ((v[1] >> 2) & 0x1) as i16; - let result11 = ((v[1] >> 3) & 0x1) as i16; - let result12 = ((v[1] >> 4) & 0x1) as i16; - let result13 = ((v[1] >> 5) & 0x1) as i16; - let result14 = ((v[1] >> 6) & 0x1) as i16; - let result15 = ((v[1] >> 7) & 0x1) as i16; - PortableVector { elements: [ - result0, - result1, - result2, - result3, - result4, - result5, - result6, - result7, - result8, - result9, - result10, - result11, - result12, - result13, - result14, - result15, - ] } + let mut result = zero(); + for i in 0..8 { + result.elements[i] = ((v[0] >> i) & 0x1) as i16; + } + for i in 8..FIELD_ELEMENTS_IN_VECTOR { + result.elements[i] = ((v[1] >> (i - 8)) & 0x1) as i16; + } + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 8} -"#))] pub(crate) fn serialize_4_int(v: &[i16]) -> (u8, u8, u8, u8) { let result0 = ((v[1] as u8) << 4) | (v[0] as u8); let result1 = ((v[3] as u8) << 4) | (v[2] as u8); 
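Review bot: The new `deserialize_1` uses the freshly imported `FIELD_ELEMENTS_IN_VECTOR` for its upper bound while the new `serialize_1` hard-codes `8..16`; the two loops should agree, e.g. `for i in 8..FIELD_ELEMENTS_IN_VECTOR { result[1] |= (v.elements[i] as u8) << (i - 8); }` in `serialize_1` as well. `deserialize_1` also lost its `requires(v.len() == 2)` although it still indexes `v[0]` and `v[1]`, so a shorter slice now panics with no stated contract; a `debug_assert!(v.len() == 2);` or a doc line would record that. Finally, the deleted `serialize_1_lemma` was the only statement that `serialize_1` expects 1-bit elements (`as u8` truncates anything larger), which is worth keeping as a doc comment on the function.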
@@ -150,55 +48,23 @@ pub(crate) fn serialize_4_int(v: &[i16]) -> (u8, u8, u8, u8) { (result0, result1, result2, result3) } -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4)) - (ensures bit_vec_of_int_t_array (${serialize_4} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let serialize_4_lemma inputs = - serialize_4_bit_vec_lemma inputs.f_elements (); - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_4} inputs) 8) - (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 4)) - -#pop-options -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let serialize_4_bit_vec_lemma (v: t_Array i16 (sz 16)) - (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 4)) - : squash ( - let inputs = bit_vec_of_int_t_array v 4 in - let outputs = bit_vec_of_int_t_array (${serialize_4} ({ f_elements = v })) 8 in - (forall (i: nat {i < 64}). 
inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] #[inline(always)] pub(crate) fn serialize_4(v: PortableVector) -> [u8; 8] { let result0_3 = serialize_4_int(&v.elements[0..8]); let result4_7 = serialize_4_int(&v.elements[8..16]); - [ - result0_3.0, - result0_3.1, - result0_3.2, - result0_3.3, - result4_7.0, - result4_7.1, - result4_7.2, - result4_7.3, - ] + let mut result = [0u8; 8]; + result[0] = result0_3.0; + result[1] = result0_3.1; + result[2] = result0_3.2; + result[3] = result0_3.3; + result[4] = result4_7.0; + result[5] = result4_7.1; + result[6] = result4_7.2; + result[7] = result4_7.3; + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 4} -"#))] pub(crate) fn deserialize_4_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) { let v0 = (bytes[0] & 0x0F) as i16; let v1 = ((bytes[0] >> 4) & 0x0F) as i16; 
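Review bot: `deserialize_4_int` loses `requires(bytes.len() == 4)` but still reads fixed offsets into `bytes`, so the length contract now exists only implicitly through the `bytes[0..4]` slicing in `deserialize_4`; a `debug_assert_eq!(bytes.len(), 4);` at the top or a doc line would keep it explicit. The rewritten `serialize_4` builds its output through eight index assignments into a zeroed array where an array literal expressed the same value in one expression; if that shape is needed for the extraction toolchain (this is a wip commit, so I am guessing), a short comment such as `// element-wise assignment keeps the extracted code simple` would stop the next reader from folding it back into a literal.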
@@ -211,75 +77,31 @@ pub(crate) fn deserialize_4_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, (v0, v1, v2, v3, v4, v5, v6, v7) } -//deserialize_4_bounded_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_4_bounded_lemma (inputs: t_Array u8 (sz 8)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_4} inputs).f_elements i) 4) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -let deserialize_4_bounded_lemma inputs = - admit() -"))] -//deserialize_4_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma - (ensures bit_vec_of_int_t_array (${deserialize_4} inputs).f_elements 4 == bit_vec_of_int_t_array inputs 8) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let deserialize_4_lemma inputs = - deserialize_4_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_4} inputs).f_elements 4) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options -"))] -//deserialize_4_bit_vec_lemma -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let deserialize_4_bit_vec_lemma (v: t_Array u8 (sz 8)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (${deserialize_4} v).f_elements 4 in - (forall (i: nat {i < 64}). 
inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 8} -"#))] #[inline(always)] pub(crate) fn deserialize_4(bytes: &[u8]) -> PortableVector { let v0_7 = deserialize_4_int(&bytes[0..4]); let v8_15 = deserialize_4_int(&bytes[4..8]); - PortableVector { elements: [ - v0_7.0, - v0_7.1, - v0_7.2, - v0_7.3, - v0_7.4, - v0_7.5, - v0_7.6, - v0_7.7, - v8_15.0, - v8_15.1, - v8_15.2, - v8_15.3, - v8_15.4, - v8_15.5, - v8_15.6, - v8_15.7, - ] } + let mut v = zero(); + v.elements[0] = v0_7.0; + v.elements[1] = v0_7.1; + v.elements[2] = v0_7.2; + v.elements[3] = v0_7.3; + v.elements[4] = v0_7.4; + v.elements[5] = v0_7.5; + v.elements[6] = v0_7.6; + v.elements[7] = v0_7.7; + v.elements[8] = v8_15.0; + v.elements[9] = v8_15.1; + v.elements[10] = v8_15.2; + v.elements[11] = v8_15.3; + v.elements[12] = v8_15.4; + v.elements[13] = v8_15.5; + v.elements[14] = v8_15.6; + v.elements[15] = v8_15.7; + v } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 8} -"#))] pub(crate) fn serialize_5_int(v: &[i16]) -> (u8, u8, u8, u8, u8) { let r0 = (v[0] | v[1] << 5) as u8; let r1 = (v[1] >> 3 | v[2] << 2 | v[3] << 7) as u8; 
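Review bot: In the new `deserialize_4` the output vector is named `v`, whereas every neighbour in this file uses `v` for the input (`serialize_1(v)`, `deserialize_1(v: &[u8])`, `serialize_5_int(v: &[i16])`), and `deserialize_1` in the same commit names its output `result`; using `let mut result = zero();` here keeps the convention. The hunk also drops `requires(bytes.len() == 8)` on `deserialize_4` and `requires(v.len() == 8)` on `serialize_5_int`, both of which index fixed positions (`bytes[4..8]`, `v[0]`..`v[3]` visible), so a `debug_assert_eq!` on the length or a doc comment should record each contract now that the verifier no longer does.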
@@ -289,57 +111,25 @@ pub(crate) fn serialize_5_int(v: &[i16]) -> (u8, u8, u8, u8, u8) { (r0, r1, r2, r3, r4) } -// #[cfg_attr(hax, hax_lib::fstar::after(interface, " -// val serialize_5_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma -// (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 5)) -// (ensures bit_vec_of_int_t_array (${serialize_5} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 5) -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--z3rlimit 300\" - -// let serialize_5_lemma inputs = -// serialize_5_bit_vec_lemma inputs.f_elements (); -// BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_5} inputs) 8) -// (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 5)) - -// #pop-options -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -// let serialize_5_bit_vec_lemma (v: t_Array i16 (sz 16)) -// (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 5)) -// : squash ( -// let inputs = bit_vec_of_int_t_array v 5 in -// let outputs = bit_vec_of_int_t_array (${serialize_5} ({ f_elements = v })) 8 in -// (forall (i: nat {i < 80}). 
inputs i == outputs i) -// ) = -// _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -// #pop-options -// "))] #[inline(always)] pub(crate) fn serialize_5(v: PortableVector) -> [u8; 10] { let r0_4 = serialize_5_int(&v.elements[0..8]); let r5_9 = serialize_5_int(&v.elements[8..16]); - [ - r0_4.0, - r0_4.1, - r0_4.2, - r0_4.3, - r0_4.4, - r5_9.0, - r5_9.1, - r5_9.2, - r5_9.3, - r5_9.4, - ] + let mut result = [0u8; 10]; + result[0] = r0_4.0; + result[1] = r0_4.1; + result[2] = r0_4.2; + result[3] = r0_4.3; + result[4] = r0_4.4; + result[5] = r5_9.0; + result[6] = r5_9.1; + result[7] = r5_9.2; + result[8] = r5_9.3; + result[9] = r5_9.4; + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 5} -"#))] pub(crate) fn deserialize_5_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) { let v0 = (bytes[0] & 0x1F) as i16; let v1 = ((bytes[1] & 0x3) << 3 | (bytes[0] >> 5)) as i16; 
@@ -352,64 +142,31 @@ pub(crate) fn deserialize_5_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, (v0, v1, v2, v3, v4, v5, v6, v7) } -// #[cfg_attr(hax, hax_lib::fstar::after(interface, " -// val deserialize_5_lemma (inputs: t_Array u8 (sz 10)) : Lemma -// (ensures bit_vec_of_int_t_array (${deserialize_5} inputs).f_elements 5 == bit_vec_of_int_t_array inputs 8) -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--z3rlimit 300\" - -// let deserialize_5_lemma inputs = -// deserialize_5_bit_vec_lemma inputs; -// BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_5} inputs).f_elements 5) -// (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -// #pop-options -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -// let deserialize_5_bit_vec_lemma (v: t_Array u8 (sz 10)) -// : squash ( -// let inputs = bit_vec_of_int_t_array v 8 in -// let outputs = bit_vec_of_int_t_array (${deserialize_5} v).f_elements 5 in -// (forall (i: nat {i < 80}). 
inputs i == outputs i) -// ) = -// _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -// #pop-options -// "))] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 10} -"#))] #[inline(always)] pub(crate) fn deserialize_5(bytes: &[u8]) -> PortableVector { let v0_7 = deserialize_5_int(&bytes[0..5]); let v8_15 = deserialize_5_int(&bytes[5..10]); - PortableVector { elements: [ - v0_7.0, - v0_7.1, - v0_7.2, - v0_7.3, - v0_7.4, - v0_7.5, - v0_7.6, - v0_7.7, - v8_15.0, - v8_15.1, - v8_15.2, - v8_15.3, - v8_15.4, - v8_15.5, - v8_15.6, - v8_15.7, - ] } + let mut v = zero(); + v.elements[0] = v0_7.0; + v.elements[1] = v0_7.1; + v.elements[2] = v0_7.2; + v.elements[3] = v0_7.3; + v.elements[4] = v0_7.4; + v.elements[5] = v0_7.5; + v.elements[6] = v0_7.6; + v.elements[7] = v0_7.7; + v.elements[8] = v8_15.0; + v.elements[9] = v8_15.1; + v.elements[10] = v8_15.2; + v.elements[11] = v8_15.3; + v.elements[12] = v8_15.4; + v.elements[13] = v8_15.5; + v.elements[14] = v8_15.6; + v.elements[15] = v8_15.7; + v } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 4} -"#))] pub(crate) fn serialize_10_int(v: &[i16]) -> (u8, u8, u8, u8, u8) { let r0 = (v[0] & 0xFF) as u8; let r1 = ((v[1] & 0x3F) as u8) << 2 | ((v[0] >> 8) & 0x03) as u8; 
@@ -419,51 +176,43 @@ pub(crate) fn serialize_10_int(v: &[i16]) -> (u8, u8, u8, u8, u8) { (r0, r1, r2, r3, r4) } -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 10)) - (ensures bit_vec_of_int_t_array (${serialize_10} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 10) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let serialize_10_lemma inputs = - serialize_10_bit_vec_lemma inputs.f_elements (); - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_10} inputs) 8) - (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 10)) - -#pop-options -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let serialize_10_bit_vec_lemma (v: t_Array i16 (sz 16)) - (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 10)) - : squash ( - let inputs = bit_vec_of_int_t_array v 10 in - let outputs = bit_vec_of_int_t_array (${serialize_10} ({ f_elements = v })) 8 in - (forall (i: nat {i < 160}). 
inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] #[inline(always)] pub(crate) fn serialize_10(v: PortableVector) -> [u8; 20] { let r0_4 = serialize_10_int(&v.elements[0..4]); let r5_9 = serialize_10_int(&v.elements[4..8]); let r10_14 = serialize_10_int(&v.elements[8..12]); let r15_19 = serialize_10_int(&v.elements[12..16]); - [ - r0_4.0, r0_4.1, r0_4.2, r0_4.3, r0_4.4, r5_9.0, r5_9.1, r5_9.2, r5_9.3, r5_9.4, r10_14.0, - r10_14.1, r10_14.2, r10_14.3, r10_14.4, r15_19.0, r15_19.1, r15_19.2, r15_19.3, r15_19.4, - ] + // Here we could also do, the following, but it slows F* down: + // [r0_4.0, r0_4.1, r0_4.2, r0_4.3, r0_4.4, + // r5_9.0, r5_9.1, r5_9.2, r5_9.3, r5_9.4, + // r10_14.0, r10_14.1, r10_14.2, r10_14.3, r10_14.4, + // r15_19.0, r15_19.1, r15_19.2, r15_19.3, r15_19.4 ] + // If we can fix the F* for this, the code would be more compact. + let mut result = [0u8; 20]; + result[0] = r0_4.0; + result[1] = r0_4.1; + result[2] = r0_4.2; + result[3] = r0_4.3; + result[4] = r0_4.4; + result[5] = r5_9.0; + result[6] = r5_9.1; + result[7] = r5_9.2; + result[8] = r5_9.3; + result[9] = r5_9.4; + result[10] = r10_14.0; + result[11] = r10_14.1; + result[12] = r10_14.2; + result[13] = r10_14.3; + result[14] = r10_14.4; + result[15] = r15_19.0; + result[16] = r15_19.1; + result[17] = r15_19.2; + result[18] = r15_19.3; + result[19] = r15_19.4; + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 10} -"#))] pub(crate) fn deserialize_10_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) { let r0 = ((bytes[1] as i16 & 0x03) << 8 | (bytes[0] as i16 & 0xFF)) as i16; let r1 = ((bytes[2] as i16 & 0x0F) << 6 | (bytes[1] as i16 >> 2)) as i16; 
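Review bot: The rationale comment `// Here we could also do, the following, but it slows F* down:` is attached only to `serialize_10`, although the same array-literal-to-indexed-store rewrite is applied to every serialize_*/deserialize_* function in this file (serialize_5, serialize_11, serialize_12 and the `zero()`-then-assign form in deserialize_4/5/10/11/12), so a reader of any other function has no way to learn why the compact literal was avoided. Consider stating it once at module level, e.g. `// Results are built by indexed stores rather than array literals because the literal form slows F* verification; see serialize_10.`, and dropping the stray comma in `could also do, the following`. The hunk ends inside `deserialize_10_int`, whose body continues beyond it.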
@@ -476,75 +225,31 @@ pub(crate) fn deserialize_10_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, (r0, r1, r2, r3, r4, r5, r6, r7) } -//deserialize_10_bounded_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_10} inputs).f_elements i) 10) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -let deserialize_10_bounded_lemma inputs = - admit() -"))] -//deserialize_10_lemma -#[cfg_attr(hax, hax_lib::fstar::after(interface, " -val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma - (ensures bit_vec_of_int_t_array (${deserialize_10} inputs).f_elements 10 == bit_vec_of_int_t_array inputs 8) -"))] -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--z3rlimit 300\" - -let deserialize_10_lemma inputs = - deserialize_10_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_10} inputs).f_elements 10) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options -"))] -//deserialize_10_bit_vec_lemma -#[cfg_attr(hax, hax_lib::fstar::after(" -#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -let deserialize_10_bit_vec_lemma (v: t_Array u8 (sz 20)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (${deserialize_10} v).f_elements 10 in - (forall (i: nat {i < 160}). 
inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options -"))] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 20} -"#))] #[inline(always)] pub(crate) fn deserialize_10(bytes: &[u8]) -> PortableVector { let v0_7 = deserialize_10_int(&bytes[0..10]); let v8_15 = deserialize_10_int(&bytes[10..20]); - PortableVector { elements: [ - v0_7.0, - v0_7.1, - v0_7.2, - v0_7.3, - v0_7.4, - v0_7.5, - v0_7.6, - v0_7.7, - v8_15.0, - v8_15.1, - v8_15.2, - v8_15.3, - v8_15.4, - v8_15.5, - v8_15.6, - v8_15.7, - ] } + let mut v = zero(); + v.elements[0] = v0_7.0; + v.elements[1] = v0_7.1; + v.elements[2] = v0_7.2; + v.elements[3] = v0_7.3; + v.elements[4] = v0_7.4; + v.elements[5] = v0_7.5; + v.elements[6] = v0_7.6; + v.elements[7] = v0_7.7; + v.elements[8] = v8_15.0; + v.elements[9] = v8_15.1; + v.elements[10] = v8_15.2; + v.elements[11] = v8_15.3; + v.elements[12] = v8_15.4; + v.elements[13] = v8_15.5; + v.elements[14] = v8_15.6; + v.elements[15] = v8_15.7; + v } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 8} -"#))] pub(crate) fn serialize_11_int(v: &[i16]) -> (u8, u8, u8, u8, u8, u8, u8, u8, u8, u8, u8) { let r0 = v[0] as u8; let r1 = ((v[1] & 0x1F) as u8) << 3 | ((v[0] >> 8) as u8); 
@@ -560,119 +265,76 @@ pub(crate) fn serialize_11_int(v: &[i16]) -> (u8, u8, u8, u8, u8, u8, u8, u8, u8 (r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10) } -// #[cfg_attr(hax, hax_lib::fstar::after(interface, " -// val serialize_11_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma -// (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 11)) -// (ensures bit_vec_of_int_t_array (${serialize_11} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 11) -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--z3rlimit 300\" - -// let serialize_11_lemma inputs = -// serialize_11_bit_vec_lemma inputs.f_elements (); -// BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_11} inputs) 8) -// (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 11)) - -// #pop-options -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -// let serialize_11_bit_vec_lemma (v: t_Array i16 (sz 16)) -// (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 11)) -// : squash ( -// let inputs = bit_vec_of_int_t_array v 11 in -// let outputs = bit_vec_of_int_t_array (${serialize_11} ({ f_elements = v })) 8 in -// (forall (i: nat {i < 176}). 
inputs i == outputs i) -// ) = -// _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -// #pop-options -// "))] #[inline(always)] pub(crate) fn serialize_11(v: PortableVector) -> [u8; 22] { let r0_10 = serialize_11_int(&v.elements[0..8]); let r11_21 = serialize_11_int(&v.elements[8..16]); - [ - r0_10.0, r0_10.1, r0_10.2, r0_10.3, r0_10.4, r0_10.5, r0_10.6, r0_10.7, r0_10.8, r0_10.9, r0_10.10, - r11_21.0, r11_21.1, r11_21.2, r11_21.3, r11_21.4, r11_21.5, r11_21.6, r11_21.7, r11_21.8, r11_21.9, r11_21.10, - ] + let mut result = [0u8; 22]; + result[0] = r0_10.0; + result[1] = r0_10.1; + result[2] = r0_10.2; + result[3] = r0_10.3; + result[4] = r0_10.4; + result[5] = r0_10.5; + result[6] = r0_10.6; + result[7] = r0_10.7; + result[8] = r0_10.8; + result[9] = r0_10.9; + result[10] = r0_10.10; + result[11] = r11_21.0; + result[12] = r11_21.1; + result[13] = r11_21.2; + result[14] = r11_21.3; + result[15] = r11_21.4; + result[16] = r11_21.5; + result[17] = r11_21.6; + result[18] = r11_21.7; + result[19] = r11_21.8; + result[20] = r11_21.9; + result[21] = r11_21.10; + result } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 11} -"#))] pub(crate) fn deserialize_11_int(bytes: &[u8]) -> (i16, i16, i16, i16, i16, i16, i16, i16) { - let r0 = (bytes[1] as i16 & 0x7) << 8 | bytes[0] as i16; - let r1 = (bytes[2] as i16 & 0x3F) << 5 | (bytes[1] as i16 >> 3); - let r2 = (bytes[4] as i16 & 0x1) << 10 | ((bytes[3] as i16) << 2) | ((bytes[2] as i16) >> 6); - let r3 = (bytes[5] as i16 & 0xF) << 7 | (bytes[4] as i16 >> 1); - let r4 = (bytes[6] as i16 & 0x7F) << 4 | (bytes[5] as i16 >> 4); - let r5 = (bytes[8] as i16 & 0x3) << 9 | ((bytes[7] as i16) << 1) | ((bytes[6] as i16) >> 7); - let r6 = (bytes[9] as i16 & 0x1F) << 6 | (bytes[8] as i16 >> 2); - let r7 = ((bytes[10] as i16) << 3) | (bytes[9] as i16 >> 5); + let r0 = ((bytes[1] as i16 & 0x7) << 8 | bytes[0] as i16) as i16; + let r1 = ((bytes[2] as i16 & 0x3F) << 5 | (bytes[1] as i16 >> 3)) as i16; + let r2 = 
((bytes[4] as i16 & 0x1) << 10 | ((bytes[3] as i16) << 2) | ((bytes[2] as i16) >> 6)) + as i16; + let r3 = ((bytes[5] as i16 & 0xF) << 7 | (bytes[4] as i16 >> 1)) as i16; + let r4 = ((bytes[6] as i16 & 0x7F) << 4 | (bytes[5] as i16 >> 4)) as i16; + let r5 = + ((bytes[8] as i16 & 0x3) << 9 | ((bytes[7] as i16) << 1) | ((bytes[6] as i16) >> 7)) as i16; + let r6 = ((bytes[9] as i16 & 0x1F) << 6 | (bytes[8] as i16 >> 2)) as i16; + let r7 = (((bytes[10] as i16) << 3) | (bytes[9] as i16 >> 5)) as i16; (r0, r1, r2, r3, r4, r5, r6, r7) } -// #[cfg_attr(hax, hax_lib::fstar::after(interface, " -// val deserialize_11_lemma (inputs: t_Array u8 (sz 22)) : Lemma -// (ensures bit_vec_of_int_t_array (${deserialize_11} inputs).f_elements 11 == bit_vec_of_int_t_array inputs 8) -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--z3rlimit 300\" - -// let deserialize_11_lemma inputs = -// deserialize_11_bit_vec_lemma inputs; -// BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_11} inputs).f_elements 11) -// (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -// #pop-options -// "))] -// #[cfg_attr(hax, hax_lib::fstar::after(" -// #push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\" - -// let deserialize_11_bit_vec_lemma (v: t_Array u8 (sz 22)) -// : squash ( -// let inputs = bit_vec_of_int_t_array v 8 in -// let outputs = bit_vec_of_int_t_array (${deserialize_11} v).f_elements 11 in -// (forall (i: nat {i < 176}). 
inputs i == outputs i) -// ) = -// _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -// #pop-options -// "))] -#[hax_lib::requires(fstar!(r#" - ${bytes.len() == 22} -"#))] #[inline(always)] pub(crate) fn deserialize_11(bytes: &[u8]) -> PortableVector { let v0_7 = deserialize_11_int(&bytes[0..11]); let v8_15 = deserialize_11_int(&bytes[11..22]); - PortableVector { elements: [ - v0_7.0, - v0_7.1, - v0_7.2, - v0_7.3, - v0_7.4, - v0_7.5, - v0_7.6, - v0_7.7, - v8_15.0, - v8_15.1, - v8_15.2, - v8_15.3, - v8_15.4, - v8_15.5, - v8_15.6, - v8_15.7, - ] } + let mut v = zero(); + v.elements[0] = v0_7.0; + v.elements[1] = v0_7.1; + v.elements[2] = v0_7.2; + v.elements[3] = v0_7.3; + v.elements[4] = v0_7.4; + v.elements[5] = v0_7.5; + v.elements[6] = v0_7.6; + v.elements[7] = v0_7.7; + v.elements[8] = v8_15.0; + v.elements[9] = v8_15.1; + v.elements[10] = v8_15.2; + v.elements[11] = v8_15.3; + v.elements[12] = v8_15.4; + v.elements[13] = v8_15.5; + v.elements[14] = v8_15.6; + v.elements[15] = v8_15.7; + v } #[inline(always)] -#[hax_lib::requires(fstar!(r#" - ${v.len() == 2} -"#))] pub(crate) fn serialize_12_int(v: &[i16]) -> (u8, u8, u8) { let r0 = (v[0] & 0xFF) as u8; let r1 = ((v[0] >> 8) | ((v[1] & 0x0F) << 4)) as u8; 
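Review bot: Each rewritten `let rN = (...) as i16;` in `deserialize_11_int` casts an expression that is already `i16`, so the added casts are no-ops for rustc and only mirror the form `deserialize_10_int` uses earlier in the file; presumably they exist for the hax extraction, but nothing says so. A one-line comment would stop the next cleanup from removing them, e.g. `// The trailing `as i16` casts are redundant for rustc; kept to match deserialize_10_int for the extraction.` The hunk ends inside `serialize_12_int`, whose body continues beyond it.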
@@ -680,35 +342,6 @@ pub(crate) fn serialize_12_int(v: &[i16]) -> (u8, u8, u8) {
 (r0, r1, r2)
 }
-#[cfg_attr(hax, hax_lib::fstar::after(interface, "
-val serialize_12_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma
- (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 12))
- (ensures bit_vec_of_int_t_array (${serialize_12} inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 12)
-"))]
-#[cfg_attr(hax, hax_lib::fstar::after("
-#push-options \"--z3rlimit 300\"
-
-let serialize_12_lemma inputs =
- serialize_12_bit_vec_lemma inputs.f_elements ();
- BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${serialize_12} inputs) 8)
- (BitVecEq.retype (bit_vec_of_int_t_array inputs.f_elements 12))
-
-#pop-options
-"))]
-#[cfg_attr(hax, hax_lib::fstar::after("
-#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
-
-let serialize_12_bit_vec_lemma (v: t_Array i16 (sz 16))
- (_: squash (forall i. Rust_primitives.bounded (Seq.index v i) 12))
- : squash (
- let inputs = bit_vec_of_int_t_array v 12 in
- let outputs = bit_vec_of_int_t_array (${serialize_12} ({ f_elements = v })) 8 in
- (forall (i: nat {i < 192}). inputs i == outputs i)
- ) =
- _ by (Tactics.GetBit.prove_bit_vector_equality' ())
-
-#pop-options
-"))]
 #[inline(always)]
 pub(crate) fn serialize_12(v: PortableVector) -> [u8; 24] {
 let r0_2 = serialize_12_int(&v.elements[0..2]); 
@@ -719,22 +352,35 @@ pub(crate) fn serialize_12(v: PortableVector) -> [u8; 24] {
 let r15_17 = serialize_12_int(&v.elements[10..12]);
 let r18_20 = serialize_12_int(&v.elements[12..14]);
 let r21_23 = serialize_12_int(&v.elements[14..16]);
- [
- r0_2.0, r0_2.1, r0_2.2,
- r3_5.0, r3_5.1, r3_5.2,
- r6_8.0, r6_8.1, r6_8.2,
- r9_11.0, r9_11.1, r9_11.2,
- r12_14.0, r12_14.1, r12_14.2,
- r15_17.0, r15_17.1, r15_17.2,
- r18_20.0, r18_20.1, r18_20.2,
- r21_23.0, r21_23.1, r21_23.2,
- ]
+ let mut result = [0u8; 24];
+ result[0] = r0_2.0;
+ result[1] = r0_2.1;
+ result[2] = r0_2.2;
+ result[3] = r3_5.0;
+ result[4] = r3_5.1;
+ result[5] = r3_5.2;
+ result[6] = r6_8.0;
+ result[7] = r6_8.1;
+ result[8] = r6_8.2;
+ result[9] = r9_11.0;
+ result[10] = r9_11.1;
+ result[11] = r9_11.2;
+ result[12] = r12_14.0;
+ result[13] = r12_14.1;
+ result[14] = r12_14.2;
+ result[15] = r15_17.0;
+ result[16] = r15_17.1;
+ result[17] = r15_17.2;
+ result[18] = r18_20.0;
+ result[19] = r18_20.1;
+ result[20] = r18_20.2;
+ result[21] = r21_23.0;
+ result[22] = r21_23.1;
+ result[23] = r21_23.2;
+ result
 }
 #[inline(always)]
-#[hax_lib::requires(fstar!(r#"
- ${bytes.len() == 3}
-"#))]
 pub(crate) fn deserialize_12_int(bytes: &[u8]) -> (i16, i16) {
 let byte0 = bytes[0] as i16;
 let byte1 = bytes[1] as i16; 
@@ -744,47 +390,6 @@ pub(crate) fn deserialize_12_int(bytes: &[u8]) -> (i16, i16) {
 (r0, r1)
 }
-//deserialize_12_bounded_lemma
-#[cfg_attr(hax, hax_lib::fstar::after(interface, "
-val deserialize_12_bounded_lemma (inputs: t_Array u8 (sz 24)) : Lemma
- (ensures forall i. i < 16 ==> bounded (Seq.index (${deserialize_12} inputs).f_elements i) 12)
-"))]
-#[cfg_attr(hax, hax_lib::fstar::after("
-let deserialize_12_bounded_lemma inputs =
- admit()
-"))]
-//deserialize_12_lemma
-#[cfg_attr(hax, hax_lib::fstar::after(interface, "
-val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma
- (ensures bit_vec_of_int_t_array (${deserialize_12} inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8)
-"))]
-#[cfg_attr(hax, hax_lib::fstar::after("
-#push-options \"--z3rlimit 300\"
-
-let deserialize_12_lemma inputs =
- deserialize_12_bit_vec_lemma inputs;
- BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (${deserialize_12} inputs).f_elements 12)
- (BitVecEq.retype (bit_vec_of_int_t_array inputs 8))
-
-#pop-options
-"))]
-//deserialize_12_bit_vec_lemma
-#[cfg_attr(hax, hax_lib::fstar::after("
-#push-options \"--compat_pre_core 2 --z3rlimit 300 --z3refresh\"
-
-let deserialize_12_bit_vec_lemma (v: t_Array u8 (sz 24))
- : squash (
- let inputs = bit_vec_of_int_t_array v 8 in
- let outputs = bit_vec_of_int_t_array (${deserialize_12} v).f_elements 12 in
- (forall (i: nat {i < 192}). inputs i == outputs i)
- ) =
- _ by (Tactics.GetBit.prove_bit_vector_equality' ())
-
-#pop-options
-"))]
-#[hax_lib::requires(fstar!(r#"
- ${bytes.len() == 24}
-"#))]
 #[inline(always)]
 pub(crate) fn deserialize_12(bytes: &[u8]) -> PortableVector {
 let v0_1 = deserialize_12_int(&bytes[0..3]); 
@@ -795,22 +400,22 @@ pub(crate) fn deserialize_12(bytes: &[u8]) -> PortableVector { let v10_11 = deserialize_12_int(&bytes[15..18]); let v12_13 = deserialize_12_int(&bytes[18..21]); let v14_15 = deserialize_12_int(&bytes[21..24]); - PortableVector { elements: [ - v0_1.0, - v0_1.1, - v2_3.0, - v2_3.1, - v4_5.0, - v4_5.1, - v6_7.0, - v6_7.1, - v8_9.0, - v8_9.1, - v10_11.0, - v10_11.1, - v12_13.0, - v12_13.1, - v14_15.0, - v14_15.1, - ] } + let mut re = zero(); + re.elements[0] = v0_1.0; + re.elements[1] = v0_1.1; + re.elements[2] = v2_3.0; + re.elements[3] = v2_3.1; + re.elements[4] = v4_5.0; + re.elements[5] = v4_5.1; + re.elements[6] = v6_7.0; + re.elements[7] = v6_7.1; + re.elements[8] = v8_9.0; + re.elements[9] = v8_9.1; + re.elements[10] = v10_11.0; + re.elements[11] = v10_11.1; + re.elements[12] = v12_13.0; + re.elements[13] = v12_13.1; + re.elements[14] = v14_15.0; + re.elements[15] = v14_15.1; + re } diff --git a/libcrux-ml-kem/src/vector/portable/vector_type.rs b/libcrux-ml-kem/src/vector/portable/vector_type.rs index 94dde4e71..266b738e8 100644 --- a/libcrux-ml-kem/src/vector/portable/vector_type.rs +++ b/libcrux-ml-kem/src/vector/portable/vector_type.rs @@ -1,6 +1,6 @@ use crate::vector::traits::FIELD_ELEMENTS_IN_VECTOR; -/// Values having this type hold a representative 'x' of the Kyber field. +/// Values having this type hold a representative 'x' of the ML-DSA field. /// We use 'fe' as a shorthand for this type. pub(crate) type FieldElement = i16; @@ -9,8 +9,8 @@ pub struct PortableVector { pub(crate) elements: [FieldElement; FIELD_ELEMENTS_IN_VECTOR], } +#[allow(non_snake_case)] #[inline(always)] -#[hax_lib::ensures(|result| fstar!("${result}.f_elements == Seq.create 16 0s"))] pub fn zero() -> PortableVector { PortableVector { elements: [0i16; FIELD_ELEMENTS_IN_VECTOR], 
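Review bot: The rebuilt `deserialize_12` names its accumulator `re` while the sibling rewrites in this commit (deserialize_4, deserialize_5, deserialize_10, deserialize_11) all use `v`; the difference is harmless but makes the otherwise identical bodies harder to compare. `let mut v = zero();` with the matching `v.elements[i] = ...` stores would keep the family uniform. The function's opening lines are outside this hunk.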
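Review bot: The new doc comment says a `FieldElement` represents an element of the ML-DSA field, but this file lives in `libcrux-ml-kem` and the `traits.rs` hunk in the same commit keeps `FIELD_MODULUS: i16 = 3329`, which is the ML-KEM modulus; the ML-DSA modulus is a different, larger prime that does not even fit in an `i16`. Replacing "Kyber" with "ML-KEM" is what the rename intends, so the line should read `/// Values having this type hold a representative 'x' of the ML-KEM field.`.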
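Review bot: `#[allow(non_snake_case)]` is added to `zero()`, whose name is already snake_case, so the suppression does nothing here; it looks carried over from the `ZERO()` trait method in `traits.rs`, where the lint actually fires. Either drop it or say what it is for. The removed `#[hax_lib::ensures(...)]` also leaves the all-zero guarantee undocumented; `/// Returns a vector whose 16 elements are all zero.` would keep it visible to readers of the Rust source.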
@@ -18,16 +18,13 @@ pub fn zero() -> PortableVector { } #[inline(always)] -#[hax_lib::ensures(|result| fstar!("${result} == ${x}.f_elements"))] -pub fn to_i16_array(x: PortableVector) -> [i16; 16] { - x.elements -} - -#[inline(always)] -#[hax_lib::requires(array.len() == 16)] -#[hax_lib::ensures(|result| fstar!("${result}.f_elements == $array"))] pub fn from_i16_array(array: &[i16]) -> PortableVector { PortableVector { elements: array[0..16].try_into().unwrap(), } } + +#[inline(always)] +pub fn to_i16_array(x: PortableVector) -> [i16; 16] { + x.elements +} diff --git a/libcrux-ml-kem/src/vector/traits.rs b/libcrux-ml-kem/src/vector/traits.rs index 208e58b51..6d4654377 100644 --- a/libcrux-ml-kem/src/vector/traits.rs +++ b/libcrux-ml-kem/src/vector/traits.rs 
@@ -2,214 +2,65 @@ pub const MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS: i16 = 1353; pub const FIELD_MODULUS: i16 = 3329; pub const FIELD_ELEMENTS_IN_VECTOR: usize = 16; pub const INVERSE_OF_MODULUS_MOD_MONTGOMERY_R: u32 = 62209; // FIELD_MODULUS^{-1} mod MONTGOMERY_R -pub const BARRETT_SHIFT: i32 = 26; -pub const BARRETT_R: i32 = 1 << BARRETT_SHIFT; -#[cfg(hax)] -#[hax_lib::attributes] -pub trait Repr: Copy + Clone { - #[requires(true)] - fn repr(x: Self) -> [i16; 16]; -} - -#[cfg(hax)] -#[hax_lib::attributes] -pub trait Operations: Copy + Clone + Repr { +pub trait Operations: Copy + Clone { #[allow(non_snake_case)] - #[requires(true)] - #[ensures(|result| fstar!("f_repr $result == Seq.create 16 0s"))] fn ZERO() -> Self; - - #[requires(array.len() == 16)] - #[ensures(|result| fstar!("f_repr $result == $array"))] + fn from_i16_array(array: &[i16]) -> Self; - - #[requires(true)] - #[ensures(|result| fstar!("f_repr $x == $result"))] fn to_i16_array(x: Self) -> [i16; 16]; // Basic arithmetic - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${lhs}) i) + v (Seq.index (f_repr ${rhs}) i))"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index (f_repr ${result}) i) == - v (Seq.index (f_repr ${lhs}) i) + v (Seq.index (f_repr ${rhs}) i))"))] fn add(lhs: Self, rhs: &Self) -> Self; - - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${lhs}) i) - v (Seq.index (f_repr ${rhs}) i))"))] - #[ensures(|result| fstar!("forall i. i < 16 ==> - (v (Seq.index (f_repr ${result}) i) == - v (Seq.index (f_repr ${lhs}) i) - v (Seq.index (f_repr ${rhs}) i))"))] fn sub(lhs: Self, rhs: &Self) -> Self; - - #[requires(fstar!("forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr ${vec}) i) * v c)"))] - #[ensures(|result| fstar!("forall i. 
i < 16 ==> - (v (Seq.index (f_repr ${result}) i) == - v (Seq.index (f_repr ${vec}) i) * v c)"))] - fn multiply_by_constant(vec: Self, c: i16) -> Self; + fn multiply_by_constant(v: Self, c: i16) -> Self; // Bitwise operations - #[requires(true)] - #[ensures(|result| fstar!("f_repr $result == Spec.Utils.map_array (fun x -> x &. c) (f_repr $v)"))] fn bitwise_and_with_constant(v: Self, c: i16) -> Self; - - #[requires(SHIFT_BY >= 0 && SHIFT_BY < 16)] - #[ensures(|result| fstar!("(v_SHIFT_BY >=. 0l /\\ v_SHIFT_BY <. 16l) ==> f_repr $result == Spec.Utils.map_array (fun x -> x >>! ${SHIFT_BY}) (f_repr $v)"))] fn shift_right(v: Self) -> Self; // fn shift_left(v: Self) -> Self; // Modular operations - #[requires(fstar!("Spec.Utils.is_i16b_array (pow2 12 - 1) (f_repr $v)"))] - #[ensures(|result| fstar!("f_repr $result == Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (f_repr $v)"))] fn cond_subtract_3329(v: Self) -> Self; - - #[requires(fstar!("Spec.Utils.is_i16b_array 28296 (f_repr $vector)"))] - fn barrett_reduce(vector: Self) -> Self; - - #[requires(fstar!("Spec.Utils.is_i16b 1664 c"))] + fn barrett_reduce(v: Self) -> Self; fn montgomery_multiply_by_constant(v: Self, c: i16) -> Self; // Compression - #[requires(fstar!("forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\\ - v (Seq.index (f_repr $a) i) < 3329"))] - #[ensures(|result| fstar!("forall (i:nat). i < 16 ==> bounded (Seq.index (f_repr $result) i) 1"))] - fn compress_1(a: Self) -> Self; - #[requires(fstar!("(v $COEFFICIENT_BITS == 4 \\/ - v $COEFFICIENT_BITS == 5 \\/ - v $COEFFICIENT_BITS == 10 \\/ - v $COEFFICIENT_BITS == 11) /\\ - (forall (i:nat). i < 16 ==> v (Seq.index (f_repr $a) i) >= 0 /\\ - v (Seq.index (f_repr $a) i) < 3329)"))] - #[ensures(|result| fstar!("(v $COEFFICIENT_BITS == 4 \\/ - v $COEFFICIENT_BITS == 5 \\/ - v $COEFFICIENT_BITS == 10 \\/ - v $COEFFICIENT_BITS == 11) ==> - (forall (i:nat). 
i < 16 ==> bounded (Seq.index (f_repr $result) i) (v $COEFFICIENT_BITS))"))] - fn compress(a: Self) -> Self; - #[requires(COEFFICIENT_BITS == 4 || COEFFICIENT_BITS == 5 || - COEFFICIENT_BITS == 10 || COEFFICIENT_BITS == 11)] + fn compress_1(v: Self) -> Self; + fn compress(v: Self) -> Self; fn decompress_ciphertext_coefficient(v: Self) -> Self; // NTT - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (11207+5*3328) (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+6*3328) (f_repr $out)"))] fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array (11207+4*3328) (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+5*3328) (f_repr $out)"))] fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta /\\ - Spec.Utils.is_i16b_array (11207+3*3328) (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array (11207+4*3328) (f_repr $out)"))] fn ntt_layer_3_step(a: Self, zeta: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array (4 * 3328) (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))] fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b_array 3328 (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))] fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta/\\ - 
Spec.Utils.is_i16b_array 3328 (f_repr ${a})"))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))] fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self; - #[requires(fstar!("Spec.Utils.is_i16b 1664 zeta0 /\\ Spec.Utils.is_i16b 1664 zeta1 /\\ - Spec.Utils.is_i16b 1664 zeta2 /\\ Spec.Utils.is_i16b 1664 zeta3 /\\ - Spec.Utils.is_i16b_array 3328 (f_repr ${lhs}) /\\ - Spec.Utils.is_i16b_array 3328 (f_repr ${rhs}) "))] - #[ensures(|out| fstar!("Spec.Utils.is_i16b_array 3328 (f_repr $out)"))] fn ntt_multiply(lhs: &Self, rhs: &Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; // Serialization and deserialization - #[requires(fstar!("Spec.MLKEM.serialize_pre 1 (f_repr $a)"))] - #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 1 (f_repr $a) ==> Spec.MLKEM.serialize_post 1 (f_repr $a) $result"))] fn serialize_1(a: Self) -> [u8; 2]; - #[requires(a.len() == 2)] - #[ensures(|result| fstar!("sz (Seq.length $a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 $a (f_repr $result)"))] fn deserialize_1(a: &[u8]) -> Self; - #[requires(fstar!("Spec.MLKEM.serialize_pre 4 (f_repr $a)"))] - #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 4 (f_repr $a) ==> Spec.MLKEM.serialize_post 4 (f_repr $a) $result"))] fn serialize_4(a: Self) -> [u8; 8]; - #[requires(a.len() == 8)] - #[ensures(|result| fstar!("sz (Seq.length $a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 $a (f_repr $result)"))] fn deserialize_4(a: &[u8]) -> Self; fn serialize_5(a: Self) -> [u8; 10]; - #[requires(a.len() == 10)] fn deserialize_5(a: &[u8]) -> Self; - #[requires(fstar!("Spec.MLKEM.serialize_pre 10 (f_repr $a)"))] - #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 10 (f_repr $a) ==> Spec.MLKEM.serialize_post 10 (f_repr $a) $result"))] fn serialize_10(a: Self) -> [u8; 20]; - #[requires(a.len() == 20)] - #[ensures(|result| fstar!("sz (Seq.length $a) =. 
sz 20 ==> Spec.MLKEM.deserialize_post 10 $a (f_repr $result)"))] fn deserialize_10(a: &[u8]) -> Self; fn serialize_11(a: Self) -> [u8; 22]; - #[requires(a.len() == 22)] fn deserialize_11(a: &[u8]) -> Self; - #[requires(fstar!("Spec.MLKEM.serialize_pre 12 (f_repr $a)"))] - #[ensures(|result| fstar!("Spec.MLKEM.serialize_pre 12 (f_repr $a) ==> Spec.MLKEM.serialize_post 12 (f_repr $a) $result"))] fn serialize_12(a: Self) -> [u8; 24]; - #[requires(a.len() == 24)] - #[ensures(|result| fstar!("sz (Seq.length $a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 $a (f_repr $result)"))] fn deserialize_12(a: &[u8]) -> Self; - #[requires(a.len() == 24 && out.len() == 16)] - #[ensures(|result| - fstar!("Seq.length $out_future == Seq.length $out /\\ v $result <= 16") - )] - fn rej_sample(a: &[u8], out: &mut [i16]) -> usize; -} - -#[cfg(not(hax))] -pub trait Operations: Copy + Clone { - #[allow(non_snake_case)] - fn ZERO() -> Self; - fn from_i16_array(array: &[i16]) -> Self; - fn to_i16_array(x: Self) -> [i16; 16]; - fn add(lhs: Self, rhs: &Self) -> Self; - fn sub(lhs: Self, rhs: &Self) -> Self; - fn multiply_by_constant(v: Self, c: i16) -> Self; - fn bitwise_and_with_constant(v: Self, c: i16) -> Self; - fn shift_right(v: Self) -> Self; - fn cond_subtract_3329(v: Self) -> Self; - fn barrett_reduce(vector: Self) -> Self; - fn montgomery_multiply_by_constant(v: Self, c: i16) -> Self; - fn compress_1(v: Self) -> Self; - fn compress(v: Self) -> Self; - fn decompress_ciphertext_coefficient(v: Self) -> Self; - fn ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; - fn ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self; - fn ntt_layer_3_step(a: Self, zeta: i16) -> Self; - fn inv_ntt_layer_1_step(a: Self, zeta0: i16, zeta1: i16, zeta2: i16, zeta3: i16) -> Self; - fn inv_ntt_layer_2_step(a: Self, zeta0: i16, zeta1: i16) -> Self; - fn inv_ntt_layer_3_step(a: Self, zeta: i16) -> Self; - fn ntt_multiply(lhs: &Self, rhs: &Self, zeta0: i16, zeta1: i16, zeta2: 
i16, zeta3: i16) - -> Self; - fn serialize_1(a: Self) -> [u8; 2]; - fn deserialize_1(a: &[u8]) -> Self; - fn serialize_4(a: Self) -> [u8; 8]; - fn deserialize_4(a: &[u8]) -> Self; - fn serialize_5(a: Self) -> [u8; 10]; - fn deserialize_5(a: &[u8]) -> Self; - fn serialize_10(a: Self) -> [u8; 20]; - fn deserialize_10(a: &[u8]) -> Self; - fn serialize_11(a: Self) -> [u8; 22]; - fn deserialize_11(a: &[u8]) -> Self; - fn serialize_12(a: Self) -> [u8; 24]; - fn deserialize_12(a: &[u8]) -> Self; fn rej_sample(a: &[u8], out: &mut [i16]) -> usize; } diff --git a/libcrux-sha3/Cargo.toml b/libcrux-sha3/Cargo.toml index d76bbd9ca..85ed0be95 100644 --- a/libcrux-sha3/Cargo.toml +++ b/libcrux-sha3/Cargo.toml @@ -20,7 +20,7 @@ libcrux-intrinsics = { version = "0.0.2-beta.2", path = "../libcrux-intrinsics" # This is only required for verification. # The hax config is set by the hax toolchain. [target.'cfg(hax)'.dependencies] -hax-lib.workspace = true +hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" } [features] simd128 = [] diff --git a/libcrux-sha3/proofs/fstar/extraction/Makefile b/libcrux-sha3/proofs/fstar/extraction/Makefile deleted file mode 100644 index ec420d509..000000000 --- a/libcrux-sha3/proofs/fstar/extraction/Makefile +++ /dev/null @@ -1 +0,0 @@ -include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template diff --git a/proofs/fstar/extraction-edited/Makefile b/proofs/fstar/extraction-edited/Makefile index ec420d509..6b294a42d 100644 --- a/proofs/fstar/extraction-edited/Makefile +++ b/proofs/fstar/extraction-edited/Makefile 
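Review bot: Collapsing the `#[cfg(hax)]` and `#[cfg(not(hax))]` versions of `Operations` into one trait deletes every `requires`/`ensures` contract without leaving the bounds anywhere in the Rust source: `add`/`sub` lose the `Spec.Utils.is_intb (pow2 15 - 1)` overflow guard on the element-wise sum, `barrett_reduce` loses `Spec.Utils.is_i16b_array 28296` on its input, `montgomery_multiply_by_constant` loses `Spec.Utils.is_i16b 1664 c`, `shift_right`/`compress` lose their `SHIFT_BY`/`COEFFICIENT_BITS` range checks, and `rej_sample` loses `a.len() == 24 && out.len() == 16`. Backends implementing the trait now have nothing to check their arithmetic ranges against, and in release builds an i16 overflow wraps silently; a `///` doc comment per method carrying the old bound, e.g. `/// Callers must ensure `a.len() == 24` and `out.len() == 16`.` on `rej_sample`, would preserve them. The `Repr` trait and the `BARRETT_SHIFT`/`BARRETT_R` constants are also removed; if any backend still references them the build breaks, which this chunk cannot show.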
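Review bot: `hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/" }` names a git repository with no `rev`, `tag` or `branch`, so the commit that satisfies it is whatever the default branch holds at the next `cargo update`; only the lockfile keeps it still, and this is a proof-toolchain dependency pulled into the build of a cryptographic crate. It also replaces `hax-lib.workspace = true`, so `libcrux-sha3` can now resolve a different hax-lib than the rest of the workspace. Prefer keeping the workspace entry, or pin the source explicitly, e.g. `hax-lib = { version = "0.1.0-alpha.1", git = "https://github.com/hacspec/hax/", rev = "<pinned-hax-commit>" }`.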
@@ -1 +1,150 @@ -include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template +# This is a generically useful Makefile for F* that is self-contained +# +# It is tempting to factor this out into multiple Makefiles but that +# makes it less portable, so resist temptation, or move to a more +# sophisticated build system. +# +# We expect FSTAR_HOME to be set to your FSTAR repo/install directory +# We expect HACL_HOME to be set to your HACL* repo location +# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc. +# +# ROOTS contains all the top-level F* files you wish to verify +# The default target `verify` verified ROOTS and its dependencies +# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line +# +# +# To make F* emacs mode use the settings in this file, you need to +# add the following lines to your .emacs +# +# (setq-default fstar-executable "/bin/fstar.exe") +# (setq-default fstar-smt-executable "/bin/z3") +# +# (defun my-fstar-compute-prover-args-using-make () +# "Construct arguments to pass to F* by calling make." +# (with-demoted-errors "Error when constructing arg string: %S" +# (let* ((fname (file-name-nondirectory buffer-file-name)) +# (target (concat fname "-in")) +# (argstr (car (process-lines "make" "--quiet" target)))) +# (split-string argstr)))) +# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) +# + +WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/.. 
+ +HAX_HOME ?= $(WORKSPACE_ROOT)/hax +HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar +HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction +FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar +HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star +FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe") + +CACHE_DIR ?= .cache +HINT_DIR ?= .hints + +.PHONY: all verify verify-lax clean + +all: + rm -f .depend && $(MAKE) .depend + $(MAKE) verify + +ifeq ($(OTHERFLAGS),$(subst --admit_smt_queries true,,$(OTHERFLAGS))) +FSTAR_HINTS ?= --use_hints --use_hint_hashes --record_hints +else +FSTAR_HINTS ?= --use_hints --use_hint_hashes +endif + +VERIFIED = \ + Libcrux.Digest.fsti \ + Libcrux.Kem.Kyber.Constants.fsti \ + Libcrux.Kem.Kyber.Hash_functions.fsti \ + Libcrux.Kem.Kyber.Hash_functions.fst \ + Libcrux.Kem.Kyber.Types.fst \ + Libcrux.Kem.Kyber.Kyber768.fsti \ + Libcrux.Kem.Kyber.Kyber768.fst \ + Libcrux.Kem.Kyber.Kyber1024.fsti \ + Libcrux.Kem.Kyber.Kyber1024.fst \ + Libcrux.Kem.Kyber.Kyber512.fsti \ + Libcrux.Kem.Kyber.Kyber512.fst \ + Libcrux.Kem.Kyber.Ind_cpa.fsti \ + Libcrux.Kem.Kyber.Ind_cpa.fst \ + Libcrux.Kem.Kyber.fsti \ + Libcrux.Kem.Kyber.fst \ + Libcrux.Kem.Kyber.Arithmetic.fsti \ + Libcrux.Kem.Kyber.Arithmetic.fst \ + Libcrux.Kem.Kyber.Compress.fsti \ + Libcrux.Kem.Kyber.Compress.fst \ + Libcrux.Kem.Kyber.Constant_time_ops.fsti \ + Libcrux.Kem.Kyber.Constant_time_ops.fst \ + Libcrux.Kem.Kyber.Matrix.fsti \ + Libcrux.Kem.Kyber.Matrix.fst \ + Libcrux.Kem.Kyber.Ntt.fsti \ + Libcrux.Kem.Kyber.Ntt.fst \ + Libcrux.Kem.Kyber.Sampling.fst \ + Libcrux.Kem.Kyber.Serialize.fsti \ + Libcrux.Kem.Kyber.Serialize.fst + +UNVERIFIED = + + +VERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(VERIFIED))) +UNVERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(UNVERIFIED))) + +# By default, we process all the files in the current directory. 
Here, we +# *extend* the set of relevant files with the tests. +ROOTS = $(UNVERIFIED) $(VERIFIED) + +FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) + +FSTAR_FLAGS = $(FSTAR_HINTS) \ + --cmi \ + --warn_error -331 \ + --warn_error -321 \ + --warn_error -274 \ + --query_stats \ + --cache_checked_modules --cache_dir $(CACHE_DIR) \ + --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ + $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) + +# --log_queries \ +# --z3version 4.12.3 \ +# --smtencoding.l_arith_repr native \ +# --smtencoding.nl_arith_repr native \ + +FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS) + + +.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) + $(info $(ROOTS)) + $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ + +include .depend + +$(HINT_DIR): + mkdir -p $@ + +$(CACHE_DIR): + mkdir -p $@ + +$(UNVERIFIED_CHECKED): OTHERFLAGS=--admit_smt_queries true +$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) + $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints + +verify: $(UNVERIFIED_CHECKED) $(VERIFIED_CHECKED) + +# Targets for interactive mode + +%.fst-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) + +%.fsti-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) + + +# Clean targets + +SHELL=/usr/bin/env bash + +clean: + rm -rf $(CACHE_DIR)/* diff --git a/proofs/fstar/extraction-secret-independent/Makefile b/proofs/fstar/extraction-secret-independent/Makefile index ec420d509..3c4a3f008 100644 --- a/proofs/fstar/extraction-secret-independent/Makefile +++ b/proofs/fstar/extraction-secret-independent/Makefile 
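Review bot: `clean` runs `rm -rf $(CACHE_DIR)/*` on a variable that is only defaulted with `?=`, so an environment or command-line override to the empty string expands the recipe to `rm -rf /*`; guard it right after `CACHE_DIR ?= .cache`, e.g. `ifeq ($(strip $(CACHE_DIR)),)` / `$(error CACHE_DIR must not be empty)` / `endif`. The same recipe is copied into the `proofs/fstar/extraction-secret-independent/Makefile` and `proofs/fstar/extraction/Makefile` hunks of this patch. `.PHONY` declares `verify-lax`, but none of the three files defines such a target; either add it (the header comment says lax checking is done through `OTHERFLAGS="--lax"`) or drop it from `.PHONY`. Replacing the single `include .../fstar-helpers/Makefile.template` with three near-identical copies means every fix now has to land three times, and the other two copies already differ from this one in `FSTAR_FLAGS` and `clean`. The `FSTAR_BIN` probe `command -v fstar.exe 1>&2 2> /dev/null` redirects the found path to make's stderr on every invocation, which looks like it was meant to be `>/dev/null 2>&1`.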
@@ -1 +1,134 @@ -include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template +# This is a generically useful Makefile for F* that is self-contained +# +# It is tempting to factor this out into multiple Makefiles but that +# makes it less portable, so resist temptation, or move to a more +# sophisticated build system. +# +# We expect FSTAR_HOME to be set to your FSTAR repo/install directory +# We expect HACL_HOME to be set to your HACL* repo location +# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc. +# +# ROOTS contains all the top-level F* files you wish to verify +# The default target `verify` verified ROOTS and its dependencies +# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line +# +# +# To make F* emacs mode use the settings in this file, you need to +# add the following lines to your .emacs +# +# (setq-default fstar-executable "/bin/fstar.exe") +# (setq-default fstar-smt-executable "/bin/z3") +# +# (defun my-fstar-compute-prover-args-using-make () +# "Construct arguments to pass to F* by calling make." +# (with-demoted-errors "Error when constructing arg string: %S" +# (let* ((fname (file-name-nondirectory buffer-file-name)) +# (target (concat fname "-in")) +# (argstr (car (process-lines "make" "--quiet" target)))) +# (split-string argstr)))) +# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) +# + +WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/.. 
+ +HAX_HOME ?= $(WORKSPACE_ROOT)/hax +HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar-secret-integers +HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction +FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar +HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star +FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe") + +CACHE_DIR ?= .cache +HINT_DIR ?= .hints + +.PHONY: all verify verify-lax clean + +all: + rm -f .depend && $(MAKE) .depend + $(MAKE) verify + + +SECRET_INDEPENDENT = \ + Libcrux.Kem.Kyber.Constants.fsti \ + Libcrux.Digest.fsti \ + Libcrux.Kem.Kyber.Hash_functions.fsti \ + Libcrux.Kem.Kyber.Hash_functions.fst \ + Libcrux.Kem.Kyber.Kyber768.fsti \ + Libcrux.Kem.Kyber.Kyber768.fst \ + Libcrux.Kem.Kyber.Kyber1024.fsti \ + Libcrux.Kem.Kyber.Kyber1024.fst \ + Libcrux.Kem.Kyber.Kyber512.fsti \ + Libcrux.Kem.Kyber.Kyber512.fst \ + Libcrux.Kem.Kyber.Types.fst \ + Libcrux.Kem.Kyber.fsti \ + Libcrux.Kem.Kyber.fst \ + Libcrux.Kem.Kyber.Ind_cpa.fsti \ + Libcrux.Kem.Kyber.Ind_cpa.fst \ + Libcrux.Kem.Kyber.Arithmetic.fsti \ + Libcrux.Kem.Kyber.Arithmetic.fst \ + Libcrux.Kem.Kyber.Compress.fsti \ + Libcrux.Kem.Kyber.Compress.fst \ + Libcrux.Kem.Kyber.Constant_time_ops.fsti \ + Libcrux.Kem.Kyber.Constant_time_ops.fst \ + Libcrux.Kem.Kyber.Matrix.fsti \ + Libcrux.Kem.Kyber.Matrix.fst \ + Libcrux.Kem.Kyber.Ntt.fsti \ + Libcrux.Kem.Kyber.Ntt.fst \ + Libcrux.Kem.Kyber.Sampling.fst \ + Libcrux.Kem.Kyber.Serialize.fsti \ + Libcrux.Kem.Kyber.Serialize.fst + +SECRET_INDEPENDENT_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(SECRET_INDEPENDENT))) + +# By default, we process all the files in the current directory. Here, we +# *extend* the set of relevant files with the tests. 
+ROOTS = $(SECRET_INDEPENDENT) + +FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) + +FSTAR_FLAGS = --cmi \ + --warn_error -331-321-274 \ + --admit_smt_queries true \ + --cache_checked_modules --cache_dir $(CACHE_DIR) \ + --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ + $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) + +FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS) + + +.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) + $(info $(ROOTS)) + $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ + +include .depend + +$(HINT_DIR): + mkdir -p $@ + +$(CACHE_DIR): + mkdir -p $@ + +$(SECRET_INDEPENDENT_CHECKED): OTHERFLAGS=--admit_smt_queries true +$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) + $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints + +verify: $(SECRET_INDEPENDENT_CHECKED) + +# Targets for interactive mode + +%.fst-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) + +%.fsti-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) + + +# Clean targets + +SHELL=/usr/bin/env bash + +clean: + rm -rf $(CACHE_DIR)/* + rm *.fst diff --git a/proofs/fstar/extraction/Makefile b/proofs/fstar/extraction/Makefile index ec420d509..763274af1 100644 --- a/proofs/fstar/extraction/Makefile +++ b/proofs/fstar/extraction/Makefile 
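Review bot: `FSTAR_FLAGS` carries `--admit_smt_queries true` unconditionally, so every module in `SECRET_INDEPENDENT` is only type-checked and the `verify` target never discharges a proof obligation; the per-target `$(SECRET_INDEPENDENT_CHECKED): OTHERFLAGS=--admit_smt_queries true` line is then redundant. If the intent is that secret independence is established by type-checking against the `fstar-secret-integers` proof libs alone, say so above the flags, e.g. `# SMT queries are admitted on purpose: this Makefile only type-checks against the secret-integer libs, it proves nothing.`, so that a green `make verify` is not read as functional verification. `clean` also runs `rm *.fst`, which deletes the extracted sources next to the cache and fails the target when there is nothing to delete; if removing the extraction output is intended, use `rm -f *.fst` and document it in the `# Clean targets` comment. The `proofs/fstar/extraction/Makefile` hunk has the same `rm *.fst`.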
@@ -1 +1,127 @@ -include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.template +# This is a generically useful Makefile for F* that is self-contained +# +# It is tempting to factor this out into multiple Makefiles but that +# makes it less portable, so resist temptation, or move to a more +# sophisticated build system. +# +# We expect FSTAR_HOME to be set to your FSTAR repo/install directory +# We expect HACL_HOME to be set to your HACL* repo location +# We expect HAX_LIBS_HOME to be set to the folder containing core, rust_primitives etc. +# +# ROOTS contains all the top-level F* files you wish to verify +# The default target `verify` verified ROOTS and its dependencies +# To lax-check instead, set `OTHERFLAGS="--lax"` on the command-line +# +# +# To make F* emacs mode use the settings in this file, you need to +# add the following lines to your .emacs +# +# (setq-default fstar-executable "/bin/fstar.exe") +# (setq-default fstar-smt-executable "/bin/z3") +# +# (defun my-fstar-compute-prover-args-using-make () +# "Construct arguments to pass to F* by calling make." +# (with-demoted-errors "Error when constructing arg string: %S" +# (let* ((fname (file-name-nondirectory buffer-file-name)) +# (target (concat fname "-in")) +# (argstr (car (process-lines "make" "--quiet" target)))) +# (split-string argstr)))) +# (setq fstar-subp-prover-args #'my-fstar-compute-prover-args-using-make) +# + +WORKSPACE_ROOT ?= $(shell git rev-parse --show-toplevel)/.. 
+ +HAX_HOME ?= $(WORKSPACE_ROOT)/hax +HAX_PROOF_LIBS_HOME ?= $(HAX_HOME)/proof-libs/fstar +HAX_LIBS_HOME ?= $(HAX_HOME)/hax-lib/proofs/fstar/extraction +FSTAR_HOME ?= $(WORKSPACE_ROOT)/FStar +HACL_HOME ?= $(WORKSPACE_ROOT)/hacl-star +FSTAR_BIN ?= $(shell command -v fstar.exe 1>&2 2> /dev/null && echo "fstar.exe" || echo "$(FSTAR_HOME)/bin/fstar.exe") + +CACHE_DIR ?= .cache +HINT_DIR ?= .hints + +.PHONY: all verify verify-lax clean + +all: + rm -f .depend && $(MAKE) .depend + $(MAKE) verify + + +VERIFIED = \ + Libcrux.Kem.Kyber.Constants.fsti \ + Libcrux.Kem.Kyber.Kyber768.fst \ + Libcrux.Kem.Kyber.Kyber1024.fst \ + Libcrux.Kem.Kyber.Kyber512.fst + + +UNVERIFIED = \ + Libcrux.Kem.Kyber.Types.fst \ + Libcrux.Kem.Kyber.fst \ + Libcrux.Kem.Kyber.Ind_cpa.fst \ + Libcrux.Kem.Kyber.Arithmetic.fst \ + Libcrux.Kem.Kyber.Arithmetic.fsti \ + Libcrux.Kem.Kyber.Compress.fst \ + Libcrux.Kem.Kyber.Constant_time_ops.fst \ + Libcrux.Digest.fsti \ + Libcrux.Digest.Incremental_x4.fsti \ + Libcrux.Kem.Kyber.Hash_functions.fst \ + Libcrux.Kem.Kyber.Matrix.fst \ + Libcrux.Kem.Kyber.Ntt.fst \ + Libcrux.Kem.Kyber.Sampling.fst \ + Libcrux.Kem.Kyber.Serialize.fst + +VERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(VERIFIED))) +UNVERIFIED_CHECKED = $(addsuffix .checked, $(addprefix $(CACHE_DIR)/,$(UNVERIFIED))) + +# By default, we process all the files in the current directory. Here, we +# *extend* the set of relevant files with the tests. 
+ROOTS = $(UNVERIFIED) $(VERIFIED) + +FSTAR_INCLUDE_DIRS = $(HACL_HOME)/lib $(HAX_PROOF_LIBS_HOME)/rust_primitives $(HAX_PROOF_LIBS_HOME)/core $(HAX_LIBS_HOME) ../../../sys/platform/proofs/fstar/extraction/ + +FSTAR_FLAGS = --cmi \ + --warn_error -331-321-274 \ + --cache_checked_modules --cache_dir $(CACHE_DIR) \ + --already_cached "+Prims+FStar+LowStar+C+Spec.Loops+TestLib" \ + $(addprefix --include ,$(FSTAR_INCLUDE_DIRS)) + +FSTAR = $(FSTAR_BIN) $(FSTAR_FLAGS) + + +.depend: $(HINT_DIR) $(CACHE_DIR) $(ROOTS) + $(info $(ROOTS)) + $(FSTAR) --cmi --dep full $(ROOTS) --extract '* -Prims -LowStar -FStar' > $@ + +include .depend + +$(HINT_DIR): + mkdir -p $@ + +$(CACHE_DIR): + mkdir -p $@ + +$(UNVERIFIED_CHECKED): OTHERFLAGS=--admit_smt_queries true +$(CACHE_DIR)/%.checked: | .depend $(HINT_DIR) $(CACHE_DIR) + $(FSTAR) $(OTHERFLAGS) $< $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(notdir $*).hints + +verify: $(UNVERIFIED_CHECKED) $(VERIFIED_CHECKED) + +# Targets for interactive mode + +%.fst-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fst.hints) + +%.fsti-in: + $(info $(FSTAR_FLAGS) \ + $(ENABLE_HINTS) --hint_file $(HINT_DIR)/$(basename $@).fsti.hints) + + +# Clean targets + +SHELL=/usr/bin/env bash + +clean: + rm -rf $(CACHE_DIR)/* + rm *.fst diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst deleted file mode 100644 index 0e4db4e49..000000000 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fst +++ /dev/null 
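Review bot: `$(UNVERIFIED_CHECKED): OTHERFLAGS=--admit_smt_queries true` admits the SMT obligations of `Libcrux.Kem.Kyber.fst`, `Libcrux.Kem.Kyber.Ind_cpa.fst`, `Libcrux.Kem.Kyber.Arithmetic.fst`, `Libcrux.Kem.Kyber.Constant_time_ops.fst` and the rest of `UNVERIFIED`, while `verify` depends on `$(UNVERIFIED_CHECKED)` and `$(VERIFIED_CHECKED)` alike and so reports success with only the four `VERIFIED` modules actually proven. Make the admitted set visible in the run, e.g. give `verify:` the recipe line `$(info admitted (not verified): $(UNVERIFIED))` in the same style as the `.depend` rule's `$(info $(ROOTS))`, and add a comment above `UNVERIFIED` stating that these modules are admitted and why. The header comment's claim that "The default target `verify` verified ROOTS and its dependencies" is not accurate for this file and should be qualified accordingly.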
@@ -1,69 +0,0 @@ -module Libcrux_platform.X86 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" -open Core -open FStar.Mul - -(* item error backend: (reject_Unsafe) ExplicitRejection { reason: "a node of kind [Unsafe] have been found in the AST" } -Last available AST for this item: - -#[inline(never)] -#[inline(always)] -#[cfg(any(target_arch = "x86", target_arch = "x86_64"))] -#[allow(non_upper_case_globals)] -#[no_std()] -#[feature(register_tool)] -#[register_tool(_hax)] -unsafe fn init__cpuid(leaf: int) -> core::core_arch::x86::cpuid::t_CpuidResult { - rust_primitives::hax::dropped_body -} - - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_platform"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "x86"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "init"); disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "cpuid"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) - -(* item error backend: (reject_Unsafe) ExplicitRejection { reason: "a node of kind [Unsafe] have been found in the AST" } -Last available AST for this item: - -#[inline(never)] -#[inline(always)] -#[cfg(any(target_arch = "x86", target_arch = "x86_64"))] -#[allow(non_upper_case_globals)] -#[no_std()] -#[feature(register_tool)] -#[register_tool(_hax)] -unsafe fn init__cpuid_count( - leaf: int, - sub_leaf: int, -) -> core::core_arch::x86::cpuid::t_CpuidResult { - rust_primitives::hax::dropped_body -} - - -Last AST: -/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = - { Concrete_ident.Imported.krate = "libcrux_platform"; - path = - [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "x86"); - disambiguator = 0 }; - { Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "init"); disambiguator = 0 }; - { 
Concrete_ident.Imported.data = - (Concrete_ident.Imported.ValueNs "cpuid_count"); disambiguator = 0 } - ] - }; - kind = Concrete_ident.Kind.Value }) */ -const _: () = (); - *) diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti index 968a5585c..0b77def1e 100644 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti +++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.X86.fsti @@ -1,5 +1,5 @@ module Libcrux_platform.X86 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/sys/pqclean/src/bindings.rs b/sys/pqclean/src/bindings.rs index 5f6602af9..9c1755073 100644 --- a/sys/pqclean/src/bindings.rs +++ b/sys/pqclean/src/bindings.rs @@ -1,4 +1,4 @@ -/* automatically generated by rust-bindgen 0.69.4 */ +/* automatically generated by rust-bindgen 0.69.5 */ pub const SHAKE128_RATE: u32 = 168; pub const SHAKE256_RATE: u32 = 136; From bdd8a689bbe4e1645c81bd944fddd33178b14c24 Mon Sep 17 00:00:00 2001 From: Karthikeyan Bhargavan Date: Fri, 8 Nov 2024 09:49:50 +0100 Subject: [PATCH 69/74] merge fixes for hax-lib attributes --- libcrux-ml-kem/proofs/fstar/extraction/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Makefile b/libcrux-ml-kem/proofs/fstar/extraction/Makefile index b054ead79..a3e9b243b 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Makefile +++ b/libcrux-ml-kem/proofs/fstar/extraction/Makefile @@ -16,4 +16,5 @@ ADMIT_MODULES = Libcrux_ml_kem.Vector.Avx2.fsti \ Libcrux_ml_kem.Vector.Neon.Serialize.fst \ Libcrux_ml_kem.Vector.Neon.Vector_type.fst +FSTAR_INCLUDE_DIRS_EXTRA += ../spec include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base From a31e411ce57494f7a7e8c5962c9951a52a62c770 Mon Sep 17 00:00:00 2001 
From: Franziskus Kiefer Date: Fri, 8 Nov 2024 08:56:13 +0000 Subject: [PATCH 70/74] inline ntt --- libcrux-ml-dsa/src/simd/avx2.rs | 3 +-- libcrux-ml-dsa/src/simd/avx2/ntt.rs | 16 +++++++++------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/libcrux-ml-dsa/src/simd/avx2.rs b/libcrux-ml-dsa/src/simd/avx2.rs index f4236caa2..608f37add 100644 --- a/libcrux-ml-dsa/src/simd/avx2.rs +++ b/libcrux-ml-dsa/src/simd/avx2.rs @@ -129,9 +129,8 @@ impl Operations for AVX2SIMDUnit { } #[inline(always)] - #[allow(unsafe_code)] fn ntt(simd_units: [Self; SIMD_UNITS_IN_RING_ELEMENT]) -> [Self; SIMD_UNITS_IN_RING_ELEMENT] { - let result = unsafe { ntt::ntt(simd_units.map(|x| x.coefficients)) }; + let result = ntt::ntt(simd_units.map(|x| x.coefficients)); result.map(|x| x.into()) } diff --git a/libcrux-ml-dsa/src/simd/avx2/ntt.rs b/libcrux-ml-dsa/src/simd/avx2/ntt.rs index 8ae3c9d68..cb84a2933 100644 --- a/libcrux-ml-dsa/src/simd/avx2/ntt.rs +++ b/libcrux-ml-dsa/src/simd/avx2/ntt.rs @@ -488,16 +488,18 @@ unsafe fn ntt_at_layer_5_to_3(re: &mut [Vec256; SIMD_UNITS_IN_RING_ELEMENT]) { () } -#[cfg_attr(not(hax), target_feature(enable = "avx2"))] #[allow(unsafe_code)] -pub(crate) unsafe fn ntt( +#[inline(always)] +pub(crate) fn ntt( mut re: [Vec256; SIMD_UNITS_IN_RING_ELEMENT], ) -> [Vec256; SIMD_UNITS_IN_RING_ELEMENT] { - ntt_at_layer_7_and_6(&mut re); - ntt_at_layer_5_to_3(&mut re); - ntt_at_layer_2(&mut re); - ntt_at_layer_1(&mut re); - ntt_at_layer_0(&mut re); + unsafe { + ntt_at_layer_7_and_6(&mut re); + ntt_at_layer_5_to_3(&mut re); + ntt_at_layer_2(&mut re); + ntt_at_layer_1(&mut re); + ntt_at_layer_0(&mut re); + } re } From 13e47cbdc6f6bd61154004794ff6eecf54e0f387 Mon Sep 17 00:00:00 2001 
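Review bot: `ntt` in `libcrux-ml-dsa/src/simd/avx2/ntt.rs` becomes a safe `pub(crate) fn` whose body is a bare `unsafe { ... }` around the `unsafe fn ntt_at_layer_*` calls, with no `// SAFETY:` comment recording what makes those calls sound — presumably that AVX2 support has already been established by the caller's runtime detection or by the compile-time target feature, an obligation this block now discharges on behalf of every caller since the `avx2.rs` hunk drops its own `unsafe`. Add `// SAFETY: <the AVX2-availability guarantee the crate relies on>` directly above the `unsafe {` line. If the layer functions carry `#[target_feature(enable = "avx2")]`, note also that removing `#[cfg_attr(not(hax), target_feature(enable = "avx2"))]` from `ntt` means they can no longer be inlined into it, so the `#[inline(always)]` added here only inlines the wrapper itself. The enclosing `impl Operations for AVX2SIMDUnit` in the `avx2.rs` hunk starts outside the hunk.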
From: Karthikeyan Bhargavan Date: Fri, 8 Nov 2024 10:23:26 +0100 Subject: [PATCH 71/74] added bitvec --- .../fstar-bitvec/BitVec.Equality.fst | 48 + .../fstar-bitvec/BitVec.Equality.fsti | 17 + .../BitVec.Intrinsics.Constants.fst | 264 ++ .../BitVec.Intrinsics.TestShuffle.fst | 203 ++ .../fstar-bitvec/BitVec.Intrinsics.fsti | 425 +++ fstar-helpers/fstar-bitvec/BitVec.Utils.fst | 67 + fstar-helpers/fstar-bitvec/BitVecEq.fst | 12 + fstar-helpers/fstar-bitvec/BitVecEq.fsti | 293 +++ fstar-helpers/fstar-bitvec/Makefile | 1 + fstar-helpers/fstar-bitvec/MkSeq.fst | 59 + fstar-helpers/fstar-bitvec/RwLemmas.fst | 71 + fstar-helpers/fstar-bitvec/Tactics.Folds.fst | 82 + fstar-helpers/fstar-bitvec/Tactics.GetBit.fst | 66 + .../fstar-bitvec/Tactics.MachineInts.fst | 273 ++ fstar-helpers/fstar-bitvec/Tactics.Pow2.fst | 58 + fstar-helpers/fstar-bitvec/Tactics.Seq.fst | 123 + fstar-helpers/fstar-bitvec/Tactics.Utils.fst | 328 +++ fstar-helpers/fstar-bitvec/dep.graph | 2316 +++++++++++++++++ .../proofs/fstar/extraction/Makefile | 2 +- 19 files changed, 4707 insertions(+), 1 deletion(-) create mode 100644 fstar-helpers/fstar-bitvec/BitVec.Equality.fst create mode 100644 fstar-helpers/fstar-bitvec/BitVec.Equality.fsti create mode 100644 fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst create mode 100644 fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst create mode 100644 fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti create mode 100644 fstar-helpers/fstar-bitvec/BitVec.Utils.fst create mode 100644 fstar-helpers/fstar-bitvec/BitVecEq.fst create mode 100644 fstar-helpers/fstar-bitvec/BitVecEq.fsti create mode 100644 fstar-helpers/fstar-bitvec/Makefile create mode 100644 fstar-helpers/fstar-bitvec/MkSeq.fst create mode 100644 fstar-helpers/fstar-bitvec/RwLemmas.fst create mode 100644 fstar-helpers/fstar-bitvec/Tactics.Folds.fst create mode 100644 fstar-helpers/fstar-bitvec/Tactics.GetBit.fst create mode 100644 fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst 
create mode 100644 fstar-helpers/fstar-bitvec/Tactics.Pow2.fst create mode 100644 fstar-helpers/fstar-bitvec/Tactics.Seq.fst create mode 100644 fstar-helpers/fstar-bitvec/Tactics.Utils.fst create mode 100644 fstar-helpers/fstar-bitvec/dep.graph diff --git a/fstar-helpers/fstar-bitvec/BitVec.Equality.fst b/fstar-helpers/fstar-bitvec/BitVec.Equality.fst new file mode 100644 index 000000000..5e21832c7 --- /dev/null +++ b/fstar-helpers/fstar-bitvec/BitVec.Equality.fst @@ -0,0 +1,48 @@ +module BitVec.Equality + +open Core +open Rust_primitives +open FStar.Mul +open FStar.FunctionalExtensionality + +private let mk_bv #len (f: (i:nat{i < len}) -> bit) = on (i:nat {i < len}) f + +let rec bv_equality'' #n (bv1 bv2: bit_vec n) + : r: bool {r <==> feq bv1 bv2} + = if n = 0 then true + else let n' = n - 1 in + if bv1 n' = bv2 n' + then + ( + let bv1' = mk_bv (fun i -> bv1 i) in + let bv2' = mk_bv (fun i -> bv2 i) in + if bv_equality'' #n' bv1' bv2' + then ( + assert (forall (x: nat{x < n'}). bv1' x == bv1 x); + assert (forall (x: nat{x < n'}). bv2' x == bv2 x); + true + ) + else false + ) + else false + +let bv_equality' #n (bv1 bv2: bit_vec n) + : r: bool {r <==> bv1 == bv2} + = extensionality _ _ bv1 bv2; + bv_equality'' bv1 bv2 + + +let bv_equality #n (bv1 bv2: bit_vec n) = bv_equality' bv1 bv2 + +let bv_equality_elim #n (bv1 bv2: bit_vec n) + : Lemma (requires bv_equality bv1 bv2) + (ensures bv1 == bv2) + = () +let bv_equality_intro #n (bv1 bv2: bit_vec n) + : Lemma (requires bv1 == bv2) + (ensures bv_equality bv1 bv2) + = () + +let rewrite n (bv1: bit_vec n) + : Lemma (bv_equality #n bv1 bv1 == true) + = () diff --git a/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti b/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti new file mode 100644 index 000000000..5340903b4 --- /dev/null +++ b/fstar-helpers/fstar-bitvec/BitVec.Equality.fsti 
@@ -0,0 +1,17 @@ +module BitVec.Equality + +open Core +open Rust_primitives +open FStar.Mul +open FStar.FunctionalExtensionality + +val bv_equality #n (bv1 bv2: bit_vec n): bool +val bv_equality_elim #n (bv1 bv2: bit_vec n) + : Lemma (requires bv_equality bv1 bv2) + (ensures bv1 == bv2) +val bv_equality_intro #n (bv1 bv2: bit_vec n) + : Lemma (requires bv1 == bv2) + (ensures bv_equality bv1 bv2) +val rewrite n (bv1: bit_vec n): Lemma (bv_equality #n bv1 bv1 == true) + + diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst new file mode 100644 index 000000000..9d2614842 --- /dev/null +++ b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.Constants.fst 
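Review bot: The interface `BitVec.Equality.fsti` exposes `bv_equality`, `bv_equality_elim`, `bv_equality_intro` and `rewrite` without any documentation, and the plain `bool` return type hides the decidability contract that only the two lemmas re-establish. A doc comment above `val bv_equality`, e.g. `(** Decidable equality on [bit_vec n]; use [bv_equality_intro] / [bv_equality_elim] to move between the boolean and [==]. *)`, would tell a user which lemma to invoke. The two trailing blank lines at the end of the file can be dropped.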
@@ -0,0 +1,264 @@ +module BitVec.Intrinsics.Constants + +open Core +open Rust_primitives +open FStar.Mul +open FStar.FunctionalExtensionality +open BitVec.Utils +open BitVec.Equality + +let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) + : bit_vec 256 + = mk_bv (fun i -> + let offset = i % 16 in + match i / 16 with + | 0 -> get_bit x15 (sz offset) + | 1 -> get_bit x14 (sz offset) + | 2 -> get_bit x13 (sz offset) + | 3 -> get_bit x12 (sz offset) + | 4 -> get_bit x11 (sz offset) + | 5 -> get_bit x10 (sz offset) + | 6 -> get_bit x9 (sz offset) + | 7 -> get_bit x8 (sz offset) + | 8 -> get_bit x7 (sz offset) + | 9 -> get_bit x6 (sz offset) + | 10 -> get_bit x5 (sz offset) + | 11 -> get_bit x4 (sz offset) + | 12 -> get_bit x3 (sz offset) + | 13 -> get_bit x2 (sz offset) + | 14 -> get_bit x1 (sz offset) + | 15 -> get_bit x0 (sz offset) + ) + +let madd_rhs (n: nat {n < 16}) = + mm256_set_epi16 + (1s < bit_vec 256 = admit () + +open Tactics.Utils + +open FStar.Tactics + +(** Unifies `t` with `fn x1 ... xN`, where `x1` and `xN` are +unification variables. This returns a list of terms to substitute `x1` +... `xN` with. *) +let unify_app (t fn: term) norm_steps: Tac (option (list term)) + = let bds = fst (collect_arr_bs (tc (cur_env ()) fn)) in + let _fake_goal = + (* create a goal `b1 -> ... 
-> bn -> squash True` *) + let trivial = pack_comp (C_Total (`squash True)) in + unshelve (fresh_uvar (Some (mk_arr bds trivial))) + in + (* get back the binders `b1`, ..., `bn` *) + let bds = intros () in + let args = map (fun (b: binder) -> b <: term) bds in + let norm_term = norm_term (hnf::norm_steps) in + let fn, t = norm_term (mk_e_app fn args), norm_term t in + let vars = map (fun b -> + let b = inspect_binder b in + let {bv_index = uniq; bv_ppname = ppname} = inspect_bv b.binder_bv in + let nv: namedv_view = {uniq; ppname; sort = seal (`_)} in + (FStar.Reflection.V2.pack_namedv nv, b.binder_sort) + ) bds in + let?# substs = fst (try_unify (cur_env ()) vars fn t) in + if List.Tot.length substs <> List.Tot.length bds + then fail "unify_app: inconsistent lengths"; + (* solve the trivial goal introduced at the begining *) + trivial (); + Some (List.Tot.rev (map (fun (_, t) -> t) substs)) + +irreducible let add (x y: int): int = x + y + +let f (a b c d: int): int = add (add (add a b) c) d + +// #push-options "--print_full_names --print_implicits --print_bound_var_types" +let _ = assert true by ( + let r = + unify_app + (quote (f 1 2 3 4)) + (quote f) + [delta_only [`%f]] + in + let s = term_to_string (quote r) + in + print s + ) + +let test x y (#[( + let n = fresh_namedv () in + let y = quote y in + let y' = `(madd_rhs (`#n)) in + let n = FStar.Reflection.V2.pack_namedv n in + let t = match try_unify (cur_env ()) [(n,`(n: nat {n < 16}))] y y' with + | (Some [v, t'], _) -> + `(stupid (`#t')) + | _ -> `(stupid (`#y)) in + exact t +)]f: bit_vec 256 -> bit_vec 256) = f x + +let xx = fun x -> test x (madd_rhs 12) + +irreducible let vec256_to_i16s (bv: bit_vec 256) + : (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) + & (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) + = admit () + +irreducible let rw_vec256_to_i16_ints + (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) + : Lemma ( + vec256_to_i16s (mm256_set_epi16 x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 
x12 x13 x14 x15) + == ((x0, x1, x2, x3, x4, x5, x6, x7), (x8, x9, x10, x11, x12, x13, x14, x15)) + ) = admit () + +let madd_rhs (n: nat {n < 16}) = + mm256_set_epi16 + (1s <= 1 + && v x0 = v x2 && v x0 = v x4 && v x0 = v x6 && v x0 = v x8 + && v x0 = v x10 && v x0 = v x12 && v x0 = v x14 + && v x1 = 1 && v x3 = 1 && v x5 = 1 && v x7 = 1 + && v x9 = 1 && v x11= 1 && v x13= 1 && v x15= 1 + then match Tactics.Pow2.log2 (v x0 <: nat) with + | Some coef -> + if coef < 16 + then ( + assert (v ((1s < None + else None +#pop-options + +open FStar.Tactics.V2 +[@@FStar.Tactics.V2.postprocess_with (fun _ -> + compute (); + Tactics.Seq.norm_index (); + compute (); + fail "x" +)] +let aa = + let n = 12 in + let tuple = ( + ( (1s < n | None -> 0 in + x + +open Tactics.Utils +open FStar.Tactics.V2 +module Visit = FStar.Tactics.Visit + +let rec any (f: 'a -> bool) (l: list 'a): bool + = match l with + | [] -> false + | hd::tl -> if f hd + then true + else any f tl + +exception FoundFreeLocalVar +let is_closed_term (x: term): Tac bool + = try + let _ = FStar.Tactics.Visit.visit_tm ( + function + | Tv_Var _ | Tv_BVar _ -> raise FoundFreeLocalVar + | x -> x + ) x + in true + with | FoundFreeLocalVar -> false + | e -> raise e + +let rw_mm256_set_epi16 t = + let?# (f, [arg,_]) = expect_app_n t 1 in + let?# _ = expect_free_var f (`%vec256_to_i16_ints) in + let?? 
_ = is_closed_term arg in + let?# (f, args) = expect_app_n arg 16 in + let?# _ = expect_free_var f (`%mm256_set_epi16) in + pointwise' (fun _ -> + let _ = let?# (lhs, _, _) = expect_lhs_eq_rhs () in + Some (if any (fun (arg, _) -> term_eq lhs arg) args + then norm [primops; iota; delta; zeta_full] + else ()) + in trefl () + ); + Some () + +let rec expect_madd_rhs' (bv: bit_vec 256) (n:nat {n < 16}) + : result: option (n: nat {n < 16}) { match result with + | Some n -> bv == madd_rhs n + | _ -> True + } + = if bv_equality bv (madd_rhs n) + then ( bv_equality_elim bv (madd_rhs n); + Some n ) + else if n = 0 then None + else expect_madd_rhs' bv (n - 1) + +irreducible let expect_madd_rhs (bv: bit_vec 256): option (n: nat {n < 16}) + = expect_madd_rhs' bv 15 + +// let rewrite_expect_madd_rhs +// (bv: bit_vec 256) (n: nat {n < 16}) +// : Lemma (requires bv == madd_rhs n) +// (ensures ) +// = () + diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst new file mode 100644 index 000000000..0c60d6587 --- /dev/null +++ b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.TestShuffle.fst 
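Review bot: `vec256_to_i16s` and `rw_vec256_to_i16_ints` are defined with `= admit ()`, so any development that rewrites with `rw_vec256_to_i16_ints` inherits an unproved assumption from a helper library; if these are meant as trusted axioms, declare them as `assume val` with a comment naming the trust assumption, otherwise mark them `// TODO(proof): discharge admit` so they are not mistaken for verified lemmas. The module also carries debugging residue: the `postprocess_with` tactic on `aa` ends in `fail "x"`, which appears to abort checking of the module, the anonymous `let _ = assert true by (...)` only calls `print s`, and the commented-out `rewrite_expect_madd_rhs` at the end adds noise. `let madd_rhs (n: nat {n < 16})` appears twice at top level, which F* rejects as a duplicate definition unless the second occurrence belongs to text not legible in this rendering of the hunk.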
@@ -0,0 +1,203 @@ +module BitVec.Intrinsics.TestShuffle + +open Rust_primitives +open FStar.Mul +open BitVec.Utils +open BitVec.Intrinsics + +assume val stuck: #a:Type -> #b:Type -> a -> b + +let index64 l (i: nat {i < List.Tot.length l}) = + match l with + | [x0;x1;x2;x3] -> + (match i with + | 0 -> x0 | 1 -> x1 | 2 -> x2 | 3 -> x3) + | [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31;x32;x33;x34;x35;x36;x37;x38;x39;x40;x41;x42;x43;x44;x45;x46;x47;x48;x49;x50;x51;x52;x53;x54;x55;x56;x57;x58;x59;x60;x61;x62;x63] -> + (match i with + | 0 -> x0 | 1 -> x1 | 2 -> x2 | 3 -> x3 | 4 -> x4 | 5 -> x5 | 6 -> x6 | 7 -> x7 | 8 -> x8 | 9 -> x9 | 10 -> x10 | 11 -> x11 | 12 -> x12 | 13 -> x13 | 14 -> x14 | 15 -> x15 + | 16 -> x16 | 17 -> x17 | 18 -> x18 | 19 -> x19 | 20 -> x20 | 21 -> x21 | 22 -> x22 | 23 -> x23 | 24 -> x24 | 25 -> x25 | 26 -> x26 | 27 -> x27 | 28 -> x28 | 29 -> x29 | 30 -> x30 | 31 -> x31 + | 32 -> x32 | 33 -> x33 | 34 -> x34 | 35 -> x35 | 36 -> x36 | 37 -> x37 | 38 -> x38 | 39 -> x39 | 40 -> x40 | 41 -> x41 | 42 -> x42 | 43 -> x43 | 44 -> x44 | 45 -> x45 | 46 -> x46 | 47 -> x47 + | 48 -> x48 | 49 -> x49 | 50 -> x50 | 51 -> x51 | 52 -> x52 | 53 -> x53 | 54 -> x54 | 55 -> x55 | 56 -> x56 | 57 -> x57 | 58 -> x58 | 59 -> x59 | 60 -> x60 | 61 -> x61 | 62 -> x62 | 63 -> x63) + | _ -> stuck "index" + +assume val nth: list bit -> nat -> bit + +let bv_of_list_list (n: pos) (l: list (l: list bit {List.Tot.length l == n})): bit_vec (List.Tot.length l * n) + = mk_bv (fun i -> nth (index64 l (i / n)) (i % n)) + +let z: l: list bit {List.Tot.length l == 4} = [0;0;0;0] + +type result #t0 #t1 #t2 #t3 #t4 = { + vector: t0; + adjacent_2_combined: t1; + adjacent_8_combined: t2; + combined': t3; + combined: t4; + } + +// /// We view `x` as a sequence of pairs of 16 bits, of the shape +// /// `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`: only the last `n` bits are non-zero. 
+// /// We output a sequence of 32 bits `0b0…0b₁…bₙa₁…aₙ`. +// let mm256_madd_epi16_specialized' (x: bit_vec 256) (n: nat {n < 16}): bit_vec 256 = +// mk_bv (fun i -> let j = i % 32 in +// // `x i` is the `j`th bit in the `i/32`th pair of 16 bits `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` +// // we want to construct the `j`th bit of `0b0…0b₁…bₙa₁…aₙ` +// let is_zero = +// // `|b₁…bₙa₁…aₙ| = n * 2`: if we're above that, we want to produce the bit `0` +// j >= n * 2 +// in +// if is_zero +// then 0 +// else if j < n +// then x i // we want to produce the bit `aⱼ` +// else +// // the bit from `b` is in the second item of the pair `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` +// x (i - n + 16) +// ) + +// let mm256_permutevar8x32_epi32_i32 (a: bit_vec 256) (b: list _ {List.Tot.length b == 8}): bit_vec 256 = +// mk_bv (fun i -> +// let j = i / 32 in +// let index = (List.Tot.index b (7 - j) % 8) * 32 in +// a (index + i % 32)) + +let serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + mm256_madd_epi16_specialized' vector 4 + // Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector + // (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < bit) = [f 0;f 1;f 2;f 3;f 4;f 5;f 6;f 7;f 8;f 9;f 10;f 11;f 12;f 13;f 14;f 15;f 16;f 17;f 18;f 19;f 20;f 21;f 22;f 23;f 24;f 25;f 26;f 27;f 28;f 29;f 30;f 31;f 32;f 33;f 34;f 35;f 36;f 37;f 38;f 39;f 40;f 41;f 42;f 43;f 44;f 45;f 46;f 47;f 48;f 49;f 50;f 51;f 52;f 53;f 54;f 55;f 56;f 57;f 58;f 59;f 60;f 61;f 62;f 63;f 64;f 65;f 66;f 67;f 68;f 69;f 70;f 71;f 72;f 73;f 74;f 75;f 76;f 77;f 78;f 79;f 80;f 81;f 82;f 83;f 84;f 85;f 86;f 87;f 88;f 89;f 90;f 91;f 92;f 93;f 94;f 95;f 96;f 97;f 98;f 99;f 100;f 101;f 102;f 103;f 104;f 105;f 106;f 107;f 108;f 109;f 110;f 111;f 112;f 113;f 114;f 115;f 116;f 117;f 118;f 119;f 120;f 121;f 122;f 123;f 124;f 125;f 126;f 127;f 128;f 129;f 130;f 131;f 132;f 133;f 134;f 
135;f 136;f 137;f 138;f 139;f 140;f 141;f 142;f 143;f 144;f 145;f 146;f 147;f 148;f 149;f 150;f 151;f 152;f 153;f 154;f 155;f 156;f 157;f 158;f 159;f 160;f 161;f 162;f 163;f 164;f 165;f 166;f 167;f 168;f 169;f 170;f 171;f 172;f 173;f 174;f 175;f 176;f 177;f 178;f 179;f 180;f 181;f 182;f 183;f 184;f 185;f 186;f 187;f 188;f 189;f 190;f 191;f 192;f 193;f 194;f 195;f 196;f 197;f 198;f 199;f 200;f 201;f 202;f 203;f 204;f 205;f 206;f 207;f 208;f 209;f 210;f 211;f 212;f 213;f 214;f 215;f 216;f 217;f 218;f 219;f 220;f 221;f 222;f 223;f 224;f 225;f 226;f 227;f 228;f 229;f 230;f 231;f 232;f 233;f 234;f 235;f 236;f 237;f 238;f 239;f 240;f 241;f 242;f 243;f 244;f 245;f 246;f 247;f 248;f 249;f 250;f 251;f 252;f 253;f 254;f 255] +let map128 (f: (i: nat {i < 128}) -> bit) = [f 0;f 1;f 2;f 3;f 4;f 5;f 6;f 7;f 8;f 9;f 10;f 11;f 12;f 13;f 14;f 15;f 16;f 17;f 18;f 19;f 20;f 21;f 22;f 23;f 24;f 25;f 26;f 27;f 28;f 29;f 30;f 31;f 32;f 33;f 34;f 35;f 36;f 37;f 38;f 39;f 40;f 41;f 42;f 43;f 44;f 45;f 46;f 47;f 48;f 49;f 50;f 51;f 52;f 53;f 54;f 55;f 56;f 57;f 58;f 59;f 60;f 61;f 62;f 63;f 64;f 65;f 66;f 67;f 68;f 69;f 70;f 71;f 72;f 73;f 74;f 75;f 76;f 77;f 78;f 79;f 80;f 81;f 82;f 83;f 84;f 85;f 86;f 87;f 88;f 89;f 90;f 91;f 92;f 93;f 94;f 95;f 96;f 97;f 98;f 99;f 100;f 101;f 102;f 103;f 104;f 105;f 106;f 107;f 108;f 109;f 110;f 111;f 112;f 113;f 114;f 115;f 116;f 117;f 118;f 119;f 120;f 121;f 122;f 123;f 124;f 125;f 126;f 127] + +let test (a b c d e f g h i j k l m n o p: (l: list bit {List.Tot.length l == 4})) = + let input = bv_of_list_list 4 [ + a;z;z;z; b;z;z;z; c;z;z;z; d;z;z;z; + e;z;z;z; f;z;z;z; g;z;z;z; h;z;z;z; + i;z;z;z; j;z;z;z; k;z;z;z; l;z;z;z; + m;z;z;z; n;z;z;z; o;z;z;z; p;z;z;z; + + // z;z;z;a; z;z;z;b; z;z;z;c; z;z;z;d; + // z;z;z;e; z;z;z;f; z;z;z;g; z;z;z;h; + // z;z;z;i; z;z;z;j; z;z;z;k; z;z;z;l; + // z;z;z;m; z;z;z;n; z;z;z;o; z;z;z;p; + ] in + serialize_4_ input + + +// let xx a b c d e f g h i j k l m n o p = +// Pervasives.norm [iota; primops; zeta_full; 
delta] ( +// Pervasives.norm [iota; primops; zeta; delta] ( +// let {vector; adjacent_2_combined; adjacent_8_combined; combined'; combined} = test a b c d e f g h i j k l m n o p in +// let vector = map256 (fun (idx: nat{idx < 256}) -> vector idx) in +// let adjacent_2_combined = map256 (fun (idx: nat{idx < 256}) -> adjacent_2_combined idx) in +// let adjacent_8_combined = map256 (fun (idx: nat{idx < 256}) -> adjacent_8_combined idx) in +// let combined' = map256 (fun (idx: nat{idx < 256}) -> combined' idx) in +// let combined = map128 (fun (idx: nat{idx < 128}) -> combined idx) in +// // map128 (fun (idx: nat {idx < 128}) -> test a b c d e f g h i j k l m n o p idx) +// {vector; adjacent_2_combined; adjacent_8_combined; combined'; combined} +// // (vector, adjacent_2_combined) +// ) +// ) + + + +open FStar.Tactics.V2 +open Tactics.Utils + + +open Libcrux_intrinsics.Avx2_extract {t_Vec256, t_Vec128} +// open BitVec.Intrinsics { + +// } + +#push-options "--compat_pre_core 0" +let serialize_4__ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = + let serialized:t_Array u8 (sz 16) = Rust_primitives.Hax.repeat 0uy (sz 16) in + let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + BitVec.Intrinsics.mm256_madd_epi16 vector + (BitVec.Intrinsics.mm256_set_epi16 (1s < i % 16 < 4 || vector i = 0)); + assert (forall (i: nat {i < 64}). 
+ // let local_i = i / 4 in + combined i == vector ((i / 4) * 16 + i % 4) + ) by ( + // unfold wrappers + norm [primops; iota; zeta; delta_namespace [ + `%BitVec.Intrinsics.mm256_shuffle_epi8; + `%BitVec.Intrinsics.mm256_permutevar8x32_epi32; + `%BitVec.Intrinsics.mm256_madd_epi16; + `%BitVec.Intrinsics.mm256_castsi256_si128; + "BitVec.Utils"; + ]]; + Tactics.Utils.prove_forall_nat_pointwise (Tactics.Utils.print_time "SMT query succeeded in " (fun _ -> + let reduce t = + norm [primops; iota; zeta_full; delta_namespace [ + "FStar.FunctionalExtensionality"; + t; + `%BitVec.Utils.mk_bv; + `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) + ]]; + norm [primops; iota; zeta_full; delta_namespace [ + "FStar.List.Tot"; `%( + ); `%op_Subtraction; `%( / ); `%( * ); `%( % ) + ]] + in + reduce (`%BitVec.Intrinsics.mm256_permutevar8x32_epi32_i32); + reduce (`%BitVec.Intrinsics.mm256_shuffle_epi8_i8); + reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized); + grewrite (quote (forall_bool #256 (fun i -> i % 16 < 4 || op_Equality #int (vector i) 0))) (`true); + flip (); smt (); + reduce (`%BitVec.Intrinsics.mm256_madd_epi16_specialized'); + // focus (fun _ -> dump' "Goal!!"); + trivial () + )) + ); + combined diff --git a/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti new file mode 100644 index 000000000..a101013a6 --- /dev/null +++ b/fstar-helpers/fstar-bitvec/BitVec.Intrinsics.fsti 
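Review bot: `assume val stuck: #a:Type -> #b:Type -> a -> b` postulates a total function from every type into every type, so `stuck #unit #False ()` is a well-typed closed term of type `False` and any assertion in this module — including the `assert (forall (i: nat {i < 64}). combined i == vector ((i / 4) * 16 + i % 4))` discharged by the tactic in `serialize_4__` — can be established through it rather than through the bit-vector reasoning; I have not checked whether the SMT encoding also exploits the axiom, but it is unsound at the typing level either way. Its only use is the catch-all arm of `index64`, whose argument already carries `i < List.Tot.length l`, so the arm can be made total without any axiom: `| _ -> List.Tot.index l i`, after which the `assume val stuck` line can be removed. `assume val nth: list bit -> nat -> bit` is harmless as an opaque symbol but leaves `bv_of_list_list` with no computable meaning; if it is intended as a stand-in for `List.Tot.index`, a comment saying why it is kept abstract would help.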
@@ -0,0 +1,425 @@ +module BitVec.Intrinsics + +open Core +open Rust_primitives +open FStar.Mul +open BitVec.Utils +open BitVec.Equality +open Tactics.Utils + +(*** The intrinsics *) +let mm256_slli_epi16 (shift: i32 {v shift >= 0 /\ v shift <= 16}) (vec: bit_vec 256): bit_vec 256 + = mk_bv (fun i -> let nth_bit = i % 16 in + if nth_bit >= v shift then vec (i - v shift) else 0) + +let mm256_srli_epi16 (shift: i32 {v shift >= 0 /\ v shift <= 16}) (vec: bit_vec 256): bit_vec 256 + = mk_bv (fun i -> let nth_bit = i % 16 in + if nth_bit < 16 - v shift then vec (i + v shift) else 0) + +let mm256_srli_epi64 (shift: i32 {v shift >= 0 /\ v shift <= 64}) (vec: bit_vec 256): bit_vec 256 + = mk_bv (fun i -> let nth_bit = i % 64 in + if nth_bit < 64 - v shift then vec (i + v shift) else 0) + +let mm256_castsi256_si128 (vec: bit_vec 256): bit_vec 128 + = mk_bv (fun i -> vec i) +let mm256_extracti128_si256 (control: i32{control == 1l}) (vec: bit_vec 256): bit_vec 128 + = mk_bv (fun i -> vec (i + 128)) + +let mm256_si256_from_two_si128 (lower upper: bit_vec 128): bit_vec 256 + = mk_bv (fun i -> if i < 128 then lower i else upper (i - 128)) + +let mm_loadu_si128 (bytes: t_Array u8 (sz 16)): bit_vec 128 + = mk_bv (fun i -> get_bit (Seq.index bytes (i / 8)) (sz (i % 8))) + +let mm256_set_epi32 (x0 x1 x2 x3 x4 x5 x6 x7: i32) + : bit_vec 256 + = mk_bv (fun i -> + let h (x: i32) = get_bit x (sz (i % 32)) in + match i / 32 with + | 0 -> h x7 | 1 -> h x6 | 2 -> h x5 | 3 -> h x4 + | 4 -> h x3 | 5 -> h x2 | 6 -> h x1 | 7 -> h x0) + +let mm256_set_epi16 (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: i16) + : bit_vec 256 + = mk_bv (fun i -> + let h (x: i16) = get_bit x (sz (i % 16)) in + match i / 16 with + | 0 -> h x15 | 1 -> h x14 | 2 -> h x13 | 3 -> h x12 + | 4 -> h x11 | 5 -> h x10 | 6 -> h x9 | 7 -> h x8 + | 8 -> h x7 | 9 -> h x6 | 10 -> h x5 | 11 -> h x4 + | 12 -> h x3 | 13 -> h x2 | 14 -> h x1 | 15 -> h x0 + ) + +let mm_set_epi8 + (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 
x14 x15: u8) + : bit_vec 128 + = mk_bv (fun i -> + let h (x: u8) = get_bit x (sz (i % 8)) in + match i / 8 with + | 0 -> h x15 | 1 -> h x14 | 2 -> h x13 | 3 -> h x12 + | 4 -> h x11 | 5 -> h x10 | 6 -> h x9 | 7 -> h x8 + | 8 -> h x7 | 9 -> h x6 | 10 -> h x5 | 11 -> h x4 + | 12 -> h x3 | 13 -> h x2 | 14 -> h x1 | 15 -> h x0 + ) + +let mm256_set_epi8 + (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31: i8) + : bit_vec 256 + = mk_bv (fun i -> + let h (x: i8) = get_bit x (sz (i % 8)) in + match i / 8 with + | 0 -> h x31 | 1 -> h x30 | 2 -> h x29 | 3 -> h x28 + | 4 -> h x27 | 5 -> h x26 | 6 -> h x25 | 7 -> h x24 + | 8 -> h x23 | 9 -> h x22 | 10 -> h x21 | 11 -> h x20 + | 12 -> h x19 | 13 -> h x18 | 14 -> h x17 | 15 -> h x16 + | 16 -> h x15 | 17 -> h x14 | 18 -> h x13 | 19 -> h x12 + | 20 -> h x11 | 21 -> h x10 | 22 -> h x9 | 23 -> h x8 + | 24 -> h x7 | 25 -> h x6 | 26 -> h x5 | 27 -> h x4 + | 28 -> h x3 | 29 -> h x2 | 30 -> h x1 | 31 -> h x0 + ) + +val mm256_set1_epi16_no_semantics: i16 -> bit_vec 256 +let mm256_set1_epi16_pow2_minus_one (n: nat): bit_vec 256 + = mk_bv (fun i -> if i % 16 < n then 1 else 0) + +let mm256_and_si256 (x y: bit_vec 256): bit_vec 256 + = mk_bv (fun i -> if y i = 0 then 0 else x i) + +let mm256_set1_epi16 (constant: i16) + (#[Tactics.exact (match unify_app (quote constant) (quote (fun n -> ((1s < `(mm256_set1_epi16_pow2_minus_one (`#x)) + | _ -> (quote (mm256_set1_epi16_no_semantics constant)) + )]result: bit_vec 256) + : bit_vec 256 = result + +private let saturate8 (v: bit_vec 16): bit_vec 8 + = let on_upper_bits (+) (f: (n:nat{n >= 8 && n <= 15}) -> _) + = f 8 + f 9 + f 10 + f 11 + f 12 + f 13 + f 14 + f 15 + in + let any1 = on_upper_bits ( || ) (fun i -> v i = 1) in + let all1 = on_upper_bits ( && ) (fun i -> v i = 1) in + let negative = v 15 = 1 in + mk_bv (fun i -> + let last_bit = i = 7 in + if negative + then if last_bit + then 1 + else if all1 + then v i + else 0 + 
else if any1 + then if last_bit + then 0 + else 1 + else v i + ) + +let mm_movemask_epi8_bv (a: bit_vec 128): bit_vec 128 + = mk_bv (fun j -> + if j < 16 + then a ((j * 8) + 7) + else 0 + ) + +let mm_movemask_epi8 (a: bit_vec 128): i32 + = bit_vec_to_int_t 32 (mk_bv (fun i -> mm_movemask_epi8_bv a i)) + +let mm_packs_epi16 (a b: bit_vec 128): bit_vec 128 + = mk_bv (fun i -> + let nth_block = i / 8 in + let offset8 = nth_block * 8 in + let offset16' = nth_block * 16 in + let offset16 = offset16' % 128 in + let vec: bit_vec 128 = if offset16' < 128 then a else b in + saturate8 (mk_bv (fun j -> vec (offset16 + j))) (i - offset8) + ) + + + +// This is a very specialized version of mm256_mullo_epi16 +let mm256_mullo_epi16_specialized1 (a: bit_vec 256): bit_vec 256 = + mk_bv (fun i -> + let nth_bit = i % 16 in + let nth_i16 = i / 16 in + let shift = if nth_i16 >= 8 then 23 - nth_i16 else 15 - nth_i16 in + if nth_bit >= shift then a (i - shift) else 0 + ) + +// This is a very specialized version of mm256_mullo_epi16 +let mm256_mullo_epi16_specialized2 (a: bit_vec 256): bit_vec 256 = + mk_bv (fun i -> + let nth_bit = i % 16 in + let nth_i16 = i / 16 in + let shift = if nth_i16 % 2 = 0 then 4 else 0 in + if nth_bit >= shift then a (i - shift) else 0 + ) + +// This is a very specialized version of mm256_mullo_epi16 +let mm256_mullo_epi16_specialized3 (a: bit_vec 256): bit_vec 256 = + mk_bv (fun i -> + let nth_bit = i % 16 in + let nth_i16 = i / 16 in + let shift = 6 - (nth_i16 % 4) * 2 in + if nth_bit >= shift then a (i - shift) else 0 + ) + +// This term will be stuck, we don't know anything about it +val mm256_mullo_epi16_no_semantics (a count: bit_vec 256): bit_vec 256 + +open FStar.Tactics.V2 + + + +let mm256_mullo_epi16 + (a count: bit_vec 256) + (#[( + if match unify_app (quote count) (quote (fun x -> mm256_set_epi16 (1s < unquote x = 1s + | _ -> false + then Tactics.exact (quote (mm256_mullo_epi16_specialized1 a)) + else if match unify_app (quote count) (quote (fun x 
-> mm256_set_epi16 (1s < unquote x = 1s + | _ -> false + then Tactics.exact (quote (mm256_mullo_epi16_specialized2 a)) + else + if match unify_app (quote count) (quote (fun x -> mm256_set_epi16 (1s < unquote x = 1s + | _ -> false + then Tactics.exact (quote (mm256_mullo_epi16_specialized3 a)) + else + Tactics.exact (quote (mm256_mullo_epi16_no_semantics a count)) + )]result: bit_vec 256): bit_vec 256 = result + +let madd_rhs (n: nat {n < 16}) = + mm256_set_epi16 + (1s < bit_vec 256 -> bit_vec 256 + +let forall_bool (#max: pos) (f: (n: nat {n < max}) -> bool) + : r:bool {r <==> (forall i. f i)} + = let rec h (n: nat {n <= max}): r:bool {r <==> (forall i. i < n ==> f i)} = + match n with + | 0 -> true + | _ -> f (n - 1) && h (n - 1) + in h max + +/// We view `x` as a sequence of pairs of 16 bits, of the shape +/// `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)`: only the last `n` bits are non-zero. +/// We output a sequence of 32 bits `0b0…0b₁…bₙa₁…aₙ`. +let mm256_madd_epi16_specialized' (x: bit_vec 256) (n: nat {n < 16}): bit_vec 256 = + mk_bv (fun i -> let j = i % 32 in + // `x i` is the `j`th bit in the `i/32`th pair of 16 bits `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` + // we want to construct the `j`th bit of `0b0…0b₁…bₙa₁…aₙ` + let is_zero = + // `|b₁…bₙa₁…aₙ| = n * 2`: if we're above that, we want to produce the bit `0` + j >= n * 2 + in + if is_zero + then 0 + else if j < n + then x i // we want to produce the bit `aⱼ` + else + // the bit from `b` is in the second item of the pair `(0b0…0a₁…aₙ, 0b0…0b₁…bₙ)` + x (i - n + 16) + ) + +let mm256_concat_pairs_n + (n: u8 {v n < 16}) + (x: bit_vec 256 {forall (i: nat {i < 256}). 
i % 16 < v n || x i = 0}) = + mm256_madd_epi16_specialized' x (v n) + +let mm256_madd_epi16_specialized (x: bit_vec 256) (n: nat {n < 16}) = + if forall_bool (fun (i: nat {i < 256}) -> i % 16 < n || x i = 0) + then mm256_madd_epi16_specialized' x n + else mm256_madd_epi16_no_semantic x (madd_rhs n) + +val mm_shuffle_epi8_no_semantics (a b: bit_vec 128): bit_vec 128 +let mm_shuffle_epi8_u8 (a: bit_vec 128) (b: list int {List.Tot.length b == 16}): bit_vec 128 = + mk_bv (fun i -> + let nth = i / 8 in + let index = List.Tot.index b (15 - nth) in + if index < 0 then 0 + else let index = index % 16 in + a (index * 8 + i % 8 + i / 128 * 128)) + +let mm_shuffle_epi8 + (x y: bit_vec 128) + (#[( + let t = match unify_app (quote y) + (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 -> + mm_set_epi8 + (UInt8.uint_to_t x0 ) (UInt8.uint_to_t x1 ) (UInt8.uint_to_t x2 ) (UInt8.uint_to_t x3 ) (UInt8.uint_to_t x4 ) (UInt8.uint_to_t x5 ) (UInt8.uint_to_t x6 ) (UInt8.uint_to_t x7 ) + (UInt8.uint_to_t x8 ) (UInt8.uint_to_t x9 ) (UInt8.uint_to_t x10) (UInt8.uint_to_t x11) (UInt8.uint_to_t x12) (UInt8.uint_to_t x13) (UInt8.uint_to_t x14) (UInt8.uint_to_t x15))) [] with + | Some [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15] -> + `(mm_shuffle_epi8_u8 (`@x) + (mk_list_16 + (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ) + (`#x8 ) (`#x9 ) (`#x10) (`#x11) (`#x12) (`#x13) (`#x14) (`#x15))) + | _ -> quote (mm_shuffle_epi8_no_semantics x y) in + exact t + )]result: bit_vec 128) + : bit_vec 128 + = result + +val mm256_shuffle_epi8_no_semantics (a b: bit_vec 256): bit_vec 256 +let mm256_shuffle_epi8_i8 (a: bit_vec 256) (b: list _ {List.Tot.length b == 32}): bit_vec 256 = + mk_bv (fun i -> + let nth = i / 8 in + let index = List.Tot.index b (31 - nth) in + if index < 0 then 0 + else let index = index % 16 in + a (index * 8 + i % 8 + i / 128 * 128)) + +let mm256_shuffle_epi8 + (x y: bit_vec 256) + (#[( + let t = match unify_app (quote y) + (quote (fun x0 x1 
x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31 -> + mm256_set_epi8 + (Int8.int_to_t x0 ) (Int8.int_to_t x1 ) (Int8.int_to_t x2 ) (Int8.int_to_t x3 ) (Int8.int_to_t x4 ) (Int8.int_to_t x5 ) (Int8.int_to_t x6 ) (Int8.int_to_t x7 ) + (Int8.int_to_t x8 ) (Int8.int_to_t x9 ) (Int8.int_to_t x10) (Int8.int_to_t x11) (Int8.int_to_t x12) (Int8.int_to_t x13) (Int8.int_to_t x14) (Int8.int_to_t x15) + (Int8.int_to_t x16) (Int8.int_to_t x17) (Int8.int_to_t x18) (Int8.int_to_t x19) (Int8.int_to_t x20) (Int8.int_to_t x21) (Int8.int_to_t x22) (Int8.int_to_t x23) + (Int8.int_to_t x24) (Int8.int_to_t x25) (Int8.int_to_t x26) (Int8.int_to_t x27) (Int8.int_to_t x28) (Int8.int_to_t x29) (Int8.int_to_t x30) (Int8.int_to_t x31))) [] with + | Some [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31] -> + `(mm256_shuffle_epi8_i8 (`@x) + (mk_list_32 + (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ) + (`#x8 ) (`#x9 ) (`#x10) (`#x11) (`#x12) (`#x13) (`#x14) (`#x15) + (`#x16) (`#x17) (`#x18) (`#x19) (`#x20) (`#x21) (`#x22) (`#x23) + (`#x24) (`#x25) (`#x26) (`#x27) (`#x28) (`#x29) (`#x30) (`#x31))) + | _ -> quote (mm256_shuffle_epi8_no_semantics x y) in + exact t + )]result: bit_vec 256) + : bit_vec 256 + = result + +val mm256_permutevar8x32_epi32_no_semantics (a b: bit_vec 256): bit_vec 256 +let mm256_permutevar8x32_epi32_i32 (a: bit_vec 256) (b: list _ {List.Tot.length b == 8}): bit_vec 256 = + mk_bv (fun i -> + let j = i / 32 in + let index = (List.Tot.index b (7 - j) % 8) * 32 in + a (index + i % 32)) + +let mm256_permutevar8x32_epi32 + (x y: bit_vec 256) + (#[( + let t = match unify_app (quote y) + (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 -> + mm256_set_epi32 + (Int32.int_to_t x0) (Int32.int_to_t x1) (Int32.int_to_t x2) (Int32.int_to_t x3) + (Int32.int_to_t x4) (Int32.int_to_t x5) (Int32.int_to_t x6) (Int32.int_to_t x7))) [] with + | Some 
[x0;x1;x2;x3;x4;x5;x6;x7] -> + `(mm256_permutevar8x32_epi32_i32 (`@x) + (mk_list_8 (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ))) + | _ -> quote (mm256_permutevar8x32_epi32_no_semantics x y) in + exact t + )]result: bit_vec 256) + : bit_vec 256 + = result + +val mm256_sllv_epi32_no_semantics (x y: bit_vec 256): bit_vec 256 +let mm256_sllv_epi32_i32 (vec: bit_vec 256) (counts: list _ {List.Tot.length counts == 8}): bit_vec 256 + = mk_bv (fun i -> let nth_bit = i % 32 in + let shift = List.Tot.index counts (7 - i / 32) in + if shift >= 0 && nth_bit >= shift then vec (i - shift) else 0) + +let mm256_sllv_epi32 + (x y: bit_vec 256) + (#[( + let t = match unify_app (quote y) + (quote (fun x0 x1 x2 x3 x4 x5 x6 x7 -> + mm256_set_epi32 + (Int32.int_to_t x0) (Int32.int_to_t x1) (Int32.int_to_t x2) (Int32.int_to_t x3) + (Int32.int_to_t x4) (Int32.int_to_t x5) (Int32.int_to_t x6) (Int32.int_to_t x7))) [] with + | Some [x0;x1;x2;x3;x4;x5;x6;x7] -> + `(mm256_sllv_epi32_i32 (`@x) + (mk_list_8 (`#x0 ) (`#x1 ) (`#x2 ) (`#x3 ) (`#x4 ) (`#x5 ) (`#x6 ) (`#x7 ))) + | _ -> quote (mm256_sllv_epi32_no_semantics x y) in + exact t + )]result: bit_vec 256) + : bit_vec 256 + = result + + +let mm256_madd_epi16 + (x y: bit_vec 256) + (#[( + let t = match unify_app (quote y) (quote (fun n -> madd_rhs n)) [delta_only [`%madd_rhs]] with + | Some [n] -> `(mm256_madd_epi16_specialized (`@x) (`#n)) + | _ -> quote (mm256_madd_epi16_no_semantic x y) in + exact t + )]result: bit_vec 256) + : bit_vec 256 + = result + +val mm_storeu_bytes_si128 (_output: t_Slice u8) (vec: bit_vec 128) + // : r: t_Array u8 (sz 16) {forall i. vec i == get_bit (Seq.index r (i / 8)) (sz (i % 8))} + : r: t_Array u8 (sz 16) {forall i. 
vec i == bit_vec_of_int_t_array r 8 i} + +open FStar.Stubs.Tactics.V2.Builtins +open FStar.Stubs.Tactics.V2 +open FStar.Tactics.V2.Derived +open FStar.Tactics.V2 + +let rec bv_to_string #len (bv: bit_vec len): string + = if len = 0 then "" + else string_of_int (bv (len - 1)) + ^ bv_to_string #(len - 1) (mk_bv (fun i -> bv i)) + +let bv_of_string #len (s: string): Tac (bit_vec len) + = let l = FStar.String.list_of_string s + |> filter (function ' ' | '\n' -> false | _ -> true) + |> map #_ #bit (function '1' -> 1 <: bit | '0' -> 0 | c -> fail ("expected 0 or 1, got [" ^ String.string_of_char c ^ "]")) in + if FStar.List.Tot.length l = len + then mk_bv (fun (i: nat {i < len}) -> List.Tot.index l i) + else fail ("expected a bv of length " ^ string_of_int len ^ ", got a bv of length " ^ string_of_int (FStar.List.Tot.length l)) + +let call_native_intrinsic' #ilen name raw_args (bitvecs: list (bit_vec ilen)) : Tac string = + let bitvecs = List.Tot.map bv_to_string bitvecs in + let args = List.Tot.append raw_args bitvecs in + let result = launch_process "bash" ("/tmp/run.sh"::name::args) "" in + print ("process stdout is [" ^ result ^ "]"); + FStar.String.list_of_string result + |> filter (function ' ' | '\n' -> false | _ -> true) + |> String.string_of_list + +let call_native_intrinsic #ilen olen name raw_args (bitvecs: list (bit_vec ilen)) : Tac (bit_vec olen) = + bv_of_string (call_native_intrinsic' #ilen name raw_args bitvecs) + +let random_bv len: Tac (bit_vec len) + = call_native_intrinsic #1 _ "rand" [string_of_int len] [] + +let tassert (x: bool): Tac unit + = if x then () else fail "tassert" + + +private let example: bit_vec 256 = mk_bv (fun i -> if i % 16 = 15 then 1 else 0) + +private let x = bv_to_string example +private let y = bv_to_string (mm256_srli_epi16 15l example) + diff --git a/fstar-helpers/fstar-bitvec/BitVec.Utils.fst b/fstar-helpers/fstar-bitvec/BitVec.Utils.fst new file mode 100644 index 000000000..3d2d19c98 --- /dev/null 
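Review bot: `call_native_intrinsic'` runs `launch_process "bash" ("/tmp/run.sh"::name::args) ""` from inside a tactic, so whatever file sits at `/tmp/run.sh` executes with the verifier's privileges every time a tactic such as `random_bv` fires; `/tmp` is shared and writable by every local user, and the script is not part of this commit, so the proof step depends on an unreviewed file outside the repository. Check the helper script in and reference it from a repository-relative location, e.g. `let result = launch_process "bash" (<repo-relative script path>::name::args) "" in`, and add a comment above the function stating that it spawns an external process so a reader of the interface knows verification here is not self-contained. The `print ("process stdout is [" ^ result ^ "]")` line looks like a debug leftover, as do the trailing `private let x` / `private let y` bindings at the end of the interface.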
+++ b/fstar-helpers/fstar-bitvec/BitVec.Utils.fst 
@@ -0,0 +1,67 @@ +module BitVec.Utils + +open Core +open FStar.FunctionalExtensionality +open BitVec.Equality +open Rust_primitives.BitVectors + +let mk_bv #len (f: (i:nat{i < len}) -> bit) = on (i:nat {i < len}) f + +let mk_list_32 #a (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15 x16 x17 x18 x19 x20 x21 x22 x23 x24 x25 x26 x27 x28 x29 x30 x31: a) + : (l:list a {List.Tot.length l == 32}) + = let l = [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15;x16;x17;x18;x19;x20;x21;x22;x23;x24;x25;x26;x27;x28;x29;x30;x31] in + assert_norm (List.Tot.length l == 32); + l + +let mk_list_16 #a (x0 x1 x2 x3 x4 x5 x6 x7 x8 x9 x10 x11 x12 x13 x14 x15: a) + : (l:list a {List.Tot.length l == 16}) + = let l = [x0;x1;x2;x3;x4;x5;x6;x7;x8;x9;x10;x11;x12;x13;x14;x15] in + assert_norm (List.Tot.length l == 16); + l + +let mk_list_8 #a (x0 x1 x2 x3 x4 x5 x6 x7: a) + : (l:list a {List.Tot.length l == 8}) + = let l = [x0;x1;x2;x3;x4;x5;x6;x7] in + assert_norm (List.Tot.length l == 8); + l + +let rw_get_bit_cast #t #u + (x: int_t t) (nth: usize) + : Lemma (requires v nth < bits u /\ v nth < bits u) + (ensures eq2 #bit (get_bit (cast_mod #t #u x) nth) (if v nth < bits t then get_bit x nth else 0)) + [SMTPat (get_bit (cast_mod #t #u x) nth)] + = () + +let rw_get_bit_shr #t #u (x: int_t t) (y: int_t u) (i: usize {v i < bits t}) + : Lemma (requires v y >= 0 /\ v y < bits t) + (ensures eq2 #bit (get_bit (x >>! y) i ) + (if v i < bits t - v y + then get_bit x (mk_int (v i + v y)) + else if signed t + then get_bit x (mk_int (bits t - 1)) + else 0)) + = () + +unfold type forall_sig (n: nat) = pred: ((i:nat{i < n}) -> bool) + -> r: bool {r <==> (forall i. 
pred i)} + +let forall8: forall_sig 8 = fun pred -> pred 0 && pred 1 && pred 2 && pred 3 + && pred 4 && pred 5 && pred 6 && pred 7 + +#push-options "--z3rlimit 400" +let forall16: forall_sig 16 = fun pred -> forall8 pred && forall8 (fun i -> pred (i + 8)) +let forall32: forall_sig 32 = fun pred -> forall16 pred && forall16 (fun i -> pred (i + 16)) +let forall64: forall_sig 64 = fun pred -> forall32 pred && forall32 (fun i -> pred (i + 32)) +let forall128: forall_sig 128 = fun pred -> forall64 pred && forall64 (fun i -> pred (i + 64)) +let forall256: forall_sig 256 = fun pred -> forall128 pred && forall128 (fun i -> pred (i + 128)) +#pop-options + +let forall_n (n:nat{n <= 256}): forall_sig n = fun pred -> forall256 (fun i -> if i < n then pred i else true) + +let bit_vec_to_int_t_lemma + #t (d: num_bits t) (bv: bit_vec d) + i + : Lemma (get_bit (bit_vec_to_int_t d bv) (sz i) == bv i) + [SMTPat (get_bit (bit_vec_to_int_t d bv) (sz i))] + = bit_vec_to_int_t_lemma d bv i + diff --git a/fstar-helpers/fstar-bitvec/BitVecEq.fst b/fstar-helpers/fstar-bitvec/BitVecEq.fst new file mode 100644 index 000000000..c89f2fe35 --- /dev/null +++ b/fstar-helpers/fstar-bitvec/BitVecEq.fst @@ -0,0 +1,12 @@ +module BitVecEq + +open Core +open FStar.Mul +open FStar.FunctionalExtensionality + +let bit_vec_equal #n bv1 bv2 = forall i. bv1 i == bv2 i + +let bit_vec_equal_intro bv1 bv2 = () +let bit_vec_equal_elim bv1 bv2 = assert (feq bv1 bv2) + + diff --git a/fstar-helpers/fstar-bitvec/BitVecEq.fsti b/fstar-helpers/fstar-bitvec/BitVecEq.fsti new file mode 100644 index 000000000..c370f28bf --- /dev/null +++ b/fstar-helpers/fstar-bitvec/BitVecEq.fsti 
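Review bot: The precondition of `rw_get_bit_cast` repeats the same conjunct, `requires v nth < bits u /\ v nth < bits u`; the `ensures` clause already handles `v nth >= bits t` by yielding `0`, so the duplicate carries no information and should be reduced to `(requires v nth < bits u)`. Separately, `bit_vec_to_int_t_lemma` is defined as `= bit_vec_to_int_t_lemma d bv i` without `rec`, which presumably resolves to the lemma of the same name brought in by `open Rust_primitives.BitVectors` rather than to itself; a one-line comment such as `// wrapper for Rust_primitives.BitVectors.bit_vec_to_int_t_lemma that attaches an SMT pattern` would save the next reader from mistaking it for a non-terminating definition.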
@@ -0,0 +1,293 @@ +module BitVecEq +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" +open Core +open FStar.Mul +open MkSeq +open FStar.FunctionalExtensionality + +val bit_vec_equal (#n: nat) (bv1 bv2: bit_vec n): Type0 +val bit_vec_equal_intro (#n: nat) (bv1 bv2: bit_vec n) + : Lemma (requires forall i. bv1 i == bv2 i) + (ensures bit_vec_equal bv1 bv2) +val bit_vec_equal_elim (#n: nat) (bv1 bv2: bit_vec n) + : Lemma (requires bit_vec_equal #n bv1 bv2) + (ensures bv1 == bv2) + [SMTPat (bit_vec_equal #n bv1 bv2)] + +let bit_vec_equal_intro_principle () + : Lemma (forall n (bv1 bv2: bit_vec n). (forall i. bv1 i == bv2 i) ==> bit_vec_equal #n bv1 bv2) + = introduce forall n (bv1 bv2: bit_vec n). _ + with introduce (forall i. bv1 i == bv2 i) ==> bit_vec_equal #n bv1 bv2 + with _. bit_vec_equal_intro #n bv1 bv2 + +let bit_vec_equal_elim_principle () + : Lemma (forall n (bv1 bv2: bit_vec n). bit_vec_equal #n bv1 bv2 ==> (forall i. bv1 i == bv2 i)) + = introduce forall n (bv1 bv2: bit_vec n). _ + with introduce bit_vec_equal #n bv1 bv2 ==> (forall i. bv1 i == bv2 i) + with _. bit_vec_equal_elim #n bv1 bv2 + +let bit_vec_equal_trivial (bv1 bv2: bit_vec 0): Lemma (bv1 == bv2) + [SMTPat (eq2 #(bit_vec 0) bv1 bv2)] + = bit_vec_equal_intro bv1 bv2 + +let bit_vec_sub #n (bv: bit_vec n) (start: nat) (len: nat {start + len <= n}) + : bit_vec len + = on (i: nat {i < len}) + (fun i -> bv (start + i)) + +let bit_vec_equal_trivial_sub_smtpat (bv1: bit_vec 'n) + : Lemma (forall (bv2: bit_vec 0). bit_vec_sub bv1 0 0 == bv2) + [SMTPat (bit_vec_sub bv1 0 0)] + = introduce forall (bv2: bit_vec 0). 
bit_vec_sub bv1 0 0 == bv2 + with bit_vec_equal_trivial (bit_vec_sub bv1 0 0) bv2 + +unfold let retype #a #b (#_:unit{a == b}) + (x: a): b + = x + +let bit_vec_sub_all_lemma #n (bv: bit_vec n) + : Lemma (bit_vec_sub bv 0 n == bv) + [SMTPat (bit_vec_sub bv 0 n)] + = bit_vec_equal_intro (bit_vec_sub bv 0 n) bv + +let int_t_array_bitwise_eq' + #t1 #t2 #n1 #n2 + (arr1: t_Array (int_t t1) n1) (d1: num_bits t1) + (arr2: t_Array (int_t t2) n2) (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) + = bit_vec_equal (bit_vec_of_int_t_array arr1 d1) + (retype (bit_vec_of_int_t_array arr2 d2)) + +let int_t_array_bitwise_eq + #t1 #t2 #n1 #n2 + (arr1: t_Array (int_t t1) n1) (d1: num_bits t1) + (arr2: t_Array (int_t t2) n2) (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) + = bit_vec_of_int_t_array arr1 d1 == bit_vec_of_int_t_array arr2 d2 + +// let get_bit_intro () +// : Lemma (forall (#n: inttype) (x: int_t n) (nth: usize {v nth < bits n}). +// get_bit #n x nth == ( if v x >= 0 then get_bit_nat (v x) (v nth) +// else get_bit_nat (pow2 (bits n) + v x) (v nth))) +// = introduce forall (n: inttype) (x: int_t n) (nth: usize {v nth < bits n}). 
+// get_bit #n x nth == ( if v x >= 0 then get_bit_nat (v x) (v nth) +// else get_bit_nat (pow2 (bits n) + v x) (v nth)) +// with get_bit_intro #n x nth + +#push-options "--fuel 0 --ifuel 0 --z3rlimit 80" +/// Rewrite a `bit_vec_of_int_t_array (Seq.slice arr ...)` into a `bit_vec_sub ...` +let int_t_seq_slice_to_bv_sub_lemma #t #n + (arr: t_Array (int_t t) n) + (start: nat) (len: usize {start + v len <= v n}) + (d: num_bits t) + : Lemma ( bit_vec_of_int_t_array (Seq.slice arr start (start + v len) <: t_Array _ len) d + `bit_vec_equal` bit_vec_sub (bit_vec_of_int_t_array arr d) (start * d) (v len * d)) + [SMTPat (bit_vec_sub (bit_vec_of_int_t_array arr d) (start * d) (v len * d))] + = let bv1 = bit_vec_of_int_t_array #_ #len (Seq.slice arr start (start + v len)) d in + let bv2 = bit_vec_sub (bit_vec_of_int_t_array arr d) (start * d) (v len * d) in + introduce forall i. bv1 i == bv2 i + with ( Seq.lemma_index_slice arr start (start + v len) (i / d); + Math.Lemmas.lemma_div_plus i start d; + Math.Lemmas.lemma_mod_plus i start d); + bit_vec_equal_intro bv1 bv2 + +#push-options "--split_queries always" +let int_t_eq_seq_slice_bv_sub_lemma #t #n1 #n2 + (arr1: t_Array (int_t t) n1) (arr2: t_Array (int_t t) n2) (d: num_bits t) + (start1 start2: nat) (len: nat {start1 + len <= v n1 /\ start2 + len <= v n2}) + : Lemma (requires Seq.slice arr1 start1 (start1 + len) == Seq.slice arr2 start2 (start2 + len)) + (ensures bit_vec_equal + (bit_vec_sub (bit_vec_of_int_t_array arr1 d) (start1 * d) (len * d)) + (bit_vec_sub (bit_vec_of_int_t_array arr2 d) (start2 * d) (len * d))) + [SMTPat ((bit_vec_sub (bit_vec_of_int_t_array arr1 d) (start1 * d) (len * d)) == + (bit_vec_sub (bit_vec_of_int_t_array arr2 d) (start2 * d) (len * d)))] + = let len = sz len in + int_t_seq_slice_to_bv_sub_lemma arr1 start1 len d; + int_t_seq_slice_to_bv_sub_lemma arr2 start2 len d; + // bit_vec_equal_elim_principle (); + bit_vec_equal_intro_principle () +#pop-options + +let bit_vec_equal_extend #n1 #n2 + 
(bv1: bit_vec n1) (bv2: bit_vec n2) (start1 start2: nat) + (len1: nat) + (len2: nat { start1 + len1 + len2 <= n1 /\ start2 + len1 + len2 <= n2}) + : Lemma + (requires + bit_vec_sub bv1 start1 len1 == bit_vec_sub bv2 start2 len1 + /\ bit_vec_sub bv1 (start1 + len1) len2 == bit_vec_sub bv2 (start2 + len1) len2) + (ensures bit_vec_sub bv1 start1 (len1+len2) == bit_vec_sub bv2 start2 (len1+len2)) + // [SMTPat (bit_vec_sub bv1 start1 len1 == bit_vec_sub bv2 start2 len1); + // SMTPat () + // ] + // SMTPat (bit_vec_sub bv1 (start1 + len1) len2 == bit_vec_sub bv2 (start2 + len1) len2)] + = let left1 = bit_vec_sub bv1 start1 len1 in + let left2 = bit_vec_sub bv2 start2 len1 in + let right1 = bit_vec_sub bv1 (start1 + len1) len2 in + let right2 = bit_vec_sub bv2 (start2 + len1) len2 in + // () + // bit_vec_equal_elim left1 left2 ; + // bit_vec_equal_elim right1 right2; + let entire1 = bit_vec_sub bv1 start1 (len1 + len2) in + let entire2 = bit_vec_sub bv2 start2 (len1 + len2) in + assert (forall (i:nat). i < len1 ==> left1 i == left2 i); + assert (forall (i:nat). i < len2 ==> right1 i == right2 i); + introduce forall (i:nat). i < len1 + len2 ==> entire1 i == entire2 i + with introduce i < len1 + len2 ==> entire1 i == entire2 i + with _. 
if i < len1 then assert (left1 i == left2 i) + else assert (entire1 i == right1 (i - len1)); + bit_vec_equal_intro entire1 entire2 +#pop-options + +// let bit_vec_equal_trans (#n: nat) (bv1 bv2 bv3: bit_vec n) +// : Lemma (requires bv1 `bit_vec_equal` bv2 /\ bv2 `bit_vec_equal` bv3) +// (ensures bv1 `bit_vec_equal` bv3) +// = bit_vec_equal_elim_principle (); +// bit_vec_equal_intro_principle () + +(* +let int_arr_bitwise_eq_range + #t1 #t2 #n1 #n2 + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) + (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) + (d1: num_bits t1) + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t2 -> Type0) + (arr2: t_Array (x: int_t t2 {refinement2 x}) n2) + (d2: num_bits t2) + (offset1 offset2: nat) + (bits: nat { + offset1 + bits <= v n1 * d1 + /\ offset2 + bits <= v n2 * d2 + }) + = bit_vec_equal #bits (fun i -> bit_vec_of_int_t_array arr1 d1 (i + offset1)) + = forall (k: nat). k < bits ==> + bit_vec_of_int_t_array arr1 d1 (offset1 + k) + == bit_vec_of_int_t_array arr2 d2 (offset2 + k) + +let int_arr_bitwise_eq_range_comm + #t1 #t2 #n1 #n2 + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) + (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) + (d1: num_bits t1) + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t2 -> Type0) + (arr2: t_Array (x: int_t t2 {refinement2 x}) n2) + (d2: num_bits t2) + (offset1 offset2: nat) + (bits: nat { + offset1 + bits <= v n1 * d1 + /\ offset2 + bits <= v n2 * d2 + }) + : Lemma (requires int_arr_bitwise_eq_range arr1 d1 arr2 d2 offset1 offset2 bits) + (ensures int_arr_bitwise_eq_range arr2 d2 arr1 d1 offset2 offset1 bits) + = () + +// kill that function in favor of range +let int_arr_bitwise_eq_up_to + #t1 #t2 #n1 #n2 + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) + (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) + (d1: num_bits t1) + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) 
+ (arr2: t_Array (x: int_t t2 {refinement x}) n2) + (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) + (max: nat {max <= v n1 * d1}) + + = forall i. i < max + ==> bit_vec_of_int_t_array arr1 d1 i == bit_vec_of_int_t_array arr2 d2 i + +let int_arr_bitwise_eq_ + #t1 #t2 #n1 #n2 + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) + (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) + (d1: num_bits t1) + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) + (arr2: t_Array (x: int_t t2 {refinement x}) n2) + (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) + = int_arr_bitwise_eq_up_to arr1 d1 arr2 d2 (v n1 * d1) + +// move to fsti +let bit_vec_equal #n (bv1 bv2: bit_vec n) + = forall i. i < n ==> bv1 i == bv2 i + +let int_arr_bitwise_eq + #t1 #t2 #n1 #n2 + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) + (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) + (d1: num_bits t1) + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) + (arr2: t_Array (x: int_t t2 {refinement x}) n2) + (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) + = forall i. 
i < v n1 * d1 + ==> bit_vec_of_int_t_array arr1 d1 i == bit_vec_of_int_t_array arr2 d2 i + +let int_arr_bitwise_eq_range_transitivity + #t1 #t2 #t3 #n1 #n2 #n3 + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) + (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) + (d1: num_bits t1) + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t2 -> Type0) + (arr2: t_Array (x: int_t t2 {refinement2 x}) n2) + (d2: num_bits t2) + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement3: int_t t3 -> Type0) + (arr3: t_Array (x: int_t t3 {refinement3 x}) n3) + (d3: num_bits t3) + (offset1 offset2 offset3: nat) + (bits: nat { + offset1 + bits <= v n1 * d1 + /\ offset2 + bits <= v n2 * d2 + /\ offset3 + bits <= v n3 * d3 + }) + : Lemma + (requires int_arr_bitwise_eq_range #t1 #t2 #n1 #n2 arr1 d1 arr2 d2 offset1 offset2 bits + /\ int_arr_bitwise_eq_range #t2 #t3 #n2 #n3 arr2 d2 arr3 d3 offset2 offset3 bits) + (ensures int_arr_bitwise_eq_range #t1 #t3 #n1 #n3 arr1 d1 arr3 d3 offset1 offset3 bits) + = () + + +let int_arr_bitwise_eq_range_intro + #t1 #t2 #n1 #n2 + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t1 -> Type0) + (arr1: t_Array (x: int_t t1 {refinement1 x}) n1) + (d1: num_bits t1) + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t2 -> Type0) + (arr2: t_Array (x: int_t t2 {refinement x}) n2) + (d2: num_bits t2 {v n1 * d1 == v n2 * d2}) + : Lemma + (requires int_arr_bitwise_eq arr1 d1 arr2 d2) + (ensures int_arr_bitwise_eq_range arr1 d1 arr2 d2 0 0 (v n1 * d1)) + = admit () + +let int_arr_bitwise_eq_range_intro_eq_slice + #t #n1 #n2 + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement: int_t t -> Type0) + (arr1: t_Array (x: int_t t {refinement x}) n1) + (arr2: t_Array (x: int_t t {refinement x}) n2) + (d: num_bits t) + (offset1 offset2: nat) + (n: nat {offset1 + n < v n1 /\ offset2 + n < v n2}) + (bits: nat { + offset1 + bits <= v n1 * d + /\ offset2 + bits <= v n2 * d + /\ bits <= n * d + }) + : Lemma (requires 
Seq.slice arr1 offset1 (offset1 + n) == Seq.slice arr2 offset2 (offset2 + n)) + (ensures int_arr_bitwise_eq_range arr1 d arr2 d offset1 offset2 bits) + = admit () + +let int_arr_bitwise_eq_range_intro_eq + #t #n1 #n2 + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement1: int_t t -> Type0) + (arr1: t_Array (x: int_t t {refinement1 x}) n1) + (#[FStar.Tactics.exact (`(fun _ -> True))]refinement2: int_t t -> Type0) + (arr2: t_Array (x: int_t t {refinement2 x}) n2) + (d: num_bits t) + (n_offset1 n_offset2: nat) + (n: nat {n_offset1 + n <= v n1 /\ n_offset2 + n <= v n2}) + // (offset1 offset2: nat) + (bits: nat { + n_offset1 * d + bits <= v n1 * d + /\ n_offset2 * d + bits <= v n2 * d + /\ bits <= n * d + }) + : Lemma (requires forall (i: nat). i < n ==> Seq.index arr1 (i + n_offset1) == Seq.index arr2 (i + n_offset2)) + (ensures int_arr_bitwise_eq_range arr1 d arr2 d (n_offset1 * d) (n_offset2 * d) bits) + = admit () +*) diff --git a/fstar-helpers/fstar-bitvec/Makefile b/fstar-helpers/fstar-bitvec/Makefile new file mode 100644 index 000000000..b4ce70a38 --- /dev/null +++ b/fstar-helpers/fstar-bitvec/Makefile @@ -0,0 +1 @@ +include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base diff --git a/fstar-helpers/fstar-bitvec/MkSeq.fst b/fstar-helpers/fstar-bitvec/MkSeq.fst new file mode 100644 index 000000000..89c8e0216 --- /dev/null +++ b/fstar-helpers/fstar-bitvec/MkSeq.fst 
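Review bot: The `(* ... *)` block that closes this interface file is roughly 150 lines of dead code, and three of its lemmas (`int_arr_bitwise_eq_range_intro`, `int_arr_bitwise_eq_range_intro_eq_slice`, `int_arr_bitwise_eq_range_intro_eq`) end in `admit ()`; leaving it in an `.fsti` invites someone to uncomment an admitted lemma straight into the trust base of the proof. Either delete the block (together with the commented-out `bit_vec_equal_trans` and `get_bit_intro`) or head it with a comment like `(* Superseded by bit_vec_sub / int_t_seq_slice_to_bv_sub_lemma above; kept for reference only and contains admits. *)`. The two live definitions `int_t_array_bitwise_eq'` and `int_t_array_bitwise_eq` differ only in going through `retype` and `bit_vec_equal` versus plain `==`, and neither says when a caller should prefer one; a one-line `///` doc comment on each would help.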
@@ -0,0 +1,59 @@ +module MkSeq +open Core + +open FStar.Tactics.V2 + +private let init (len: nat) (f: (i:nat{i < len}) -> Tac 'a): Tac (list 'a) + = let rec h (i: nat {i <= len}): Tac (list 'a) + = if i = len then [] else f i :: h (i + 1) + in h 0 + +private let tuple_proj (n: nat) (i: nat): Tac term + = if n = 1 then `(id) else + let name = "__proj__Mktuple" ^ string_of_int n ^ "__item___" ^ string_of_int (i + 1) in + Tv_FVar (pack_fv ["FStar";"Pervasives";"Native";name]) + +private let tuple_type (n: nat): Tac term + = if n = 1 then `(id) else + let name = "tuple" ^ string_of_int n in + Tv_FVar (pack_fv ["FStar";"Pervasives";"Native";name]) + +open Rust_primitives.Integers + +private let create_gen_tac (n: nat): Tac sigelt + = let typ_bd = {fresh_binder_named "t" (`Type0) with qual = FStar.Reflection.V2.Q_Implicit} in + let typ = binder_to_term typ_bd in + let input_typ = mk_e_app (tuple_type n) (init n (fun _ -> typ)) in + let input_bd = fresh_binder_named "tup" input_typ in + let output_type = `t_Array (`#typ) (sz (`@n)) in + let nth i = `((`#(tuple_proj n i)) (`#input_bd)) in + let mk_and: term -> term -> Tac term = fun t u -> `(`#t /\ `#u) in + let post = + let mk_inv s i = `(Seq.index (`#s) (`@i) == (`#(tuple_proj n i)) (`#input_bd)) in + let invs s = Tactics.fold_left mk_and (`(Seq.length (`#s) == (`@n))) (init n (mk_inv s)) in + let bd = fresh_binder_named "s" output_type in + mk_abs [bd] (invs bd) + in + let comp = C_Eff [] ["Prims"; "Pure"] + (`t_Array (`#typ) (sz (`@n))) + [ (`(requires True), Q_Explicit); (post, Q_Explicit)] [] + in + let args = [typ_bd; input_bd] in + let l = Tactics.fold_right (fun hd tl -> `((`#hd)::(`#tl))) (init n nth) (`[]) in + let indexes = + let f i = `((`#(nth i)) == List.Tot.index (`#l) (`@i)) in + Tactics.fold_left mk_and (`True) (init n f) + in + let lb_def = mk_abs args (`( + let l = `#l in + let s = Seq.createL l <: t_Array (`#typ) (sz (`@n)) in + FStar.Classical.forall_intro (Seq.lemma_index_is_nth s); + assert 
(`#indexes) by (Tactics.norm [primops; iota; delta; zeta]); + s + )) in + let lb_typ = mk_arr args (pack_comp comp) in + let open FStar.List.Tot in + let lb_fv = pack_fv (cur_module () @ ["create" ^ string_of_int n]) in + Sg_Let { isrec = false; lbs = [{ lb_fv; lb_us = []; lb_typ; lb_def }] } + +%splice[] (init 13 (fun i -> create_gen_tac (i + 1))) diff --git a/fstar-helpers/fstar-bitvec/RwLemmas.fst b/fstar-helpers/fstar-bitvec/RwLemmas.fst new file mode 100644 index 000000000..1fc1e00de --- /dev/null +++ b/fstar-helpers/fstar-bitvec/RwLemmas.fst 
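Review bot: `tuple_proj` and `tuple_type` build identifiers by string concatenation (`"__proj__Mktuple" ^ ... ^ "__item___" ^ ...` and `"tuple" ^ ...`) against the compiler-generated names in `FStar.Pervasives.Native`, and nothing in the file says so; a comment above `tuple_proj` such as `/// Relies on F*'s generated projector names for FStar.Pervasives.Native.tupleN; revisit if that naming changes` would document the coupling. The `%splice[] (init 13 ...)` at the end generates `create1` through `create13`, and the literal 13 is presumably bounded by the largest `tupleN` available in `FStar.Pervasives.Native`; state that next to it, e.g. `// NOTE: 13 is presumably bounded by the largest tupleN in FStar.Pervasives.Native — confirm`. Since the splice is the only non-private output of the module, the shape of the generated `createN` (a tuple of N values to a `t_Array` of length N with a per-index `Seq.index` equality in the postcondition) deserves a module-level `///` comment, because it is not visible anywhere in the source.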
@@ -0,0 +1,71 @@ +module RwLemmas + +open Core +module L = FStar.List.Tot +open FStar.Tactics.V2 +open FStar.Tactics.V2.SyntaxHelpers +open FStar.Class.Printable +open FStar.Mul +open FStar.Option + +open Tactics.Utils +open Tactics.Pow2 + +open BitVecEq {} + +let norm_machine_int () = Tactics.MachineInts.(transform norm_machine_int_term) + +#push-options "--z3rlimit 40" +let deserialize_10_int (bytes: t_Array u8 (sz 10)) = + let r0:i16 = + (((cast (bytes.[ sz 1 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16) + in + let r2:i16 = + (((cast (bytes.[ sz 3 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16) + in + let r3:i16 = + ((cast (bytes.[ sz 4 ] <: u8) <: i16) <>! 6l <: i16) + in + let r4:i16 = + (((cast (bytes.[ sz 6 ] <: u8) <: i16) &. 3s <: i16) <>! 2l <: i16) + in + let r6:i16 = + (((cast (bytes.[ sz 8 ] <: u8) <: i16) &. 63s <: i16) <>! 4l <: i16) + in + let r7:i16 = + ((cast (bytes.[ sz 9 ] <: u8) <: i16) <>! 6l <: i16) + in + let result:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = + r0, r1, r2, r3, r4, r5, r6, r7 <: (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) + in + result +#pop-options + +let deserialize_10_int' (bytes: t_Array u8 (sz 10)): t_Array i16 (sz 8) + = MkSeq.create8 (deserialize_10_int bytes) + +#push-options "--compat_pre_core 0" +#push-options "--z3rlimit 80" +let fff_ (bytes: t_Array u8 (sz 10)) x: unit = + let bv1 = bit_vec_of_int_t_array bytes 8 in + let out = deserialize_10_int' bytes in + let bv2 = bit_vec_of_int_t_array out 10 in + assert (forall (i: nat { i < 80 }). bv1 i == bv2 i) by ( + Tactics.GetBit.prove_bit_vector_equality () + ) +#pop-options + diff --git a/fstar-helpers/fstar-bitvec/Tactics.Folds.fst b/fstar-helpers/fstar-bitvec/Tactics.Folds.fst new file mode 100644 index 000000000..c5ead30b0 --- /dev/null +++ b/fstar-helpers/fstar-bitvec/Tactics.Folds.fst 
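Review bot: `fff_` takes a parameter `x` that its body never uses, and its name reads as a scratch placeholder; if the file is meant to stay as a regression test for `prove_bit_vector_equality`, rename it and drop the parameter (`let fff_ (bytes: t_Array u8 (sz 10)): unit =`), otherwise it should not land. `norm_machine_int` here is identical to the one added in Tactics.GetBit.fst in the same commit; define it once (Tactics.MachineInts, which both already call into, is the natural home) and import it. `deserialize_10_int` looks like a verbatim copy of extracted ML-KEM serialization code; a comment above it naming the module it was copied from and stating that it must be kept in sync would prevent the two from drifting apart unnoticed.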
@@ -0,0 +1,82 @@ +module Tactics.Folds + +open Core +module L = FStar.List.Tot +module S = FStar.Seq.Base +open FStar.Tactics.V2 +open FStar.Tactics.V2.SyntaxHelpers +open FStar.Class.Printable +open FStar.Mul +open FStar.Option + +open Rust_primitives.Hax.Folds + +open Tactics.Utils + +// let unfold_fold_range +// (#acc_t: Type0) (#u: Lib.IntTypes.inttype) +// (start_: int_t u) +// (end_: int_t u) +// (inv: acc_t -> (i:int_t u{fold_range_wf_index start_ end_ false (v i)}) -> Type0) +// (init: acc_t {inv init start_}) +// (f: (acc:acc_t -> i:int_t u {v i <= v end_ /\ fold_range_wf_index start_ end_ true (v i) /\ inv acc i} +// -> acc':acc_t {(inv acc' (mk_int (v i + 1)))})) +// = if v start_ < v end_ +// then fold_range (start_ +! mk_int 1) end_ inv (f init start_) f +// else init + + +// #push-options "--z3rlimit 100" +// let unfold_fold_range +// (#acc_t: Type0) (#u: Lib.IntTypes.inttype) +// (start_: int_t u) +// (end_: int_t u) +// (inv: acc_t -> (i:int_t u{fold_range_wf_index start_ end_ false (v i)}) -> Type0) +// (init: acc_t {inv init start_}) +// (f: (acc:acc_t -> i:int_t u {v i <= v end_ /\ fold_range_wf_index start_ end_ true (v i) /\ inv acc i} +// -> acc':acc_t {(inv acc' (mk_int (v i + 1)))})) +// : Lemma ( fold_range start_ end_ inv init f +// == ( if v start_ < v end_ +// then +// fold_range (start_ +! mk_int 1) end_ inv (f init start_) f +// else init ) +// ) +// = admit () +// #pop-options + +// let expect_fold_range t +// = let?# (fr, [acc_t,_;u,_;start_,_;end_,_;inv,_;init,_;f,_]) = expect_app_n t 7 in +// let _ = expect_free_var fr (`%fold_range) in +// Some (acc_t, u, start_, end_, inv, init, f) + +// let make_fold_range_lemma (start_: nat) (end_: nat): Tac _ = +// let _ = tcut (quote (squash (forall acc_t u inv init f. 
+// fold_range #acc_t #u start_ end_ inv init f +// == fold_range #acc_t #u start_ end_ inv init f +// ))) in +// flip (); +// let acc_t = forall_intro () in +// let u = forall_intro () in +// let inv = forall_intro () in +// let init = forall_intro () in +// let f = forall_intro () in +// fail "xx"; +// let _ = rewrite_rhs () in +// flip (); +// focus (fun _ -> +// fail "xx"; +// apply_lemma_rw (`unfold_fold_range) +// ); +// () +// // rewrite_lhs +// // let aux start_ = + +// jlet _ = +// assert true by (make_fold_range_lemma 1 10) + +// in + + +// let tactic_fold_range t +// = let?# expect_fold_range _ = + diff --git a/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst b/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst new file mode 100644 index 000000000..abec9b4fe --- /dev/null +++ b/fstar-helpers/fstar-bitvec/Tactics.GetBit.fst 
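Review bot: Apart from the module header and the `open` lines, every definition in this file is commented out, including an `unfold_fold_range` lemma whose body is `admit ()` and a tactic that ends in `fail "xx"`; a file of only dead code should either be left out of the commit or carry a header comment explaining its status, e.g. `/// WIP: exploratory tactics for unfolding Rust_primitives.Hax.Folds.fold_range; nothing here is used yet`. The `open`s that nothing live refers to (`FStar.Class.Printable`, `FStar.Option`, `Tactics.Utils`) would go with the dead code.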
@@ -0,0 +1,66 @@ +/// Provides tactics around `get_bit _ _ == get_bit _ _` goals +module Tactics.GetBit + +open Core +module L = FStar.List.Tot +open FStar.Tactics.V2 +open FStar.Tactics.V2.SyntaxHelpers +open FStar.Class.Printable +open FStar.Mul +open FStar.Option + +open Tactics.Utils +open Tactics.Pow2 + +open BitVecEq +open Tactics.Seq + + +let norm_machine_int () = Tactics.MachineInts.(transform norm_machine_int_term) + +/// Does one round of computation +let compute_one_round (): Tac _ = + norm [ iota; zeta; reify_ + ; delta_namespace [ + "FStar" + ; "BitVecEq" + ; implode_qn (cur_module ()) + ; "MkSeq" + ; `%Rust_primitives.Hax.array_of_list + ; `%Libcrux_ml_kem.Vector.Portable.Vector_type.__proj__Mkt_PortableVector__item__f_elements + ] + ; primops; unmeta]; + trace "compute_one_round: norm_pow2" norm_pow2; + trace "compute_one_round: norm_machine_int" norm_machine_int; + trace "compute_one_round: norm_index" norm_index + +/// Normalizes up to `get_bit` +let compute': unit -> Tac unit = goal_fixpoint compute_one_round + +/// Proves a goal of the shape `forall (i:nat{i < N}). get_bit ... i == get_bit ... i` (`N` is expected to be a literal) +let prove_bit_vector_equality'' (): Tac unit = + norm [ + iota; + primops; + delta_only [`%bit_vec_of_int_t_array; `%FunctionalExtensionality.on]; + delta_namespace [ + implode_qn (cur_module ()); + "Libcrux_intrinsics.Avx2_extract"; + "BitVec.Intrinsics"; + "BitVecEq"; + ]; + ]; + compute_one_round (); + prove_forall_nat_pointwise (print_time "SMT solved the goal in " (fun _ -> + Tactics.Seq.norm_index_minimal (); + l_to_r [`bit_vec_to_int_t_lemma]; + print ("Ask SMT: " ^ term_to_string (cur_goal ())); + focus smt_sync + )) +let prove_bit_vector_equality' (): Tac unit = + if lax_on () + then iterAll tadmit + else prove_bit_vector_equality'' () +let prove_bit_vector_equality (): Tac unit = + set_rlimit 100; + with_compat_pre_core 0 prove_bit_vector_equality' 
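Review bot: `compute_one_round` hard-codes `Libcrux_ml_kem.Vector.Portable.Vector_type.__proj__Mkt_PortableVector__item__f_elements` in its `delta_namespace` list, which ties this otherwise generic fstar-bitvec helper to one libcrux crate and module; consider passing the extra unfoldings as an argument of `prove_bit_vector_equality`, or at least comment that line with why this projector must be unfolded. `prove_bit_vector_equality'` admits every goal with `iterAll tadmit` when `lax_on ()` holds, which is fine for lax checking but belongs in its `///` doc so that nobody reads a lax run as a proof. The `print ("Ask SMT: " ^ ...)` in `prove_bit_vector_equality''` emits output on every call; `debug`, as used in Tactics.Pow2 in this same series, would keep it behind the debug flag.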
diff --git a/fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst b/fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst new file mode 100644 index 000000000..85bb0bb78 --- /dev/null +++ b/fstar-helpers/fstar-bitvec/Tactics.MachineInts.fst 
@@ -0,0 +1,273 @@ +/// This module interprets machine integers terms that comes from +/// `FStar.[U]Int*` modules or from `Rust_primtiives.Integers` module. +/// It can then convert from and back those two representation, +/// normalize them, etc. +module Tactics.MachineInts + +open FStar.Tactics.V2 +open FStar.Tactics.V2.SyntaxHelpers +open FStar.Class.Printable +open FStar.Option + +open Tactics.Utils +module RI = Rust_primitives.Integers + +/// The size of a machine int +type size = + | PtrSize + | Size of n:nat {match n with | 8 | 16 | 32 | 64 | 128 -> true | _ -> false} +/// The signedness of a machine int +type signedness = | Signed | Unsigned + +/// The operations we recognize on machine ints +type machine_int_op = | MkInt | V + +/// The AST of a machine int expression +noeq type machine_int_term = + /// Operations `mk_int` (aka `FStar.[U]Int*.[u]int_to_t`) and `v` + | Op { /// Which operation is it? + op: machine_int_op + /// Is that a generic (Rust_primitives.Integers) operation or a native one (FStar.[U]Int*)? + ; native: bool + ; size: size + ; signedness: signedness + ; contents: machine_int_term } + /// A (math) integer literal + | Lit of int + /// An arbitrary term + | Term of term + +/// Expect `n` to be a definition in a machine int namespace +let expect_native_machine_int_ns (n: string): (option (signedness & size & string)) + = match explode_qn n with + | "FStar"::int_module::[def_name] -> + let? 
(sign, size) = match int_module with + | "Int8" -> Some (Signed, Size 8) + | "Int16" -> Some (Signed, Size 16) + | "Int32" -> Some (Signed, Size 32) + | "Int64" -> Some (Signed, Size 64) + | "Int128" -> Some (Signed, Size 128) + | "UInt8" -> Some (Unsigned, Size 8) + | "UInt16" -> Some (Unsigned, Size 16) + | "UInt32" -> Some (Unsigned, Size 32) + | "UInt64" -> Some (Unsigned, Size 64) + | "UInt18" -> Some (Unsigned, Size 128) + | _ -> None + in Some (sign, size, def_name) + | _ -> None + +/// Given a sign and a size, produces the correct namespace `FStar.[U]Int*` +let mk_native_machine_int_ns (sign: signedness) (size: size): option (list string) + = let sign = match sign with | Signed -> "" | Unsigned -> "U" in + let? size = match size with | PtrSize -> None | Size n -> Some (string_of_int n) in + Some ["FStar"; sign ^ "Int" ^ size] + +/// Interpret HACL*'s `inttype`s +let expect_inttype t: Tac (option (signedness & size)) + = let t = norm_term [iota; reify_; delta_namespace ["Rust_primitives.Integers"; "Lib.IntTypes"]; primops; unmeta] t in + let?# t = expect_fvar t in + match t with + | `%RI.i8_inttype | `%Lib.IntTypes.S8 -> Some ( Signed, Size 8) + | `%RI.i16_inttype | `%Lib.IntTypes.S16 -> Some ( Signed, Size 16) + | `%RI.i32_inttype | `%Lib.IntTypes.S32 -> Some ( Signed, Size 32) + | `%RI.i64_inttype | `%Lib.IntTypes.S64 -> Some ( Signed, Size 64) + | `%RI.i128_inttype | `%Lib.IntTypes.S128 -> Some ( Signed, Size 128) + | `%RI.u8_inttype | `%Lib.IntTypes.U8 -> Some (Unsigned, Size 8) + | `%RI.u16_inttype | `%Lib.IntTypes.U16 -> Some (Unsigned, Size 16) + | `%RI.u32_inttype | `%Lib.IntTypes.U32 -> Some (Unsigned, Size 32) + | `%RI.u64_inttype | `%Lib.IntTypes.U64 -> Some (Unsigned, Size 64) + | `%RI.u128_inttype | `%Lib.IntTypes.U128 -> Some (Unsigned, Size 128) + | `%RI.isize_inttype -> Some (Signed, PtrSize) + | `%RI.usize_inttype -> Some (Unsigned, PtrSize) + | _ -> None + +/// Given a signedness and a size, creates a name `[ui]*_inttype` +let 
mk_inttype_name (sign: signedness) (size: size): name = + let sign = match sign with | Signed -> "i" | Unsigned -> "u" in + let size = match size with | PtrSize -> "size" | Size n -> string_of_int n in + ["Rust_primitives"; "Integers"; sign ^ size ^ "_inttype"] + +/// Given a signedness and a size, creates a term `[ui]*_inttype` +let mk_inttype (sign: signedness) (size: size): Tac term = + pack (Tv_FVar (pack_fv (mk_inttype_name sign size))) + +/// Interprets a term as a machine int. This function always returns +/// something: when `t` is not a machine int expression we recognize, +/// it returns `Term t`. Below, `term_to_machine_int_term` returns an +/// option. +let rec term_to_machine_int_term' (t: term): Tac machine_int_term = + match term_to_machine_int_term'' t with | Some t -> t | None -> Term t +and term_to_machine_int_term'' (t: term): Tac (option machine_int_term) = + let t = norm_term [delta_only [(`%RI.sz); (`%RI.isz)]] t in + match t with + | Tv_Const (C_Int n) -> Some (Lit n) + | _ -> + let?# (hd, args) = collect_app_hd t in + match expect_native_machine_int_ns hd, args with + | (Some (signedness, size, def_name), [arg, _]) -> begin + let native = true in + let contents = term_to_machine_int_term' arg in + let?# op = match def_name with + | "__uint_to_t" | "__int_to_t" | "uint_to_t" | "int_to_t" -> Some MkInt + | "v" -> Some V | _ -> None in + Some (Op {op; native; size; signedness; contents}) + end + | (None, [inttype, _; contents, _]) -> begin + let?# (signedness, size) = expect_inttype inttype in + let contents = term_to_machine_int_term' contents in + let?# op = match hd with | `%RI.mk_int -> Some MkInt + | `%RI.v -> Some V + | _ -> None in + Some (Op {op; native = false; size; signedness; contents}) + end + | _ -> None + +/// Tries to interpret a term as a machine int +let term_to_machine_int_term (t: term): Tac (option (t: machine_int_term {~(Term? 
t)})) + = match term_to_machine_int_term' t with + | Term _ -> None | t -> Some t + +/// Transform a machine int AST into a term. Note that this doesn't +/// support native usize/isize (aka `FStar.SizeT`), whence the option. +let rec machine_int_term_to_term (t: machine_int_term): Tac (option term) = + match t with + | Term t -> Some t + | Op {native = false; op; size; signedness; contents} -> + let inttype = mk_inttype signedness size in + let?# contents = machine_int_term_to_term contents in + let op = match op with | V -> `RI.v + | MkInt -> `RI.mk_int in + Some (`((`#op) #(`#inttype) (`#contents))) + | Op {native = true; op; size; signedness; contents} -> + let?# ns = mk_native_machine_int_ns signedness size in + let f = FStar.List.Tot.append ns [ + match op with + | MkInt -> (match signedness with | Signed -> "" | Unsigned -> "u") ^ "int_to_t" + | V -> "v" + ] in + let f = pack (Tv_FVar (pack_fv f)) in + let?# contents = machine_int_term_to_term contents in + Some (mk_e_app f [contents]) + | Lit n -> Some (pack (Tv_Const (C_Int n))) + +/// An operation on a machine_int_term +type operation = machine_int_term -> option machine_int_term + +/// Removes `mk_int (v ...)` or `v (mk_int ...)` when it's the same type +let rec flatten_machine_int_term: operation = function + | Op x -> begin match x.contents with + | Op y -> if x.op <> y.op && x.size = y.size && x.signedness = y.signedness + then Some (match flatten_machine_int_term y.contents with + | Some result -> result + | None -> y.contents) + else let? 
y = flatten_machine_int_term (Op y) in + Some (Op {x with contents = y}) + | _ -> None + end + | _ -> None + +/// Makes a machine int native or not +let rec change_native_machine_int_term (native: bool): operation = function + | Op x -> let contents = change_native_machine_int_term native x.contents in + if x.native = native + then None + else Some (Op { x with native + ; contents = match contents with + | Some contents -> contents + | None -> x.contents}) + | _ -> None + +/// Combines two operation together +let combine: operation -> operation -> operation = + fun f g t -> match f t with + | Some t -> (match g t with | Some t -> Some t | None -> Some t) + | None -> g t + +/// We call `x` a normal machine integer if `x` has no `mk_int (v +/// ...)` or `v (mk_int ...)` sequence and if all `mk_int` and `v` are +/// native (aka `FStar.[U]Int*.*`, not +/// `Rust_primitives.Integer.*`). Note `usize` is an exception, +/// `mk_int` and `v` alone one usizes (and isizes) cannot be reduced +/// further. +let norm_machine_int_term = combine flatten_machine_int_term (change_native_machine_int_term true) + +/// We call `x` a normal generic machine integer if `x` has no +/// `FStar.[U]Int*.[u]int_to_t/v`, and no `mk_int (v ...)` or `v +/// (mk_int ...)`. 
+let norm_generic_machine_int_term = combine flatten_machine_int_term (change_native_machine_int_term false) + +/// Unfolds `mk_int` using `mk_int_equiv_lemma` +let norm_mk_int () = + let?# (lhs, _) = expect_lhs_eq_uvar () in + let lhs' = term_to_machine_int_term lhs in + match?# lhs' with + | Op {op = MkInt; native = false; size; signedness; contents} -> + let inttype = mk_inttype signedness size in + let lemma = `(RI.mk_int_equiv_lemma #(`#inttype)) in + let lemma = norm_term [primops; iota; delta; zeta] lemma in + focus (fun _ -> + apply_lemma_rw lemma + ); + Some () + | _ -> None + +/// Lemmas to deal with the special case of usize +let rw_v_mk_int_usize x + : Lemma (eq2 (RI.v #RI.usize_inttype (RI.mk_int #RI.usize_inttype x)) x) = () +let rw_mk_int_v_usize x + : Lemma (eq2 (RI.mk_int #RI.usize_inttype (RI.v #RI.usize_inttype x)) x) = () + +/// Rewrites `goal_lhs` into `machine_int`. This function expects the +/// goal to be of the shape ` == (?...)`, where `` +/// is a machine int. Do not call this function directly. +let _rewrite_to (goal_lhs: term) (eq_type: typ) (machine_int: machine_int_term): Tac (option unit) + = let?# t_term = machine_int_term_to_term machine_int in + Some (focus (fun _ -> + let rw = tcut (`squash (eq2 #(`#eq_type) (`#goal_lhs) (`#t_term))) in + // This tcut will generate simple verification conditions, we + // discharge them right away + // iterAllSMT (fun () -> smt_sync `or_else` (fun _ -> dump "norm_mk_int: Could not solve SMT here")); + flip (); + pointwise' (fun () -> match norm_mk_int () with + | Some _ -> () + | None -> // special case for usize + (fun () -> (fun () -> apply_lemma_rw (`rw_v_mk_int_usize)) + `or_else` (fun () -> apply_lemma_rw (`rw_mk_int_v_usize))) + `or_else` trefl + ); + compute (); + trefl (); + apply_lemma_rw rw + )) + +/// Rewrites a goal deeply, replacing every machine integer expression +/// `x` by `f x` (when it is `Some _`). 
+let transform (f: machine_int_term -> option machine_int_term): Tac unit + = pointwise' (fun _ -> + match revert_if_none (fun _ -> + let?# (lhs, eq_type) = expect_lhs_eq_uvar () in + let?# machine_int = term_to_machine_int_term lhs in + let?# machine_int' = f machine_int in + let?# _ = _rewrite_to lhs eq_type machine_int' in + Some () + ) + with + | None -> trefl () + | _ -> () + ) + +open Rust_primitives.Integers +let _ = fun x -> assert (v (mk_int #usize_inttype x) == x) + by (transform norm_machine_int_term; trefl ()) +let _ = assert (mk_int #u8_inttype 3 == 3uy) + by (transform norm_machine_int_term; trefl ()) +let _ = fun x -> assert (mk_int #u8_inttype x == FStar.UInt8.uint_to_t x) + by (transform norm_machine_int_term) +let _ = assert (v (mk_int #usize_inttype 3) == 3) + by (transform norm_machine_int_term; trefl ()) +let _ = fun x -> assert (v (mk_int #usize_inttype x) == x) + by (transform norm_machine_int_term; trefl ()) +let _ = assert (mk_int #u8_inttype 3 == 3uy) + by (transform norm_generic_machine_int_term; trefl ()) +let _ = fun x -> assert (mk_int #u8_inttype x == FStar.UInt8.uint_to_t x) + by (transform norm_generic_machine_int_term; trefl ()) diff --git a/fstar-helpers/fstar-bitvec/Tactics.Pow2.fst b/fstar-helpers/fstar-bitvec/Tactics.Pow2.fst new file mode 100644 index 000000000..9f6ee1f0f --- /dev/null +++ b/fstar-helpers/fstar-bitvec/Tactics.Pow2.fst 
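Review bot: In `expect_native_machine_int_ns`, the arm `| "UInt18" -> Some (Unsigned, Size 128)` looks like a typo for `"UInt128"`: every other arm spells the `FStar.[U]IntN` module after its width, and as written native `FStar.UInt128` terms fall through to `_ -> None` and are left as opaque `Term`s by `term_to_machine_int_term''`. The fix is the one line `| "UInt128" -> Some (Unsigned, Size 128)`. The module doc also has typos (`Rust_primtiives`, `terms that comes`), and the doc of `_rewrite_to`, as rendered here, has lost the left-hand side of the goal shape it describes (`` ` == (?...)` ``); presumably it should read that the goal is `machine_int == (?...)` with the left-hand side a machine int.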
@@ -0,0 +1,58 @@
+/// Provides tools to normalize `pow2`
+module Tactics.Pow2
+
+open Core
+open Tactics.Utils
+open FStar.Tactics.V2
+
+/// Expects `t` to be of the shape `pow2 n`, with `n` a literal, returns n
+let expect_pow2_literal t: Tac (option int)
+ = let?# (f, [x, _]) = expect_app_n t 1 in
+ let?# () = expect_free_var f (`%pow2) in
+ expect_int_literal x
+
+/// Expects `t` to be of the shape `pow2 n - 1`, with `n` a literal, returns n
+let expect_pow2_minus_one_literal t: Tac (option int)
+ = let?# (f, [x, _; y, _]) = expect_app_n t 2 in
+ let?# () = expect_free_var f (`%op_Subtraction) in
+ let?# y = expect_int_literal y in
+ let?? () = y = 1 in
+ expect_pow2_literal x
+
+/// Fully normalize a term of the shape `pow2 n`, where `n` is a literal
+let norm_pow2 (): Tac unit =
+ pointwise (fun () ->
+ let _ = let?# (t, _) = expect_lhs_eq_uvar () in
+ let?# n = expect_pow2_literal t in
+ debug ("Normalized `pow2 " ^ string_of_int n ^ "`");
+ Some (norm [iota; zeta_full; reify_; delta; primops; unmeta]) in
+ trefl ())
+
+/// Inverse of `pow2`
+let rec log2 (n: nat): Tot (option (m: nat {pow2 m == n})) (decreases n)
+ = if n = 0 then None
+ else if n = 1 then Some 0
+ else if n % 2 <> 0 then None
+ else match log2 (n / 2) with
+ | Some n -> Some (1 + n)
+ | None -> None
+
+/// Rewrite integers in the goal into `pow2 _ - 1` whenever possible
+let rewrite_pow2_minus_one () =
+ pointwise (fun () ->
+ match let?# (t, _) = expect_lhs_eq_uvar () in
+ let?# n = expect_int_literal t in
+ if n >= 0 then
+ match log2 (n + 1) with
+ | Some e ->
+ let rw_lemma (): Lemma (n == pow2 e - 1) = () in
+ apply_lemma_rw (quote rw_lemma);
+ Some ()
+ | _ -> None
+ else None
+ with None -> trefl () | _ -> ()
+ )
+
+// Test
+let _ = fun (i: nat) -> assert (pow2 (i + 3) + pow2 10 == pow2 (i + 3) + 1024)
+ by (norm_pow2 (); trefl ())
diff --git a/fstar-helpers/fstar-bitvec/Tactics.Seq.fst b/fstar-helpers/fstar-bitvec/Tactics.Seq.fst
new file mode 100644
index 000000000..0a7015968
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/Tactics.Seq.fst
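Review bot: The `if n >= 0 then` guard in `rewrite_pow2_minus_one` admits `0` and `1`, which `log2` maps to `Some 0` and `Some 1`, so every `0` and `1` literal in the goal gets rewritten to `pow2 0 - 1` / `pow2 1 - 1`; the `1` in the `pow2 e - 1` the tactic itself introduces is again a literal, so a second pass (for instance under `goal_fixpoint`) would presumably rewrite it once more and never converge. Unless those trivial cases are wanted, raise the threshold, e.g. `if n >= 3 then` (3 = pow2 2 - 1 is the smallest mask of interest), and state the threshold in the doc comment. `log2`'s comment `/// Inverse of `pow2`` should also say it returns `None` for `0` and for non-powers of two, since `rewrite_pow2_minus_one` relies on that to skip the rewrite.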
@@ -0,0 +1,123 @@
+module Tactics.Seq
+
+open Core
+module L = FStar.List.Tot
+module S = FStar.Seq
+open FStar.Tactics.V2
+open FStar.Tactics.V2.SyntaxHelpers
+open FStar.Class.Printable
+open FStar.Mul
+open FStar.Option
+
+open Tactics.Utils
+open Tactics.Pow2
+
+(*** Rewrite lemmas *)
+private let rw_seq_index_list #t (l: list t) i
+ : Lemma (S.index (S.seq_of_list l) i == FStar.List.Tot.index l i)
+ = ()
+private let rw_index_slice #typ (s: S.seq typ) i j n: Lemma (S.index (S.slice s i j) n == S.index s (normalize_term (i + n)))
+ = ()
+private let rw_index_upd s n v i
+ : Lemma (S.index (S.upd s n v) i == (if n = i then v else S.index s i))
+ = ()
+
+/// A version of `L.index` to mark specific instances we want to normalize.
+let rec index_to_normalize #a (l: list a) (i:nat{i < L.length l}): Tot a
+ = let hd::tl = l in
+ if i = 0 then hd else index_to_normalize tl (i - 1)
+
+private let rec rw_index_to_index_to_normalize #a (l: list a) (i:nat{i < L.length l})
+ : Lemma (L.index #a l i == index_to_normalize #a l i)
+ = if i = 0 then () else rw_index_to_index_to_normalize (L.tl l) (i - 1)
+
+
+(*** Tactics that apply those lemmas only if needed *)
+let tactic_list_index ()
+ = let?# (t, _) = expect_lhs_eq_uvar () in
+ let?# (f, [typ, _; l, _; index, _]) = expect_app_n t 3 in
+ let?# () = expect_free_var f (`%FStar.List.Tot.index) in
+ let?# n = expect_int_literal index in
+ apply_lemma_rw (`rw_index_to_index_to_normalize);
+ Some ()
+
+/// Expects `t` to be of the shape `seq_of_list #_ _`
+let expect_seq_of_list (t: term): Tac (option (term & term))
+ = let?# (f, [t,_; index,_]) = expect_app_n t 2 in
+ let?# _ = expect_free_var f (`%S.seq_of_list) in
+ Some (t, index)
+
+/// Expects `t` to be of the shape `index #_ _`
+let expect_seq_index (t: term): Tac (option (term & term & term))
+ = let?# (f, [typ, _; l, _; index, _]) = expect_app_n t 3 in
+ let?# () = expect_free_var f (`%S.index) in
+ Some (typ, l, index)
+
+/// Expects `t` to be of the shape `slice #_ _`
+let expect_seq_slice (t: term): Tac (option (term & term & term & term))
+ = let?# (f, [typ, _; s, _; i, _; j, _]) = expect_app_n t 4 in
+ let?# () = expect_free_var f (`%S.slice) in
+ Some (typ, s, i, j)
+
+/// Expects `t` to be of the shape `upd #_ _`
+let expect_seq_upd (t: term): Tac (option (term & term & term & term))
+ = let?# (f, [typ, _; s, _; i, _; v, _]) = expect_app_n t 4 in
+ let?# () = expect_free_var f (`%S.upd) in
+ Some (typ, s, i, v)
+
+let tactic_seq_index_of_list ()
+ = let?# (t, _) = expect_lhs_eq_uvar () in
+ let?# (_, l, _) = expect_seq_index t in
+ let?# _ = expect_seq_of_list l in
+ apply_lemma_rw (`rw_seq_index_list);
+ Some ()
+
+let tactic_rw_index_slice ()
+ = let?# (t, _) = expect_lhs_eq_uvar () in
+ let?# (typ, s, index) = expect_seq_index t in
+ let?# (_, s, i, j) = expect_seq_slice s in
+ apply_lemma_rw (`rw_index_slice #(`#typ) (`#s) (`#i) (`#j));
+ Some ()
+
+let tactic_rw_index_upd ()
+ = let?# (t, _) = expect_lhs_eq_uvar () in
+ let?# (typ, s, index) = expect_seq_index t in
+ let?# (_, s, i, v) = expect_seq_upd s in
+ apply_lemma_rw (`rw_index_upd #(`#typ) (`#s) (`#i) (`#v));
+ Some ()
+
+(*** Final tactics *)
+let norm_zeta_full_list_index (): Tac unit
+ = norm [iota; primops; zeta_full; delta_only [`%index_to_normalize]]
+
+
+let norm_index_minimal (): Tac unit
+ = pointwise ((unwrap ∘ tactic_list_index) ||> trefl);
+ norm_zeta_full_list_index ()
+
+let norm_index' (): Tac unit
+ = pointwise ( (unwrap ∘ tactic_seq_index_of_list)
+ ||> (unwrap ∘ tactic_list_index)
+ ||> (unwrap ∘ tactic_rw_index_slice)
+ ||> (unwrap ∘ tactic_rw_index_upd)
+ ||> trefl)
+
+let norm_index (): Tac unit
+ = goal_fixpoint norm_index' ();
+ norm_zeta_full_list_index ()
+
+
+(*** Tests *)
+let _ = assert (
+ let s = S.seq_of_list [1;2;3;4;5;6] in
+ let s = S.slice s 2 4 in
+ S.index s 1 == 4
+) by (norm []; norm_index (); trefl ())
+
+let _ = assert (
+ L.index [L.index [1;2;3;4;5;6] (L.index [1;2;3;4;3;3] 2)] 0 == 4
+) by (norm_index(); trefl ())
+let _ = assert (
+ S.index (S.seq_of_list [1;2;3;(S.index (S.seq_of_list [1;2;3;(S.index (S.seq_of_list [1;2;3;4;1]) 3);1]) 3);1]) 3 == 4
+) by (norm_index(); trefl ())
+
diff --git a/fstar-helpers/fstar-bitvec/Tactics.Utils.fst b/fstar-helpers/fstar-bitvec/Tactics.Utils.fst
new file mode 100644
index 000000000..18030a682
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/Tactics.Utils.fst
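Review bot: `tactic_list_index` binds `typ`, `l` and `n` but reads none of them; the only job of the `expect_int_literal index` line is to gate the rewrite on the index being an int literal, which is the property that makes the later `norm_zeta_full_list_index` (`zeta_full` with `delta_only [`%index_to_normalize]`) sensible, and it deserves a comment. Suggest `let?# (f, [_, _; _, _; index, _]) = expect_app_n t 3 in` and `let?# _ = expect_int_literal index in`, with `/// Marks `L.index l i` for full normalisation, but only when `i` is an int literal.` above the definition. The same unused `index` binding from `expect_seq_index` appears in `tactic_rw_index_slice` and `tactic_rw_index_upd`.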
@@ -0,0 +1,328 @@
+module Tactics.Utils
+
+open Core
+open FStar.Option
+module L = FStar.List.Tot
+open FStar.Tactics.V2
+open FStar.Tactics.V2.SyntaxHelpers
+open FStar.Class.Printable
+open FStar.Mul
+
+(*** Let operators *)
+let (let?#) (x: option 'a) (f: 'a -> Tac (option 'b)): Tac (option 'b)
+ = match x with
+ | Some x -> f x
+ | None -> None
+
+let ( let?? ) (x: bool) (f: unit -> Tac (option 'a)): Tac (option 'a)
+ = if x then f () else None
+
+(*** Debug helpers *)
+/// Dump before failing (in some cases, exception cathing messes with
+/// `fail`)
+let fail' msg = dump msg; fail msg
+
+exception Restore
+/// Dumps a goal with a minimal number of binders in the environment
+let dump' (msg: string): Tac unit
+ = try set_smt_goals [];
+ iterAll (fun _ -> let _ = repeat clear_top in ());
+ dump msg;
+ raise Restore
+ with | _ -> ()
+
+(*** `option _` helpers *)
+/// Executes `f`, if it fails, execute `g`. Like `or_else`, but returns
+/// a chunk.
+let ( ||> ) (f: 'a -> Tac 'b) (g: 'a -> Tac 'b) (a: 'a): Tac 'b
+ = try f a with | _ -> g a
+
+exception ExpectedSome
+/// Unwraps an option, throws `ExpectedSome` if the option is `None`
+let unwrap (x: option 'a): Tac 'a
+ = match x with
+ | Some x -> x
+ | None -> raise ExpectedSome
+
+/// Expects an option to be `None`, otherwise throws an error
+let expect (msg: string) (x: option 'a): Tac 'a
+ = match x with
+ | None -> dump' ("Expected " ^ msg);
+ fail ("Expected " ^ msg)
+ | Some x -> x
+
+(*** misc. utils *)
+/// Reverse function composition (in Tac)
+unfold let (>>>) (f: 'a -> Tac 'b) (g: 'b -> Tac 'c) (x: 'a): Tac 'c
+ = g (f x)
+/// Function composition (in Tac)
+unfold let (∘) (f: 'b -> Tac 'c) (g: 'a -> Tac 'b): 'a -> Tac 'c
+ = g >>> f
+
+
+let trace (fun_name: string) (t: unit -> Tac 'b) =
+ print (fun_name ^ ": enter");
+ let result =
+ try t ()
+ with | e -> (print (fun_name ^ ": exit (with an exception!)"); raise e)
+ in
+ print (fun_name ^ ": exit");
+ result
+
+(*** control utils *)
+/// Repeats a tactic `f` until the goal is stable
+let goal_fixpoint (f: unit -> Tac unit): unit -> Tac unit
+ = let rec aux (): Tac _ =
+ let goal0 = cur_goal () in
+ f ();
+ let goal1 = cur_goal () in
+ if not (term_eq goal0 goal1) then aux ()
+ in aux
+
+private exception DoRefl
+let some_or_refl (f: unit -> Tac (option unit))
+ = or_else (fun _ -> match f () with | None -> raise DoRefl | _ -> ()) trefl
+
+/// Runs `f` on each subterms for rewrite. If `f` is `None` or raises
+/// an error, applies `trefl`.
+let pointwise_or_refl (f: unit -> Tac (option unit))
+ = pointwise (fun _ -> some_or_refl f)
+
+let rec repeatWhile (f: unit -> Tac bool): Tac unit
+ = if f () then repeatWhile f
+
+(*** `expect_*` combinators *)
+let expect_int_literal (t: term): Tac (option int) =
+ match inspect_unascribe t with
+ | Tv_Const (C_Int n) -> Some n
+ | _ -> None
+
+let expect_fvar (t: term): Tac (option string) =
+ match t with
+ | Tv_UInst fv _
+ | Tv_FVar fv -> Some (implode_qn (inspect_fv fv))
+ | _ -> None
+
+let expect_free_var (t: term) (fv: string): Tac (option unit) =
+ let?# fv' = expect_fvar t in
+ if fv = fv' then Some () else None
+
+let expect_lhs_eq_rhs_term t =
+ match term_as_formula t with
+ | Comp (Eq typ) lhs rhs ->
+ let typ = match typ with | None -> `_ | Some typ -> typ in
+ Some (lhs, rhs, typ)
+ | _ -> None
+
+let expect_lhs_eq_rhs () =
+ expect_lhs_eq_rhs_term (cur_goal ())
+
+let expect_lhs_eq_uvar () =
+ match expect_lhs_eq_rhs () with
+ | Some (lhs, rhs, typ) ->
+ ( match rhs with | Tv_Uvar _ _ -> Some (lhs, typ) | _ -> None )
+ | _ -> None
+
+let expect_app_n t n: Tac (option (term & (l: list _ {L.length l == n}))) =
+ let (head, args) = collect_app t in
+ if L.length args = n
+ then Some (head, args)
+ else None
+
+let expect_forall t: Tac _ =
+ match term_as_formula t with
+ | Forall bv typ phi -> Some (bv, typ, phi)
+ | _ -> None
+
+(*** Rewrite utils *)
+private exception ForceRevert
+let revert_if_none (f: unit -> Tac (option 'a)): Tac (option 'a)
+ = try match f () with Some x -> Some x
+ | None -> raise ForceRevert
+ with | ForceRevert -> None | e -> raise e
+
+/// Collects an application whose head is a free variable
+let collect_app_hd t: Tac (option (string & list argv))
+ = let (hd, args) = collect_app t in
+ let?# fv = expect_fvar hd in
+ Some (fv, args)
+
+let statement_of_lemma (lemma: term) =
+ let _, comp = collect_arr (tc (cur_env ()) lemma) in
+ match inspect_comp comp with
+ | C_Total x
+ | C_Lemma _ x _ -> (
+ match x with
+ | Tv_Abs _ x -> `(squash (`#x))
+ | _ -> `(squash (`#x))
+ )
+ | _ -> fail "statement_of_lemma: supports only Tot and Lemma"
+
+let weaken_eq2_lemma (u: Type) (t: Type {subtype_of t u}) (p q: t) ()
+ : Lemma (requires ( == ) #u p q)
+ (ensures ( == ) #t p q)
+ = ()
+
+/// `apply_lemma_rw` doesn't work if the goal is `(==) #t ... (?u ...)` while the lemma is `(==) #u .. (?u ....)`. `apply_lemma_rw_eqtype` fixes some of those case, and warns about it.
+let apply_lemma_rw_eqtype (lemma: term): Tac unit
+ = try
+ apply_lemma_rw lemma
+ with
+ | e -> match
+ let stmt = statement_of_lemma lemma in
+ let?# (lemma_lhs, lemma_rhs, type_lemma') = expect_lhs_eq_rhs_term stmt in
+ let?# (goal_lhs, goal_rhs, type_goal') = expect_lhs_eq_rhs () in
+ let type_lemma = norm_term [delta; iota; primops] type_lemma' in
+ let type_goal = norm_term [delta; iota; primops] type_goal' in
+ if term_eq type_lemma type_goal
+ then None
+ else
+ ( print "######## Warning: apply_lemma_rw, rewrite equalities with different type";
+ print ("######## Your lemma has eq over type " ^ term_to_string type_lemma);
+ print ("######## Your goal has eq over type " ^ term_to_string type_goal);
+ print ("######## Trying to weaken the type of the goal.");
+ apply_lemma (
+ `weaken_eq2_lemma
+ (`#type_lemma') (`#type_goal')
+ (`#goal_lhs) (`#goal_rhs)
+ );
+ apply_lemma_rw lemma;
+ Some ()
+ )
+ with | None -> raise e
+ | Some () -> ()
+
+/// Rewrites LHS of an equality: on goal `squash (x == y)`, it will add `squash (x == (?u ...))`.
+let rewrite_lhs (): Tac _ =
+ let (lhs, _, _) = expect_lhs_eq_rhs () |> expect "a goal ` == ` (rewrite_lhs)" in
+ let uvar = fresh_uvar (Some (tc (cur_env ()) lhs)) in
+ tcut (`squash (`#lhs == `#uvar))
+
+/// Rewrites RHS of an equality: on goal `squash (x == y)`, it will add `squash (y == (?u ...))`.
+let rewrite_rhs (): Tac _ =
+ let (_, rhs, _) = expect_lhs_eq_rhs () |> expect "a goal ` == ` (rewrite_rhs)" in
+ let uvar = fresh_uvar (Some (tc (cur_env ()) rhs)) in
+ tcut (`squash (`#rhs == `#uvar))
+
+open FStar.Tactics
+(*** Unification *)
+(** Unifies `t` with `fn x1 ... xN`, where `x1` and `xN` are
+unification variables. This returns a list of terms to substitute `x1`
+... `xN` with. You probably want `norm_steps` to be `[delta_only
+[`%the_name_of_function_fn]]` *)
+exception UnifyAppReturn of (option (list term))
+let unify_app (t fn: term) norm_steps: Tac (option (list term))
+ = let (* Tactic types are confusing, seems like we need V1 here *)
+ open FStar.Tactics.V1 in
+ let bds = fst (collect_arr_bs (tc (cur_env ()) fn)) in
+ try
+ let _fake_goal =
+ (* create a goal `b1 -> ... -> bn -> squash True` *)
+ let trivial = `squash True in
+ let trivial_comp = pack_comp (C_Total trivial) in
+ unshelve (fresh_uvar (Some (match bds with | [] -> trivial | _ -> mk_arr bds trivial_comp)))
+ in
+ (* get back the binders `b1`, ..., `bn` *)
+ let bds = intros () in
+ let args = FStar.Tactics.Util.map (fun (b: binder) -> b <: term) bds in
+ let norm_term = norm_term (hnf::norm_steps) in
+ let fn, t = norm_term (mk_e_app fn args), norm_term t in
+ let fn = `(((`#fn), ())) in
+ let dummy_var = fresh_namedv_named "dummy_var" in
+ let t = `(((`#t), (`#dummy_var))) in
+ let vars = map (fun b ->
+ let b = inspect_binder b in
+ let {bv_index = uniq; bv_ppname = ppname} = inspect_bv b.binder_bv in
+ let sort = b.binder_sort in
+ let nv: namedv_view = {uniq; ppname; sort = seal sort} in
+ (FStar.Reflection.V2.pack_namedv nv, sort)
+ ) bds in
+ let vars =
+ List.Tot.append
+ vars
+ [(FStar.Reflection.V2.pack_namedv dummy_var, `())]
+ in
+ let?# substs = fst (try_unify (cur_env ()) vars fn t) in
+ raise (UnifyAppReturn (
+ if List.Tot.length substs <> List.Tot.length bds + 1
+ then (print ("unify_app: WARNING: inconsistent lengths: " ^ string_of_int (List.Tot.length substs) ^ " - 1 VS " ^ string_of_int (List.Tot.length bds + 1)); None)
+ else (
+ match substs with
+ | [] -> None
+ | _::substs -> Some (List.Tot.rev (map (fun (_, t) -> t) substs))
+ )))
+ with | UnifyAppReturn result -> result
+ | e -> raise e
+
+(*** Logging and time *)
+let time_tactic_ms (t: 'a -> Tac 'b) (x: 'a): Tac ('b & int)
+ = let time0 = curms () in
+ let result = t x in
+ let time1 = curms () in
+ (result, time1 - time0)
+
+let print_time prefix (t: 'a -> Tac 'b) (x: 'a): Tac 'b
+ = let (result, time) = time_tactic_ms t x in
+ print (prefix ^ string_of_int (time / 1000) ^ "." ^ string_of_int ((time/100)%10) ^ "s");
+ result
+
+(*** Unroll forall goals *)
+let _split_forall_nat
+ (upper_bound: pos)
+ ($p: (i:nat{i < upper_bound}) -> Type0)
+ : Lemma (requires (if upper_bound = 0 then True
+ else p (upper_bound - 1) /\ (forall (i:nat{i < upper_bound - 1}). p i)))
+ (ensures forall (i:nat{i < upper_bound}). p i)
+ = ()
+
+
+let focus_first_forall_goal (t : unit -> Tac unit) : Tac unit =
+ let goals = goals () in
+ let found_goal = alloc false in
+ iterAll (fun _ ->
+ (match expect_forall (cur_goal ()) with
+ | Some _ ->
+ if read found_goal
+ then ()
+ else begin
+ write found_goal true;
+ t ();
+ ()
+ end
+ | _ ->
+ ())
+ );
+ if not (read found_goal) then t ()
+
+/// Proves `forall (i:nat{i < bound})` for `bound` being a concrete int
+let rec prove_forall_nat_pointwise (tactic: unit -> Tac unit): Tac unit
+ = focus_first_forall_goal (fun _ ->
+ let _ =
+ (* hacky way of printing the progress *)
+ let goal = term_to_string (cur_goal ()) in
+ let goal = match String.split ['\n'] goal with
+ | s::_ -> s | _ -> "" in
+ print ("prove_forall_pointwise: " ^ goal ^ "...")
+ in
+ apply_lemma (`_split_forall_nat);
+ trivial `or_else` (fun _ ->
+ if try norm [primops];
+ split ();
+ true
+ with | e -> false
+ then (
+ tactic ();
+ prove_forall_nat_pointwise tactic
+ )
+ )
+ )
+
+#push-options "--compat_pre_core 2"
+private let _example (phi: int -> Type0) (proof: (i:int -> Lemma (phi i))) =
+ assert (forall (i: nat {i < 40}). phi i)
+ by (
+ prove_forall_nat_pointwise (fun _ ->
+ apply_lemma (quote proof)
+ )
+ )
+#pop-options
diff --git a/fstar-helpers/fstar-bitvec/dep.graph b/fstar-helpers/fstar-bitvec/dep.graph
new file mode 100644
index 000000000..58c54a479
--- /dev/null
+++ b/fstar-helpers/fstar-bitvec/dep.graph
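Review bot: The doc comment on `expect` says the opposite of what the code does: the `None` branch calls `dump'` and `fail`, and `Some x` is returned, so the option is expected to be `Some`, not `None`. Replace it with `/// Unwraps an option; if it is `None`, dumps the goal and fails with "Expected <msg>"`. Two smaller points in the same hunk: `focus_first_forall_goal` binds `let goals = goals () in` and never reads it, and the `fail'` comment has "cathing" for "catching". `_split_forall_nat` declares `upper_bound: pos` yet its `requires` still special-cases `upper_bound = 0`; either drop the dead branch or add a comment saying why it is kept.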
@@ -0,0 +1,2316 @@ +digraph { + "fstar_int32" -> "fstar_uint" + "fstar_int32" -> "fstar_uint" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "prims" + "fstar_int32" -> "prims" + "fstar_pervasives" -> "fstar_pervasives_native" + "fstar_pervasives" -> "fstar_pervasives_native" + "fstar_pervasives" -> "prims" + "fstar_pervasives" -> "prims" + "fstar_seq" -> "fstar_seq_properties" + "fstar_seq" -> "fstar_seq_properties" + "fstar_seq" -> "fstar_seq_base" + "fstar_seq" -> "fstar_seq_base" + "fstar_seq" -> "fstar_pervasives" + "fstar_seq" -> "fstar_pervasives" + "fstar_seq" -> "prims" + "fstar_seq" -> "prims" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_uint32" + "fstar_int32" -> "fstar_math_lemmas" + "fstar_int32" -> "fstar_math_lemmas" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_mul" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_int" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "fstar_pervasives" + "fstar_int32" -> "prims" + "fstar_int32" -> "prims" + "fstar_int32" -> "fstar_int32" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_reflection_v1" + "fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" + 
"fstar_tactics_v1_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v1_syntaxhelpers" -> "prims" + "fstar_tactics_v1_syntaxhelpers" -> "prims" + "core_option" -> "fstar_pervasives" + "core_option" -> "fstar_pervasives" + "core_option" -> "prims" + "core_option" -> "prims" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "prims" + "fstar_seq_properties" -> "prims" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "prims" + "fstar_squash" -> "prims" + "fstar_squash" -> "fstar_squash" + "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_unseal" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_tactics_types" + "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v1_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v1_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_data" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_tactics_v1_builtins" -> "fstar_stubs_reflection_v1_builtins" + "fstar_stubs_tactics_v1_builtins" -> "fstar_vconfig" + "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v1_builtins" -> "prims" + "fstar_stubs_tactics_v1_builtins" -> "prims" + "fstar_tactics_print" 
-> "fstar_tactics_namedview" + "fstar_tactics_print" -> "fstar_tactics_namedview" + "fstar_tactics_print" -> "fstar_tactics_v2_derived" + "fstar_tactics_print" -> "fstar_tactics_v2_derived" + "fstar_tactics_print" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_print" -> "fstar_tactics_effect" + "fstar_tactics_print" -> "fstar_tactics_effect" + "fstar_tactics_print" -> "fstar_reflection_v2" + "fstar_tactics_print" -> "fstar_reflection_v2" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "fstar_pervasives" + "fstar_tactics_print" -> "prims" + "fstar_tactics_print" -> "prims" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_mul" + "lib_inttypes" -> "fstar_mul" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "prims" + "lib_inttypes" -> "prims" + "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" + "fstar_reflection_v1_compare" -> "fstar_reflection_v2_compare" + "fstar_reflection_v1_compare" -> "fstar_pervasives" + "fstar_reflection_v1_compare" -> "fstar_pervasives" + "fstar_reflection_v1_compare" -> "prims" + "fstar_reflection_v1_compare" -> "prims" + "fstar_classical" -> "fstar_squash" + 
"fstar_classical" -> "fstar_squash" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "prims" + "fstar_classical" -> "prims" + "fstar_classical" -> "fstar_classical" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "prims" + "fstar_seq_base" -> "prims" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_properties" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_list_tot_base" + "fstar_seq_properties" -> "fstar_squash" + "fstar_seq_properties" -> "fstar_squash" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_list_tot" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_pervasives_native" + "fstar_seq_properties" -> "fstar_classical" + "fstar_seq_properties" -> "fstar_classical" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_seq_base" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "fstar_pervasives" + "fstar_seq_properties" -> "prims" + "fstar_seq_properties" -> "prims" + "fstar_seq_properties" -> "fstar_seq_properties" + "fstar_calc" -> "fstar_classical" + "fstar_calc" -> "fstar_classical" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_squash" + "fstar_calc" -> "fstar_squash" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "prims" + "fstar_calc" -> "prims" + "fstar_calc" -> "fstar_calc" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" + 
"fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "prims" + "fstar_reflection_termeq" -> "prims" + "tactics_pow2" -> "fstar_tactics_effect" + "tactics_pow2" -> "fstar_tactics_effect" + "tactics_pow2" -> "fstar_tactics_v2" + "tactics_pow2" -> "fstar_tactics_v2" + "tactics_pow2" -> "tactics_utils" + "tactics_pow2" -> "tactics_utils" + "tactics_pow2" -> "core" + "tactics_pow2" -> "core" + "tactics_pow2" -> "fstar_pervasives" + "tactics_pow2" -> "fstar_pervasives" + "tactics_pow2" -> "prims" + "tactics_pow2" -> "prims" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "fstar_pervasives" + "fstar_classical" -> "prims" + "fstar_classical" -> "prims" + "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_v2_data" + "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v2_builtins" -> "fstar_vconfig" + "fstar_stubs_reflection_v2_builtins" -> "fstar_stubs_syntax_syntax" + "fstar_stubs_reflection_v2_builtins" -> "fstar_order" + "fstar_stubs_reflection_v2_builtins" -> "fstar_order" + "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_builtins" -> "prims" + "fstar_stubs_reflection_v2_builtins" -> "prims" + "rust_primitives_bitvectors" -> "fstar_math_lemmas" + "rust_primitives_bitvectors" -> "fstar_math_lemmas" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "prims" + 
"rust_primitives_bitvectors" -> "rust_primitives_bitvectors" + "fstar_option" -> "fstar_pervasives_native" + "fstar_option" -> "fstar_pervasives_native" + "fstar_option" -> "fstar_all" + "fstar_option" -> "fstar_all" + "fstar_option" -> "fstar_pervasives" + "fstar_option" -> "fstar_pervasives" + "fstar_option" -> "prims" + "fstar_option" -> "prims" + "fstar_propositionalextensionality" -> "fstar_pervasives" + "fstar_propositionalextensionality" -> "fstar_pervasives" + "fstar_propositionalextensionality" -> "prims" + "fstar_propositionalextensionality" -> "prims" + "fstar_erasedlogic" -> "fstar_ghost" + "fstar_erasedlogic" -> "fstar_ghost" + "fstar_erasedlogic" -> "fstar_pervasives" + "fstar_erasedlogic" -> "fstar_pervasives" + "fstar_erasedlogic" -> "prims" + "fstar_erasedlogic" -> "prims" + "bitveceq" -> "fstar_functionalextensionality" + "bitveceq" -> "fstar_functionalextensionality" + "bitveceq" -> "fstar_mul" + "bitveceq" -> "fstar_mul" + "bitveceq" -> "core" + "bitveceq" -> "core" + "bitveceq" -> "fstar_pervasives" + "bitveceq" -> "fstar_pervasives" + "bitveceq" -> "prims" + "bitveceq" -> "prims" + "bitveceq" -> "bitveceq" + "fstar_issue" -> "fstar_stubs_pprint" + "fstar_issue" -> "fstar_range" + "fstar_issue" -> "fstar_pervasives" + "fstar_issue" -> "fstar_pervasives" + "fstar_issue" -> "prims" + "fstar_issue" -> "prims" + "fstar_mul" -> "fstar_pervasives" + "fstar_mul" -> "fstar_pervasives" + "fstar_mul" -> "prims" + "fstar_mul" -> "prims" + "tactics_utils" -> "fstar_tactics_effect" + "tactics_utils" -> "fstar_tactics_effect" + "tactics_utils" -> "fstar_char" + "tactics_utils" -> "fstar_string" + "tactics_utils" -> "fstar_reflection_v2" + "tactics_utils" -> "fstar_reflection_v2" + "tactics_utils" -> "fstar_tactics_util" + "tactics_utils" -> "fstar_tactics_util" + "tactics_utils" -> "fstar_tactics_v1" + "tactics_utils" -> "fstar_tactics_v1" + "tactics_utils" -> "fstar_tactics" + "tactics_utils" -> "fstar_tactics" + "tactics_utils" -> "fstar_pervasives_native" 
+ "tactics_utils" -> "fstar_pervasives_native" + "tactics_utils" -> "fstar_mul" + "tactics_utils" -> "fstar_mul" + "tactics_utils" -> "fstar_class_printable" + "tactics_utils" -> "fstar_class_printable" + "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_utils" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_utils" -> "fstar_tactics_v2" + "tactics_utils" -> "fstar_tactics_v2" + "tactics_utils" -> "fstar_list_tot" + "tactics_utils" -> "fstar_list_tot" + "tactics_utils" -> "fstar_option" + "tactics_utils" -> "fstar_option" + "tactics_utils" -> "core" + "tactics_utils" -> "core" + "tactics_utils" -> "fstar_pervasives" + "tactics_utils" -> "fstar_pervasives" + "tactics_utils" -> "prims" + "tactics_utils" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "bitvec_intrinsics" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "prims" + "fstar_stubs_tactics_types" -> "fstar_issue" + "fstar_stubs_tactics_types" -> "fstar_range" + "fstar_stubs_tactics_types" -> "fstar_stubs_typechecker_core" + "fstar_stubs_tactics_types" -> "fstar_stubs_tactics_common" + "fstar_stubs_tactics_types" -> "fstar_stubs_reflection_types" + "fstar_stubs_tactics_types" -> "fstar_pervasives" + "fstar_stubs_tactics_types" -> "fstar_pervasives" + "fstar_stubs_tactics_types" -> "prims" + "fstar_stubs_tactics_types" -> "prims" + "fstar_exn" -> "fstar_pervasives" + "fstar_exn" -> "fstar_pervasives" + "fstar_exn" -> "prims" + "fstar_exn" -> "prims" + "core_iter" -> "rust_primitives_arrays" + "core_iter" -> "rust_primitives_arrays" + "core_iter" -> "core_ops_range" + "core_iter" -> "core_iter_adapters_step_by" + "core_iter" -> "core_iter_adapters_step_by" + 
"core_iter" -> "fstar_pervasives_native" + "core_iter" -> "fstar_pervasives_native" + "core_iter" -> "core_ops" + "core_iter" -> "core_ops" + "core_iter" -> "fstar_tactics_typeclasses" + "core_iter" -> "fstar_tactics_typeclasses" + "core_iter" -> "core_iter_adapters_enumerate" + "core_iter" -> "core_iter_adapters_enumerate" + "core_iter" -> "core_iter_traits_iterator" + "core_iter" -> "core_iter_traits_iterator" + "core_iter" -> "rust_primitives" + "core_iter" -> "rust_primitives" + "core_iter" -> "fstar_pervasives" + "core_iter" -> "fstar_pervasives" + "core_iter" -> "prims" + "core_iter" -> "prims" + "fstar_functionalextensionality" -> "fstar_pervasives_native" + "fstar_functionalextensionality" -> "fstar_pervasives_native" + "fstar_functionalextensionality" -> "fstar_tactics_effect" + "fstar_functionalextensionality" -> "fstar_tactics_effect" + "fstar_functionalextensionality" -> "fstar_stubs_tactics_types" + "fstar_functionalextensionality" -> "fstar_stubs_reflection_types" + "fstar_functionalextensionality" -> "fstar_stubs_tactics_v2_builtins" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "prims" + "fstar_functionalextensionality" -> "prims" + "fstar_functionalextensionality" -> "fstar_functionalextensionality" + "core_iter_adapters_step_by" -> "rust_primitives" + "core_iter_adapters_step_by" -> "rust_primitives" + "core_iter_adapters_step_by" -> "fstar_pervasives" + "core_iter_adapters_step_by" -> "fstar_pervasives" + "core_iter_adapters_step_by" -> "prims" + "core_iter_adapters_step_by" -> "prims" + "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v1_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v1_derived" -> "fstar_squash" + "fstar_tactics_v1_derived" -> "fstar_squash" + "fstar_tactics_v1_derived" -> "fstar_range" + "fstar_tactics_v1_derived" -> "fstar_pervasives_native" + "fstar_tactics_v1_derived" 
-> "fstar_pervasives_native" + "fstar_tactics_v1_derived" -> "fstar_tactics_visit" + "fstar_tactics_v1_derived" -> "fstar_tactics_visit" + "fstar_tactics_v1_derived" -> "fstar_list_tot_base" + "fstar_tactics_v1_derived" -> "fstar_list_tot_base" + "fstar_tactics_v1_derived" -> "fstar_vconfig" + "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1_derived" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_derived" -> "fstar_tactics_util" + "fstar_tactics_v1_derived" -> "fstar_tactics_util" + "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_result" + "fstar_tactics_v1_derived" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1_derived" -> "fstar_tactics_effect" + "fstar_tactics_v1_derived" -> "fstar_tactics_effect" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1" + "fstar_tactics_v1_derived" -> "fstar_reflection_v1" + "fstar_tactics_v1_derived" -> "fstar_pervasives" + "fstar_tactics_v1_derived" -> "fstar_pervasives" + "fstar_tactics_v1_derived" -> "prims" + "fstar_tactics_v1_derived" -> "prims" + "fstar_tactics_visit" -> "fstar_pervasives_native" + "fstar_tactics_visit" -> "fstar_pervasives_native" + "fstar_tactics_visit" -> "fstar_tactics_util" + "fstar_tactics_visit" -> "fstar_tactics_util" + "fstar_tactics_visit" -> "fstar_tactics_effect" + "fstar_tactics_visit" -> "fstar_tactics_effect" + "fstar_tactics_visit" -> "fstar_reflection_v2" + "fstar_tactics_visit" -> "fstar_reflection_v2" + "fstar_tactics_visit" -> "fstar_pervasives" + "fstar_tactics_visit" -> "fstar_pervasives" + "fstar_tactics_visit" -> "prims" + "fstar_tactics_visit" -> "prims" + "rust_primitives_bitvectors" -> "fstar_uint8" + "rust_primitives_bitvectors" -> "fstar_uint8" + "rust_primitives_bitvectors" -> "fstar_uint16" + "rust_primitives_bitvectors" -> "fstar_uint16" + 
"rust_primitives_bitvectors" -> "fstar_uint32" + "rust_primitives_bitvectors" -> "fstar_uint32" + "rust_primitives_bitvectors" -> "fstar_int16" + "rust_primitives_bitvectors" -> "fstar_int16" + "rust_primitives_bitvectors" -> "fstar_int32" + "rust_primitives_bitvectors" -> "fstar_int32" + "rust_primitives_bitvectors" -> "fstar_seq" + "rust_primitives_bitvectors" -> "fstar_seq" + "rust_primitives_bitvectors" -> "fstar_functionalextensionality" + "rust_primitives_bitvectors" -> "fstar_functionalextensionality" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_integers" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "rust_primitives_arrays" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_mul" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "fstar_pervasives" + "rust_primitives_bitvectors" -> "prims" + "rust_primitives_bitvectors" -> "prims" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "prims" + "fstar_uint16" -> "prims" + "fstar_uint16" -> "fstar_uint16" + "core_num_error" -> "rust_primitives" + "core_num_error" -> "rust_primitives" + "core_num_error" -> "fstar_pervasives" + "core_num_error" -> "fstar_pervasives" + "core_num_error" -> "prims" + "core_num_error" -> "prims" + "bitveceq" -> "fstar_math_lemmas" + "bitveceq" -> "fstar_math_lemmas" + "bitveceq" -> "fstar_seq" + "bitveceq" -> "fstar_seq" + "bitveceq" -> "fstar_classical_sugar" + "bitveceq" -> "fstar_classical_sugar" + "bitveceq" -> "fstar_functionalextensionality" + "bitveceq" -> "fstar_functionalextensionality" + "bitveceq" -> "mkseq" + "bitveceq" -> "mkseq" + "bitveceq" -> 
"fstar_mul" + "bitveceq" -> "fstar_mul" + "bitveceq" -> "core" + "bitveceq" -> "core" + "bitveceq" -> "fstar_pervasives" + "bitveceq" -> "fstar_pervasives" + "bitveceq" -> "prims" + "bitveceq" -> "prims" + "lib_inttypes" -> "fstar_bitvector" + "lib_inttypes" -> "fstar_bitvector" + "lib_inttypes" -> "fstar_seq" + "lib_inttypes" -> "fstar_seq" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_uint" + "lib_inttypes" -> "fstar_pervasives_native" + "lib_inttypes" -> "fstar_pervasives_native" + "lib_inttypes" -> "fstar_int_cast_full" + "lib_inttypes" -> "fstar_int_cast_full" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int" + "lib_inttypes" -> "fstar_int_cast" + "lib_inttypes" -> "fstar_int_cast" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int128" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int64" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int32" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int16" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_int8" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint128" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint64" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint32" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint16" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_uint8" + "lib_inttypes" -> "fstar_math_lemmas" + "lib_inttypes" -> "fstar_math_lemmas" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "fstar_pervasives" + "lib_inttypes" -> "prims" + "lib_inttypes" -> "prims" + "lib_inttypes" -> "lib_inttypes" + "fstar_int_cast_full" -> "fstar_uint128" + "fstar_int_cast_full" -> "fstar_uint128" + "fstar_int_cast_full" -> "fstar_uint64" + "fstar_int_cast_full" -> "fstar_uint64" + "fstar_int_cast_full" -> "fstar_int_cast" + "fstar_int_cast_full" -> "fstar_int_cast" + "fstar_int_cast_full" -> "fstar_pervasives" + "fstar_int_cast_full" -> 
"fstar_pervasives" + "fstar_int_cast_full" -> "prims" + "fstar_int_cast_full" -> "prims" + "rust_primitives_hax" -> "fstar_list_tot" + "rust_primitives_hax" -> "fstar_list_tot" + "rust_primitives_hax" -> "lib_inttypes" + "rust_primitives_hax" -> "lib_inttypes" + "rust_primitives_hax" -> "core_slice" + "rust_primitives_hax" -> "fstar_tactics_typeclasses" + "rust_primitives_hax" -> "fstar_tactics_typeclasses" + "rust_primitives_hax" -> "core_ops_index" + "rust_primitives_hax" -> "core_ops_index" + "rust_primitives_hax" -> "fstar_seq" + "rust_primitives_hax" -> "fstar_seq" + "rust_primitives_hax" -> "rust_primitives_arrays" + "rust_primitives_hax" -> "rust_primitives_arrays" + "rust_primitives_hax" -> "rust_primitives_integers" + "rust_primitives_hax" -> "rust_primitives_integers" + "rust_primitives_hax" -> "fstar_pervasives" + "rust_primitives_hax" -> "fstar_pervasives" + "rust_primitives_hax" -> "prims" + "rust_primitives_hax" -> "prims" + "fstar_reflection_v2_formula" -> "fstar_pervasives_native" + "fstar_reflection_v2_formula" -> "fstar_pervasives_native" + "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" + "fstar_reflection_v2_formula" -> "fstar_reflection_termeq_simple" + "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" + "fstar_reflection_v2_formula" -> "fstar_tactics_namedview" + "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_v2_builtins" + "fstar_reflection_v2_formula" -> "fstar_tactics_effect" + "fstar_reflection_v2_formula" -> "fstar_tactics_effect" + "fstar_reflection_v2_formula" -> "fstar_stubs_tactics_common" + "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_formula" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_formula" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_formula" -> "fstar_reflection_const" + "fstar_reflection_v2_formula" -> "fstar_reflection_const" + 
"fstar_reflection_v2_formula" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_formula" -> "fstar_list_tot_base" + "fstar_reflection_v2_formula" -> "fstar_list_tot_base" + "fstar_reflection_v2_formula" -> "fstar_pervasives" + "fstar_reflection_v2_formula" -> "fstar_pervasives" + "fstar_reflection_v2_formula" -> "prims" + "fstar_reflection_v2_formula" -> "prims" + "fstar_tactics_unseal" -> "fstar_tactics_effect" + "fstar_tactics_unseal" -> "fstar_tactics_effect" + "fstar_tactics_unseal" -> "fstar_sealed" + "fstar_tactics_unseal" -> "fstar_pervasives" + "fstar_tactics_unseal" -> "fstar_pervasives" + "fstar_tactics_unseal" -> "prims" + "fstar_tactics_unseal" -> "prims" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_math_lemmas" + "fstar_int128" -> "fstar_math_lemmas" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "prims" + "fstar_int128" -> "prims" + "fstar_int128" -> "fstar_int128" + "tactics_seq" -> "fstar_tactics_effect" + "tactics_seq" -> "fstar_tactics_effect" + "tactics_seq" -> "fstar_pervasives_native" + "tactics_seq" -> "fstar_pervasives_native" + "tactics_seq" -> "tactics_pow2" + "tactics_seq" -> "tactics_pow2" + "tactics_seq" -> "tactics_utils" + "tactics_seq" -> "tactics_utils" + "tactics_seq" -> "fstar_option" + "tactics_seq" -> "fstar_option" + "tactics_seq" -> "fstar_mul" + "tactics_seq" -> "fstar_mul" + "tactics_seq" -> "fstar_class_printable" + "tactics_seq" -> "fstar_class_printable" + "tactics_seq" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_seq" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_seq" -> "fstar_tactics_v2" + "tactics_seq" -> "fstar_tactics_v2" + "tactics_seq" -> "fstar_seq_base" + "tactics_seq" -> "fstar_seq_base" + "tactics_seq" -> 
"fstar_list_tot" + "tactics_seq" -> "fstar_list_tot" + "tactics_seq" -> "core" + "tactics_seq" -> "core" + "tactics_seq" -> "fstar_pervasives" + "tactics_seq" -> "fstar_pervasives" + "tactics_seq" -> "prims" + "tactics_seq" -> "prims" + "rust_primitives" -> "fstar_seq" + "rust_primitives" -> "fstar_seq" + "rust_primitives" -> "fstar_tactics_typeclasses" + "rust_primitives" -> "fstar_tactics_typeclasses" + "rust_primitives" -> "core_ops_control_flow" + "rust_primitives" -> "core_ops_control_flow" + "rust_primitives" -> "core_result" + "rust_primitives" -> "core_result" + "rust_primitives" -> "core_option" + "rust_primitives" -> "core_option" + "rust_primitives" -> "rust_primitives_bitvectors" + "rust_primitives" -> "rust_primitives_bitvectors" + "rust_primitives" -> "rust_primitives_arrays" + "rust_primitives" -> "rust_primitives_arrays" + "rust_primitives" -> "rust_primitives_integers" + "rust_primitives" -> "rust_primitives_integers" + "rust_primitives" -> "fstar_pervasives" + "rust_primitives" -> "fstar_pervasives" + "rust_primitives" -> "prims" + "rust_primitives" -> "prims" + "fstar_set" -> "fstar_classical" + "fstar_set" -> "fstar_classical" + "fstar_set" -> "fstar_functionalextensionality" + "fstar_set" -> "fstar_functionalextensionality" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "prims" + "fstar_set" -> "prims" + "fstar_set" -> "fstar_set" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_pervasives_native" + "fstar_tactics_v1_logic" -> "fstar_squash" + "fstar_tactics_v1_logic" -> "fstar_squash" + "fstar_tactics_v1_logic" -> "fstar_indefinitedescription" + "fstar_tactics_v1_logic" -> "fstar_indefinitedescription" + "fstar_tactics_v1_logic" -> "fstar_classical" + "fstar_tactics_v1_logic" -> "fstar_classical" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1_logic" -> 
"fstar_reflection_v1" + "fstar_tactics_v1_logic" -> "fstar_reflection_v1" + "fstar_tactics_v1_logic" -> "fstar_tactics_util" + "fstar_tactics_v1_logic" -> "fstar_tactics_util" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1_logic" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1_logic" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1_logic" -> "fstar_tactics_effect" + "fstar_tactics_v1_logic" -> "fstar_tactics_effect" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "fstar_pervasives" + "fstar_tactics_v1_logic" -> "prims" + "fstar_tactics_v1_logic" -> "prims" + "fstar_class_printable" -> "fstar_seq" + "fstar_class_printable" -> "fstar_seq" + "fstar_class_printable" -> "fstar_uint64" + "fstar_class_printable" -> "fstar_uint64" + "fstar_class_printable" -> "fstar_int64" + "fstar_class_printable" -> "fstar_int64" + "fstar_class_printable" -> "fstar_uint32" + "fstar_class_printable" -> "fstar_uint32" + "fstar_class_printable" -> "fstar_int32" + "fstar_class_printable" -> "fstar_int32" + "fstar_class_printable" -> "fstar_uint16" + "fstar_class_printable" -> "fstar_uint16" + "fstar_class_printable" -> "fstar_int16" + "fstar_class_printable" -> "fstar_int16" + "fstar_class_printable" -> "fstar_int8" + "fstar_class_printable" -> "fstar_int8" + "fstar_class_printable" -> "fstar_uint8" + "fstar_class_printable" -> "fstar_uint8" + "fstar_class_printable" -> "fstar_char" + "fstar_class_printable" -> "fstar_list_tot" + "fstar_class_printable" -> "fstar_list_tot" + "fstar_class_printable" -> "fstar_tactics_typeclasses" + "fstar_class_printable" -> "fstar_tactics_typeclasses" + "fstar_class_printable" -> "fstar_seq_properties" + "fstar_class_printable" -> "fstar_seq_properties" + "fstar_class_printable" -> "fstar_string" + "fstar_class_printable" -> "fstar_pervasives" + "fstar_class_printable" -> "fstar_pervasives" + "fstar_class_printable" -> "prims" + "fstar_class_printable" -> "prims" + "tactics_getbit" -> 
"fstar_functionalextensionality" + "tactics_getbit" -> "fstar_functionalextensionality" + "tactics_getbit" -> "tactics_machineints" + "tactics_getbit" -> "tactics_machineints" + "tactics_getbit" -> "rust_primitives_hax" + "tactics_getbit" -> "rust_primitives_hax" + "tactics_getbit" -> "tactics_seq" + "tactics_getbit" -> "tactics_seq" + "tactics_getbit" -> "bitveceq" + "tactics_getbit" -> "bitveceq" + "tactics_getbit" -> "tactics_pow2" + "tactics_getbit" -> "tactics_pow2" + "tactics_getbit" -> "tactics_utils" + "tactics_getbit" -> "tactics_utils" + "tactics_getbit" -> "fstar_option" + "tactics_getbit" -> "fstar_option" + "tactics_getbit" -> "fstar_mul" + "tactics_getbit" -> "fstar_mul" + "tactics_getbit" -> "fstar_class_printable" + "tactics_getbit" -> "fstar_class_printable" + "tactics_getbit" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_getbit" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_getbit" -> "fstar_tactics_v2" + "tactics_getbit" -> "fstar_tactics_v2" + "tactics_getbit" -> "fstar_list_tot" + "tactics_getbit" -> "fstar_list_tot" + "tactics_getbit" -> "core" + "tactics_getbit" -> "core" + "tactics_getbit" -> "fstar_pervasives" + "tactics_getbit" -> "fstar_pervasives" + "tactics_getbit" -> "prims" + "tactics_getbit" -> "prims" + "tactics_machineints" -> "fstar_uint8" + "tactics_machineints" -> "fstar_uint8" + "tactics_machineints" -> "fstar_tactics_effect" + "tactics_machineints" -> "fstar_tactics_effect" + "tactics_machineints" -> "fstar_list_tot" + "tactics_machineints" -> "fstar_list_tot" + "tactics_machineints" -> "lib_inttypes" + "tactics_machineints" -> "lib_inttypes" + "tactics_machineints" -> "fstar_pervasives_native" + "tactics_machineints" -> "fstar_pervasives_native" + "tactics_machineints" -> "rust_primitives_integers" + "tactics_machineints" -> "rust_primitives_integers" + "tactics_machineints" -> "tactics_utils" + "tactics_machineints" -> "tactics_utils" + "tactics_machineints" -> "fstar_option" + "tactics_machineints" -> "fstar_option" + 
"tactics_machineints" -> "fstar_class_printable" + "tactics_machineints" -> "fstar_class_printable" + "tactics_machineints" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_machineints" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_machineints" -> "fstar_tactics_v2" + "tactics_machineints" -> "fstar_tactics_v2" + "tactics_machineints" -> "fstar_pervasives" + "tactics_machineints" -> "fstar_pervasives" + "tactics_machineints" -> "prims" + "tactics_machineints" -> "prims" + "fstar_preorder" -> "fstar_pervasives" + "fstar_preorder" -> "fstar_pervasives" + "fstar_preorder" -> "prims" + "fstar_preorder" -> "prims" + "fstar_reflection_const" -> "fstar_pervasives" + "fstar_reflection_const" -> "fstar_pervasives" + "fstar_reflection_const" -> "prims" + "fstar_reflection_const" -> "prims" + "fstar_tactics_bv" -> "fstar_pervasives_native" + "fstar_tactics_bv" -> "fstar_pervasives_native" + "fstar_tactics_bv" -> "fstar_uint" + "fstar_tactics_bv" -> "fstar_uint" + "fstar_tactics_bv" -> "fstar_bv" + "fstar_tactics_bv" -> "fstar_bv" + "fstar_tactics_bv" -> "fstar_reflection_v2_arith" + "fstar_tactics_bv" -> "fstar_reflection_v2_arith" + "fstar_tactics_bv" -> "fstar_reflection_v2_formula" + "fstar_tactics_bv" -> "fstar_reflection_v2_formula" + "fstar_tactics_bv" -> "fstar_tactics_v2" + "fstar_tactics_bv" -> "fstar_tactics_v2" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "fstar_pervasives" + "fstar_tactics_bv" -> "prims" + "fstar_tactics_bv" -> "prims" + "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2" -> "fstar_tactics_smt" + "fstar_tactics_v2" -> "fstar_tactics_smt" + "fstar_tactics_v2" -> "fstar_tactics_mapply" + "fstar_tactics_v2" -> "fstar_tactics_mapply" + "fstar_tactics_v2" -> "fstar_tactics_namedview" + "fstar_tactics_v2" -> "fstar_tactics_namedview" + "fstar_tactics_v2" -> "fstar_tactics_visit" + "fstar_tactics_v2" -> "fstar_tactics_visit" + "fstar_tactics_v2" -> 
"fstar_tactics_print" + "fstar_tactics_v2" -> "fstar_tactics_print" + "fstar_tactics_v2" -> "fstar_tactics_util" + "fstar_tactics_v2" -> "fstar_tactics_util" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2" -> "fstar_tactics_v2_logic" + "fstar_tactics_v2" -> "fstar_tactics_v2_logic" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2" -> "fstar_tactics_effect" + "fstar_tactics_v2" -> "fstar_tactics_effect" + "fstar_tactics_v2" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2" -> "fstar_reflection_v2" + "fstar_tactics_v2" -> "fstar_reflection_v2" + "fstar_tactics_v2" -> "fstar_stubs_reflection_types" + "fstar_tactics_v2" -> "fstar_pervasives" + "fstar_tactics_v2" -> "fstar_pervasives" + "fstar_tactics_v2" -> "prims" + "fstar_tactics_v2" -> "prims" + "fstar_stubs_tactics_result" -> "fstar_stubs_tactics_types" + "fstar_stubs_tactics_result" -> "fstar_pervasives" + "fstar_stubs_tactics_result" -> "fstar_pervasives" + "fstar_stubs_tactics_result" -> "prims" + "fstar_stubs_tactics_result" -> "prims" + "fstar_tactics_effect" -> "fstar_stubs_tactics_result" + "fstar_tactics_effect" -> "fstar_stubs_tactics_types" + "fstar_tactics_effect" -> "fstar_stubs_reflection_types" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "prims" + "fstar_tactics_effect" -> "prims" + "fstar_tactics_effect" -> "fstar_tactics_effect" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + 
"fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "prims" + "fstar_monotonic_witnessed" -> "prims" + "fstar_range" -> "fstar_sealed" + "fstar_range" -> "fstar_pervasives" + "fstar_range" -> "fstar_pervasives" + "fstar_range" -> "prims" + "fstar_range" -> "prims" + "fstar_monotonic_witnessed" -> "fstar_classical" + "fstar_monotonic_witnessed" -> "fstar_classical" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_preorder" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "fstar_pervasives" + "fstar_monotonic_witnessed" -> "prims" + "fstar_monotonic_witnessed" -> "prims" + "fstar_monotonic_witnessed" -> "fstar_monotonic_witnessed" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "prims" + "fstar_uint32" -> "prims" + "fstar_uint32" -> "fstar_uint32" + "fstar_st" -> "fstar_set" + "fstar_st" -> "fstar_set" + "fstar_st" -> "fstar_monotonic_witnessed" + "fstar_st" -> "fstar_monotonic_witnessed" + "fstar_st" -> "fstar_preorder" + "fstar_st" -> "fstar_preorder" + "fstar_st" -> "fstar_heap" + "fstar_st" -> "fstar_heap" + "fstar_st" -> "fstar_tset" + "fstar_st" -> "fstar_tset" + "fstar_st" -> "fstar_pervasives" + "fstar_st" -> "fstar_pervasives" + "fstar_st" -> "prims" + "fstar_st" -> "prims" + "bitvec_intrinsics" -> "fstar_list_tot" + "bitvec_intrinsics" -> "fstar_list_tot" + "bitvec_intrinsics" -> "fstar_string" + "bitvec_intrinsics" -> "fstar_tactics_v2_derived" + "bitvec_intrinsics" -> "fstar_tactics_v2_derived" + "bitvec_intrinsics" -> "fstar_stubs_tactics_v2_builtins" + "bitvec_intrinsics" -> "libcrux_intrinsics_avx2_extract" + "bitvec_intrinsics" -> "libcrux_intrinsics_avx2_extract" + "bitvec_intrinsics" -> "fstar_tactics" + "bitvec_intrinsics" -> "fstar_tactics" + "bitvec_intrinsics" -> 
"fstar_int16" + "bitvec_intrinsics" -> "fstar_int16" + "bitvec_intrinsics" -> "fstar_tactics_v2" + "bitvec_intrinsics" -> "fstar_tactics_v2" + "bitvec_intrinsics" -> "fstar_int32" + "bitvec_intrinsics" -> "fstar_int32" + "bitvec_intrinsics" -> "tactics_utils" + "bitvec_intrinsics" -> "tactics_utils" + "bitvec_intrinsics" -> "bitvec_equality" + "bitvec_intrinsics" -> "bitvec_equality" + "bitvec_intrinsics" -> "bitvec_utils" + "bitvec_intrinsics" -> "bitvec_utils" + "bitvec_intrinsics" -> "fstar_mul" + "bitvec_intrinsics" -> "fstar_mul" + "bitvec_intrinsics" -> "rust_primitives" + "bitvec_intrinsics" -> "rust_primitives" + "bitvec_intrinsics" -> "core" + "bitvec_intrinsics" -> "core" + "bitvec_intrinsics" -> "fstar_pervasives" + "bitvec_intrinsics" -> "fstar_pervasives" + "bitvec_intrinsics" -> "prims" + "bitvec_intrinsics" -> "prims" + "fstar_stubs_typechecker_core" -> "fstar_pervasives" + "fstar_stubs_typechecker_core" -> "fstar_pervasives" + "fstar_stubs_typechecker_core" -> "prims" + "fstar_stubs_typechecker_core" -> "prims" + "fstar_char" -> "fstar_uint32" + "fstar_char" -> "fstar_uint32" + "fstar_char" -> "fstar_pervasives" + "fstar_char" -> "fstar_pervasives" + "fstar_char" -> "prims" + "fstar_char" -> "prims" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_math_lemmas" + "fstar_int8" -> "fstar_math_lemmas" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "prims" + "fstar_int8" -> "prims" + "fstar_int8" -> "fstar_int8" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_mul" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_uint" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "fstar_pervasives" + "fstar_uint32" -> "prims" + "fstar_uint32" -> "prims" + "fstar_tset" -> "fstar_squash" + "fstar_tset" -> "fstar_squash" + "fstar_tset" 
-> "fstar_strongexcludedmiddle" + "fstar_tset" -> "fstar_strongexcludedmiddle" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_predicateextensionality" + "fstar_tset" -> "fstar_predicateextensionality" + "fstar_tset" -> "fstar_functionalextensionality" + "fstar_tset" -> "fstar_functionalextensionality" + "fstar_tset" -> "fstar_propositionalextensionality" + "fstar_tset" -> "fstar_propositionalextensionality" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "prims" + "fstar_tset" -> "prims" + "fstar_tset" -> "fstar_tset" + "tactics_folds" -> "tactics_utils" + "tactics_folds" -> "tactics_utils" + "tactics_folds" -> "rust_primitives_hax_folds" + "tactics_folds" -> "fstar_option" + "tactics_folds" -> "fstar_option" + "tactics_folds" -> "fstar_mul" + "tactics_folds" -> "fstar_mul" + "tactics_folds" -> "fstar_class_printable" + "tactics_folds" -> "fstar_class_printable" + "tactics_folds" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_folds" -> "fstar_tactics_v2_syntaxhelpers" + "tactics_folds" -> "fstar_tactics_v2" + "tactics_folds" -> "fstar_tactics_v2" + "tactics_folds" -> "fstar_seq_base" + "tactics_folds" -> "fstar_seq_base" + "tactics_folds" -> "fstar_list_tot" + "tactics_folds" -> "fstar_list_tot" + "tactics_folds" -> "core" + "tactics_folds" -> "core" + "tactics_folds" -> "fstar_pervasives" + "tactics_folds" -> "fstar_pervasives" + "tactics_folds" -> "prims" + "tactics_folds" -> "prims" + "fstar_vconfig" -> "fstar_pervasives" + "fstar_vconfig" -> "fstar_pervasives" + "fstar_vconfig" -> "prims" + "fstar_vconfig" -> "prims" + "fstar_reflection_v2_derived" -> "fstar_list_tot_base" + "fstar_reflection_v2_derived" -> "fstar_list_tot_base" + "fstar_reflection_v2_derived" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived" -> "fstar_list_tot" + "fstar_reflection_v2_derived" -> "fstar_list_tot" + 
"fstar_reflection_v2_derived" -> "fstar_vconfig" + "fstar_reflection_v2_derived" -> "fstar_order" + "fstar_reflection_v2_derived" -> "fstar_order" + "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_derived" -> "fstar_reflection_const" + "fstar_reflection_v2_derived" -> "fstar_reflection_const" + "fstar_reflection_v2_derived" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_derived" -> "fstar_pervasives" + "fstar_reflection_v2_derived" -> "fstar_pervasives" + "fstar_reflection_v2_derived" -> "prims" + "fstar_reflection_v2_derived" -> "prims" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_set" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "fstar_pervasives" + "fstar_tset" -> "prims" + "fstar_tset" -> "prims" + "fstar_tactics" -> "fstar_tactics_v1" + "fstar_tactics" -> "fstar_tactics_v1" + "fstar_tactics" -> "fstar_pervasives" + "fstar_tactics" -> "fstar_pervasives" + "fstar_tactics" -> "prims" + "fstar_tactics" -> "prims" + "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v1_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v1_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_derived_lemmas" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1_derived_lemmas" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v1_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v1_derived_lemmas" -> "prims" + 
"fstar_reflection_v1_derived_lemmas" -> "prims" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "fstar_pervasives" + "fstar_set" -> "prims" + "fstar_set" -> "prims" + "fstar_classical_sugar" -> "fstar_squash" + "fstar_classical_sugar" -> "fstar_squash" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "prims" + "fstar_classical_sugar" -> "prims" + "fstar_classical_sugar" -> "fstar_classical_sugar" + "rust_primitives_integers" -> "fstar_pervasives_native" + "rust_primitives_integers" -> "fstar_pervasives_native" + "rust_primitives_integers" -> "fstar_int" + "rust_primitives_integers" -> "fstar_int" + "rust_primitives_integers" -> "fstar_int128" + "rust_primitives_integers" -> "fstar_int128" + "rust_primitives_integers" -> "fstar_uint128" + "rust_primitives_integers" -> "fstar_uint128" + "rust_primitives_integers" -> "fstar_int64" + "rust_primitives_integers" -> "fstar_int64" + "rust_primitives_integers" -> "fstar_uint64" + "rust_primitives_integers" -> "fstar_uint64" + "rust_primitives_integers" -> "fstar_int32" + "rust_primitives_integers" -> "fstar_int32" + "rust_primitives_integers" -> "fstar_uint32" + "rust_primitives_integers" -> "fstar_uint32" + "rust_primitives_integers" -> "fstar_int16" + "rust_primitives_integers" -> "fstar_int16" + "rust_primitives_integers" -> "fstar_uint16" + "rust_primitives_integers" -> "fstar_uint16" + "rust_primitives_integers" -> "fstar_int8" + "rust_primitives_integers" -> "fstar_int8" + "rust_primitives_integers" -> "fstar_uint8" + "rust_primitives_integers" -> "fstar_uint8" + "rust_primitives_integers" -> "lib_inttypes" + "rust_primitives_integers" -> "lib_inttypes" + "rust_primitives_integers" -> "fstar_mul" + "rust_primitives_integers" -> "fstar_mul" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "prims" + "fstar_squash" -> 
"fstar_pervasives" + "fstar_squash" -> "fstar_pervasives" + "fstar_squash" -> "prims" + "fstar_squash" -> "prims" + "fstar_stubs_reflection_types" -> "fstar_sealed" + "fstar_stubs_reflection_types" -> "fstar_range" + "fstar_stubs_reflection_types" -> "fstar_pervasives" + "fstar_stubs_reflection_types" -> "fstar_pervasives" + "fstar_stubs_reflection_types" -> "prims" + "fstar_stubs_reflection_types" -> "prims" + "fstar_tactics_v1" -> "fstar_tactics_smt" + "fstar_tactics_v1" -> "fstar_tactics_smt" + "fstar_tactics_v1" -> "fstar_tactics_visit" + "fstar_tactics_v1" -> "fstar_tactics_visit" + "fstar_tactics_v1" -> "fstar_tactics_print" + "fstar_tactics_v1" -> "fstar_tactics_print" + "fstar_tactics_v1" -> "fstar_tactics_util" + "fstar_tactics_v1" -> "fstar_tactics_util" + "fstar_tactics_v1" -> "fstar_tactics_v1_logic" + "fstar_tactics_v1" -> "fstar_tactics_v1_logic" + "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1" -> "fstar_tactics_v1_syntaxhelpers" + "fstar_tactics_v1" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1" -> "fstar_tactics_v1_derived" + "fstar_tactics_v1" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_v1" -> "fstar_tactics_effect" + "fstar_tactics_v1" -> "fstar_tactics_effect" + "fstar_tactics_v1" -> "fstar_stubs_tactics_types" + "fstar_tactics_v1" -> "fstar_reflection_v1_compare" + "fstar_tactics_v1" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1" -> "fstar_reflection_v1_formula" + "fstar_tactics_v1" -> "fstar_reflection_v1_derived" + "fstar_tactics_v1" -> "fstar_reflection_v1_derived" + "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_builtins" + "fstar_tactics_v1" -> "fstar_stubs_reflection_v1_data" + "fstar_tactics_v1" -> "fstar_reflection_const" + "fstar_tactics_v1" -> "fstar_reflection_const" + "fstar_tactics_v1" -> "fstar_stubs_reflection_types" + "fstar_tactics_v1" -> "fstar_pervasives" + "fstar_tactics_v1" -> "fstar_pervasives" + "fstar_tactics_v1" -> "prims" + "fstar_tactics_v1" -> "prims" + 
"fstar_list_tot" -> "fstar_list_tot_properties" + "fstar_list_tot" -> "fstar_list_tot_properties" + "fstar_list_tot" -> "fstar_list_tot_base" + "fstar_list_tot" -> "fstar_list_tot_base" + "fstar_list_tot" -> "fstar_pervasives" + "fstar_list_tot" -> "fstar_pervasives" + "fstar_list_tot" -> "prims" + "fstar_list_tot" -> "prims" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "prims" + "fstar_tactics_mapply" -> "prims" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "prims" + "fstar_ghost" -> "prims" + "fstar_ghost" -> "fstar_ghost" + "fstar_bitvector" -> "fstar_seq" + "fstar_bitvector" -> "fstar_seq" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_mul" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "fstar_pervasives" + "fstar_bitvector" -> "prims" + "fstar_bitvector" -> "prims" + "core" -> "core_ops" + "core" -> "core_ops" + "core" -> "core_iter" + "core" -> "core_num" + "core" -> "rust_primitives" + "core" -> "rust_primitives" + "core" -> "fstar_pervasives" + "core" -> "fstar_pervasives" + "core" -> "prims" + "core" -> "prims" + "fstar_uint" -> "fstar_seq" + "fstar_uint" -> "fstar_seq" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> 
"prims" + "fstar_uint" -> "prims" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_sealed" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_tactics_builtins" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxcoercions" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxcoercions" -> "prims" + "fstar_tactics_v2_syntaxcoercions" -> "prims" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_pervasives_native" + "fstar_tactics_v2_logic" -> "fstar_squash" + "fstar_tactics_v2_logic" -> "fstar_squash" + "fstar_tactics_v2_logic" -> "fstar_indefinitedescription" + "fstar_tactics_v2_logic" -> "fstar_indefinitedescription" + "fstar_tactics_v2_logic" -> "fstar_classical" + "fstar_tactics_v2_logic" -> "fstar_classical" + "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_logic" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_logic" -> "fstar_tactics_util" + "fstar_tactics_v2_logic" -> "fstar_tactics_util" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_tactics_namedview" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2_logic" -> "fstar_tactics_v2_derived" + "fstar_tactics_v2_logic" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_logic" -> "fstar_tactics_effect" + "fstar_tactics_v2_logic" -> "fstar_tactics_effect" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_reflection_v2" + "fstar_tactics_v2_logic" -> "fstar_pervasives" + "fstar_tactics_v2_logic" -> "fstar_pervasives" + 
"fstar_tactics_v2_logic" -> "prims" + "fstar_tactics_v2_logic" -> "prims" + "fstar_uint" -> "fstar_calc" + "fstar_uint" -> "fstar_calc" + "fstar_uint" -> "fstar_seq_base" + "fstar_uint" -> "fstar_seq_base" + "fstar_uint" -> "fstar_classical" + "fstar_uint" -> "fstar_classical" + "fstar_uint" -> "fstar_seq" + "fstar_uint" -> "fstar_seq" + "fstar_uint" -> "fstar_math_lib" + "fstar_uint" -> "fstar_math_lib" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_math_lemmas" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_bitvector" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_mul" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "fstar_pervasives" + "fstar_uint" -> "prims" + "fstar_uint" -> "prims" + "fstar_uint" -> "fstar_uint" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "prims" + "fstar_uint8" -> "prims" + "fstar_uint8" -> "fstar_uint8" + "fstar_monotonic_pure" -> "fstar_pervasives" + "fstar_monotonic_pure" -> "fstar_pervasives" + "fstar_monotonic_pure" -> "prims" + "fstar_monotonic_pure" -> "prims" + "core_ops_index" -> "fstar_tactics_typeclasses" + "core_ops_index" -> "fstar_tactics_typeclasses" + "core_ops_index" -> "fstar_pervasives" + "core_ops_index" -> "fstar_pervasives" + "core_ops_index" -> "prims" + "core_ops_index" -> "prims" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" -> "prims" + "fstar_uint64" -> "prims" + "fstar_uint64" -> "fstar_uint64" + "fstar_float" -> "fstar_pervasives" + "fstar_float" -> "fstar_pervasives" + "fstar_float" 
-> "prims" + "fstar_float" -> "prims" + "fstar_reflection_v2_compare" -> "fstar_ghost" + "fstar_reflection_v2_compare" -> "fstar_ghost" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2_compare" -> "fstar_pervasives_native" + "fstar_reflection_v2_compare" -> "fstar_pervasives_native" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "prims" + "fstar_reflection_v2_compare" -> "prims" + "fstar_reflection_v2_compare" -> "fstar_reflection_v2_compare" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_math_lib" + "fstar_int" -> "fstar_math_lib" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "prims" + "fstar_int" -> "prims" + "fstar_int" -> "fstar_int" + "fstar_int16" -> "fstar_uint" + "fstar_int16" -> "fstar_uint" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "prims" + 
"fstar_int16" -> "prims" + "fstar_list" -> "fstar_pervasives_native" + "fstar_list" -> "fstar_pervasives_native" + "fstar_list" -> "fstar_list_tot" + "fstar_list" -> "fstar_list_tot" + "fstar_list" -> "fstar_all" + "fstar_list" -> "fstar_all" + "fstar_list" -> "fstar_pervasives" + "fstar_list" -> "fstar_pervasives" + "fstar_list" -> "prims" + "fstar_list" -> "prims" + "fstar_predicateextensionality" -> "fstar_propositionalextensionality" + "fstar_predicateextensionality" -> "fstar_propositionalextensionality" + "fstar_predicateextensionality" -> "fstar_functionalextensionality" + "fstar_predicateextensionality" -> "fstar_functionalextensionality" + "fstar_predicateextensionality" -> "fstar_pervasives" + "fstar_predicateextensionality" -> "fstar_pervasives" + "fstar_predicateextensionality" -> "prims" + "fstar_predicateextensionality" -> "prims" + "fstar_reflection_v1_derived" -> "fstar_list_tot_base" + "fstar_reflection_v1_derived" -> "fstar_list_tot_base" + "fstar_reflection_v1_derived" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived" -> "fstar_pervasives_native" + "fstar_reflection_v1_derived" -> "fstar_vconfig" + "fstar_reflection_v1_derived" -> "fstar_order" + "fstar_reflection_v1_derived" -> "fstar_order" + "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1_derived" -> "fstar_reflection_const" + "fstar_reflection_v1_derived" -> "fstar_reflection_const" + "fstar_reflection_v1_derived" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1_derived" -> "fstar_pervasives" + "fstar_reflection_v1_derived" -> "fstar_pervasives" + "fstar_reflection_v1_derived" -> "prims" + "fstar_reflection_v1_derived" -> "prims" + "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v2_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v2_data" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v2_data" -> 
"fstar_stubs_syntax_syntax" + "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v2_data" -> "prims" + "fstar_stubs_reflection_v2_data" -> "prims" + "fstar_stubs_reflection_v1_builtins" -> "fstar_vconfig" + "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_v1_data" + "fstar_stubs_reflection_v1_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v1_builtins" -> "fstar_order" + "fstar_stubs_reflection_v1_builtins" -> "fstar_order" + "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_builtins" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_builtins" -> "prims" + "fstar_stubs_reflection_v1_builtins" -> "prims" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "prims" + "fstar_uint128" -> "prims" + "fstar_reflection_v2_arith" -> "fstar_classical" + "fstar_reflection_v2_arith" -> "fstar_classical" + "fstar_reflection_v2_arith" -> "fstar_list_tot" + "fstar_reflection_v2_arith" -> "fstar_list_tot" + "fstar_reflection_v2_arith" -> "fstar_pervasives_native" + "fstar_reflection_v2_arith" -> "fstar_pervasives_native" + "fstar_reflection_v2_arith" -> "fstar_list_tot_base" + "fstar_reflection_v2_arith" -> "fstar_list_tot_base" + "fstar_reflection_v2_arith" -> "fstar_order" + "fstar_reflection_v2_arith" -> "fstar_order" + "fstar_reflection_v2_arith" -> "fstar_reflection_v2" + "fstar_reflection_v2_arith" -> "fstar_reflection_v2" + "fstar_reflection_v2_arith" -> "fstar_tactics_v2" + "fstar_reflection_v2_arith" -> "fstar_tactics_v2" + "fstar_reflection_v2_arith" -> "fstar_pervasives" + 
"fstar_reflection_v2_arith" -> "fstar_pervasives" + "fstar_reflection_v2_arith" -> "prims" + "fstar_reflection_v2_arith" -> "prims" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "fstar_pervasives" + "fstar_functionalextensionality" -> "prims" + "fstar_functionalextensionality" -> "prims" + "fstar_reflection_termeq" -> "fstar_classical_sugar" + "fstar_reflection_termeq" -> "fstar_classical_sugar" + "fstar_reflection_termeq" -> "fstar_sealed" + "fstar_reflection_termeq" -> "fstar_pervasives_native" + "fstar_reflection_termeq" -> "fstar_pervasives_native" + "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" + "fstar_reflection_termeq" -> "fstar_strongexcludedmiddle" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_list_tot" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_termeq" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "fstar_pervasives" + "fstar_reflection_termeq" -> "prims" + "fstar_reflection_termeq" -> "prims" + "fstar_reflection_termeq" -> "fstar_reflection_termeq" + "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v2_derived_lemmas" -> "fstar_classical" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives_native" + "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v2_derived_lemmas" -> "fstar_list_tot" + "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_derived_lemmas" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2_derived_lemmas" -> "fstar_stubs_reflection_types" + 
"fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v2_derived_lemmas" -> "fstar_pervasives" + "fstar_reflection_v2_derived_lemmas" -> "prims" + "fstar_reflection_v2_derived_lemmas" -> "prims" + "core_ops_range" -> "rust_primitives_hax" + "core_ops_range" -> "rust_primitives_hax" + "core_ops_range" -> "fstar_seq" + "core_ops_range" -> "fstar_seq" + "core_ops_range" -> "core_ops_index" + "core_ops_range" -> "core_ops_index" + "core_ops_range" -> "fstar_tactics_typeclasses" + "core_ops_range" -> "fstar_tactics_typeclasses" + "core_ops_range" -> "fstar_pervasives_native" + "core_ops_range" -> "fstar_pervasives_native" + "core_ops_range" -> "core_iter_traits_iterator" + "core_ops_range" -> "core_iter_traits_iterator" + "core_ops_range" -> "rust_primitives" + "core_ops_range" -> "rust_primitives" + "core_ops_range" -> "fstar_pervasives" + "core_ops_range" -> "fstar_pervasives" + "core_ops_range" -> "prims" + "core_ops_range" -> "prims" + "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" + "core_iter_traits_iterator" -> "fstar_tactics_typeclasses" + "core_iter_traits_iterator" -> "core_iter_adapters_step_by" + "core_iter_traits_iterator" -> "core_iter_adapters_step_by" + "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" + "core_iter_traits_iterator" -> "core_iter_adapters_enumerate" + "core_iter_traits_iterator" -> "rust_primitives" + "core_iter_traits_iterator" -> "rust_primitives" + "core_iter_traits_iterator" -> "fstar_pervasives" + "core_iter_traits_iterator" -> "fstar_pervasives" + "core_iter_traits_iterator" -> "prims" + "core_iter_traits_iterator" -> "prims" + "fstar_bv" -> "fstar_list" + "fstar_bv" -> "fstar_list" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "prims" + "fstar_bv" -> "prims" + "fstar_math_lemmas" -> "fstar_calc" + "fstar_math_lemmas" -> "fstar_calc" + "fstar_math_lemmas" -> "fstar_math_lib" + 
"fstar_math_lemmas" -> "fstar_math_lib" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "prims" + "fstar_math_lemmas" -> "prims" + "fstar_math_lemmas" -> "fstar_math_lemmas" + "fstar_tactics_builtins" -> "fstar_stubs_tactics_v1_builtins" + "fstar_tactics_builtins" -> "fstar_pervasives" + "fstar_tactics_builtins" -> "fstar_pervasives" + "fstar_tactics_builtins" -> "prims" + "fstar_tactics_builtins" -> "prims" + "fstar_string" -> "fstar_all" + "fstar_string" -> "fstar_all" + "fstar_string" -> "fstar_list" + "fstar_string" -> "fstar_list" + "fstar_string" -> "fstar_char" + "fstar_string" -> "fstar_list_tot" + "fstar_string" -> "fstar_list_tot" + "fstar_string" -> "fstar_pervasives" + "fstar_string" -> "fstar_pervasives" + "fstar_string" -> "prims" + "fstar_string" -> "prims" + "fstar_pervasives" -> "prims" + "fstar_pervasives" -> "prims" + "fstar_pervasives" -> "fstar_pervasives" + "fstar_tactics_util" -> "fstar_pervasives_native" + "fstar_tactics_util" -> "fstar_pervasives_native" + "fstar_tactics_util" -> "fstar_list_tot_base" + "fstar_tactics_util" -> "fstar_list_tot_base" + "fstar_tactics_util" -> "fstar_tactics_effect" + "fstar_tactics_util" -> "fstar_tactics_effect" + "fstar_tactics_util" -> "fstar_pervasives" + "fstar_tactics_util" -> "fstar_pervasives" + "fstar_tactics_util" -> "prims" + "fstar_tactics_util" -> "prims" + "core_slice_iter" -> "rust_primitives" + "core_slice_iter" -> "rust_primitives" + "core_slice_iter" -> "fstar_pervasives" + "core_slice_iter" -> "fstar_pervasives" + "core_slice_iter" -> "prims" + "core_slice_iter" -> "prims" + "core_ops_control_flow" -> "fstar_pervasives" + "core_ops_control_flow" -> "fstar_pervasives" + "core_ops_control_flow" -> "prims" + "core_ops_control_flow" -> "prims" + "core_slice" -> "fstar_tactics_typeclasses" + "core_slice" -> "fstar_tactics_typeclasses" + "core_slice" -> 
"core_ops_index" + "core_slice" -> "core_ops_index" + "core_slice" -> "core_slice_iter" + "core_slice" -> "core_slice_iter" + "core_slice" -> "fstar_seq" + "core_slice" -> "fstar_seq" + "core_slice" -> "rust_primitives_integers" + "core_slice" -> "rust_primitives_integers" + "core_slice" -> "rust_primitives_arrays" + "core_slice" -> "rust_primitives_arrays" + "core_slice" -> "fstar_pervasives" + "core_slice" -> "fstar_pervasives" + "core_slice" -> "prims" + "core_slice" -> "prims" + "fstar_all" -> "fstar_exn" + "fstar_all" -> "fstar_exn" + "fstar_all" -> "fstar_st" + "fstar_all" -> "fstar_st" + "fstar_all" -> "fstar_heap" + "fstar_all" -> "fstar_heap" + "fstar_all" -> "fstar_pervasives" + "fstar_all" -> "fstar_pervasives" + "fstar_all" -> "prims" + "fstar_all" -> "prims" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "fstar_pervasives" + "fstar_ghost" -> "prims" + "fstar_ghost" -> "prims" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "prims" + "fstar_indefinitedescription" -> "prims" + "fstar_list_tot_properties" -> "fstar_classical" + "fstar_list_tot_properties" -> "fstar_classical" + "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" + "fstar_list_tot_properties" -> "fstar_strongexcludedmiddle" + "fstar_list_tot_properties" -> "fstar_classical_sugar" + "fstar_list_tot_properties" -> "fstar_classical_sugar" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_pervasives_native" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_list_tot_base" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "fstar_pervasives" + "fstar_list_tot_properties" -> "prims" + "fstar_list_tot_properties" -> "prims" + "fstar_stubs_syntax_syntax" -> 
"fstar_stubs_reflection_types" + "fstar_stubs_syntax_syntax" -> "fstar_pervasives" + "fstar_stubs_syntax_syntax" -> "fstar_pervasives" + "fstar_stubs_syntax_syntax" -> "prims" + "fstar_stubs_syntax_syntax" -> "prims" + "core_ops_arith" -> "fstar_tactics_typeclasses" + "core_ops_arith" -> "fstar_tactics_typeclasses" + "core_ops_arith" -> "rust_primitives" + "core_ops_arith" -> "rust_primitives" + "core_ops_arith" -> "fstar_pervasives" + "core_ops_arith" -> "fstar_pervasives" + "core_ops_arith" -> "prims" + "core_ops_arith" -> "prims" + "rust_primitives_hax_folds" -> "fstar_math_lemmas" + "rust_primitives_hax_folds" -> "fstar_math_lemmas" + "rust_primitives_hax_folds" -> "lib_inttypes" + "rust_primitives_hax_folds" -> "lib_inttypes" + "rust_primitives_hax_folds" -> "fstar_seq" + "rust_primitives_hax_folds" -> "fstar_seq" + "rust_primitives_hax_folds" -> "fstar_mul" + "rust_primitives_hax_folds" -> "fstar_mul" + "rust_primitives_hax_folds" -> "core_ops_range" + "rust_primitives_hax_folds" -> "rust_primitives" + "rust_primitives_hax_folds" -> "rust_primitives" + "rust_primitives_hax_folds" -> "fstar_pervasives" + "rust_primitives_hax_folds" -> "fstar_pervasives" + "rust_primitives_hax_folds" -> "prims" + "rust_primitives_hax_folds" -> "prims" + "fstar_strongexcludedmiddle" -> "fstar_pervasives" + "fstar_strongexcludedmiddle" -> "fstar_pervasives" + "fstar_strongexcludedmiddle" -> "prims" + "fstar_strongexcludedmiddle" -> "prims" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_uint32" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_mul" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_uint" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "fstar_pervasives" + "fstar_uint8" -> "prims" + "fstar_uint8" -> "prims" + "fstar_stubs_tactics_v2_builtins" -> "fstar_issue" + "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" + "fstar_stubs_tactics_v2_builtins" -> "fstar_list_tot" + "fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" + 
"fstar_stubs_tactics_v2_builtins" -> "fstar_ghost" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives_native" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_pprint" + "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_unseal" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_tactics_types" + "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v2_builtins" -> "fstar_tactics_effect" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_builtins" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_v2_data" + "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v2_builtins" -> "fstar_reflection_const" + "fstar_stubs_tactics_v2_builtins" -> "fstar_stubs_reflection_types" + "fstar_stubs_tactics_v2_builtins" -> "fstar_vconfig" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v2_builtins" -> "fstar_pervasives" + "fstar_stubs_tactics_v2_builtins" -> "prims" + "fstar_stubs_tactics_v2_builtins" -> "prims" + "rust_primitives_arrays" -> "fstar_pervasives_native" + "rust_primitives_arrays" -> "fstar_pervasives_native" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_mul" + "rust_primitives_arrays" -> "fstar_mul" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "prims" + "fstar_reflection_v1" -> "fstar_reflection_v1_compare" + "fstar_reflection_v1" -> "fstar_reflection_const" + "fstar_reflection_v1" -> 
"fstar_reflection_const" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived_lemmas" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1" -> "fstar_pervasives" + "fstar_reflection_v1" -> "fstar_pervasives" + "fstar_reflection_v1" -> "prims" + "fstar_reflection_v1" -> "prims" + "fstar_bv" -> "fstar_math_lemmas" + "fstar_bv" -> "fstar_math_lemmas" + "fstar_bv" -> "fstar_seq" + "fstar_bv" -> "fstar_seq" + "fstar_bv" -> "fstar_bitvector" + "fstar_bv" -> "fstar_bitvector" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_uint" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "fstar_pervasives" + "fstar_bv" -> "prims" + "fstar_bv" -> "prims" + "fstar_bv" -> "fstar_bv" + "fstar_list_tot_base" -> "fstar_classical_sugar" + "fstar_list_tot_base" -> "fstar_classical_sugar" + "fstar_list_tot_base" -> "fstar_pervasives_native" + "fstar_list_tot_base" -> "fstar_pervasives_native" + "fstar_list_tot_base" -> "fstar_pervasives" + "fstar_list_tot_base" -> "fstar_pervasives" + "fstar_list_tot_base" -> "prims" + "fstar_list_tot_base" -> "prims" + "fstar_math_lib" -> "fstar_mul" + "fstar_math_lib" -> "fstar_mul" + "fstar_math_lib" -> "fstar_pervasives" + "fstar_math_lib" -> "fstar_pervasives" + "fstar_math_lib" -> "prims" + "fstar_math_lib" -> "prims" + "core_num" -> "fstar_tactics_typeclasses" + "core_num" -> "fstar_tactics_typeclasses" + "core_num" -> "core_ops_arith" + "core_num" -> "core_num_error" + "core_num" -> "core_result" + "core_num" -> "core_result" + "core_num" -> "fstar_math_lemmas" + "core_num" -> "fstar_math_lemmas" + "core_num" -> "lib_inttypes" + "core_num" -> "lib_inttypes" + "core_num" -> "fstar_uint128" + "core_num" -> 
"fstar_uint128" + "core_num" -> "fstar_uint32" + "core_num" -> "fstar_uint32" + "core_num" -> "rust_primitives" + "core_num" -> "rust_primitives" + "core_num" -> "fstar_pervasives" + "core_num" -> "fstar_pervasives" + "core_num" -> "prims" + "core_num" -> "prims" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_mul" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "fstar_pervasives" + "fstar_math_lemmas" -> "prims" + "fstar_math_lemmas" -> "prims" + "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_uint32" + "fstar_int16" -> "fstar_math_lemmas" + "fstar_int16" -> "fstar_math_lemmas" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_mul" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_int" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "fstar_pervasives" + "fstar_int16" -> "prims" + "fstar_int16" -> "prims" + "fstar_int16" -> "fstar_int16" + "bitvec_utils" -> "rust_primitives_bitvectors" + "bitvec_utils" -> "rust_primitives_bitvectors" + "bitvec_utils" -> "bitvec_equality" + "bitvec_utils" -> "bitvec_equality" + "bitvec_utils" -> "fstar_functionalextensionality" + "bitvec_utils" -> "fstar_functionalextensionality" + "bitvec_utils" -> "core" + "bitvec_utils" -> "core" + "bitvec_utils" -> "fstar_pervasives" + "bitvec_utils" -> "fstar_pervasives" + "bitvec_utils" -> "prims" + "bitvec_utils" -> "prims" + "fstar_tactics_typeclasses" -> "fstar_stubs_pprint" + "fstar_tactics_typeclasses" -> "fstar_list_tot" + "fstar_tactics_typeclasses" -> "fstar_list_tot" + "fstar_tactics_typeclasses" -> "fstar_tactics_util" + "fstar_tactics_typeclasses" -> "fstar_tactics_util" + "fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" + 
"fstar_tactics_typeclasses" -> "fstar_reflection_termeq_simple" + "fstar_tactics_typeclasses" -> "fstar_pervasives_native" + "fstar_tactics_typeclasses" -> "fstar_pervasives_native" + "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_v2_builtins" + "fstar_tactics_typeclasses" -> "fstar_list_tot_base" + "fstar_tactics_typeclasses" -> "fstar_list_tot_base" + "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" + "fstar_tactics_typeclasses" -> "fstar_tactics_namedview" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_derived" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_typeclasses" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_stubs_tactics_common" + "fstar_tactics_typeclasses" -> "fstar_reflection_v2" + "fstar_tactics_typeclasses" -> "fstar_reflection_v2" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "prims" + "fstar_tactics_typeclasses" -> "prims" + "fstar_tactics_typeclasses" -> "fstar_tactics_typeclasses" + "rust_primitives_integers" -> "fstar_int_cast" + "rust_primitives_integers" -> "fstar_int_cast" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "fstar_pervasives" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "prims" + "rust_primitives_integers" -> "rust_primitives_integers" + "fstar_tactics_namedview" -> "fstar_range" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> 
"fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "prims" + "fstar_tactics_namedview" -> "prims" + "fstar_reflection_v2" -> "fstar_reflection_v2_compare" + "fstar_reflection_v2" -> "fstar_reflection_v2_compare" + "fstar_reflection_v2" -> "fstar_reflection_const" + "fstar_reflection_v2" -> "fstar_reflection_const" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived_lemmas" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2" -> "fstar_reflection_v2_derived" + "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_builtins" + "fstar_reflection_v2" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2" -> "fstar_pervasives" + "fstar_reflection_v2" -> "fstar_pervasives" + "fstar_reflection_v2" -> "prims" + "fstar_reflection_v2" -> "prims" + "fstar_int_cast" -> "fstar_int" + "fstar_int_cast" -> "fstar_int" + "fstar_int_cast" -> "fstar_int64" + "fstar_int_cast" -> "fstar_int64" + "fstar_int_cast" -> "fstar_int32" + "fstar_int_cast" -> "fstar_int32" + "fstar_int_cast" -> "fstar_int16" + "fstar_int_cast" -> "fstar_int16" + "fstar_int_cast" -> "fstar_int8" + "fstar_int_cast" -> "fstar_int8" + "fstar_int_cast" -> "fstar_uint64" + "fstar_int_cast" -> "fstar_uint64" + "fstar_int_cast" -> "fstar_uint32" + "fstar_int_cast" -> "fstar_uint32" + "fstar_int_cast" -> "fstar_uint16" + "fstar_int_cast" -> "fstar_uint16" + "fstar_int_cast" -> "fstar_uint8" + "fstar_int_cast" -> "fstar_uint8" + "fstar_int_cast" -> "fstar_pervasives" + "fstar_int_cast" -> "fstar_pervasives" + "fstar_int_cast" -> "prims" + "fstar_int_cast" -> "prims" + "fstar_stubs_errors_msg" -> "fstar_stubs_pprint" + "fstar_stubs_errors_msg" -> "fstar_pervasives" + "fstar_stubs_errors_msg" -> "fstar_pervasives" + 
"fstar_stubs_errors_msg" -> "prims" + "fstar_stubs_errors_msg" -> "prims" + "fstar_tactics_mapply" -> "fstar_squash" + "fstar_tactics_mapply" -> "fstar_squash" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_typeclasses" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" + "fstar_tactics_mapply" -> "fstar_tactics_v2_derived" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_mapply" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_mapply" -> "fstar_tactics_namedview" + "fstar_tactics_mapply" -> "fstar_tactics_namedview" + "fstar_tactics_mapply" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_tactics_effect" + "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" + "fstar_tactics_mapply" -> "fstar_reflection_v2_formula" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_reflection_v2" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "fstar_pervasives" + "fstar_tactics_mapply" -> "prims" + "fstar_tactics_mapply" -> "prims" + "fstar_tactics_mapply" -> "fstar_tactics_mapply" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_tset" + "fstar_monotonic_heap" -> "fstar_tset" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "prims" + "fstar_monotonic_heap" -> "prims" + "fstar_stubs_tactics_common" -> "fstar_range" + "fstar_stubs_tactics_common" -> "fstar_stubs_errors_msg" + "fstar_stubs_tactics_common" -> "fstar_pervasives" + "fstar_stubs_tactics_common" -> "fstar_pervasives" + "fstar_stubs_tactics_common" -> 
"prims" + "fstar_stubs_tactics_common" -> "prims" + "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v1_data" -> "fstar_sealed_inhabited" + "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_types" + "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_builtins" + "fstar_stubs_reflection_v1_data" -> "fstar_stubs_reflection_v2_data" + "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_data" -> "fstar_pervasives" + "fstar_stubs_reflection_v1_data" -> "prims" + "fstar_stubs_reflection_v1_data" -> "prims" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_list_tot" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "fstar_pervasives" + "fstar_seq_base" -> "prims" + "fstar_seq_base" -> "prims" + "fstar_seq_base" -> "fstar_seq_base" + "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v2_derived" -> "fstar_propositionalextensionality" + "fstar_tactics_v2_derived" -> "fstar_squash" + "fstar_tactics_v2_derived" -> "fstar_squash" + "fstar_tactics_v2_derived" -> "fstar_range" + "fstar_tactics_v2_derived" -> "fstar_pervasives_native" + "fstar_tactics_v2_derived" -> "fstar_pervasives_native" + "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_derived" -> "fstar_reflection_termeq_simple" + "fstar_tactics_v2_derived" -> "fstar_tactics_visit" + "fstar_tactics_v2_derived" -> "fstar_tactics_visit" + "fstar_tactics_v2_derived" -> "fstar_list_tot_base" + "fstar_tactics_v2_derived" -> "fstar_list_tot_base" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxcoercions" + "fstar_tactics_v2_derived" -> "fstar_tactics_namedview" + "fstar_tactics_v2_derived" -> "fstar_tactics_namedview" + "fstar_tactics_v2_derived" -> "fstar_vconfig" + "fstar_tactics_v2_derived" -> "fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2_derived" -> 
"fstar_tactics_v2_syntaxhelpers" + "fstar_tactics_v2_derived" -> "fstar_tactics_util" + "fstar_tactics_v2_derived" -> "fstar_tactics_util" + "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_result" + "fstar_tactics_v2_derived" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2_derived" -> "fstar_tactics_effect" + "fstar_tactics_v2_derived" -> "fstar_tactics_effect" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2_formula" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2" + "fstar_tactics_v2_derived" -> "fstar_reflection_v2" + "fstar_tactics_v2_derived" -> "fstar_pervasives" + "fstar_tactics_v2_derived" -> "fstar_pervasives" + "fstar_tactics_v2_derived" -> "prims" + "fstar_tactics_v2_derived" -> "prims" + "fstar_uint128" -> "fstar_pervasives_native" + "fstar_uint128" -> "fstar_pervasives_native" + "fstar_uint128" -> "fstar_int_cast" + "fstar_uint128" -> "fstar_int_cast" + "fstar_uint128" -> "fstar_calc" + "fstar_uint128" -> "fstar_calc" + "fstar_uint128" -> "fstar_classical_sugar" + "fstar_uint128" -> "fstar_classical_sugar" + "fstar_uint128" -> "fstar_tactics_effect" + "fstar_uint128" -> "fstar_tactics_effect" + "fstar_uint128" -> "fstar_tactics_bv" + "fstar_uint128" -> "fstar_tactics_bv" + "fstar_uint128" -> "fstar_tactics_v2" + "fstar_uint128" -> "fstar_tactics_v2" + "fstar_uint128" -> "fstar_bv" + "fstar_uint128" -> "fstar_bv" + "fstar_uint128" -> "fstar_math_lemmas" + "fstar_uint128" -> "fstar_math_lemmas" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint64" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_uint32" + "fstar_uint128" -> "fstar_bitvector" + "fstar_uint128" -> "fstar_bitvector" + "fstar_uint128" -> "fstar_seq" + "fstar_uint128" -> "fstar_seq" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_uint" + "fstar_uint128" -> "fstar_mul" + "fstar_uint128" -> "fstar_mul" + 
"fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "fstar_pervasives" + "fstar_uint128" -> "prims" + "fstar_uint128" -> "prims" + "fstar_uint128" -> "fstar_uint128" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "core" + "bitvec_equality" -> "core" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "prims" + "fstar_int8" -> "fstar_uint" + "fstar_int8" -> "fstar_uint" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_uint32" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_mul" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_int" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "fstar_pervasives" + "fstar_int8" -> "prims" + "fstar_int8" -> "prims" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "fstar_seq" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "lib_inttypes" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "fstar_list_tot" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "rust_primitives_integers" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "fstar_pervasives" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "prims" + "rust_primitives_arrays" -> "rust_primitives_arrays" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_int64" + "fstar_int128" -> "fstar_uint" + "fstar_int128" -> "fstar_uint" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_uint32" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_mul" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_int" + "fstar_int128" -> "fstar_pervasives" 
+ "fstar_int128" -> "fstar_pervasives" + "fstar_int128" -> "prims" + "fstar_int128" -> "prims" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_uint32" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_mul" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_uint" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "fstar_pervasives" + "fstar_uint16" -> "prims" + "fstar_uint16" -> "prims" + "fstar_calc" -> "fstar_range" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_preorder" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "fstar_pervasives" + "fstar_calc" -> "prims" + "fstar_calc" -> "prims" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_functionalextensionality" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "fstar_mul" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "rust_primitives" + "bitvec_equality" -> "core" + "bitvec_equality" -> "core" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "fstar_pervasives" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "prims" + "bitvec_equality" -> "bitvec_equality" + "fstar_sealed" -> "fstar_pervasives" + "fstar_sealed" -> "fstar_pervasives" + "fstar_sealed" -> "prims" + "fstar_sealed" -> "prims" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_seq" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_uint" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_math_lemmas" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_bitvector" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_mul" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "fstar_pervasives" + "fstar_int" -> "prims" + "fstar_int" -> "prims" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_uint32" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_mul" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_uint" + "fstar_uint64" -> "fstar_pervasives" + "fstar_uint64" 
-> "fstar_pervasives" + "fstar_uint64" -> "prims" + "fstar_uint64" -> "prims" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_ghost" + "fstar_indefinitedescription" -> "fstar_squash" + "fstar_indefinitedescription" -> "fstar_squash" + "fstar_indefinitedescription" -> "fstar_classical" + "fstar_indefinitedescription" -> "fstar_classical" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "fstar_pervasives" + "fstar_indefinitedescription" -> "prims" + "fstar_indefinitedescription" -> "prims" + "fstar_indefinitedescription" -> "fstar_indefinitedescription" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_math_lemmas" + "fstar_int64" -> "fstar_math_lemmas" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "prims" + "fstar_int64" -> "prims" + "fstar_int64" -> "fstar_int64" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "fstar_pervasives" + "fstar_classical_sugar" -> "prims" + "fstar_classical_sugar" -> "prims" + "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" + "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq" + "fstar_reflection_termeq_simple" -> "fstar_stubs_reflection_types" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "fstar_pervasives" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_reflection_termeq_simple" -> "prims" + "fstar_reflection_termeq_simple" -> "fstar_reflection_termeq_simple" + "fstar_pervasives_native" -> "prims" + "fstar_pervasives_native" -> "prims" + "fstar_tactics_typeclasses" -> "fstar_stubs_reflection_types" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + "fstar_tactics_typeclasses" -> "fstar_tactics_effect" + 
"fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "fstar_pervasives" + "fstar_tactics_typeclasses" -> "prims" + "fstar_tactics_typeclasses" -> "prims" + "fstar_stubs_pprint" -> "fstar_float" + "fstar_stubs_pprint" -> "fstar_char" + "fstar_stubs_pprint" -> "fstar_pervasives" + "fstar_stubs_pprint" -> "fstar_pervasives" + "fstar_stubs_pprint" -> "prims" + "fstar_stubs_pprint" -> "prims" + "fstar_sealed_inhabited" -> "fstar_sealed" + "fstar_sealed_inhabited" -> "fstar_pervasives" + "fstar_sealed_inhabited" -> "fstar_pervasives" + "fstar_sealed_inhabited" -> "prims" + "fstar_sealed_inhabited" -> "prims" + "fstar_tactics_namedview" -> "fstar_list_tot" + "fstar_tactics_namedview" -> "fstar_list_tot" + "fstar_tactics_namedview" -> "fstar_pervasives_native" + "fstar_tactics_namedview" -> "fstar_pervasives_native" + "fstar_tactics_namedview" -> "fstar_stubs_reflection_v2_data" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_reflection_v2" + "fstar_tactics_namedview" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_namedview" -> "fstar_tactics_util" + "fstar_tactics_namedview" -> "fstar_tactics_util" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_tactics_effect" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "fstar_pervasives" + "fstar_tactics_namedview" -> "prims" + "fstar_tactics_namedview" -> "prims" + "fstar_tactics_namedview" -> "fstar_tactics_namedview" + "fstar_heap" -> "fstar_preorder" + "fstar_heap" -> "fstar_preorder" + "fstar_heap" -> "fstar_monotonic_heap" + "fstar_heap" -> "fstar_monotonic_heap" + "fstar_heap" -> "fstar_pervasives" + "fstar_heap" -> "fstar_pervasives" + "fstar_heap" -> "prims" + "fstar_heap" -> "prims" + "mkseq" -> "fstar_tactics_effect" + "mkseq" -> "fstar_tactics_effect" + "mkseq" -> "fstar_classical" + "mkseq" -> "fstar_classical" + "mkseq" -> "fstar_list_tot" + "mkseq" -> 
"fstar_list_tot" + "mkseq" -> "fstar_pervasives_native" + "mkseq" -> "fstar_pervasives_native" + "mkseq" -> "fstar_tactics" + "mkseq" -> "fstar_tactics" + "mkseq" -> "fstar_seq" + "mkseq" -> "fstar_seq" + "mkseq" -> "fstar_reflection_v2" + "mkseq" -> "fstar_reflection_v2" + "mkseq" -> "rust_primitives_integers" + "mkseq" -> "rust_primitives_integers" + "mkseq" -> "fstar_tactics_v2" + "mkseq" -> "fstar_tactics_v2" + "mkseq" -> "core" + "mkseq" -> "core" + "mkseq" -> "fstar_pervasives" + "mkseq" -> "fstar_pervasives" + "mkseq" -> "prims" + "mkseq" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_list_tot_base" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives_native" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_namedview" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_stubs_tactics_types" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_tactics_effect" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_reflection_v2" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "fstar_pervasives" + "fstar_tactics_v2_syntaxhelpers" -> "prims" + "fstar_tactics_v2_syntaxhelpers" -> "prims" + "bitvec_intrinsics_constants" -> "fstar_tactics_visit" + "bitvec_intrinsics_constants" -> "fstar_tactics_visit" + "bitvec_intrinsics_constants" -> "tactics_seq" + "bitvec_intrinsics_constants" -> "tactics_seq" + "bitvec_intrinsics_constants" -> "tactics_pow2" + "bitvec_intrinsics_constants" -> "tactics_pow2" + "bitvec_intrinsics_constants" -> "fstar_tactics_effect" + "bitvec_intrinsics_constants" -> "fstar_tactics_effect" + "bitvec_intrinsics_constants" -> 
"fstar_list_tot" + "bitvec_intrinsics_constants" -> "fstar_list_tot" + "bitvec_intrinsics_constants" -> "fstar_reflection_v2" + "bitvec_intrinsics_constants" -> "fstar_reflection_v2" + "bitvec_intrinsics_constants" -> "fstar_pervasives_native" + "bitvec_intrinsics_constants" -> "fstar_pervasives_native" + "bitvec_intrinsics_constants" -> "fstar_tactics" + "bitvec_intrinsics_constants" -> "fstar_tactics" + "bitvec_intrinsics_constants" -> "tactics_utils" + "bitvec_intrinsics_constants" -> "tactics_utils" + "bitvec_intrinsics_constants" -> "fstar_tactics_v2" + "bitvec_intrinsics_constants" -> "fstar_tactics_v2" + "bitvec_intrinsics_constants" -> "fstar_int32" + "bitvec_intrinsics_constants" -> "fstar_int32" + "bitvec_intrinsics_constants" -> "fstar_int16" + "bitvec_intrinsics_constants" -> "fstar_int16" + "bitvec_intrinsics_constants" -> "bitvec_equality" + "bitvec_intrinsics_constants" -> "bitvec_equality" + "bitvec_intrinsics_constants" -> "bitvec_utils" + "bitvec_intrinsics_constants" -> "bitvec_utils" + "bitvec_intrinsics_constants" -> "fstar_functionalextensionality" + "bitvec_intrinsics_constants" -> "fstar_functionalextensionality" + "bitvec_intrinsics_constants" -> "fstar_mul" + "bitvec_intrinsics_constants" -> "fstar_mul" + "bitvec_intrinsics_constants" -> "rust_primitives" + "bitvec_intrinsics_constants" -> "rust_primitives" + "bitvec_intrinsics_constants" -> "core" + "bitvec_intrinsics_constants" -> "core" + "bitvec_intrinsics_constants" -> "fstar_pervasives" + "bitvec_intrinsics_constants" -> "fstar_pervasives" + "bitvec_intrinsics_constants" -> "prims" + "bitvec_intrinsics_constants" -> "prims" + "fstar_order" -> "fstar_pervasives_native" + "fstar_order" -> "fstar_pervasives_native" + "fstar_order" -> "fstar_pervasives" + "fstar_order" -> "fstar_pervasives" + "fstar_order" -> "prims" + "fstar_order" -> "prims" + "fstar_tactics_effect" -> "fstar_range" + "fstar_tactics_effect" -> "fstar_stubs_tactics_result" + "fstar_tactics_effect" -> 
"fstar_stubs_tactics_types" + "fstar_tactics_effect" -> "fstar_stubs_reflection_types" + "fstar_tactics_effect" -> "fstar_monotonic_pure" + "fstar_tactics_effect" -> "fstar_monotonic_pure" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "fstar_pervasives" + "fstar_tactics_effect" -> "prims" + "fstar_tactics_effect" -> "prims" + "core_ops" -> "core_ops_index" + "core_ops" -> "core_ops_index" + "core_ops" -> "fstar_tactics_typeclasses" + "core_ops" -> "fstar_tactics_typeclasses" + "core_ops" -> "rust_primitives" + "core_ops" -> "rust_primitives" + "core_ops" -> "fstar_pervasives" + "core_ops" -> "fstar_pervasives" + "core_ops" -> "prims" + "core_ops" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "fstar_mul" + "libcrux_intrinsics_avx2_extract" -> "core" + "libcrux_intrinsics_avx2_extract" -> "fstar_pervasives" + "libcrux_intrinsics_avx2_extract" -> "prims" + "libcrux_intrinsics_avx2_extract" -> "libcrux_intrinsics_avx2_extract" + "core_result" -> "fstar_pervasives" + "core_result" -> "fstar_pervasives" + "core_result" -> "prims" + "core_result" -> "prims" + "fstar_monotonic_heap" -> "fstar_erasedlogic" + "fstar_monotonic_heap" -> "fstar_erasedlogic" + "fstar_monotonic_heap" -> "fstar_squash" + "fstar_monotonic_heap" -> "fstar_squash" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_set" + "fstar_monotonic_heap" -> "fstar_pervasives_native" + "fstar_monotonic_heap" -> "fstar_pervasives_native" + "fstar_monotonic_heap" -> "fstar_functionalextensionality" + "fstar_monotonic_heap" -> "fstar_functionalextensionality" + "fstar_monotonic_heap" -> "fstar_classical" + "fstar_monotonic_heap" -> "fstar_classical" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_preorder" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "fstar_pervasives" + "fstar_monotonic_heap" -> "prims" + "fstar_monotonic_heap" -> "prims" + "fstar_monotonic_heap" -> "fstar_monotonic_heap" + 
"fstar_tactics_smt" -> "fstar_vconfig" + "fstar_tactics_smt" -> "fstar_stubs_tactics_v2_builtins" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_tactics_effect" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "fstar_pervasives" + "fstar_tactics_smt" -> "prims" + "fstar_tactics_smt" -> "prims" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_order" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_v2_data" + "fstar_reflection_v2_compare" -> "fstar_stubs_reflection_types" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "fstar_pervasives" + "fstar_reflection_v2_compare" -> "prims" + "fstar_reflection_v2_compare" -> "prims" + "fstar_int64" -> "fstar_uint" + "fstar_int64" -> "fstar_uint" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_uint32" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_mul" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_int" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "fstar_pervasives" + "fstar_int64" -> "prims" + "fstar_int64" -> "prims" + "core_iter_adapters_enumerate" -> "rust_primitives" + "core_iter_adapters_enumerate" -> "rust_primitives" + "core_iter_adapters_enumerate" -> "fstar_pervasives" + "core_iter_adapters_enumerate" -> "fstar_pervasives" + "core_iter_adapters_enumerate" -> "prims" + "core_iter_adapters_enumerate" -> "prims" + "fstar_reflection_v1_formula" -> "fstar_pervasives_native" + "fstar_reflection_v1_formula" -> "fstar_pervasives_native" + "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_data" + "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_formula" -> "fstar_reflection_v1_derived" + "fstar_reflection_v1_formula" -> "fstar_stubs_reflection_v1_builtins" + "fstar_reflection_v1_formula" -> "fstar_reflection_const" + "fstar_reflection_v1_formula" -> "fstar_reflection_const" + 
"fstar_reflection_v1_formula" -> "fstar_stubs_reflection_types" + "fstar_reflection_v1_formula" -> "fstar_stubs_tactics_v1_builtins" + "fstar_reflection_v1_formula" -> "fstar_tactics_effect" + "fstar_reflection_v1_formula" -> "fstar_tactics_effect" + "fstar_reflection_v1_formula" -> "fstar_list_tot_base" + "fstar_reflection_v1_formula" -> "fstar_list_tot_base" + "fstar_reflection_v1_formula" -> "fstar_pervasives" + "fstar_reflection_v1_formula" -> "fstar_pervasives" + "fstar_reflection_v1_formula" -> "prims" + "fstar_reflection_v1_formula" -> "prims" +}
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Makefile b/libcrux-ml-kem/proofs/fstar/extraction/Makefile
index a3e9b243b..9f14bdf7d 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Makefile
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Makefile
@@ -16,5 +16,5 @@ ADMIT_MODULES = Libcrux_ml_kem.Vector.Avx2.fsti \
 Libcrux_ml_kem.Vector.Neon.Serialize.fst \
 Libcrux_ml_kem.Vector.Neon.Vector_type.fst
-FSTAR_INCLUDE_DIRS_EXTRA += ../spec
+FSTAR_INCLUDE_DIRS_EXTRA += ../spec $(shell git rev-parse --show-toplevel)/fstar-helpers/fstar-bitvec
 include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base
From 1cefb79e2e0193ffc4a30bc7f9c74e60dfba7209 Mon Sep 17 00:00:00 2001
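Review bot: The new `FSTAR_INCLUDE_DIRS_EXTRA` line duplicates the `$(shell git rev-parse --show-toplevel)` call that the `include` line directly below it already makes, so the repository root is now computed in two places that can drift apart; if `FSTAR_INCLUDE_DIRS_EXTRA` is recursively expanded (its earlier definition is outside this hunk), the git command is also re-run on every expansion of the variable. Hoisting it once, `TOPLEVEL := $(shell git rev-parse --show-toplevel)`, and then using `$(TOPLEVEL)/fstar-helpers/fstar-bitvec` and `$(TOPLEVEL)/fstar-helpers/Makefile.base` evaluates it a single time and keeps both paths in sync. When the Makefile is run outside a git checkout (for example from a source tarball) the shell call expands to an empty string and the added include directory silently becomes `/fstar-helpers/fstar-bitvec`; a one-line guard such as `$(if $(TOPLEVEL),,$(error not inside a git checkout))` would turn that into a visible failure instead of a confusing F* include error.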
From: Franziskus Kiefer Date: Fri, 8 Nov 2024 09:48:33 +0000 Subject: [PATCH 72/74] update mlkem C code --- libcrux-ml-kem/c/code_gen.txt | 8 +- libcrux-ml-kem/c/internal/libcrux_core.h | 8 +- .../c/internal/libcrux_mlkem_avx2.h | 8 +- .../c/internal/libcrux_mlkem_portable.h | 8 +- libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h | 8 +- .../c/internal/libcrux_sha3_internal.h | 28 ++- libcrux-ml-kem/c/libcrux_core.c | 8 +- libcrux-ml-kem/c/libcrux_core.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem1024.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c | 8 +- libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem1024_portable.c | 8 +- libcrux-ml-kem/c/libcrux_mlkem1024_portable.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem512.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem512_avx2.c | 8 +- libcrux-ml-kem/c/libcrux_mlkem512_avx2.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem512_portable.c | 8 +- libcrux-ml-kem/c/libcrux_mlkem512_portable.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem768.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem768_avx2.c | 8 +- libcrux-ml-kem/c/libcrux_mlkem768_avx2.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem768_portable.c | 8 +- libcrux-ml-kem/c/libcrux_mlkem768_portable.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem_avx2.c | 8 +- libcrux-ml-kem/c/libcrux_mlkem_avx2.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem_portable.c | 8 +- libcrux-ml-kem/c/libcrux_mlkem_portable.h | 8 +- libcrux-ml-kem/c/libcrux_sha3.h | 68 ++--- libcrux-ml-kem/c/libcrux_sha3_avx2.c | 149 +++++------ libcrux-ml-kem/c/libcrux_sha3_avx2.h | 8 +- libcrux-ml-kem/c/libcrux_sha3_internal.h | 8 +- libcrux-ml-kem/c/libcrux_sha3_neon.c | 47 ++-- libcrux-ml-kem/c/libcrux_sha3_neon.h | 8 +- libcrux-ml-kem/cg/code_gen.txt | 8 +- libcrux-ml-kem/cg/libcrux_core.h | 8 +- libcrux-ml-kem/cg/libcrux_ct_ops.h | 8 +- libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h | 8 +- .../cg/libcrux_mlkem768_avx2_types.h | 8 +- libcrux-ml-kem/cg/libcrux_mlkem768_portable.h | 8 +- .../cg/libcrux_mlkem768_portable_types.h | 8 +- 
libcrux-ml-kem/cg/libcrux_sha3_avx2.h | 237 ++++++++++-------- libcrux-ml-kem/cg/libcrux_sha3_portable.h | 132 +++++----- 42 files changed, 502 insertions(+), 447 deletions(-) diff --git a/libcrux-ml-kem/c/code_gen.txt b/libcrux-ml-kem/c/code_gen.txt index a9f0fcd1a..8499b9238 100644 --- a/libcrux-ml-kem/c/code_gen.txt +++ b/libcrux-ml-kem/c/code_gen.txt @@ -1,6 +1,6 @@ This code was generated with the following revisions: -Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f +Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c -Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 -F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc -Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 +Karamel: 8c3612018c25889288da6857771be3ad03b75bcd +F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty +Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 diff --git a/libcrux-ml-kem/c/internal/libcrux_core.h b/libcrux-ml-kem/c/internal/libcrux_core.h index a6219b29c..7f5862bfb 100644 --- a/libcrux-ml-kem/c/internal/libcrux_core.h +++ b/libcrux-ml-kem/c/internal/libcrux_core.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f + * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 - * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 + * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd + * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty + * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 */ #ifndef __internal_libcrux_core_H diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h index 122098dd0..57c7e9008 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f + * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 - * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 + * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd + * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty + * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 */ #ifndef __internal_libcrux_mlkem_avx2_H diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h index fe31b4dfe..59bc0be6d 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f + * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 - * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 + * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd + * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty + * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 */ #ifndef __internal_libcrux_mlkem_portable_H diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h index 822ba71c9..4154d969b 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f + * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 - * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 + * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd + * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty + * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 */ #ifndef __internal_libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h index c033eebf3..ee6a37d9b 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f + * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 - * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 + * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd + * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty + * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 */ #ifndef __internal_libcrux_sha3_internal_H @@ -27,7 +27,7 @@ typedef libcrux_sha3_generic_keccak_KeccakState_17 /** Create a new SHAKE-128 state object. */ -static inline libcrux_sha3_generic_keccak_KeccakState_17 +static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17 libcrux_sha3_portable_incremental_shake128_init(void) { return libcrux_sha3_generic_keccak_new_89_04(); } 
@@ -35,7 +35,8 @@ libcrux_sha3_portable_incremental_shake128_init(void) { /** Absorb */ -static inline void libcrux_sha3_portable_incremental_shake128_absorb_final( +static KRML_MUSTINLINE void +libcrux_sha3_portable_incremental_shake128_absorb_final( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data0) { Eurydice_slice buf[1U] = {data0}; libcrux_sha3_generic_keccak_absorb_final_9e(s, buf); @@ -44,7 +45,7 @@ static inline void libcrux_sha3_portable_incremental_shake128_absorb_final( /** Squeeze another block */ -static inline void +static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake128_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { Eurydice_slice buf[1U] = {out0}; @@ -81,7 +82,7 @@ libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6( /** Squeeze three blocks */ -static inline void +static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { Eurydice_slice buf[1U] = {out0}; @@ -184,7 +185,7 @@ libcrux_sha3_generic_keccak_squeeze_first_five_blocks_c6( /** Squeeze five blocks */ -static inline void +static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { Eurydice_slice buf[1U] = {out0}; @@ -194,7 +195,8 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( /** Absorb some data for SHAKE-256 for the last time */ -static inline void libcrux_sha3_portable_incremental_shake256_absorb_final( +static KRML_MUSTINLINE void +libcrux_sha3_portable_incremental_shake256_absorb_final( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data) { Eurydice_slice buf[1U] = {data}; libcrux_sha3_generic_keccak_absorb_final_9e0(s, buf); 
@@ -203,7 +205,7 @@ static inline void libcrux_sha3_portable_incremental_shake256_absorb_final( /** Create a new SHAKE-256 state object. */ -static inline libcrux_sha3_generic_keccak_KeccakState_17 +static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17 libcrux_sha3_portable_incremental_shake256_init(void) { return libcrux_sha3_generic_keccak_new_89_04(); } @@ -211,7 +213,7 @@ libcrux_sha3_portable_incremental_shake256_init(void) { /** Squeeze the first SHAKE-256 block */ -static inline void +static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake256_squeeze_first_block( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) { Eurydice_slice buf[1U] = {out}; @@ -221,7 +223,7 @@ libcrux_sha3_portable_incremental_shake256_squeeze_first_block( /** Squeeze the next SHAKE-256 block */ -static inline void +static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake256_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) { Eurydice_slice buf[1U] = {out}; diff --git a/libcrux-ml-kem/c/libcrux_core.c b/libcrux-ml-kem/c/libcrux_core.c index 380560655..1ca124a33 100644 --- a/libcrux-ml-kem/c/libcrux_core.c +++ b/libcrux-ml-kem/c/libcrux_core.c @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f + * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 - * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 + * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd + * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty + * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 */ #include "internal/libcrux_core.h" diff --git a/libcrux-ml-kem/c/libcrux_core.h b/libcrux-ml-kem/c/libcrux_core.h index a9ea4ae31..c6e16c759 100644 
--- a/libcrux-ml-kem/c/libcrux_core.h +++ b/libcrux-ml-kem/c/libcrux_core.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f + * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 - * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 + * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd + * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty + * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 */ #ifndef __libcrux_core_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024.h b/libcrux-ml-kem/c/libcrux_mlkem1024.h index 2a1bac2bc..17224c4b8 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f + * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 - * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6 + * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd + * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty + * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 */ #ifndef __libcrux_mlkem1024_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c index e998b91fa..90ad418e8 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c 
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "libcrux_mlkem1024_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
index c6b5f62bf..7793d845c 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem1024_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
index 575ffc15b..777087e3e 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "libcrux_mlkem1024_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
index 623f86b6a..0d385ff7f 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem1024_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512.h b/libcrux-ml-kem/c/libcrux_mlkem512.h
index e50855804..8b9ba74b4 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem512_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
index b45918ce0..6e7b7232a 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "libcrux_mlkem512_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
index a24272f38..0cfb59f30 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem512_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
index 1aca3e46a..be7835ad5 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "libcrux_mlkem512_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
index 82f656696..948e81ea1 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem512_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768.h b/libcrux-ml-kem/c/libcrux_mlkem768.h
index 4c486fa96..f6e24fa88 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem768_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
index 7754cb2d5..a45904109 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "libcrux_mlkem768_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
index b0f6e449c..1487a3e64 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem768_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
index cadac4f79..1396149db 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "libcrux_mlkem768_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
index 58f4deb7e..89e860721 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem768_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
index 450e14514..dd14a27bf 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "internal/libcrux_mlkem_avx2.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
index b072c10b8..81fceac23 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.c b/libcrux-ml-kem/c/libcrux_mlkem_portable.c
index 5ada2704e..5cd8bb2ee 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_portable.c
+++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "internal/libcrux_mlkem_portable.h"
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/libcrux_mlkem_portable.h
index 6750e40b5..0ed288fba 100644
--- a/libcrux-ml-kem/c/libcrux_mlkem_portable.h
+++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_mlkem_portable_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3.h b/libcrux-ml-kem/c/libcrux_sha3.h
index 4f9736e53..ae0487c65 100644
--- a/libcrux-ml-kem/c/libcrux_sha3.h
+++ b/libcrux-ml-kem/c/libcrux_sha3.h
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #ifndef __libcrux_sha3_H
@@ -25,8 +25,8 @@ extern "C" {
 /**
  A portable SHA3 512 implementation.
 */
-static inline void libcrux_sha3_portable_sha512(Eurydice_slice digest,
-                                                Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_96(buf0, buf);
@@ -35,8 +35,8 @@ static inline void libcrux_sha3_portable_sha512(Eurydice_slice digest,
 /**
  A portable SHA3 256 implementation.
 */
-static inline void libcrux_sha3_portable_sha256(Eurydice_slice digest,
-                                                Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_ad(buf0, buf);
@@ -45,8 +45,8 @@ static inline void libcrux_sha3_portable_sha256(Eurydice_slice digest,
 /**
  A portable SHAKE256 implementation.
 */
-static inline void libcrux_sha3_portable_shake256(Eurydice_slice digest,
-                                                  Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_shake256(
+    Eurydice_slice digest, Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_ad0(buf0, buf);
@@ -55,8 +55,8 @@ static inline void libcrux_sha3_portable_shake256(Eurydice_slice digest,
 /**
  A portable SHA3 224 implementation.
 */
-static inline void libcrux_sha3_portable_sha224(Eurydice_slice digest,
-                                                Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_1e(buf0, buf);
@@ -65,8 +65,8 @@ static inline void libcrux_sha3_portable_sha224(Eurydice_slice digest,
 /**
  A portable SHA3 384 implementation.
 */
-static inline void libcrux_sha3_portable_sha384(Eurydice_slice digest,
-                                                Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest,
+                                                         Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_7c(buf0, buf);
@@ -78,15 +78,16 @@ static inline void libcrux_sha3_portable_sha384(Eurydice_slice digest,
  Preconditions:
  - `digest.len() == 28`
 */
-static inline void libcrux_sha3_sha224_ema(Eurydice_slice digest,
-                                           Eurydice_slice payload) {
+static KRML_MUSTINLINE void libcrux_sha3_sha224_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
   libcrux_sha3_portable_sha224(digest, payload);
 }
 
 /**
  SHA3 224
 */
-static inline void libcrux_sha3_sha224(Eurydice_slice data, uint8_t ret[28U]) {
+static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data,
+                                                uint8_t ret[28U]) {
   uint8_t out[28U] = {0U};
   libcrux_sha3_sha224_ema(Eurydice_array_to_slice((size_t)28U, out, uint8_t),
                           data);
@@ -96,15 +97,16 @@ static inline void libcrux_sha3_sha224(Eurydice_slice data, uint8_t ret[28U]) {
 /**
  SHA3 256
 */
-static inline void libcrux_sha3_sha256_ema(Eurydice_slice digest,
-                                           Eurydice_slice payload) {
+static KRML_MUSTINLINE void libcrux_sha3_sha256_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
   libcrux_sha3_portable_sha256(digest, payload);
 }
 
 /**
  SHA3 256
 */
-static inline void libcrux_sha3_sha256(Eurydice_slice data, uint8_t ret[32U]) {
+static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data,
+                                                uint8_t ret[32U]) {
   uint8_t out[32U] = {0U};
   libcrux_sha3_sha256_ema(Eurydice_array_to_slice((size_t)32U, out, uint8_t),
                           data);
@@ -114,15 +116,16 @@ static inline void libcrux_sha3_sha256(Eurydice_slice data, uint8_t ret[32U]) {
 /**
  SHA3 384
 */
-static inline void libcrux_sha3_sha384_ema(Eurydice_slice digest,
-                                           Eurydice_slice payload) {
+static KRML_MUSTINLINE void libcrux_sha3_sha384_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
   libcrux_sha3_portable_sha384(digest, payload);
 }
 
 /**
  SHA3 384
 */
-static inline void libcrux_sha3_sha384(Eurydice_slice data, uint8_t ret[48U]) {
+static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data,
+                                                uint8_t ret[48U]) {
   uint8_t out[48U] = {0U};
   libcrux_sha3_sha384_ema(Eurydice_array_to_slice((size_t)48U, out, uint8_t),
                           data);
@@ -132,15 +135,16 @@ static inline void libcrux_sha3_sha384(Eurydice_slice data, uint8_t ret[48U]) {
 /**
  SHA3 512
 */
-static inline void libcrux_sha3_sha512_ema(Eurydice_slice digest,
-                                           Eurydice_slice payload) {
+static KRML_MUSTINLINE void libcrux_sha3_sha512_ema(Eurydice_slice digest,
+                                                    Eurydice_slice payload) {
   libcrux_sha3_portable_sha512(digest, payload);
 }
 
 /**
  SHA3 512
 */
-static inline void libcrux_sha3_sha512(Eurydice_slice data, uint8_t ret[64U]) {
+static KRML_MUSTINLINE void libcrux_sha3_sha512(Eurydice_slice data,
+                                                uint8_t ret[64U]) {
   uint8_t out[64U] = {0U};
   libcrux_sha3_sha512_ema(Eurydice_array_to_slice((size_t)64U, out, uint8_t),
                           data);
@@ -150,8 +154,8 @@ static inline void libcrux_sha3_sha512(Eurydice_slice data, uint8_t ret[64U]) {
 /**
  A portable SHAKE128 implementation.
 */
-static inline void libcrux_sha3_portable_shake128(Eurydice_slice digest,
-                                                  Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_portable_shake128(
+    Eurydice_slice digest, Eurydice_slice data) {
   Eurydice_slice buf0[1U] = {data};
   Eurydice_slice buf[1U] = {digest};
   libcrux_sha3_portable_keccakx1_c6(buf0, buf);
@@ -162,8 +166,8 @@ static inline void libcrux_sha3_portable_shake128(Eurydice_slice digest,
 
  Writes `out.len()` bytes.
 */
-static inline void libcrux_sha3_shake128_ema(Eurydice_slice out,
-                                             Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out,
+                                                      Eurydice_slice data) {
   libcrux_sha3_portable_shake128(out, data);
 }
 
@@ -172,8 +176,8 @@ static inline void libcrux_sha3_shake128_ema(Eurydice_slice out,
 
  Writes `out.len()` bytes.
 */
-static inline void libcrux_sha3_shake256_ema(Eurydice_slice out,
-                                             Eurydice_slice data) {
+static KRML_MUSTINLINE void libcrux_sha3_shake256_ema(Eurydice_slice out,
+                                                      Eurydice_slice data) {
   libcrux_sha3_portable_shake256(out, data);
 }
 
diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.c b/libcrux-ml-kem/c/libcrux_sha3_avx2.c
index 7fc037744..6bb8c32bd 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_avx2.c
+++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.c
@@ -4,11 +4,11 @@
  * SPDX-License-Identifier: MIT or Apache-2.0
  *
  * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
  * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
  */
 
 #include "internal/libcrux_sha3_avx2.h"
@@ -23,8 +23,8 @@ static KRML_MUSTINLINE __m256i zero_ef(void) {
   return mm256_set1_epi64x((int64_t)0);
 }
 
-static __m256i _veor5q_u64(__m256i a, __m256i b, __m256i c, __m256i d,
-                           __m256i e) {
+static KRML_MUSTINLINE __m256i _veor5q_u64(__m256i a, __m256i b, __m256i c,
+                                           __m256i d, __m256i e) {
   __m256i ab = mm256_xor_si256(a, b);
   __m256i cd = mm256_xor_si256(c, d);
   __m256i abcd = mm256_xor_si256(ab, cd);
@@ -46,12 +46,12 @@ with const generics
 - LEFT= 1
 - RIGHT= 63
 */
-static __m256i rotate_left_76(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_76(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)1, x, __m256i),
                          mm256_srli_epi64((int32_t)63, x, __m256i));
 }
 
-static __m256i _vrax1q_u64(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vrax1q_u64(__m256i a, __m256i b) {
   __m256i uu____0 = a;
   return mm256_xor_si256(uu____0, rotate_left_76(b));
 }
@@ -64,7 +64,7 @@ static KRML_MUSTINLINE __m256i rotate_left1_and_xor_ef(__m256i a, __m256i b) {
   return _vrax1q_u64(a, b);
 }
 
-static __m256i _vbcaxq_u64(__m256i a, __m256i b, __m256i c) {
+static KRML_MUSTINLINE __m256i _vbcaxq_u64(__m256i a, __m256i b, __m256i c) {
   return mm256_xor_si256(a, mm256_andnot_si256(c, b));
 }
 
@@ -76,7 +76,7 @@ static KRML_MUSTINLINE __m256i and_not_xor_ef(__m256i a, __m256i b, __m256i c) {
   return _vbcaxq_u64(a, b, c);
 }
 
-static __m256i _veorq_n_u64(__m256i a, uint64_t c) {
+static KRML_MUSTINLINE __m256i _veorq_n_u64(__m256i a, uint64_t c) {
   __m256i c0 = mm256_set1_epi64x(
       (int64_t) /* Casting here is required, doesn't change the value. */ c);
   return mm256_xor_si256(a, c0);
@@ -90,18 +90,16 @@ static KRML_MUSTINLINE __m256i xor_constant_ef(__m256i a, uint64_t c) {
   return _veorq_n_u64(a, c);
 }
 
-static __m256i xor0(__m256i a, __m256i b) { return mm256_xor_si256(a, b); }
-
 /**
 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
 usize> for core::core_arch::x86::__m256i)}
 */
 static KRML_MUSTINLINE __m256i xor_ef(__m256i a, __m256i b) {
-  return xor0(a, b);
+  return mm256_xor_si256(a, b);
 }
 
-static void slice_4(Eurydice_slice a[4U], size_t start, size_t len,
-                    Eurydice_slice ret[4U]) {
+static KRML_MUSTINLINE void slice_4(Eurydice_slice a[4U], size_t start,
+                                    size_t len, Eurydice_slice ret[4U]) {
   ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t);
   ret[1U] = Eurydice_slice_subslice2(a[1U], start, start + len, uint8_t);
   ret[2U] = Eurydice_slice_subslice2(a[2U], start, start + len, uint8_t);
@@ -122,8 +120,8 @@ static KRML_MUSTINLINE void slice_n_ef(Eurydice_slice a[4U], size_t start,
   memcpy(ret, ret0, (size_t)4U * sizeof(Eurydice_slice));
 }
 
-static Eurydice_slice_uint8_t_4size_t__x2 split_at_mut_4(Eurydice_slice out[4U],
-                                                         size_t mid) {
+static KRML_MUSTINLINE Eurydice_slice_uint8_t_4size_t__x2
+split_at_mut_4(Eurydice_slice out[4U], size_t mid) {
   Eurydice_slice out0 = out[0U];
   Eurydice_slice out1 = out[1U];
   Eurydice_slice out2 = out[2U];
@@ -214,7 +212,8 @@ A monomorphic instance of libcrux_sha3.simd.avx2.load_block
 with const generics
 - RATE= 136
 */
-static void load_block_5b(__m256i (*s)[5U], Eurydice_slice blocks[4U]) {
+static KRML_MUSTINLINE void load_block_5b(__m256i (*s)[5U],
+                                          Eurydice_slice blocks[4U]) {
   for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) {
     size_t i0 = i;
     __m256i v00 = mm256_loadu_si256_u8(
@@ -348,7 +347,7 @@ with const generics
 - LEFT= 36
 - RIGHT= 28
 */
-static __m256i rotate_left_02(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_02(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)36, x, __m256i),
                          mm256_srli_epi64((int32_t)28, x, __m256i));
 }
@@ -359,7 +358,7 @@ with const generics
 - LEFT= 36
 - RIGHT= 28
 */
-static __m256i _vxarq_u64_02(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_02(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_02(ab);
 }
@@ -384,7 +383,7 @@ with const generics
 - LEFT= 3
 - RIGHT= 61
 */
-static __m256i rotate_left_ac(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_ac(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)3, x, __m256i),
                          mm256_srli_epi64((int32_t)61, x, __m256i));
 }
@@ -395,7 +394,7 @@ with const generics
 - LEFT= 3
 - RIGHT= 61
 */
-static __m256i _vxarq_u64_ac(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_ac(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_ac(ab);
 }
@@ -420,7 +419,7 @@ with const generics
 - LEFT= 41
 - RIGHT= 23
 */
-static __m256i rotate_left_020(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_020(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)41, x, __m256i),
                          mm256_srli_epi64((int32_t)23, x, __m256i));
 }
@@ -431,7 +430,7 @@ with const generics
 - LEFT= 41
 - RIGHT= 23
 */
-static __m256i _vxarq_u64_020(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_020(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_020(ab);
 }
@@ -456,7 +455,7 @@ with const generics
 - LEFT= 18
 - RIGHT= 46
 */
-static __m256i rotate_left_a9(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_a9(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)18, x, __m256i),
                          mm256_srli_epi64((int32_t)46, x, __m256i));
 }
@@ -467,7 +466,7 @@ with const generics
 - LEFT= 18
 - RIGHT= 46
 */
-static __m256i _vxarq_u64_a9(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_a9(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_a9(ab);
 }
@@ -492,7 +491,7 @@ with const generics
 - LEFT= 1
 - RIGHT= 63
 */
-static __m256i _vxarq_u64_76(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_76(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_76(ab);
 }
@@ -517,7 +516,7 @@ with const generics
 - LEFT= 44
 - RIGHT= 20
 */
-static __m256i rotate_left_58(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_58(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)44, x, __m256i),
                          mm256_srli_epi64((int32_t)20, x, __m256i));
 }
@@ -528,7 +527,7 @@ with const generics
 - LEFT= 44
 - RIGHT= 20
 */
-static __m256i _vxarq_u64_58(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_58(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_58(ab);
 }
@@ -553,7 +552,7 @@ with const generics
 - LEFT= 10
 - RIGHT= 54
 */
-static __m256i rotate_left_e0(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_e0(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)10, x, __m256i),
                          mm256_srli_epi64((int32_t)54, x, __m256i));
 }
@@ -564,7 +563,7 @@ with const generics
 - LEFT= 10
 - RIGHT= 54
 */
-static __m256i _vxarq_u64_e0(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_e0(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_e0(ab);
 }
@@ -589,7 +588,7 @@ with const generics
 - LEFT= 45
 - RIGHT= 19
 */
-static __m256i rotate_left_63(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_63(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)45, x, __m256i),
                          mm256_srli_epi64((int32_t)19, x, __m256i));
 }
@@ -600,7 +599,7 @@ with const generics
 - LEFT= 45
 - RIGHT= 19
 */
-static __m256i _vxarq_u64_63(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_63(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_63(ab);
 }
@@ -625,7 +624,7 @@ with const generics
 - LEFT= 2
 - RIGHT= 62
 */
-static __m256i rotate_left_6a(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_6a(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)2, x, __m256i),
                          mm256_srli_epi64((int32_t)62, x, __m256i));
 }
@@ -636,7 +635,7 @@ with const generics
 - LEFT= 2
 - RIGHT= 62
 */
-static __m256i _vxarq_u64_6a(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_6a(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_6a(ab);
 }
@@ -661,7 +660,7 @@ with const generics
 - LEFT= 62
 - RIGHT= 2
 */
-static __m256i rotate_left_ab(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_ab(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)62, x, __m256i),
                          mm256_srli_epi64((int32_t)2, x, __m256i));
 }
@@ -672,7 +671,7 @@ with const generics
 - LEFT= 62
 - RIGHT= 2
 */
-static __m256i _vxarq_u64_ab(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_ab(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_ab(ab);
 }
@@ -697,7 +696,7 @@ with const generics
 - LEFT= 6
 - RIGHT= 58
 */
-static __m256i rotate_left_5b(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_5b(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)6, x, __m256i),
                          mm256_srli_epi64((int32_t)58, x, __m256i));
 }
@@ -708,7 +707,7 @@ with const generics
 - LEFT= 6
 - RIGHT= 58
 */
-static __m256i _vxarq_u64_5b(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_5b(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_5b(ab);
 }
@@ -733,7 +732,7 @@ with const generics
 - LEFT= 43
 - RIGHT= 21
 */
-static __m256i rotate_left_6f(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_6f(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)43, x, __m256i),
                          mm256_srli_epi64((int32_t)21, x, __m256i));
 }
@@ -744,7 +743,7 @@ with const generics
 - LEFT= 43
 - RIGHT= 21
 */
-static __m256i _vxarq_u64_6f(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_6f(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_6f(ab);
 }
@@ -769,7 +768,7 @@ with const generics
 - LEFT= 15
 - RIGHT= 49
 */
-static __m256i rotate_left_62(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_62(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)15, x, __m256i),
                          mm256_srli_epi64((int32_t)49, x, __m256i));
 }
@@ -780,7 +779,7 @@ with const generics
 - LEFT= 15
 - RIGHT= 49
 */
-static __m256i _vxarq_u64_62(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_62(__m256i a, __m256i b) {
   __m256i ab = mm256_xor_si256(a, b);
   return rotate_left_62(ab);
 }
@@ -805,7 +804,7 @@ with const generics
 - LEFT= 61
 - RIGHT= 3
 */
-static __m256i rotate_left_23(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_23(__m256i x) {
   return mm256_xor_si256(mm256_slli_epi64((int32_t)61, x, __m256i),
                          mm256_srli_epi64((int32_t)3, x, __m256i));
 }
@@ -816,7 +815,7 @@ with const generics
 - LEFT= 61
 - RIGHT= 3
 */
-static __m256i _vxarq_u64_23(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_23(__m256i a, __m256i b) {
 __m256i ab = mm256_xor_si256(a, b);
 return rotate_left_23(ab);
 }
@@ -841,7 +840,7 @@ with const generics
 - LEFT= 28
 - RIGHT= 36
 */
-static __m256i rotate_left_37(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_37(__m256i x) {
 return mm256_xor_si256(mm256_slli_epi64((int32_t)28, x, __m256i),
 mm256_srli_epi64((int32_t)36, x, __m256i));
 }
@@ -852,7 +851,7 @@ with const generics
 - LEFT= 28
 - RIGHT= 36
 */
-static __m256i _vxarq_u64_37(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_37(__m256i a, __m256i b) {
 __m256i ab = mm256_xor_si256(a, b);
 return rotate_left_37(ab);
 }
@@ -877,7 +876,7 @@ with const generics
 - LEFT= 55
 - RIGHT= 9
 */
-static __m256i rotate_left_bb(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_bb(__m256i x) {
 return mm256_xor_si256(mm256_slli_epi64((int32_t)55, x, __m256i),
 mm256_srli_epi64((int32_t)9, x, __m256i));
 }
@@ -888,7 +887,7 @@ with const generics
 - LEFT= 55
 - RIGHT= 9
 */
-static __m256i _vxarq_u64_bb(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_bb(__m256i a, __m256i b) {
 __m256i ab = mm256_xor_si256(a, b);
 return rotate_left_bb(ab);
 }
@@ -913,7 +912,7 @@ with const generics
 - LEFT= 25
 - RIGHT= 39
 */
-static __m256i rotate_left_b9(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_b9(__m256i x) {
 return mm256_xor_si256(mm256_slli_epi64((int32_t)25, x, __m256i),
 mm256_srli_epi64((int32_t)39, x, __m256i));
 }
@@ -924,7 +923,7 @@ with const generics
 - LEFT= 25
 - RIGHT= 39
 */
-static __m256i _vxarq_u64_b9(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_b9(__m256i a, __m256i b) {
 __m256i ab = mm256_xor_si256(a, b);
 return rotate_left_b9(ab);
 }
@@ -949,7 +948,7 @@ with const generics
 - LEFT= 21
 - RIGHT= 43
 */
-static __m256i rotate_left_54(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_54(__m256i x) {
 return mm256_xor_si256(mm256_slli_epi64((int32_t)21, x, __m256i),
 mm256_srli_epi64((int32_t)43, x, __m256i));
 }
@@ -960,7 +959,7 @@ with const generics
 - LEFT= 21
 - RIGHT= 43
 */
-static __m256i _vxarq_u64_54(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_54(__m256i a, __m256i b) {
 __m256i ab = mm256_xor_si256(a, b);
 return rotate_left_54(ab);
 }
@@ -985,7 +984,7 @@ with const generics
 - LEFT= 56
 - RIGHT= 8
 */
-static __m256i rotate_left_4c(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_4c(__m256i x) {
 return mm256_xor_si256(mm256_slli_epi64((int32_t)56, x, __m256i),
 mm256_srli_epi64((int32_t)8, x, __m256i));
 }
@@ -996,7 +995,7 @@ with const generics
 - LEFT= 56
 - RIGHT= 8
 */
-static __m256i _vxarq_u64_4c(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_4c(__m256i a, __m256i b) {
 __m256i ab = mm256_xor_si256(a, b);
 return rotate_left_4c(ab);
 }
@@ -1021,7 +1020,7 @@ with const generics
 - LEFT= 27
 - RIGHT= 37
 */
-static __m256i rotate_left_ce(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_ce(__m256i x) {
 return mm256_xor_si256(mm256_slli_epi64((int32_t)27, x, __m256i),
 mm256_srli_epi64((int32_t)37, x, __m256i));
 }
@@ -1032,7 +1031,7 @@ with const generics
 - LEFT= 27
 - RIGHT= 37
 */
-static __m256i _vxarq_u64_ce(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_ce(__m256i a, __m256i b) {
 __m256i ab = mm256_xor_si256(a, b);
 return rotate_left_ce(ab);
 }
@@ -1057,7 +1056,7 @@ with const generics
 - LEFT= 20
 - RIGHT= 44
 */
-static __m256i rotate_left_77(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_77(__m256i x) {
 return mm256_xor_si256(mm256_slli_epi64((int32_t)20, x, __m256i),
 mm256_srli_epi64((int32_t)44, x, __m256i));
 }
@@ -1068,7 +1067,7 @@ with const generics
 - LEFT= 20
 - RIGHT= 44
 */
-static __m256i _vxarq_u64_77(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_77(__m256i a, __m256i b) {
 __m256i ab = mm256_xor_si256(a, b);
 return rotate_left_77(ab);
 }
@@ -1093,7 +1092,7 @@ with const generics
 - LEFT= 39
 - RIGHT= 25
 */
-static __m256i rotate_left_25(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_25(__m256i x) {
 return mm256_xor_si256(mm256_slli_epi64((int32_t)39, x, __m256i),
 mm256_srli_epi64((int32_t)25, x, __m256i));
 }
@@ -1104,7 +1103,7 @@ with const generics
 - LEFT= 39
 - RIGHT= 25
 */
-static __m256i _vxarq_u64_25(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_25(__m256i a, __m256i b) {
 __m256i ab = mm256_xor_si256(a, b);
 return rotate_left_25(ab);
 }
@@ -1129,7 +1128,7 @@ with const generics
 - LEFT= 8
 - RIGHT= 56
 */
-static __m256i rotate_left_af(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_af(__m256i x) {
 return mm256_xor_si256(mm256_slli_epi64((int32_t)8, x, __m256i),
 mm256_srli_epi64((int32_t)56, x, __m256i));
 }
@@ -1140,7 +1139,7 @@ with const generics
 - LEFT= 8
 - RIGHT= 56
 */
-static __m256i _vxarq_u64_af(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_af(__m256i a, __m256i b) {
 __m256i ab = mm256_xor_si256(a, b);
 return rotate_left_af(ab);
 }
@@ -1165,7 +1164,7 @@ with const generics
 - LEFT= 14
 - RIGHT= 50
 */
-static __m256i rotate_left_fd(__m256i x) {
+static KRML_MUSTINLINE __m256i rotate_left_fd(__m256i x) {
 return mm256_xor_si256(mm256_slli_epi64((int32_t)14, x, __m256i),
 mm256_srli_epi64((int32_t)50, x, __m256i));
 }
@@ -1176,7 +1175,7 @@ with const generics
 - LEFT= 14
 - RIGHT= 50
 */
-static __m256i _vxarq_u64_fd(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i _vxarq_u64_fd(__m256i a, __m256i b) {
 __m256i ab = mm256_xor_si256(a, b);
 return rotate_left_fd(ab);
 }
@@ -1422,7 +1421,8 @@ A monomorphic instance of libcrux_sha3.simd.avx2.store_block
 with const generics
 - RATE= 136
 */
-static void store_block_5b(__m256i (*s)[5U], Eurydice_slice out[4U]) {
+static KRML_MUSTINLINE void store_block_5b(__m256i (*s)[5U],
+ Eurydice_slice out[4U]) {
 for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) {
 size_t i0 = i;
 __m256i v0l = mm256_permute2x128_si256(
@@ -1775,7 +1775,8 @@ A monomorphic instance of libcrux_sha3.simd.avx2.load_block
 with const generics
 - RATE= 168
 */
-static void load_block_3a(__m256i (*s)[5U], Eurydice_slice blocks[4U]) {
+static KRML_MUSTINLINE void load_block_3a(__m256i (*s)[5U],
+ Eurydice_slice blocks[4U]) {
 for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) {
 size_t i0 = i;
 __m256i v00 = mm256_loadu_si256_u8(
@@ -1961,7 +1962,8 @@ A monomorphic instance of libcrux_sha3.simd.avx2.store_block
 with const generics
 - RATE= 168
 */
-static void store_block_3a(__m256i (*s)[5U], Eurydice_slice out[4U]) {
+static KRML_MUSTINLINE void store_block_3a(__m256i (*s)[5U],
+ Eurydice_slice out[4U]) {
 for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) {
 size_t i0 = i;
 __m256i v0l = mm256_permute2x128_si256(
@@ -2205,7 +2207,8 @@ static KRML_MUSTINLINE void squeeze_first_five_blocks_97(
 /**
 Squeeze five blocks
 */
-void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks(
+KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks(
 libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
 Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
 Eurydice_slice buf[4U] = {out0, out1, out2, out3};
@@ -2215,7 +2218,7 @@ void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks(
 /**
 Absorb
 */
-void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
+KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
 libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0,
 Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) {
 Eurydice_slice buf[4U] = {data0, data1, data2, data3};
@@ -2225,7 +2228,8 @@ void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final(
 /**
 Squeeze block
 */
-void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block(
+KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block(
 libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
 Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
 Eurydice_slice buf[4U] = {out0, out1, out2, out3};
@@ -2235,7 +2239,8 @@ void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block(
 /**
 Squeeze next block
 */
-void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block(
+KRML_MUSTINLINE void
+libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block(
 libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0,
 Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) {
 Eurydice_slice buf[4U] = {out0, out1, out2, out3};
diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/libcrux_sha3_avx2.h
index b13fc4697..6abfa8697 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_avx2.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.h
@@ -4,11 +4,11 @@
 * SPDX-License-Identifier: MIT or Apache-2.0
 *
 * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
 */
 
 #ifndef __libcrux_sha3_avx2_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3_internal.h b/libcrux-ml-kem/c/libcrux_sha3_internal.h
index 44ee7755b..f204ff714 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_internal.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_internal.h
@@ -4,11 +4,11 @@
 * SPDX-License-Identifier: MIT or Apache-2.0
 *
 * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
 */
 
 #ifndef __libcrux_sha3_internal_H
diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.c b/libcrux-ml-kem/c/libcrux_sha3_neon.c
index 527fa850b..ab9ae179a 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_neon.c
+++ b/libcrux-ml-kem/c/libcrux_sha3_neon.c
@@ -4,11 +4,11 @@
 * SPDX-License-Identifier: MIT or Apache-2.0
 *
 * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
 */
 
 #include "libcrux_sha3_neon.h"
@@ -16,7 +16,8 @@
 /**
 A portable SHA3 224 implementation.
 */
-void libcrux_sha3_neon_sha224(Eurydice_slice digest, Eurydice_slice data) {
+KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest,
+ Eurydice_slice data) {
 KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
 "panic!");
 KRML_HOST_EXIT(255U);
@@ -25,7 +26,8 @@ void libcrux_sha3_neon_sha224(Eurydice_slice digest, Eurydice_slice data) {
 /**
 A portable SHA3 256 implementation.
 */
-void libcrux_sha3_neon_sha256(Eurydice_slice digest, Eurydice_slice data) {
+KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest,
+ Eurydice_slice data) {
 KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
 "panic!");
 KRML_HOST_EXIT(255U);
@@ -34,7 +36,8 @@ void libcrux_sha3_neon_sha256(Eurydice_slice digest, Eurydice_slice data) {
 /**
 A portable SHA3 384 implementation.
 */
-void libcrux_sha3_neon_sha384(Eurydice_slice digest, Eurydice_slice data) {
+KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest,
+ Eurydice_slice data) {
 KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
 "panic!");
 KRML_HOST_EXIT(255U);
@@ -43,7 +46,8 @@ void libcrux_sha3_neon_sha384(Eurydice_slice digest, Eurydice_slice data) {
 /**
 A portable SHA3 512 implementation.
 */
-void libcrux_sha3_neon_sha512(Eurydice_slice digest, Eurydice_slice data) {
+KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest,
+ Eurydice_slice data) {
 KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
 "panic!");
 KRML_HOST_EXIT(255U);
@@ -54,8 +58,10 @@ void libcrux_sha3_neon_sha512(Eurydice_slice digest, Eurydice_slice data) {
 
 Writes the two results into `out0` and `out1`
 */
-void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, Eurydice_slice input1,
- Eurydice_slice out0, Eurydice_slice out1) {
+KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0,
+ Eurydice_slice input1,
+ Eurydice_slice out0,
+ Eurydice_slice out1) {
 /* TODO: make argument ordering consistent */
 KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
 "panic!");
@@ -65,7 +71,7 @@ void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, Eurydice_slice input1,
 /**
 Initialise the `KeccakState2`.
 */
-libcrux_sha3_neon_x2_incremental_KeccakState
+KRML_MUSTINLINE libcrux_sha3_neon_x2_incremental_KeccakState
 libcrux_sha3_neon_x2_incremental_init(void) {
 /* XXX: These functions could alternatively implement the same with the
 * portable implementation { let s0 = KeccakState::new(); let s1 =
@@ -78,7 +84,7 @@ libcrux_sha3_neon_x2_incremental_init(void) {
 /**
 Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`.
 */
-void libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
+KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
 libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0,
 Eurydice_slice data1) {
 /* XXX: These functions could alternatively implement the same with the
@@ -94,7 +100,8 @@ void libcrux_sha3_neon_x2_incremental_shake128_absorb_final(
 Squeeze 2 times the first three blocks in parallel in the [`KeccakState`] and return the output in `out0` and `out1`.
 */
-void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
+KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
 libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
 Eurydice_slice out1) {
 /* XXX: These functions could alternatively implement the same with the
@@ -110,7 +117,8 @@ void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks(
 Squeeze 2 times the next block in parallel in the [`KeccakState`] and return the output in `out0` and `out1`.
 */
-void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
+KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
 libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
 Eurydice_slice out1) {
 /* XXX: These functions could alternatively implement the same with the
@@ -125,7 +133,8 @@ void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block(
 /**
 Squeeze five blocks
 */
-void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks(
+KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks(
 libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
 Eurydice_slice out1) {
 KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
@@ -136,7 +145,7 @@ void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks(
 /**
 Shake256 absorb `data0` and `data1` in the [`KeccakState`] `s`.
 */
-void libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
+KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
 libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0,
 Eurydice_slice data1) {
 /* XXX: These functions could alternatively implement the same with the
@@ -151,7 +160,8 @@ void libcrux_sha3_neon_x2_incremental_shake256_absorb_final(
 /**
 Squeeze block
 */
-void libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block(
+KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block(
 libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
 Eurydice_slice out1) {
 KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
@@ -162,7 +172,8 @@ void libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block(
 /**
 Squeeze next block
 */
-void libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block(
+KRML_MUSTINLINE void
+libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block(
 libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0,
 Eurydice_slice out1) {
 KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__,
diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.h b/libcrux-ml-kem/c/libcrux_sha3_neon.h
index 0fda1a76f..e53786c98 100644
--- a/libcrux-ml-kem/c/libcrux_sha3_neon.h
+++ b/libcrux-ml-kem/c/libcrux_sha3_neon.h
@@ -4,11 +4,11 @@
 * SPDX-License-Identifier: MIT or Apache-2.0
 *
 * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: a971e8a0892ab58eb114a276e1eff2291093dae6
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
 */
 
 #ifndef __libcrux_sha3_neon_H
diff --git a/libcrux-ml-kem/cg/code_gen.txt b/libcrux-ml-kem/cg/code_gen.txt
index ec74b2b30..8499b9238 100644
--- a/libcrux-ml-kem/cg/code_gen.txt
+++ b/libcrux-ml-kem/cg/code_gen.txt
@@ -1,6 +1,6 @@
 This code was generated with the following revisions:
-Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
-Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
-F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
-Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
diff --git a/libcrux-ml-kem/cg/libcrux_core.h b/libcrux-ml-kem/cg/libcrux_core.h
index b96c41ebd..0855ea040 100644
--- a/libcrux-ml-kem/cg/libcrux_core.h
+++ b/libcrux-ml-kem/cg/libcrux_core.h
@@ -4,11 +4,11 @@
 * SPDX-License-Identifier: MIT or Apache-2.0
 *
 * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
 */
 
 #ifndef __libcrux_core_H
diff --git a/libcrux-ml-kem/cg/libcrux_ct_ops.h b/libcrux-ml-kem/cg/libcrux_ct_ops.h
index 5c325dd1c..e5c8b4a89 100644
--- a/libcrux-ml-kem/cg/libcrux_ct_ops.h
+++ b/libcrux-ml-kem/cg/libcrux_ct_ops.h
@@ -4,11 +4,11 @@
 * SPDX-License-Identifier: MIT or Apache-2.0
 *
 * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
 */
 
 #ifndef __libcrux_ct_ops_H
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h
index 30f56aa6c..178061ffb 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h
@@ -4,11 +4,11 @@
 * SPDX-License-Identifier: MIT or Apache-2.0
 *
 * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
 */
 
 #ifndef __libcrux_mlkem768_avx2_H
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h
index 7bf29c82c..7c6012c47 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h
@@ -4,11 +4,11 @@
 * SPDX-License-Identifier: MIT or Apache-2.0
 *
 * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
 */
 
 #ifndef __libcrux_mlkem768_avx2_types_H
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
index 4968a4688..ed2d45bf4 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h
@@ -4,11 +4,11 @@
 * SPDX-License-Identifier: MIT or Apache-2.0
 *
 * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
 */
 
 #ifndef __libcrux_mlkem768_portable_H
diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h
index c5ed62a6d..1d9e30625 100644
--- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h
+++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h
@@ -4,11 +4,11 @@
 * SPDX-License-Identifier: MIT or Apache-2.0
 *
 * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
 */
 
 #ifndef __libcrux_mlkem768_portable_types_H
diff --git a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h
index c3db3f651..35fa95616 100644
--- a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h
+++ b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h
@@ -4,11 +4,11 @@
 * SPDX-License-Identifier: MIT or Apache-2.0
 *
 * This code was generated with the following revisions:
- * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f
+ * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9
 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c
- * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198
- * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc
- * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13
+ * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd
+ * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty
+ * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770
 */
 
 #ifndef __libcrux_sha3_avx2_H
@@ -33,9 +33,8 @@ static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2_zero_ef(void) {
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__veor5q_u64(__m256i a, __m256i b,
- __m256i c, __m256i d,
- __m256i e) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__veor5q_u64(
+ __m256i a, __m256i b, __m256i c, __m256i d, __m256i e) {
 __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
 __m256i cd = libcrux_intrinsics_avx2_mm256_xor_si256(c, d);
 __m256i abcd = libcrux_intrinsics_avx2_mm256_xor_si256(ab, cd);
@@ -59,14 +58,16 @@ with const generics
 - RIGHT= 63
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_76(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_76(__m256i x) {
 return libcrux_intrinsics_avx2_mm256_xor_si256(
 libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)1, x, __m256i),
 libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)63, x, __m256i));
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vrax1q_u64(__m256i a, __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vrax1q_u64(__m256i a,
+ __m256i b) {
 __m256i uu____0 = a;
 return libcrux_intrinsics_avx2_mm256_xor_si256(
 uu____0, libcrux_sha3_simd_avx2_rotate_left_76(b));
@@ -83,8 +84,9 @@ libcrux_sha3_simd_avx2_rotate_left1_and_xor_ef(__m256i a, __m256i b) {
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vbcaxq_u64(__m256i a, __m256i b,
- __m256i c) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vbcaxq_u64(__m256i a,
+ __m256i b,
+ __m256i c) {
 return libcrux_intrinsics_avx2_mm256_xor_si256(
 a, libcrux_intrinsics_avx2_mm256_andnot_si256(c, b));
 }
@@ -100,8 +102,8 @@ libcrux_sha3_simd_avx2_and_not_xor_ef(__m256i a, __m256i b, __m256i c) {
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__veorq_n_u64(__m256i a,
- uint64_t c) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__veorq_n_u64(__m256i a,
+ uint64_t c) {
 __m256i c0 = libcrux_intrinsics_avx2_mm256_set1_epi64x(
 (int64_t) /* Casting here is required, doesn't change the value. */
 c);
@@ -118,11 +120,6 @@ libcrux_sha3_simd_avx2_xor_constant_ef(__m256i a, uint64_t c) {
 return libcrux_sha3_simd_avx2__veorq_n_u64(a, c);
 }
 
-KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_xor(__m256i a, __m256i b) {
- return libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
-}
-
 /**
 This function found in impl {(libcrux_sha3::traits::internal::KeccakItem<4:
 usize> for core::core_arch::x86::__m256i)}
@@ -130,13 +127,12 @@ usize> for core::core_arch::x86::__m256i)}
 KRML_ATTRIBUTE_TARGET("avx2")
 static KRML_MUSTINLINE __m256i
 libcrux_sha3_simd_avx2_xor_ef(__m256i a, __m256i b) {
- return libcrux_sha3_simd_avx2_xor(a, b);
+ return libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void libcrux_sha3_simd_avx2_slice_4(Eurydice_slice a[4U],
- size_t start, size_t len,
- Eurydice_slice ret[4U]) {
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_slice_4(
+ Eurydice_slice a[4U], size_t start, size_t len, Eurydice_slice ret[4U]) {
 ret[0U] = Eurydice_slice_subslice2(a[0U], start, start + len, uint8_t);
 ret[1U] = Eurydice_slice_subslice2(a[1U], start, start + len, uint8_t);
 ret[2U] = Eurydice_slice_subslice2(a[2U], start, start + len, uint8_t);
@@ -159,7 +155,7 @@ static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_slice_n_ef(
 }
 
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline Eurydice_slice_uint8_t_4size_t__x2
+static KRML_MUSTINLINE Eurydice_slice_uint8_t_4size_t__x2
 libcrux_sha3_simd_avx2_split_at_mut_4(Eurydice_slice out[4U], size_t mid) {
 Eurydice_slice out0 = out[0U];
 Eurydice_slice out1 = out[1U];
@@ -264,7 +260,7 @@ with const generics
 - RATE= 136
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline void libcrux_sha3_simd_avx2_load_block_5b(
+static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_5b(
 __m256i (*s)[5U], Eurydice_slice blocks[4U]) {
 for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) {
 size_t i0 = i;
@@ -410,7 +406,8 @@ with const generics
 - RIGHT= 28
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_02(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_02(__m256i x) {
 return libcrux_intrinsics_avx2_mm256_xor_si256(
 libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)36, x, __m256i),
 libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)28, x, __m256i));
@@ -423,8 +420,8 @@ with const generics
 - RIGHT= 28
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_02(__m256i a,
- __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_02(__m256i a,
+ __m256i b) {
 __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
 return libcrux_sha3_simd_avx2_rotate_left_02(ab);
 }
@@ -452,7 +449,8 @@ with const generics
 - RIGHT= 61
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_ac(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_ac(__m256i x) {
 return libcrux_intrinsics_avx2_mm256_xor_si256(
 libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)3, x, __m256i),
 libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)61, x, __m256i));
@@ -465,8 +463,8 @@ with const generics
 - RIGHT= 61
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_ac(__m256i a,
- __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ac(__m256i a,
+ __m256i b) {
 __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
 return libcrux_sha3_simd_avx2_rotate_left_ac(ab);
 }
@@ -494,7 +492,8 @@ with const generics
 - RIGHT= 23
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_020(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_020(__m256i x) {
 return libcrux_intrinsics_avx2_mm256_xor_si256(
 libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)41, x, __m256i),
 libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)23, x, __m256i));
@@ -507,8 +506,8 @@ with const generics
 - RIGHT= 23
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_020(__m256i a,
- __m256i b) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2__vxarq_u64_020(__m256i a, __m256i b) {
 __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
 return libcrux_sha3_simd_avx2_rotate_left_020(ab);
 }
@@ -536,7 +535,8 @@ with const generics
 - RIGHT= 46
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_a9(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_a9(__m256i x) {
 return libcrux_intrinsics_avx2_mm256_xor_si256(
 libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)18, x, __m256i),
 libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)46, x, __m256i));
@@ -549,8 +549,8 @@ with const generics
 - RIGHT= 46
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_a9(__m256i a,
- __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_a9(__m256i a,
+ __m256i b) {
 __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
 return libcrux_sha3_simd_avx2_rotate_left_a9(ab);
 }
@@ -578,8 +578,8 @@ with const generics
 - RIGHT= 63
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_76(__m256i a,
- __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_76(__m256i a,
+ __m256i b) {
 __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
 return libcrux_sha3_simd_avx2_rotate_left_76(ab);
 }
@@ -607,7 +607,8 @@ with const generics
 - RIGHT= 20
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_58(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_58(__m256i x) {
 return libcrux_intrinsics_avx2_mm256_xor_si256(
 libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)44, x, __m256i),
 libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)20, x, __m256i));
@@ -620,8 +621,8 @@ with const generics
 - RIGHT= 20
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_58(__m256i a,
- __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_58(__m256i a,
+ __m256i b) {
 __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
 return libcrux_sha3_simd_avx2_rotate_left_58(ab);
 }
@@ -649,7 +650,8 @@ with const generics
 - RIGHT= 54
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2_rotate_left_e0(__m256i x) {
+static KRML_MUSTINLINE __m256i
+libcrux_sha3_simd_avx2_rotate_left_e0(__m256i x) {
 return libcrux_intrinsics_avx2_mm256_xor_si256(
 libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)10, x, __m256i),
 libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)54, x, __m256i));
@@ -662,8 +664,8 @@ with const generics
 - RIGHT= 54
 */
 KRML_ATTRIBUTE_TARGET("avx2")
-static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_e0(__m256i a,
- __m256i b) {
+static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_e0(__m256i a,
+ __m256i b) {
 __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b);
 return libcrux_sha3_simd_avx2_rotate_left_e0(ab);
 }
@@ -691,7 +693,8 @@ with const generics - RIGHT= 19 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_63(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_63(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)45, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)19, x, __m256i)); @@ -704,8 +707,8 @@ with const generics - RIGHT= 19 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_63(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_63(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_63(ab); } @@ -733,7 +736,8 @@ with const generics - RIGHT= 62 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_6a(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_6a(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)2, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)62, x, __m256i)); @@ -746,8 +750,8 @@ with const generics - RIGHT= 62 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_6a(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_6a(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_6a(ab); } 
@@ -775,7 +779,8 @@ with const generics - RIGHT= 2 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_ab(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_ab(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)62, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)2, x, __m256i)); @@ -788,8 +793,8 @@ with const generics - RIGHT= 2 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_ab(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ab(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_ab(ab); } @@ -817,7 +822,8 @@ with const generics - RIGHT= 58 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_5b(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_5b(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)6, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)58, x, __m256i)); @@ -830,8 +836,8 @@ with const generics - RIGHT= 58 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_5b(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_5b(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_5b(ab); } 
@@ -859,7 +865,8 @@ with const generics - RIGHT= 21 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_6f(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_6f(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)43, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)21, x, __m256i)); @@ -872,8 +879,8 @@ with const generics - RIGHT= 21 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_6f(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_6f(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_6f(ab); } @@ -901,7 +908,8 @@ with const generics - RIGHT= 49 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_62(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_62(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)15, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)49, x, __m256i)); @@ -914,8 +922,8 @@ with const generics - RIGHT= 49 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_62(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_62(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_62(ab); } 
@@ -943,7 +951,8 @@ with const generics - RIGHT= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_23(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_23(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)61, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)3, x, __m256i)); @@ -956,8 +965,8 @@ with const generics - RIGHT= 3 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_23(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_23(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_23(ab); } @@ -985,7 +994,8 @@ with const generics - RIGHT= 36 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_37(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_37(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)28, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)36, x, __m256i)); @@ -998,8 +1008,8 @@ with const generics - RIGHT= 36 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_37(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_37(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_37(ab); } 
@@ -1027,7 +1037,8 @@ with const generics - RIGHT= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_bb(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_bb(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)55, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)9, x, __m256i)); @@ -1040,8 +1051,8 @@ with const generics - RIGHT= 9 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_bb(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_bb(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_bb(ab); } @@ -1069,7 +1080,8 @@ with const generics - RIGHT= 39 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_b9(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_b9(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)25, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)39, x, __m256i)); @@ -1082,8 +1094,8 @@ with const generics - RIGHT= 39 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_b9(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_b9(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_b9(ab); } 
@@ -1111,7 +1123,8 @@ with const generics - RIGHT= 43 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_54(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_54(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)21, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)43, x, __m256i)); @@ -1124,8 +1137,8 @@ with const generics - RIGHT= 43 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_54(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_54(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_54(ab); } @@ -1153,7 +1166,8 @@ with const generics - RIGHT= 8 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_4c(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_4c(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)56, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)8, x, __m256i)); @@ -1166,8 +1180,8 @@ with const generics - RIGHT= 8 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_4c(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_4c(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_4c(ab); } 
@@ -1195,7 +1209,8 @@ with const generics - RIGHT= 37 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_ce(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_ce(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)27, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)37, x, __m256i)); @@ -1208,8 +1223,8 @@ with const generics - RIGHT= 37 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_ce(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_ce(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_ce(ab); } @@ -1237,7 +1252,8 @@ with const generics - RIGHT= 44 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_77(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_77(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)20, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)44, x, __m256i)); @@ -1250,8 +1266,8 @@ with const generics - RIGHT= 44 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_77(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_77(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_77(ab); } 
@@ -1279,7 +1295,8 @@ with const generics - RIGHT= 25 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_25(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_25(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)39, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)25, x, __m256i)); @@ -1292,8 +1309,8 @@ with const generics - RIGHT= 25 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_25(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_25(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_25(ab); } @@ -1321,7 +1338,8 @@ with const generics - RIGHT= 56 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_af(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_af(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)8, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)56, x, __m256i)); @@ -1334,8 +1352,8 @@ with const generics - RIGHT= 56 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_af(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_af(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_af(ab); } 
@@ -1363,7 +1381,8 @@ with const generics - RIGHT= 50 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2_rotate_left_fd(__m256i x) { +static KRML_MUSTINLINE __m256i +libcrux_sha3_simd_avx2_rotate_left_fd(__m256i x) { return libcrux_intrinsics_avx2_mm256_xor_si256( libcrux_intrinsics_avx2_mm256_slli_epi64((int32_t)14, x, __m256i), libcrux_intrinsics_avx2_mm256_srli_epi64((int32_t)50, x, __m256i)); @@ -1376,8 +1395,8 @@ with const generics - RIGHT= 50 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_sha3_simd_avx2__vxarq_u64_fd(__m256i a, - __m256i b) { +static KRML_MUSTINLINE __m256i libcrux_sha3_simd_avx2__vxarq_u64_fd(__m256i a, + __m256i b) { __m256i ab = libcrux_intrinsics_avx2_mm256_xor_si256(a, b); return libcrux_sha3_simd_avx2_rotate_left_fd(ab); } @@ -1670,7 +1689,7 @@ with const generics - RATE= 136 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_sha3_simd_avx2_store_block_5b( +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_5b( __m256i (*s)[5U], Eurydice_slice out[4U]) { for (size_t i = (size_t)0U; i < (size_t)136U / (size_t)32U; i++) { size_t i0 = i; @@ -2013,7 +2032,7 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_keccak_fb( Perform 4 SHAKE256 operations in parallel */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_sha3_avx2_x4_shake256( +static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_shake256( Eurydice_slice input0, Eurydice_slice input1, Eurydice_slice input2, Eurydice_slice input3, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { @@ -2037,7 +2056,7 @@ typedef libcrux_sha3_generic_keccak_KeccakState_55 Initialise the [`KeccakState`]. */ KRML_ATTRIBUTE_TARGET("avx2") -static inline libcrux_sha3_generic_keccak_KeccakState_55 +static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_55 libcrux_sha3_avx2_x4_incremental_init(void) { return libcrux_sha3_generic_keccak_new_89_a6(); } 
@@ -2048,7 +2067,7 @@ with const generics - RATE= 168 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_sha3_simd_avx2_load_block_3a( +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_load_block_3a( __m256i (*s)[5U], Eurydice_slice blocks[4U]) { for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) { size_t i0 = i; @@ -2239,7 +2258,8 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_fb0( Absorb */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( +static KRML_MUSTINLINE void +libcrux_sha3_avx2_x4_incremental_shake128_absorb_final( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0, Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) { Eurydice_slice buf[4U] = {data0, data1, data2, data3}; @@ -2252,7 +2272,7 @@ with const generics - RATE= 168 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_sha3_simd_avx2_store_block_3a( +static KRML_MUSTINLINE void libcrux_sha3_simd_avx2_store_block_3a( __m256i (*s)[5U], Eurydice_slice out[4U]) { for (size_t i = (size_t)0U; i < (size_t)168U / (size_t)32U; i++) { size_t i0 = i; @@ -2402,7 +2422,8 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_970( Squeeze another block */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( +static KRML_MUSTINLINE void +libcrux_sha3_avx2_x4_incremental_shake128_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { Eurydice_slice buf[4U] = {out0, out1, out2, out3}; 
@@ -2454,7 +2475,7 @@ libcrux_sha3_generic_keccak_squeeze_first_three_blocks_97( Squeeze three blocks */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void +static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { @@ -2508,7 +2529,7 @@ libcrux_sha3_generic_keccak_squeeze_first_five_blocks_97( Squeeze five blocks */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void +static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { @@ -2520,7 +2541,8 @@ libcrux_sha3_avx2_x4_incremental_shake128_squeeze_first_five_blocks( Absorb */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final( +static KRML_MUSTINLINE void +libcrux_sha3_avx2_x4_incremental_shake256_absorb_final( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice data0, Eurydice_slice data1, Eurydice_slice data2, Eurydice_slice data3) { Eurydice_slice buf[4U] = {data0, data1, data2, data3}; @@ -2531,7 +2553,7 @@ static inline void libcrux_sha3_avx2_x4_incremental_shake256_absorb_final( Squeeze block */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void +static KRML_MUSTINLINE void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { 
@@ -2543,7 +2565,8 @@ libcrux_sha3_avx2_x4_incremental_shake256_squeeze_first_block( Squeeze next block */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block( +static KRML_MUSTINLINE void +libcrux_sha3_avx2_x4_incremental_shake256_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_55 *s, Eurydice_slice out0, Eurydice_slice out1, Eurydice_slice out2, Eurydice_slice out3) { Eurydice_slice buf[4U] = {out0, out1, out2, out3}; diff --git a/libcrux-ml-kem/cg/libcrux_sha3_portable.h b/libcrux-ml-kem/cg/libcrux_sha3_portable.h index 65f8d5cb2..b814c2361 100644 --- a/libcrux-ml-kem/cg/libcrux_sha3_portable.h +++ b/libcrux-ml-kem/cg/libcrux_sha3_portable.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f + * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 - * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc - * Libcrux: b6ea994fd158898395679fbace91f4cb000bbe13 + * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd + * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty + * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 */ #ifndef __libcrux_sha3_portable_H @@ -1662,8 +1662,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_96( /** A portable SHA3 512 implementation. */ -static inline void libcrux_sha3_portable_sha512(Eurydice_slice digest, - Eurydice_slice data) { +static KRML_MUSTINLINE void libcrux_sha3_portable_sha512(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_96(buf0, buf); 
@@ -2021,8 +2021,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ad( /** A portable SHA3 256 implementation. */ -static inline void libcrux_sha3_portable_sha256(Eurydice_slice digest, - Eurydice_slice data) { +static KRML_MUSTINLINE void libcrux_sha3_portable_sha256(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_ad(buf0, buf); @@ -2150,8 +2150,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_ad0( /** A portable SHAKE256 implementation. */ -static inline void libcrux_sha3_portable_shake256(Eurydice_slice digest, - Eurydice_slice data) { +static KRML_MUSTINLINE void libcrux_sha3_portable_shake256( + Eurydice_slice digest, Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_ad0(buf0, buf); @@ -2163,7 +2163,7 @@ typedef libcrux_sha3_generic_keccak_KeccakState_17 /** Create a new SHAKE-128 state object. */ -static inline libcrux_sha3_generic_keccak_KeccakState_17 +static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17 libcrux_sha3_portable_incremental_shake128_init(void) { return libcrux_sha3_generic_keccak_new_89_04(); } @@ -2256,7 +2256,8 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_absorb_final_9e2( /** Absorb */ -static inline void libcrux_sha3_portable_incremental_shake128_absorb_final( +static KRML_MUSTINLINE void +libcrux_sha3_portable_incremental_shake128_absorb_final( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data0) { Eurydice_slice buf[1U] = {data0}; libcrux_sha3_generic_keccak_absorb_final_9e2(s, buf); 
@@ -2310,7 +2311,7 @@ static KRML_MUSTINLINE void libcrux_sha3_generic_keccak_squeeze_next_block_c61( /** Squeeze another block */ -static inline void +static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake128_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { Eurydice_slice buf[1U] = {out0}; @@ -2359,7 +2360,7 @@ libcrux_sha3_generic_keccak_squeeze_first_three_blocks_c6( /** Squeeze three blocks */ -static inline void +static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { Eurydice_slice buf[1U] = {out0}; @@ -2756,8 +2757,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_1e( /** A portable SHA3 224 implementation. */ -static inline void libcrux_sha3_portable_sha224(Eurydice_slice digest, - Eurydice_slice data) { +static KRML_MUSTINLINE void libcrux_sha3_portable_sha224(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_1e(buf0, buf); @@ -3115,8 +3116,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_7c( /** A portable SHA3 384 implementation. */ -static inline void libcrux_sha3_portable_sha384(Eurydice_slice digest, - Eurydice_slice data) { +static KRML_MUSTINLINE void libcrux_sha3_portable_sha384(Eurydice_slice digest, + Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_7c(buf0, buf); 
@@ -3128,15 +3129,16 @@ static inline void libcrux_sha3_portable_sha384(Eurydice_slice digest, Preconditions: - `digest.len() == 28` */ -static inline void libcrux_sha3_sha224_ema(Eurydice_slice digest, - Eurydice_slice payload) { +static KRML_MUSTINLINE void libcrux_sha3_sha224_ema(Eurydice_slice digest, + Eurydice_slice payload) { libcrux_sha3_portable_sha224(digest, payload); } /** SHA3 224 */ -static inline void libcrux_sha3_sha224(Eurydice_slice data, uint8_t ret[28U]) { +static KRML_MUSTINLINE void libcrux_sha3_sha224(Eurydice_slice data, + uint8_t ret[28U]) { uint8_t out[28U] = {0U}; libcrux_sha3_sha224_ema(Eurydice_array_to_slice((size_t)28U, out, uint8_t), data); @@ -3146,15 +3148,16 @@ static inline void libcrux_sha3_sha224(Eurydice_slice data, uint8_t ret[28U]) { /** SHA3 256 */ -static inline void libcrux_sha3_sha256_ema(Eurydice_slice digest, - Eurydice_slice payload) { +static KRML_MUSTINLINE void libcrux_sha3_sha256_ema(Eurydice_slice digest, + Eurydice_slice payload) { libcrux_sha3_portable_sha256(digest, payload); } /** SHA3 256 */ -static inline void libcrux_sha3_sha256(Eurydice_slice data, uint8_t ret[32U]) { +static KRML_MUSTINLINE void libcrux_sha3_sha256(Eurydice_slice data, + uint8_t ret[32U]) { uint8_t out[32U] = {0U}; libcrux_sha3_sha256_ema(Eurydice_array_to_slice((size_t)32U, out, uint8_t), data); 
@@ -3164,15 +3167,16 @@ static inline void libcrux_sha3_sha256(Eurydice_slice data, uint8_t ret[32U]) { /** SHA3 384 */ -static inline void libcrux_sha3_sha384_ema(Eurydice_slice digest, - Eurydice_slice payload) { +static KRML_MUSTINLINE void libcrux_sha3_sha384_ema(Eurydice_slice digest, + Eurydice_slice payload) { libcrux_sha3_portable_sha384(digest, payload); } /** SHA3 384 */ -static inline void libcrux_sha3_sha384(Eurydice_slice data, uint8_t ret[48U]) { +static KRML_MUSTINLINE void libcrux_sha3_sha384(Eurydice_slice data, + uint8_t ret[48U]) { uint8_t out[48U] = {0U}; libcrux_sha3_sha384_ema(Eurydice_array_to_slice((size_t)48U, out, uint8_t), data); @@ -3182,15 +3186,16 @@ static inline void libcrux_sha3_sha384(Eurydice_slice data, uint8_t ret[48U]) { /** SHA3 512 */ -static inline void libcrux_sha3_sha512_ema(Eurydice_slice digest, - Eurydice_slice payload) { +static KRML_MUSTINLINE void libcrux_sha3_sha512_ema(Eurydice_slice digest, + Eurydice_slice payload) { libcrux_sha3_portable_sha512(digest, payload); } /** SHA3 512 */ -static inline void libcrux_sha3_sha512(Eurydice_slice data, uint8_t ret[64U]) { +static KRML_MUSTINLINE void libcrux_sha3_sha512(Eurydice_slice data, + uint8_t ret[64U]) { uint8_t out[64U] = {0U}; libcrux_sha3_sha512_ema(Eurydice_array_to_slice((size_t)64U, out, uint8_t), data); @@ -3407,8 +3412,8 @@ static KRML_MUSTINLINE void libcrux_sha3_portable_keccakx1_c6( /** A portable SHAKE128 implementation. */ -static inline void libcrux_sha3_portable_shake128(Eurydice_slice digest, - Eurydice_slice data) { +static KRML_MUSTINLINE void libcrux_sha3_portable_shake128( + Eurydice_slice digest, Eurydice_slice data) { Eurydice_slice buf0[1U] = {data}; Eurydice_slice buf[1U] = {digest}; libcrux_sha3_portable_keccakx1_c6(buf0, buf); 
@@ -3419,8 +3424,8 @@ static inline void libcrux_sha3_portable_shake128(Eurydice_slice digest, Writes `out.len()` bytes. */ -static inline void libcrux_sha3_shake128_ema(Eurydice_slice out, - Eurydice_slice data) { +static KRML_MUSTINLINE void libcrux_sha3_shake128_ema(Eurydice_slice out, + Eurydice_slice data) { libcrux_sha3_portable_shake128(out, data); } @@ -3429,8 +3434,8 @@ static inline void libcrux_sha3_shake128_ema(Eurydice_slice out, Writes `out.len()` bytes. */ -static inline void libcrux_sha3_shake256_ema(Eurydice_slice out, - Eurydice_slice data) { +static KRML_MUSTINLINE void libcrux_sha3_shake256_ema(Eurydice_slice out, + Eurydice_slice data) { libcrux_sha3_portable_shake256(out, data); } @@ -3451,8 +3456,8 @@ static const size_t libcrux_sha3_generic_keccak__ROTC[24U] = { /** A portable SHA3 224 implementation. */ -static inline void libcrux_sha3_neon_sha224(Eurydice_slice digest, - Eurydice_slice data) { +static KRML_MUSTINLINE void libcrux_sha3_neon_sha224(Eurydice_slice digest, + Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); KRML_HOST_EXIT(255U); @@ -3461,8 +3466,8 @@ static inline void libcrux_sha3_neon_sha224(Eurydice_slice digest, /** A portable SHA3 256 implementation. */ -static inline void libcrux_sha3_neon_sha256(Eurydice_slice digest, - Eurydice_slice data) { +static KRML_MUSTINLINE void libcrux_sha3_neon_sha256(Eurydice_slice digest, + Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); KRML_HOST_EXIT(255U); @@ -3471,8 +3476,8 @@ static inline void libcrux_sha3_neon_sha256(Eurydice_slice digest, /** A portable SHA3 384 implementation. */ -static inline void libcrux_sha3_neon_sha384(Eurydice_slice digest, - Eurydice_slice data) { +static KRML_MUSTINLINE void libcrux_sha3_neon_sha384(Eurydice_slice digest, + Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); KRML_HOST_EXIT(255U); 
@@ -3481,8 +3486,8 @@ static inline void libcrux_sha3_neon_sha384(Eurydice_slice digest, /** A portable SHA3 512 implementation. */ -static inline void libcrux_sha3_neon_sha512(Eurydice_slice digest, - Eurydice_slice data) { +static KRML_MUSTINLINE void libcrux_sha3_neon_sha512(Eurydice_slice digest, + Eurydice_slice data) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); KRML_HOST_EXIT(255U); @@ -3493,10 +3498,10 @@ static inline void libcrux_sha3_neon_sha512(Eurydice_slice digest, Writes the two results into `out0` and `out1` */ -static inline void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, - Eurydice_slice input1, - Eurydice_slice out0, - Eurydice_slice out1) { +static KRML_MUSTINLINE void libcrux_sha3_neon_x2_shake256(Eurydice_slice input0, + Eurydice_slice input1, + Eurydice_slice out0, + Eurydice_slice out1) { /* TODO: make argument ordering consistent */ KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, "panic!"); @@ -3510,7 +3515,7 @@ typedef struct libcrux_sha3_neon_x2_incremental_KeccakState_s { /** Initialise the `KeccakState2`. */ -static inline libcrux_sha3_neon_x2_incremental_KeccakState +static KRML_MUSTINLINE libcrux_sha3_neon_x2_incremental_KeccakState libcrux_sha3_neon_x2_incremental_init(void) { /* XXX: These functions could alternatively implement the same with the * portable implementation { let s0 = KeccakState::new(); let s1 = @@ -3523,7 +3528,8 @@ libcrux_sha3_neon_x2_incremental_init(void) { /** Shake128 absorb `data0` and `data1` in the [`KeccakState`] `s`. */ -static inline void libcrux_sha3_neon_x2_incremental_shake128_absorb_final( +static KRML_MUSTINLINE void +libcrux_sha3_neon_x2_incremental_shake128_absorb_final( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0, Eurydice_slice data1) { /* XXX: These functions could alternatively implement the same with the 
@@ -3539,7 +3545,7 @@ static inline void libcrux_sha3_neon_x2_incremental_shake128_absorb_final( Squeeze 2 times the first three blocks in parallel in the [`KeccakState`] and return the output in `out0` and `out1`. */ -static inline void +static KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { @@ -3556,7 +3562,8 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_three_blocks( Squeeze 2 times the next block in parallel in the [`KeccakState`] and return the output in `out0` and `out1`. */ -static inline void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( +static KRML_MUSTINLINE void +libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { /* XXX: These functions could alternatively implement the same with the @@ -3571,7 +3578,7 @@ static inline void libcrux_sha3_neon_x2_incremental_shake128_squeeze_next_block( /** Squeeze five blocks */ -static inline void +static KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { @@ -3583,7 +3590,8 @@ libcrux_sha3_neon_x2_incremental_shake128_squeeze_first_five_blocks( /** Shake256 absorb `data0` and `data1` in the [`KeccakState`] `s`. */ -static inline void libcrux_sha3_neon_x2_incremental_shake256_absorb_final( +static KRML_MUSTINLINE void +libcrux_sha3_neon_x2_incremental_shake256_absorb_final( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice data0, Eurydice_slice data1) { /* XXX: These functions could alternatively implement the same with the 
@@ -3598,7 +3606,7 @@ static inline void libcrux_sha3_neon_x2_incremental_shake256_absorb_final( /** Squeeze block */ -static inline void +static KRML_MUSTINLINE void libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { @@ -3610,7 +3618,8 @@ libcrux_sha3_neon_x2_incremental_shake256_squeeze_first_block( /** Squeeze next block */ -static inline void libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block( +static KRML_MUSTINLINE void +libcrux_sha3_neon_x2_incremental_shake256_squeeze_next_block( libcrux_sha3_neon_x2_incremental_KeccakState *s, Eurydice_slice out0, Eurydice_slice out1) { KRML_HOST_EPRINTF("KaRaMeL abort at %s:%d\n%s\n", __FILE__, __LINE__, @@ -3662,7 +3671,7 @@ libcrux_sha3_generic_keccak_squeeze_first_five_blocks_c6( /** Squeeze five blocks */ -static inline void +static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out0) { Eurydice_slice buf[1U] = {out0}; @@ -3672,7 +3681,8 @@ libcrux_sha3_portable_incremental_shake128_squeeze_first_five_blocks( /** Absorb some data for SHAKE-256 for the last time */ -static inline void libcrux_sha3_portable_incremental_shake256_absorb_final( +static KRML_MUSTINLINE void +libcrux_sha3_portable_incremental_shake256_absorb_final( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice data) { Eurydice_slice buf[1U] = {data}; libcrux_sha3_generic_keccak_absorb_final_9e1(s, buf); @@ -3681,7 +3691,7 @@ static inline void libcrux_sha3_portable_incremental_shake256_absorb_final( /** Create a new SHAKE-256 state object. */ -static inline libcrux_sha3_generic_keccak_KeccakState_17 +static KRML_MUSTINLINE libcrux_sha3_generic_keccak_KeccakState_17 libcrux_sha3_portable_incremental_shake256_init(void) { return libcrux_sha3_generic_keccak_new_89_04(); } 
@@ -3689,7 +3699,7 @@ libcrux_sha3_portable_incremental_shake256_init(void) { /** Squeeze the first SHAKE-256 block */ -static inline void +static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake256_squeeze_first_block( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) { Eurydice_slice buf[1U] = {out}; @@ -3699,7 +3709,7 @@ libcrux_sha3_portable_incremental_shake256_squeeze_first_block( /** Squeeze the next SHAKE-256 block */ -static inline void +static KRML_MUSTINLINE void libcrux_sha3_portable_incremental_shake256_squeeze_next_block( libcrux_sha3_generic_keccak_KeccakState_17 *s, Eurydice_slice out) { Eurydice_slice buf[1U] = {out}; From ff302d3e4c2b3f9f153bdfe6ebaaee318d978aae Mon Sep 17 00:00:00 2001 
From: Karthikeyan Bhargavan Date: Fri, 8 Nov 2024 14:44:57 +0100 Subject: [PATCH 73/74] fixed lax --- .../Libcrux_intrinsics.Arm64_extract.fsti | 2 +- .../Libcrux_intrinsics.Avx2_extract.fst | 1214 ++++++++++ .../Libcrux_intrinsics.Avx2_extract.fsti | 2 +- .../proofs/fstar/extraction/Makefile | 1 + .../Libcrux_ml_kem.Constant_time_ops.fst | 165 +- .../Libcrux_ml_kem.Constant_time_ops.fsti | 44 +- .../extraction/Libcrux_ml_kem.Constants.fsti | 2 +- .../Libcrux_ml_kem.Hash_functions.Avx2.fsti | 70 +- .../Libcrux_ml_kem.Hash_functions.Neon.fsti | 70 +- ...ibcrux_ml_kem.Hash_functions.Portable.fsti | 70 +- .../Libcrux_ml_kem.Hash_functions.fsti | 48 +- ...m.Ind_cca.Instantiations.Avx2.Unpacked.fst | 142 +- ....Ind_cca.Instantiations.Avx2.Unpacked.fsti | 77 +- ...rux_ml_kem.Ind_cca.Instantiations.Avx2.fst | 2 +- ...ux_ml_kem.Ind_cca.Instantiations.Avx2.fsti | 2 +- ...m.Ind_cca.Instantiations.Neon.Unpacked.fst | 80 +- ....Ind_cca.Instantiations.Neon.Unpacked.fsti | 49 +- ...rux_ml_kem.Ind_cca.Instantiations.Neon.fst | 12 +- ...ux_ml_kem.Ind_cca.Instantiations.Neon.fsti | 43 +- ...d_cca.Instantiations.Portable.Unpacked.fst | 34 +- ..._cca.Instantiations.Portable.Unpacked.fsti | 27 +- ...ml_kem.Ind_cca.Instantiations.Portable.fst | 32 +- ...l_kem.Ind_cca.Instantiations.Portable.fsti | 65 +- .../Libcrux_ml_kem.Ind_cca.Multiplexing.fst | 18 +- .../Libcrux_ml_kem.Ind_cca.Multiplexing.fsti | 56 +- .../Libcrux_ml_kem.Ind_cca.Unpacked.fst | 9 +- .../Libcrux_ml_kem.Ind_cca.Unpacked.fsti | 2 +- .../extraction/Libcrux_ml_kem.Ind_cca.fst | 99 +- .../extraction/Libcrux_ml_kem.Ind_cca.fsti | 29 +- .../Libcrux_ml_kem.Ind_cpa.Unpacked.fsti | 8 +- .../extraction/Libcrux_ml_kem.Ind_cpa.fst | 301 +-- .../extraction/Libcrux_ml_kem.Ind_cpa.fsti | 154 +- .../extraction/Libcrux_ml_kem.Invert_ntt.fst | 130 +- .../extraction/Libcrux_ml_kem.Invert_ntt.fsti | 67 +- .../extraction/Libcrux_ml_kem.Matrix.fst | 50 +- .../extraction/Libcrux_ml_kem.Matrix.fsti | 67 +- 
...Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst | 81 +- ...ibcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti | 75 +- .../Libcrux_ml_kem.Mlkem1024.Avx2.fst | 2 +- .../Libcrux_ml_kem.Mlkem1024.Avx2.fsti | 2 +- ...Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst | 81 +- ...ibcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti | 83 +- .../Libcrux_ml_kem.Mlkem1024.Neon.fst | 2 +- .../Libcrux_ml_kem.Mlkem1024.Neon.fsti | 2 +- ...rux_ml_kem.Mlkem1024.Portable.Unpacked.fst | 63 +- ...ux_ml_kem.Mlkem1024.Portable.Unpacked.fsti | 57 +- .../Libcrux_ml_kem.Mlkem1024.Portable.fst | 14 +- .../Libcrux_ml_kem.Mlkem1024.Portable.fsti | 12 +- .../extraction/Libcrux_ml_kem.Mlkem1024.fst | 40 +- .../extraction/Libcrux_ml_kem.Mlkem1024.fsti | 29 +- .../Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst | 79 +- ...Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti | 73 +- .../Libcrux_ml_kem.Mlkem512.Avx2.fst | 2 +- .../Libcrux_ml_kem.Mlkem512.Avx2.fsti | 2 +- .../Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst | 79 +- ...Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti | 81 +- .../Libcrux_ml_kem.Mlkem512.Neon.fst | 2 +- .../Libcrux_ml_kem.Mlkem512.Neon.fsti | 2 +- ...crux_ml_kem.Mlkem512.Portable.Unpacked.fst | 69 +- ...rux_ml_kem.Mlkem512.Portable.Unpacked.fsti | 57 +- .../Libcrux_ml_kem.Mlkem512.Portable.fst | 14 +- .../Libcrux_ml_kem.Mlkem512.Portable.fsti | 12 +- .../extraction/Libcrux_ml_kem.Mlkem512.fst | 40 +- .../extraction/Libcrux_ml_kem.Mlkem512.fsti | 88 +- .../Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst | 105 +- ...Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti | 83 +- .../Libcrux_ml_kem.Mlkem768.Avx2.fst | 2 +- .../Libcrux_ml_kem.Mlkem768.Avx2.fsti | 2 +- .../Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst | 105 +- ...Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti | 87 +- .../Libcrux_ml_kem.Mlkem768.Neon.fst | 2 +- .../Libcrux_ml_kem.Mlkem768.Neon.fsti | 2 +- ...crux_ml_kem.Mlkem768.Portable.Unpacked.fst | 129 +- ...rux_ml_kem.Mlkem768.Portable.Unpacked.fsti | 99 +- .../Libcrux_ml_kem.Mlkem768.Portable.fst | 14 +- 
.../Libcrux_ml_kem.Mlkem768.Portable.fsti | 12 +- .../extraction/Libcrux_ml_kem.Mlkem768.fst | 40 +- .../extraction/Libcrux_ml_kem.Mlkem768.fsti | 29 +- .../fstar/extraction/Libcrux_ml_kem.Ntt.fst | 180 +- .../fstar/extraction/Libcrux_ml_kem.Ntt.fsti | 113 +- .../extraction/Libcrux_ml_kem.Polynomial.fst | 56 +- .../extraction/Libcrux_ml_kem.Polynomial.fsti | 53 +- .../extraction/Libcrux_ml_kem.Sampling.fst | 62 +- .../extraction/Libcrux_ml_kem.Sampling.fsti | 2 +- .../extraction/Libcrux_ml_kem.Serialize.fst | 283 +-- .../extraction/Libcrux_ml_kem.Serialize.fsti | 100 +- .../fstar/extraction/Libcrux_ml_kem.Types.fst | 32 +- .../extraction/Libcrux_ml_kem.Types.fsti | 90 +- .../fstar/extraction/Libcrux_ml_kem.Utils.fst | 19 +- .../extraction/Libcrux_ml_kem.Utils.fsti | 8 +- .../extraction/Libcrux_ml_kem.Variant.fsti | 38 +- .../Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst | 441 +--- ...Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti | 137 +- .../Libcrux_ml_kem.Vector.Avx2.Compress.fst | 148 +- .../Libcrux_ml_kem.Vector.Avx2.Compress.fsti | 26 +- .../Libcrux_ml_kem.Vector.Avx2.Ntt.fst | 234 +- .../Libcrux_ml_kem.Vector.Avx2.Ntt.fsti | 65 +- .../Libcrux_ml_kem.Vector.Avx2.Sampling.fst | 39 +- .../Libcrux_ml_kem.Vector.Avx2.Sampling.fsti | 11 +- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fst | 714 +++--- .../Libcrux_ml_kem.Vector.Avx2.Serialize.fsti | 239 +- .../extraction/Libcrux_ml_kem.Vector.Avx2.fst | 30 +- .../Libcrux_ml_kem.Vector.Avx2.fsti | 71 +- .../Libcrux_ml_kem.Vector.Neon.Arithmetic.fst | 2 +- ...Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti | 2 +- .../Libcrux_ml_kem.Vector.Neon.Compress.fst | 2 +- .../Libcrux_ml_kem.Vector.Neon.Compress.fsti | 2 +- .../Libcrux_ml_kem.Vector.Neon.Ntt.fst | 2 +- .../Libcrux_ml_kem.Vector.Neon.Ntt.fsti | 2 +- .../Libcrux_ml_kem.Vector.Neon.Serialize.fst | 312 +-- .../Libcrux_ml_kem.Vector.Neon.Serialize.fsti | 26 +- ...Libcrux_ml_kem.Vector.Neon.Vector_type.fst | 72 +- ...ibcrux_ml_kem.Vector.Neon.Vector_type.fsti | 26 +- 
.../extraction/Libcrux_ml_kem.Vector.Neon.fst | 3 +- .../Libcrux_ml_kem.Vector.Neon.fsti | 34 +- ...crux_ml_kem.Vector.Portable.Arithmetic.fst | 580 ++--- ...rux_ml_kem.Vector.Portable.Arithmetic.fsti | 162 +- ...ibcrux_ml_kem.Vector.Portable.Compress.fst | 158 +- ...bcrux_ml_kem.Vector.Portable.Compress.fsti | 15 +- .../Libcrux_ml_kem.Vector.Portable.Ntt.fst | 600 ++--- .../Libcrux_ml_kem.Vector.Portable.Ntt.fsti | 169 +- ...ibcrux_ml_kem.Vector.Portable.Sampling.fst | 6 +- ...bcrux_ml_kem.Vector.Portable.Sampling.fsti | 11 +- ...bcrux_ml_kem.Vector.Portable.Serialize.fst | 2154 ++++++++++++----- ...crux_ml_kem.Vector.Portable.Serialize.fsti | 116 +- ...rux_ml_kem.Vector.Portable.Vector_type.fst | 2 +- ...ux_ml_kem.Vector.Portable.Vector_type.fsti | 24 +- .../Libcrux_ml_kem.Vector.Portable.fsti | 354 +-- ...ibcrux_ml_kem.Vector.Rej_sample_table.fsti | 2 +- .../Libcrux_ml_kem.Vector.Traits.fst | 2 +- .../Libcrux_ml_kem.Vector.Traits.fsti | 335 +-- .../proofs/fstar/extraction/Makefile | 3 +- libcrux-ml-kem/src/ind_cca.rs | 8 +- libcrux-ml-kem/src/serialize.rs | 6 +- libcrux-ml-kem/src/vector/avx2.rs | 1 + .../extraction/Libcrux_platform.Platform.fsti | 2 +- 136 files changed, 6330 insertions(+), 7153 deletions(-) create mode 100644 libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst create mode 100644 libcrux-intrinsics/proofs/fstar/extraction/Makefile
diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti
index d4014e6a8..a03c287ec 100644
--- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti
+++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Arm64_extract.fsti
@@ -1,5 +1,5 @@
 module Libcrux_intrinsics.Arm64_extract
-#set-options "--fuel 0 --ifuel 1 --z3rlimit 80"
+#set-options "--fuel 0 --ifuel 1 --z3rlimit 15"
 open Core
 open FStar.Mul
diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst
new file mode 100644
index 000000000..167d0b324
--- /dev/null
+++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fst
@@ -0,0 +1,1214 @@ +module Libcrux_intrinsics.Avx2_extract +#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" +open Core +open FStar.Mul + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 3091; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! 
\027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 3091; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 3091; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 3091; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 
}; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm256_and_si256"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 3580; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = 
[]} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 3580; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 3580; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 3580; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { 
Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm256_castsi128_si256"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 3681; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 
0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 3681; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 3681; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 3681; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col 
= 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm256_extracti128_si256"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. 
Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 2293; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! 
\027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 2293; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 2293; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 2293; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 
}; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm256_madd_epi16"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 2613; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = 
[]} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 2613; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 2613; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 2613; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { 
Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm256_mullo_epi16"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 3439; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 
}; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 3439; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 3439; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 3439; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 
14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm256_slli_epi16"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. 
Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 3378; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! 
\027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 3378; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 3378; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 3378; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 
}; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm256_srli_epi16"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 3719; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = 
[]} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 3719; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 3719; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 3719; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { 
Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm_movemask_epi8"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 3630; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; 
+ { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! \027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 3630; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 3630; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 3630; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; 
line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm_packs_epi16"); disambiguator = 0 + } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) + +(* item error backend: (TransformHaxLibInline) Fatal error: something we considered as impossible occurred! Please report this by submitting an issue on GitHub! +Details: Malformed `Quote` item: `quote_of_expr` failed. 
Expression was: +{ Ast.Make.e = + Ast.Make.App { + f = + { Ast.Make.e = + (Ast.Make.GlobalVar + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "failure"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value })); + span = + { Span.id = 1423; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + (Ast.Make.TArrow ([Ast.Make.TStr; Ast.Make.TStr], + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + )) + }; + args = + [{ Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "(AST import) Fatal error: something we considered as impossible occurred! 
\027[1mPlease report this by submitting an issue on GitHub!\027[0m\nDetails: [import_thir:literal] got an error literal: this means the Rust compiler or Hax's frontend probably reported errors above.")); + span = + { Span.id = 1423; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr }; + { Ast.Make.e = + (Ast.Make.Literal + (Ast.String + "{ Types.attributes = [];\n contents =\n Types.Literal {\n lit =\n { Types.node =\n (Types.Err Types.ErrorGuaranteed {todo = \"ErrorGuaranteed(())\"});\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/lib.rs\"));\n hi = { Types.col = \"0\"; line = \"1\" };\n lo = { Types.col = \"0\"; line = \"1\" } }\n };\n neg = false};\n hir_id = None;\n span =\n { Types.filename =\n (Types.Real (Types.LocalPath \"libcrux-intrinsics/src/avx2_extract.rs\"));\n hi = { Types.col = \"14\"; line = \"50\" };\n lo = { Types.col = \"12\"; line = \"39\" } };\n ty = Types.Never }")); + span = + { Span.id = 1423; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath + "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = Ast.Make.TStr } + ]; + generic_args = []; bounds_impls = []; trait = None}; + span = + { Span.id = 1423; + data = + [{ Span.Imported.filename = + (Span.Imported.Real + (Span.Imported.LocalPath "libcrux-intrinsics/src/avx2_extract.rs")); + hi = { Span.Imported.col = 14; line = 50 }; + lo = { Span.Imported.col = 12; line = 39 } } + ] + }; + typ = + Ast.Make.TApp { + ident = + `Concrete ({ Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "rust_primitives"; + path = + [{ Concrete_ident.Imported.data = (Concrete_ident.Imported.TypeNs "hax"); + disambiguator = 0 
}; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "Never"); disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Type }); + args = []} + } + +Last AST: +/** print_rust: pitem: not implemented (item: { Concrete_ident.T.def_id = + { Concrete_ident.Imported.krate = "libcrux_intrinsics"; + path = + [{ Concrete_ident.Imported.data = + (Concrete_ident.Imported.TypeNs "avx2_extract"); disambiguator = 0 }; + { Concrete_ident.Imported.data = + (Concrete_ident.Imported.ValueNs "mm_storeu_bytes_si128"); + disambiguator = 0 } + ] + }; + kind = Concrete_ident.Kind.Value }) */ +const _: () = (); + *) diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti index 8e2571881..5ac496e48 100644 --- a/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti +++ b/libcrux-intrinsics/proofs/fstar/extraction/Libcrux_intrinsics.Avx2_extract.fsti @@ -1,5 +1,5 @@ module Libcrux_intrinsics.Avx2_extract -#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-intrinsics/proofs/fstar/extraction/Makefile b/libcrux-intrinsics/proofs/fstar/extraction/Makefile new file mode 100644 index 000000000..b4ce70a38 --- /dev/null +++ b/libcrux-intrinsics/proofs/fstar/extraction/Makefile @@ -0,0 +1 @@ +include $(shell git rev-parse --show-toplevel)/fstar-helpers/Makefile.base diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst index 1bff53934..018593ecd 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fst 
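Review bot: The new `libcrux-intrinsics/proofs/fstar/extraction/Makefile` resolves its only include through `$(shell git rev-parse --show-toplevel)`, so outside a git work tree (a source tarball, a `git archive` export, a vendored copy) the variable expands to empty and make fails trying to read `/fstar-helpers/Makefile.base` with an unhelpful error. If the sibling extraction directories already use the same one-liner this is consistent with them and only worth a comment; otherwise an include relative to the Makefile's own directory (e.g. via `$(dir $(lastword $(MAKEFILE_LIST)))../../../../fstar-helpers/Makefile.base`) removes the dependency on git being present.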
@@ -1,46 +1,15 @@ module Libcrux_ml_kem.Constant_time_ops -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let inz (value: u8) = - let v__orig_value:u8 = value in let value:u16 = cast (value <: u8) <: u16 in - let result:u8 = - cast ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) >>! 8l <: u16) <: u8 + let result:u16 = + ((value |. (Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) <: u16) >>! 8l <: u16) &. + 1us in - let res:u8 = result &. 1uy in - let _:Prims.unit = - if v v__orig_value = 0 - then - (assert (value == zero); - lognot_lemma value; - assert ((~.value +. 1us) == zero); - assert ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) == zero); - logor_lemma value zero; - assert ((value |. (Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) <: u16) == - value); - assert (v result == v ((value >>! 8l))); - assert ((v value / pow2 8) == 0); - assert (result == 0uy); - logand_lemma 1uy result; - assert (res == 0uy)) - else - (assert (v value <> 0); - lognot_lemma value; - assert (v (~.value) = pow2 16 - 1 - v value); - assert (v (~.value) + 1 = pow2 16 - v value); - assert (v (value) <= pow2 8 - 1); - assert ((v (~.value) + 1) = (pow2 16 - pow2 8) + (pow2 8 - v value)); - assert ((v (~.value) + 1) = (pow2 8 - 1) * pow2 8 + (pow2 8 - v value)); - assert ((v (~.value) + 1) / pow2 8 = (pow2 8 - 1)); - assert (v ((Core.Num.impl__u16__wrapping_add (~.value <: u16) 1us <: u16) >>! 8l) = - pow2 8 - 1); - assert (result = ones); - logand_lemma 1uy result; - assert (res = 1uy)) - in - res + cast (result <: u16) <: u8 let is_non_zero (value: u8) = Core.Hint.black_box #u8 (inz value <: u8) 
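Review bot: The rewritten `inz` keeps the constant-time arithmetic but drops the case-split proof that its result is exactly `0uy` or `1uy`, and nothing re-establishes that fact: the `Constant_time_ops.fsti` hunks replace the `ensures` on `inz`, `is_non_zero`, `compare`, `compare_ciphertexts_in_constant_time`, `select_ct`, `select_shared_secret_in_constant_time` and `compare_ciphertexts_select_shared_secret_in_constant_time` with `(fun _ -> Prims.l_True)`, and the `compare`/`select_ct` hunk replaces both fold invariants with `true`. `select_ct` builds its mask as `Core.Num.impl__u8__wrapping_sub (is_non_zero selector <: u8) 1uy`, which is all-ones or all-zeros only when `is_non_zero` is 0/1-valued, so after this change F* no longer checks the property the ciphertext-comparison and shared-secret-selection path relies on; the `--z3rlimit` drop from 80/100 to 15 across these files is consistent with no obligations remaining. These look like hax-regenerated files (the same series also drops the `Spec.Utils.v_G`/`v_H`/`v_PRF` equalities in `Hash_functions.Avx2.fsti`), so the fix presumably is to restore the `hax_lib` `ensures`/loop-invariant annotations on the Rust side and re-extract rather than hand-edit here; until then a `(* TODO: functional postconditions temporarily removed; restore before merging *)` next to each weakened `val` would mark the regression for the next reader.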
@@ -49,143 +18,43 @@ let compare (lhs rhs: t_Slice u8) = let r:u8 = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #u8 lhs <: usize) - (fun r i -> + (fun r temp_1_ -> let r:u8 = r in - let i:usize = i in - v i <= Seq.length lhs /\ - (if (Seq.slice lhs 0 (v i) = Seq.slice rhs 0 (v i)) then r == 0uy else ~(r == 0uy))) + let _:usize = temp_1_ in + true) r (fun r i -> let r:u8 = r in let i:usize = i in - let nr:u8 = r |. ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) in - let _:Prims.unit = - if r =. 0uy - then - (if (Seq.index lhs (v i) = Seq.index rhs (v i)) - then - (logxor_lemma (Seq.index lhs (v i)) (Seq.index rhs (v i)); - assert (((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) = zero); - logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8); - assert (nr = r); - assert (forall j. Seq.index (Seq.slice lhs 0 (v i)) j == Seq.index lhs j); - assert (forall j. Seq.index (Seq.slice rhs 0 (v i)) j == Seq.index rhs j); - eq_intro (Seq.slice lhs 0 ((v i) + 1)) (Seq.slice rhs 0 ((v i) + 1))) - else - (logxor_lemma (Seq.index lhs (v i)) (Seq.index rhs (v i)); - assert (((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8) <> zero); - logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8); - assert (v nr > 0); - assert (Seq.index (Seq.slice lhs 0 ((v i) + 1)) (v i) <> - Seq.index (Seq.slice rhs 0 ((v i) + 1)) (v i)); - assert (Seq.slice lhs 0 ((v i) + 1) <> Seq.slice rhs 0 ((v i) + 1)))) - else - (logor_lemma r ((lhs.[ i ] <: u8) ^. (rhs.[ i ] <: u8) <: u8); - assert (v nr >= v r); - assert (Seq.slice lhs 0 (v i) <> Seq.slice rhs 0 (v i)); - if (Seq.slice lhs 0 ((v i) + 1) = Seq.slice rhs 0 ((v i) + 1)) - then - (assert (forall j. - j < (v i) + 1 ==> - Seq.index (Seq.slice lhs 0 ((v i) + 1)) j == - Seq.index (Seq.slice rhs 0 ((v i) + 1)) j); - eq_intro (Seq.slice lhs 0 (v i)) (Seq.slice rhs 0 (v i)); - assert (False))) - in - let r:u8 = nr in - r) + r |. ((lhs.[ i ] <: u8) ^. 
(rhs.[ i ] <: u8) <: u8) <: u8) in is_non_zero r let compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) = Core.Hint.black_box #u8 (compare lhs rhs <: u8) -#push-options "--ifuel 0 --z3rlimit 50" - let select_ct (lhs rhs: t_Slice u8) (selector: u8) = let mask:u8 = Core.Num.impl__u8__wrapping_sub (is_non_zero selector <: u8) 1uy in - let _:Prims.unit = - assert (if selector = 0uy then mask = ones else mask = zero); - lognot_lemma mask; - assert (if selector = 0uy then ~.mask = zero else ~.mask = ones) - in let out:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in let out:t_Array u8 (sz 32) = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE - (fun out i -> + (fun out temp_1_ -> let out:t_Array u8 (sz 32) = out in - let i:usize = i in - v i <= v Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE /\ - (forall j. - j < v i ==> - (if (selector =. 0uy) - then Seq.index out j == Seq.index lhs j - else Seq.index out j == Seq.index rhs j)) /\ - (forall j. j >= v i ==> Seq.index out j == 0uy)) + let _:usize = temp_1_ in + true) out (fun out i -> let out:t_Array u8 (sz 32) = out in let i:usize = i in - let _:Prims.unit = assert ((out.[ i ] <: u8) = 0uy) in - let outi:u8 = - ((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) - in - let _:Prims.unit = - if (selector = 0uy) - then - (logand_lemma (lhs.[ i ] <: u8) mask; - assert (((lhs.[ i ] <: u8) &. mask <: u8) == (lhs.[ i ] <: u8)); - logand_lemma (rhs.[ i ] <: u8) (~.mask); - assert (((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) == zero); - logor_lemma ((lhs.[ i ] <: u8) &. mask <: u8) - ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8); - assert ((((lhs.[ i ] <: u8) &. mask <: u8) |. - ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) - <: - u8) == - (lhs.[ i ] <: u8)); - logor_lemma (out.[ i ] <: u8) (lhs.[ i ] <: u8); - assert (((out.[ i ] <: u8) |. - (((lhs.[ i ] <: u8) &. mask <: u8) |. - ((rhs.[ i ] <: u8) &. 
(~.mask <: u8) <: u8) - <: - u8) - <: - u8) == - (lhs.[ i ] <: u8)); - assert (outi = (lhs.[ i ] <: u8))) - else - (logand_lemma (lhs.[ i ] <: u8) mask; - assert (((lhs.[ i ] <: u8) &. mask <: u8) == zero); - logand_lemma (rhs.[ i ] <: u8) (~.mask); - assert (((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) == (rhs.[ i ] <: u8)); - logor_lemma (rhs.[ i ] <: u8) zero; - assert ((logor zero (rhs.[ i ] <: u8)) == (rhs.[ i ] <: u8)); - assert ((((lhs.[ i ] <: u8) &. mask <: u8) |. - ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8)) == - (rhs.[ i ] <: u8)); - logor_lemma (out.[ i ] <: u8) (rhs.[ i ] <: u8); - assert (((out.[ i ] <: u8) |. - (((lhs.[ i ] <: u8) &. mask <: u8) |. - ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) - <: - u8) - <: - u8) == - (rhs.[ i ] <: u8)); - assert (outi = (rhs.[ i ] <: u8))) - in - let out:t_Array u8 (sz 32) = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out i outi - in - out) + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out + i + (((lhs.[ i ] <: u8) &. mask <: u8) |. ((rhs.[ i ] <: u8) &. (~.mask <: u8) <: u8) <: u8) + <: + t_Array u8 (sz 32)) in - let _:Prims.unit = if (selector =. 0uy) then (eq_intro out lhs) else (eq_intro out rhs) in out -#pop-options - let select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) = Core.Hint.black_box #(t_Array u8 (sz 32)) (select_ct lhs rhs selector <: t_Array u8 (sz 32)) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti index dc6fd2b46..0d28bb910 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constant_time_ops.fsti 
@@ -1,42 +1,24 @@ module Libcrux_ml_kem.Constant_time_ops -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul /// Return 1 if `value` is not zero and 0 otherwise. -val inz (value: u8) - : Prims.Pure u8 - Prims.l_True - (ensures - fun result -> - let result:u8 = result in - (value == 0uy ==> result == 0uy) /\ (value =!= 0uy ==> result == 1uy)) +val inz (value: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val is_non_zero (value: u8) - : Prims.Pure u8 - Prims.l_True - (ensures - fun result -> - let result:u8 = result in - (value == 0uy ==> result == 0uy) /\ (value =!= 0uy ==> result == 1uy)) +val is_non_zero (value: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) /// Return 1 if the bytes of `lhs` and `rhs` do not exactly /// match and 0 otherwise. val compare (lhs rhs: t_Slice u8) : Prims.Pure u8 (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize)) - (ensures - fun result -> - let result:u8 = result in - (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy)) + (fun _ -> Prims.l_True) val compare_ciphertexts_in_constant_time (lhs rhs: t_Slice u8) : Prims.Pure u8 (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize)) - (ensures - fun result -> - let result:u8 = result in - (lhs == rhs ==> result == 0uy) /\ (lhs =!= rhs ==> result == 1uy)) + (fun _ -> Prims.l_True) /// If `selector` is not zero, return the bytes in `rhs`; return the bytes in /// `lhs` otherwise. 
@@ -45,20 +27,14 @@ val select_ct (lhs rhs: t_Slice u8) (selector: u8) (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize) && (Core.Slice.impl__len #u8 lhs <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - (selector == 0uy ==> result == lhs) /\ (selector =!= 0uy ==> result == rhs)) + (fun _ -> Prims.l_True) val select_shared_secret_in_constant_time (lhs rhs: t_Slice u8) (selector: u8) : Prims.Pure (t_Array u8 (sz 32)) (requires (Core.Slice.impl__len #u8 lhs <: usize) =. (Core.Slice.impl__len #u8 rhs <: usize) && (Core.Slice.impl__len #u8 lhs <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - (selector == 0uy ==> result == lhs) /\ (selector =!= 0uy ==> result == rhs)) + (fun _ -> Prims.l_True) val compare_ciphertexts_select_shared_secret_in_constant_time (lhs_c rhs_c lhs_s rhs_s: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) @@ -66,8 +42,4 @@ val compare_ciphertexts_select_shared_secret_in_constant_time (lhs_c rhs_c lhs_s (Core.Slice.impl__len #u8 lhs_c <: usize) =. (Core.Slice.impl__len #u8 rhs_c <: usize) && (Core.Slice.impl__len #u8 lhs_s <: usize) =. (Core.Slice.impl__len #u8 rhs_s <: usize) && (Core.Slice.impl__len #u8 lhs_s <: usize) =. Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - let selector = if lhs_c =. rhs_c then 0uy else 1uy in - ((selector == 0uy ==> result == lhs_s) /\ (selector =!= 0uy ==> result == rhs_s))) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti index 812c7717d..76d143aad 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Constants.fsti 
@@ -1,5 +1,5 @@ module Libcrux_ml_kem.Constants -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti index fc7ae6c87..b09ff4dcd 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Avx2.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Hash_functions.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -8,29 +8,12 @@ open FStar.Mul /// All other functions don\'t actually use any members. val t_Simd256Hash:Type0 -val v_G (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 64)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 64) = result in - result == Spec.Utils.v_G input) +val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) -val v_H (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == Spec.Utils.v_H input) +val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val v_PRF (v_LEN: usize) (input: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN) - (requires v v_LEN < pow2 32) - (ensures - fun result -> - let result:t_Array u8 v_LEN = result in - result == Spec.Utils.v_PRF v_LEN input) + : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) 
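Review bot: The `v_PRF` signature in `Hash_functions.Avx2.fsti` loses its `(requires v v_LEN < pow2 32)` alongside the `Spec.Utils` postconditions, and `f_PRF_pre` in the `impl` hunk that follows becomes `true` to match, so callers may now pass any `usize` length. The old bound presumably existed because the underlying PRF implementation narrows the length to 32 bits — that cannot be confirmed from these hunks — and if so it has moved from a checked precondition to an unchecked assumption. If the bound is still needed, keep `(requires v v_LEN < pow2 32)` on `val v_PRF` and the matching `f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> v v_LEN < pow2 32)`; if it is genuinely no longer needed, a one-line comment above `val v_PRF` saying why would stop the next reader from re-adding it. The `impl` definition in that following hunk continues past the end of what is visible here.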
@@ -40,16 +23,16 @@ val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) let result:t_Array (t_Array u8 v_LEN) v_K = result in result == Spec.Utils.v_PRFxN v_K v_LEN input) -val shake128_init_absorb_final (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) +val shake128_init_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) : Prims.Pure t_Simd256Hash Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_first_three_blocks (v_K: usize) (st: t_Simd256Hash) - : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K) +val shake128_squeeze_block (v_K: usize) (st: t_Simd256Hash) + : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K) Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_next_block (v_K: usize) (st: t_Simd256Hash) - : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K) +val shake128_squeeze_three_blocks (v_K: usize) (st: t_Simd256Hash) + : Prims.Pure (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K) Prims.l_True (fun _ -> Prims.l_True) 
@@ -57,16 +40,13 @@ val shake128_squeeze_next_block (v_K: usize) (st: t_Simd256Hash) let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K = { f_G_pre = (fun (input: t_Slice u8) -> true); - f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> out == Spec.Utils.v_G input); + f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true); f_G = (fun (input: t_Slice u8) -> v_G input); f_H_pre = (fun (input: t_Slice u8) -> true); - f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> out == Spec.Utils.v_H input); + f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> true); f_H = (fun (input: t_Slice u8) -> v_H input); - f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> v v_LEN < pow2 32); - f_PRF_post - = - (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> - v v_LEN < pow2 32 ==> out == Spec.Utils.v_PRF v_LEN input); + f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> true); + f_PRF_post = (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> true); f_PRF = (fun (v_LEN: usize) (input: t_Slice u8) -> v_PRF v_LEN input); f_PRFxN_pre = 
@@ -84,35 +64,35 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd256Hash v_K = f_PRFxN = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> v_PRFxN v_K v_LEN input); - f_shake128_init_absorb_final_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); - f_shake128_init_absorb_final_post + f_shake128_init_absorb_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); + f_shake128_init_absorb_post = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) (out: t_Simd256Hash) -> true); - f_shake128_init_absorb_final + f_shake128_init_absorb = - (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb_final v_K input); - f_shake128_squeeze_first_three_blocks_pre = (fun (self: t_Simd256Hash) -> true); - f_shake128_squeeze_first_three_blocks_post + (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb v_K input); + f_shake128_squeeze_three_blocks_pre = (fun (self: t_Simd256Hash) -> true); + f_shake128_squeeze_three_blocks_post = (fun (self: t_Simd256Hash) (out1: (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K)) -> true); - f_shake128_squeeze_first_three_blocks + f_shake128_squeeze_three_blocks = (fun (self: t_Simd256Hash) -> let tmp0, out:(t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K) = - shake128_squeeze_first_three_blocks v_K self + shake128_squeeze_three_blocks v_K self in let self:t_Simd256Hash = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in self, hax_temp_output <: (t_Simd256Hash & t_Array (t_Array u8 (sz 504)) v_K)); - f_shake128_squeeze_next_block_pre = (fun (self: t_Simd256Hash) -> true); - f_shake128_squeeze_next_block_post + f_shake128_squeeze_block_pre = (fun (self: t_Simd256Hash) -> true); + f_shake128_squeeze_block_post = (fun (self: t_Simd256Hash) (out1: (t_Simd256Hash & t_Array (t_Array u8 (sz 168)) v_K)) -> true); - f_shake128_squeeze_next_block + f_shake128_squeeze_block = fun (self: t_Simd256Hash) -> let tmp0, out:(t_Simd256Hash & t_Array (t_Array 
u8 (sz 168)) v_K) = - shake128_squeeze_next_block v_K self + shake128_squeeze_block v_K self in let self:t_Simd256Hash = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti index 8232d0b3d..11183ad88 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Hash_functions.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -8,29 +8,12 @@ open FStar.Mul /// All other functions don\'t actually use any members. val t_Simd128Hash:Type0 -val v_G (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 64)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 64) = result in - result == Spec.Utils.v_G input) +val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) -val v_H (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == Spec.Utils.v_H input) +val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val v_PRF (v_LEN: usize) (input: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN) - (requires v v_LEN < pow2 32) - (ensures - fun result -> - let result:t_Array u8 v_LEN = result in - result == Spec.Utils.v_PRF v_LEN input) + : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) 
@@ -40,16 +23,16 @@ val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) let result:t_Array (t_Array u8 v_LEN) v_K = result in result == Spec.Utils.v_PRFxN v_K v_LEN input) -val shake128_init_absorb_final (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) +val shake128_init_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) : Prims.Pure t_Simd128Hash Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_first_three_blocks (v_K: usize) (st: t_Simd128Hash) - : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K) +val shake128_squeeze_block (v_K: usize) (st: t_Simd128Hash) + : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K) Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_next_block (v_K: usize) (st: t_Simd128Hash) - : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K) +val shake128_squeeze_three_blocks (v_K: usize) (st: t_Simd128Hash) + : Prims.Pure (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K) Prims.l_True (fun _ -> Prims.l_True) 
@@ -57,16 +40,13 @@ val shake128_squeeze_next_block (v_K: usize) (st: t_Simd128Hash) let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = { f_G_pre = (fun (input: t_Slice u8) -> true); - f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> out == Spec.Utils.v_G input); + f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true); f_G = (fun (input: t_Slice u8) -> v_G input); f_H_pre = (fun (input: t_Slice u8) -> true); - f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> out == Spec.Utils.v_H input); + f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> true); f_H = (fun (input: t_Slice u8) -> v_H input); - f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> v v_LEN < pow2 32); - f_PRF_post - = - (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> - v v_LEN < pow2 32 ==> out == Spec.Utils.v_PRF v_LEN input); + f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> true); + f_PRF_post = (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> true); f_PRF = (fun (v_LEN: usize) (input: t_Slice u8) -> v_PRF v_LEN input); f_PRFxN_pre = 
@@ -84,35 +64,35 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash t_Simd128Hash v_K = f_PRFxN = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> v_PRFxN v_K v_LEN input); - f_shake128_init_absorb_final_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); - f_shake128_init_absorb_final_post + f_shake128_init_absorb_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); + f_shake128_init_absorb_post = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) (out: t_Simd128Hash) -> true); - f_shake128_init_absorb_final + f_shake128_init_absorb = - (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb_final v_K input); - f_shake128_squeeze_first_three_blocks_pre = (fun (self: t_Simd128Hash) -> true); - f_shake128_squeeze_first_three_blocks_post + (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb v_K input); + f_shake128_squeeze_three_blocks_pre = (fun (self: t_Simd128Hash) -> true); + f_shake128_squeeze_three_blocks_post = (fun (self: t_Simd128Hash) (out1: (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K)) -> true); - f_shake128_squeeze_first_three_blocks + f_shake128_squeeze_three_blocks = (fun (self: t_Simd128Hash) -> let tmp0, out:(t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K) = - shake128_squeeze_first_three_blocks v_K self + shake128_squeeze_three_blocks v_K self in let self:t_Simd128Hash = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in self, hax_temp_output <: (t_Simd128Hash & t_Array (t_Array u8 (sz 504)) v_K)); - f_shake128_squeeze_next_block_pre = (fun (self: t_Simd128Hash) -> true); - f_shake128_squeeze_next_block_post + f_shake128_squeeze_block_pre = (fun (self: t_Simd128Hash) -> true); + f_shake128_squeeze_block_post = (fun (self: t_Simd128Hash) (out1: (t_Simd128Hash & t_Array (t_Array u8 (sz 168)) v_K)) -> true); - f_shake128_squeeze_next_block + f_shake128_squeeze_block = fun (self: t_Simd128Hash) -> let tmp0, out:(t_Simd128Hash & t_Array (t_Array 
u8 (sz 168)) v_K) = - shake128_squeeze_next_block v_K self + shake128_squeeze_block v_K self in let self:t_Simd128Hash = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti index 33e10a142..74f6b0533 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.Portable.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Hash_functions.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -8,29 +8,12 @@ open FStar.Mul /// All other functions don\'t actually use any members. val t_PortableHash (v_K: usize) : Type0 -val v_G (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 64)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 64) = result in - result == Spec.Utils.v_G input) +val v_G (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 64)) Prims.l_True (fun _ -> Prims.l_True) -val v_H (input: t_Slice u8) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == Spec.Utils.v_H input) +val v_H (input: t_Slice u8) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val v_PRF (v_LEN: usize) (input: t_Slice u8) - : Prims.Pure (t_Array u8 v_LEN) - (requires v v_LEN < pow2 32) - (ensures - fun result -> - let result:t_Array u8 v_LEN = result in - result == Spec.Utils.v_PRF v_LEN input) + : Prims.Pure (t_Array u8 v_LEN) Prims.l_True (fun _ -> Prims.l_True) val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) : Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) 
@@ -40,16 +23,16 @@ val v_PRFxN (v_K v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) let result:t_Array (t_Array u8 v_LEN) v_K = result in result == Spec.Utils.v_PRFxN v_K v_LEN input) -val shake128_init_absorb_final (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) +val shake128_init_absorb (v_K: usize) (input: t_Array (t_Array u8 (sz 34)) v_K) : Prims.Pure (t_PortableHash v_K) Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_first_three_blocks (v_K: usize) (st: t_PortableHash v_K) - : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K) +val shake128_squeeze_block (v_K: usize) (st: t_PortableHash v_K) + : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K) Prims.l_True (fun _ -> Prims.l_True) -val shake128_squeeze_next_block (v_K: usize) (st: t_PortableHash v_K) - : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K) +val shake128_squeeze_three_blocks (v_K: usize) (st: t_PortableHash v_K) + : Prims.Pure (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K) Prims.l_True (fun _ -> Prims.l_True) 
@@ -57,16 +40,13 @@ val shake128_squeeze_next_block (v_K: usize) (st: t_PortableHash v_K) let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K) v_K = { f_G_pre = (fun (input: t_Slice u8) -> true); - f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> out == Spec.Utils.v_G input); + f_G_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 64)) -> true); f_G = (fun (input: t_Slice u8) -> v_G input); f_H_pre = (fun (input: t_Slice u8) -> true); - f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> out == Spec.Utils.v_H input); + f_H_post = (fun (input: t_Slice u8) (out: t_Array u8 (sz 32)) -> true); f_H = (fun (input: t_Slice u8) -> v_H input); - f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> v v_LEN < pow2 32); - f_PRF_post - = - (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> - v v_LEN < pow2 32 ==> out == Spec.Utils.v_PRF v_LEN input); + f_PRF_pre = (fun (v_LEN: usize) (input: t_Slice u8) -> true); + f_PRF_post = (fun (v_LEN: usize) (input: t_Slice u8) (out: t_Array u8 v_LEN) -> true); f_PRF = (fun (v_LEN: usize) (input: t_Slice u8) -> v_PRF v_LEN input); f_PRFxN_pre = 
@@ -84,43 +64,43 @@ let impl (v_K: usize) : Libcrux_ml_kem.Hash_functions.t_Hash (t_PortableHash v_K f_PRFxN = (fun (v_LEN: usize) (input: t_Array (t_Array u8 (sz 33)) v_K) -> v_PRFxN v_K v_LEN input); - f_shake128_init_absorb_final_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); - f_shake128_init_absorb_final_post + f_shake128_init_absorb_pre = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> true); + f_shake128_init_absorb_post = (fun (input: t_Array (t_Array u8 (sz 34)) v_K) (out: t_PortableHash v_K) -> true); - f_shake128_init_absorb_final + f_shake128_init_absorb = - (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb_final v_K input); - f_shake128_squeeze_first_three_blocks_pre = (fun (self: t_PortableHash v_K) -> true); - f_shake128_squeeze_first_three_blocks_post + (fun (input: t_Array (t_Array u8 (sz 34)) v_K) -> shake128_init_absorb v_K input); + f_shake128_squeeze_three_blocks_pre = (fun (self: t_PortableHash v_K) -> true); + f_shake128_squeeze_three_blocks_post = (fun (self: t_PortableHash v_K) (out1: (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K)) -> true); - f_shake128_squeeze_first_three_blocks + f_shake128_squeeze_three_blocks = (fun (self: t_PortableHash v_K) -> let tmp0, out:(t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K) = - shake128_squeeze_first_three_blocks v_K self + shake128_squeeze_three_blocks v_K self in let self:t_PortableHash v_K = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 504)) v_K = out in self, hax_temp_output <: (t_PortableHash v_K & t_Array (t_Array u8 (sz 504)) v_K)); - f_shake128_squeeze_next_block_pre = (fun (self: t_PortableHash v_K) -> true); - f_shake128_squeeze_next_block_post + f_shake128_squeeze_block_pre = (fun (self: t_PortableHash v_K) -> true); + f_shake128_squeeze_block_post = (fun (self: t_PortableHash v_K) (out1: (t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K)) -> true); - f_shake128_squeeze_next_block + f_shake128_squeeze_block = fun (self: 
t_PortableHash v_K) -> let tmp0, out:(t_PortableHash v_K & t_Array (t_Array u8 (sz 168)) v_K) = - shake128_squeeze_next_block v_K self + shake128_squeeze_block v_K self in let self:t_PortableHash v_K = tmp0 in let hax_temp_output:t_Array (t_Array u8 (sz 168)) v_K = out in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti index f734de676..e8a479263 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Hash_functions.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Hash_functions -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -10,19 +10,16 @@ open FStar.Mul /// - NEON /// - Portable class t_Hash (v_Self: Type0) (v_K: usize) = { - f_G_pre:input: t_Slice u8 -> pred: Type0{true ==> pred}; - f_G_post:input: t_Slice u8 -> result: t_Array u8 (sz 64) - -> pred: Type0{pred ==> result == Spec.Utils.v_G input}; + f_G_pre:t_Slice u8 -> Type0; + f_G_post:t_Slice u8 -> t_Array u8 (sz 64) -> Type0; f_G:x0: t_Slice u8 -> Prims.Pure (t_Array u8 (sz 64)) (f_G_pre x0) (fun result -> f_G_post x0 result); - f_H_pre:input: t_Slice u8 -> pred: Type0{true ==> pred}; - f_H_post:input: t_Slice u8 -> result: t_Array u8 (sz 32) - -> pred: Type0{pred ==> result == Spec.Utils.v_H input}; + f_H_pre:t_Slice u8 -> Type0; + f_H_post:t_Slice u8 -> t_Array u8 (sz 32) -> Type0; f_H:x0: t_Slice u8 -> Prims.Pure (t_Array u8 (sz 32)) (f_H_pre x0) (fun result -> f_H_post x0 result); - f_PRF_pre:v_LEN: usize -> input: t_Slice u8 -> pred: Type0{v v_LEN < pow2 32 ==> pred}; - f_PRF_post:v_LEN: usize -> input: t_Slice u8 -> result: t_Array u8 v_LEN - -> pred: Type0{pred ==> v v_LEN < pow2 32 ==> result == Spec.Utils.v_PRF v_LEN input}; + f_PRF_pre:v_LEN: usize -> t_Slice u8 -> Type0; + f_PRF_post:v_LEN: usize -> t_Slice u8 -> t_Array u8 v_LEN -> Type0; f_PRF:v_LEN: usize -> x0: t_Slice u8 -> Prims.Pure (t_Array u8 v_LEN) (f_PRF_pre v_LEN x0) (fun result -> f_PRF_post v_LEN x0 result); f_PRFxN_pre:v_LEN: usize -> input: t_Array (t_Array u8 (sz 33)) v_K 
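Review bot: Dropping the refinements on the `t_Hash` members — `f_G_post`, `f_H_post` and `f_PRF_post` no longer carry `pred ==> result == Spec.Utils.v_G input` (resp. `v_H`, `v_PRF`), and `f_PRF_pre` loses `v v_LEN < pow2 32 ==> pred` — removes a trait-level obligation, so every backend instance (Portable, Neon and Avx2 are all relaxed the same way in this commit) is freed from proving it computes the specified hash, and a proof of ML-KEM that goes through `t_Hash` can no longer connect G/H/PRF to the spec. The backend files in this same commit still keep `result == Spec.Utils.v_PRFxN v_K v_LEN input` on `v_PRFxN`, which suggests a partial regeneration rather than a deliberate design choice; confirm against the Rust `hax_lib::ensures` annotations and restore the refinements, e.g. `f_G_post:input: t_Slice u8 -> result: t_Array u8 (sz 64) -> pred: Type0{pred ==> result == Spec.Utils.v_G input};`. The `v_LEN < pow2 32` precondition is also the only visible bound on the requested PRF output length, so its removal should be justified explicitly if kept. The `t_Hash` class declaration continues past the end of this hunk.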
@@ -40,26 +37,25 @@ class t_Hash (v_Self: Type0) (v_K: usize) = { -> Prims.Pure (t_Array (t_Array u8 v_LEN) v_K) (f_PRFxN_pre v_LEN x0) (fun result -> f_PRFxN_post v_LEN x0 result); - f_shake128_init_absorb_final_pre:input: t_Array (t_Array u8 (sz 34)) v_K - -> pred: Type0{true ==> pred}; - f_shake128_init_absorb_final_post:t_Array (t_Array u8 (sz 34)) v_K -> v_Self -> Type0; - f_shake128_init_absorb_final:x0: t_Array (t_Array u8 (sz 34)) v_K + f_shake128_init_absorb_pre:t_Array (t_Array u8 (sz 34)) v_K -> Type0; + f_shake128_init_absorb_post:t_Array (t_Array u8 (sz 34)) v_K -> v_Self -> Type0; + f_shake128_init_absorb:x0: t_Array (t_Array u8 (sz 34)) v_K -> Prims.Pure v_Self - (f_shake128_init_absorb_final_pre x0) - (fun result -> f_shake128_init_absorb_final_post x0 result); - f_shake128_squeeze_first_three_blocks_pre:self___: v_Self -> pred: Type0{true ==> pred}; - f_shake128_squeeze_first_three_blocks_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 504)) v_K) + (f_shake128_init_absorb_pre x0) + (fun result -> f_shake128_init_absorb_post x0 result); + f_shake128_squeeze_three_blocks_pre:v_Self -> Type0; + f_shake128_squeeze_three_blocks_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 504)) v_K) -> Type0; - f_shake128_squeeze_first_three_blocks:x0: v_Self + f_shake128_squeeze_three_blocks:x0: v_Self -> Prims.Pure (v_Self & t_Array (t_Array u8 (sz 504)) v_K) - (f_shake128_squeeze_first_three_blocks_pre x0) - (fun result -> f_shake128_squeeze_first_three_blocks_post x0 result); - f_shake128_squeeze_next_block_pre:self___: v_Self -> pred: Type0{true ==> pred}; - f_shake128_squeeze_next_block_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 168)) v_K) -> Type0; - f_shake128_squeeze_next_block:x0: v_Self + (f_shake128_squeeze_three_blocks_pre x0) + (fun result -> f_shake128_squeeze_three_blocks_post x0 result); + f_shake128_squeeze_block_pre:v_Self -> Type0; + f_shake128_squeeze_block_post:v_Self -> (v_Self & t_Array (t_Array u8 (sz 168)) v_K) -> Type0; + 
f_shake128_squeeze_block:x0: v_Self -> Prims.Pure (v_Self & t_Array (t_Array u8 (sz 168)) v_K) - (f_shake128_squeeze_next_block_pre x0) - (fun result -> f_shake128_squeeze_next_block_post x0 result) + (f_shake128_squeeze_block_pre x0) + (fun result -> f_shake128_squeeze_block_post x0 result) } /// The SHA3 block size. diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst index cecdf9ad1..4ae062555 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fst 
@@ -6,11 +6,42 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Avx2 in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in () -let encapsulate +let decapsulate_avx2 + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE + v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + key_pair ciphertext + +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + decapsulate_avx2 v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE 
v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE key_pair ciphertext + +let encapsulate_avx2 (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: 
@@ -24,7 +55,70 @@ let encapsulate v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash public_key randomness -let unpack_public_key +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + encapsulate_avx2 v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE + v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN + v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness + +let generate_keypair_avx2 + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, out:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash + #Libcrux_ml_kem.Variant.t_MlKem randomness out + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + out + +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 
64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, out:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + generate_keypair_avx2 v_K + v_CPA_PRIVATE_KEY_SIZE + v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE + v_BYTES_PER_RING_ELEMENT + v_ETA1 + v_ETA1_RANDOMNESS_SIZE + randomness + out + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + out + +let unpack_public_key_avx2 (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (unpacked_public_key: 
@@ -50,40 +144,26 @@ let unpack_public_key in unpacked_public_key -let decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE - v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE - v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - key_pair ciphertext - -let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - (out: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K +let unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = - let hax_temp_output, out:(Prims.unit & - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = (), - Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE 
v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector #Libcrux_ml_kem.Hash_functions.Avx2.t_Simd256Hash - randomness out + unpack_public_key_avx2 v_K + v_T_AS_NTT_ENCODED_SIZE + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + public_key + unpacked_public_key <: (Prims.unit & - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) in - out + unpacked_public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti index 609428969..eeb705954 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.fsti 
@@ -6,12 +6,33 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Avx2 in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in () -/// Unpacked encapsulate -val encapsulate +val decapsulate_avx2 + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +/// Unpacked decapsulate +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + +val encapsulate_avx2 (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: 
@@ -22,26 +43,28 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Get the unpacked public key. -val unpack_public_key - (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (unpacked_public_key: +/// Unpacked encapsulate +val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) -/// Unpacked decapsulate -val decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: +val generate_keypair_avx2 + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) - (key_pair: + (randomness: t_Array u8 (sz 64)) + (out: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ 
-> Prims.l_True) /// Generate a key pair val generate_keypair @@ -54,3 +77,25 @@ val generate_keypair : Prims.Pure (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpack_public_key_avx2 + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst index c9a34f640..97bf551a2 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti index 39fede866..62e566a3c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst index 91614ab24..1c5cfc0fe 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fst 
@@ -6,10 +6,28 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Neon in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Traits in () +let decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + = + Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE + v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE + v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 + v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash key_pair ciphertext + let encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) 
@@ -24,6 +42,30 @@ let encapsulate v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash public_key randomness +let generate_keypair + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + usize) + (randomness: t_Array u8 (sz 64)) + (out: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, out:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem randomness + out + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + out + let unpack_public_key (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) 
@@ -49,41 +91,3 @@ let unpack_public_key Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) in unpacked_public_key - -let decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - = - Libcrux_ml_kem.Ind_cca.Unpacked.decapsulate v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE - v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE - v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 - v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash key_pair ciphertext - -let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: - usize) - (randomness: t_Array u8 (sz 64)) - (out: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - = - let hax_temp_output, out:(Prims.unit & - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - (), - Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash randomness out - <: - (Prims.unit & - 
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - in - out diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti index e602961e3..9d2131a1c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.fsti @@ -6,10 +6,23 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Neon in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Traits in () +/// Unpacked decapsulate +val decapsulate + (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: + usize) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + /// Unpacked encapsulate val encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: 
@@ -22,29 +35,6 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Get the unpacked public key. -val unpack_public_key - (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Unpacked decapsulate -val decapsulate - (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: - usize) - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - /// Generate a key pair val generate_keypair (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: 
@@ -58,3 +48,16 @@ val generate_keypair Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpack_public_key + (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst index dca261dd4..a269333d7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -40,25 +40,25 @@ let decapsulate ciphertext let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) = Libcrux_ml_kem.Ind_cca.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE - v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR + v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem public_key randomness let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) = Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector #Libcrux_ml_kem.Hash_functions.Neon.t_Simd128Hash #Libcrux_ml_kem.Variant.t_MlKem randomness 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti index e244a6ece..5f7d577a0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -30,55 +30,24 @@ val decapsulate usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - (requires - 
Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) /// Portable generate key pair. val generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) /// Portable public key validation diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst index 3d5ed41ba..df28e3a00 100644 
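Review bot: The `requires` clauses on `decapsulate`, `encapsulate` and `generate_keypair` that tied every size parameter to its `Spec.MLKEM` value (`Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ ...`) are replaced by `Prims.l_True`, so the interface no longer states the parameter constraints the instantiations were verified under; the `val decapsulate` declaration itself begins before this hunk. In the Portable interface `validate_public_key` and `validate_private_key` keep their `requires`, so this looks like a regression in the extraction rather than an intended change; since the file is hax-generated the fix presumably belongs in the Rust-side attributes the `requires` are extracted from, followed by a re-extraction. If dropping them is deliberate for this WIP step, a line in the commit message saying so would help reviewers. The same weakening appears in the Portable.fsti hunk for `decapsulate` and `encapsulate`. The accompanying `#set-options` change from `--z3rlimit 100` to `--z3rlimit 15` in the Neon, Avx2 and Portable instantiation files is harmless while the specs are trivial but may need revisiting once the preconditions come back.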
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fst @@ -6,24 +6,13 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Portable in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in () -let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE - v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 - v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) public_key randomness - let unpack_public_key (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) 
@@ -50,6 +39,20 @@ let unpack_public_key in unpacked_public_key +let encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Unpacked.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE + v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) public_key randomness + let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) @@ -80,7 +83,8 @@ let generate_keypair Libcrux_ml_kem.Ind_cca.Unpacked.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) randomness out + #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem + randomness out <: (Prims.unit & Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked v_K 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti index ef16fb9d1..e8eab1c4d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.fsti @@ -6,22 +6,13 @@ open FStar.Mul let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Hash_functions in let open Libcrux_ml_kem.Hash_functions.Portable in + let open Libcrux_ml_kem.Variant in let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in () -/// Unpacked encapsulate -val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: - usize) - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - /// Get the unpacked public key. val unpack_public_key (v_K v_T_AS_NTT_ENCODED_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) 
@@ -35,6 +26,18 @@ val unpack_public_key Prims.l_True (fun _ -> Prims.l_True) +/// Unpacked encapsulate +val encapsulate + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + usize) + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked v_K + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + /// Unpacked decapsulate val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst index 333f8fbbd..317195665 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -25,6 +25,16 @@ let validate_private_key private_key ciphertext +let validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + = + Libcrux_ml_kem.Ind_cca.validate_public_key v_K + v_RANKED_BYTES_PER_RING_ELEMENT + v_PUBLIC_KEY_SIZE + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + public_key + let decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) 
@@ -40,35 +50,25 @@ let decapsulate private_key ciphertext let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) = Libcrux_ml_kem.Ind_cca.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE - v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE - v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE + v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR + v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem public_key randomness let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) = Libcrux_ml_kem.Ind_cca.generate_keypair v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE - v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE + v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector #(Libcrux_ml_kem.Hash_functions.Portable.t_PortableHash v_K) #Libcrux_ml_kem.Variant.t_MlKem randomness - -let validate_public_key - (v_K 
v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - = - Libcrux_ml_kem.Ind_cca.validate_public_key v_K - v_RANKED_BYTES_PER_RING_ELEMENT - v_PUBLIC_KEY_SIZE - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti index b62f5b8f2..04583da6a 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Instantiations.Portable.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Instantiations.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -24,70 +24,39 @@ val validate_private_key v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) (fun _ -> Prims.l_True) +/// Portable public key validation +val validate_public_key + (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) + (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) + : Prims.Pure bool + (requires + Spec.MLKEM.is_rank v_K /\ + v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ + v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) + (fun _ -> Prims.l_True) + /// Portable decapsulate val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == 
Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) /// Portable generate key pair. 
val generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) - (fun _ -> Prims.l_True) - -/// Portable public key validation -val validate_public_key - (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) - (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst index 2fbb2ea3d..f945524c6 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Multiplexing -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
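Review bot: The `requires` clauses on decapsulate, encapsulate and generate_keypair are replaced by `Prims.l_True`, so this interface no longer ties `v_K` to `Spec.MLKEM.is_rank` or any size parameter (`v_CIPHERTEXT_SIZE`, `v_PUBLIC_KEY_SIZE`, `v_ETA1_RANDOMNESS_SIZE`, …) to the spec constants, while the `validate_public_key` val added at the top of the same hunk keeps its full precondition. For a verified KEM that is a real loss: an instantiation with mismatched sizes now typechecks, and whatever the bodies prove about spec equivalence is no longer guaranteed to apply at this boundary. If dropping them is deliberate for this WIP, mark each val with `/// TODO(proof): size preconditions removed temporarily; restore Spec.MLKEM constraints before merge` so the file is not mistaken for the final contract; otherwise keep the removed `requires` blocks. Since this is hax extraction output, the change presumably has to be made in the Rust source's hax attributes rather than edited here.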
@@ -52,7 +52,7 @@ let decapsulate private_key ciphertext let encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) 
@@ -61,23 +61,23 @@ let encapsulate then Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness else if Libcrux_platform.Platform.simd128_support () then Libcrux_ml_kem.Ind_cca.Instantiations.Neon.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness else Libcrux_ml_kem.Ind_cca.Instantiations.Portable.encapsulate v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR - v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 + v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE public_key randomness let generate_keypair - (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) = @@ -87,7 +87,7 @@ let generate_keypair v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT + v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE randomness @@ -98,7 +98,7 @@ let generate_keypair v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT + v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE randomness 
@@ -107,7 +107,7 @@ let generate_keypair v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE - v_RANKED_BYTES_PER_RING_ELEMENT + v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti index 4e231ea63..8323134a3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Multiplexing.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Multiplexing -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -7,73 +7,33 @@ val validate_private_key (v_K v_SECRET_KEY_SIZE v_CIPHERTEXT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) val validate_public_key (v_K v_RANKED_BYTES_PER_RING_ELEMENT v_PUBLIC_KEY_SIZE: usize) (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) val decapsulate (v_K v_SECRET_KEY_SIZE v_CPA_SECRET_KEY_SIZE v_PUBLIC_KEY_SIZE v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize) (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CPA_SECRET_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == 
Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K /\ - v_IMPLICIT_REJECTION_HASH_INPUT_SIZE == Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) val encapsulate - (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: + (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_VECTOR_U_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: usize) (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE & t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K /\ - v_C1_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ v_C2_SIZE == Spec.MLKEM.v_C2_SIZE v_K /\ - v_VECTOR_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_VECTOR_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_C1_BLOCK_SIZE == Spec.MLKEM.v_C1_BLOCK_SIZE v_K /\ v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K /\ - v_ETA2 == Spec.MLKEM.v_ETA2 v_K /\ - v_ETA2_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA2_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) val generate_keypair - (v_K 
v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_RANKED_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: + (v_K v_CPA_PRIVATE_KEY_SIZE v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE v_BYTES_PER_RING_ELEMENT v_ETA1 v_ETA1_RANDOMNESS_SIZE: usize) (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - (requires - Spec.MLKEM.is_rank v_K /\ v_CPA_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_PRIVATE_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_ETA1 == Spec.MLKEM.v_ETA1 v_K /\ - v_ETA1_RANDOMNESS_SIZE == Spec.MLKEM.v_ETA1_RANDOMNESS_SIZE v_K) + Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst index 90b5d0f43..227944b6d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Unpacked -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -63,7 +63,7 @@ let transpose_a v_K (fun v__j -> let v__j:usize = v__j in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: 
@@ -169,7 +169,8 @@ let unpack_public_key unpacked_public_key.f_ind_cpa_public_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt = - Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_T_AS_NTT_ENCODED_SIZE + v_K #v_Vector (public_key.Libcrux_ml_kem.Types.f_value.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE @@ -257,7 +258,7 @@ let unpack_public_key Libcrux_ml_kem.Hash_functions.f_H #v_Hasher #v_K #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) + (Libcrux_ml_kem.Types.impl_21__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) } <: t_MlKemPublicKeyUnpacked v_K v_Vector diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti index 6bccf5010..148d38dda 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.Unpacked.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca.Unpacked -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst index 84a0cd81c..14c3eddd9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -44,8 +44,6 @@ let validate_private_key in t =. expected -#push-options "--z3rlimit 150" - let serialize_kem_secret_key (v_K v_SERIALIZED_KEY_LEN: usize) (#v_Hasher: Type0) 
@@ -156,44 +154,8 @@ let serialize_kem_secret_key <: t_Slice u8) in - let _:Prims.unit = - let open Spec.Utils in - assert ((Seq.slice out 0 (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K))) - `Seq.equal` - private_key); - assert ((Seq.slice out - (v #usize_inttype (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K)) - (v #usize_inttype - (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K))) - `Seq.equal` - public_key); - assert ((Seq.slice out - (v #usize_inttype - (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K)) - (v #usize_inttype - (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K +! - Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE))) - `Seq.equal` - (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher #v_K public_key)); - assert (Seq.slice out - (v #usize_inttype - (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K +! - Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE)) - (v #usize_inttype - (Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K +! Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K +! - Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE +! - Spec.MLKEM.v_SHARED_SECRET_SIZE)) == - implicit_rejection_value); - lemma_slice_append_4 out - private_key - public_key - (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher #v_K public_key) - implicit_rejection_value - in out -#pop-options - #push-options "--z3rlimit 150" let encapsulate @@ -220,7 +182,6 @@ let encapsulate let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = Libcrux_ml_kem.Utils.into_padded_array (sz 64) (randomness <: t_Slice u8) in - let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) randomness in let to_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE } 
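Review bot: Removing the four `Seq.slice … \`Seq.equal\`` assertions and the `lemma_slice_append_4` call leaves nothing in serialize_kem_secret_key that establishes `out` is `private_key ‖ public_key ‖ H(public_key) ‖ implicit_rejection_value`. That layout is exactly what decapsulate's successive `split_at` calls on the private key rely on to find the public-key hash and the implicit-rejection value at the right offsets, so the two sides can now drift apart without a proof failure. If the facts are gone only to get the WIP through F*, record the debt just before `out`, e.g. `(* TODO(proof): re-establish out == sk_cpa ++ pk ++ H(pk) ++ z; see lemma_slice_append_4 *)`. The body of serialize_kem_secret_key begins outside this hunk.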
@@ -235,17 +196,12 @@ let encapsulate (Libcrux_ml_kem.Hash_functions.f_H #v_Hasher #v_K #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) + (Libcrux_ml_kem.Types.impl_21__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) <: t_Slice u8) <: t_Slice u8) in - let _:Prims.unit = - assert (Seq.slice to_hash 0 (v Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE) == randomness); - lemma_slice_append to_hash randomness (Spec.Utils.v_H public_key.f_value); - assert (to_hash == concat randomness (Spec.Utils.v_H public_key.f_value)) - in let hashed:t_Array u8 (sz 64) = Libcrux_ml_kem.Hash_functions.f_G #v_Hasher #v_K @@ -261,7 +217,7 @@ let encapsulate Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher - (Libcrux_ml_kem.Types.impl_20__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness + (Libcrux_ml_kem.Types.impl_21__as_slice v_PUBLIC_KEY_SIZE public_key <: t_Slice u8) randomness pseudorandomness in let ciphertext:Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE = @@ -294,7 +250,8 @@ let validate_public_key (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) = let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced_out v_K + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced_out v_PUBLIC_KEY_SIZE + v_K #v_Vector (public_key.[ { Core.Ops.Range.f_end = v_RANKED_BYTES_PER_RING_ELEMENT } <: @@ -365,7 +322,7 @@ let generate_keypair #FStar.Tactics.Typeclasses.solve secret_key_serialized in - Libcrux_ml_kem.Types.impl_21__from v_PRIVATE_KEY_SIZE + Libcrux_ml_kem.Types.impl__from v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE private_key (Core.Convert.f_from #(Libcrux_ml_kem.Types.t_MlKemPublicKey v_PUBLIC_KEY_SIZE) 
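Review bot: In validate_public_key, `deserialize_ring_elements_reduced_out` now receives `v_PUBLIC_KEY_SIZE` as its first size argument, but the slice it is given is `public_key.[ { f_end = v_RANKED_BYTES_PER_RING_ELEMENT } ]`, i.e. only the t_as_ntt bytes, not the whole key. The parallel call in Unpacked.fst passes `v_T_AS_NTT_ENCODED_SIZE` together with a slice ending at `v_T_AS_NTT_ENCODED_SIZE`, so passing the full-key size for a sub-slice here reads as a mismatch unless the `_out` variant's first parameter deliberately denotes the source-array length, which this hunk does not show. The relation `v_RANKED_BYTES_PER_RING_ELEMENT <= v_PUBLIC_KEY_SIZE` that made the slice well-formed was carried by the `requires` this commit removes from Ind_cca.fsti, so a one-line comment stating which length the new argument denotes would help the next reader. The rest of validate_public_key is outside this hunk.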
@@ -391,10 +348,6 @@ let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) = - let _:Prims.unit = - assert (v v_CIPHERTEXT_SIZE == - v v_IMPLICIT_REJECTION_HASH_INPUT_SIZE - v Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE) - in let ind_cpa_secret_key, secret_key:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 (private_key.Libcrux_ml_kem.Types.f_value <: t_Slice u8) @@ -406,20 +359,6 @@ let decapsulate let ind_cpa_public_key_hash, implicit_rejection_value:(t_Slice u8 & t_Slice u8) = Core.Slice.impl__split_at #u8 secret_key Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE in - let _:Prims.unit = - assert (ind_cpa_secret_key == slice private_key.f_value (sz 0) v_CPA_SECRET_KEY_SIZE); - assert (ind_cpa_public_key == - slice private_key.f_value v_CPA_SECRET_KEY_SIZE (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE) - ); - assert (ind_cpa_public_key_hash == - slice private_key.f_value - (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE) - (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE)); - assert (implicit_rejection_value == - slice private_key.f_value - (v_CPA_SECRET_KEY_SIZE +! v_PUBLIC_KEY_SIZE +! Spec.MLKEM.v_H_DIGEST_SIZE) - (length private_key.f_value)) - in let decrypted:t_Array u8 (sz 32) = Libcrux_ml_kem.Ind_cpa.decrypt v_K v_CIPHERTEXT_SIZE @@ -433,7 +372,6 @@ let decapsulate let (to_hash: t_Array u8 (sz 64)):t_Array u8 (sz 64) = Libcrux_ml_kem.Utils.into_padded_array (sz 64) (decrypted <: t_Slice u8) in - let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) decrypted in let to_hash:t_Array u8 (sz 64) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } 
@@ -449,11 +387,6 @@ let decapsulate <: t_Slice u8) in - let _:Prims.unit = - lemma_slice_append to_hash decrypted ind_cpa_public_key_hash; - assert (decrypted == Spec.MLKEM.ind_cpa_decrypt v_K ind_cpa_secret_key ciphertext.f_value); - assert (to_hash == concat decrypted ind_cpa_public_key_hash) - in let hashed:t_Array u8 (sz 64) = Libcrux_ml_kem.Hash_functions.f_G #v_Hasher #v_K @@ -465,21 +398,11 @@ let decapsulate (hashed <: t_Slice u8) Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE in - let _:Prims.unit = - assert ((shared_secret, pseudorandomness) == - split hashed Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE); - assert (length implicit_rejection_value = - v_SECRET_KEY_SIZE -! v_CPA_SECRET_KEY_SIZE -! v_PUBLIC_KEY_SIZE -! - Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE); - assert (length implicit_rejection_value = Spec.MLKEM.v_SHARED_SECRET_SIZE); - assert (Spec.MLKEM.v_SHARED_SECRET_SIZE <=. Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K) - in let (to_hash: t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE):t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = Libcrux_ml_kem.Utils.into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE implicit_rejection_value in - let _:Prims.unit = eq_intro (Seq.slice to_hash 0 32) implicit_rejection_value in let to_hash:t_Array u8 v_IMPLICIT_REJECTION_HASH_INPUT_SIZE = Rust_primitives.Hax.Monomorphized_update_at.update_at_range_from to_hash ({ Core.Ops.Range.f_start = Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE } @@ -500,12 +423,6 @@ let decapsulate <: t_Slice u8) in - let _:Prims.unit = - assert_norm (pow2 32 == 0x100000000); - assert (v (sz 32) < pow2 32); - assert (i4.f_PRF_pre (sz 32) to_hash); - lemma_slice_append to_hash implicit_rejection_value ciphertext.f_value - in let (implicit_rejection_shared_secret: t_Array u8 (sz 32)):t_Array u8 (sz 32) = Libcrux_ml_kem.Hash_functions.f_PRF #v_Hasher #v_K 
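Review bot: The removed facts `length implicit_rejection_value = Spec.MLKEM.v_SHARED_SECRET_SIZE` and `Spec.MLKEM.v_SHARED_SECRET_SIZE <=. Spec.MLKEM.v_IMPLICIT_REJECTION_HASH_INPUT_SIZE v_K` are what justified `into_padded_array v_IMPLICIT_REJECTION_HASH_INPUT_SIZE implicit_rejection_value` followed by writing the ciphertext from offset `v_SHARED_SECRET_SIZE`: if the remainder after the public-key hash were any other length, or the buffer too short, the PRF would run over a wrong or truncated `z ‖ c` and the implicit-rejection shared secret for a malformed ciphertext would diverge from the spec. With the `requires` in Ind_cca.fsti also dropped in this commit, those sizes are no longer pinned anywhere visible. I would keep at least `assert (length implicit_rejection_value = Spec.MLKEM.v_SHARED_SECRET_SIZE)` here, or leave `(* TODO(proof): restore z-length and hash-input-size facts; PRF input must be exactly z ‖ c *)` so the gap is not forgotten. decapsulate continues outside this hunk.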
@@ -513,10 +430,6 @@ let decapsulate (sz 32) (to_hash <: t_Slice u8) in - let _:Prims.unit = - assert (implicit_rejection_shared_secret == Spec.Utils.v_PRF (sz 32) to_hash); - assert (Seq.length ind_cpa_public_key == v v_PUBLIC_KEY_SIZE) - in let expected_ciphertext:t_Array u8 v_CIPHERTEXT_SIZE = Libcrux_ml_kem.Ind_cpa.encrypt v_K v_CIPHERTEXT_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti index cc03d69ee..6c03c2e17 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cca.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cca -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -30,11 +30,7 @@ val validate_private_key {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey v_SECRET_KEY_SIZE) (v__ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ v_SECRET_KEY_SIZE == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) /// Serialize the secret key. val serialize_kem_secret_key 
@@ -42,19 +38,7 @@ val serialize_kem_secret_key (#v_Hasher: Type0) {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} (private_key public_key implicit_rejection_value: t_Slice u8) - : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) - (requires - Spec.MLKEM.is_rank v_K /\ v_SERIALIZED_KEY_LEN == Spec.MLKEM.v_CCA_PRIVATE_KEY_SIZE v_K /\ - Core.Slice.impl__len #u8 private_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - Core.Slice.impl__len #u8 public_key == Spec.MLKEM.v_CPA_PUBLIC_KEY_SIZE v_K /\ - Core.Slice.impl__len #u8 implicit_rejection_value == Spec.MLKEM.v_SHARED_SECRET_SIZE) - (ensures - fun result -> - let result:t_Array u8 v_SERIALIZED_KEY_LEN = result in - result == - Seq.append private_key - (Seq.append public_key (Seq.append (Spec.Utils.v_H public_key) implicit_rejection_value) - )) + : Prims.Pure (t_Array u8 v_SERIALIZED_KEY_LEN) Prims.l_True (fun _ -> Prims.l_True) val encapsulate (v_K v_CIPHERTEXT_SIZE v_PUBLIC_KEY_SIZE v_T_AS_NTT_ENCODED_SIZE v_C1_SIZE v_C2_SIZE v_VECTOR_U_COMPRESSION_FACTOR v_VECTOR_V_COMPRESSION_FACTOR v_C1_BLOCK_SIZE v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE: @@ -95,12 +79,7 @@ val validate_public_key (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (public_key: t_Array u8 v_PUBLIC_KEY_SIZE) - : Prims.Pure bool - (requires - Spec.MLKEM.is_rank v_K /\ - v_RANKED_BYTES_PER_RING_ELEMENT == Spec.MLKEM.v_RANKED_BYTES_PER_RING_ELEMENT v_K /\ - v_PUBLIC_KEY_SIZE == Spec.MLKEM.v_CCA_PUBLIC_KEY_SIZE v_K) - (fun _ -> Prims.l_True) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) /// Packed API /// Generate a key pair. diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti index b7e0c4efc..be39c3deb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.Unpacked.fsti 
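Review bot: serialize_kem_secret_key loses both its length preconditions (`Core.Slice.impl__len #u8 implicit_rejection_value == Spec.MLKEM.v_SHARED_SECRET_SIZE` and the two for the key slices) and the `ensures` that the result equals `private_key ‖ public_key ‖ H(public_key) ‖ implicit_rejection_value`. That ensures was the only place the secret-key wire layout was stated as a contract; without it nothing links generate_keypair's serialized output to the offsets decapsulate uses when it splits the private key, so either side can change without a proof failure. If the contract is being cut to get the WIP to typecheck, leave a marker on the val, e.g. `/// TODO(proof): restore ensures: result == sk_cpa ++ pk ++ H(pk) ++ z`. Whether the hax attributes were removed from the Rust source or the extraction merely lags it is not visible here.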
@@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cpa.Unpacked -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -40,7 +40,7 @@ let impl { f_secret_as_ntt = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K @@ -66,14 +66,14 @@ let impl_1 { f_t_as_ntt = - Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K; f_seed_for_A = Rust_primitives.Hax.repeat 0uy (sz 32); f_A = - Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl_2__ZERO + Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat (Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst index 29146d11c..8efd719f7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -28,7 +28,7 @@ let deserialize_secret_key v_K (fun temp_0_ -> let _:usize = temp_0_ in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in 
@@ -80,6 +80,92 @@ let deserialize_secret_key #pop-options +#push-options "--ext context_pruning" + +let deserialize_then_decompress_u + (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + = + let _:Prims.unit = + assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_U_COMPRESSION_FACTOR) /! + Rust_primitives.mk_usize 8) == + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K)) + in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + v_K + (fun temp_0_ -> + let _:usize = temp_0_ in + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! + v_U_COMPRESSION_FACTOR + <: + usize) /! + sz 8 + <: + usize) + (ciphertext <: t_Slice u8) + (fun u_as_ntt i -> + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + u_as_ntt + in + let i:usize = i in + forall (j: nat). 
+ j < v i ==> + j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) <= + v v_CIPHERTEXT_SIZE /\ + Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index u_as_ntt j) == + Spec.MLKEM.poly_ntt (Spec.MLKEM.byte_decode_then_decompress (v v_U_COMPRESSION_FACTOR) + (Seq.slice ciphertext + (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K)) + (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K))) + )) + u_as_ntt + (fun u_as_ntt temp_1_ -> + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + u_as_ntt + in + let i, u_bytes:(usize & t_Slice u8) = temp_1_ in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt + i + (Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR + #v_Vector + u_bytes + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt + i + (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR + #v_Vector + (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + in + u_as_ntt) + in + let _:Prims.unit = + Lib.Sequence.eq_intro #Spec.MLKEM.polynomial + #(v v_K) + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector u_as_ntt) + (let open Spec.MLKEM in + vector_ntt (decode_then_decompress_u #v_K + (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K))))) + in + u_as_ntt + +#pop-options + #push-options "--max_fuel 10 --z3rlimit 1000 --ext context_pruning --z3refresh --split_queries always" let sample_ring_element_cbd 
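Review bot: The chunked fold in deserialize_then_decompress_u runs over the whole `ciphertext` (length `v_CIPHERTEXT_SIZE`, which is c1 followed by c2) with chunk size `COEFFICIENTS_IN_RING_ELEMENT *! v_U_COMPRESSION_FACTOR /! sz 8`, yet every chunk index `i` is written into `u_as_ntt`, an array of only `v_K` elements. That stays in bounds only if the c2 tail is shorter than one u-block so exactly `v_K` full chunks are produced — the closing `eq_intro` against `decode_then_decompress_u (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K)))` silently depends on it, and the invariant bounds `j` only by `v i`, never by `v_K`. I would state the assumption next to the opening assert, e.g. `assert (v v_CIPHERTEXT_SIZE < (v v_K + 1) * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K))`, or have the Rust source fold over the c1 prefix only so extraction does not rely on a partial trailing chunk being dropped. Whether `fold_enumerated_chunked_slice` discards a short final chunk is not visible in this hunk.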
@@ -99,7 +185,7 @@ let sample_ring_element_cbd v_K (fun v__i -> let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -362,7 +448,7 @@ let sample_vector_cbd_then_ntt_out v_K (fun v__i -> let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in 
@@ -526,6 +612,65 @@ let generate_keypair_unpacked #pop-options +let decrypt_unpacked + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + = + let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialize_then_decompress_u v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR #v_Vector ciphertext + in + let v:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_v v_V_COMPRESSION_FACTOR + #v_Vector + (ciphertext.[ { Core.Ops.Range.f_start = v_VECTOR_U_ENCODED_SIZE } + <: + Core.Ops.Range.t_RangeFrom usize ] + <: + t_Slice u8) + in + let message:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Matrix.compute_message v_K + #v_Vector + v + secret_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt + u_as_ntt + in + Libcrux_ml_kem.Serialize.compress_then_serialize_message #v_Vector message + +let decrypt + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (secret_key: t_Slice u8) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + = + let _:Prims.unit = reveal_opaque (`%Spec.MLKEM.ind_cpa_decrypt) Spec.MLKEM.ind_cpa_decrypt in + let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = + deserialize_secret_key v_K #v_Vector secret_key + in + let secret_key_unpacked:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = + { Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = secret_as_ntt } + <: + 
Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector + in + decrypt_unpacked v_K + v_CIPHERTEXT_SIZE + v_VECTOR_U_ENCODED_SIZE + v_U_COMPRESSION_FACTOR + v_V_COMPRESSION_FACTOR + #v_Vector + secret_key_unpacked + ciphertext + #push-options "--z3rlimit 200 --ext context_pruning --z3refresh" let compress_then_serialize_u @@ -782,7 +927,8 @@ let encrypt unpacked_public_key with Libcrux_ml_kem.Ind_cpa.Unpacked.f_t_as_ntt = - Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_K + Libcrux_ml_kem.Serialize.deserialize_ring_elements_reduced v_T_AS_NTT_ENCODED_SIZE + v_K #v_Vector (public_key.[ { Core.Ops.Range.f_end = v_T_AS_NTT_ENCODED_SIZE } <: 
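Review bot: The new explicit `v_T_AS_NTT_ENCODED_SIZE` argument passed to `deserialize_ring_elements_reduced` inside `encrypt` repeats a length that the slice `public_key.[ { f_end = v_T_AS_NTT_ENCODED_SIZE } ]` already carries, and the updated `val` in `Libcrux_ml_kem.Serialize` is not in this chunk, so nothing visible ties the two together. This call parses a peer-supplied public key during encapsulation, so the Serialize `requires` should presumably pin both `v_T_AS_NTT_ENCODED_SIZE == Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K` and `v_T_AS_NTT_ENCODED_SIZE == length` of the slice, so that a mismatched instantiation fails at the call site rather than surfacing as an unprovable postcondition further down. Please confirm that is what the new signature states. `encrypt` begins before this hunk.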
@@ -824,151 +970,6 @@ let encrypt v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR v_BLOCK_LEN v_ETA1 v_ETA1_RANDOMNESS_SIZE v_ETA2 v_ETA2_RANDOMNESS_SIZE #v_Vector #v_Hasher unpacked_public_key message randomness -#push-options "--ext context_pruning" - -let deserialize_then_decompress_u - (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_U_COMPRESSION_FACTOR) /! - Rust_primitives.mk_usize 8) == - v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K)) - in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Core.Array.from_fn #(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - v_K - (fun temp_0_ -> - let _:usize = temp_0_ in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! - v_U_COMPRESSION_FACTOR - <: - usize) /! - sz 8 - <: - usize) - (ciphertext <: t_Slice u8) - (fun u_as_ntt i -> - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - u_as_ntt - in - let i:usize = i in - forall (j: nat). 
- j < v i ==> - j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) <= - v v_CIPHERTEXT_SIZE /\ - Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector (Seq.index u_as_ntt j) == - Spec.MLKEM.poly_ntt (Spec.MLKEM.byte_decode_then_decompress (v v_U_COMPRESSION_FACTOR) - (Seq.slice ciphertext - (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K)) - (j * v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K) + v (Spec.MLKEM.v_C1_BLOCK_SIZE v_K))) - )) - u_as_ntt - (fun u_as_ntt temp_1_ -> - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - u_as_ntt - in - let i, u_bytes:(usize & t_Slice u8) = temp_1_ in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt - i - (Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_u v_U_COMPRESSION_FACTOR - #v_Vector - u_bytes - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize u_as_ntt - i - (Libcrux_ml_kem.Ntt.ntt_vector_u v_U_COMPRESSION_FACTOR - #v_Vector - (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - in - u_as_ntt) - in - let _:Prims.unit = - Lib.Sequence.eq_intro #Spec.MLKEM.polynomial - #(v v_K) - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector u_as_ntt) - (let open Spec.MLKEM in - vector_ntt (decode_then_decompress_u #v_K - (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K))))) - in - u_as_ntt - -#pop-options - -let decrypt_unpacked - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (secret_key: 
Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - = - let u_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialize_then_decompress_u v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR #v_Vector ciphertext - in - let v:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Serialize.deserialize_then_decompress_ring_element_v v_V_COMPRESSION_FACTOR - #v_Vector - (ciphertext.[ { Core.Ops.Range.f_start = v_VECTOR_U_ENCODED_SIZE } - <: - Core.Ops.Range.t_RangeFrom usize ] - <: - t_Slice u8) - in - let message:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Matrix.compute_message v_K - #v_Vector - v - secret_key.Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt - u_as_ntt - in - Libcrux_ml_kem.Serialize.compress_then_serialize_message #v_Vector message - -let decrypt - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (secret_key: t_Slice u8) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - = - let _:Prims.unit = reveal_opaque (`%Spec.MLKEM.ind_cpa_decrypt) Spec.MLKEM.ind_cpa_decrypt in - let secret_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialize_secret_key v_K #v_Vector secret_key - in - let secret_key_unpacked:Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector = - { Libcrux_ml_kem.Ind_cpa.Unpacked.f_secret_as_ntt = secret_as_ntt } - <: - Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector - in - decrypt_unpacked v_K - v_CIPHERTEXT_SIZE - v_VECTOR_U_ENCODED_SIZE - v_U_COMPRESSION_FACTOR - v_V_COMPRESSION_FACTOR - #v_Vector - secret_key_unpacked - ciphertext - #push-options "--z3rlimit 200 --ext context_pruning --z3refresh" let serialize_secret_key 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti index 32c317b57..2881c5435 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ind_cpa.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ind_cpa -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -30,6 +30,24 @@ val deserialize_secret_key Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res == Spec.MLKEM.vector_decode_12 #v_K secret_key) +/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element +/// in the `ciphertext`. +val deserialize_then_decompress_u + (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) + (requires + Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K) + (ensures + fun res -> + let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in + Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res == + Spec.MLKEM.(vector_ntt (decode_then_decompress_u #v_K + (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K)))))) + /// Sample a vector of ring elements from a centered binomial distribution. val sample_ring_element_cbd (v_K v_ETA2_RANDOMNESS_SIZE v_ETA2: usize) 
@@ -188,6 +206,64 @@ val generate_keypair_unpacked .f_t_as_ntt i))) +/// This function implements Algorithm 14 of the +/// NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. +/// Algorithm 14 is reproduced below: +/// ```plaintext +/// Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. +/// Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. +/// Output: message m ∈ 𝔹^{32}. +/// c₁ ← c[0 : 32dᵤk] +/// c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] +/// u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) +/// v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) +/// ŝ ← ByteDecode₁₂(dkₚₖₑ) +/// w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) +/// m ← ByteEncode₁(Compress₁(w)) +/// return m +/// ``` +/// The NIST FIPS 203 standard can be found at +/// . +val decrypt_unpacked + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) + (requires + Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ + v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K) + (ensures + fun result -> + let result:t_Array u8 (sz 32) = result in + result == + Spec.MLKEM.ind_cpa_decrypt_unpacked v_K + ciphertext + (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector secret_key.f_secret_as_ntt)) + +val decrypt + (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: + usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (secret_key: t_Slice u8) + (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) + : Prims.Pure (t_Array u8 (sz 32)) + (requires + Spec.MLKEM.is_rank v_K /\ length secret_key == 
Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ + v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ + v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ + v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ + v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K) + (ensures + fun result -> + let result:t_Array u8 (sz 32) = result in + result == Spec.MLKEM.ind_cpa_decrypt v_K secret_key ciphertext) + /// Call [`compress_then_serialize_ring_element_u`] on each ring element. val compress_then_serialize_u (v_K v_OUT_LEN v_COMPRESSION_FACTOR v_BLOCK_LEN: usize) 
@@ -304,82 +380,6 @@ val encrypt let expected, valid = Spec.MLKEM.ind_cpa_encrypt v_K public_key message randomness in valid ==> result == expected) -/// Call [`deserialize_then_decompress_ring_element_u`] on each ring element -/// in the `ciphertext`. -val deserialize_then_decompress_u - (v_K v_CIPHERTEXT_SIZE v_U_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K) - (ensures - fun res -> - let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in - Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector res == - Spec.MLKEM.(vector_ntt (decode_then_decompress_u #v_K - (Seq.slice ciphertext 0 (v (Spec.MLKEM.v_C1_SIZE v_K)))))) - -/// This function implements Algorithm 14 of the -/// NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. -/// Algorithm 14 is reproduced below: -/// ```plaintext -/// Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. -/// Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. -/// Output: message m ∈ 𝔹^{32}. -/// c₁ ← c[0 : 32dᵤk] -/// c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] -/// u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) -/// v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) -/// ŝ ← ByteDecode₁₂(dkₚₖₑ) -/// w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) -/// m ← ByteEncode₁(Compress₁(w)) -/// return m -/// ``` -/// The NIST FIPS 203 standard can be found at -/// . 
-val decrypt_unpacked - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (secret_key: Libcrux_ml_kem.Ind_cpa.Unpacked.t_IndCpaPrivateKeyUnpacked v_K v_Vector) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K /\ - v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == - Spec.MLKEM.ind_cpa_decrypt_unpacked v_K - ciphertext - (Libcrux_ml_kem.Polynomial.to_spec_vector_t #v_K #v_Vector secret_key.f_secret_as_ntt)) - -val decrypt - (v_K v_CIPHERTEXT_SIZE v_VECTOR_U_ENCODED_SIZE v_U_COMPRESSION_FACTOR v_V_COMPRESSION_FACTOR: - usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (secret_key: t_Slice u8) - (ciphertext: t_Array u8 v_CIPHERTEXT_SIZE) - : Prims.Pure (t_Array u8 (sz 32)) - (requires - Spec.MLKEM.is_rank v_K /\ length secret_key == Spec.MLKEM.v_CPA_PRIVATE_KEY_SIZE v_K /\ - v_CIPHERTEXT_SIZE == Spec.MLKEM.v_CPA_CIPHERTEXT_SIZE v_K /\ - v_VECTOR_U_ENCODED_SIZE == Spec.MLKEM.v_C1_SIZE v_K /\ - v_U_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_U_COMPRESSION_FACTOR v_K /\ - v_V_COMPRESSION_FACTOR == Spec.MLKEM.v_VECTOR_V_COMPRESSION_FACTOR v_K) - (ensures - fun result -> - let result:t_Array u8 (sz 32) = result in - result == Spec.MLKEM.ind_cpa_decrypt v_K secret_key ciphertext) - /// Call [`serialize_uncompressed_ring_element`] for each ring element. val serialize_secret_key (v_K v_OUT_LEN: usize) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst index 7293e04c6..c8c456676 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Invert_ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -38,27 +38,15 @@ let invert_ntt_at_layer_1_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer: usize) = - let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_1) (invert_ntt_re_range_1 #v_Vector) in - let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #v_Vector) in - let v__zeta_i_init:usize = zeta_i in let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun temp_0_ round -> + (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - v zeta_i == v v__zeta_i_init - v round * 4 /\ - (v round < 16 ==> - (forall (i: nat). - (i >= v round /\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ - (forall (i: nat). - i < v round ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) + let _:usize = temp_1_ in + true) (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) (fun temp_0_ round -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = 
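Review bot: The fold invariant in `invert_ntt_at_layer_1_` is reduced to `true`, and the `reveal_opaque` calls for `invert_ntt_re_range_1` / `invert_ntt_re_range_2` are dropped, so the extraction no longer records that each coefficient vector is within `4 * 3328` going into `inv_ntt_layer_1_step` and within `3328` coming out, nor that `v zeta_i == v v__zeta_i_init - v round * 4`. Those facts were what justified the i16 butterfly arithmetic and the `zeta_i -! sz 3` index into `v_ZETAS_TIMES_MONTGOMERY_R` later in the same function; with a `true` invariant those obligations can only hold if the bounds are re-derived somewhere this diff does not show. Given the commit is titled "wip", this looks like a regenerated extraction whose Rust source temporarily lost its `hax_lib` loop-invariant annotations, but it should not land in this state: the previous invariant (the `v zeta_i == ...` conjunct plus the two `forall (i: nat)` range conjuncts over `re.f_coefficients`) needs to return on the Rust side so extraction reproduces it. The body of `invert_ntt_at_layer_1_` continues past this hunk.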
@@ -66,11 +54,6 @@ let invert_ntt_at_layer_1_ in let round:usize = round in let zeta_i:usize = zeta_i -! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { re with @@ -82,10 +65,19 @@ let invert_ntt_at_layer_1_ (Libcrux_ml_kem.Vector.Traits.f_inv_ntt_layer_1_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i -! sz 1 <: usize) <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i -! sz 2 <: usize) <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i -! sz 3 <: usize) <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize + ] + <: + i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 2 <: usize + ] + <: + i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 3 <: usize + ] + <: + i16) <: v_Vector) } @@ -93,15 +85,6 @@ let invert_ntt_at_layer_1_ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in let zeta_i:usize = zeta_i -! sz 3 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in 
@@ -116,26 +99,15 @@ let invert_ntt_at_layer_2_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer: usize) = - let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #v_Vector) in - let v__zeta_i_init:usize = zeta_i in let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun temp_0_ round -> + (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - v zeta_i == v v__zeta_i_init - v round * 2 /\ - (v round < 16 ==> - (forall (i: nat). - (i >= v round /\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ - (forall (i: nat). - i < v round ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) + let _:usize = temp_1_ in + true) (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) (fun temp_0_ round -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = @@ -143,11 +115,6 @@ let invert_ntt_at_layer_2_ in let round:usize = round in let zeta_i:usize = zeta_i -! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { re with 
@@ -159,8 +126,11 @@ let invert_ntt_at_layer_2_ (Libcrux_ml_kem.Vector.Traits.f_inv_ntt_layer_2_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i -! sz 1 <: usize) <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i -! sz 1 <: usize + ] + <: + i16) <: v_Vector) } @@ -168,15 +138,6 @@ let invert_ntt_at_layer_2_ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in let zeta_i:usize = zeta_i -! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in 
@@ -191,26 +152,15 @@ let invert_ntt_at_layer_3_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer: usize) = - let _:Prims.unit = reveal_opaque (`%invert_ntt_re_range_2) (invert_ntt_re_range_2 #v_Vector) in - let v__zeta_i_init:usize = zeta_i in let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun temp_0_ round -> + (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - v zeta_i == v v__zeta_i_init - v round /\ - (v round < 16 ==> - (forall (i: nat). - (i >= v round /\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ - (forall (i: nat). - i < v round ==> - Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) + let _:usize = temp_1_ in + true) (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) (fun temp_0_ round -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = @@ -218,11 +168,6 @@ let invert_ntt_at_layer_3_ in let round:usize = round in let zeta_i:usize = zeta_i -! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { re with 
@@ -234,29 +179,18 @@ let invert_ntt_at_layer_3_ (Libcrux_ml_kem.Vector.Traits.f_inv_ntt_layer_3_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) <: v_Vector) } <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) -#push-options "--admit_smt_queries true" - let invert_ntt_at_layer_4_plus (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -305,7 +239,7 @@ let invert_ntt_at_layer_4_plus (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j +! step_vec <: usize ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { @@ -340,8 +274,6 @@ let invert_ntt_at_layer_4_plus let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) -#pop-options - let invert_ntt_montgomery (v_K: usize) (#v_Vector: Type0) 
@@ -395,7 +327,7 @@ let invert_ntt_montgomery let _:Prims.unit = () in let hax_temp_output, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re + (), Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce #v_Vector re <: (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti index d83521180..ffe255831 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Invert_ntt.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Invert_ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -14,36 +14,7 @@ val inv_ntt_layer_int_vec_step_reduce {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (a b: v_Vector) (zeta_r: i16) - : Prims.Pure (v_Vector & v_Vector) - (requires - Spec.Utils.is_i16b 1664 zeta_r /\ - (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i))) /\ - (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array b) i))) /\ - Spec.Utils.is_i16b_array 28296 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (Libcrux_ml_kem.Vector.Traits.f_add a b))) - (fun _ -> Prims.l_True) - -[@@ "opaque_to_smt"] - let invert_ntt_re_range_1 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) - -[@@ "opaque_to_smt"] - let invert_ntt_re_range_2 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque 3328 - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) + : Prims.Pure (v_Vector & v_Vector) Prims.l_True (fun _ -> Prims.l_True) val invert_ntt_at_layer_1_ (#v_Vector: Type0) 
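Review bot: The `requires` of `inv_ntt_layer_int_vec_step_reduce` collapses to `Prims.l_True`, dropping `Spec.Utils.is_i16b 1664 zeta_r` and the two lane-wise `Spec.Utils.is_intb (pow2 15 - 1)` conditions on `a[i] - b[i]` and `a[i] + b[i]`. Those conditions were the no-wraparound guarantee for the i16 add/sub in the inverse-NTT butterfly; with the ensures also `l_True`, callers such as `invert_ntt_at_layer_4_plus` (also `l_True` in this diff) neither owe nor receive any range fact, and the removed `invert_ntt_re_range_1` / `invert_ntt_re_range_2` definitions were the only place those bounds were named. An i16 wraparound in the NTT does not trip a runtime check in a release build, so the proof is the only safeguard here. If the contracts are to be reintroduced via `hax_lib::requires` on the Rust side, keep at least `Spec.Utils.is_i16b 1664 zeta_r` and the `pow2 15 - 1` bounds on the lane sums and differences.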
@@ -52,14 +23,8 @@ val invert_ntt_at_layer_1_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v zeta_i == 128 /\ invert_ntt_re_range_1 re) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - invert_ntt_re_range_2 re_future /\ v zeta_i_future == 64) + Prims.l_True + (fun _ -> Prims.l_True) val invert_ntt_at_layer_2_ (#v_Vector: Type0) @@ -68,14 +33,8 @@ val invert_ntt_at_layer_2_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v zeta_i == 64 /\ invert_ntt_re_range_2 re) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - invert_ntt_re_range_2 re_future /\ v zeta_i_future == 32) + Prims.l_True + (fun _ -> Prims.l_True) val invert_ntt_at_layer_3_ (#v_Vector: Type0) @@ -84,14 +43,8 @@ val invert_ntt_at_layer_3_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v zeta_i == 32 /\ invert_ntt_re_range_2 re) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - invert_ntt_re_range_2 re_future /\ v zeta_i_future == 16) + Prims.l_True + (fun _ -> Prims.l_True) val invert_ntt_at_layer_4_plus (#v_Vector: Type0) 
@@ -100,7 +53,7 @@ val invert_ntt_at_layer_4_plus (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (layer: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v layer >= 4 /\ v layer <= 7) + Prims.l_True (fun _ -> Prims.l_True) val invert_ntt_montgomery @@ -109,5 +62,5 @@ val invert_ntt_montgomery {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires invert_ntt_re_range_1 re) + Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst index 0fe17e19e..737d106dc 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Matrix -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -132,9 +132,7 @@ let sample_matrix_A in v_A_transpose)) in - let result:Prims.unit = () <: Prims.unit in - let _:Prims.unit = admit () (* Panic freedom *) in - let hax_temp_output:Prims.unit = result in + let hax_temp_output:Prims.unit = () <: Prims.unit in v_A_transpose let compute_As_plus_e @@ -171,7 +169,7 @@ let compute_As_plus_e let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt i - (Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + (Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in 
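Review bot: `invert_ntt_at_layer_4_plus` loses `requires v layer >= 4 /\ v layer <= 7` and `invert_ntt_montgomery` loses `requires invert_ntt_re_range_1 re`, both replaced by `Prims.l_True`. The `layer` bound is what kept the derived step size and the `j +! step_vec` index into `re.f_coefficients` (visible in the corresponding `.fst` hunk) inside the 16-entry array; with no precondition a caller may pass any `layer`, and the in-bounds obligation in the body cannot be discharged from the contract alone. At minimum restore `(requires v layer >= 4 /\ v layer <= 7)` on `invert_ntt_at_layer_4_plus`, and give `invert_ntt_montgomery` a precondition naming the coefficient range its layers assume, since `compute_message` in Matrix.fst (also in this diff) calls it on ciphertext-derived input.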
@@ -197,7 +195,7 @@ let compute_As_plus_e temp_1_ in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector matrix_element (s_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -205,7 +203,7 @@ let compute_As_plus_e v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt i - (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector + (Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector v_K (tt_as_ntt.[ i ] <: @@ -219,7 +217,7 @@ let compute_As_plus_e let tt_as_ntt:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize tt_as_ntt i - (Libcrux_ml_kem.Polynomial.impl_2__add_standard_error_reduce #v_Vector + (Libcrux_ml_kem.Polynomial.impl__add_standard_error_reduce #v_Vector (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (error_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: @@ -232,8 +230,6 @@ let compute_As_plus_e let hax_temp_output:Prims.unit = result in tt_as_ntt -#push-options "--admit_smt_queries true" - let compute_message (v_K: usize) (#v_Vector: Type0) @@ -245,7 +241,7 @@ let compute_message t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) = let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) 
@@ -259,12 +255,12 @@ let compute_message let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in let i:usize = i in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector (secret_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (u_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K result product + Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector v_K result product in result) in @@ -272,14 +268,10 @@ let compute_message Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__subtract_reduce #v_Vector v result + Libcrux_ml_kem.Polynomial.impl__subtract_reduce #v_Vector v result in result -#pop-options - -#push-options "--admit_smt_queries true" - let compute_ring_element_v (v_K: usize) (#v_Vector: Type0) @@ -290,7 +282,7 @@ let compute_ring_element_v (error_2_ message: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) 
@@ -304,12 +296,12 @@ let compute_ring_element_v let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in let i:usize = i in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector (tt_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (r_as_ntt.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector v_K result product + Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector v_K result product in result) in @@ -317,14 +309,10 @@ let compute_ring_element_v Libcrux_ml_kem.Invert_ntt.invert_ntt_montgomery v_K #v_Vector result in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__add_message_error_reduce #v_Vector error_2_ message result + Libcrux_ml_kem.Polynomial.impl__add_message_error_reduce #v_Vector error_2_ message result in result -#pop-options - -#push-options "--admit_smt_queries true" - let compute_vector_u (v_K: usize) (#v_Vector: Type0) @@ -340,7 +328,7 @@ let compute_vector_u v_K (fun v__i -> let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in @@ -385,7 +373,7 @@ let compute_vector_u temp_1_ in let product:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ntt_multiply #v_Vector + Libcrux_ml_kem.Polynomial.impl__ntt_multiply #v_Vector a_element (r_as_ntt.[ j ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in 
@@ -393,7 +381,7 @@ let compute_vector_u v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i - (Libcrux_ml_kem.Polynomial.impl_2__add_to_ring_element #v_Vector + (Libcrux_ml_kem.Polynomial.impl__add_to_ring_element #v_Vector v_K (result.[ i ] <: @@ -416,7 +404,7 @@ let compute_vector_u let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result i - (Libcrux_ml_kem.Polynomial.impl_2__add_error_reduce #v_Vector + (Libcrux_ml_kem.Polynomial.impl__add_error_reduce #v_Vector (result.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (error_1_.[ i ] <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) <: @@ -425,5 +413,3 @@ let compute_vector_u result) in result - -#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti index 7c0e78e63..5d7fa10d5 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Matrix.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Matrix -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -21,20 +21,8 @@ val sample_matrix_A (transpose: bool) : Prims.Pure (t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun v_A_transpose_future -> - let v_A_transpose_future:t_Array - (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K = - v_A_transpose_future - in - let matrix_A, valid = Spec.MLKEM.sample_matrix_A_ntt (Seq.slice seed 0 32) in - valid ==> - (if transpose - then Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == matrix_A - else - Libcrux_ml_kem.Polynomial.to_spec_matrix_t v_A_transpose_future == - Spec.MLKEM.matrix_transpose matrix_A)) + Prims.l_True + (fun _ -> Prims.l_True) /// Compute  ◦ ŝ + ê val compute_As_plus_e @@ -76,20 +64,10 @@ val compute_message (secret_as_ntt u_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun res -> - let res:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = res in - let open Libcrux_ml_kem.Polynomial in - let secret_spec = to_spec_vector_t secret_as_ntt in - let u_spec = to_spec_vector_t u_as_ntt in - let v_spec = to_spec_poly_t v in - to_spec_poly_t res == - Spec.MLKEM.(poly_sub v_spec - (poly_inv_ntt (vector_dot_product_ntt #v_K secret_spec u_spec))) /\ - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range res) + Prims.l_True + (fun _ -> Prims.l_True) -/// Compute InverseNTT(tᵀ ◦ r\u{302}) + e₂ + message +/// Compute InverseNTT(tᵀ ◦ r̂) + e₂ + message val compute_ring_element_v (v_K: usize) (#v_Vector: Type0) 
@@ -97,21 +75,10 @@ val compute_ring_element_v (tt_as_ntt r_as_ntt: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) (error_2_ message: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun res -> - let res:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = res in - let open Libcrux_ml_kem.Polynomial in - let tt_spec = to_spec_vector_t tt_as_ntt in - let r_spec = to_spec_vector_t r_as_ntt in - let e2_spec = to_spec_poly_t error_2_ in - let m_spec = to_spec_poly_t message in - let res_spec = to_spec_poly_t res in - res_spec == - Spec.MLKEM.(poly_add (poly_add (vector_dot_product_ntt #v_K tt_spec r_spec) e2_spec) - m_spec) /\ Libcrux_ml_kem.Serialize.coefficients_field_modulus_range res) + Prims.l_True + (fun _ -> Prims.l_True) -/// Compute u := InvertNTT(Aᵀ ◦ r\u{302}) + e₁ +/// Compute u := InvertNTT(Aᵀ ◦ r̂) + e₁ val compute_vector_u (v_K: usize) (#v_Vector: Type0) @@ -120,17 +87,5 @@ val compute_vector_u t_Array (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) v_K) (r_as_ntt error_1_: t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires Spec.MLKEM.is_rank v_K) - (ensures - fun res -> - let res:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = res in - let open Libcrux_ml_kem.Polynomial in - let a_spec = to_spec_matrix_t a_as_ntt in - let r_spec = to_spec_vector_t r_as_ntt in - let e_spec = to_spec_vector_t error_1_ in - let res_spec = to_spec_vector_t res in - res_spec == - Spec.MLKEM.(vector_add (vector_inv_ntt (matrix_vector_mul_ntt a_spec r_spec)) e_spec) /\ - (forall (i: nat). - i < v v_K ==> - Libcrux_ml_kem.Serialize.coefficients_field_modulus_range (Seq.index res i))) + Prims.l_True + (fun _ -> Prims.l_True) 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst index ca698a11d..535743eee 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fst @@ -8,24 +8,9 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in () -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) - (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let init_public_key (_: Prims.unit) = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - #FStar.Tactics.Typeclasses.solve - () - let serialized_public_key (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) @@ -33,7 +18,7 @@ let serialized_public_key (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 4) + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 4) #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector (sz 1536) (sz 1568) 
@@ -42,29 +27,6 @@ let serialized_public_key in serialized -let unpacked_public_key - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - = - let hax_temp_output, unpacked_public_key:(Prims.unit & - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = - (), - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 4) - (sz 1536) - (sz 1536) - (sz 1568) - public_key - unpacked_public_key - <: - (Prims.unit & - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - in - unpacked_public_key - let decapsulate (private_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) @@ -75,6 +37,16 @@ let decapsulate (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) private_key ciphertext +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + let generate_key_pair (randomness: t_Array u8 (sz 64)) (key_pair: 
@@ -106,3 +78,32 @@ let init_key_pair (_: Prims.unit) = Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) #FStar.Tactics.Typeclasses.solve () + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 4) + (sz 1536) + (sz 1536) + (sz 1568) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti index 98114aa20..e456bc52c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.Unpacked.fsti 
@@ -8,8 +8,30 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in () +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 1024 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] +/// and an [`MlKem1024Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) 
@@ -32,43 +54,6 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Create a new, empty unpacked public key. -val init_public_key: Prims.unit - -> Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) - -/// Get the serialized public key. -val serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Get the unpacked public key. -val unpacked_public_key - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 1024 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] -/// and an [`MlKem1024Ciphertext`]. -val decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - /// Generate ML-KEM 1024 Key Pair in "unpacked" form val generate_key_pair (randomness: t_Array u8 (sz 64)) 
@@ -84,3 +69,19 @@ val init_key_pair: Prims.unit -> Prims.Pure (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst index 1ed6cc3c1..7080765e4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti index 4f57bcb17..f8995e737 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Avx2.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst index 3b74c3b27..f4da0ce27 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fst @@ -8,24 +8,9 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Traits in () -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) - (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let init_public_key (_: Prims.unit) = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - #FStar.Tactics.Typeclasses.solve - () - let serialized_public_key (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) @@ -33,7 +18,7 @@ let serialized_public_key (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 4) + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 4) #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector (sz 1536) (sz 1568) 
@@ -42,29 +27,6 @@ let serialized_public_key in serialized -let unpacked_public_key - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - = - let hax_temp_output, unpacked_public_key:(Prims.unit & - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - (), - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 4) - (sz 1536) - (sz 1536) - (sz 1568) - public_key - unpacked_public_key - <: - (Prims.unit & - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - in - unpacked_public_key - let decapsulate (private_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) @@ -75,6 +37,16 @@ let decapsulate (sz 1568) (sz 1568) (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) private_key ciphertext +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + let generate_key_pair (randomness: t_Array u8 (sz 64)) (key_pair: 
@@ -106,3 +78,32 @@ let init_key_pair (_: Prims.unit) = Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) #FStar.Tactics.Typeclasses.solve () + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 4) + (sz 1536) + (sz 1536) + (sz 1568) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + unpacked_public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti index 46f643f14..c98c5408d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.Unpacked.fsti 
@@ -8,8 +8,30 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Traits in () +/// Get the serialized public key. +val serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Decapsulate ML-KEM 1024 (unpacked) +/// Generates an [`MlKemSharedSecret`]. +/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] +/// and an [`MlKem1024Ciphertext`]. +val decapsulate + (private_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) + let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) 
@@ -32,47 +54,6 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Create a new, empty unpacked public key. -val init_public_key: Prims.unit - -> Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Get the serialized public key. -val serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Get the unpacked public key. -val unpacked_public_key - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Decapsulate ML-KEM 1024 (unpacked) -/// Generates an [`MlKemSharedSecret`]. -/// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] -/// and an [`MlKem1024Ciphertext`]. -val decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) - /// Generate ML-KEM 1024 Key Pair in "unpacked" form val generate_key_pair (randomness: t_Array u8 (sz 64)) 
@@ -92,3 +73,23 @@ val init_key_pair: Prims.unit Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst index 8cab7c870..a7bb1aed1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti index d71f032a7..19fcf2a03 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst index b77d33651..c2a95d58f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fst @@ -8,17 +8,14 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in () -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) - (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () let init_public_key (_: Prims.unit) = Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) 
@@ -26,22 +23,6 @@ let init_public_key (_: Prims.unit) = #FStar.Tactics.Typeclasses.solve () -let serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - = - let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 4) - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (sz 1536) - (sz 1568) - public_key - serialized - in - serialized - let unpacked_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) (unpacked_public_key: @@ -65,6 +46,32 @@ let unpacked_public_key in unpacked_public_key +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 4) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + = + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 4) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 1536) + (sz 1568) + public_key + serialized + in + serialized + let decapsulate (private_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) 
@@ -100,9 +107,3 @@ let generate_key_pair Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in key_pair - -let init_key_pair (_: Prims.unit) = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - #FStar.Tactics.Typeclasses.solve - () diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti index fdc651118..d1678d7e7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.Unpacked.fsti 
@@ -8,8 +8,37 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in () +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) @@ -32,14 +61,6 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Create a new, empty unpacked public key. -val init_public_key: Prims.unit - -> Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) - /// Get the serialized public key. val serialized_public_key (public_key: 
@@ -50,18 +71,6 @@ val serialized_public_key Prims.l_True (fun _ -> Prims.l_True) -/// Get the unpacked public key. -val unpacked_public_key - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 1024 (unpacked) /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an unpacked key pair of type [`MlKem1024KeyPairUnpacked`] @@ -84,11 +93,3 @@ val generate_key_pair Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) Prims.l_True (fun _ -> Prims.l_True) - -/// Create a new, empty unpacked key. -val init_key_pair: Prims.unit - -> Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 4) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst index 60a05dcc1..326b30645 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
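Review bot: The `#set-options` hunk at the end of this span lowers the proof budget from `--z3rlimit 100` to `--z3rlimit 15` for `Libcrux_ml_kem.Mlkem1024.Portable`, and the same 100 → 15 change repeats in the sibling `.fst`/`.fsti` hunks for Mlkem1024.Portable, Mlkem1024, Mlkem512.Avx2 and Mlkem512.Neon further down. Nothing in the hunks shows that these modules still verify at the smaller budget, and the uniform reset to 15 looks like a re-extraction overwriting a hand-raised limit rather than a deliberate tightening. Before landing, a full F* verification run of the extracted modules at 15 should be confirmed; if any definition needs the old budget, scope it locally with `#push-options "--z3rlimit 100"` / `#pop-options` around that definition rather than the whole module. A one-line comment on the option line, `(* rlimit reset by extraction; all proofs in this module verify at 15 *)`, would record that the drop was checked.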
@@ -13,6 +13,12 @@ let validate_private_key private_key ciphertext +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4) + (sz 1536) + (sz 1568) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) @@ -37,9 +43,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 2) (sz 128) randomness - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 4) - (sz 1536) - (sz 1568) - public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti index 9ce6a597e..4ba09a9a9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.Portable.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -10,6 +10,11 @@ val validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 1024 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem1024PrivateKey`] and an [`MlKem1024Ciphertext`]. 
@@ -34,8 +39,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) Prims.l_True (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst index c06297797..6137197ca 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -23,35 +23,23 @@ let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) = - let result:t_Array u8 (sz 32) = - Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568) - (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) - private_key ciphertext - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 4) (sz 3168) (sz 1536) (sz 1568) (sz 1568) + (sz 1536) (sz 1408) (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1600) + private_key ciphertext let encapsulate (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1568)) (randomness: t_Array u8 (sz 32)) = - let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) = - Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408) - (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 4) (sz 1568) (sz 1568) (sz 1536) (sz 1408) + (sz 160) (sz 11) (sz 5) (sz 352) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness let generate_key_pair (randomness: t_Array u8 (sz 64)) = - let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) = - Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 4) - (sz 1536) - (sz 3168) - (sz 1568) - (sz 1536) - (sz 2) - (sz 128) - randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 4) + (sz 1536) + (sz 3168) + (sz 1568) + (sz 1536) + (sz 2) + (sz 128) + randomness 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti index fa7a134dd..e62e15b56 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem1024.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem1024 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -80,15 +80,7 @@ val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1 val decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 3168)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568)) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun res -> - let res:t_Array u8 (sz 32) = res in - let shared_secret, valid = - Spec.MLKEM.Instances.mlkem1024_decapsulate private_key.f_value ciphertext.f_value - in - valid ==> res == shared_secret) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) /// Encapsulate ML-KEM 1024 /// Generates an ([`MlKem1024Ciphertext`], [`MlKemSharedSecret`]) tuple. @@ -99,14 +91,7 @@ val encapsulate (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) Prims.l_True - (ensures - fun res -> - let res:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1568) & t_Array u8 (sz 32)) = res in - let (ciphertext, shared_secret), valid = - Spec.MLKEM.Instances.mlkem1024_encapsulate public_key.f_value randomness - in - let res_ciphertext, res_shared_secret = res in - valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)) + (fun _ -> Prims.l_True) /// Generate ML-KEM 1024 Key Pair /// Generate an ML-KEM key pair. The input is a byte array of size 
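Review bot: The `decapsulate` and `encapsulate` hunks here replace the `ensures` clauses that related the results to `Spec.MLKEM.Instances.mlkem1024_decapsulate` / `mlkem1024_encapsulate` with `(fun _ -> Prims.l_True)`, and the `generate_key_pair` hunk that follows does the same for `mlkem1024_generate_keypair`; after this change the interface no longer states any functional-correctness property for ML-KEM 1024. Together with the matching `.fst` hunk above, which drops the `admit () (* Panic freedom *)` bindings, the module now verifies trivially because there is nothing left to prove, not because the obligations were discharged. If the re-extraction overwrote annotations that live outside these files, the postconditions should be restored (presumably at the Rust source that hax extracts from) before this lands, so that the verified claim for the packed API is not silently weakened. Until then, mark the gap on each `val` with `(* TODO(review): spec-equivalence postcondition dropped by re-extraction; restore before release *)` so the regression is visible to anyone reading the interface.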
@@ -115,10 +100,4 @@ val encapsulate val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568)) Prims.l_True - (ensures - fun res -> - let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 3168) (sz 1568) = res in - let (secret_key, public_key), valid = - Spec.MLKEM.Instances.mlkem1024_generate_keypair randomness - in - valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst index 6fc3cda34..c2dec7172 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fst @@ -8,23 +8,9 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in () -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) - (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness - -let init_public_key (_: Prims.unit) = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - #FStar.Tactics.Typeclasses.solve - () - let serialized_public_key (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) 
@@ -33,7 +19,7 @@ let serialized_public_key = let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = (), - Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 2) + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 2) #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector (sz 768) (sz 800) @@ -44,29 +30,6 @@ let serialized_public_key in serialized -let unpacked_public_key - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - = - let hax_temp_output, unpacked_public_key:(Prims.unit & - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = - (), - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 2) - (sz 768) - (sz 768) - (sz 800) - public_key - unpacked_public_key - <: - (Prims.unit & - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - in - unpacked_public_key - let decapsulate (private_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) @@ -77,6 +40,15 @@ let decapsulate (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) private_key ciphertext +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) + (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + let generate_key_pair (randomness: t_Array u8 (sz 64)) (key_pair: 
@@ -102,3 +74,32 @@ let init_key_pair (_: Prims.unit) = Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) #FStar.Tactics.Typeclasses.solve () + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 2) + (sz 768) + (sz 768) + (sz 800) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti index cd0cb965f..d5042edbf 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.Unpacked.fsti 
@@ -8,34 +8,9 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in () -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 512 (unpacked) -/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Create a new, empty unpacked public key. -val init_public_key: Prims.unit - -> Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) - /// Get the serialized public key. val serialized_public_key (public_key: 
@@ -46,16 +21,6 @@ val serialized_public_key Prims.l_True (fun _ -> Prims.l_True) -/// Get the unpacked public key. -val unpacked_public_key - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 512 (unpacked) /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] @@ -67,6 +32,26 @@ val decapsulate (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 512 (unpacked) +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + /// Generate ML-KEM 512 Key Pair in "unpacked" form val generate_key_pair (randomness: t_Array u8 (sz 64)) 
@@ -82,3 +67,19 @@ val init_key_pair: Prims.unit -> Prims.Pure (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst index d84c15890..fb044bdcf 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti index 79530147b..fffe20cdb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Avx2.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst index 273041027..cb844f8f7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fst @@ -8,23 +8,9 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Traits in () -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) - (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness - -let init_public_key (_: Prims.unit) = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - #FStar.Tactics.Typeclasses.solve - () - let serialized_public_key (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) @@ -33,7 +19,7 @@ let serialized_public_key = let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = (), - Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 2) + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 2) #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector (sz 768) (sz 800) 
@@ -44,29 +30,6 @@ let serialized_public_key in serialized -let unpacked_public_key - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - = - let hax_temp_output, unpacked_public_key:(Prims.unit & - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - (), - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 2) - (sz 768) - (sz 768) - (sz 800) - public_key - unpacked_public_key - <: - (Prims.unit & - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - in - unpacked_public_key - let decapsulate (private_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) @@ -77,6 +40,15 @@ let decapsulate (sz 768) (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) private_key ciphertext +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) + (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness + let generate_key_pair (randomness: t_Array u8 (sz 64)) (key_pair: 
@@ -102,3 +74,32 @@ let init_key_pair (_: Prims.unit) = Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) #FStar.Tactics.Typeclasses.solve () + +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 2) + (sz 768) + (sz 768) + (sz 800) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + unpacked_public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti index 40ecdcc8d..a4993e55e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.Unpacked.fsti 
@@ -8,36 +8,9 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Neon in + let open Libcrux_ml_kem.Vector.Traits in () -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 512 (unpacked) -/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Create a new, empty unpacked public key. -val init_public_key: Prims.unit - -> Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) - /// Get the serialized public key. val serialized_public_key (public_key: 
@@ -48,18 +21,6 @@ val serialized_public_key Prims.l_True (fun _ -> Prims.l_True) -/// Get the unpacked public key. -val unpacked_public_key - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 512 (unpacked) /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] @@ -71,6 +32,26 @@ val decapsulate (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 512 (unpacked) +/// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem512PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + /// Generate ML-KEM 512 Key Pair in "unpacked" form val generate_key_pair (randomness: t_Array u8 (sz 64)) 
@@ -90,3 +71,23 @@ val init_key_pair: Prims.unit Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst index 58b2f0dc4..d05e003a6 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti index 3d846ac51..978e3f095 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst index 54eb129c9..617b0c6a8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fst @@ -8,17 +8,14 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in () -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) - (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key - randomness +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () let init_public_key (_: Prims.unit) = Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) 
@@ -26,25 +23,6 @@ let init_public_key (_: Prims.unit) = #FStar.Tactics.Typeclasses.solve () -let serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - = - let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - (), - Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 2) - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (sz 768) - (sz 800) - public_key - serialized - <: - (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - in - serialized - let unpacked_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) (unpacked_public_key: @@ -68,6 +46,35 @@ let unpacked_public_key in unpacked_public_key +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 2) (sz 768) (sz 800) + (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key + randomness + +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + = + let hax_temp_output, serialized:(Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + (), + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 2) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + (sz 768) + (sz 800) + public_key + serialized + <: + (Prims.unit & Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + in + serialized + let decapsulate (private_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) 
@@ -97,9 +104,3 @@ let generate_key_pair key_pair in key_pair - -let init_key_pair (_: Prims.unit) = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - #FStar.Tactics.Typeclasses.solve - () diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti index 2aee55d13..0b4b731fb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.Unpacked.fsti 
@@ -8,8 +8,37 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Traits in () +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) @@ -30,14 +59,6 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Create a new, empty unpacked public key. -val init_public_key: Prims.unit - -> Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) - /// Get the serialized public key. val serialized_public_key (public_key: 
@@ -48,18 +69,6 @@ val serialized_public_key Prims.l_True (fun _ -> Prims.l_True) -/// Get the unpacked public key. -val unpacked_public_key - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 512 (unpacked) /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an unpacked key pair of type [`MlKem512KeyPairUnpacked`] @@ -82,11 +91,3 @@ val generate_key_pair Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) Prims.l_True (fun _ -> Prims.l_True) - -/// Create a new, empty unpacked key. -val init_key_pair: Prims.unit - -> Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 2) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst index 97dccb937..47ebe2fe6 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -13,6 +13,12 @@ let validate_private_key private_key ciphertext +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2) + (sz 768) + (sz 800) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) @@ -37,9 +43,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 3) (sz 192) randomness - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 2) - (sz 768) - (sz 800) - public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti index eee7fb43d..277ef3588 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.Portable.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -10,6 +10,11 @@ val validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 512 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem512PrivateKey`] and an [`MlKem512Ciphertext`]. 
@@ -34,8 +39,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) Prims.l_True (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst index db5293cf8..4898aaa26 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem512 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -23,35 +23,23 @@ let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) = - let result:t_Array u8 (sz 32) = - Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) - (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) - private_key ciphertext - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 2) (sz 1632) (sz 768) (sz 800) (sz 768) + (sz 768) (sz 640) (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) (sz 800) + private_key ciphertext let encapsulate (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 800)) (randomness: t_Array u8 (sz 32)) = - let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) = - Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) - (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 2) (sz 768) (sz 800) (sz 768) (sz 640) + (sz 128) (sz 10) (sz 4) (sz 320) (sz 3) (sz 192) (sz 2) (sz 128) public_key randomness let generate_key_pair (randomness: t_Array u8 (sz 64)) = - let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = - Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 2) - (sz 768) - (sz 1632) - (sz 800) - (sz 768) - (sz 3) - (sz 192) - randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 2) + (sz 768) + (sz 1632) + (sz 800) + (sz 768) + (sz 3) + (sz 192) + randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti index 40a174dcb..9031c5873 100644 
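Review bot: Removing `let _:Prims.unit = admit () (* Panic freedom *)` from `decapsulate`, `encapsulate` and `generate_key_pair` in this hunk does not discharge the panic-freedom obligation; it only becomes unnecessary because the companion hunks in Libcrux_ml_kem.Mlkem512.fsti (`@@ -55,15 +80,7 @@`, `@@ -74,14 +91,7 @@`, `@@ -90,10 +100,4 @@`) replace the `ensures` clauses that related each function to `Spec.MLKEM.Instances.mlkem512_decapsulate`, `mlkem512_encapsulate` and `mlkem512_generate_keypair` with `(fun _ -> Prims.l_True)`, so the interface now states nothing about functional correctness of the ML-KEM 512 API against the spec. These files are hax extraction output, so the postconditions presumably originate from annotations in the Rust source and should be restored there rather than hand-edited here; the `wip` title suggests this is temporary, but the series should not land with trivial postconditions on the top-level API. The `--z3rlimit 100` to `15` reduction in the module headers of these and the other files in this patch likely only verifies because of the weakened contracts and will need to be revisited when they come back.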
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem512.fsti
@@ -1,41 +1,66 @@ module Libcrux_ml_kem.Mlkem512 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let v_C1_BLOCK_SIZE_512_: usize = sz 320 +let v_ETA1: usize = sz 3 -let v_C1_SIZE_512_: usize = sz 640 +let v_ETA1_RANDOMNESS_SIZE: usize = v_ETA1 *! sz 64 -let v_C2_SIZE_512_: usize = sz 128 +let v_ETA2: usize = sz 2 -let v_CPA_PKE_CIPHERTEXT_SIZE_512_: usize = sz 768 +let v_ETA2_RANDOMNESS_SIZE: usize = v_ETA2 *! sz 64 -let v_CPA_PKE_PUBLIC_KEY_SIZE_512_: usize = sz 800 +let v_RANK_512_: usize = sz 2 -let v_CPA_PKE_SECRET_KEY_SIZE_512_: usize = sz 768 +let v_CPA_PKE_SECRET_KEY_SIZE_512_: usize = + ((v_RANK_512_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! + Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT + <: + usize) /! + sz 8 -let v_ETA1: usize = sz 3 +let v_RANKED_BYTES_PER_RING_ELEMENT_512_: usize = + (v_RANK_512_ *! Libcrux_ml_kem.Constants.v_BITS_PER_RING_ELEMENT <: usize) /! sz 8 -let v_ETA1_RANDOMNESS_SIZE: usize = sz 192 +let v_T_AS_NTT_ENCODED_SIZE_512_: usize = + ((v_RANK_512_ *! Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT <: usize) *! + Libcrux_ml_kem.Constants.v_BITS_PER_COEFFICIENT + <: + usize) /! + sz 8 -let v_ETA2: usize = sz 2 +let v_CPA_PKE_PUBLIC_KEY_SIZE_512_: usize = v_T_AS_NTT_ENCODED_SIZE_512_ +! sz 32 -let v_ETA2_RANDOMNESS_SIZE: usize = sz 128 +let v_SECRET_KEY_SIZE_512_: usize = + ((v_CPA_PKE_SECRET_KEY_SIZE_512_ +! v_CPA_PKE_PUBLIC_KEY_SIZE_512_ <: usize) +! + Libcrux_ml_kem.Constants.v_H_DIGEST_SIZE + <: + usize) +! + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE -let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = sz 800 +let v_VECTOR_U_COMPRESSION_FACTOR_512_: usize = sz 10 -let v_RANKED_BYTES_PER_RING_ELEMENT_512_: usize = sz 768 +let v_C1_BLOCK_SIZE_512_: usize = + (Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_VECTOR_U_COMPRESSION_FACTOR_512_ + <: + usize) /! 
+ sz 8 -let v_RANK_512_: usize = sz 2 +let v_C1_SIZE_512_: usize = v_C1_BLOCK_SIZE_512_ *! v_RANK_512_ -let v_SECRET_KEY_SIZE_512_: usize = sz 1632 +let v_VECTOR_V_COMPRESSION_FACTOR_512_: usize = sz 4 -let v_T_AS_NTT_ENCODED_SIZE_512_: usize = sz 768 +let v_C2_SIZE_512_: usize = + (Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! v_VECTOR_V_COMPRESSION_FACTOR_512_ + <: + usize) /! + sz 8 -let v_VECTOR_U_COMPRESSION_FACTOR_512_: usize = sz 10 +let v_CPA_PKE_CIPHERTEXT_SIZE_512_: usize = v_C1_SIZE_512_ +! v_C2_SIZE_512_ -let v_VECTOR_V_COMPRESSION_FACTOR_512_: usize = sz 4 +let v_IMPLICIT_REJECTION_HASH_INPUT_SIZE: usize = + Libcrux_ml_kem.Constants.v_SHARED_SECRET_SIZE +! v_CPA_PKE_CIPHERTEXT_SIZE_512_ /// Validate a private key. /// Returns `true` if valid, and `false` otherwise. @@ -55,15 +80,7 @@ val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 8 val decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 1632)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768)) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun res -> - let res:t_Array u8 (sz 32) = res in - let shared_secret, valid = - Spec.MLKEM.Instances.mlkem512_decapsulate private_key.f_value ciphertext.f_value - in - valid ==> res == shared_secret) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) /// Encapsulate ML-KEM 512 /// Generates an ([`MlKem512Ciphertext`], [`MlKemSharedSecret`]) tuple. 
@@ -74,14 +91,7 @@ val encapsulate (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) Prims.l_True - (ensures - fun res -> - let res:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 768) & t_Array u8 (sz 32)) = res in - let (ciphertext, shared_secret), valid = - Spec.MLKEM.Instances.mlkem512_encapsulate public_key.f_value randomness - in - let res_ciphertext, res_shared_secret = res in - valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)) + (fun _ -> Prims.l_True) /// Generate ML-KEM 512 Key Pair /// The input is a byte array of size @@ -90,10 +100,4 @@ val encapsulate val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800)) Prims.l_True - (ensures - fun res -> - let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 1632) (sz 800) = res in - let (secret_key, public_key), valid = - Spec.MLKEM.Instances.mlkem512_generate_keypair randomness - in - valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst index 1a75cf7bf..7e0ebd6ca 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fst 
@@ -8,62 +8,40 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in () -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) - (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let init_public_key (_: Prims.unit) = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - #FStar.Tactics.Typeclasses.solve - () - -let serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) +let key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 3) + Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 3) #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector (sz 1152) (sz 1184) - public_key + key_pair serialized in serialized -let unpacked_public_key - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - (unpacked_public_key: +let serialized_public_key + (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - let hax_temp_output, unpacked_public_key:(Prims.unit & - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = - (), - 
Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 3) - (sz 1152) + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector (sz 1152) (sz 1184) public_key - unpacked_public_key - <: - (Prims.unit & - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + serialized in - unpacked_public_key + serialized let decapsulate (private_key: @@ -75,6 +53,16 @@ let decapsulate (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) private_key ciphertext +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + let generate_key_pair (randomness: t_Array u8 (sz 64)) (key_pair: @@ -101,21 +89,11 @@ let init_key_pair (_: Prims.unit) = #FStar.Tactics.Typeclasses.solve () -let key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - = - let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 3) - #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector - (sz 1152) - (sz 1184) - key_pair - serialized - in - serialized +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + #FStar.Tactics.Typeclasses.solve + () let public_key (key_pair: 
@@ -130,7 +108,7 @@ let public_key Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__public_key (sz 3) + (Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__public_key (sz 3) #Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector key_pair <: @@ -138,3 +116,26 @@ let public_key Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) in pk + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Avx2.Unpacked.unpack_public_key (sz 3) + (sz 1152) + (sz 1152) + (sz 1184) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + in + unpacked_public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti index 4d8df4bc3..36d886da8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.Unpacked.fsti 
@@ -8,34 +8,19 @@ let _ = (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Avx2 in + let open Libcrux_ml_kem.Vector.Traits in () -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 768 (unpacked) -/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) +/// Get the serialized public key. +val key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) Prims.l_True (fun _ -> Prims.l_True) -/// Create a new, empty unpacked public key. -val init_public_key: Prims.unit - -> Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) - /// Get the serialized public key. val serialized_public_key (public_key: 
@@ -46,16 +31,6 @@ val serialized_public_key Prims.l_True (fun _ -> Prims.l_True) -/// Get the unpacked public key. -val unpacked_public_key - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 768 (unpacked) /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] @@ -67,6 +42,26 @@ val decapsulate (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 768 (unpacked) +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + /// Generate ML-KEM 768 Key Pair in "unpacked" form. val generate_key_pair (randomness: t_Array u8 (sz 64)) 
@@ -83,15 +78,11 @@ val init_key_pair: Prims.unit (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) -/// Get the serialized public key. -val key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - Prims.l_True - (fun _ -> Prims.l_True) +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) /// Get the unpacked public key. val public_key @@ -104,3 +95,13 @@ val public_key : Prims.Pure (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Avx2.t_SIMD256Vector) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst index 3ec064b3f..0313c715a 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti index 0b2855263..3263527b3 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Avx2.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst index 1b1c3736e..ae48f86a4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fst 
@@ -9,62 +9,40 @@ let _ = let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Neon in let open Libcrux_ml_kem.Vector.Neon.Vector_type in + let open Libcrux_ml_kem.Vector.Traits in () -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) - (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness - -let init_public_key (_: Prims.unit) = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - #FStar.Tactics.Typeclasses.solve - () - -let serialized_public_key - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) +let key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 3) + Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 3) #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector (sz 1152) (sz 1184) - public_key + key_pair serialized in serialized -let unpacked_public_key - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - (unpacked_public_key: +let serialized_public_key + (public_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - let hax_temp_output, unpacked_public_key:(Prims.unit & - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - 
Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - (), - Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 3) - (sz 1152) + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector (sz 1152) (sz 1184) public_key - unpacked_public_key - <: - (Prims.unit & - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + serialized in - unpacked_public_key + serialized let decapsulate (private_key: @@ -76,6 +54,16 @@ let decapsulate (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) private_key ciphertext +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness + let generate_key_pair (randomness: t_Array u8 (sz 64)) (key_pair: 
@@ -102,21 +90,11 @@ let init_key_pair (_: Prims.unit) = #FStar.Tactics.Typeclasses.solve () -let key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - = - let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 3) - #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - (sz 1152) - (sz 1184) - key_pair - serialized - in - serialized +let init_public_key (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + #FStar.Tactics.Typeclasses.solve + () let public_key (key_pair: @@ -131,7 +109,7 @@ let public_key Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__public_key (sz 3) + (Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__public_key (sz 3) #Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector key_pair <: 
@@ -139,3 +117,26 @@ let public_key Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) in pk + +let unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + = + let hax_temp_output, unpacked_public_key:(Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + (), + Libcrux_ml_kem.Ind_cca.Instantiations.Neon.Unpacked.unpack_public_key (sz 3) + (sz 1152) + (sz 1152) + (sz 1184) + public_key + unpacked_public_key + <: + (Prims.unit & + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + in + unpacked_public_key diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti index 3c76dc76c..8230f5e69 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.Unpacked.fsti 
@@ -9,33 +9,16 @@ let _ = let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Neon in let open Libcrux_ml_kem.Vector.Neon.Vector_type in + let open Libcrux_ml_kem.Vector.Traits in () -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Portable in - let open Libcrux_ml_kem.Vector.Neon in - () - -/// Encapsulate ML-KEM 768 (unpacked) -/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. -/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], -/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. -val encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) +/// Get the serialized public key. +val key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (randomness: t_Array u8 (sz 32)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Create a new, empty unpacked public key. -val init_public_key: Prims.unit - -> Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) Prims.l_True (fun _ -> Prims.l_True) 
@@ -49,18 +32,6 @@ val serialized_public_key Prims.l_True (fun _ -> Prims.l_True) -/// Get the unpacked public key. -val unpacked_public_key - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 768 (unpacked) /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] @@ -72,6 +43,26 @@ val decapsulate (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) +let _ = + (* This module has implicit dependencies, here we make them explicit. *) + (* The implicit dependencies arise from typeclasses instances. *) + let open Libcrux_ml_kem.Vector.Portable in + let open Libcrux_ml_kem.Vector.Neon in + () + +/// Encapsulate ML-KEM 768 (unpacked) +/// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. +/// The input is a reference to an unpacked public key of type [`MlKem768PublicKeyUnpacked`], +/// the SHA3-256 hash of this public key, and [`SHARED_SECRET_SIZE`] bytes of `randomness`. +val encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + (randomness: t_Array u8 (sz 32)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) + Prims.l_True + (fun _ -> Prims.l_True) + /// Generate ML-KEM 768 Key Pair in "unpacked" form. val generate_key_pair (randomness: t_Array u8 (sz 64)) 
@@ -92,13 +83,11 @@ val init_key_pair: Prims.unit Prims.l_True (fun _ -> Prims.l_True) -/// Get the serialized public key. -val key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) Prims.l_True (fun _ -> Prims.l_True) @@ -115,3 +104,15 @@ val public_key Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) Prims.l_True (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst index 4608a3923..ecb81f50c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti index 1b4e3414d..c167a2840 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst index 39960a363..88cbacd2a 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fst @@ -9,17 +9,14 @@ let _ = let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Portable in let open Libcrux_ml_kem.Vector.Portable.Vector_type in + let open Libcrux_ml_kem.Vector.Traits in () -let encapsulate - (public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (randomness: t_Array u8 (sz 32)) - = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) - (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key - randomness +let init_key_pair (_: Prims.unit) = + Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + () let init_public_key (_: Prims.unit) = Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) 
@@ -27,21 +24,27 @@ let init_public_key (_: Prims.unit) = #FStar.Tactics.Typeclasses.solve () -let serialized_public_key - (public_key: +let public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (pk: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl__serialized_public_key_mut (sz 3) - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (sz 1152) - (sz 1184) - public_key - serialized + let pk:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + #FStar.Tactics.Typeclasses.solve + (Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__public_key (sz 3) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + key_pair + <: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - serialized + pk let unpacked_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) 
@@ -66,76 +69,74 @@ let unpacked_public_key in unpacked_public_key -let decapsulate - (private_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) +let encapsulate + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + (randomness: t_Array u8 (sz 32)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) - (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) - (sz 128) (sz 1120) private_key ciphertext + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.encapsulate (sz 3) (sz 1088) (sz 1184) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key + randomness -let generate_key_pair - (randomness: t_Array u8 (sz 64)) +let key_pair_serialized_public_key (key_pair: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 3) + let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = + Libcrux_ml_kem.Ind_cca.Unpacked.impl_4__serialized_public_key_mut (sz 3) + #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector (sz 1152) - (sz 2400) (sz 1184) - (sz 1152) - (sz 2) - (sz 128) - randomness key_pair + serialized in - key_pair - -let init_key_pair (_: Prims.unit) = - Core.Default.f_default #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - #FStar.Tactics.Typeclasses.solve - () + serialized -let key_pair_serialized_public_key - (key_pair: - 
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) +let serialized_public_key + (public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = let serialized:Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184) = - Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__serialized_public_key_mut (sz 3) + Libcrux_ml_kem.Ind_cca.Unpacked.impl_3__serialized_public_key_mut (sz 3) #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector (sz 1152) (sz 1184) - key_pair + public_key serialized in serialized -let public_key - (key_pair: +let decapsulate + (private_key: Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (pk: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) + = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.decapsulate (sz 3) (sz 2400) (sz 1152) + (sz 1184) (sz 1088) (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) + (sz 128) (sz 1120) private_key ciphertext + +let generate_key_pair + (randomness: t_Array u8 (sz 64)) + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let pk:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + let key_pair:Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Core.Clone.f_clone #(Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - #FStar.Tactics.Typeclasses.solve - (Libcrux_ml_kem.Ind_cca.Unpacked.impl_2__public_key (sz 3) - #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - key_pair - <: - 
Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.Unpacked.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness + key_pair in - pk + key_pair diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti index 30956fcb9..9bf968e9a 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.Unpacked.fsti 
@@ -9,8 +9,51 @@ let _ = let open Libcrux_ml_kem.Ind_cca.Unpacked in let open Libcrux_ml_kem.Vector.Portable in let open Libcrux_ml_kem.Vector.Portable.Vector_type in + let open Libcrux_ml_kem.Vector.Traits in () +/// Create a new, empty unpacked key. +val init_key_pair: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Create a new, empty unpacked public key. +val init_public_key: Prims.unit + -> Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (pk: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + +/// Get the unpacked public key. +val unpacked_public_key + (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + (unpacked_public_key: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure + (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + Prims.l_True + (fun _ -> Prims.l_True) + let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) 
@@ -31,11 +74,13 @@ val encapsulate Prims.l_True (fun _ -> Prims.l_True) -/// Create a new, empty unpacked public key. -val init_public_key: Prims.unit - -> Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) +/// Get the serialized public key. +val key_pair_serialized_public_key + (key_pair: + Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) Prims.l_True (fun _ -> Prims.l_True) @@ -49,18 +94,6 @@ val serialized_public_key Prims.l_True (fun _ -> Prims.l_True) -/// Get the unpacked public key. -val unpacked_public_key - (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - (unpacked_public_key: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) - /// Decapsulate ML-KEM 768 (unpacked) /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an unpacked key pair of type [`MlKem768KeyPairUnpacked`] 
@@ -83,35 +116,3 @@ val generate_key_pair Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) Prims.l_True (fun _ -> Prims.l_True) - -/// Create a new, empty unpacked key. -val init_key_pair: Prims.unit - -> Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Get the serialized public key. -val key_pair_serialized_public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (serialized: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - Prims.l_True - (fun _ -> Prims.l_True) - -/// Get the unpacked public key. -val public_key - (key_pair: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemKeyPairUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (pk: - Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure - (Libcrux_ml_kem.Ind_cca.Unpacked.t_MlKemPublicKeyUnpacked (sz 3) - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - Prims.l_True - (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst index d98e44837..9690ed48f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -13,6 +13,12 @@ let validate_private_key private_key ciphertext +let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = + Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3) + (sz 1152) + (sz 1184) + public_key.Libcrux_ml_kem.Types.f_value + let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) @@ -37,9 +43,3 @@ let generate_key_pair (randomness: t_Array u8 (sz 64)) = (sz 2) (sz 128) randomness - -let validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) = - Libcrux_ml_kem.Ind_cca.Instantiations.Portable.validate_public_key (sz 3) - (sz 1152) - (sz 1184) - public_key.Libcrux_ml_kem.Types.f_value diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti index c14954e5d..a44262014 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.Portable.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -10,6 +10,11 @@ val validate_private_key (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) +/// Validate a public key. +/// Returns `true` if valid, and `false` otherwise. +val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) + : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) + /// Decapsulate ML-KEM 768 /// Generates an [`MlKemSharedSecret`]. /// The input is a reference to an [`MlKem768PrivateKey`] and an [`MlKem768Ciphertext`]. 
@@ -34,8 +39,3 @@ val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) Prims.l_True (fun _ -> Prims.l_True) - -/// Validate a public key. -/// Returns `true` if valid, and `false` otherwise. -val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) - : Prims.Pure bool Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst index 235881a7e..5d0bec2fe 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -23,35 +23,23 @@ let decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) = - let result:t_Array u8 (sz 32) = - Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088) - (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) - private_key ciphertext - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.decapsulate (sz 3) (sz 2400) (sz 1152) (sz 1184) (sz 1088) + (sz 1152) (sz 960) (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) (sz 1120) + private_key ciphertext let encapsulate (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1184)) (randomness: t_Array u8 (sz 32)) = - let result:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) = - Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) (sz 960) - (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.encapsulate (sz 3) (sz 1088) (sz 1184) (sz 1152) (sz 960) + (sz 128) (sz 10) (sz 4) (sz 320) (sz 2) (sz 128) (sz 2) (sz 128) public_key randomness let generate_key_pair (randomness: t_Array u8 (sz 64)) = - let result:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = - Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 3) - (sz 1152) - (sz 2400) - (sz 1184) - (sz 1152) - (sz 2) - (sz 128) - randomness - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Libcrux_ml_kem.Ind_cca.Multiplexing.generate_keypair (sz 3) + (sz 1152) + (sz 2400) + (sz 1184) + (sz 1152) + (sz 2) + (sz 128) + randomness 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti index 34bfea335..16febee24 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Mlkem768.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Mlkem768 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -80,15 +80,7 @@ val validate_public_key (public_key: Libcrux_ml_kem.Types.t_MlKemPublicKey (sz 1 val decapsulate (private_key: Libcrux_ml_kem.Types.t_MlKemPrivateKey (sz 2400)) (ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088)) - : Prims.Pure (t_Array u8 (sz 32)) - Prims.l_True - (ensures - fun res -> - let res:t_Array u8 (sz 32) = res in - let shared_secret, valid = - Spec.MLKEM.Instances.mlkem768_decapsulate private_key.f_value ciphertext.f_value - in - valid ==> res == shared_secret) + : Prims.Pure (t_Array u8 (sz 32)) Prims.l_True (fun _ -> Prims.l_True) /// Encapsulate ML-KEM 768 /// Generates an ([`MlKem768Ciphertext`], [`MlKemSharedSecret`]) tuple. @@ -99,14 +91,7 @@ val encapsulate (randomness: t_Array u8 (sz 32)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) Prims.l_True - (ensures - fun res -> - let res:(Libcrux_ml_kem.Types.t_MlKemCiphertext (sz 1088) & t_Array u8 (sz 32)) = res in - let (ciphertext, shared_secret), valid = - Spec.MLKEM.Instances.mlkem768_encapsulate public_key.f_value randomness - in - let res_ciphertext, res_shared_secret = res in - valid ==> (res_ciphertext.f_value == ciphertext /\ res_shared_secret == shared_secret)) + (fun _ -> Prims.l_True) /// Generate ML-KEM 768 Key Pair /// Generate an ML-KEM key pair. The input is a byte array of size 
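Review bot: The hunk at `@@ -80,15 +80,7 @@` replaces the postcondition of `val decapsulate` with `(fun _ -> Prims.l_True)`, dropping the clause `valid ==> res == shared_secret` that tied the implementation to `Spec.MLKEM.Instances.mlkem768_decapsulate`, and the next hunk on this line does the same for `encapsulate`. After this change the interface only states that the functions return 32 bytes (resp. a ciphertext and 32 bytes), so type-checking no longer establishes functional correctness of ML-KEM 768 against the spec, and nothing elsewhere in the diff replaces that guarantee. Since this file is hax output, the `ensures` presumably originates from an attribute on the Rust definitions and should be restored there before regenerating; if the removal is deliberate for now, a line such as `/// NOTE: spec-equivalence postcondition temporarily removed` above each `val` would keep the regression visible to readers of the interface. The `--z3rlimit 15` on the same line is consistent with there being nothing left to prove and would presumably need raising again once the clauses return.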
@@ -115,10 +100,4 @@ val encapsulate val generate_key_pair (randomness: t_Array u8 (sz 64)) : Prims.Pure (Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184)) Prims.l_True - (ensures - fun res -> - let res:Libcrux_ml_kem.Types.t_MlKemKeyPair (sz 2400) (sz 1184) = res in - let (secret_key, public_key), valid = - Spec.MLKEM.Instances.mlkem768_generate_keypair randomness - in - valid ==> (res.f_sk.f_value == secret_key /\ res.f_pk.f_value == public_key)) + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst index d974fbef3..9462d2024 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -35,27 +35,15 @@ let ntt_at_layer_1_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) = - let _:Prims.unit = reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #v_Vector) in - let _:Prims.unit = reveal_opaque (`%ntt_re_range_1) (ntt_re_range_1 #v_Vector) in - let v__zeta_i_init:usize = zeta_i in let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun temp_0_ round -> + (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - v zeta_i == v v__zeta_i_init + v round * 4 /\ - (v round < 16 ==> - (forall (i: nat). - (i >= v round /\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ - (forall (i: nat). - i < v round ==> - Spec.Utils.is_i16b_array_opaque (11207 + 6 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) + let _:usize = temp_1_ in + true) (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) (fun temp_0_ round -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = @@ -63,11 +51,6 @@ let ntt_at_layer_1_ in let round:usize = round in let zeta_i:usize = zeta_i +! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { re with 
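Review bot: In the hunk at `@@ -35,27 +35,15 @@` the loop invariant of the `fold_range` over the 16 coefficient vectors is replaced by `true`, together with the `reveal_opaque` steps and the relation `v zeta_i == v v__zeta_i_init + v round * 4`. The removed invariant was what bounded each coefficient vector by `11207 + 5 * 3328` before `f_ntt_layer_1_step` and by `11207 + 6 * 3328` after it, i.e. the i16 range argument for this NTT layer; with `true` the extracted proof establishes no bound at all, and `v__initial_coefficient_bound` is no longer used by any proof step visible here. Since this is hax output, the invariant presumably lives in a loop-invariant annotation on the Rust loop and should be restored there and the extraction regenerated; if the removal is intentional for the moment, a comment above the fold such as `(* TODO: coefficient-bound invariant removed, to be restored *)` would keep the regression visible. The enclosing `ntt_at_layer_1_` begins before this hunk and its body continues into the next one.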
@@ -79,10 +62,19 @@ let ntt_at_layer_1_ (Libcrux_ml_kem.Vector.Traits.f_ntt_layer_1_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i +! sz 1 <: usize) <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i +! sz 2 <: usize) <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i +! sz 3 <: usize) <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize + ] + <: + i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 2 <: usize + ] + <: + i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize + ] + <: + i16) <: v_Vector) } @@ -90,15 +82,6 @@ let ntt_at_layer_1_ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in let zeta_i:usize = zeta_i +! sz 3 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 6 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque (11207 + 6 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in 
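Review bot: The hunk at `@@ -79,10 +62,19 @@` replaces the `get_zeta` calls with direct indexing such as `v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 3 <: usize ]`, which carries an in-bounds obligation on `zeta_i`, while the earlier hunk `@@ -35,27 +35,15 @@` in this file dropped the only visible fact about `zeta_i` (its relation to the round counter). Nothing in the diff shows how F* now discharges that obligation, so either the module is checked with admitted queries or the bound comes from somewhere not shown; I cannot tell which from here, and the removed `get_zeta` accessor presumably carried the precondition. The visible fix is to restore the `zeta_i` invariant on the loop (in the Rust source the extraction comes from) or to keep a bounds-checked accessor; the same indexing change recurs for layers 2 and 3 and in `ntt_at_layer_4_plus`. The body of `ntt_at_layer_1_` extends beyond both edges of this hunk.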
@@ -113,27 +96,15 @@ let ntt_at_layer_2_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) = - let _:Prims.unit = reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #v_Vector) in - let _:Prims.unit = reveal_opaque (`%ntt_re_range_2) (ntt_re_range_2 #v_Vector) in - let v__zeta_i_init:usize = zeta_i in let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun temp_0_ round -> + (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - v zeta_i == v v__zeta_i_init + v round * 2 /\ - (v round < 16 ==> - (forall (i: nat). - (i >= v round /\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ - (forall (i: nat). - i < v round ==> - Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) + let _:usize = temp_1_ in + true) (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) (fun temp_0_ round -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = @@ -141,11 +112,6 @@ let ntt_at_layer_2_ in let round:usize = round in let zeta_i:usize = zeta_i +! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { re with 
@@ -157,8 +123,11 @@ let ntt_at_layer_2_ (Libcrux_ml_kem.Vector.Traits.f_ntt_layer_2_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) - (Libcrux_ml_kem.Polynomial.get_zeta (zeta_i +! sz 1 <: usize) <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i +! sz 1 <: usize + ] + <: + i16) <: v_Vector) } @@ -166,15 +135,6 @@ let ntt_at_layer_2_ Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in let zeta_i:usize = zeta_i +! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque (11207 + 5 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in 
@@ -189,27 +149,15 @@ let ntt_at_layer_3_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) = - let _:Prims.unit = reveal_opaque (`%ntt_re_range_4) (ntt_re_range_4 #v_Vector) in - let _:Prims.unit = reveal_opaque (`%ntt_re_range_3) (ntt_re_range_3 #v_Vector) in - let v__zeta_i_init:usize = zeta_i in let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun temp_0_ round -> + (fun temp_0_ temp_1_ -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = temp_0_ in - let round:usize = round in - v zeta_i == v v__zeta_i_init + v round /\ - (v round < 16 ==> - (forall (i: nat). - (i >= v round /\ i < 16) ==> - Spec.Utils.is_i16b_array_opaque (11207 + 3 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) /\ - (forall (i: nat). - i < v round ==> - Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])))) + let _:usize = temp_1_ in + true) (re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) (fun temp_0_ round -> let re, zeta_i:(Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize) = @@ -217,11 +165,6 @@ let ntt_at_layer_3_ in let round:usize = round in let zeta_i:usize = zeta_i +! sz 1 in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 3 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { re with 
@@ -233,29 +176,18 @@ let ntt_at_layer_3_ (Libcrux_ml_kem.Vector.Traits.f_ntt_layer_3_step #v_Vector #FStar.Tactics.Typeclasses.solve (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ round ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) <: v_Vector) } <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector in - let _:Prims.unit = - reveal_opaque (`%Spec.Utils.is_i16b_array_opaque) - (Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b_array_opaque (11207 + 4 * 3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ round ]))) - in re, zeta_i <: (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector & usize)) in let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) -#push-options "--admit_smt_queries true" - let ntt_at_layer_4_plus (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -265,8 +197,13 @@ let ntt_at_layer_4_plus (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (layer v__initial_coefficient_bound: usize) = + let _:Prims.unit = + if true + then + let _:Prims.unit = Hax_lib.v_assert (layer >=. sz 4 <: bool) in + () + in let step:usize = sz 1 <>! layer <: usize) @@ -303,7 +240,7 @@ let ntt_at_layer_4_plus (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ j +! step_vec <: usize ] <: v_Vector) - (Libcrux_ml_kem.Polynomial.get_zeta zeta_i <: i16) + (Libcrux_ml_kem.Polynomial.v_ZETAS_TIMES_MONTGOMERY_R.[ zeta_i ] <: i16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = { 
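Review bot: The new `Hax_lib.v_assert (layer >=. sz 4 <: bool)` in the `@@ -265` hunk restates only the lower half of the `requires v layer >= 4 /\ v layer <= 7 /\ ...` contract that L4963 replaces with `Prims.l_True`; the upper bound, which the `step` computation on `layer` that follows and the per-layer `zeta_i` values in the dropped clause depended on, is no longer stated anywhere in this chunk. With the interface precondition gone the assert presumably has to hold from an unconstrained `layer`, and the removal of `#push-options "--admit_smt_queries true"` around this function (this hunk and L4955) means it is now actually checked rather than admitted. The `if true then ... in` wrapper reads as a lowering artefact of a Rust-side assertion rather than hand-written F*, so the fix belongs in the Rust source: either reinstate the `v layer >= 4 /\ v layer <= 7` precondition on `ntt_at_layer_4_plus` or extend the assertion with `layer <=. sz 7` as well. `ntt_at_layer_4_plus` starts in this hunk and ends in L4955.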
@@ -338,10 +275,6 @@ let ntt_at_layer_4_plus let hax_temp_output:Prims.unit = () <: Prims.unit in zeta_i, re <: (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) -#pop-options - -#push-options "--admit_smt_queries true" - let ntt_at_layer_7_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -350,22 +283,17 @@ let ntt_at_layer_7_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = let step:usize = Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT /! sz 2 in - let _:Prims.unit = assert (v step == 8) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) step - (fun re j -> + (fun re temp_1_ -> let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let j:usize = j in - (v j < 8 ==> - (forall (i: nat). - (i >= v j /\ i < 8) ==> - ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! sz 8 ])))) + let _:usize = temp_1_ in + true) re (fun re j -> let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in let j:usize = j in - let _:Prims.unit = reveal_opaque (`%ntt_layer_7_pre) (ntt_layer_7_pre #v_Vector) in let t:v_Vector = Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant #v_Vector #FStar.Tactics.Typeclasses.solve @@ -413,8 +341,6 @@ let ntt_at_layer_7_ let hax_temp_output:Prims.unit = () <: Prims.unit in re -#pop-options - #push-options "--z3rlimit 200" let ntt_binomially_sampled_ring_element 
@@ -429,43 +355,43 @@ let ntt_binomially_sampled_ring_element in let zeta_i:usize = sz 1 in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 11207) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 11207 +! sz 3328 <: usize) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 11207 +! (sz 2 *! sz 3328 <: usize) <: usize) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_3_ #v_Vector zeta_i re (sz 3) (sz 11207 +! (sz 3 *! sz 3328 <: usize) <: usize) + ntt_at_layer_3_ #v_Vector zeta_i re (sz 3) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_2_ #v_Vector zeta_i re (sz 2) (sz 11207 +! (sz 4 *! 
sz 3328 <: usize) <: usize) + ntt_at_layer_2_ #v_Vector zeta_i re (sz 2) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_1_ #v_Vector zeta_i re (sz 1) (sz 11207 +! (sz 5 *! sz 3328 <: usize) <: usize) + ntt_at_layer_1_ #v_Vector zeta_i re (sz 1) (sz 3) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let result, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re + (), Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce #v_Vector re <: (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in 
@@ -493,43 +419,43 @@ let ntt_vector_u let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 2 *! sz 3328 <: usize) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 6) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 3 *! sz 3328 <: usize) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 5) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 4 *! sz 3328 <: usize) + ntt_at_layer_4_plus #v_Vector zeta_i re (sz 4) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_3_ #v_Vector zeta_i re (sz 3) (sz 5 *! sz 3328 <: usize) + ntt_at_layer_3_ #v_Vector zeta_i re (sz 3) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_2_ #v_Vector zeta_i re (sz 2) (sz 6 *! 
sz 3328 <: usize) + ntt_at_layer_2_ #v_Vector zeta_i re (sz 2) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let tmp0, tmp1:(usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - ntt_at_layer_1_ #v_Vector zeta_i re (sz 1) (sz 7 *! sz 3328 <: usize) + ntt_at_layer_1_ #v_Vector zeta_i re (sz 1) (sz 3328) in let zeta_i:usize = tmp0 in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = tmp1 in let _:Prims.unit = () in let result, re:(Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - (), Libcrux_ml_kem.Polynomial.impl_2__poly_barrett_reduce #v_Vector re + (), Libcrux_ml_kem.Polynomial.impl__poly_barrett_reduce #v_Vector re <: (Prims.unit & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti index 8cf047654..7369fa656 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Ntt.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -14,35 +14,7 @@ val ntt_layer_int_vec_step {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (a b: v_Vector) (zeta_r: i16) - : Prims.Pure (v_Vector & v_Vector) - (requires - Spec.Utils.is_i16b 1664 zeta_r /\ - (let t = Libcrux_ml_kem.Vector.Traits.montgomery_multiply_fe b zeta_r in - (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\ - (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array a) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))))) - (fun _ -> Prims.l_True) - -[@@ "opaque_to_smt"] - let ntt_re_range_1 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+6*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) - -[@@ "opaque_to_smt"] - let ntt_re_range_2 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+5*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) + : Prims.Pure (v_Vector & v_Vector) Prims.l_True (fun _ -> Prims.l_True) val ntt_at_layer_1_ (#v_Vector: Type0) 
@@ -51,21 +23,8 @@ val ntt_at_layer_1_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v zeta_i == 63 /\ ntt_re_range_2 re) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - ntt_re_range_1 re_future /\ v zeta_i_future == 127) - -[@@ "opaque_to_smt"] - let ntt_re_range_3 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+4*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_at_layer_2_ (#v_Vector: Type0) @@ -74,21 +33,8 @@ val ntt_at_layer_2_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v zeta_i == 31 /\ ntt_re_range_3 re) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - ntt_re_range_2 re_future /\ v zeta_i_future == 63) - -[@@ "opaque_to_smt"] - let ntt_re_range_4 (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - forall (i:nat). i < 16 ==> Spec.Utils.is_i16b_array_opaque (11207+3*3328) - (Libcrux_ml_kem.Vector.Traits.f_to_i16_array (re.f_coefficients.[ sz i ])) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_at_layer_3_ (#v_Vector: Type0) 
@@ -97,14 +43,8 @@ val ntt_at_layer_3_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (v__layer v__initial_coefficient_bound: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires v zeta_i == 15 /\ ntt_re_range_4 re) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - ntt_re_range_3 re_future /\ v zeta_i_future == 31) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_at_layer_4_plus (#v_Vector: Type0) 
@@ -113,46 +53,15 @@ val ntt_at_layer_4_plus (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (layer v__initial_coefficient_bound: usize) : Prims.Pure (usize & Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - v layer >= 4 /\ v layer <= 7 /\ - ((v layer == 4 ==> v zeta_i == 7) /\ (v layer == 5 ==> v zeta_i == 3) /\ - (v layer == 6 ==> v zeta_i == 1) /\ (v layer == 7 ==> v zeta_i == 0))) - (ensures - fun temp_0_ -> - let zeta_i_future, re_future:(usize & - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - temp_0_ - in - ntt_re_range_4 re_future /\ (v layer == 4 ==> v zeta_i_future == 15) /\ - (v layer == 5 ==> v zeta_i_future == 7) /\ (v layer == 6 ==> v zeta_i_future == 3) /\ - (v layer == 7 ==> v zeta_i_future == 1)) - -[@@ "opaque_to_smt"] - let ntt_layer_7_pre (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (re_0 re_1: v_Vector) = - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_1) i) * v (-1600s))) /\ - (let t = Libcrux_ml_kem.Vector.Traits.f_multiply_by_constant re_1 (-1600s) in - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) - - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i))) /\ - (forall i. i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array re_0) i) + - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array t) i)))) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_at_layer_7_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - forall i. - i < 8 ==> - ntt_layer_7_pre (re.f_coefficients.[ sz i ]) (re.f_coefficients.[ sz i +! 
sz 8 ])) + Prims.l_True (fun _ -> Prims.l_True) val ntt_binomially_sampled_ring_element diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst index 257bb1029..f8397d064 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Polynomial -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -9,19 +9,13 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let get_zeta (i: usize) = - let result:i16 = v_ZETAS_TIMES_MONTGOMERY_R.[ i ] in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -let impl_2__add_error_reduce +let impl__add_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self error: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let self:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -65,14 +59,13 @@ let impl_2__add_error_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_2__add_message_error_reduce +let impl__add_message_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self message result: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let result:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT 
@@ -122,14 +115,13 @@ let impl_2__add_message_error_reduce in result -let impl_2__add_standard_error_reduce +let impl__add_standard_error_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self error: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let self:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -171,14 +163,13 @@ let impl_2__add_standard_error_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_2__poly_barrett_reduce +let impl__poly_barrett_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let self:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -210,14 +201,13 @@ let impl_2__poly_barrett_reduce let hax_temp_output:Prims.unit = () <: Prims.unit in self -let impl_2__subtract_reduce +let impl__subtract_reduce (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self b: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let b:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -260,7 +250,7 @@ let impl_2__subtract_reduce in b -let impl_2__ZERO +let impl__ZERO (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: 
@@ -280,14 +270,14 @@ let impl_2__ZERO <: t_PolynomialRingElement v_Vector -let impl_2__from_i16_array +let impl__from_i16_array (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (a: t_Slice i16) = - let result:t_PolynomialRingElement v_Vector = impl_2__ZERO #v_Vector () in + let result:t_PolynomialRingElement v_Vector = impl__ZERO #v_Vector () in let result:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -325,15 +315,14 @@ let impl_2__from_i16_array in result -let impl_2__ntt_multiply +let impl__ntt_multiply (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self rhs: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in - let out:t_PolynomialRingElement v_Vector = impl_2__ZERO #v_Vector () in + let out:t_PolynomialRingElement v_Vector = impl__ZERO #v_Vector () in let out:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) v_VECTORS_IN_RING_ELEMENT @@ -355,10 +344,22 @@ let impl_2__ntt_multiply #FStar.Tactics.Typeclasses.solve (self.f_coefficients.[ i ] <: v_Vector) (rhs.f_coefficients.[ i ] <: v_Vector) - (get_zeta (sz 64 +! (sz 4 *! i <: usize) <: usize) <: i16) - (get_zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 1 <: usize) <: i16) - (get_zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 2 <: usize) <: i16) - (get_zeta ((sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 3 <: usize) <: i16) + (v_ZETAS_TIMES_MONTGOMERY_R.[ sz 64 +! (sz 4 *! i <: usize) <: usize ] <: i16) + (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 1 + <: + usize ] + <: + i16) + (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 2 + <: + usize ] + <: + i16) + (v_ZETAS_TIMES_MONTGOMERY_R.[ (sz 64 +! (sz 4 *! i <: usize) <: usize) +! sz 3 + <: + usize ] + <: + i16) <: v_Vector) <: 
@@ -369,7 +370,7 @@ let impl_2__ntt_multiply in out -let impl_2__add_to_ring_element +let impl__add_to_ring_element (#v_Vector: Type0) (v_K: usize) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -377,7 +378,6 @@ let impl_2__add_to_ring_element Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (self rhs: t_PolynomialRingElement v_Vector) = - let _:Prims.unit = admit () in let self:t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) (Core.Slice.impl__len #v_Vector (self.f_coefficients <: t_Slice v_Vector) <: usize) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti index 7956d29e4..28cadfac0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Polynomial.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Polynomial -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -10,7 +10,6 @@ let _ = () let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i16 (sz 128) = - let _:Prims.unit = assert_norm (pow2 16 == 65536) in let list = [ (-1044s); (-758s); (-359s); (-1517s); 1493s; 1422s; 287s; 202s; (-171s); 622s; 1577s; 182s; 
@@ -29,85 +28,59 @@ let v_ZETAS_TIMES_MONTGOMERY_R: t_Array i16 (sz 128) = FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 128); Rust_primitives.Hax.array_of_list 128 list -val get_zeta (i: usize) - : Prims.Pure i16 - (requires i <. sz 128) - (ensures - fun result -> - let result:i16 = result in - Spec.Utils.is_i16b 1664 result) - type t_PolynomialRingElement (v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} = { f_coefficients:t_Array v_Vector (sz 16) } -let to_spec_poly_t (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (p: t_PolynomialRingElement v_Vector) : Spec.MLKEM.polynomial = - admit() - -let to_spec_vector_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (m:t_Array (t_PolynomialRingElement v_Vector) r) : Spec.MLKEM.vector r = - createi r (fun i -> to_spec_poly_t #v_Vector (m.[i])) - -let to_spec_matrix_t (#r:Spec.MLKEM.rank) (#v_Vector: Type0) - {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (m:t_Array (t_Array (t_PolynomialRingElement v_Vector) r) r) : Spec.MLKEM.matrix r = - createi r (fun i -> to_spec_vector_t #r #v_Vector (m.[i])) - let v_VECTORS_IN_RING_ELEMENT: usize = Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT /! 
Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR -val impl_2__add_error_reduce +val impl__add_error_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self error: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__add_message_error_reduce +val impl__add_message_error_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self message result: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__add_standard_error_reduce +val impl__add_standard_error_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self error: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__poly_barrett_reduce +val impl__poly_barrett_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__subtract_reduce +val impl__subtract_reduce (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self b: t_PolynomialRingElement v_Vector) : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__ZERO: +val impl__ZERO: #v_Vector: Type0 -> {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} -> Prims.unit -> Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) -val impl_2__from_i16_array +val impl__from_i16_array (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (a: t_Slice i16) - : Prims.Pure (t_PolynomialRingElement v_Vector) - (requires - (v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. 
(Core.Slice.impl__len #i16 a <: usize)) - (fun _ -> Prims.l_True) + : Prims.Pure (t_PolynomialRingElement v_Vector) Prims.l_True (fun _ -> Prims.l_True) /// Given two `KyberPolynomialRingElement`s in their NTT representations, /// compute their product. Given two polynomials in the NTT domain `f^` and `ĵ`, -/// the `iᵗʰ` coefficient of the product `k\u{302}` is determined by the calculation: +/// the `iᵗʰ` coefficient of the product `k̂` is determined by the calculation: /// ```plaintext /// ĥ[2·i] + ĥ[2·i + 1]X = (f^[2·i] + f^[2·i + 1]X)·(ĝ[2·i] + ĝ[2·i + 1]X) mod (X² - ζ^(2·BitRev₇(i) + 1)) /// ``` @@ -121,11 +94,11 @@ val impl_2__from_i16_array /// end for /// return ĥ /// ``` -/// We say \"almost\" because the coefficients of the ring element output by +/// We say "almost" because the coefficients of the ring element output by /// this function are in the Montgomery domain. /// The NIST FIPS 203 standard can be found at /// . -val impl_2__ntt_multiply +val impl__ntt_multiply (#v_Vector: Type0) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (self rhs: t_PolynomialRingElement v_Vector) @@ -133,7 +106,7 @@ val impl_2__ntt_multiply /// Given two polynomial ring elements `lhs` and `rhs`, compute the pointwise /// sum of their constituent coefficients. -val impl_2__add_to_ring_element +val impl__add_to_ring_element (#v_Vector: Type0) (v_K: usize) {| i2: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst index 13f72a5df..a8fe3c259 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
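Review bot: `impl__from_i16_array` loses its only precondition, `(v_VECTORS_IN_RING_ELEMENT *! sz 16 <: usize) <=. (Core.Slice.impl__len #i16 a <: usize)`, in favour of `Prims.l_True`, yet its body (L4966) still folds over `v_VECTORS_IN_RING_ELEMENT` vectors drawn from `a`, so a caller passing a shorter slice is no longer rejected at the interface; the callers visible in this chunk (`sample_from_xof`, the binomial samplers) pass fixed-size buffers, but that is now an unstated assumption. The `to_spec_poly_t` / `to_spec_vector_t` / `to_spec_matrix_t` bridges to `Spec.MLKEM` are deleted in the same hunk, so no remaining declaration links `t_PolynomialRingElement` to the specification. If the drop is intentional for this WIP extraction, a one-line note in the commit body that the NTT and polynomial contracts are being regenerated would stop readers taking it as a regression; otherwise keep the length `requires` on `impl__from_i16_array`. This hunk begins in L4968.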
@@ -144,8 +144,6 @@ let sample_from_uniform_distribution_next <: (t_Array usize v_K & t_Array (t_Array i16 (sz 272)) v_K & bool) -#push-options "--admit_smt_queries true" - let sample_from_xof (v_K: usize) (#v_Vector #v_Hasher: Type0) @@ -164,13 +162,13 @@ let sample_from_xof Rust_primitives.Hax.repeat (Rust_primitives.Hax.repeat 0s (sz 272) <: t_Array i16 (sz 272)) v_K in let xof_state:v_Hasher = - Libcrux_ml_kem.Hash_functions.f_shake128_init_absorb_final #v_Hasher + Libcrux_ml_kem.Hash_functions.f_shake128_init_absorb #v_Hasher #v_K #FStar.Tactics.Typeclasses.solve seeds in let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 504)) v_K) = - Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_first_three_blocks #v_Hasher + Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_three_blocks #v_Hasher #v_K #FStar.Tactics.Typeclasses.solve xof_state @@ -203,7 +201,7 @@ let sample_from_xof temp_0_ in let tmp0, out1:(v_Hasher & t_Array (t_Array u8 (sz 168)) v_K) = - Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_next_block #v_Hasher + Libcrux_ml_kem.Hash_functions.f_shake128_squeeze_block #v_Hasher #v_K #FStar.Tactics.Typeclasses.solve xof_state @@ -231,7 +229,7 @@ let sample_from_xof out (fun s -> let s:t_Array i16 (sz 272) = s in - Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector + Libcrux_ml_kem.Polynomial.impl__from_i16_array #v_Vector (s.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 256 } <: Core.Ops.Range.t_Range usize ] @@ -240,10 +238,6 @@ let sample_from_xof <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) -#pop-options - -#push-options "--z3rlimit 800" - let sample_from_binomial_distribution_2_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
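Review bot: The renamed trait methods `f_shake128_init_absorb`, `f_shake128_squeeze_three_blocks` and `f_shake128_squeeze_block` referenced in `sample_from_xof` have no matching change to `Libcrux_ml_kem.Hash_functions.fsti` anywhere in this chunk, so whether the extracted `t_Hash` interface exposes them under these names cannot be confirmed here; if that interface is not regenerated in the same patch series, this module will not typecheck. The `#push-options "--admit_smt_queries true"` / `#pop-options` pair around `sample_from_xof` is also removed, which makes the body — including the `impl__from_i16_array` call on the `sz 0 .. sz 256` range of each `t_Array i16 (sz 272)` buffer — subject to real SMT checking for the first time. A sentence in the commit message stating that `sample_from_xof` now verifies without admits (or that verification is deferred) would help reviewers. `sample_from_xof` starts and ends outside the individual hunks.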
@@ -251,10 +245,6 @@ let sample_from_binomial_distribution_2_ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (randomness: t_Slice u8) = - let _:Prims.unit = - assert (v (sz 2 *! sz 64) == 128); - assert (Seq.length randomness == 128) - in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.repeat 0s (sz 256) in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 4) @@ -279,10 +269,6 @@ let sample_from_binomial_distribution_2_ in let even_bits:u32 = random_bits_as_u32 &. 1431655765ul in let odd_bits:u32 = (random_bits_as_u32 >>! 1l <: u32) &. 1431655765ul in - let _:Prims.unit = - logand_lemma random_bits_as_u32 1431655765ul; - logand_lemma (random_bits_as_u32 >>! 1l) 1431655765ul - in let coin_toss_outcomes:u32 = even_bits +! odd_bits in Rust_primitives.Hax.Folds.fold_range_step_by 0ul Core.Num.impl__u32__BITS @@ -303,15 +289,6 @@ let sample_from_binomial_distribution_2_ <: i16 in - let _:Prims.unit = - logand_lemma (coin_toss_outcomes >>! outcome_set <: u32) 3ul; - logand_lemma (coin_toss_outcomes >>! (outcome_set +! 2ul <: u32) <: u32) 3ul; - assert (v outcome_1_ >= 0 /\ v outcome_1_ <= 3); - assert (v outcome_2_ >= 0 /\ v outcome_2_ <= 3); - assert (v chunk_number <= 31); - assert (v (sz 8 *! chunk_number <: usize) <= 248); - assert (v (cast (outcome_set >>! 2l <: u32) <: usize) <= 7) - in let offset:usize = cast (outcome_set >>! 2l <: u32) <: usize in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_i16s @@ -320,11 +297,7 @@ let sample_from_binomial_distribution_2_ in sampled_i16s)) in - Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) - -#pop-options - -#push-options "--z3rlimit 800" + Libcrux_ml_kem.Polynomial.impl__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) let sample_from_binomial_distribution_3_ (#v_Vector: Type0) 
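Review bot: The removed `logand_lemma` calls and the `assert (v outcome_1_ >= 0 /\ v outcome_1_ <= 3)`, `assert (v (sz 8 *! chunk_number <: usize) <= 248)` and `assert (v (cast (outcome_set >>! 2l <: u32) <: usize) <= 7)` blocks in `sample_from_binomial_distribution_2_` were the facts that keep the `update_at_usize sampled_i16s` index inside the 256-entry array and the `outcome_1_` / `outcome_2_` values in `0..3`; nothing on the new side replaces them, and the `#push-options "--z3rlimit 800"` that covered this function is removed while the module default drops to `--z3rlimit 15` (L4970). Unless Z3 finds these bounds unaided at the lower limit, the in-bounds obligation for the store will fail or, if the module is checked lax, silently go unverified. The same removal happens for `sample_from_binomial_distribution_3_` in L4973 (mask `2396745ul`, bounds `<= 7`, `<= 252`, `<= 3`). The dropped `assert (Seq.length randomness == 128)` was also the only visible statement of the randomness-length assumption; if the `.fsti` for this module no longer carries it (only its `z3rlimit` change is visible in L4974), the chunked fold runs over whatever length the caller passes. `sample_from_binomial_distribution_2_` starts and ends outside the individual hunks.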
@@ -333,10 +306,6 @@ let sample_from_binomial_distribution_3_ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (randomness: t_Slice u8) = - let _:Prims.unit = - assert (v (sz 3 *! sz 64) == 192); - assert (Seq.length randomness == 192) - in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.repeat 0s (sz 256) in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 3) @@ -359,11 +328,6 @@ let sample_from_binomial_distribution_3_ let first_bits:u32 = random_bits_as_u24 &. 2396745ul in let second_bits:u32 = (random_bits_as_u24 >>! 1l <: u32) &. 2396745ul in let third_bits:u32 = (random_bits_as_u24 >>! 2l <: u32) &. 2396745ul in - let _:Prims.unit = - logand_lemma random_bits_as_u24 2396745ul; - logand_lemma (random_bits_as_u24 >>! 1l <: u32) 2396745ul; - logand_lemma (random_bits_as_u24 >>! 2l <: u32) 2396745ul - in let coin_toss_outcomes:u32 = (first_bits +! second_bits <: u32) +! third_bits in Rust_primitives.Hax.Folds.fold_range_step_by 0l 24l @@ -384,15 +348,6 @@ let sample_from_binomial_distribution_3_ <: i16 in - let _:Prims.unit = - logand_lemma (coin_toss_outcomes >>! outcome_set <: u32) 7ul; - logand_lemma (coin_toss_outcomes >>! (outcome_set +! 3l <: i32) <: u32) 7ul; - assert (v outcome_1_ >= 0 /\ v outcome_1_ <= 7); - assert (v outcome_2_ >= 0 /\ v outcome_2_ <= 7); - assert (v chunk_number <= 63); - assert (v (sz 4 *! chunk_number <: usize) <= 252); - assert (v (cast (outcome_set /! 6l <: i32) <: usize) <= 3) - in let offset:usize = cast (outcome_set /! 6l <: i32) <: usize in let sampled_i16s:t_Array i16 (sz 256) = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize sampled_i16s 
@@ -401,9 +356,7 @@ let sample_from_binomial_distribution_3_ in sampled_i16s)) in - Libcrux_ml_kem.Polynomial.impl_2__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) - -#pop-options + Libcrux_ml_kem.Polynomial.impl__from_i16_array #v_Vector (sampled_i16s <: t_Slice i16) let sample_from_binomial_distribution (v_ETA: usize) @@ -413,7 +366,6 @@ let sample_from_binomial_distribution Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (randomness: t_Slice u8) = - let _:Prims.unit = assert ((v (cast v_ETA <: u32) == 2) \/ (v (cast v_ETA <: u32) == 3)) in let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = match cast (v_ETA <: usize) <: u32 with | 2ul -> sample_from_binomial_distribution_2_ #v_Vector randomness diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti index 701fc9640..737a33ecc 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Sampling.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst index ca0e4382e..5d0e17d89 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -9,7 +9,7 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -let to_unsigned_field_modulus +let to_unsigned_field_element (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: 
@@ -21,18 +21,63 @@ let to_unsigned_field_modulus let _:Prims.unit = admit () (* Panic freedom *) in result -let deserialize_then_decompress_11_ +let deserialize_then_decompress_10_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 11) /! sz 8) == 352) + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 20) + serialized + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let _:usize = temp_1_ in + true) + re + (fun re temp_1_ -> + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in + let i, bytes:(usize & t_Slice u8) = temp_1_ in + let coefficient:v_Vector = + Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #v_Vector + #FStar.Tactics.Typeclasses.solve + bytes + in + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + { + re with + Libcrux_ml_kem.Polynomial.f_coefficients + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re + .Libcrux_ml_kem.Polynomial.f_coefficients + i + (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector + #FStar.Tactics.Typeclasses.solve + 10l + coefficient + <: + v_Vector) + } + <: + Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector + in + re) + in + re + +let deserialize_then_decompress_11_ + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (serialized: t_Slice u8) + = + let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let 
re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 22) @@ -79,11 +124,8 @@ let deserialize_then_decompress_4_ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 4) /! sz 8) == 128) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 8) @@ -130,11 +172,8 @@ let deserialize_then_decompress_5_ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 5) /! sz 8) == 160) - in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 10) @@ -194,7 +233,7 @@ let deserialize_then_decompress_message (serialized: t_Array u8 (sz 32)) = let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_range (sz 0) @@ -240,7 +279,7 @@ let deserialize_then_decompress_message let _:Prims.unit = admit () (* Panic freedom *) in result -let deserialize_then_decompress_ring_element_v +let deserialize_then_decompress_ring_element_u (v_COMPRESSION_FACTOR: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -248,10 +287,27 @@ let deserialize_then_decompress_ring_element_v Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 5)) + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = + match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with + | 10ul -> deserialize_then_decompress_10_ #v_Vector serialized + | 11ul -> deserialize_then_decompress_11_ #v_Vector serialized + | _ -> + Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" + + <: + Rust_primitives.Hax.t_Never) in + let _:Prims.unit = admit () (* Panic freedom *) in + result + +let deserialize_then_decompress_ring_element_v + (v_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) + (#[FStar.Tactics.Typeclasses.tcresolve ()] + i1: + Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) + (serialized: t_Slice u8) + = let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with | 4ul -> deserialize_then_decompress_4_ #v_Vector serialized @@ -272,9 +328,8 @@ let deserialize_to_reduced_ring_element Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) 
@@ -311,12 +366,10 @@ let deserialize_to_reduced_ring_element in re) in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let _:Prims.unit = admit () (* Panic freedom *) in - result + re let deserialize_ring_elements_reduced - (v_K: usize) + (v_PUBLIC_KEY_SIZE v_K: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: @@ -355,7 +408,7 @@ let deserialize_ring_elements_reduced deserialized_pk let deserialize_ring_elements_reduced_out - (v_K: usize) + (v_PUBLIC_KEY_SIZE v_K: usize) (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] i1: @@ -367,18 +420,14 @@ let deserialize_ring_elements_reduced_out v_K (fun v__i -> let v__i:usize = v__i in - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () <: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) in let deserialized_pk:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialize_ring_elements_reduced v_K #v_Vector public_key deserialized_pk - in - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - deserialized_pk + deserialize_ring_elements_reduced v_PUBLIC_KEY_SIZE v_K #v_Vector public_key deserialized_pk in - let _:Prims.unit = admit () (* Panic freedom *) in - result + deserialized_pk let deserialize_to_uncompressed_ring_element (#v_Vector: Type0) @@ -387,9 +436,8 @@ let deserialize_to_uncompressed_ring_element Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = assert (v Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT / 24 == 16) in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () + Libcrux_ml_kem.Polynomial.impl__ZERO #v_Vector () in let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 24) 
@@ -432,29 +480,23 @@ let compress_then_serialize_10_ Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - let _:Prims.unit = assert_norm (pow2 10 == 1024) in let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.repeat 0uy v_OUT_LEN in let serialized:t_Array u8 v_OUT_LEN = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized i -> + (fun serialized temp_1_ -> let serialized:t_Array u8 v_OUT_LEN = serialized in - let i:usize = i in - v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re) + let _:usize = temp_1_ in + true) serialized (fun serialized i -> let serialized:t_Array u8 v_OUT_LEN = serialized in let i:usize = i in - let _:Prims.unit = assert (20 * v i + 20 <= 320) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in let coefficient:v_Vector = Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector #FStar.Tactics.Typeclasses.solve 10l - (to_unsigned_field_modulus #v_Vector + (to_unsigned_field_element #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) <: v_Vector) @@ -487,11 +529,7 @@ let compress_then_serialize_10_ in serialized) in - let result:t_Array u8 v_OUT_LEN = serialized in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -#push-options "--admit_smt_queries true" + serialized let compress_then_serialize_11_ (v_OUT_LEN: usize) @@ -517,7 +555,7 @@ let compress_then_serialize_11_ Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector #FStar.Tactics.Typeclasses.solve 11l - (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + (to_unsigned_field_element #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) <: v_Vector) 
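Review bot: The fold invariant of `compress_then_serialize_10_` drops from `v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re` to `true`, the `assert (20 * v i + 20 <= 320)` and the `reveal_opaque` of `coefficients_field_modulus_range` are removed, and the matching interface hunk in `Libcrux_ml_kem.Serialize.fsti` turns the `val`'s `requires v v_OUT_LEN == 320 /\ coefficients_field_modulus_range re` into `Prims.l_True`; the chunk write into `serialized` that the fold body performs (outside this hunk) is now specified by nothing visible, and the `admit ()` that previously covered panic freedom is gone as well. The same pattern repeats for `compress_then_serialize_4_`, `compress_then_serialize_message` and `serialize_uncompressed_ring_element` in the later hunks of this file, and `to_unsigned_field_element`'s `ensures` (`>= 0` and `< 3329`) presumably depends on a range assumption on its argument that these callers no longer carry. Keeping the range fact as the invariant, `v i < 16 ==> coefficients_field_modulus_range re`, costs nothing at runtime and leaves the interim state honest instead of vacuous; if it was dropped because it no longer discharges under `--z3rlimit 15`, a comment saying so at the `true` would tell the next reader which proofs are outstanding.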
@@ -552,8 +590,6 @@ let compress_then_serialize_11_ in serialized -#pop-options - let compress_then_serialize_4_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -562,29 +598,22 @@ let compress_then_serialize_4_ (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) = - let _:Prims.unit = assert_norm (pow2 4 == 16) in let serialized:t_Slice u8 = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized i -> + (fun serialized temp_1_ -> let serialized:t_Slice u8 = serialized in - let i:usize = i in - v i >= 0 /\ v i <= 16 /\ v i < 16 ==> - (Seq.length serialized == 128 /\ coefficients_field_modulus_range re)) + let _:usize = temp_1_ in + true) serialized (fun serialized i -> let serialized:t_Slice u8 = serialized in let i:usize = i in - let _:Prims.unit = assert (8 * v i + 8 <= 128) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in let coefficient:v_Vector = Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector #FStar.Tactics.Typeclasses.solve 4l - (to_unsigned_field_modulus #v_Vector + (to_unsigned_field_element #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) <: v_Vector) @@ -617,13 +646,9 @@ let compress_then_serialize_4_ in serialized) in - let result:Prims.unit = () <: Prims.unit in - let _:Prims.unit = admit () (* Panic freedom *) in - let hax_temp_output:Prims.unit = result in + let hax_temp_output:Prims.unit = () <: Prims.unit in serialized -#push-options "--admit_smt_queries true" - let compress_then_serialize_5_ (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] 
@@ -647,7 +672,7 @@ let compress_then_serialize_5_ Libcrux_ml_kem.Vector.Traits.f_compress #v_Vector #FStar.Tactics.Typeclasses.solve 5l - (Libcrux_ml_kem.Vector.Traits.to_unsigned_representative #v_Vector + (to_unsigned_field_element #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) <: v_Vector) @@ -683,8 +708,6 @@ let compress_then_serialize_5_ let hax_temp_output:Prims.unit = () <: Prims.unit in serialized -#pop-options - let compress_then_serialize_message (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -696,21 +719,16 @@ let compress_then_serialize_message let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Folds.fold_range (sz 0) (sz 16) - (fun serialized i -> + (fun serialized temp_1_ -> let serialized:t_Array u8 (sz 32) = serialized in - let i:usize = i in - v i < 16 ==> coefficients_field_modulus_range re) + let _:usize = temp_1_ in + true) serialized (fun serialized i -> let serialized:t_Array u8 (sz 32) = serialized in let i:usize = i in - let _:Prims.unit = assert (2 * v i + 2 <= 32) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in let coefficient:v_Vector = - to_unsigned_field_modulus #v_Vector + to_unsigned_field_element #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) in let coefficient_compressed:v_Vector = @@ -758,11 +776,6 @@ let compress_then_serialize_ring_element_u Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - let _:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 11)); - Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR) - in let result:t_Array u8 v_OUT_LEN = match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with | 10ul -> compress_then_serialize_10_ v_OUT_LEN #v_Vector re 
@@ -785,11 +798,6 @@ let compress_then_serialize_ring_element_v (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (out: t_Slice u8) = - let _:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 4) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 5)); - Rust_primitives.Integers.mk_int_equiv_lemma #usize_inttype (v v_COMPRESSION_FACTOR) - in let out, result:(t_Slice u8 & Prims.unit) = match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with | 4ul -> compress_then_serialize_4_ #v_Vector re out, () <: (t_Slice u8 & Prims.unit) 
@@ -807,85 +815,6 @@ let compress_then_serialize_ring_element_v let hax_temp_output:Prims.unit = result in out -let deserialize_then_decompress_10_ - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) - = - let _:Prims.unit = - assert (v ((Libcrux_ml_kem.Constants.v_COEFFICIENTS_IN_RING_ELEMENT *! sz 10) /! sz 8) == 320) - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Libcrux_ml_kem.Polynomial.impl_2__ZERO #v_Vector () - in - let v__coefficients_length:usize = - Core.Slice.impl__len #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients <: t_Slice v_Vector) - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - Rust_primitives.Hax.Folds.fold_enumerated_chunked_slice (sz 20) - serialized - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let _:usize = temp_1_ in - true) - re - (fun re temp_1_ -> - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = re in - let i, bytes:(usize & t_Slice u8) = temp_1_ in - let coefficient:v_Vector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #v_Vector - #FStar.Tactics.Typeclasses.solve - bytes - in - let re:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - { - re with - Libcrux_ml_kem.Polynomial.f_coefficients - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize re - .Libcrux_ml_kem.Polynomial.f_coefficients - i - (Libcrux_ml_kem.Vector.Traits.f_decompress_ciphertext_coefficient #v_Vector - #FStar.Tactics.Typeclasses.solve - 10l - coefficient - <: - v_Vector) - } - <: - Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector - in - re) - in - re - -let deserialize_then_decompress_ring_element_u - (v_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - (#[FStar.Tactics.Typeclasses.tcresolve ()] - i1: - Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) - (serialized: t_Slice u8) - = - let 
_:Prims.unit = - assert ((v (cast v_COMPRESSION_FACTOR <: u32) == 10) \/ - (v (cast v_COMPRESSION_FACTOR <: u32) == 11)) - in - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = - match cast (v_COMPRESSION_FACTOR <: usize) <: u32 with - | 10ul -> deserialize_then_decompress_10_ #v_Vector serialized - | 11ul -> deserialize_then_decompress_11_ #v_Vector serialized - | _ -> - Rust_primitives.Hax.never_to_any (Core.Panicking.panic "internal error: entered unreachable code" - - <: - Rust_primitives.Hax.t_Never) - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - let serialize_uncompressed_ring_element (#v_Vector: Type0) (#[FStar.Tactics.Typeclasses.tcresolve ()] @@ -893,26 +822,20 @@ let serialize_uncompressed_ring_element Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = - let _:Prims.unit = assert_norm (pow2 12 == 4096) in let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.repeat 0uy (sz 384) in let serialized:t_Array u8 (sz 384) = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Polynomial.v_VECTORS_IN_RING_ELEMENT - (fun serialized i -> + (fun serialized temp_1_ -> let serialized:t_Array u8 (sz 384) = serialized in - let i:usize = i in - v i >= 0 /\ v i <= 16 /\ v i < 16 ==> coefficients_field_modulus_range re) + let _:usize = temp_1_ in + true) serialized (fun serialized i -> let serialized:t_Array u8 (sz 384) = serialized in let i:usize = i in - let _:Prims.unit = assert (24 * v i + 24 <= 384) in - let _:Prims.unit = - reveal_opaque (`%coefficients_field_modulus_range) - (coefficients_field_modulus_range #v_Vector) - in let coefficient:v_Vector = - to_unsigned_field_modulus #v_Vector + to_unsigned_field_element #v_Vector (re.Libcrux_ml_kem.Polynomial.f_coefficients.[ i ] <: v_Vector) in let bytes:t_Array u8 (sz 24) = 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti index 415926dbf..2784627b7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Serialize.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -14,8 +14,8 @@ let field_modulus_range (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (a: v_Vector) = let coef = Libcrux_ml_kem.Vector.Traits.f_to_i16_array a in - forall (i:nat). i < 16 ==> v (Seq.index coef i) > -(v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) /\ - v (Seq.index coef i) < v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + forall (i:nat). i < 16 ==> v (Seq.index coef i) > -3329 /\ + v (Seq.index coef i) < 3329 [@@ "opaque_to_smt"] let coefficients_field_modulus_range (#v_Vector: Type0) @@ -23,7 +23,7 @@ let coefficients_field_modulus_range (#v_Vector: Type0) (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) = forall (i:nat). i < 16 ==> field_modulus_range (Seq.index re.f_coefficients i) -val to_unsigned_field_modulus +val to_unsigned_field_element (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (a: v_Vector) 
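Review bot: `field_modulus_range` now hard-codes `3329` where it previously referred to `Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS`, and the `ensures` of `to_unsigned_field_element` in the following hunk does the same, so the spec predicate and the implementation constant are two independent copies of the modulus with nothing relating them. If the literal is there to spare the solver an unfolding under the rlimit lowered from 100 to 15 in this same file, a single `assert_norm (v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS == 3329)` next to the definition, or the comment `(* 3329 == v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS; literal kept for the SMT encoding *)`, records the link and keeps a later change to the constant from silently diverging from the spec.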
@@ -35,15 +35,22 @@ val to_unsigned_field_modulus forall (i: nat). i < 16 ==> v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) >= 0 /\ - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) < - v Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array result) i) < 3329) + +val deserialize_then_decompress_10_ + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + Prims.l_True + (fun _ -> Prims.l_True) val deserialize_then_decompress_11_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 352) + Prims.l_True (fun _ -> Prims.l_True) val deserialize_then_decompress_4_ @@ -51,7 +58,7 @@ val deserialize_then_decompress_4_ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 128) + Prims.l_True (fun _ -> Prims.l_True) val deserialize_then_decompress_5_ @@ -59,7 +66,7 @@ val deserialize_then_decompress_5_ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 160) + Prims.l_True (fun _ -> Prims.l_True) val deserialize_then_decompress_message 
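Review bot: The `requires` on the length of `serialized` for `deserialize_then_decompress_11_`, `_4_` and `_5_` (352, 128 and 160 bytes) is replaced by `Prims.l_True` in these hunks, and the new `val deserialize_then_decompress_10_` is added without one, so at the interface level nothing now bounds the chunk index `i` that the bodies pass to `update_at_usize re.f_coefficients i` while folding over `serialized` in chunks of 20 and 22; a caller handing in a longer slice is no longer excluded by the spec, and whether the write stays in bounds then rests on facts not visible here. The same length facts were also deleted as `assert`s in `Libcrux_ml_kem.Serialize.fst`, so the only remaining guard is the dispatcher: `deserialize_then_decompress_ring_element_u` still requires `len serialized = 32 * v_COMPRESSION_FACTOR`, but the `val` of the `_v` counterpart is not visible in this chunk. These files look like hax extractions, so the annotation to restore presumably lives in the Rust source; until the proofs are re-established, keeping `(requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 352)` (and `sz 128` / `sz 160` / `sz 320`) is safer than `Prims.l_True`, particularly alongside the rlimit drop from 100 to 15 in the same file.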
@@ -74,6 +81,21 @@ val deserialize_then_decompress_message Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result == Spec.MLKEM.decode_then_decompress_message serialized) +val deserialize_then_decompress_ring_element_u + (v_COMPRESSION_FACTOR: usize) + (#v_Vector: Type0) + {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} + (serialized: t_Slice u8) + : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) + (requires + (v_COMPRESSION_FACTOR =. sz 10 || v_COMPRESSION_FACTOR =. sz 11) && + (Core.Slice.impl__len #u8 serialized <: usize) =. (sz 32 *! v_COMPRESSION_FACTOR <: usize)) + (ensures + fun result -> + let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in + Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result == + Spec.MLKEM.byte_decode_then_decompress (v v_COMPRESSION_FACTOR) serialized) + val deserialize_then_decompress_ring_element_v (v_COMPRESSION_FACTOR: usize) (#v_Vector: Type0) @@ -96,14 +118,12 @@ val deserialize_to_reduced_ring_element {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (serialized: t_Slice u8) : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - (Core.Slice.impl__len #u8 serialized <: usize) =. - Libcrux_ml_kem.Constants.v_BYTES_PER_RING_ELEMENT) + Prims.l_True (fun _ -> Prims.l_True) /// See [deserialize_ring_elements_reduced_out]. val deserialize_ring_elements_reduced - (v_K: usize) + (v_PUBLIC_KEY_SIZE v_K: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (public_key: t_Slice u8) 
@@ -125,20 +145,13 @@ val deserialize_ring_elements_reduced /// modulus. /// This function MUST NOT be used on secret inputs. val deserialize_ring_elements_reduced_out - (v_K: usize) + (v_PUBLIC_KEY_SIZE v_K: usize) (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (public_key: t_Slice u8) : Prims.Pure (t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K) - (requires - Spec.MLKEM.is_rank v_K /\ - Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)) - (ensures - fun result -> - let result:t_Array (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) v_K = - result - in - forall (i: nat). i < v v_K ==> coefficients_field_modulus_range (Seq.index result i)) + Prims.l_True + (fun _ -> Prims.l_True) val deserialize_to_uncompressed_ring_element (#v_Vector: Type0) @@ -159,9 +172,7 @@ val compress_then_serialize_10_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - : Prims.Pure (t_Array u8 v_OUT_LEN) - (requires v v_OUT_LEN == 320 /\ coefficients_field_modulus_range re) - (fun _ -> Prims.l_True) + : Prims.Pure (t_Array u8 v_OUT_LEN) Prims.l_True (fun _ -> Prims.l_True) val compress_then_serialize_11_ (v_OUT_LEN: usize) 
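Review bot: `deserialize_ring_elements_reduced_out` is the public-key parsing path (its doc comment above says it MUST NOT be used on secret inputs, i.e. it is the one that sees untrusted bytes), and this hunk drops both its precondition `Spec.MLKEM.is_rank v_K /\ Seq.length public_key == v (Spec.MLKEM.v_T_AS_NTT_ENCODED_SIZE v_K)` and the postcondition that every returned element satisfies `coefficients_field_modulus_range`, while the added `v_PUBLIC_KEY_SIZE` parameter is related to nothing in the spec. On the `.fst` side `v_PUBLIC_KEY_SIZE` is only forwarded to `deserialize_ring_elements_reduced`, and `deserialize_to_reduced_ring_element` lost its `requires len serialized == v_BYTES_PER_RING_ELEMENT` in the preceding hunk of this file, so no visible layer now states how long `public_key` must be for the `v_K` ring elements it is split into. If the new constant is meant to replace the computed size, a minimal `(requires Spec.MLKEM.is_rank v_K /\ Seq.length public_key == v v_PUBLIC_KEY_SIZE)` keeps the length contract, and restoring the `coefficients_field_modulus_range` ensures keeps the downstream callers that assumed reduced coefficients honest; as hax output, the place to put it back is presumably the attribute in the Rust source.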
@@ -175,24 +186,14 @@ val compress_then_serialize_4_ {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) - (requires Seq.length serialized == 128 /\ coefficients_field_modulus_range re) - (ensures - fun serialized_future -> - let serialized_future:t_Slice u8 = serialized_future in - Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val compress_then_serialize_5_ (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} (re: Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) (serialized: t_Slice u8) - : Prims.Pure (t_Slice u8) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 160) - (ensures - fun serialized_future -> - let serialized_future:t_Slice u8 = serialized_future in - Core.Slice.impl__len #u8 serialized_future == Core.Slice.impl__len #u8 serialized) + : Prims.Pure (t_Slice u8) Prims.l_True (fun _ -> Prims.l_True) val compress_then_serialize_message (#v_Vector: Type0) 
@@ -242,29 +243,6 @@ val compress_then_serialize_ring_element_v Spec.MLKEM.compress_then_encode_v v_COMPRESSION_FACTOR (Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector re)) -val deserialize_then_decompress_10_ - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (serialized: t_Slice u8) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires (Core.Slice.impl__len #u8 serialized <: usize) =. sz 320) - (fun _ -> Prims.l_True) - -val deserialize_then_decompress_ring_element_u - (v_COMPRESSION_FACTOR: usize) - (#v_Vector: Type0) - {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} - (serialized: t_Slice u8) - : Prims.Pure (Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector) - (requires - (v_COMPRESSION_FACTOR =. sz 10 || v_COMPRESSION_FACTOR =. sz 11) && - (Core.Slice.impl__len #u8 serialized <: usize) =. (sz 32 *! v_COMPRESSION_FACTOR <: usize)) - (ensures - fun result -> - let result:Libcrux_ml_kem.Polynomial.t_PolynomialRingElement v_Vector = result in - Libcrux_ml_kem.Polynomial.to_spec_poly_t #v_Vector result == - Spec.MLKEM.byte_decode_then_decompress (v v_COMPRESSION_FACTOR) serialized) - val serialize_uncompressed_ring_element (#v_Vector: Type0) {| i1: Libcrux_ml_kem.Vector.Traits.t_Operations v_Vector |} diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst index 75ff693ea..9e95712a0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fst 
@@ -1,27 +1,27 @@ module Libcrux_ml_kem.Types -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let impl_6__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE +let impl_7__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -let impl_13__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE +let impl_14__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -let impl_20__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE +let impl_21__len (v_SIZE: usize) (_: Prims.unit) = v_SIZE -let impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = self.f_value +let impl_7__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) = self.f_value -let impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = self.f_value +let impl_14__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) = self.f_value -let impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) = self.f_value +let impl_21__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) = self.f_value -let impl_21__from +let impl__from (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) = { f_sk = sk; f_pk = pk } <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE -let impl_21__into_parts +let impl__into_parts (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) = @@ -29,7 +29,7 @@ let impl_21__into_parts <: (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) -let impl_21__new +let impl__new (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_Array u8 v_PRIVATE_KEY_SIZE) (pk: t_Array u8 v_PUBLIC_KEY_SIZE) 
@@ -51,22 +51,22 @@ let impl_21__new <: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE -let impl_21__pk +let impl__pk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - = impl_20__as_slice v_PUBLIC_KEY_SIZE self.f_pk + = impl_21__as_slice v_PUBLIC_KEY_SIZE self.f_pk -let impl_21__private_key +let impl__private_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) = self.f_sk -let impl_21__public_key +let impl__public_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) = self.f_pk -let impl_21__sk +let impl__sk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) - = impl_13__as_slice v_PRIVATE_KEY_SIZE self.f_sk + = impl_14__as_slice v_PRIVATE_KEY_SIZE self.f_sk diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti index ca59dbe5c..b47d719e2 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Types.fsti 
@@ -1,25 +1,25 @@ module Libcrux_ml_kem.Types -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul /// The number of bytes -val impl_6__len: v_SIZE: usize -> Prims.unit +val impl_7__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) /// The number of bytes -val impl_13__len: v_SIZE: usize -> Prims.unit +val impl_14__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) /// The number of bytes -val impl_20__len: v_SIZE: usize -> Prims.unit +val impl_21__len: v_SIZE: usize -> Prims.unit -> Prims.Pure usize Prims.l_True (fun _ -> Prims.l_True) ///An ML-KEM Ciphertext type t_MlKemCiphertext (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = +let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true); @@ -27,7 +27,7 @@ let impl_2 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = +let impl_4 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemCiphertext v_SIZE) -> true); 
@@ -40,7 +40,7 @@ let impl_3 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemCiphertext v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_4 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) = +let impl_5 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCiphertext v_SIZE) = { f_from_pre = (fun (value: t_MlKemCiphertext v_SIZE) -> true); f_from_post = (fun (value: t_MlKemCiphertext v_SIZE) (out: t_Array u8 v_SIZE) -> true); @@ -48,19 +48,14 @@ let impl_4 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemCip } /// A reference to the raw byte slice. -val impl_6__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) - : Prims.Pure (t_Array u8 v_SIZE) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 v_SIZE = result in - result == self.f_value) +val impl_7__as_slice (v_SIZE: usize) (self: t_MlKemCiphertext v_SIZE) + : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) ///An ML-KEM Private key type t_MlKemPrivateKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_10 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true); @@ -68,7 +63,7 @@ let impl_9 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_10 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_11 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPrivateKey v_SIZE) -> true); 
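Review bot: In the `@@ -48,19 +48,14` hunk `impl_7__as_slice` drops the postcondition `result == self.f_value` and now promises only `Prims.l_True`, so nothing downstream can relate the bytes handed to a caller to the key or ciphertext they came from; the same weakening hits `impl_14__as_slice` in `@@ -89,19 +84,14`, `impl_21__as_slice` in `@@ -130,13 +120,8`, and `impl__from` in `@@ -145,19 +130,16`, where `result.f_sk == sk /\ result.f_pk == pk` is gone as well. If this interface is regenerated from the Rust source, the ensures clauses presumably came from hax-lib attributes the regenerated extraction no longer sees and the fix belongs there; otherwise restore `(ensures fun result -> result == self.f_value)` on the three `as_slice` declarations and the conjunction on `impl__from`. The `impl_N` renumbering in the rest of this section is cosmetic, but every proof that names `impl_20__as_slice` or `impl_13__as_slice` has to move in the same patch, as the `@@ -51,22 +51,22` hunk of Types.fst does.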
@@ -81,7 +76,7 @@ let impl_10 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPrivateKey v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_11 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) = +let impl_12 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPrivateKey v_SIZE) = { f_from_pre = (fun (value: t_MlKemPrivateKey v_SIZE) -> true); f_from_post = (fun (value: t_MlKemPrivateKey v_SIZE) (out: t_Array u8 v_SIZE) -> true); @@ -89,19 +84,14 @@ let impl_11 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPr } /// A reference to the raw byte slice. -val impl_13__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) - : Prims.Pure (t_Array u8 v_SIZE) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 v_SIZE = result in - result == self.f_value) +val impl_14__as_slice (v_SIZE: usize) (self: t_MlKemPrivateKey v_SIZE) + : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) ///An ML-KEM Public key type t_MlKemPublicKey (v_SIZE: usize) = { f_value:t_Array u8 v_SIZE } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_17 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true); @@ -109,7 +99,7 @@ let impl_16 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_17 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = +let impl_18 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_Array u8 v_SIZE) = { f_from_pre = (fun (value: t_Array u8 v_SIZE) -> true); f_from_post = (fun (value: t_Array u8 v_SIZE) (out: t_MlKemPublicKey v_SIZE) -> true); 
@@ -122,7 +112,7 @@ let impl_17 (v_SIZE: usize) : Core.Convert.t_From (t_MlKemPublicKey v_SIZE) (t_A } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_18 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) = +let impl_19 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPublicKey v_SIZE) = { f_from_pre = (fun (value: t_MlKemPublicKey v_SIZE) -> true); f_from_post = (fun (value: t_MlKemPublicKey v_SIZE) (out: t_Array u8 v_SIZE) -> true); @@ -130,13 +120,8 @@ let impl_18 (v_SIZE: usize) : Core.Convert.t_From (t_Array u8 v_SIZE) (t_MlKemPu } /// A reference to the raw byte slice. -val impl_20__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) - : Prims.Pure (t_Array u8 v_SIZE) - Prims.l_True - (ensures - fun result -> - let result:t_Array u8 v_SIZE = result in - result == self.f_value) +val impl_21__as_slice (v_SIZE: usize) (self: t_MlKemPublicKey v_SIZE) + : Prims.Pure (t_Array u8 v_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// An ML-KEM key pair type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { @@ -145,19 +130,16 @@ type t_MlKemKeyPair (v_PRIVATE_KEY_SIZE: usize) (v_PUBLIC_KEY_SIZE: usize) = { } /// Create a new [`MlKemKeyPair`] from the secret and public key. -val impl_21__from +val impl__from (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) (pk: t_MlKemPublicKey v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) Prims.l_True - (ensures - fun result -> - let result:t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE = result in - result.f_sk == sk /\ result.f_pk == pk) + (fun _ -> Prims.l_True) /// Separate this key into the public and private key. -val impl_21__into_parts +val impl__into_parts (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE & t_MlKemPublicKey v_PUBLIC_KEY_SIZE) 
@@ -165,7 +147,7 @@ val impl_21__into_parts (fun _ -> Prims.l_True) /// Creates a new [`MlKemKeyPair`]. -val impl_21__new +val impl__new (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (sk: t_Array u8 v_PRIVATE_KEY_SIZE) (pk: t_Array u8 v_PUBLIC_KEY_SIZE) @@ -174,31 +156,31 @@ val impl_21__new (fun _ -> Prims.l_True) /// Get a reference to the raw public key bytes. -val impl_21__pk +val impl__pk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_Array u8 v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Get a reference to the [`MlKemPrivateKey`]. -val impl_21__private_key +val impl__private_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemPrivateKey v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Get a reference to the [`MlKemPublicKey`]. -val impl_21__public_key +val impl__public_key (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_MlKemPublicKey v_PUBLIC_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) /// Get a reference to the raw private key bytes. -val impl_21__sk +val impl__sk (v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE: usize) (self: t_MlKemKeyPair v_PRIVATE_KEY_SIZE v_PUBLIC_KEY_SIZE) : Prims.Pure (t_Array u8 v_PRIVATE_KEY_SIZE) Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) = +let impl_1 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) = { f_default_pre = (fun (_: Prims.unit) -> true); f_default_post = (fun (_: Prims.unit) (out: t_MlKemCiphertext v_SIZE) -> true); 
@@ -209,7 +191,7 @@ let impl (v_SIZE: usize) : Core.Default.t_Default (t_MlKemCiphertext v_SIZE) = } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) = +let impl_8 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) = { f_default_pre = (fun (_: Prims.unit) -> true); f_default_post = (fun (_: Prims.unit) (out: t_MlKemPrivateKey v_SIZE) -> true); @@ -220,7 +202,7 @@ let impl_7 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPrivateKey v_SIZE) = } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) = +let impl_15 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) = { f_default_pre = (fun (_: Prims.unit) -> true); f_default_post = (fun (_: Prims.unit) (out: t_MlKemPublicKey v_SIZE) -> true); @@ -231,7 +213,7 @@ let impl_14 (v_SIZE: usize) : Core.Default.t_Default (t_MlKemPublicKey v_SIZE) = } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) = +let impl_2 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_Slice u8) = { f_as_ref_pre = (fun (self: t_MlKemCiphertext v_SIZE) -> true); f_as_ref_post = (fun (self: t_MlKemCiphertext v_SIZE) (out: t_Slice u8) -> true); @@ -239,7 +221,7 @@ let impl_1 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemCiphertext v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_8 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = +let impl_9 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = { f_as_ref_pre = (fun (self: t_MlKemPrivateKey v_SIZE) -> true); f_as_ref_post = (fun (self: t_MlKemPrivateKey v_SIZE) (out: t_Slice u8) -> true); 
@@ -247,7 +229,7 @@ let impl_8 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPrivateKey v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_15 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) = +let impl_16 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_Slice u8) = { f_as_ref_pre = (fun (self: t_MlKemPublicKey v_SIZE) -> true); f_as_ref_post = (fun (self: t_MlKemPublicKey v_SIZE) (out: t_Slice u8) -> true); @@ -255,7 +237,7 @@ let impl_15 (v_SIZE: usize) : Core.Convert.t_AsRef (t_MlKemPublicKey v_SIZE) (t_ } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_5 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) = +let impl_6 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) (t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); @@ -286,7 +268,7 @@ let impl_5 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemCiphertext v_SIZE) ( } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_12 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = +let impl_13 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) (t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); @@ -317,7 +299,7 @@ let impl_12 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPrivateKey v_SIZE) } [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_19 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) = +let impl_20 (v_SIZE: usize) : Core.Convert.t_TryFrom (t_MlKemPublicKey v_SIZE) (t_Slice u8) = { f_Error = Core.Array.t_TryFromSliceError; f_try_from_pre = (fun (value: t_Slice u8) -> true); diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst index 2ee26ba5e..7af62082c 100644 
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Utils -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -26,21 +26,4 @@ let into_padded_array (v_LEN: usize) (slice: t_Slice u8) = <: t_Slice u8) in - let _:Prims.unit = assert (Seq.slice out 0 (Seq.length slice) == slice) in - let _:Prims.unit = - assert (Seq.slice out (Seq.length slice) (v v_LEN) == - Seq.slice (Seq.create (v v_LEN) 0uy) (Seq.length slice) (v v_LEN)) - in - let _:Prims.unit = - assert (forall i. i < Seq.length slice ==> Seq.index out i == Seq.index slice i) - in - let _:Prims.unit = - assert (forall i. - (i >= Seq.length slice && i < v v_LEN) ==> - Seq.index out i == - Seq.index (Seq.slice out (Seq.length slice) (v v_LEN)) (i - Seq.length slice)) - in - let _:Prims.unit = - Seq.lemma_eq_intro out (Seq.append slice (Seq.create (v v_LEN - Seq.length slice) 0uy)) - in out diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti index c87b2d316..df9ce411d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Utils.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Utils -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -7,8 +7,4 @@ open FStar.Mul val into_padded_array (v_LEN: usize) (slice: t_Slice u8) : Prims.Pure (t_Array u8 v_LEN) (requires (Core.Slice.impl__len #u8 slice <: usize) <=. v_LEN) - (ensures - fun result -> - let result:t_Array u8 v_LEN = result in - result == Seq.append slice (Seq.create (v v_LEN - v (Core.Slice.impl__len #u8 slice)) 0uy) - ) + (fun _ -> Prims.l_True) 
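Review bot: `into_padded_array` keeps its precondition `(Core.Slice.impl__len #u8 slice <: usize) <=. v_LEN` but loses the ensures clause `result == Seq.append slice (Seq.create (v v_LEN - v (Core.Slice.impl__len #u8 slice)) 0uy)` in Utils.fsti, together with the four asserts and the `Seq.lemma_eq_intro` step in Utils.fst that discharged it. Any caller proof that relied on the padded contents — that the prefix is the input and the bytes beyond it are zero — now has nothing to work from, so it becomes unprovable rather than merely slower. If the lemma chain was dropped because it no longer verifies at the new `--z3rlimit 15`, wrapping just this function in `#push-options "--z3rlimit 100"` is cheaper than losing the spec; if the extraction is regenerated from Rust, the `ensures` has to be re-attached at the source.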
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti index 0d74da846..6f90dfca8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Variant.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Variant -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -27,18 +27,18 @@ class t_Variant (v_Self: Type0) = { v_CIPHERTEXT_SIZE: usize -> #v_Hasher: Type0 -> {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - shared_secret: t_Slice u8 -> - ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE - -> pred: Type0{(Core.Slice.impl__len #u8 shared_secret <: usize) =. sz 32 ==> pred}; + t_Slice u8 -> + Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE + -> Type0; f_kdf_post: v_K: usize -> v_CIPHERTEXT_SIZE: usize -> #v_Hasher: Type0 -> {| i1: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - shared_secret: t_Slice u8 -> - ciphertext: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE -> - res: t_Array u8 (sz 32) - -> pred: Type0{pred ==> res == shared_secret}; + t_Slice u8 -> + Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE -> + t_Array u8 (sz 32) + -> Type0; f_kdf: v_K: usize -> v_CIPHERTEXT_SIZE: usize -> 
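Review bot: In the `@@ -27,18 +27,18` hunk `f_kdf_pre` and `f_kdf_post` lose their refinements: the precondition no longer has to be implied by `(Core.Slice.impl__len #u8 shared_secret <: usize) =. sz 32`, and the postcondition no longer has to imply `res == shared_secret`; the same happens to `f_entropy_preprocess_pre`/`f_entropy_preprocess_post` in the `@@ -53,15 +53,15` hunk. With the result types reduced to bare `Type0`, a `t_Variant` instance may choose any precondition and a vacuous postcondition, and the `t_MlKem` instance later in this file does exactly that (`true` in the `@@ -112,7`, `@@ -124,9`, `@@ -152,7` and `@@ -162,9` hunks), so the fact that the ML-KEM KDF returns the 32-byte shared secret unchanged is no longer part of the verified interface. Those `pred: Type0{... ==> pred}` refinements were the only thing tying the class to the spec; if they disappeared because the generator emits them differently now, they should come back in the regenerated file before this lands.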
@@ -53,15 +53,15 @@ class t_Variant (v_Self: Type0) = { v_K: usize -> #v_Hasher: Type0 -> {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - randomness: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 randomness <: usize) =. sz 32 ==> pred}; + t_Slice u8 + -> Type0; f_entropy_preprocess_post: v_K: usize -> #v_Hasher: Type0 -> {| i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K |} -> - randomness: t_Slice u8 -> - res: t_Array u8 (sz 32) - -> pred: Type0{pred ==> res == randomness}; + t_Slice u8 -> + t_Array u8 (sz 32) + -> Type0; f_entropy_preprocess: v_K: usize -> #v_Hasher: Type0 -> @@ -112,7 +112,7 @@ let impl: t_Variant t_MlKem = (shared_secret: t_Slice u8) (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) -> - (Core.Slice.impl__len #u8 shared_secret <: usize) =. sz 32); + true); f_kdf_post = (fun @@ -124,9 +124,9 @@ let impl: t_Variant t_MlKem = Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (shared_secret: t_Slice u8) (_: Libcrux_ml_kem.Types.t_MlKemCiphertext v_CIPHERTEXT_SIZE) - (res: t_Array u8 (sz 32)) + (out1: t_Array u8 (sz 32)) -> - res == shared_secret); + true); f_kdf = (fun @@ -152,7 +152,7 @@ let impl: t_Variant t_MlKem = Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (randomness: t_Slice u8) -> - (Core.Slice.impl__len #u8 randomness <: usize) =. sz 32); + true); f_entropy_preprocess_post = (fun @@ -162,9 +162,9 @@ let impl: t_Variant t_MlKem = i3: Libcrux_ml_kem.Hash_functions.t_Hash v_Hasher v_K) (randomness: t_Slice u8) - (res: t_Array u8 (sz 32)) + (out1: t_Array u8 (sz 32)) -> - res == randomness); + true); f_entropy_preprocess = (fun diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst index 14c6d47e2..81d8b74e0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fst 
@@ -1,204 +1,59 @@ module Libcrux_ml_kem.Vector.Avx2.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let lemma_add_i (lhs rhs: t_Vec256) (i:nat): Lemma - (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i)))) - (ensures (v (add_mod (get_lane lhs i) (get_lane rhs i)) == - (v (get_lane lhs i) + v (get_lane rhs i)))) - [SMTPat (v (add_mod (get_lane lhs i) (get_lane rhs i)))] = () +let add (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs -let add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs - in - let _:Prims.unit = - assert (forall i. get_lane result i == get_lane lhs i +. get_lane rhs i); - assert (forall i. v (get_lane result i) == v (get_lane lhs i) + v (get_lane rhs i)) - in - result +let bitwise_and_with_constant (vector: u8) (constant: i16) = + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 vector + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant <: u8) -let bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) = - let cv:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_and_si256 vector cv - in - let _:Prims.unit = - Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) - (Spec.Utils.map_array (fun x -> x &. 
constant) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - in - result +let multiply_by_constant (vector: u8) (constant: i16) = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant <: u8) -let lemma_mul_i (lhs: t_Vec256) (i:nat) (c:i16): Lemma - (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) * v c))) - (ensures (v (mul_mod (get_lane lhs i) c) == - (v (get_lane lhs i) * v c))) - [SMTPat (v (mul_mod (get_lane lhs i) c))] = () +let shift_right (v_SHIFT_BY: i32) (vector: u8) = + Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 v_SHIFT_BY vector -let multiply_by_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) = - let cv:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector cv - in - let _:Prims.unit = - Seq.lemma_eq_intro (vec256_as_i16x16 result) - (Spec.Utils.map_array (fun x -> x *. constant) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - in - let _:Prims.unit = - assert (forall i. get_lane result i == get_lane vector i *. constant); - assert (forall i. v (get_lane vector i *. constant) == v (get_lane vector i) * v constant); - assert (forall i. v (get_lane result i) == v (get_lane vector i) * v constant) - in - result +let sub (lhs rhs: u8) = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 lhs rhs -let shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 v_SHIFT_BY vector - in - let _:Prims.unit = - Seq.lemma_eq_intro (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) - (Spec.Utils.map_array (fun x -> x >>! 
v_SHIFT_BY) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - in - result - -let lemma_sub_i (lhs rhs: t_Vec256) (i:nat): Lemma - (requires (i < 16 /\ Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i)))) - (ensures (v (sub_mod (get_lane lhs i) (get_lane rhs i)) == - (v (get_lane lhs i) - v (get_lane rhs i)))) - [SMTPat (v (sub_mod (get_lane lhs i) (get_lane rhs i)))] = () - -let sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 lhs rhs - in - let _:Prims.unit = - assert (forall i. get_lane result i == get_lane lhs i -. get_lane rhs i); - assert (forall i. v (get_lane result i) == v (get_lane lhs i) - v (get_lane rhs i)) - in - result - -#push-options "--z3rlimit 200" - -let barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let t0:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let barrett_reduce (vector: u8) = + let t:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vector - (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 v_BARRETT_MULTIPLIER - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let _:Prims.unit = - assert (forall i. - get_lane t0 i == - (cast (((cast (get_lane vector i) <: i32) *. (cast v_BARRETT_MULTIPLIER <: i32)) >>! 16l) - <: - i16)) - in - let t512:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 512s + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 v_BARRETT_MULTIPLIER <: u8) in - let _:Prims.unit = assert (forall i. get_lane t512 i == 512s) in - let t1:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 t0 t512 + let t:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 t + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 512s <: u8) in - let _:Prims.unit = assert (forall i. get_lane t1 i == get_lane t0 i +. 
512s) in - let quotient:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 10l t1 - in - let _:Prims.unit = - assert (forall i. get_lane quotient i == (((get_lane t1 i) <: i16) >>! (10l <: i32))) - in - let quotient_times_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let quotient:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 10l t in + let quotient_times_field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 quotient (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let _:Prims.unit = - assert (forall i. - get_lane quotient_times_field_modulus i == - get_lane quotient i *. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) + u8) in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector quotient_times_field_modulus - in - let _:Prims.unit = - assert (forall i. - get_lane result i == get_lane vector i -. get_lane quotient_times_field_modulus i); - assert (forall i. get_lane result i == Spec.Utils.barrett_red (get_lane vector i)); - assert (forall i. v (get_lane result i) % 3329 == v (get_lane vector i) % 3329); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (forall (i: nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)) - in - result - -#pop-options + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector quotient_times_field_modulus -#push-options "--z3rlimit 100" - -let cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let cond_subtract_3329_ (vector: u8) = + let field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS in - let _:Prims.unit = assert (forall i. 
get_lane field_modulus i == 3329s) in - let vv_minus_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let vv_minus_field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 vector field_modulus in - let _:Prims.unit = - assert (forall i. get_lane vv_minus_field_modulus i == get_lane vector i -. 3329s) - in - let sign_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l vv_minus_field_modulus - in - let _:Prims.unit = - assert (forall i. get_lane sign_mask i == (get_lane vv_minus_field_modulus i >>! 15l)) - in - let conditional_add_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let sign_mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srai_epi16 15l vv_minus_field_modulus in + let conditional_add_field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_and_si256 sign_mask field_modulus in - let _:Prims.unit = - assert (forall i. get_lane conditional_add_field_modulus i == (get_lane sign_mask i &. 3329s)) - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 vv_minus_field_modulus - conditional_add_field_modulus - in - let _:Prims.unit = - assert (forall i. - get_lane result i == - (get_lane vv_minus_field_modulus i +. get_lane conditional_add_field_modulus i)); - assert (forall i. get_lane result i == Spec.Utils.cond_sub (get_lane vector i)); - assert (forall i. - get_lane result i == - (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i)) - in - result - -#pop-options + Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 vv_minus_field_modulus + conditional_add_field_modulus -#push-options "--z3rlimit 200" - -let montgomery_multiply_by_constant - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (constant: i16) - = - let vec_constant:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant - in - let _:Prims.unit = assert (forall i. 
get_lane vec_constant i == constant) in - let value_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector vec_constant - in - let _:Prims.unit = assert (forall i. get_lane value_low i == get_lane vector i *. constant) in - let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let montgomery_multiply_by_constant (vector: u8) (constant: i16) = + let constant:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 constant in + let value_low:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vector constant in + let k:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 value_low (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: 
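Review bot: This hunk removes every proof artefact in the module — the `lemma_add_i`/`lemma_mul_i`/`lemma_sub_i` SMT-pattern lemmas, the lane-wise `assert (forall i. get_lane ...)` blocks, the `#push-options "--z3rlimit 200"` around `barrett_reduce`, and in particular the range results `Spec.Utils.is_i16b 3328 (get_lane result i)` and `v (get_lane result i) % 3329 == ...` on `barrett_reduce`, `cond_subtract_3329_` and `montgomery_multiply_by_constant`. Those bounds are presumably what downstream proofs use to rule out i16 wrap-around in the following `mm256_mullo_epi16`/`mm256_add_epi16` calls, so the code is unchanged but the overflow argument for the AVX2 path goes with them. The parameter types also change from `Libcrux_intrinsics.Avx2_extract.t_Vec256` to `u8` (`let add (lhs rhs: u8) = ...`), which looks like the intrinsics crate is currently stubbed that way for extraction; none of the removed `get_lane`/`vec256_as_i16x16` reasoning is expressible over a `u8`, so restoring the vector type is a prerequisite for bringing the specs back. Given the "wip" title this may be deliberate, but the commit message should state that the AVX2 arithmetic proofs are temporarily disabled and why.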
@@ -206,68 +61,20 @@ let montgomery_multiply_by_constant <: i16) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let _:Prims.unit = assert (forall i. get_lane k i == get_lane value_low i *. (neg 3327s)) in - let modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - in - let _:Prims.unit = assert (forall i. get_lane modulus i == 3329s) in - let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k modulus - in - let _:Prims.unit = - assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 modulus)); - assert (forall i. - get_lane k_times_modulus i == - (cast (((cast (get_lane k i) <: i32) *. (cast (get_lane modulus i) <: i32)) >>! 16l) - <: - i16)) - in - let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vector vec_constant - in - let _:Prims.unit = - assert (forall i. - get_lane value_high i == - (cast (((cast (get_lane vector i) <: i32) *. (cast (get_lane vec_constant i) <: i32)) >>! - 16l) - <: - i16)) - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus + u8) in - let _:Prims.unit = - Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. get_lane result i == (get_lane value_high i) -. (get_lane k_times_modulus i)); - assert (forall i. get_lane result i == Spec.Utils.mont_mul_red_i16 (get_lane vector i) constant); - assert (forall i. 
Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (forall (i: nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)); - assert (forall i. - v (get_lane result i) % 3329 == ((v (get_lane vector i) * v constant * 169) % 3329)) + let k_times_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + <: + u8) in - result - -#pop-options + let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vector constant in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus -#push-options "--z3rlimit 100" - -let montgomery_multiply_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let value_low:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vec constants - in - let _:Prims.unit = - assert (forall i. get_lane value_low i == get_lane vec i *. get_lane constants i) - in - let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let montgomery_multiply_by_constants (v c: u8) = + let value_low:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 v c in + let k:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 value_low (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: 
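Review bot: `let montgomery_multiply_by_constants (v c: u8) =` renames the parameters from `vec constants` to `v c`, and `v` is the machine-integer view used throughout these modules (`v v_LEN` in Utils.fsti, `v (get_lane result i)` in the code this hunk deletes); inside the body that name is now shadowed, so any future `assert` or `ensures` about lane values here would have to be written around the parameter. Keep the descriptive names, `let montgomery_multiply_by_constants (vec constants: u8) =`, as `montgomery_multiply_by_constant` above still does with `vector`/`constant`; if the extracted names come from the Rust source, the rename belongs there. The same `v c` rename appears in `montgomery_multiply_m128i_by_constants` in the next hunk, whose end is outside this view.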
@@ -275,69 +82,20 @@ let montgomery_multiply_by_constants (vec constants: Libcrux_intrinsics.Avx2_ext <: i16) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let _:Prims.unit = assert (forall i. get_lane k i == get_lane value_low i *. (neg 3327s)) in - let modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - in - let _:Prims.unit = assert (forall i. get_lane modulus i == 3329s) in - let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k modulus - in - let _:Prims.unit = - assert (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 k) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 modulus)); - assert (forall i. - get_lane k_times_modulus i == - (cast (((cast (get_lane k i) <: i32) *. (cast (get_lane modulus i) <: i32)) >>! 16l) - <: - i16)) - in - let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 vec constants - in - let _:Prims.unit = - assert (forall i. - get_lane value_high i == - (cast (((cast (get_lane vec i) <: i32) *. (cast (get_lane constants i) <: i32)) >>! 16l) - <: - i16)) - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus + u8) in - let _:Prims.unit = - Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. get_lane result i == (get_lane value_high i) -. (get_lane k_times_modulus i)); - assert (forall i. - get_lane result i == Spec.Utils.mont_mul_red_i16 (get_lane vec i) (get_lane constants i)); - assert (forall i. 
Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (forall (i: nat). i < 16 ==> Spec.Utils.is_i16b 3328 (get_lane result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)); - assert (forall i. - v (get_lane result i) % 3329 == - ((v (get_lane vec i) * v (get_lane constants i) * 169) % 3329)) + let k_times_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + <: + u8) in - result + let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 v c in + Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus -#pop-options - -#push-options "--z3rlimit 100" - -let montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec128) = - let value_low:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_mullo_epi16 vec constants - in - let _:Prims.unit = - assert (forall i. get_lane128 value_low i == get_lane128 vec i *. get_lane128 constants i) - in - let k:Libcrux_intrinsics.Avx2_extract.t_Vec128 = +let montgomery_multiply_m128i_by_constants (v c: u8) = + let value_low:u8 = Libcrux_intrinsics.Avx2_extract.mm_mullo_epi16 v c in + let k:u8 = Libcrux_intrinsics.Avx2_extract.mm_mullo_epi16 value_low (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: 
@@ -345,74 +103,29 @@ let montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Av <: i16) <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let _:Prims.unit = assert (forall i. get_lane128 k i == get_lane128 value_low i *. (neg 3327s)) in - let modulus:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS - in - let _:Prims.unit = assert (forall i. get_lane128 modulus i == 3329s) in - let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 k modulus - in - let _:Prims.unit = - assert (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 k_times_modulus == - Spec.Utils.map2 (fun x y -> cast (((cast x <: i32) *. (cast y <: i32)) >>! 16l) <: i16) - (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 k) - (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 modulus)); - assert (forall i. - get_lane128 k_times_modulus i == - (cast (((cast (get_lane128 k i) <: i32) *. (cast (get_lane128 modulus i) <: i32)) >>! 16l) - <: - i16)) + u8) in - let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 vec constants - in - let _:Prims.unit = - assert (forall i. - get_lane128 value_high i == - (cast (((cast (get_lane128 vec i) <: i32) *. (cast (get_lane128 constants i) <: i32)) >>! - 16l) - <: - i16)) - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 value_high k_times_modulus - in - let _:Prims.unit = - Spec.Utils.lemma_range_at_percent 3329 (pow2 32); - assert (v (cast 3329s <: i32) == (3329 @% pow2 32)); - assert (v (cast 3329s <: i32) == 3329); - assert ((cast 3329s <: i32) == 3329l); - assert (forall i. - get_lane128 result i == (get_lane128 value_high i) -. (get_lane128 k_times_modulus i)); - assert (forall i. 
- get_lane128 result i == - Spec.Utils.mont_mul_red_i16 (get_lane128 vec i) (get_lane128 constants i)); - assert (forall i. Spec.Utils.is_i16b 3328 (get_lane128 result i)); - assert (forall (i: nat). i < 8 ==> Spec.Utils.is_i16b 3328 (get_lane128 result i)); - assert (Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 result)); - assert (forall i. - v (get_lane128 result i) % 3329 == - ((v (get_lane128 vec i) * v (get_lane128 constants i) * 169) % 3329)) + let k_times_modulus:u8 = + Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 k + (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS + <: + u8) in - result + let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm_mulhi_epi16 v c in + Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 value_high k_times_modulus -#pop-options - -let montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let k:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 vec +let montgomery_reduce_i32s (v: u8) = + let k:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 v (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: i32) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let k_times_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let k_times_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mulhi_epi16 k (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: 
@@ -420,19 +133,9 @@ let montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: i32) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let value_high:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 16l vec - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l result - in - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 16l result + u8) in - let _:Prims.unit = admit () (* Panic freedom *) in - result + let value_high:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi32 16l v in + let result:u8 = Libcrux_intrinsics.Avx2_extract.mm256_sub_epi16 value_high k_times_modulus in + let result:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l result in + Libcrux_intrinsics.Avx2_extract.mm256_srai_epi32 16l result diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti index 9bc156305..ad8d448c9 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Arithmetic.fsti 
@@ -1,139 +1,34 @@ module Libcrux_ml_kem.Vector.Avx2.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let v_BARRETT_MULTIPLIER: i16 = 20159s -open Libcrux_intrinsics.Avx2_extract +val add (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val add (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - forall i. - i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) + v (get_lane rhs i))) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall i. i < 16 ==> v (get_lane result i) == (v (get_lane lhs i) + v (get_lane rhs i))) +val bitwise_and_with_constant (vector: u8) (constant: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val bitwise_and_with_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result == - Spec.Utils.map_array (fun x -> x &. constant) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) +val multiply_by_constant (vector: u8) (constant: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val multiply_by_constant (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (constant: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane vector i) * v constant)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall i. 
i < 16 ==> v (get_lane result i) == (v (get_lane vector i) * v constant)) +val shift_right (v_SHIFT_BY: i32) (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val shift_right (v_SHIFT_BY: i32) (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> - Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result == - Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - -val sub (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - forall i. - i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (get_lane lhs i) - v (get_lane rhs i))) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall i. i < 16 ==> v (get_lane result i) == (v (get_lane lhs i) - v (get_lane rhs i))) +val sub (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) /// See Section 3.2 of the implementation notes document for an explanation /// of this code. -val barrett_reduce (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b_array 28296 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\ - (forall i. 
i < 16 ==> v (get_lane result i) % 3329 == (v (get_lane vector i) % 3329))) +val barrett_reduce (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val cond_subtract_3329_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b_array (pow2 12 - 1) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vector)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall i. - i < 16 ==> - get_lane result i == - (if (get_lane vector i) >=. 3329s then get_lane vector i -! 3329s else get_lane vector i - )) +val cond_subtract_3329_ (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply_by_constant - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (constant: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Spec.Utils.is_i16b 1664 constant) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\ - (forall i. - i < 16 ==> - v (get_lane result i) % 3329 == ((v (get_lane vector i) * v constant * 169) % 3329))) +val montgomery_multiply_by_constant (vector: u8) (constant: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 constants)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\ - (forall i. 
- i < 16 ==> - v (get_lane result i) % 3329 == - ((v (get_lane vec i) * v (get_lane constants i) * 169) % 3329))) +val montgomery_multiply_by_constants (v c: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_multiply_m128i_by_constants (vec constants: Libcrux_intrinsics.Avx2_extract.t_Vec128) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec128 - (requires - Spec.Utils.is_i16b_array 1664 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 constants)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec128 = result in - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec128_as_i16x8 result) /\ - (forall i. - i < 8 ==> - v (get_lane128 result i) % 3329 == - ((v (get_lane128 vec i) * v (get_lane128 constants i) * 169) % 3329))) +val montgomery_multiply_m128i_by_constants (v c: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val montgomery_reduce_i32s (vec: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b_array (3328 * pow2 16) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vec)) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - Spec.Utils.is_i16b_array (3328 + 1665) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result) /\ - (Spec.Utils.is_i16b_array (3328 * pow2 15) - (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 vec) ==> - Spec.Utils.is_i16b_array 3328 (Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 result)) /\ - (forall i. i < 16 ==> v (get_lane result i) % 3329 == ((v (get_lane vec i) * 169) % 3329)) - ) +val montgomery_reduce_i32s (v: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst index 87c17cd2a..d40f2d67a 100644 
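Review bot: Every `requires`/`ensures` in this interface is replaced by `Prims.l_True`, so the input-range preconditions that ruled out i16 overflow — `Spec.Utils.is_i16b 1664 constant` on `montgomery_multiply_by_constant`, `Spec.Utils.is_i16b_array 28296 ...` on `barrett_reduce`, `(pow2 12 - 1)` on `cond_subtract_3329_`, `is_intb (pow2 15 - 1)` on `add`, `sub` and `multiply_by_constant` — are no longer imposed on callers, and the `% 3329` correctness postconditions go with them. Combined with the `--z3rlimit` drop from 100 to 15 the interface now verifies trivially, which means the NTT callers that depend on these bounds are no longer checked against them. The parameter rename from `vec` to `v` in `montgomery_multiply_by_constants`, `montgomery_multiply_m128i_by_constants` and `montgomery_reduce_i32s` would shadow the `v` integer-view function the removed specs used (`v (get_lane result i)`), so any contract restored on these signatures would need a different name; keeping `vec` avoids that. If the stub is deliberate for this WIP, a comment at the top of the file such as `(* WIP: all contracts stubbed to l_True pending re-extraction; the previous bounds are in the file history. *)` would record what was lost.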
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Compress.fst @@ -1,36 +1,27 @@ module Libcrux_ml_kem.Vector.Avx2.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let mulhi_mm256_epi32 (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let prod02:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mul_epu32 lhs rhs - in - let prod13:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let mulhi_mm256_epi32 (lhs rhs: u8) = + let prod02:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epu32 lhs rhs in + let prod13:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mul_epu32 (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l lhs <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l rhs <: u8) in Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi64 (Libcrux_intrinsics.Avx2_extract.mm256_unpacklo_epi32 prod02 prod13 <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - (Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi32 prod02 prod13 - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) + (Libcrux_intrinsics.Avx2_extract.mm256_unpackhi_epi32 prod02 prod13 <: u8) -let compress_ciphertext_coefficient - (v_COEFFICIENT_BITS: i32) - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - = - let field_modulus_halved:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let compress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: u8) = + let field_modulus_halved:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 (((cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) 
@@ -43,63 +34,47 @@ let compress_ciphertext_coefficient <: i32) in - let compression_factor:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 10321340l - in - let coefficient_bits_mask:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let compression_factor:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 10321340l in + let coefficient_bits_mask:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi32 ((1l < Prims.l_True) +val mulhi_mm256_epi32 (lhs rhs: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val compress_ciphertext_coefficient - (v_COEFFICIENT_BITS: i32) - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - v v_COEFFICIENT_BITS >= 0 /\ v v_COEFFICIENT_BITS < bits i32_inttype /\ - range (v (1l < Prims.l_True) +val compress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val compress_message_coefficient (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) +val compress_message_coefficient (vector: u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val decompress_ciphertext_coefficient - (v_COEFFICIENT_BITS: i32) - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires v v_COEFFICIENT_BITS >= 0 /\ v v_COEFFICIENT_BITS < bits i32_inttype) - (fun _ -> Prims.l_True) +val decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) (vector: u8) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst index 7fb1ccee4..68f788df8 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fst 
@@ -1,118 +1,76 @@ module Libcrux_ml_kem.Vector.Avx2.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -#push-options "--admit_smt_queries true" - -let inv_ntt_layer_1_step - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i16) - = - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let inv_ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) = + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 rhs (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (-1s) (-1s) 1s 1s (-1s) (-1s) 1s 1s (-1s) (-1s) 1s 1s (-1s) (-1s) 1s 1s <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let sum:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs - in - let sum_times_zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let sum:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs in + let sum_times_zetas:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants sum (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 zeta3 zeta3 0s 0s zeta2 zeta2 0s 0s zeta1 zeta1 0s 0s zeta0 zeta0 0s 0s <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let sum:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_kem.Vector.Avx2.Arithmetic.barrett_reduce sum + u8) in + let sum:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.barrett_reduce sum in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi16 204l sum sum_times_zetas -#pop-options - -let inv_ntt_layer_2_step (vector: 
Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) = - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 245l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 160l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let inv_ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) = + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 245l vector in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 160l vector in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 rhs (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (-1s) (-1s) (-1s) (-1s) 1s 1s 1s 1s (-1s) (-1s) (-1s) (-1s) 1s 1s 1s 1s <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let sum:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs + u8) in - let sum_times_zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let sum:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs in + let sum_times_zetas:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants sum (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 zeta1 zeta1 zeta1 zeta1 0s 0s 0s 0s zeta0 zeta0 zeta0 zeta0 0s 0s 0s 0s <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi16 240l sum sum_times_zetas -let inv_ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) = - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector - in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - 
Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = +let inv_ntt_layer_3_step (vector: u8) (zeta: i16) = + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector in + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs in + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs in + let upper_coefficients:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_m128i_by_constants upper_coefficients - (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients + (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta <: u8) in + let combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients in Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l combined upper_coefficients -let ntt_layer_1_step - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i16) - = - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) = + let zetas:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta3 <: i16) (Core.Ops.Arith.Neg.neg zeta3 <: i16) zeta3 zeta3 (Core.Ops.Arith.Neg.neg zeta2 <: i16) (Core.Ops.Arith.Neg.neg zeta2 <: i16) zeta2 zeta2 (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0 in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - 
Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas - in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector - in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 245l vector in + let rhs:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas in + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 160l vector in Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs -let ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) = - let zetas:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) = + let zetas:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) (Core.Ops.Arith.Neg.neg zeta1 <: i16) zeta1 zeta1 zeta1 zeta1 
@@ -120,92 +78,44 @@ let ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 z (Core.Ops.Arith.Neg.neg zeta0 <: i16) (Core.Ops.Arith.Neg.neg zeta0 <: i16) zeta0 zeta0 zeta0 zeta0 in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 238l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas - in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 68l vector - in + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 238l vector in + let rhs:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_by_constants rhs zetas in + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi32 68l vector in Libcrux_intrinsics.Avx2_extract.mm256_add_epi16 lhs rhs -let ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) = - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector - in - let rhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = +let ntt_layer_3_step (vector: u8) (zeta: i16) = + let rhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l vector in + let rhs:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_multiply_m128i_by_constants rhs - (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let lhs:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector - in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs - in - let combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - 
Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients + (Libcrux_intrinsics.Avx2_extract.mm_set1_epi16 zeta <: u8) in + let lhs:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 vector in + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_add_epi16 lhs rhs in + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_sub_epi16 lhs rhs in + let combined:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients in Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l combined upper_coefficients -let ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i16) = - let shuffle_with:Libcrux_intrinsics.Avx2_extract.t_Vec256 = +let ntt_multiply (lhs rhs: u8) (zeta0 zeta1 zeta2 zeta3: i16) = + let shuffle_with:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 15y 14y 11y 10y 7y 6y 3y 2y 13y 12y 9y 8y 5y 4y 1y 0y 15y 14y 11y 10y 7y 6y 3y 2y 13y 12y 9y 8y 5y 4y 1y 0y in - let lhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 lhs shuffle_with - in - let lhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l lhs_shuffled - in - let lhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 lhs_shuffled - in - let lhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_evens - in - let lhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l lhs_shuffled - in - let lhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_odds - in - let rhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 rhs shuffle_with - in - let rhs_shuffled:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - 
Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l rhs_shuffled - in - let rhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 rhs_shuffled - in - let rhs_evens:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_evens - in - let rhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l rhs_shuffled - in - let rhs_odds:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_odds - in - let left:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_evens rhs_evens - in - let right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_odds rhs_odds - in - let right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s right - in - let right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let lhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 lhs shuffle_with in + let lhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l lhs_shuffled in + let lhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 lhs_shuffled in + let lhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_evens in + let lhs_odds:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l lhs_shuffled in + let lhs_odds:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 lhs_odds in + let rhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 rhs shuffle_with in + let rhs_shuffled:u8 = Libcrux_intrinsics.Avx2_extract.mm256_permute4x64_epi64 216l rhs_shuffled in + let rhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 rhs_shuffled in + let rhs_evens:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_evens in + let rhs_odds:u8 = 
Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l rhs_shuffled in + let rhs_odds:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cvtepi16_epi32 rhs_odds in + let left:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_evens rhs_evens in + let right:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 lhs_odds rhs_odds in + let right:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s right in + let right:u8 = Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi32 right (Libcrux_intrinsics.Avx2_extract.mm256_set_epi32 (Core.Ops.Arith.Neg.neg (cast (zeta3 <: i16) <: 
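Review bot: In `inv_ntt_layer_3_step` and `ntt_layer_3_step` the 128-bit halves produced by `mm256_extracti128_si256` and `mm256_castsi256_si128` and the 256-bit `combined` passed to `mm256_inserti128_si256` now share the single type `u8`, so the width distinction the old `t_Vec128`/`t_Vec256` annotations enforced at type-check time is gone and a lane-width mix-up in these functions would no longer be rejected. The same applies to `lhs_evens`/`lhs_odds` in `ntt_multiply`, which continues past the end of this hunk. The removal of `#push-options "--admit_smt_queries true"` around `inv_ntt_layer_1_step` reads as progress, but with the callees' contracts reduced to `Prims.l_True` in the Arithmetic interface on this page there is nothing left for the solver to discharge, so it should not be taken as the function now being verified; a comment like `(* no proof obligations here: callee contracts are stubbed in this extraction *)` above the `let` would make that explicit.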
@@ -220,28 +130,24 @@ let ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta (Core.Ops.Arith.Neg.neg (cast (zeta0 <: i16) <: i32) <: i32) (cast (zeta0 <: i16) <: i32) <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let products_left:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 left right - in - let products_left:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let products_left:u8 = Libcrux_intrinsics.Avx2_extract.mm256_add_epi32 left right in + let products_left:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s products_left in - let rhs_adjacent_swapped:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let rhs_adjacent_swapped:u8 = Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 rhs (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 13y 12y 15y 14y 9y 8y 11y 10y 5y 4y 7y 6y 1y 0y 3y 2y 13y 12y 15y 14y 9y 8y 11y 10y 5y 4y 7y 6y 1y 0y 3y 2y <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) + u8) in - let products_right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let products_right:u8 = Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 lhs rhs_adjacent_swapped in - let products_right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let products_right:u8 = Libcrux_ml_kem.Vector.Avx2.Arithmetic.montgomery_reduce_i32s products_right in - let products_right:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l products_right - in + let products_right:u8 = Libcrux_intrinsics.Avx2_extract.mm256_slli_epi32 16l products_right in Libcrux_intrinsics.Avx2_extract.mm256_blend_epi16 170l products_left products_right diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti index b7f8a6c7d..e86b8344d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Ntt.fsti 
@@ -1,51 +1,26 @@ module Libcrux_ml_kem.Vector.Avx2.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let ntt_multiply__PERMUTE_WITH: i32 = 216l -val inv_ntt_layer_1_step - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3) - (fun _ -> Prims.l_True) - -val inv_ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1) - (fun _ -> Prims.l_True) - -val inv_ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Spec.Utils.is_i16b 1664 zeta) - (fun _ -> Prims.l_True) - -val ntt_layer_1_step - (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - (zeta0 zeta1 zeta2 zeta3: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3) - (fun _ -> Prims.l_True) - -val ntt_layer_2_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1) - (fun _ -> Prims.l_True) - -val ntt_layer_3_step (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Spec.Utils.is_i16b 1664 zeta) - (fun _ -> Prims.l_True) - -val ntt_multiply (lhs rhs: Libcrux_intrinsics.Avx2_extract.t_Vec256) (zeta0 zeta1 zeta2 zeta3: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - 
(requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3) - (fun _ -> Prims.l_True) +val inv_ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val inv_ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val inv_ntt_layer_3_step (vector: u8) (zeta: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_layer_1_step (vector: u8) (zeta0 zeta1 zeta2 zeta3: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_layer_2_step (vector: u8) (zeta0 zeta1: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_layer_3_step (vector: u8) (zeta: i16) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) + +val ntt_multiply (lhs rhs: u8) (zeta0 zeta1 zeta2 zeta3: i16) + : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst index a36ffa505..33c894793 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fst 
@@ -1,36 +1,19 @@ module Libcrux_ml_kem.Vector.Avx2.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -#push-options "--admit_smt_queries true" - let rejection_sample (input: t_Slice u8) (output: t_Slice i16) = - let field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS in - let potential_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ input - in - let compare_with_field_modulus:Libcrux_intrinsics.Avx2_extract.t_Vec256 = + let potential_coefficients:u8 = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_12_ input in + let compare_with_field_modulus:u8 = Libcrux_intrinsics.Avx2_extract.mm256_cmpgt_epi16 field_modulus potential_coefficients in let good:t_Array u8 (sz 2) = Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_1_ compare_with_field_modulus in - let _:Prims.unit = - assert (v (cast (good.[ sz 0 ] <: u8) <: usize) < 256); - assert (v (cast (good.[ sz 1 ] <: u8) <: usize) < 256); - assume (v (cast (Core.Num.impl__u8__count_ones good.[ sz 0 ]) <: usize) <= 8); - assume (v (cast (Core.Num.impl__u8__count_ones good.[ sz 1 ]) <: usize) <= 8); - assume (Core.Ops.Index.f_index_pre output - ({ - Core.Ops.Range.f_start = cast (Core.Num.impl__u8__count_ones good.[ sz 0 ]) <: usize; - Core.Ops.Range.f_end - = - (cast (Core.Num.impl__u8__count_ones good.[ sz 0 ]) <: usize) +! sz 8 - })) - in let lower_shuffles:t_Array u8 (sz 16) = Libcrux_ml_kem.Vector.Rej_sample_table.v_REJECTION_SAMPLE_SHUFFLE_TABLE.[ cast (good.[ sz 0 ] <: 
@@ -38,13 +21,13 @@ let rejection_sample (input: t_Slice u8) (output: t_Slice i16) = <: usize ] in - let lower_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let lower_shuffles:u8 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (lower_shuffles <: t_Slice u8) in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 potential_coefficients in - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let lower_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients lower_shuffles in let output:t_Slice i16 = @@ -60,13 +43,13 @@ let rejection_sample (input: t_Slice u8) (output: t_Slice i16) = <: usize ] in - let upper_shuffles:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_shuffles:u8 = Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (upper_shuffles <: t_Slice u8) in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l potential_coefficients in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = + let upper_coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients upper_shuffles in let output:t_Slice i16 = @@ -93,5 +76,3 @@ let rejection_sample (input: t_Slice u8) (output: t_Slice i16) = sampled_count +! (cast (Core.Num.impl__u8__count_ones (good.[ sz 1 ] <: u8) <: u32) <: usize) in output, hax_temp_output <: (t_Slice i16 & usize) - -#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti index d75884373..361ba6196 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Sampling.fsti 
@@ -1,14 +1,7 @@ module Libcrux_ml_kem.Vector.Avx2.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul val rejection_sample (input: t_Slice u8) (output: t_Slice i16) - : Prims.Pure (t_Slice i16 & usize) - (requires - (Core.Slice.impl__len #u8 input <: usize) =. sz 24 && - (Core.Slice.impl__len #i16 output <: usize) =. sz 16) - (ensures - fun temp_0_ -> - let output_future, res:(t_Slice i16 & usize) = temp_0_ in - Seq.length output_future == Seq.length output /\ v res <= 16) + : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst index d0c07fe84..14ccc0878 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.Serialize.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Avx2.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -10,213 +10,236 @@ let _ = let open Libcrux_ml_kem.Vector.Traits in () -[@@"opaque_to_smt"] +let deserialize_1_ (bytes: t_Slice u8) = + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (cast (bytes.[ sz 1 ] <: u8) <: i16) + (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) + (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) + (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 1 ] <: u8) <: i16) + (cast (bytes.[ sz 1 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) (cast (bytes.[ sz 0 ] <: u8) <: i16) + (cast (bytes.[ sz 0 ] <: u8) <: i16) + in + let shift_lsb_to_msb:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - (); - (Tactics.Utils.prove_forall_nat_pointwise (fun _ -> - Tactics.compute (); - Tactics.smt_sync ()))) + let upper_coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients + (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 15uy 14uy 14uy 13uy 12uy 11uy 11uy 10uy 9uy 8uy + 8uy 7uy 6uy 5uy 5uy 4uy + <: + u8) in - let bits_packed:i32 = Libcrux_intrinsics.Avx2_extract.mm_movemask_epi8 msbs in - let result:t_Array u8 (sz 2) = - let list = [cast (bits_packed <: i32) <: u8; cast (bits_packed >>! 8l <: i32) <: u8] in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); - Rust_primitives.Hax.array_of_list 2 list + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi128_si256 lower_coefficients in + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_inserti128_si256 1l coefficients upper_coefficients in - let _:Prims.unit = - assert (forall (i: nat{i < 8}). - get_bit (bits_packed >>! 
8l <: i32) (sz i) == get_bit bits_packed (sz (i + 8))) + let coefficients:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients shift_lsbs_to_msbs in - result - -#pop-options + let coefficients:u8 = Libcrux_intrinsics.Avx2_extract.mm256_srli_epi16 4l coefficients in + Libcrux_intrinsics.Avx2_extract.mm256_and_si256 coefficients + (Libcrux_intrinsics.Avx2_extract.mm256_set1_epi16 ((1s <>! 8l <: i32) <: u8) in - let _:Prims.unit = - introduce forall (i: nat{i < 80}) . lower_8_ i = vector ((i / 10) * 16 + i % 10) - with assert_norm (BitVec.Utils.forall_n 80 - (fun i -> lower_8_ i = vector ((i / 10) * 16 + i % 10))); - introduce forall (i: nat{i < 80}) . upper_8_ i = vector (128 + (i / 10) * 16 + i % 10) - with assert_norm (BitVec.Utils.forall_n 80 - (fun i -> upper_8_ i = vector (128 + (i / 10) * 16 + i % 10))) - in - lower_8_, upper_8_ - <: - (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) + serialized -#pop-options - -#push-options "--ext context_pruning --split_queries always" - -let serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let adjacent_2_combined:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_concat_pairs_n 12uy vector +let serialize_10_ (vector: u8) = + let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < lower_8_ i = vector ((i / 12) * 16 + i % 12))); - introduce forall (i: nat{i < 96}) . 
upper_8_ i = vector (128 + (i / 12) * 16 + i % 12) - with assert_norm (BitVec.Utils.forall_n 96 - (fun i -> upper_8_ i = vector (128 + (i / 12) * 16 + i % 12))) - in - lower_8_, upper_8_ - <: - (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) - -#pop-options - -#push-options "--ext context_pruning --split_queries always" - -let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = - let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & - Libcrux_intrinsics.Avx2_extract.t_Vec128) = - serialize_10___serialize_10_vec vector + u8) in - let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in + let lower_8_:u8 = Libcrux_intrinsics.Avx2_extract.mm256_castsi256_si128 adjacent_8_combined in let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } @@ -234,6 +257,9 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: t_Slice u8) in + let upper_8_:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_extracti128_si256 1l adjacent_8_combined + in let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.Monomorphized_update_at.update_at_range serialized ({ Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 26 } 
@@ -264,15 +290,33 @@ let serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = <: Core.Result.t_Result (t_Array u8 (sz 20)) Core.Array.t_TryFromSliceError) -#pop-options - -#push-options "--ext context_pruning --split_queries always" - -let serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) = +let serialize_12_ (vector: u8) = let serialized:t_Array u8 (sz 32) = Rust_primitives.Hax.repeat 0uy (sz 32) in - let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & - Libcrux_intrinsics.Avx2_extract.t_Vec128) = - serialize_12___serialize_12_vec vector + let adjacent_2_combined:u8 = + Libcrux_intrinsics.Avx2_extract.mm256_madd_epi16 vector + (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < combined i = vector ((i / 4) * 16 + i % 4))); - assert (forall (i: nat{i < 64}). - bit_vec_of_int_t_array serialized 8 i == vector ((i / 4) * 16 + i % 4)) - in - Core.Result.impl__unwrap #(t_Array u8 (sz 8)) - #Core.Array.t_TryFromSliceError - (Core.Convert.f_try_into #(t_Slice u8) - #(t_Array u8 (sz 8)) - #FStar.Tactics.Typeclasses.solve - (serialized.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 8 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - <: - Core.Result.t_Result (t_Array u8 (sz 8)) Core.Array.t_TryFromSliceError) - -#pop-options - -[@@"opaque_to_smt"] - -let deserialize_10___deserialize_10_vec - (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) - = - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients0 - (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 9uy 8uy 8uy 7uy 7uy 6uy 6uy 5uy 4uy 3uy 3uy 2uy - 2uy 1uy 1uy 0uy - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients0 - (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 15uy 14uy 14uy 13uy 13uy 12uy 12uy 11uy 10uy 
9uy - 9uy 8uy 8uy 7uy 7uy 6uy - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_si256_from_two_si128 lower_coefficients upper_coefficients - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - coefficients i = - (if i % 16 < 10 - then - let j = (i / 16) * 10 + i % 16 in - if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 32) - else 0))) - in - coefficients - -let deserialize_10_ (bytes: t_Slice u8) = - let lower_coefficients:t_Slice u8 = - bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 16 } - <: - Core.Ops.Range.t_Range usize ] - in - let upper_coefficients:t_Slice u8 = - bytes.[ { Core.Ops.Range.f_start = sz 4; Core.Ops.Range.f_end = sz 20 } - <: - Core.Ops.Range.t_Range usize ] - in - deserialize_10___deserialize_10_vec (Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 lower_coefficients - - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - (Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 upper_coefficients - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - -[@@"opaque_to_smt"] - -let deserialize_12___deserialize_12_vec - (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) - = - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 lower_coefficients0 - (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 11uy 10uy 10uy 9uy 8uy 7uy 7uy 6uy 5uy 4uy 4uy - 3uy 2uy 1uy 1uy 0uy - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_shuffle_epi8 upper_coefficients0 - (Libcrux_intrinsics.Avx2_extract.mm_set_epi8 15uy 14uy 14uy 13uy 12uy 11uy 11uy 10uy 9uy 8uy - 8uy 7uy 6uy 5uy 5uy 4uy - <: - Libcrux_intrinsics.Avx2_extract.t_Vec128) - in - let 
coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_si256_from_two_si128 lower_coefficients upper_coefficients - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - coefficients i = - (if i % 16 < 12 - then - let j = (i / 16) * 12 + i % 16 in - if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 64) - else 0))) - in - coefficients - -let deserialize_12_ (bytes: t_Slice u8) = - let lower_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - in - let upper_coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_loadu_si128 (bytes.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 24 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) - in - deserialize_12___deserialize_12_vec lower_coefficients upper_coefficients - -let deserialize_5_ (bytes: t_Slice u8) = - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec128 = - Libcrux_intrinsics.Avx2_extract.mm_set_epi8 (bytes.[ sz 9 ] <: u8) (bytes.[ sz 8 ] <: u8) - (bytes.[ sz 8 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 7 ] <: u8) (bytes.[ sz 6 ] <: u8) - (bytes.[ sz 6 ] <: u8) (bytes.[ sz 5 ] <: u8) (bytes.[ sz 4 ] <: u8) (bytes.[ sz 3 ] <: u8) - (bytes.[ sz 3 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 2 ] <: u8) (bytes.[ sz 1 ] <: u8) - (bytes.[ sz 1 ] <: u8) (bytes.[ sz 0 ] <: u8) - in - let coefficients_loaded:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - mm256_si256_from_two_si128 coefficients coefficients - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_shuffle_epi8 coefficients_loaded - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi8 15y 14y 15y 14y 
13y 12y 13y 12y 11y 10y 11y - 10y 9y 8y 9y 8y 7y 6y 7y 6y 5y 4y 5y 4y 3y 2y 3y 2y 1y 0y 1y 0y - <: - Libcrux_intrinsics.Avx2_extract.t_Vec256) - in - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = - Libcrux_intrinsics.Avx2_extract.mm256_mullo_epi16 coefficients - (Libcrux_intrinsics.Avx2_extract.mm256_set_epi16 (1s < - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 >= 1 - then 0 - else - let j = (i / 16) * 1 + i % 16 in - if i < 128 then get_bit a (sz j) else get_bit b (sz (j - 8)))) +val deserialize_1_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_1___deserialize_1_u8s (a b: u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 >= 1 - then 0 - else - let j = (i / 16) * 1 + i % 16 in - if i < 128 then get_bit a (sz j) else get_bit b (sz (j - 8)))) +val deserialize_10_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_1_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires (Core.Slice.impl__len #u8 bytes <: usize) =. sz 2) - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). 
- coefficients i = - (if i % 16 >= 1 - then 0 - else - let j = (i / 16) * 1 + i % 16 in - bit_vec_of_int_t_array (bytes <: t_Array _ (sz 2)) 8 j)) +val deserialize_12_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_4___deserialize_4_i16s (b0 b1 b2 b3 b4 b5 b6 b7: i16) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 < 4 - then - let j = (i / 16) * 4 + i % 16 in - (match i / 32 with - | 0 -> get_bit b0 (sz j) - | 1 -> get_bit b1 (sz (j - 8)) - | 2 -> get_bit b2 (sz (j - 16)) - | 3 -> get_bit b3 (sz (j - 24)) - | 4 -> get_bit b4 (sz (j - 32)) - | 5 -> get_bit b5 (sz (j - 40)) - | 6 -> get_bit b6 (sz (j - 48)) - | 7 -> get_bit b7 (sz (j - 56))) - else 0)) +val deserialize_4_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_4___deserialize_4_u8s (b0 b1 b2 b3 b4 b5 b6 b7: u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 < 4 - then - let j = (i / 16) * 4 + i % 16 in - (match i / 32 with - | 0 -> get_bit b0 (sz j) - | 1 -> get_bit b1 (sz (j - 8)) - | 2 -> get_bit b2 (sz (j - 16)) - | 3 -> get_bit b3 (sz (j - 24)) - | 4 -> get_bit b4 (sz (j - 32)) - | 5 -> get_bit b5 (sz (j - 40)) - | 6 -> get_bit b6 (sz (j - 48)) - | 7 -> get_bit b7 (sz (j - 56))) - else 0)) +val deserialize_5_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val deserialize_4_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires (Core.Slice.impl__len #u8 bytes <: usize) =. 
sz 8) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall (i: nat{i < 256}). - result i = - (if i % 16 >= 4 - then 0 - else - let j = (i / 16) * 4 + i % 16 in - bit_vec_of_int_t_array (bytes <: t_Array _ (sz 8)) 8 j)) +val serialize_1_ (vector: u8) : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) -include BitVec.Intrinsics {mm256_concat_pairs_n} +val serialize_10_ (vector: u8) + : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_1_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 2)) - (requires forall i. i % 16 >= 1 ==> vector i == 0) - (ensures - fun result -> - let result:t_Array u8 (sz 2) = result in - forall i. bit_vec_of_int_t_array result 8 i == vector (i * 16)) +val serialize_12_ (vector: u8) + : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_10___serialize_10_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) - (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0) - (ensures - fun temp_0_ -> - let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & - Libcrux_intrinsics.Avx2_extract.t_Vec128) = - temp_0_ - in - forall (i: nat{i < 160}). - vector ((i / 10) * 16 + i % 10) == (if i < 80 then lower_8_ i else upper_8_ (i - 80))) +val serialize_5_ (vector: u8) : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) -val serialize_12___serialize_12_vec (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure - (Libcrux_intrinsics.Avx2_extract.t_Vec128 & Libcrux_intrinsics.Avx2_extract.t_Vec128) - (requires forall (i: nat{i < 256}). 
i % 16 < 12 || vector i = 0) - (ensures - fun temp_0_ -> - let lower_8_, upper_8_:(Libcrux_intrinsics.Avx2_extract.t_Vec128 & - Libcrux_intrinsics.Avx2_extract.t_Vec128) = - temp_0_ - in - forall (i: nat{i < 192}). - vector ((i / 12) * 16 + i % 12) == (if i < 96 then lower_8_ i else upper_8_ (i - 96))) +val deserialize_11_ (bytes: t_Slice u8) : Prims.Pure u8 Prims.l_True (fun _ -> Prims.l_True) -val serialize_10_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 20)) - (requires forall (i: nat{i < 256}). i % 16 < 10 || vector i = 0) - (ensures - fun r -> - let r:t_Array u8 (sz 20) = r in - forall (i: nat{i < 160}). bit_vec_of_int_t_array r 8 i == vector ((i / 10) * 16 + i % 10)) - -val serialize_12_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 24)) - (requires forall (i: nat{i < 256}). i % 16 < 12 || vector i = 0) - (ensures - fun r -> - let r:t_Array u8 (sz 24) = r in - forall (i: nat{i < 192}). bit_vec_of_int_t_array r 8 i == vector ((i / 12) * 16 + i % 12)) - -val serialize_5_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_4_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) - : Prims.Pure (t_Array u8 (sz 8)) - (requires forall (i: nat{i < 256}). i % 16 < 4 || vector i = 0) - (ensures - fun r -> - let r:t_Array u8 (sz 8) = r in - forall (i: nat{i < 64}). bit_vec_of_int_t_array r 8 i == vector ((i / 4) * 16 + i % 4)) - -include BitVec.Intrinsics {mm256_si256_from_two_si128 as mm256_si256_from_two_si128} - -val deserialize_10___deserialize_10_vec - (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). 
- coefficients i = - (if i % 16 >= 10 - then 0 - else - let j = (i / 16) * 10 + i % 16 in - if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 32))) - -val deserialize_10_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Seq.length bytes == 20) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall (i: nat{i < 256}). - result i = - (if i % 16 >= 10 - then 0 - else - let j = (i / 16) * 10 + i % 16 in - bit_vec_of_int_t_array (bytes <: t_Array _ (sz 20)) 8 j)) - -val deserialize_12___deserialize_12_vec - (lower_coefficients0 upper_coefficients0: Libcrux_intrinsics.Avx2_extract.t_Vec128) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - Prims.l_True - (ensures - fun coefficients -> - let coefficients:Libcrux_intrinsics.Avx2_extract.t_Vec256 = coefficients in - forall (i: nat{i < 256}). - coefficients i = - (if i % 16 >= 12 - then 0 - else - let j = (i / 16) * 12 + i % 16 in - if i < 128 then lower_coefficients0 j else upper_coefficients0 (j - 64))) - -val deserialize_12_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Seq.length bytes == 24) - (ensures - fun result -> - let result:Libcrux_intrinsics.Avx2_extract.t_Vec256 = result in - forall (i: nat{i < 256}). 
- result i = - (if i % 16 >= 12 - then 0 - else - let j = (i / 16) * 12 + i % 16 in - bit_vec_of_int_t_array (bytes <: t_Array _ (sz 24)) 8 j)) - -val deserialize_5_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 - (requires Seq.length bytes == 10) - (fun _ -> Prims.l_True) - -val deserialize_11_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_intrinsics.Avx2_extract.t_Vec256 Prims.l_True (fun _ -> Prims.l_True) - -val serialize_11_ (vector: Libcrux_intrinsics.Avx2_extract.t_Vec256) +val serialize_11_ (vector: u8) : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_4_ (vector: u8) : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst index 8a9c2057c..5297d904c 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fst 
@@ -1,33 +1,17 @@ module Libcrux_ml_kem.Vector.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Traits in - () +let from_i16_array (array: t_Slice i16) = + { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 array } <: t_SIMD256Vector -let vec_from_i16_array (array: t_Slice i16) = - let result:t_SIMD256Vector = - { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_loadu_si256_i16 array } <: t_SIMD256Vector - in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -let vec_zero (_: Prims.unit) = - let result:t_SIMD256Vector = - { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_SIMD256Vector - in - let _:Prims.unit = admit () (* Panic freedom *) in - result +let zero (_: Prims.unit) = + { f_elements = Libcrux_intrinsics.Avx2_extract.mm256_setzero_si256 () } <: t_SIMD256Vector -let vec_to_i16_array (v: t_SIMD256Vector) = +let to_i16_array (v: t_SIMD256Vector) = let output:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in let output:t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.mm256_storeu_si256_i16 output v.f_elements in - let result:t_Array i16 (sz 16) = output in - let _:Prims.unit = admit () (* Panic freedom *) in - result + output diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti index b15ca262d..b1401a90e 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Avx2.fsti 
@@ -1,77 +1,40 @@ module Libcrux_ml_kem.Vector.Avx2 -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let _ = - (* This module has implicit dependencies, here we make them explicit. *) - (* The implicit dependencies arise from typeclasses instances. *) - let open Libcrux_ml_kem.Vector.Traits in - () +type t_SIMD256Vector = { f_elements:u8 } -noeq +val from_i16_array (array: t_Slice i16) + : Prims.Pure t_SIMD256Vector Prims.l_True (fun _ -> Prims.l_True) -type t_SIMD256Vector = { f_elements:Libcrux_intrinsics.Avx2_extract.t_Vec256 } +val zero: Prims.unit -> Prims.Pure t_SIMD256Vector Prims.l_True (fun _ -> Prims.l_True) -let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements - -val vec_from_i16_array (array: t_Slice i16) - : Prims.Pure t_SIMD256Vector - Prims.l_True - (ensures - fun result -> - let result:t_SIMD256Vector = result in - repr result == array) - -val vec_zero: Prims.unit - -> Prims.Pure t_SIMD256Vector - Prims.l_True - (ensures - fun result -> - let result:t_SIMD256Vector = result in - repr result == Seq.create 16 0s) - -val vec_to_i16_array (v: t_SIMD256Vector) - : Prims.Pure (t_Array i16 (sz 16)) - Prims.l_True - (ensures - fun result -> - let result:t_Array i16 (sz 16) = result in - result == repr v) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_kem.Vector.Traits.t_Repr t_SIMD256Vector = - { - _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; - _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - f_repr_pre = (fun (x: t_SIMD256Vector) -> true); - f_repr_post = (fun (x: t_SIMD256Vector) (out: t_Array i16 (sz 16)) -> true); - f_repr = fun (x: t_SIMD256Vector) -> vec_to_i16_array x - } +val to_i16_array (v: t_SIMD256Vector) + : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_3: 
Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = +let impl_2: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = { _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - _super_8706949974463268012 = FStar.Tactics.Typeclasses.solve; f_ZERO_pre = (fun (_: Prims.unit) -> true); f_ZERO_post = (fun (_: Prims.unit) (out: t_SIMD256Vector) -> impl.f_repr out == Seq.create 16 0s); - f_ZERO = (fun (_: Prims.unit) -> vec_zero ()); + f_ZERO = (fun (_: Prims.unit) -> zero ()); f_from_i16_array_pre = (fun (array: t_Slice i16) -> (Core.Slice.impl__len #i16 array <: usize) =. sz 16); f_from_i16_array_post = (fun (array: t_Slice i16) (out: t_SIMD256Vector) -> impl.f_repr out == array); - f_from_i16_array = (fun (array: t_Slice i16) -> vec_from_i16_array array); + f_from_i16_array = (fun (array: t_Slice i16) -> from_i16_array array); f_to_i16_array_pre = (fun (x: t_SIMD256Vector) -> true); f_to_i16_array_post = (fun (x: t_SIMD256Vector) (out: t_Array i16 (sz 16)) -> out == impl.f_repr x); - f_to_i16_array = (fun (x: t_SIMD256Vector) -> vec_to_i16_array x); + f_to_i16_array = (fun (x: t_SIMD256Vector) -> to_i16_array x); f_add_pre = (fun (lhs: t_SIMD256Vector) (rhs: t_SIMD256Vector) -> @@ -173,7 +136,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_cond_subtract_3329_ = (fun (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Arithmetic.cond_subtract_3329_ vector.f_elements } <: t_SIMD256Vector); @@ -217,7 +179,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_compress_1_ = (fun (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in { f_elements = @@ -244,7 +205,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_compress = (fun (v_COEFFICIENT_BITS: i32) (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in { f_elements = 
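Review bot: The post-conditions of `impl_2` still refer to `impl.f_repr` (`f_ZERO_post`, `f_from_i16_array_post`, `f_to_i16_array_post`), but the `t_Repr` instance named `impl`, the `repr` function and the `_super_8706949974463268012` supertrait are all deleted earlier in this hunk, so unless another `impl` providing `f_repr` exists outside the hunk these specs no longer resolve. Independently, `t_SIMD256Vector` now holds `f_elements:u8` instead of `Libcrux_intrinsics.Avx2_extract.t_Vec256`, which removes the `vec256_as_i16x16` model that related the AVX2 backend to the portable `i16` semantics; with that gone there is nothing left to prove about NTT, compression or serialization on this backend. If the intent is only to regenerate the extraction, the hand-written block should be re-applied on top, e.g. `let repr (x:t_SIMD256Vector) : t_Array i16 (sz 16) = Libcrux_intrinsics.Avx2_extract.vec256_as_i16x16 x.f_elements`, which presupposes keeping the `t_Vec256` field type. The `--z3rlimit` drop from 100 to 15 will bite again as soon as those proofs come back.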
@@ -292,7 +252,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_ntt_layer_1_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> - let _:Prims.unit = admit () in { f_elements = @@ -312,7 +271,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_ntt_layer_2_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_2_step vector.f_elements zeta0 zeta1 } @@ -330,7 +288,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_ntt_layer_3_step = (fun (vector: t_SIMD256Vector) (zeta: i16) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.ntt_layer_3_step vector.f_elements zeta } <: t_SIMD256Vector); @@ -354,7 +311,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_inv_ntt_layer_1_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) (zeta2: i16) (zeta3: i16) -> - let _:Prims.unit = admit () in { f_elements = @@ -378,7 +334,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_inv_ntt_layer_2_step = (fun (vector: t_SIMD256Vector) (zeta0: i16) (zeta1: i16) -> - let _:Prims.unit = admit () in { f_elements = @@ -397,7 +352,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_inv_ntt_layer_3_step = (fun (vector: t_SIMD256Vector) (zeta: i16) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Ntt.inv_ntt_layer_3_step vector.f_elements zeta } <: t_SIMD256Vector); @@ -437,7 +391,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = (zeta2: i16) (zeta3: i16) -> - let _:Prims.unit = admit () in { f_elements = 
@@ -505,7 +458,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_serialize_5_ = (fun (vector: t_SIMD256Vector) -> - let _:Prims.unit = admit () in Libcrux_ml_kem.Vector.Avx2.Serialize.serialize_5_ vector.f_elements); f_deserialize_5_pre = @@ -514,7 +466,6 @@ let impl_3: Libcrux_ml_kem.Vector.Traits.t_Operations t_SIMD256Vector = f_deserialize_5_ = (fun (bytes: t_Slice u8) -> - let _:Prims.unit = admit () in { f_elements = Libcrux_ml_kem.Vector.Avx2.Serialize.deserialize_5_ bytes } <: t_SIMD256Vector); diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst index a36b00a94..3e4a911e1 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti index b765f0915..9bd656a73 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Arithmetic.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst index c6f54fd1c..42233fa2d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst 
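Review bot: Removing `admit ()` from `f_serialize_5_` and `f_deserialize_5_` drops the only thing that discharged the callee contracts, while the `Avx2.Serialize.fsti` hunk at the top of this page simultaneously deletes `deserialize_5_`'s `(requires Seq.length bytes == 10)`; the 10-byte length is therefore no longer required anywhere on this path, and whatever `f_deserialize_5_pre` states (its body is outside the hunk) is no longer connected to it. Better to keep `(requires Seq.length bytes == 10)` on `deserialize_5_` and prove it from the trait precondition than to erase both ends. For a deserializer that is fed bytes typically arriving from a received ciphertext, a missing length contract is exactly where an out-of-bounds read panic would surface.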
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fsti index 0a2c883cb..c2afb3843 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Compress.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst index d00b944c4..d95f4879d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti index a280dcc7a..b676dbeec 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Ntt.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst index cadc20681..82205d443 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -360,6 +360,150 @@ let serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = in result +let deserialize_10_ (v: t_Slice u8) = + let output:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + v + in + let array:t_Array i16 (sz 16) = + Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + output + in + { + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16); + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + +let deserialize_11_ (v: t_Slice u8) = + let output:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Traits.f_deserialize_11_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + v + in + let array:t_Array i16 (sz 16) = + Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + output + in + { + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16); + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } + <: + 
Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + +let deserialize_4_ (v: t_Slice u8) = + let input:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Traits.f_deserialize_4_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + v + in + let input_i16s:t_Array i16 (sz 16) = + Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + input + in + { + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (input_i16s.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16); + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (input_i16s.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + +let deserialize_5_ (v: t_Slice u8) = + let output:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Traits.f_deserialize_5_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + v + in + let array:t_Array i16 (sz 16) = + Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + output + in + { + Libcrux_ml_kem.Vector.Neon.Vector_type.f_low + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16); + Libcrux_ml_kem.Vector.Neon.Vector_type.f_high + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = 
sz 16 + } + <: + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + } + <: + Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector + let deserialize_1_ (a: t_Slice u8) = let one:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 1s in let low:u8 = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 (cast (a.[ sz 0 ] <: u8) <: i16) in @@ -499,6 +643,17 @@ let serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 2); Rust_primitives.Hax.array_of_list 2 list +let serialize_11_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = + let out_i16s:t_Array i16 (sz 16) = Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array v in + let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + Libcrux_ml_kem.Vector.Traits.f_from_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + (out_i16s <: t_Slice i16) + in + Libcrux_ml_kem.Vector.Traits.f_serialize_11_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + #FStar.Tactics.Typeclasses.solve + out + let serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = let (shifter: t_Array i16 (sz 8)):t_Array i16 (sz 8) = let list = [0s; 4s; 8s; 12s; 0s; 4s; 8s; 12s] in 
@@ -566,161 +721,6 @@ let serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = in Core.Num.impl__u64__to_le_bytes sum -let deserialize_10_ (v: t_Slice u8) = - let output:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_10_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - v - in - let array:t_Array i16 (sz 16) = - Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - output - in - { - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 8 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16); - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - -let deserialize_11_ (v: t_Slice u8) = - let output:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_11_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - v - in - let array:t_Array i16 (sz 16) = - Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - output - in - { - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 8 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16); - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 8; - 
Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - -let deserialize_4_ (v: t_Slice u8) = - let input:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_4_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - v - in - let input_i16s:t_Array i16 (sz 16) = - Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - input - in - { - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (input_i16s.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 8 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16); - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (input_i16s.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - -let deserialize_5_ (v: t_Slice u8) = - let output:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Libcrux_ml_kem.Vector.Traits.f_deserialize_5_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - v - in - let array:t_Array i16 (sz 16) = - Libcrux_ml_kem.Vector.Traits.f_to_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - output - in - { - Libcrux_ml_kem.Vector.Neon.Vector_type.f_low - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 8 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16); - Libcrux_ml_kem.Vector.Neon.Vector_type.f_high - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - 
Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice i16) - } - <: - Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector - -let serialize_11_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = - let out_i16s:t_Array i16 (sz 16) = Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array v in - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - Libcrux_ml_kem.Vector.Traits.f_from_i16_array #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - (out_i16s <: t_Slice i16) - in - Libcrux_ml_kem.Vector.Traits.f_serialize_11_ #Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - #FStar.Tactics.Typeclasses.solve - out - let serialize_5_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) = let out_i16s:t_Array i16 (sz 16) = Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array v in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti index 3de7409f7..024da1972 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Serialize.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -16,44 +16,44 @@ val serialize_10_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) val serialize_12_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) -val deserialize_1_ (a: t_Slice u8) +val deserialize_10_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val deserialize_12_ (v: t_Slice u8) +val deserialize_11_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) - : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -val deserialize_10_ (v: t_Slice u8) +val deserialize_4_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val deserialize_11_ (v: t_Slice u8) +val deserialize_5_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val deserialize_4_ (v: t_Slice u8) +val deserialize_1_ (a: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) -val deserialize_5_ (v: t_Slice u8) +val deserialize_12_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) +val serialize_1_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) + val serialize_11_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) +val serialize_4_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) + 
: Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + val serialize_5_ (v: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst index 116acadf7..12686d3bb 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fst 
@@ -1,51 +1,41 @@ module Libcrux_ml_kem.Vector.Neon.Vector_type -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -let repr (x:t_SIMD128Vector) = admit() - let v_ZERO (_: Prims.unit) = - let result:t_SIMD128Vector = - { - f_low = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s; - f_high = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s - } - <: - t_SIMD128Vector - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + { + f_low = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s; + f_high = Libcrux_intrinsics.Arm64_extract.v__vdupq_n_s16 0s + } + <: + t_SIMD128Vector let from_i16_array (array: t_Slice i16) = - let result:t_SIMD128Vector = - { - f_low - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 0; - Core.Ops.Range.f_end = sz 8 - } - <: - Core.Ops.Range.t_Range usize ] + { + f_low + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } <: - t_Slice i16); - f_high - = - Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { - Core.Ops.Range.f_start = sz 8; - Core.Ops.Range.f_end = sz 16 - } - <: - Core.Ops.Range.t_Range usize ] + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16); + f_high + = + Libcrux_intrinsics.Arm64_extract.v__vld1q_s16 (array.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } <: - t_Slice i16) - } - <: - t_SIMD128Vector - in - let _:Prims.unit = admit () (* Panic freedom *) in - result + Core.Ops.Range.t_Range usize ] + <: + t_Slice i16) + } + <: + t_SIMD128Vector let to_i16_array (v: t_SIMD128Vector) = let out:t_Array i16 (sz 16) = Rust_primitives.Hax.repeat 0s (sz 16) in @@ -83,6 +73,4 @@ let to_i16_array (v: t_SIMD128Vector) = <: t_Slice i16) in - let result:t_Array i16 (sz 16) = out in - let _:Prims.unit = admit () (* Panic freedom *) in - result + out 
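Review bot: `from_i16_array` indexes `array.[0..8]` and `array.[8..16]` on a `t_Slice i16` of unconstrained length, and the hunk removes the `admit () (* Panic freedom *)` placeholders without adding the length precondition they were covering for. Dropping `let repr (x:t_SIMD128Vector) = admit()` is right in itself — a representation function defined by `admit()` made every `repr`-based ensures vacuous — but the honest replacement is a `repr` defined through `to_i16_array` (placed after it in this file), not no `repr` at all. Proposal: `let repr (x:t_SIMD128Vector) : t_Array i16 (sz 16) = to_i16_array x` at the end of the module, so the `.fsti` can restate `repr result == Seq.create 16 0s` for `v_ZERO`.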
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti index c5dd6b6ab..d80603ff5 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.Vector_type.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon.Vector_type -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -8,28 +8,10 @@ type t_SIMD128Vector = { f_high:u8 } -val repr (x:t_SIMD128Vector) : t_Array i16 (sz 16) - -val v_ZERO: Prims.unit - -> Prims.Pure t_SIMD128Vector - Prims.l_True - (ensures - fun result -> - let result:t_SIMD128Vector = result in - repr result == Seq.create 16 0s) +val v_ZERO: Prims.unit -> Prims.Pure t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) val from_i16_array (array: t_Slice i16) - : Prims.Pure t_SIMD128Vector - Prims.l_True - (ensures - fun result -> - let result:t_SIMD128Vector = result in - repr result == array) + : Prims.Pure t_SIMD128Vector Prims.l_True (fun _ -> Prims.l_True) val to_i16_array (v: t_SIMD128Vector) - : Prims.Pure (t_Array i16 (sz 16)) - Prims.l_True - (ensures - fun result -> - let result:t_Array i16 (sz 16) = result in - result == repr v) + : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst index f41cefe46..d33fcee14 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
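Review bot: The new `val from_i16_array` has precondition `Prims.l_True`, yet its implementation slices the input at 8 and 16, so the declared contract now admits inputs on which the Rust code panics; the `ensures repr result == ...` clauses on all three vals are also gone, leaving the Neon vector type with no stated semantics. Suggest at least the length contract: `val from_i16_array (array: t_Slice i16) : Prims.Pure t_SIMD128Vector (requires Seq.length array == 16) (fun _ -> Prims.l_True)`, plus a `repr` defined via `to_i16_array` so the `v_ZERO` and round-trip facts can be restated. The `f_high:u8` context line shows the NEON register was already an opaque stand-in, and with `repr = admit()` the old ensures were unproven; they were nonetheless the only link from this backend to the portable spec, and an empty post-condition is a weaker statement than an unproven one that is visibly marked.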
@@ -7,7 +7,6 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Neon.Vector_type in - let open Libcrux_ml_kem.Vector.Traits in () let rej_sample (a: t_Slice u8) (result: t_Slice i16) = diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti index f3280f83e..b68a453af 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Neon.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Neon -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -7,48 +7,26 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Neon.Vector_type in - let open Libcrux_ml_kem.Vector.Traits in () val rej_sample (a: t_Slice u8) (result: t_Slice i16) : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True) [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_kem.Vector.Traits.t_Repr Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = - { - _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; - _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - f_repr_pre = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true); - f_repr_post - = - (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array i16 (sz 16)) -> - true); - f_repr - = - fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> - Libcrux_ml_kem.Vector.Neon.Vector_type.to_i16_array x - } - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Libcrux_ml_kem.Vector.Traits.t_Operations +let impl: Libcrux_ml_kem.Vector.Traits.t_Operations Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = { _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - _super_8706949974463268012 = FStar.Tactics.Typeclasses.solve; f_ZERO_pre = (fun (_: Prims.unit) -> true); f_ZERO_post = - (fun (_: Prims.unit) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> - impl.f_repr out == Seq.create 16 0s); + (fun (_: Prims.unit) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true); f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_kem.Vector.Neon.Vector_type.v_ZERO ()); - f_from_i16_array_pre - = - (fun (array: t_Slice i16) -> (Core.Slice.impl__len #i16 array <: usize) =. 
sz 16); + f_from_i16_array_pre = (fun (array: t_Slice i16) -> true); f_from_i16_array_post = - (fun (array: t_Slice i16) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> - impl.f_repr out == array); + (fun (array: t_Slice i16) (out: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> true); f_from_i16_array = (fun (array: t_Slice i16) -> Libcrux_ml_kem.Vector.Neon.Vector_type.from_i16_array array); @@ -56,7 +34,7 @@ Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector = f_to_i16_array_post = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) (out: t_Array i16 (sz 16)) -> - out == impl.f_repr x); + true); f_to_i16_array = (fun (x: Libcrux_ml_kem.Vector.Neon.Vector_type.t_SIMD128Vector) -> diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst index bcb88d903..3eb5abd35 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fst 
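Review bot: `f_from_i16_array_pre` is weakened from `(Core.Slice.impl__len #i16 array <: usize) =. sz 16` to `true`, while the AVX2 instance in this same commit keeps the length check and the Neon implementation slices `[0..8]` and `[8..16]`; code generic over `t_Operations` is thus permitted by the spec to hand Neon a short slice that the Rust code would panic on. The three post-conditions are also flattened to `true`, so any polynomial-level proof that relies on the `f_ZERO`/`f_from_i16_array`/`f_to_i16_array` round-trip facts loses them for this backend. Restore at least the precondition: `f_from_i16_array_pre = (fun (array: t_Slice i16) -> (Core.Slice.impl__len #i16 array <: usize) =. sz 16);`.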
@@ -1,34 +1,9 @@ module Libcrux_ml_kem.Vector.Portable.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -#push-options "--z3rlimit 150 --split_queries always" - -let get_n_least_significant_bits (n: u8) (value: u32) = - let res:u32 = value &. ((1ul <>! 1l <: i32) - in - let _:Prims.unit = - assert_norm (v v_BARRETT_MULTIPLIER == (pow2 27 + 3329) / (2 * 3329)); - assert (v t = v value * v v_BARRETT_MULTIPLIER + pow2 25) - in - let _:Prims.unit = assert (v t / pow2 26 < 9) in - let _:Prims.unit = assert (v t / pow2 26 > - 9) in - let quotient:i16 = cast (t >>! Libcrux_ml_kem.Vector.Traits.v_BARRETT_SHIFT <: i32) <: i16 in - let _:Prims.unit = assert (v quotient = v t / pow2 26) in - let _:Prims.unit = assert (Spec.Utils.is_i16b 9 quotient) in - let result:i16 = value -! (quotient *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) in - let _:Prims.unit = - calc ( == ) { - v result % 3329; - ( == ) { () } - (v value - (v quotient * 3329)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_sub_distr (v value) (v quotient * 3329) 3329 } - (v value - (v quotient * 3329) % 3329) % 3329; - ( == ) { Math.Lemmas.cancel_mul_mod (v quotient) 3329 } - (v value - 0) % 3329; - ( == ) { () } - (v value) % 3329; - } + (v_BARRETT_R >>! 1l <: i32) in - result - -#pop-options - -#push-options "--z3rlimit 500 --split_queries always" + let quotient:i16 = cast (t >>! v_BARRETT_SHIFT <: i32) <: i16 in + value -! (quotient *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) let montgomery_reduce_element (value: i32) = let _:i32 = v_MONTGOMERY_R in 
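Review bot: The Barrett reduction proof is deleted outright — the `assert (Spec.Utils.is_i16b 9 quotient)` bound that justified `quotient *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS` fitting in an `i16`, and the `calc` establishing `v result % 3329 == v value % 3329` — while the new body keeps the checked operators `*!` and `-!`, whose overflow obligations therefore remain but now have neither the lemmas nor the `--z3rlimit 150 --split_queries always` budget that discharged them. For a reduction applied to secret polynomial coefficients, an unproven overflow or an incomplete reduction is a functional-correctness bug in ML-KEM rather than a cosmetic gap, so the proof should be re-applied with the regenerated code; if this is a deliberate WIP state, an explicit `let _:Prims.unit = admit () (* TODO: restore Barrett proof *) in` is more honest than silent removal. Note also that the hunk text as rendered here is garbled around `get_n_least_significant_bits` (`((1ul <>! 1l <: i32)`), apparently losing the `<<!`/`>>!` shift operands, so that part of the deletion and the reduction function's own `let` line cannot be reviewed from this page.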
@@ -73,320 +22,181 @@ let montgomery_reduce_element (value: i32) = (cast (cast (value <: i32) <: i16) <: i32) *! (cast (Libcrux_ml_kem.Vector.Traits.v_INVERSE_OF_MODULUS_MOD_MONTGOMERY_R <: u32) <: i32) in - let _:Prims.unit = - assert (v (cast (cast (value <: i32) <: i16) <: i32) == v value @% pow2 16); - assert (v k == (v value @% pow2 16) * 62209); - assert (v (cast (cast (k <: i32) <: i16) <: i32) == v k @% pow2 16); - assert (v (cast (cast (k <: i32) <: i16) <: i32) < pow2 15); - assert (v (cast (cast (k <: i32) <: i16) <: i32) >= - pow2 15); - assert (v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) == 3329) - in let k_times_modulus:i32 = (cast (cast (k <: i32) <: i16) <: i32) *! (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) in - let _:Prims.unit = - Spec.Utils.lemma_mul_i16b (pow2 15) - (3329) - (cast (k <: i32) <: i16) - Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS; - assert (Spec.Utils.is_i32b (pow2 15 * 3329) k_times_modulus) - in let c:i16 = cast (k_times_modulus >>! v_MONTGOMERY_SHIFT <: i32) <: i16 in - let _:Prims.unit = - assert (v k_times_modulus < pow2 31); - assert (v k_times_modulus / pow2 16 < pow2 15); - assert (v c == (v k_times_modulus / pow2 16) @% pow2 16); - assert (v c == v k_times_modulus / pow2 16); - assert (Spec.Utils.is_i16b 1665 c) - in let value_high:i16 = cast (value >>! v_MONTGOMERY_SHIFT <: i32) <: i16 in - let _:Prims.unit = - assert (v value < pow2 31); - assert (v value / pow2 16 < pow2 15); - assert (v value_high == (v value / pow2 16) @% pow2 16); - Spec.Utils.lemma_div_at_percent (v value) (pow2 16); - assert (v value_high == (v value / pow2 16)); - assert (Spec.Utils.is_i32b (3328 * 3328) value ==> Spec.Utils.is_i16b 169 value_high); - assert (Spec.Utils.is_i16b 3328 value_high) - in - let res:i16 = value_high -! 
c in - let _:Prims.unit = assert (Spec.Utils.is_i16b (3328 + 1665) res) in - let _:Prims.unit = - assert (Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 res) - in - let _:Prims.unit = - calc ( == ) { - v k_times_modulus % pow2 16; - ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) } - ((v k @% pow2 16) * 3329) % pow2 16; - ( == ) { assert (v k = (v value @% pow2 16) * 62209) } - ((((v value @% pow2 16) * 62209) @% pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_sub ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) - (pow2 16) - 3329 } - ((((v value @% pow2 16) * 62209) % pow2 16) * 3329) % pow2 16; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v value @% pow2 16) * 62209) 3329 (pow2 16) } - ((((v value @% pow2 16) * 62209) * 3329) % pow2 16); - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r (v value @% pow2 16) (62209 * 3329) (pow2 16) } - ((v value @% pow2 16) % pow2 16); - ( == ) { Math.Lemmas.lemma_mod_sub (v value) (pow2 16) 1 } - (v value) % pow2 16; - }; - Math.Lemmas.modulo_add (pow2 16) (- (v k_times_modulus)) (v value) (v k_times_modulus); - assert ((v value - v k_times_modulus) % pow2 16 == 0) - in - let _:Prims.unit = - calc ( == ) { - v res % 3329; - ( == ) { assert (v res == v value_high - v c) } - (v value / pow2 16 - v k_times_modulus / pow2 16) % 3329; - ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) } - ((v value - v k_times_modulus) / pow2 16) % 3329; - ( == ) { assert ((pow2 16 * 169) % 3329 == 1) } - (((v value - v k_times_modulus) / pow2 16) * ((pow2 16 * 169) % 3329)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_r ((v value - v k_times_modulus) / pow2 16) - (pow2 16 * 169) - 3329 } - (((v value - v k_times_modulus) / pow2 16) * pow2 16 * 169) % 3329; - ( == ) { Math.Lemmas.lemma_div_exact (v value - v k_times_modulus) (pow2 16) } - ((v value - v k_times_modulus) * 169) % 3329; - ( == ) { assert (v k_times_modulus == (v k @% pow2 16) * 3329) } - ((v value * 
169) - ((v k @% pow2 16) * 3329 * 169)) % 3329; - ( == ) { Math.Lemmas.lemma_mod_sub (v value * 169) 3329 ((v k @% pow2 16) * 169) } - (v value * 169) % 3329; - } - in - res - -#pop-options - -#push-options "--z3rlimit 300" + value_high -! c let montgomery_multiply_fe_by_fer (fe fer: i16) = - let _:Prims.unit = Spec.Utils.lemma_mul_i16b (pow2 15) (1664) fe fer in - let product:i32 = (cast (fe <: i16) <: i32) *! (cast (fer <: i16) <: i32) in - montgomery_reduce_element product - -#pop-options - -#push-options "--z3rlimit 150" + montgomery_reduce_element ((cast (fe <: i16) <: i32) *! (cast (fer <: i16) <: i32) <: i32) let add (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__lhs0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun lhs i -> + (fun lhs temp_1_ -> let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in - let i:usize = i in - (forall j. - j < v i ==> - (Seq.index lhs.f_elements j) == - (Seq.index v__lhs0.f_elements j) +! (Seq.index rhs.f_elements j)) /\ - (forall j. j >= v i ==> (Seq.index lhs.f_elements j) == (Seq.index v__lhs0.f_elements j))) + let _:usize = temp_1_ in + true) lhs (fun lhs i -> let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in let i:usize = i in - let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - lhs with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! 
- (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) - <: - i16) - } + { + lhs with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - lhs) - in - let _:Prims.unit = - assert (forall i. - v (Seq.index lhs.f_elements i) == - v (Seq.index v__lhs0.f_elements i) + v (Seq.index rhs.f_elements i)) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in lhs -#pop-options - -#push-options "--z3rlimit 150" - -let barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +let barrett_reduce (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - (forall j. - j < v i ==> - (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j) /\ - v (Seq.index vec.f_elements j) % 3329 == (v (Seq.index v__vec0.f_elements j) % 3329) - )) /\ - (forall j. 
- j >= v i ==> - (Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j /\ - Spec.Utils.is_i16b 28296 (Seq.index vec.f_elements j)))) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - let vi:i16 = - barrett_reduce_element (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (barrett_reduce_element (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) <: i16) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - vec with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - vi - } <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - let _:Prims.unit = - assert (v (mk_int #usize_inttype (v i + 1)) == v i + 1); - assert (forall j. j < v i ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j)); - assert (Spec.Utils.is_i16b 3328 vi); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements (v i))); - assert (forall j. 
j < v i + 1 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements j)) - in - vec) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - vec - -#pop-options + v let bitwise_and_with_constant - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. j < v i ==> Seq.index vec.f_elements j == (Seq.index v__vec0.f_elements j &. c) - ) /\ (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j) - ) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - vec with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) &. 
c - <: - i16) - } + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) &. c <: i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - vec) - in - let _:Prims.unit = - Seq.lemma_eq_intro vec.f_elements (Spec.Utils.map_array (fun x -> x &. c) v__vec0.f_elements) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - vec + v -let cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +let cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. - j < v i ==> - Seq.index vec.f_elements j == - (let x = Seq.index v__vec0.f_elements j in - if x >=. 3329s then x -! 3329s else x)) /\ - (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j)) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - if - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >=. 
3329s - <: - bool + let _:Prims.unit = + if true + then + let _:Prims.unit = + Hax_lib.v_assert (((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) >=. + 0s + <: + bool) && + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <. 4096s + <: + bool)) + in + () + in + if (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >=. 3329s then { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 3329s + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 3329s <: i16) - <: - t_Array i16 (sz 16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - else vec) + else v) in - let _:Prims.unit = - Seq.lemma_eq_intro vec.f_elements - (Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) v__vec0.f_elements) - in - vec - -#push-options "--z3rlimit 150" + v let montgomery_multiply_by_constant - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. - j < v i ==> - (let vecj = Seq.index vec.f_elements j in - (Spec.Utils.is_i16b 3328 vecj /\ - v vecj % 3329 == (v (Seq.index v__vec0.f_elements j) * v c * 169) % 3329))) /\ - (forall j. 
j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j))) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - (montgomery_multiply_fe_by_fer (vec + (montgomery_multiply_fe_by_fer (v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) 
@@ -399,125 +209,93 @@ let montgomery_multiply_by_constant <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - vec + v -#pop-options - -let multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +let multiply_by_constant (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. - j < v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j) *! c) /\ - (forall j. j >= v i ==> (Seq.index vec.f_elements j) == (Seq.index v__vec0.f_elements j))) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - vec with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) *! c - <: - i16) - } + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) *! 
c <: i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - vec) - in - let _:Prims.unit = - assert (forall i. v (Seq.index vec.f_elements i) == v (Seq.index v__vec0.f_elements i) * v c) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - vec + v -let shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__vec0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +let shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in - let i:usize = i in - (forall j. - j < v i ==> - Seq.index vec.f_elements j == (Seq.index v__vec0.f_elements j >>! v_SHIFT_BY)) /\ - (forall j. j >= v i ==> Seq.index vec.f_elements j == Seq.index v__vec0.f_elements j)) - vec - (fun vec i -> - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - vec with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >>! 
- v_SHIFT_BY - <: - i16) - } + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) >>! v_SHIFT_BY + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - vec) - in - let _:Prims.unit = - Seq.lemma_eq_intro vec.f_elements - (Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) v__vec0.f_elements) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - vec + v let sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let v__lhs0:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun lhs i -> + (fun lhs temp_1_ -> let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in - let i:usize = i in - (forall j. - j < v i ==> - (Seq.index lhs.f_elements j) == - (Seq.index v__lhs0.f_elements j) -! (Seq.index rhs.f_elements j)) /\ - (forall j. j >= v i ==> (Seq.index lhs.f_elements j) == (Seq.index v__lhs0.f_elements j))) + let _:usize = temp_1_ in + true) lhs (fun lhs i -> let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = lhs in let i:usize = i in - let lhs:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - lhs with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 
- (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) - <: - i16) - } + { + lhs with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize lhs + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + ((lhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! + (rhs.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - lhs) - in - let _:Prims.unit = - assert (forall i. - v (Seq.index lhs.f_elements i) == - v (Seq.index v__lhs0.f_elements i) - v (Seq.index rhs.f_elements i)) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in lhs
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti
index 92516558b..860b97328 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Arithmetic.fsti
@@ -1,22 +1,30 @@ module Libcrux_ml_kem.Vector.Portable.Arithmetic -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul /// This is calculated as ⌊(BARRETT_R / FIELD_MODULUS) + 1/2⌋ let v_BARRETT_MULTIPLIER: i32 = 20159l +let v_BARRETT_SHIFT: i32 = 26l + +let v_BARRETT_R: i32 = 1l < let result:u32 = result in - v result == v value % pow2 (v n)) + result <. + (Core.Num.impl__u32__pow 2ul + (Core.Convert.f_into #u8 #u32 #FStar.Tactics.Typeclasses.solve n <: u32) + <: + u32)) /// Signed Barrett Reduction /// Given an input `value`, `barrett_reduce` outputs a representative `result`
@@ -24,142 +32,102 @@ val get_n_least_significant_bits (n: u8) (value: u32) /// - result ≡ value (mod FIELD_MODULUS) /// - the absolute value of `result` is bound as follows: /// `|result| ≤ FIELD_MODULUS / 2 · (|value|/BARRETT_R + 1) -/// -/// Note: The input bound is 28296 to prevent overflow in the multiplication of quotient by FIELD_MODULUS -/// +/// In particular, if `|value| < BARRETT_R`, then `|result| < FIELD_MODULUS`. val barrett_reduce_element (value: i16) : Prims.Pure i16 - (requires Spec.Utils.is_i16b 28296 value) + (requires + (Core.Convert.f_from #i32 #i16 #FStar.Tactics.Typeclasses.solve value <: i32) >. + (Core.Ops.Arith.Neg.neg v_BARRETT_R <: i32) && + (Core.Convert.f_from #i32 #i16 #FStar.Tactics.Typeclasses.solve value <: i32) <. v_BARRETT_R + ) (ensures fun result -> let result:i16 = result in - Spec.Utils.is_i16b 3328 result /\ v result % 3329 == v value % 3329) + result >. (Core.Ops.Arith.Neg.neg Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) && + result <. Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) /// Signed Montgomery Reduction /// Given an input `value`, `montgomery_reduce` outputs a representative `o` /// such that: /// - o ≡ value · MONTGOMERY_R^(-1) (mod FIELD_MODULUS) /// - the absolute value of `o` is bound as follows: -/// `|result| ≤ ceil(|value| / MONTGOMERY_R) + 1665 -/// In particular, if `|value| ≤ FIELD_MODULUS-1 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS-1`. -/// And, if `|value| ≤ pow2 16 * FIELD_MODULUS-1`, then `|o| <= FIELD_MODULUS + 1664 -/// +/// `|result| ≤ (|value| / MONTGOMERY_R) + (FIELD_MODULUS / 2) +/// In particular, if `|value| ≤ FIELD_MODULUS * MONTGOMERY_R`, then `|o| < (3 · FIELD_MODULUS) / 2`. val montgomery_reduce_element (value: i32) : Prims.Pure i16 - (requires Spec.Utils.is_i32b (3328 * pow2 16) value) + (requires + value >=. + ((Core.Ops.Arith.Neg.neg (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) + <: + i32) *! + v_MONTGOMERY_R + <: + i32) && + value <=. 
+ ((cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) <: i32) *! v_MONTGOMERY_R + <: + i32)) (ensures fun result -> let result:i16 = result in - Spec.Utils.is_i16b (3328 + 1665) result /\ - (Spec.Utils.is_i32b (3328 * pow2 15) value ==> Spec.Utils.is_i16b 3328 result) /\ - v result % 3329 == (v value * 169) % 3329) + result >=. + ((Core.Ops.Arith.Neg.neg (3s *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) + <: + i16) /! + 2s + <: + i16) && + result <=. ((3s *! Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS <: i16) /! 2s <: i16)) -/// If `fe` is some field element \'x\' of the Kyber field and `fer` is congruent to +/// If `fe` is some field element 'x' of the Kyber field and `fer` is congruent to /// `y · MONTGOMERY_R`, this procedure outputs a value that is congruent to /// `x · y`, as follows: /// `fe · fer ≡ x · y · MONTGOMERY_R (mod FIELD_MODULUS)` /// `montgomery_reduce` takes the value `x · y · MONTGOMERY_R` and outputs a representative /// `x · y · MONTGOMERY_R * MONTGOMERY_R^{-1} ≡ x · y (mod FIELD_MODULUS)`. val montgomery_multiply_fe_by_fer (fe fer: i16) - : Prims.Pure i16 - (requires Spec.Utils.is_i16b 1664 fer) - (ensures - fun result -> - let result:i16 = result in - Spec.Utils.is_i16b 3328 result /\ v result % 3329 == (v fe * v fer * 169) % 3329) + : Prims.Pure i16 Prims.l_True (fun _ -> Prims.l_True) val add (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i))) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall i. 
- i < 16 ==> - (v (Seq.index result.f_elements i) == - v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i))) + Prims.l_True + (fun _ -> Prims.l_True) -val barrett_reduce (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) +val barrett_reduce (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Spec.Utils.is_i16b_array 28296 vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements /\ - (forall i. - (v (Seq.index result.f_elements i) % 3329) == (v (Seq.index vec.f_elements i) % 3329)) - ) + Prims.l_True + (fun _ -> Prims.l_True) val bitwise_and_with_constant - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector Prims.l_True - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - result.f_elements == Spec.Utils.map_array (fun x -> x &. c) (vec.f_elements)) + (fun _ -> Prims.l_True) -/// Note: This function is not secret independent -/// Only use with public values. -val cond_subtract_3329_ (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) +val cond_subtract_3329_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Spec.Utils.is_i16b_array (pow2 12 - 1) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - result.f_elements == - Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 
3329s else x) (vec.f_elements)) + Prims.l_True + (fun _ -> Prims.l_True) val montgomery_multiply_by_constant - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Spec.Utils.is_i16b 1664 c) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements /\ - (forall i. - i < 16 ==> - (v (Seq.index result.f_elements i) % 3329 == - (v (Seq.index vec.f_elements i) * v c * 169) % 3329))) - -val multiply_by_constant (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) + Prims.l_True + (fun _ -> Prims.l_True) + +val multiply_by_constant (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index vec.f_elements i) * v c) - ) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall i. - i < 16 ==> (v (Seq.index result.f_elements i) == v (Seq.index vec.f_elements i) * v c)) + Prims.l_True + (fun _ -> Prims.l_True) -val shift_right (v_SHIFT_BY: i32) (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) +val shift_right (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> - result.f_elements == Spec.Utils.map_array (fun x -> x >>! 
v_SHIFT_BY) (vec.f_elements)) + Prims.l_True + (fun _ -> Prims.l_True) val sub (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall i. - i < 16 ==> - (v (Seq.index result.f_elements i) == - v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))) + Prims.l_True + (fun _ -> Prims.l_True)
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst
index aa963a309..208427e8b 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fst
@@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Portable.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul
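Review bot: The `val cond_subtract_3329_` declaration loses the `/// Note: This function is not secret independent` / `/// Only use with public values.` doc comment along with its `requires`/`ensures`, so this interface no longer tells callers that the implementation branches on the coefficient (`if … >=. 3329s` in the Arithmetic.fst hunk of this patch); the two comment lines should be restored above the `val` whether or not the contract stays trivial. In the same hunk the contracts of `montgomery_multiply_fe_by_fer`, `add`, `barrett_reduce`, `bitwise_and_with_constant`, `montgomery_multiply_by_constant`, `multiply_by_constant`, `shift_right` and `sub` become `Prims.l_True`, and the `ensures` of `barrett_reduce_element` and `montgomery_reduce_element` keep only range bounds and drop the congruence (`v result % 3329 == …`), so the specification no longer pins functional correctness of the reductions. This file appears to be hax-extracted, so the weakening presumably originates in the Rust-side annotations and should be addressed there; if it is intentional for a WIP step, the commit message should say so. The matching proof bodies and `#push-options` lemmas are removed in the Arithmetic.fst hunks earlier in this patch, which share this point.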
@@ -75,127 +75,73 @@ let compress let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun a i -> + (fun a temp_1_ -> let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in - let i:usize = i in - (v i < 16 ==> - (forall (j: nat). - (j >= v i /\ j < 16) ==> - v (cast (a.f_elements.[ sz j ]) <: u16) < - v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\ - (forall (j: nat). - j < v i ==> - v (a.f_elements.[ sz j ] <: i16) >= 0 /\ - v (a.f_elements.[ sz j ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32)))) + let _:usize = temp_1_ in + true) a (fun a i -> let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in let i:usize = i in - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - a with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8) - (cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) - <: - u16) - <: - i16) - } + { + a with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (compress_ciphertext_coefficient (cast (v_COEFFICIENT_BITS <: i32) <: u8) + (cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + <: + u16) + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - let _:Prims.unit = - assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ - v (a.f_elements.[ i ] <: i16) < pow2 (v (cast (v_COEFFICIENT_BITS) <: u32))) - in - a) - in - let _:Prims.unit = - assert (forall (i: nat). 
- i < 16 ==> - v (a.f_elements.[ sz i ] <: i16) >= 0 /\ - v (a.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS)) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in a #pop-options -#push-options "--fuel 0 --ifuel 0 --z3rlimit 2000" - -let compress_message_coefficient_range_helper (fe: u16) : Lemma - (requires fe <. (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) - (ensures v (cast (compress_message_coefficient fe) <: i16) >= 0 /\ - v (cast (compress_message_coefficient fe) <: i16) < 2) = - assert (v (cast (compress_message_coefficient fe) <: i16) >= 0 /\ - v (cast (compress_message_coefficient fe) <: i16) < 2) - -let compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let _:Prims.unit = - assert (forall (i: nat). - i < 16 ==> - (cast (a.f_elements.[ sz i ]) <: u16) <. - (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16)) - in - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = +let compress_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Rust_primitives.Hax.Folds.fold_range (sz 0) Libcrux_ml_kem.Vector.Traits.v_FIELD_ELEMENTS_IN_VECTOR - (fun a i -> - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in + (fun v temp_1_ -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in + let _:usize = temp_1_ in + true) + v + (fun v i -> + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = v in let i:usize = i in - (v i < 16 ==> - (forall (j: nat). - (j >= v i /\ j < 16) ==> - v (cast (a.f_elements.[ sz j ]) <: u16) < - v (cast (Libcrux_ml_kem.Vector.Traits.v_FIELD_MODULUS) <: u16))) /\ - (forall (j: nat). 
- j < v i ==> - v (a.f_elements.[ sz j ] <: i16) >= 0 /\ v (a.f_elements.[ sz j ] <: i16) < 2)) - a - (fun a i -> - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = a in - let i:usize = i in - let _:Prims.unit = - compress_message_coefficient_range_helper (cast (a.f_elements.[ i ]) <: u16) - in - let a:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - a with - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize a - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - i - (cast (compress_message_coefficient (cast (a - .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] - <: - i16) - <: - u16) - <: - u8) - <: - i16) - } + { + v with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (cast (compress_message_coefficient (cast (v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + <: + u16) + <: + u8) + <: + i16) <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - in - let _:Prims.unit = - assert (v (a.f_elements.[ i ] <: i16) >= 0 /\ v (a.f_elements.[ i ] <: i16) < 2) - in - a) - in - let _:Prims.unit = - assert (forall (i: nat). - i < 16 ==> v (a.f_elements.[ sz i ] <: i16) >= 0 /\ v (a.f_elements.[ sz i ] <: i16) < 2) + t_Array i16 (sz 16) + } + <: + Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) in - a - -#pop-options + v #push-options "--z3rlimit 300 --ext context_pruning" diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti index cdba6253e..e697451d4 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Compress.fsti 
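Review bot: The loop invariant of `compress` is now the constant `true` (`fun a temp_1_ -> let a:... = a in let _:usize = temp_1_ in true`) and the per-iteration `assert` on `a.f_elements.[ i ]` is gone, but the interface of `compress` in Compress.fsti still ends with `v (result.f_elements.[ sz i ] <: i16) >= 0 /\ v (result.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS)`; a trivial invariant gives `fold_range` nothing to carry across iterations, so that postcondition cannot be established and this module should fail to check at the new `--z3rlimit 15` — unless `val compress` is weakened in a hunk not shown. If the intent of this WIP is to drop all specs, the `ensures` on `compress` has to go too; if not, the invariant lines need to come back. Since both files are hax output, the change presumably belongs in the `hax_lib` attributes on the Rust source rather than in this generated file. The header of `compress` is outside this hunk, which starts inside its body.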
@@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Portable.Compress -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul @@ -62,17 +62,10 @@ val compress v (result.f_elements.[ sz i ] <: i16) >= 0 /\ v (result.f_elements.[ sz i ] <: i16) < pow2 (v v_COEFFICIENT_BITS)) -val compress_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) +val compress_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - forall (i: nat). - i < 16 ==> v (Seq.index a.f_elements i) >= 0 /\ v (Seq.index a.f_elements i) < 3329) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - forall (i: nat). - i < 16 ==> - v (result.f_elements.[ sz i ] <: i16) >= 0 /\ v (result.f_elements.[ sz i ] <: i16) < 2) + Prims.l_True + (fun _ -> Prims.l_True) val decompress_ciphertext_coefficient (v_COEFFICIENT_BITS: i32) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst index 06bc6c676..99ab0e5b0 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fst 
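Review bot: Renaming the parameter of `compress_1_` from `a` to `v` shadows `v`, the machine-integer view function that this hunk's own context lines use (`v (result.f_elements.[ sz i ] <: i16)` in `val compress`), so no `requires`/`ensures` for `compress_1_` can mention its elements without qualifying `v` — which may be why the contract collapsed to `Prims.l_True` / `(fun _ -> Prims.l_True)`. What is lost is the guarantee `0 <= result.f_elements.[ sz i ] < 2`, the property that lets the message serialisation (not in this hunk) treat each coefficient as one bit, together with the `< 3329` precondition that justified the `i16` to `u16` cast inside the implementation. Suggest keeping a non-shadowing binder name (`a`, or `vec` as the other files used) in the Rust source so the spec can be restored as `(requires forall (i: nat). i < 16 ==> v (Seq.index a.f_elements i) >= 0 /\ v (Seq.index a.f_elements i) < 3329)` with the original `< 2` ensures.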
@@ -1,289 +1,199 @@ module Libcrux_ml_kem.Vector.Portable.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul let inv_ntt_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) (i j: usize) = let a_minus_b:i16 = - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) -! - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) -! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) in - let a_plus_b:i16 = - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) +! - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) - in - let _:Prims.unit = - assert (v a_minus_b = v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i))); - assert (v a_plus_b = v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i))) - in - let o0:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element a_plus_b in - let o1:i16 = - Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta - in - let _:Prims.unit = - calc ( == ) { - v o0 % 3329; - ( == ) { () } - v a_plus_b % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v j)) + v (Seq.index vec.f_elements (v i))) % 3329; - }; - calc ( == ) { - v o1 % 3329; - ( == ) { () } - (v a_minus_b * v zeta * 169) % 3329; - ( == ) { () } - ((v (Seq.index vec.f_elements (v j)) - v (Seq.index vec.f_elements (v i))) * v zeta * 169) % - 3329; - } - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + 
Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - o0 + (Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce_element ((v + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) +! + (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) + <: + i16) + <: + i16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements j - o1 + (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer a_minus_b zeta + <: + i16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let _:Prims.unit = - assert (Seq.index vec.f_elements (v i) == o0); - assert (Seq.index vec.f_elements (v j) == o1) - in - vec - -#push-options "--z3rlimit 200" + v let inv_ntt_layer_1_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 0) (sz 2) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 1) (sz 3) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 4) (sz 6) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 5) (sz 7) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta2 (sz 8) (sz 10) - in - let 
vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta2 (sz 9) (sz 11) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta3 (sz 12) (sz 14) - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta3 (sz 13) (sz 15) - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 13)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 15)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 12)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 14)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 9)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 11)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 8)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 10)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 5)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 7)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 4)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 6)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 1)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 3)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 0)); - assert (Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements 2)); - assert (forall (i: nat). 
i < 16 ==> Spec.Utils.is_i16b 3328 (Seq.index vec.f_elements i)) - in - vec - -#pop-options - -#push-options "--z3rlimit 100" + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 0) (sz 2) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 1) (sz 3) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 4) (sz 6) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 5) (sz 7) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta2 (sz 8) (sz 10) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta2 (sz 9) (sz 11) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta3 (sz 12) (sz 14) + in + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta3 (sz 13) (sz 15) + in + v let inv_ntt_layer_2_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 0) (sz 4) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 0) (sz 4) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 1) (sz 5) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 1) (sz 5) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 2) (sz 6) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 2) (sz 6) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta0 (sz 3) (sz 7) + let 
v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta0 (sz 3) (sz 7) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 8) (sz 12) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 8) (sz 12) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 9) (sz 13) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 9) (sz 13) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 10) (sz 14) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 10) (sz 14) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta1 (sz 11) (sz 15) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta1 (sz 11) (sz 15) in - vec - -#pop-options - -#push-options "--z3rlimit 100" + v let inv_ntt_layer_3_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 0) (sz 8) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 0) (sz 8) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 1) (sz 9) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 1) (sz 9) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 2) (sz 10) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 2) (sz 10) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 3) 
(sz 11) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 3) (sz 11) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 4) (sz 12) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 4) (sz 12) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 5) (sz 13) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 5) (sz 13) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 6) (sz 14) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 6) (sz 14) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - inv_ntt_step vec zeta (sz 7) (sz 15) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + inv_ntt_step v zeta (sz 7) (sz 15) in - vec - -#pop-options - -#push-options "--z3rlimit 250 --split_queries always --query_stats --ext context_prune" + v let ntt_multiply_binomials (a b: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) - (i: usize) + (i j: usize) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let ai:i16 = a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 *! i <: usize ] in - let bi:i16 = b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 2 *! i <: usize ] in - let aj:i16 = - a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ (sz 2 *! i <: usize) +! sz 1 <: usize - ] - in - let bj:i16 = - b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ (sz 2 *! i <: usize) +! 
sz 1 <: usize - ] - in - let _:Prims.unit = - assert (Spec.Utils.is_i16b 3328 ai); - assert (Spec.Utils.is_i16b 3328 bi); - assert (Spec.Utils.is_i16b 3328 aj); - assert (Spec.Utils.is_i16b 3328 bj); - assert_norm (3328 * 3328 < pow2 31) - in - let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 ai bi in - let ai_bi:i32 = (cast (ai <: i16) <: i32) *! (cast (bi <: i16) <: i32) in - let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 aj bj in - let aj_bj___:i32 = (cast (aj <: i16) <: i32) *! (cast (bj <: i16) <: i32) in - let _:Prims.unit = assert_norm (3328 * 3328 <= 3328 * pow2 15) in - let aj_bj:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element aj_bj___ in - let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 1664 aj_bj zeta in - let aj_bj_zeta:i32 = (cast (aj_bj <: i16) <: i32) *! (cast (zeta <: i16) <: i32) in - let ai_bi_aj_bj:i32 = ai_bi +! aj_bj_zeta in - let _:Prims.unit = assert (Spec.Utils.is_i32b (3328 * 3328 + 3328 * 1664) ai_bi_aj_bj) in - let _:Prims.unit = assert_norm (3328 * 3328 + 3328 * 1664 <= 3328 * pow2 15) in - let o0:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element ai_bi_aj_bj in - let _:Prims.unit = - calc ( == ) { - v o0 % 3329; - ( == ) { () } - (v ai_bi_aj_bj * 169) % 3329; - ( == ) { assert (v ai_bi_aj_bj == v ai_bi + v aj_bj_zeta) } - ((v ai_bi + v aj_bj_zeta) * 169) % 3329; - ( == ) { assert (v ai_bi == v ai * v bi) } - (((v ai * v bi) + v aj_bj_zeta) * 169) % 3329; - ( == ) { assert (v aj_bj_zeta == v aj_bj * v zeta) } - (((v ai * v bi) + (v aj_bj * v zeta)) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + (v aj_bj * v zeta)) 169 3329 } - ((((v ai * v bi) + (v aj_bj * v zeta)) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v ai * v bi) (v aj_bj * v zeta) 3329 } - ((((v ai * v bi) + ((v aj_bj * v zeta) % 3329)) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v aj_bj) (v zeta) 3329 } - ((((v ai * v bi) + (((v aj_bj % 
3329) * v zeta) % 3329)) % 3329) * 169) % 3329; - ( == ) { assert (v aj_bj % 3329 == (v aj_bj___ * 169) % 3329) } - ((((v ai * v bi) + ((((v aj_bj___ * 169) % 3329) * v zeta) % 3329)) % 3329) * 169) % 3329; - ( == ) { assert (v aj_bj___ == v aj * v bj) } - ((((v ai * v bi) + ((((v aj * v bj * 169) % 3329) * v zeta) % 3329)) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l (v aj * v bj * 169) (v zeta) 3329 } - ((((v ai * v bi) + (((v aj * v bj * 169 * v zeta) % 3329))) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v ai * v bi) (v aj * v bj * 169 * v zeta) 3329 } - ((((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) % 3329) * 169) % 3329; - ( == ) { Math.Lemmas.lemma_mod_mul_distr_l ((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) - 169 - 3329 } - (((v ai * v bi) + ((v aj * v bj * 169 * v zeta))) * 169) % 3329; - } + let o0:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element (((cast (a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + <: + i32) *! + (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: i32) + <: + i32) +! + ((cast (Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element ((cast (a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] + <: + i16) + <: + i32) *! + (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) + <: + i32) + <: + i32) + <: + i16) + <: + i32) *! + (cast (zeta <: i16) <: i32) + <: + i32) + <: + i32) in - let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 ai bj in - let ai_bj:i32 = (cast (ai <: i16) <: i32) *! (cast (bj <: i16) <: i32) in - let _:Prims.unit = Spec.Utils.lemma_mul_i16b 3328 3328 aj bi in - let aj_bi:i32 = (cast (aj <: i16) <: i32) *! (cast (bi <: i16) <: i32) in - let ai_bj_aj_bi:i32 = ai_bj +! 
aj_bi in - let _:Prims.unit = assert (Spec.Utils.is_i32b (3328 * 3328 + 3328 * 3328) ai_bj_aj_bi) in - let _:Prims.unit = assert_norm (3328 * 3328 + 3328 * 3328 <= 3328 * pow2 15) in - let o1:i16 = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element ai_bj_aj_bi in - let _:Prims.unit = - calc ( == ) { - v o1 % 3329; - ( == ) { () } - (v ai_bj_aj_bi * 169) % 3329; - ( == ) { assert (v ai_bj_aj_bi == v ai_bj + v aj_bi) } - ((v ai_bj + v aj_bi) * 169) % 3329; - ( == ) { assert (v ai_bj == v ai * v bj) } - ((v ai * v bj + v aj_bi) * 169) % 3329; - ( == ) { assert (v aj_bi == v aj * v bi) } - ((v ai * v bj + v aj * v bi) * 169) % 3329; - } + let o1:i16 = + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_reduce_element (((cast (a + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] + <: + i16) + <: + i32) *! + (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) <: i32) + <: + i32) +! + ((cast (a.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) <: i32) *! + (cast (b.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: i32) + <: + i32) + <: + i32) in - let v__out0:t_Array i16 (sz 16) = out.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { out with @@ -291,7 +201,7 @@ let ntt_multiply_binomials = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - (sz 2 *! i <: usize) + i o0 } <: 
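Review bot: The `i32` arithmetic feeding `montgomery_reduce_element` in the new `ntt_multiply_binomials` — `a.[i]*b.[i] +! (montgomery_reduce_element (a.[j]*b.[j]) as i32) *! zeta` for `o0` and `a.[i]*b.[j] +! a.[j]*b.[i]` for `o1` — no longer carries any stated bound on `a`, `b` or `zeta`. The deleted `Spec.Utils.lemma_mul_i16b 3328 3328 ...` calls and `assert_norm (3328 * 3328 + 3328 * 1664 <= 3328 * pow2 15)` were what showed these sums stay within the reducer's apparent input range and inside `i32`; `+!`/`*!` are the checked operators, so the obligation still exists, only nothing in the hunk now discharges or even records it. The Rust these are extracted from (not shown) presumably uses plain `*`/`+` on `i32`, which wrap silently in release builds, so a bound regression here would be a silent NTT arithmetic error rather than a panic. If the specs are being dropped only temporarily, keep the bound recorded at the new signature via the hax annotation that extracts to `(requires Spec.Utils.is_i16b_array 3328 a.f_elements /\ Spec.Utils.is_i16b_array 3328 b.f_elements /\ Spec.Utils.is_i16b 1664 zeta)`; `ntt_multiply_binomials` continues past this hunk.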
@@ -304,264 +214,170 @@ let ntt_multiply_binomials = Rust_primitives.Hax.Monomorphized_update_at.update_at_usize out .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - ((sz 2 *! i <: usize) +! sz 1 <: usize) + j o1 } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let _:Prims.unit = - assert (Seq.index out.f_elements (2 * v i) == o0); - assert (Seq.index out.f_elements (2 * v i + 1) == o1); - assert (Spec.Utils.is_i16b_array 3328 out.f_elements); - assert (forall k. - (k <> 2 * v i /\ k <> 2 * v i + 1) ==> Seq.index out.f_elements k == Seq.index v__out0 k) - in - let hax_temp_output:Prims.unit = admit () (* Panic freedom *) in out -#pop-options - let ntt_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) (i j: usize) = let t:i16 = - Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (vec + Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_fe_by_fer (v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ j ] <: i16) zeta in - let _:Prims.unit = - assert (v t % 3329 == ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) - in - let a_minus_t:i16 = - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 
t - in - let _:Prims.unit = - calc ( == ) { - v a_minus_t % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) - v t) % 3329; - ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 } - (v (Seq.index vec.f_elements (v i)) - (v t % 3329)) % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) - - ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) % - 3329; - ( == ) { Math.Lemmas.lemma_mod_sub_distr (v (Seq.index vec.f_elements (v i))) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169) - 3329 } - (v (Seq.index vec.f_elements (v i)) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) % - 3329; - } - in - let a_plus_t:i16 = - (vec.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! t - in - let _:Prims.unit = - calc ( == ) { - v a_plus_t % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) + v t) % 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i))) (v t) 3329 } - (v (Seq.index vec.f_elements (v i)) + (v t % 3329)) % 3329; - ( == ) { () } - (v (Seq.index vec.f_elements (v i)) + - ((v (Seq.index vec.f_elements (v j)) * v zeta * 169) % 3329)) % - 3329; - ( == ) { Math.Lemmas.lemma_mod_add_distr (v (Seq.index vec.f_elements (v i))) - (v (Seq.index vec.f_elements (v j)) * v zeta * 169) - 3329 } - (v (Seq.index vec.f_elements (v i)) + (v (Seq.index vec.f_elements (v j)) * v zeta * 169)) % - 3329; - } - in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements j - a_minus_t + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) -! 
t <: i16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { - vec with + v with Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements = - Rust_primitives.Hax.Monomorphized_update_at.update_at_usize vec + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize v .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements i - a_plus_t + ((v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) +! t <: i16) } <: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector in - let _:Prims.unit = - assert (Seq.index vec.f_elements (v i) == a_plus_t); - assert (Seq.index vec.f_elements (v j) == a_minus_t) - in - vec - -#push-options "--z3rlimit 100" + v let ntt_layer_1_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 0) (sz 2) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 0) (sz 2) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 1) (sz 3) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 1) (sz 3) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 4) (sz 6) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 4) (sz 6) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 5) (sz 7) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 5) (sz 7) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta2 (sz 8) (sz 10) + let 
v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta2 (sz 8) (sz 10) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta2 (sz 9) (sz 11) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta2 (sz 9) (sz 11) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta3 (sz 12) (sz 14) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta3 (sz 12) (sz 14) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta3 (sz 13) (sz 15) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta3 (sz 13) (sz 15) in - vec - -#pop-options - -#push-options "--z3rlimit 100" + v let ntt_layer_2_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 0) (sz 4) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 0) (sz 4) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 1) (sz 5) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 1) (sz 5) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 2) (sz 6) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 2) (sz 6) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta0 (sz 3) (sz 7) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta0 (sz 3) (sz 7) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 8) (sz 12) + let 
v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 8) (sz 12) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 9) (sz 13) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 9) (sz 13) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 10) (sz 14) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 10) (sz 14) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta1 (sz 11) (sz 15) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta1 (sz 11) (sz 15) in - vec - -#pop-options + v -#push-options "--z3rlimit 100" - -let ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) = - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 0) (sz 8) +let ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) = + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 0) (sz 8) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 1) (sz 9) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 1) (sz 9) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 2) (sz 10) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 2) (sz 10) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 3) (sz 11) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 3) (sz 11) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 4) (sz 12) + let 
v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 4) (sz 12) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 5) (sz 13) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 5) (sz 13) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 6) (sz 14) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 6) (sz 14) in - let vec:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_step vec zeta (sz 7) (sz 15) + let v:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = + ntt_step v zeta (sz 7) (sz 15) in - vec - -#pop-options - -#push-options "--z3rlimit 100" + v let ntt_multiply (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) = - let nzeta0:i16 = Core.Ops.Arith.Neg.neg zeta0 in - let nzeta1:i16 = Core.Ops.Arith.Neg.neg zeta1 in - let nzeta2:i16 = Core.Ops.Arith.Neg.neg zeta2 in - let nzeta3:i16 = Core.Ops.Arith.Neg.neg zeta3 in - let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta0) in - let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta1) in - let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta2) in - let _:Prims.unit = assert (Spec.Utils.is_i16b 1664 nzeta3) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Vector_type.zero () in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs zeta0 (sz 0) out + ntt_multiply_binomials lhs rhs zeta0 (sz 0) (sz 1) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs nzeta0 (sz 1) out + ntt_multiply_binomials lhs rhs 
(Core.Ops.Arith.Neg.neg zeta0 <: i16) (sz 2) (sz 3) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs zeta1 (sz 2) out + ntt_multiply_binomials lhs rhs zeta1 (sz 4) (sz 5) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs nzeta1 (sz 3) out + ntt_multiply_binomials lhs rhs (Core.Ops.Arith.Neg.neg zeta1 <: i16) (sz 6) (sz 7) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs zeta2 (sz 4) out + ntt_multiply_binomials lhs rhs zeta2 (sz 8) (sz 9) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs nzeta2 (sz 5) out + ntt_multiply_binomials lhs rhs (Core.Ops.Arith.Neg.neg zeta2 <: i16) (sz 10) (sz 11) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs zeta3 (sz 6) out + ntt_multiply_binomials lhs rhs zeta3 (sz 12) (sz 13) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - ntt_multiply_binomials lhs rhs nzeta3 (sz 7) out + ntt_multiply_binomials lhs rhs (Core.Ops.Arith.Neg.neg zeta3 <: i16) (sz 14) (sz 15) out in - let _:Prims.unit = assert (Spec.Utils.is_i16b_array 3328 out.f_elements) in - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - let _:Prims.unit = admit () (* Panic freedom *) in - result - -#pop-options + out 
diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti
index 1b1a575e4..3c826a279 100644
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Ntt.fsti
@@ -1,65 +1,36 @@ module Libcrux_ml_kem.Vector.Portable.Ntt -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -[@@ "opaque_to_smt"] - val inv_ntt_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) (i j: usize) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - v i < 16 /\ v j < 16 /\ v i <> v j /\ Spec.Utils.is_i16b 1664 zeta /\ - Spec.Utils.is_i16b_array (4 * 3328) vec.f_elements) - (ensures - fun vec_future -> - let vec_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec_future in - Spec.Utils.is_i16b_array (4 * 3328) vec_future.f_elements /\ - (forall k. - (k <> v i /\ k <> v j) ==> - Seq.index vec_future.f_elements k == Seq.index vec.f_elements k) /\ - Spec.Utils.is_i16b 3328 (Seq.index vec_future.f_elements (v i)) /\ - Spec.Utils.is_i16b 3328 (Seq.index vec_future.f_elements (v j)) /\ - Spec.Utils.inv_ntt_spec vec.f_elements (v zeta) (v i) (v j) vec_future.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val inv_ntt_layer_1_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (4 * 3328) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val inv_ntt_layer_2_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 
zeta1: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array 3328 vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val inv_ntt_layer_3_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements) - -[@@ "opaque_to_smt"] + Prims.l_True + (fun _ -> Prims.l_True) /// Compute the product of two Kyber binomials with respect to the /// modulus `X² - zeta`. 
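Review bot: The new `inv_ntt_step` declaration keeps `(i j: usize)` but replaces its `requires`, including `v i < 16 /\ v j < 16 /\ v i <> v j`, with `Prims.l_True`, so the interface no longer states that the two indices are in range or distinct, and the `is_i16b_array (4 * 3328)` hypotheses plus the `Spec.Utils.inv_ntt_spec` postcondition that related each step to the spec go with it. If this is a deliberate temporary reset (the patch is titled "wip"), I would still keep the index contract, `(requires v i < 16 /\ v j < 16 /\ v i <> v j)`, since the element accesses in the body presumably rely on it, and mark each weakened `val` with `(* TODO(wip): bound and inv_ntt_spec contracts dropped, restore before merge *)` so the missing obligations stay visible in review. The `--z3rlimit` drop from 100 to 15 in the same hunk is consistent with trivial specs but will presumably have to go back up once the contracts return. The bodies these contracts protect are in Libcrux_ml_kem.Vector.Portable.Ntt.fst, outside this hunk.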
@@ -73,127 +44,49 @@ val inv_ntt_layer_3_step /// c₁ ← a₀·b₁ + a₁·b₀ /// return c₀, c₁ /// ``` -/// We say \"almost\" because the coefficients output by this function are in +/// We say "almost" because the coefficients output by this function are in /// the Montgomery domain (unlike in the specification). /// The NIST FIPS 203 standard can be found at /// . val ntt_multiply_binomials (a b: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) - (i: usize) + (i j: usize) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - v i < 8 /\ Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 a.f_elements /\ - Spec.Utils.is_i16b_array 3328 b.f_elements /\ Spec.Utils.is_i16b_array 3328 out.f_elements) - (ensures - fun out_future -> - let out_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out_future in - Spec.Utils.is_i16b_array 3328 out_future.f_elements /\ - (forall k. 
- (k <> 2 * v i /\ k <> 2 * v i + 1) ==> - Seq.index out_future.f_elements k == Seq.index out.f_elements k) /\ - (let ai = Seq.index a.f_elements (2 * v i) in - let aj = Seq.index a.f_elements (2 * v i + 1) in - let bi = Seq.index b.f_elements (2 * v i) in - let bj = Seq.index b.f_elements (2 * v i + 1) in - let oi = Seq.index out_future.f_elements (2 * v i) in - let oj = Seq.index out_future.f_elements (2 * v i + 1) in - ((v oi % 3329) == (((v ai * v bi + (v aj * v bj * v zeta * 169)) * 169) % 3329)) /\ - ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))) - -[@@ "opaque_to_smt"] + Prims.l_True + (fun _ -> Prims.l_True) val ntt_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) (i j: usize) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - v i < 16 /\ v j < 16 /\ v i <> v j /\ Spec.Utils.is_i16b 1664 zeta /\ - Spec.Utils.is_i16b_array (11207 + 6 * 3328) vec.f_elements /\ - Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ i ] /\ - Spec.Utils.is_i16b (11207 + 5 * 3328) vec.f_elements.[ j ]) - (ensures - fun vec_future -> - let vec_future:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = vec_future in - (forall k. - (k <> v i /\ k <> v j) ==> - Seq.index vec_future.f_elements k == Seq.index vec.f_elements k) /\ - (forall b. 
- (Spec.Utils.is_i16b b vec.f_elements.[ i ] /\ - Spec.Utils.is_i16b b vec.f_elements.[ j ]) ==> - (Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ i ] /\ - Spec.Utils.is_i16b (b + 3328) vec_future.f_elements.[ j ])) /\ - Spec.Utils.ntt_spec vec.f_elements (v zeta) (v i) (v j) vec_future.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_layer_1_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (11207 + 5 * 3328) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array (11207 + 6 * 3328) result.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_layer_2_step - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array (11207 + 4 * 3328) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array (11207 + 5 * 3328) result.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) -val ntt_layer_3_step (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) +val ntt_layer_3_step (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 
3 * 3328) vec.f_elements) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array (11207 + 4 * 3328) result.f_elements) + Prims.l_True + (fun _ -> Prims.l_True) val ntt_multiply (lhs rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta0 zeta1 zeta2 zeta3: i16) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array 3328 lhs.f_elements /\ Spec.Utils.is_i16b_array 3328 rhs.f_elements - ) - (ensures - fun result -> - let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in - Spec.Utils.is_i16b_array 3328 result.f_elements /\ - (let zetas = - Seq.seq_of_list [ - v zeta0; - - v zeta0; - v zeta1; - - v zeta1; - v zeta2; - - v zeta2; - v zeta3; - - v zeta3 - ] - in - (forall (i: nat). - i < 8 ==> - (let ai = Seq.index lhs.f_elements (2 * i) in - let aj = Seq.index lhs.f_elements (2 * i + 1) in - let bi = Seq.index rhs.f_elements (2 * i) in - let bj = Seq.index rhs.f_elements (2 * i + 1) in - let oi = Seq.index result.f_elements (2 * i) in - let oj = Seq.index result.f_elements (2 * i + 1) in - ((v oi % 3329) == - (((v ai * v bi + (v aj * v bj * (Seq.index zetas i) * 169)) * 169) % 3329)) /\ - ((v oj % 3329) == (((v ai * v bj + v aj * v bi) * 169) % 3329)))))) + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst index b9c0febd3..aec49a64f 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fst 
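Review bot: Replacing the `ntt_step`, `ntt_layer_*_step` and `ntt_multiply` contracts with `Prims.l_True` removes the coefficient-growth argument for the i16 arithmetic: the removed `Spec.Utils.is_i16b (11207 + k * 3328)` pre/postcondition chain across layers 3, 2 and 1, the `is_i16b 1664 zeta` bounds, and the `ensures` on `ntt_step` that each touched element grows by at most `3328` were the interface-level evidence that no intermediate value leaves i16, while `Spec.Utils.ntt_spec` and the `% 3329` equalities on `ntt_multiply_binomials`/`ntt_multiply` tied the result to the reference arithmetic. `ntt_multiply_binomials` now also takes `(i j: usize)` with no `v i < 16 /\ v j < 16` requirement, so in-bounds access on `out` is stated nowhere in the interface. Given that the Ntt.fst hunk earlier in this patch also drops the `admit () (* Panic freedom *)`, either the implementation proofs are being admitted by a file-level option not visible here or they no longer establish absence of overflow; worth confirming before this lands. As a minimum I would restore `(requires v i < 16 /\ v j < 16 /\ v i <> v j)` on `ntt_multiply_binomials` and leave a `(* TODO(wip): is_i16b bounds and ntt_spec contracts dropped *)` on each weakened `val`.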
@@ -1,10 +1,8 @@ module Libcrux_ml_kem.Vector.Portable.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -#push-options "--admit_smt_queries true" - let rej_sample (a: t_Slice u8) (result: t_Slice i16) = let sampled:usize = sz 0 in let result, sampled:(t_Slice i16 & usize) = @@ -42,5 +40,3 @@ let rej_sample (a: t_Slice u8) (result: t_Slice i16) = in let hax_temp_output:usize = sampled in result, hax_temp_output <: (t_Slice i16 & usize) - -#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti index cbbc36deb..fc5f15276 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Sampling.fsti @@ -1,14 +1,7 @@ module Libcrux_ml_kem.Vector.Portable.Sampling -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul val rej_sample (a: t_Slice u8) (result: t_Slice i16) - : Prims.Pure (t_Slice i16 & usize) - (requires - (Core.Slice.impl__len #u8 a <: usize) =. sz 24 && - (Core.Slice.impl__len #i16 result <: usize) =. sz 16) - (ensures - fun temp_0_ -> - let result_future, res:(t_Slice i16 & usize) = temp_0_ in - Seq.length result_future == Seq.length result /\ v res <= 16) + : Prims.Pure (t_Slice i16 & usize) Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst index 37ca063e4..9a88facf7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Serialize.fst 
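Review bot: `rej_sample` loses its slice-length precondition (`len a = 24`, `len result = 16`) and the `Seq.length result_future == Seq.length result /\ v res <= 16` postcondition in the Sampling.fsti hunk, and the Sampling.fst hunk on the same line removes the `--admit_smt_queries true` wrapper around its body, so the body's accesses into `a` and `result` (largely outside this hunk) now have neither an admit nor a length hypothesis to rely on. This is the step that parses XOF output into coefficients, and the `v res <= 16` bound on the returned count is presumably what a caller advancing through `result` by `sampled` depends on. I would keep `(requires (Core.Slice.impl__len #u8 a <: usize) =. sz 24 && (Core.Slice.impl__len #i16 result <: usize) =. sz 16)` and `(ensures fun temp_0_ -> let result_future, res:(t_Slice i16 & usize) = temp_0_ in Seq.length result_future == Seq.length result /\ v res <= 16)` rather than `Prims.l_True`, or add a comment in the .fsti saying why they were dropped if the removal is intentional.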
@@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Portable.Serialize -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -244,65 +244,159 @@ let serialize_5_int (v: t_Slice i16) = in r0, r1, r2, r3, r4 <: (u8 & u8 & u8 & u8 & u8) -let deserialize_11_ (bytes: t_Slice u8) = - let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_11_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 11 } +let serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let result:t_Array u8 (sz 2) = Rust_primitives.Hax.repeat 0uy (sz 2) in + let result:t_Array u8 (sz 2) = + Rust_primitives.Hax.Folds.fold_range (sz 0) + (sz 8) + (fun result temp_1_ -> + let result:t_Array u8 (sz 2) = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Array u8 (sz 2) = result in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 0) + ((result.[ sz 0 ] <: u8) |. + ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: u8) < + let result:t_Array u8 (sz 2) = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:t_Array u8 (sz 2) = result in + let i:usize = i in + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + (sz 1) + ((result.[ sz 1 ] <: u8) |. + ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ i ] <: i16) <: u8) <>! 1l <: u8) &. 1uy <: u8) <: i16 in - let result2:i16 = cast (((v.[ sz 0 ] <: u8) >>! 2l <: u8) &. 1uy <: u8) <: i16 in - let result3:i16 = cast (((v.[ sz 0 ] <: u8) >>! 3l <: u8) &. 1uy <: u8) <: i16 in - let result4:i16 = cast (((v.[ sz 0 ] <: u8) >>! 4l <: u8) &. 1uy <: u8) <: i16 in - let result5:i16 = cast (((v.[ sz 0 ] <: u8) >>! 5l <: u8) &. 1uy <: u8) <: i16 in - let result6:i16 = cast (((v.[ sz 0 ] <: u8) >>! 6l <: u8) &. 1uy <: u8) <: i16 in - let result7:i16 = cast (((v.[ sz 0 ] <: u8) >>! 7l <: u8) &. 1uy <: u8) <: i16 in - let result8:i16 = cast ((v.[ sz 1 ] <: u8) &. 1uy <: u8) <: i16 in - let result9:i16 = cast (((v.[ sz 1 ] <: u8) >>! 1l <: u8) &. 
1uy <: u8) <: i16 in - let result10:i16 = cast (((v.[ sz 1 ] <: u8) >>! 2l <: u8) &. 1uy <: u8) <: i16 in - let result11:i16 = cast (((v.[ sz 1 ] <: u8) >>! 3l <: u8) &. 1uy <: u8) <: i16 in - let result12:i16 = cast (((v.[ sz 1 ] <: u8) >>! 4l <: u8) &. 1uy <: u8) <: i16 in - let result13:i16 = cast (((v.[ sz 1 ] <: u8) >>! 5l <: u8) &. 1uy <: u8) <: i16 in - let result14:i16 = cast (((v.[ sz 1 ] <: u8) >>! 6l <: u8) &. 1uy <: u8) <: i16 in - let result15:i16 = cast (((v.[ sz 1 ] <: u8) >>! 7l <: u8) &. 1uy <: u8) <: i16 in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - result0; result1; result2; result3; result4; result5; result6; result7; result8; result9; - result10; result11; result12; result13; result14; result15 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - -#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" - -let deserialize_1_bit_vec_lemma (v: t_Array u8 (sz 2)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (deserialize_1_ v).f_elements 1 in - (forall (i: nat {i < 16}). 
inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options - -#push-options "--z3rlimit 300" - -let deserialize_1_lemma inputs = - deserialize_1_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_1_ inputs).f_elements 1) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options - -let deserialize_1_bounded_lemma inputs = - admit() - -let deserialize_10_ (bytes: t_Slice u8) = - let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_10_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 10 } + let r6_8_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 4; + Core.Ops.Range.f_end = sz 6 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_10_int (bytes.[ { Core.Ops.Range.f_start = sz 10; Core.Ops.Range.f_end = sz 20 } + let r9_11_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 6; + Core.Ops.Range.f_end = sz 8 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1; - v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - -#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" - -let deserialize_10_bit_vec_lemma (v: t_Array u8 (sz 20)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (deserialize_10_ v).f_elements 10 in - (forall (i: nat 
{i < 160}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options - -#push-options "--z3rlimit 300" - -let deserialize_10_lemma inputs = - deserialize_10_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_10_ inputs).f_elements 10) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options - -let deserialize_10_bounded_lemma inputs = - admit() - -let deserialize_12_ (bytes: t_Slice u8) = - let v0_1_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 3 } + let r12_14_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 10 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v2_3_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 3; Core.Ops.Range.f_end = sz 6 } + let r15_17_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 10; + Core.Ops.Range.f_end = sz 12 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v4_5_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 6; Core.Ops.Range.f_end = sz 9 } + let r18_20_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 12; + Core.Ops.Range.f_end = sz 14 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v6_7_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 9; Core.Ops.Range.f_end = sz 12 } + let r21_23_:(u8 & u8 & u8) = + serialize_12_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 14; + Core.Ops.Range.f_end = sz 16 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v8_9_:(i16 & i16) = - 
deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 12; Core.Ops.Range.f_end = sz 15 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) + let result:t_Array u8 (sz 24) = Rust_primitives.Hax.repeat 0uy (sz 24) in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 0) r0_2_._1 in - let v10_11_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 15; Core.Ops.Range.f_end = sz 18 } + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 1) r0_2_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 2) r0_2_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 3) r3_5_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 4) r3_5_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 5) r3_5_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 6) r6_8_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 7) r6_8_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 8) r6_8_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 9) r9_11_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 10) r9_11_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 11) r9_11_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 12) r12_14_._1 + in + let result:t_Array u8 (sz 24) 
= + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 13) r12_14_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 14) r12_14_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 15) r15_17_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 16) r15_17_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 17) r15_17_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 18) r18_20_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 19) r18_20_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 20) r18_20_._3 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 21) r21_23_._1 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 22) r21_23_._2 + in + let result:t_Array u8 (sz 24) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 23) r21_23_._3 + in + result + +let serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let result0_3_:(u8 & u8 & u8 & u8) = + serialize_4_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v12_13_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 18; Core.Ops.Range.f_end = sz 21 } + let result4_7_:(u8 & u8 & u8 & u8) = + serialize_4_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 8; + 
Core.Ops.Range.f_end = sz 16 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v14_15_:(i16 & i16) = - deserialize_12_int (bytes.[ { Core.Ops.Range.f_start = sz 21; Core.Ops.Range.f_end = sz 24 } + let result:t_Array u8 (sz 8) = Rust_primitives.Hax.repeat 0uy (sz 8) in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 0) result0_3_._1 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 1) result0_3_._2 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 2) result0_3_._3 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 3) result0_3_._4 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 4) result4_7_._1 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 5) result4_7_._2 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 6) result4_7_._3 + in + let result:t_Array u8 (sz 8) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 7) result4_7_._4 + in + result + +let serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = + let r0_4_:(u8 & u8 & u8 & u8 & u8) = + serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 0; + Core.Ops.Range.f_end = sz 8 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - v0_1_._1; v0_1_._2; v2_3_._1; v2_3_._2; v4_5_._1; v4_5_._2; v6_7_._1; v6_7_._2; v8_9_._1; - v8_9_._2; v10_11_._1; v10_11_._2; v12_13_._1; v12_13_._2; v14_15_._1; v14_15_._2 - ] - in - FStar.Pervasives.assert_norm (Prims.eq2 (List.Tot.length 
list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - -#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" - -let deserialize_12_bit_vec_lemma (v: t_Array u8 (sz 24)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (deserialize_12_ v).f_elements 12 in - (forall (i: nat {i < 192}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options - -#push-options "--z3rlimit 300" - -let deserialize_12_lemma inputs = - deserialize_12_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_12_ inputs).f_elements 12) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options - -let deserialize_12_bounded_lemma inputs = - admit() - -let deserialize_4_ (bytes: t_Slice u8) = - let v0_7_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_4_int (bytes.[ { Core.Ops.Range.f_start = sz 0; Core.Ops.Range.f_end = sz 4 } + let r5_9_:(u8 & u8 & u8 & u8 & u8) = + serialize_5_int (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ { + Core.Ops.Range.f_start = sz 8; + Core.Ops.Range.f_end = sz 16 + } <: Core.Ops.Range.t_Range usize ] <: - t_Slice u8) + t_Slice i16) in - let v8_15_:(i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) = - deserialize_4_int (bytes.[ { Core.Ops.Range.f_start = sz 4; Core.Ops.Range.f_end = sz 8 } - <: - Core.Ops.Range.t_Range usize ] - <: - t_Slice u8) + let result:t_Array u8 (sz 10) = Rust_primitives.Hax.repeat 0uy (sz 10) in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 0) r0_4_._1 in - { - Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements - = - let list = - [ - v0_7_._1; v0_7_._2; v0_7_._3; v0_7_._4; v0_7_._5; v0_7_._6; v0_7_._7; v0_7_._8; v8_15_._1; - v8_15_._2; v8_15_._3; v8_15_._4; v8_15_._5; v8_15_._6; v8_15_._7; v8_15_._8 - ] - in - FStar.Pervasives.assert_norm 
(Prims.eq2 (List.Tot.length list) 16); - Rust_primitives.Hax.array_of_list 16 list - } - <: - Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - -#push-options "--compat_pre_core 2 --z3rlimit 300 --z3refresh" - -let deserialize_4_bit_vec_lemma (v: t_Array u8 (sz 8)) - : squash ( - let inputs = bit_vec_of_int_t_array v 8 in - let outputs = bit_vec_of_int_t_array (deserialize_4_ v).f_elements 4 in - (forall (i: nat {i < 64}). inputs i == outputs i) - ) = - _ by (Tactics.GetBit.prove_bit_vector_equality' ()) - -#pop-options - -#push-options "--z3rlimit 300" - -let deserialize_4_lemma inputs = - deserialize_4_bit_vec_lemma inputs; - BitVecEq.bit_vec_equal_intro (bit_vec_of_int_t_array (deserialize_4_ inputs).f_elements 4) - (BitVecEq.retype (bit_vec_of_int_t_array inputs 8)) - -#pop-options - -let deserialize_4_bounded_lemma inputs = - admit() + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 1) r0_4_._2 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 2) r0_4_._3 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 3) r0_4_._4 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 4) r0_4_._5 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 5) r5_9_._1 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 6) r5_9_._2 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 7) r5_9_._3 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 8) r5_9_._4 + in + let result:t_Array u8 (sz 10) = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result (sz 9) r5_9_._5 + in + result -let 
serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) = - let result0:u8 = - (((((((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 0 ] <: i16) <: u8) |. - ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 1 ] <: i16) - <: - u8) < + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + let i:usize = i in + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (cast (((v.[ sz 0 ] <: u8) >>! i <: u8) &. 1uy <: u8) <: i16) <: - u8) |. - ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 4 ] <: i16) <: u8) < + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + let _:usize = temp_1_ in + true) + result + (fun result i -> + let result:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = result in + let i:usize = i in + { + result with + Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + = + Rust_primitives.Hax.Monomorphized_update_at.update_at_usize result + .Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements + i + (cast (((v.[ sz 1 ] <: u8) >>! (i -! sz 8 <: usize) <: u8) &. 1uy <: u8) <: i16) <: - u8) + t_Array i16 (sz 16) + } <: - u8) |. - ((cast (v.Libcrux_ml_kem.Vector.Portable.Vector_type.f_elements.[ sz 5 ] <: i16) <: u8) < Prims.l_True) val deserialize_11_int (bytes: t_Slice u8) : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - (requires Core.Slice.impl__len #u8 bytes =. sz 11) + Prims.l_True (fun _ -> Prims.l_True) val deserialize_12_int (bytes: t_Slice u8) - : Prims.Pure (i16 & i16) - (requires Core.Slice.impl__len #u8 bytes =. 
sz 3) - (fun _ -> Prims.l_True) + : Prims.Pure (i16 & i16) Prims.l_True (fun _ -> Prims.l_True) val deserialize_4_int (bytes: t_Slice u8) : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - (requires Core.Slice.impl__len #u8 bytes =. sz 4) + Prims.l_True (fun _ -> Prims.l_True) val deserialize_5_int (bytes: t_Slice u8) : Prims.Pure (i16 & i16 & i16 & i16 & i16 & i16 & i16 & i16) - (requires Core.Slice.impl__len #u8 bytes =. sz 5) + Prims.l_True (fun _ -> Prims.l_True) val serialize_10_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8 & u8 & u8) - (requires Core.Slice.impl__len #i16 v =. sz 4) - (fun _ -> Prims.l_True) + : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) val serialize_11_int (v: t_Slice i16) : Prims.Pure (u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8 & u8) - (requires Core.Slice.impl__len #i16 v =. sz 8) + Prims.l_True (fun _ -> Prims.l_True) val serialize_12_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8) - (requires Core.Slice.impl__len #i16 v =. sz 2) - (fun _ -> Prims.l_True) + : Prims.Pure (u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) val serialize_4_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8 & u8) - (requires Core.Slice.impl__len #i16 v =. sz 8) - (fun _ -> Prims.l_True) + : Prims.Pure (u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) val serialize_5_int (v: t_Slice i16) - : Prims.Pure (u8 & u8 & u8 & u8 & u8) - (requires Core.Slice.impl__len #i16 v =. sz 8) - (fun _ -> Prims.l_True) + : Prims.Pure (u8 & u8 & u8 & u8 & u8) Prims.l_True (fun _ -> Prims.l_True) -val deserialize_11_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. 
sz 22) - (fun _ -> Prims.l_True) +val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) -val deserialize_5_ (bytes: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. sz 10) - (fun _ -> Prims.l_True) +val serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) val serialize_11_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) +val serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) + +val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) + val serialize_5_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) val deserialize_1_ (v: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 v =. sz 2) + Prims.l_True (fun _ -> Prims.l_True) -val deserialize_1_lemma (inputs: t_Array u8 (sz 2)) : Lemma - (ensures bit_vec_of_int_t_array (deserialize_1_ inputs).f_elements 1 == bit_vec_of_int_t_array inputs 8) - -val deserialize_1_bounded_lemma (inputs: t_Array u8 (sz 2)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_1_ inputs).f_elements i) 1) - val deserialize_10_ (bytes: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. 
sz 20) + Prims.l_True (fun _ -> Prims.l_True) -val deserialize_10_lemma (inputs: t_Array u8 (sz 20)) : Lemma - (ensures bit_vec_of_int_t_array (deserialize_10_ inputs).f_elements 10 == bit_vec_of_int_t_array inputs 8) - -val deserialize_10_bounded_lemma (inputs: t_Array u8 (sz 20)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_10_ inputs).f_elements i) 10) +val deserialize_11_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) val deserialize_12_ (bytes: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. sz 24) + Prims.l_True (fun _ -> Prims.l_True) -val deserialize_12_lemma (inputs: t_Array u8 (sz 24)) : Lemma - (ensures bit_vec_of_int_t_array (deserialize_12_ inputs).f_elements 12 == bit_vec_of_int_t_array inputs 8) - -val deserialize_12_bounded_lemma (inputs: t_Array u8 (sz 24)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_12_ inputs).f_elements i) 12) - val deserialize_4_ (bytes: t_Slice u8) : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires Core.Slice.impl__len #u8 bytes =. sz 8) + Prims.l_True (fun _ -> Prims.l_True) -val deserialize_4_lemma (inputs: t_Array u8 (sz 8)) : Lemma - (ensures bit_vec_of_int_t_array (deserialize_4_ inputs).f_elements 4 == bit_vec_of_int_t_array inputs 8) - -val deserialize_4_bounded_lemma (inputs: t_Array u8 (sz 8)) : Lemma - (ensures forall i. i < 16 ==> bounded (Seq.index (deserialize_4_ inputs).f_elements i) 4) - -val serialize_1_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 2)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_1_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. 
Rust_primitives.bounded (Seq.index inputs.f_elements i) 1)) - (ensures bit_vec_of_int_t_array (serialize_1_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 1) - -val serialize_10_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 20)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_10_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 10)) - (ensures bit_vec_of_int_t_array (serialize_10_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 10) - -val serialize_12_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 24)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_12_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 12)) - (ensures bit_vec_of_int_t_array (serialize_12_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 12) - -val serialize_4_ (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 8)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_4_lemma (inputs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) : Lemma - (requires (forall i. Rust_primitives.bounded (Seq.index inputs.f_elements i) 4)) - (ensures bit_vec_of_int_t_array (serialize_4_ inputs) 8 == bit_vec_of_int_t_array inputs.f_elements 4) +val deserialize_5_ (bytes: t_Slice u8) + : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector + Prims.l_True + (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst index 948ac409c..962c322cf 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst 
+++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fst @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Portable.Vector_type -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti index 7f42fe833..4c354edf7 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.Vector_type.fsti @@ -1,30 +1,14 @@ module Libcrux_ml_kem.Vector.Portable.Vector_type -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul type t_PortableVector = { f_elements:t_Array i16 (sz 16) } val from_i16_array (array: t_Slice i16) - : Prims.Pure t_PortableVector - (requires (Core.Slice.impl__len #i16 array <: usize) =. sz 16) - (ensures - fun result -> - let result:t_PortableVector = result in - result.f_elements == array) + : Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) val to_i16_array (x: t_PortableVector) - : Prims.Pure (t_Array i16 (sz 16)) - Prims.l_True - (ensures - fun result -> - let result:t_Array i16 (sz 16) = result in - result == x.f_elements) + : Prims.Pure (t_Array i16 (sz 16)) Prims.l_True (fun _ -> Prims.l_True) -val zero: Prims.unit - -> Prims.Pure t_PortableVector - Prims.l_True - (ensures - fun result -> - let result:t_PortableVector = result in - result.f_elements == Seq.create 16 0s) +val zero: Prims.unit -> Prims.Pure t_PortableVector Prims.l_True (fun _ -> Prims.l_True) diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti index 10098ed48..164f28caa 100644 
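Review bot: The `ensures` clauses that tied `from_i16_array`, `to_i16_array` and `zero` to their concrete result (`result.f_elements == array`, `result == x.f_elements`, `result.f_elements == Seq.create 16 0s`) are replaced by `Prims.l_True`, and `from_i16_array` also loses its `requires` that the slice has length 16, so the interface now admits any slice length while the return type is still `t_Array i16 (sz 16)`. With trivial pre/postconditions every client proof built on these signatures still typechecks, so a passing verification run no longer says anything about what these functions compute. If this is intentional WIP scaffolding, a comment such as `(* WIP: functional specs temporarily dropped; restore ensures/requires before merge *)` next to `#set-options` would keep that visible; since the file appears to be hax-extracted, the specs presumably have to be restored in the Rust-side annotations rather than edited here.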
--- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Portable.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Portable -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul 
@@ -7,135 +7,24 @@ let _ = (* This module has implicit dependencies, here we make them explicit. *) (* The implicit dependencies arise from typeclasses instances. *) let open Libcrux_ml_kem.Vector.Portable.Vector_type in - let open Libcrux_ml_kem.Vector.Traits in () -val deserialize_11_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 22) - (fun _ -> Prims.l_True) - -val deserialize_5_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 10) - (fun _ -> Prims.l_True) - -val serialize_11_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 22)) Prims.l_True (fun _ -> Prims.l_True) - -val serialize_5_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 10)) Prims.l_True (fun _ -> Prims.l_True) - -[@@ FStar.Tactics.Typeclasses.tcinstance] -let impl: Libcrux_ml_kem.Vector.Traits.t_Repr -Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = - { - _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; - _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - f_repr_pre = (fun (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); - f_repr_post - = - (fun - (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (out: t_Array i16 (sz 16)) - -> - true); - f_repr - = - fun (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Libcrux_ml_kem.Vector.Portable.Vector_type.to_i16_array x - } - -val deserialize_1_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 2) - (ensures - fun out -> - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - sz (Seq.length a) =. 
sz 2 ==> Spec.MLKEM.deserialize_post 1 a (impl.f_repr out)) - -val deserialize_10_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 20) - (ensures - fun out -> - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - sz (Seq.length a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 a (impl.f_repr out)) - -val deserialize_12_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 24) - (ensures - fun out -> - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - sz (Seq.length a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 a (impl.f_repr out)) - -val deserialize_4_ (a: t_Slice u8) - : Prims.Pure Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector - (requires (Core.Slice.impl__len #u8 a <: usize) =. sz 8) - (ensures - fun out -> - let out:Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = out in - sz (Seq.length a) =. 
sz 8 ==> Spec.MLKEM.deserialize_post 4 a (impl.f_repr out)) - -val serialize_1_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 2)) - (requires Spec.MLKEM.serialize_pre 1 (impl.f_repr a)) - (ensures - fun out -> - let out:t_Array u8 (sz 2) = out in - Spec.MLKEM.serialize_pre 1 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 1 (impl.f_repr a) out) - -val serialize_10_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 20)) - (requires Spec.MLKEM.serialize_pre 10 (impl.f_repr a)) - (ensures - fun out -> - let out:t_Array u8 (sz 20) = out in - Spec.MLKEM.serialize_pre 10 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 10 (impl.f_repr a) out) - -val serialize_12_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 24)) - (requires Spec.MLKEM.serialize_pre 12 (impl.f_repr a)) - (ensures - fun out -> - let out:t_Array u8 (sz 24) = out in - Spec.MLKEM.serialize_pre 12 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 12 (impl.f_repr a) out) - -val serialize_4_ (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - : Prims.Pure (t_Array u8 (sz 8)) - (requires Spec.MLKEM.serialize_pre 4 (impl.f_repr a)) - (ensures - fun out -> - let out:t_Array u8 (sz 8) = out in - Spec.MLKEM.serialize_pre 4 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 4 (impl.f_repr a) out) - -#push-options "--z3rlimit 400 --split_queries always" - [@@ FStar.Tactics.Typeclasses.tcinstance] -let impl_1: Libcrux_ml_kem.Vector.Traits.t_Operations +let impl: Libcrux_ml_kem.Vector.Traits.t_Operations Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = { _super_11581440318597584651 = FStar.Tactics.Typeclasses.solve; _super_9442900250278684536 = FStar.Tactics.Typeclasses.solve; - _super_8706949974463268012 = FStar.Tactics.Typeclasses.solve; f_ZERO_pre = (fun (_: Prims.unit) -> true); f_ZERO_post = - (fun (_: Prims.unit) (out: 
Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - impl.f_repr out == Seq.create 16 0s); + (fun (_: Prims.unit) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_ZERO = (fun (_: Prims.unit) -> Libcrux_ml_kem.Vector.Portable.Vector_type.zero ()); - f_from_i16_array_pre - = - (fun (array: t_Slice i16) -> (Core.Slice.impl__len #i16 array <: usize) =. sz 16); + f_from_i16_array_pre = (fun (array: t_Slice i16) -> true); f_from_i16_array_post = (fun (array: t_Slice i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - impl.f_repr out == array); + true); f_from_i16_array = (fun (array: t_Slice i16) -> Libcrux_ml_kem.Vector.Portable.Vector_type.from_i16_array array); @@ -148,7 +37,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array i16 (sz 16)) -> - out == impl.f_repr x); + true); f_to_i16_array = (fun (x: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> @@ -159,21 +48,15 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i))); + true); f_add_post = (fun (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (result: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall i. - i < 16 ==> - (v (Seq.index result.f_elements i) == - v (Seq.index lhs.f_elements i) + v (Seq.index rhs.f_elements i))); + true); f_add = (fun 
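Review bot: The `t_Repr` instance (`impl`, whose `f_repr` was `to_i16_array`) is deleted and the `t_Operations` instance is renamed from `impl_1` to `impl` while dropping its `_super_8706949974463268012` field, which severs every remaining spec from `Spec.MLKEM`: the slice-length `requires` on `deserialize_1_/_4_/_10_/_12_`, the `Spec.MLKEM.serialize_pre`/`deserialize_post` links and the `=. sz 16` check in `f_from_i16_array_pre` all become `true`. The same replacement is made in the `f_serialize_*`/`f_deserialize_*` fields of the hunks at @@ -564 and @@ -616, and the length `requires` plus the `*_lemma`/`*_bounded_lemma` declarations disappear from Serialize.fsti earlier in this patch. Until the spec link is rebuilt the extracted interface proves only that these functions typecheck, which is worth stating in the commit message so that "proofs pass" is not read as "serialization verified against the spec". If the specs are to be re-derived later, keeping at least the length preconditions, e.g. `f_deserialize_1_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 2);`, would preserve the slice-bounds obligation, since the deserialize bodies visible earlier in the patch slice fixed byte ranges of their input.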
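Review bot: `f_add_pre` and `f_add_post` now return `true` in place of the `Spec.Utils.is_intb (pow2 15 - 1)` bound on each lane sum and the lane-wise `result == lhs + rhs` postcondition; the same is done for `sub` (@@ -187), `multiply_by_constant` (@@ -211), `shift_right`, which loses its `0 <= SHIFT_BY < 16` guard (@@ -237), `cond_subtract_3329_`/`barrett_reduce`/`montgomery_multiply_by_constant` (@@ -253, @@ -292), `compress`/`decompress`, which lose the `COEFFICIENT_BITS in {4,5,10,11}` and `0 <= coeff < 3329` requirements (@@ -308), and the `is_i16b_array` bounds on the NTT layers and `ntt_multiply` (@@ -384 through @@ -550). These bounds are the i16 overflow-freedom and domain conditions for the portable arithmetic; with `true` the F* side no longer obligates callers to stay within them, so a later change that violates a bound would still verify. A smaller point: several lambda parameters are renamed to `v` (e.g. `multiply_by_constant`, `compress`), which shadows the machine-integer coercion `v` that the removed specs used (`v (Seq.index vec.f_elements i) * v c`), so the old bounds cannot be pasted back without a rename; if the name comes from the Rust parameter via hax, the rename originates there. A tracking comment on the instance, e.g. `(* WIP: arithmetic pre/postconditions removed; see Spec.Utils bounds in the previous revision *)`, or a CI check that the extracted `.fsti` contains no `_pre` returning `true`, would stop this regression from silently becoming permanent.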
@@ -187,21 +70,15 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))); + true); f_sub_post = (fun (lhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (rhs: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) - (result: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall i. - i < 16 ==> - (v (Seq.index result.f_elements i) == - v (Seq.index lhs.f_elements i) - v (Seq.index rhs.f_elements i))); + true); f_sub = (fun 
@@ -211,22 +88,19 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Arithmetic.sub lhs rhs); f_multiply_by_constant_pre = - (fun (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> - forall i. i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index vec.f_elements i) * v c) - ); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> true); f_multiply_by_constant_post = (fun - (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) - (result: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall i. - i < 16 ==> (v (Seq.index result.f_elements i) == v (Seq.index vec.f_elements i) * v c)); + true); f_multiply_by_constant = - (fun (vec: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> - Libcrux_ml_kem.Vector.Portable.Arithmetic.multiply_by_constant vec c); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> + Libcrux_ml_kem.Vector.Portable.Arithmetic.multiply_by_constant v c); f_bitwise_and_with_constant_pre = (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> true); 
@@ -237,15 +111,14 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (c: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - impl.f_repr out == Spec.Utils.map_array (fun x -> x &. c) (impl.f_repr v)); + true); f_bitwise_and_with_constant = (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (c: i16) -> Libcrux_ml_kem.Vector.Portable.Arithmetic.bitwise_and_with_constant v c); f_shift_right_pre = - (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l); + (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_shift_right_post = (fun 
@@ -253,32 +126,28 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> - impl.f_repr out == Spec.Utils.map_array (fun x -> x >>! v_SHIFT_BY) (impl.f_repr v)); + true); f_shift_right = (fun (v_SHIFT_BY: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> Libcrux_ml_kem.Vector.Portable.Arithmetic.shift_right v_SHIFT_BY v); f_cond_subtract_3329_pre = - (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array (pow2 12 - 1) (impl.f_repr v)); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_cond_subtract_3329_post = (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - impl.f_repr out == - Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (impl.f_repr v)); + true); f_cond_subtract_3329_ = (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> Libcrux_ml_kem.Vector.Portable.Arithmetic.cond_subtract_3329_ v); f_barrett_reduce_pre = - (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array 28296 (impl.f_repr v)); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_barrett_reduce_post = (fun @@ -292,8 +161,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Arithmetic.barrett_reduce v); f_montgomery_multiply_by_constant_pre = - (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (r: i16) -> - Spec.Utils.is_i16b 1664 r); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (r: i16) -> true); f_montgomery_multiply_by_constant_post = (fun 
@@ -308,57 +176,47 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Arithmetic.montgomery_multiply_by_constant v r); f_compress_1_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall (i: nat). - i < 16 ==> v (Seq.index (impl.f_repr a) i) >= 0 /\ v (Seq.index (impl.f_repr a) i) < 3329); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_compress_1_post = (fun - (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - forall (i: nat). i < 16 ==> bounded (Seq.index (impl.f_repr out) i) 1); + true); f_compress_1_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Libcrux_ml_kem.Vector.Portable.Compress.compress_1_ a); + (fun (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Compress.compress_1_ v); f_compress_pre = (fun (v_COEFFICIENT_BITS: i32) - (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ - v v_COEFFICIENT_BITS == 11) /\ - (forall (i: nat). - i < 16 ==> - v (Seq.index (impl.f_repr a) i) >= 0 /\ v (Seq.index (impl.f_repr a) i) < 3329)); + true); f_compress_post = (fun (v_COEFFICIENT_BITS: i32) - (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ - v v_COEFFICIENT_BITS == 11) ==> - (forall (i: nat). 
i < 16 ==> bounded (Seq.index (impl.f_repr out) i) (v v_COEFFICIENT_BITS)) - ); + true); f_compress = (fun (v_COEFFICIENT_BITS: i32) - (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) + (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Libcrux_ml_kem.Vector.Portable.Compress.compress v_COEFFICIENT_BITS a); + Libcrux_ml_kem.Vector.Portable.Compress.compress v_COEFFICIENT_BITS v); f_decompress_ciphertext_coefficient_pre = (fun (v_COEFFICIENT_BITS: i32) (v: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - v_COEFFICIENT_BITS =. 4l || v_COEFFICIENT_BITS =. 5l || v_COEFFICIENT_BITS =. 10l || - v_COEFFICIENT_BITS =. 11l); + true); f_decompress_ciphertext_coefficient_post = (fun @@ -384,9 +242,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta2: i16) (zeta3: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (11207 + 5 * 3328) (impl.f_repr a)); + true); f_ntt_layer_1_step_post = (fun @@ -397,7 +253,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta3: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array (11207 + 6 * 3328) (impl.f_repr out)); + true); f_ntt_layer_1_step = (fun @@ -415,8 +271,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta0: i16) (zeta1: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array (11207 + 4 * 3328) (impl.f_repr a)); + true); f_ntt_layer_2_step_post = (fun @@ -425,7 +280,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta1: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array (11207 + 5 * 3328) (impl.f_repr out)); + true); f_ntt_layer_2_step = (fun 
@@ -436,8 +291,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Ntt.ntt_layer_2_step a zeta0 zeta1); f_ntt_layer_3_step_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> - Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> true); f_ntt_layer_3_step_post = (fun @@ -445,7 +299,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array (11207 + 4 * 3328) (impl.f_repr out)); + true); f_ntt_layer_3_step = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> @@ -459,9 +313,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta2: i16) (zeta3: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (4 * 3328) (impl.f_repr a)); + true); f_inv_ntt_layer_1_step_post = (fun @@ -472,7 +324,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta3: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + true); f_inv_ntt_layer_1_step = (fun @@ -490,8 +342,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta0: i16) (zeta1: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr a)); + true); f_inv_ntt_layer_2_step_post = (fun @@ -500,7 +351,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta1: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + true); f_inv_ntt_layer_2_step = (fun 
@@ -511,8 +362,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Ntt.inv_ntt_layer_2_step a zeta0 zeta1); f_inv_ntt_layer_3_step_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> - Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> true); f_inv_ntt_layer_3_step_post = (fun @@ -520,7 +370,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + true); f_inv_ntt_layer_3_step = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (zeta: i16) -> @@ -535,10 +385,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta2: i16) (zeta3: i16) -> - Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr lhs) /\ - Spec.Utils.is_i16b_array 3328 (impl.f_repr rhs)); + true); f_ntt_multiply_post = (fun @@ -550,7 +397,7 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = (zeta3: i16) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.Utils.is_i16b_array 3328 (impl.f_repr out)); + true); f_ntt_multiply = (fun 
@@ -564,46 +411,46 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = Libcrux_ml_kem.Vector.Portable.Ntt.ntt_multiply lhs rhs zeta0 zeta1 zeta2 zeta3); f_serialize_1_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.MLKEM.serialize_pre 1 (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_serialize_1_post = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 2)) -> - Spec.MLKEM.serialize_pre 1 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 1 (impl.f_repr a) out); + true); f_serialize_1_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_1_ a); - f_deserialize_1_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 2); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_1_ a); + f_deserialize_1_pre = (fun (a: t_Slice u8) -> true); f_deserialize_1_post = - (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - sz (Seq.length a) =. 
sz 2 ==> Spec.MLKEM.deserialize_post 1 a (impl.f_repr out)); - f_deserialize_1_ = (fun (a: t_Slice u8) -> deserialize_1_ a); + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_1_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_1_ a); f_serialize_4_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.MLKEM.serialize_pre 4 (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_serialize_4_post = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 8)) -> - Spec.MLKEM.serialize_pre 4 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 4 (impl.f_repr a) out); + true); f_serialize_4_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_4_ a); - f_deserialize_4_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 8); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_4_ a); + f_deserialize_4_pre = (fun (a: t_Slice u8) -> true); f_deserialize_4_post = - (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - sz (Seq.length a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 a (impl.f_repr out)); - f_deserialize_4_ = (fun (a: t_Slice u8) -> deserialize_4_ a); + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_4_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_4_ a); f_serialize_5_pre = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); 
@@ -616,33 +463,36 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = true); f_serialize_5_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_5_ a); - f_deserialize_5_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 10); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_5_ a); + f_deserialize_5_pre = (fun (a: t_Slice u8) -> true); f_deserialize_5_post = (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); - f_deserialize_5_ = (fun (a: t_Slice u8) -> deserialize_5_ a); + f_deserialize_5_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_5_ a); f_serialize_10_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.MLKEM.serialize_pre 10 (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_serialize_10_post = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 20)) -> - Spec.MLKEM.serialize_pre 10 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 10 (impl.f_repr a) out); + true); f_serialize_10_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_10_ a); - f_deserialize_10_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 20); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_10_ a); + f_deserialize_10_pre = (fun (a: t_Slice u8) -> true); f_deserialize_10_post = - (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - sz (Seq.length a) =. 
sz 20 ==> Spec.MLKEM.deserialize_post 10 a (impl.f_repr out)); - f_deserialize_10_ = (fun (a: t_Slice u8) -> deserialize_10_ a); + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_10_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_10_ a); f_serialize_11_pre = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); 
@@ -655,42 +505,40 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = true); f_serialize_11_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_11_ a); - f_deserialize_11_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 22); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_11_ a); + f_deserialize_11_pre = (fun (a: t_Slice u8) -> true); f_deserialize_11_post = (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); - f_deserialize_11_ = (fun (a: t_Slice u8) -> deserialize_11_ a); + f_deserialize_11_ + = + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_11_ a); f_serialize_12_pre = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - Spec.MLKEM.serialize_pre 12 (impl.f_repr a)); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); f_serialize_12_post = (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) (out: t_Array u8 (sz 24)) -> - Spec.MLKEM.serialize_pre 12 (impl.f_repr a) ==> - Spec.MLKEM.serialize_post 12 (impl.f_repr a) out); + true); f_serialize_12_ = - (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> serialize_12_ a); - f_deserialize_12_pre = (fun (a: t_Slice u8) -> (Core.Slice.impl__len #u8 a <: usize) =. sz 24); + (fun (a: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> + Libcrux_ml_kem.Vector.Portable.Serialize.serialize_12_ a); + f_deserialize_12_pre = (fun (a: t_Slice u8) -> true); f_deserialize_12_post = - (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> - sz (Seq.length a) =. 
sz 24 ==> Spec.MLKEM.deserialize_post 12 a (impl.f_repr out)); - f_deserialize_12_ = (fun (a: t_Slice u8) -> deserialize_12_ a); - f_rej_sample_pre + (fun (a: t_Slice u8) (out: Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector) -> true); + f_deserialize_12_ = - (fun (a: t_Slice u8) (out: t_Slice i16) -> - (Core.Slice.impl__len #u8 a <: usize) =. sz 24 && - (Core.Slice.impl__len #i16 out <: usize) =. sz 16); + (fun (a: t_Slice u8) -> Libcrux_ml_kem.Vector.Portable.Serialize.deserialize_12_ a); + f_rej_sample_pre = (fun (a: t_Slice u8) (out: t_Slice i16) -> true); f_rej_sample_post = - (fun (a: t_Slice u8) (out: t_Slice i16) (out_future, result: (t_Slice i16 & usize)) -> - Seq.length out_future == Seq.length out /\ v result <= 16); + (fun (a: t_Slice u8) (out: t_Slice i16) (out2: (t_Slice i16 & usize)) -> true); f_rej_sample = fun (a: t_Slice u8) (out: t_Slice i16) -> @@ -701,5 +549,3 @@ Libcrux_ml_kem.Vector.Portable.Vector_type.t_PortableVector = let hax_temp_output:usize = out1 in out, hax_temp_output <: (t_Slice i16 & usize) } - -#pop-options diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti index f1aa1ee53..ce3906fea 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Rej_sample_table.fsti @@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Rej_sample_table -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst index cbc90050c..5f3adf035 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fst 
@@ -1,5 +1,5 @@ module Libcrux_ml_kem.Vector.Traits -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul diff --git a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti index cb32321d0..8c907c14d 100644 --- a/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti +++ b/libcrux-ml-kem/proofs/fstar/extraction/Libcrux_ml_kem.Vector.Traits.fsti 
@@ -1,323 +1,142 @@ module Libcrux_ml_kem.Vector.Traits -#set-options "--fuel 0 --ifuel 1 --z3rlimit 100" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul -class t_Repr (v_Self: Type0) = { - [@@@ FStar.Tactics.Typeclasses.no_method]_super_11581440318597584651:Core.Marker.t_Copy v_Self; - [@@@ FStar.Tactics.Typeclasses.no_method]_super_9442900250278684536:Core.Clone.t_Clone v_Self; - f_repr_pre:x: v_Self -> pred: Type0{true ==> pred}; - f_repr_post:v_Self -> t_Array i16 (sz 16) -> Type0; - f_repr:x0: v_Self - -> Prims.Pure (t_Array i16 (sz 16)) (f_repr_pre x0) (fun result -> f_repr_post x0 result) -} - class t_Operations (v_Self: Type0) = { [@@@ FStar.Tactics.Typeclasses.no_method]_super_11581440318597584651:Core.Marker.t_Copy v_Self; [@@@ FStar.Tactics.Typeclasses.no_method]_super_9442900250278684536:Core.Clone.t_Clone v_Self; - [@@@ FStar.Tactics.Typeclasses.no_method]_super_8706949974463268012:t_Repr v_Self; - f_ZERO_pre:x: Prims.unit - -> pred: - Type0 - { (let _:Prims.unit = x in - true) ==> - pred }; - f_ZERO_post:x: Prims.unit -> result: v_Self - -> pred: - Type0 - { pred ==> - (let _:Prims.unit = x in - f_repr result == Seq.create 16 0s) }; + f_ZERO_pre:Prims.unit -> Type0; + f_ZERO_post:Prims.unit -> v_Self -> Type0; f_ZERO:x0: Prims.unit -> Prims.Pure v_Self (f_ZERO_pre x0) (fun result -> f_ZERO_post x0 result); - f_from_i16_array_pre:array: t_Slice i16 - -> pred: Type0{(Core.Slice.impl__len #i16 array <: usize) =. 
sz 16 ==> pred}; - f_from_i16_array_post:array: t_Slice i16 -> result: v_Self - -> pred: Type0{pred ==> f_repr result == array}; + f_from_i16_array_pre:t_Slice i16 -> Type0; + f_from_i16_array_post:t_Slice i16 -> v_Self -> Type0; f_from_i16_array:x0: t_Slice i16 -> Prims.Pure v_Self (f_from_i16_array_pre x0) (fun result -> f_from_i16_array_post x0 result); - f_to_i16_array_pre:x: v_Self -> pred: Type0{true ==> pred}; - f_to_i16_array_post:x: v_Self -> result: t_Array i16 (sz 16) - -> pred: Type0{pred ==> f_repr x == result}; + f_to_i16_array_pre:v_Self -> Type0; + f_to_i16_array_post:v_Self -> t_Array i16 (sz 16) -> Type0; f_to_i16_array:x0: v_Self -> Prims.Pure (t_Array i16 (sz 16)) (f_to_i16_array_pre x0) (fun result -> f_to_i16_array_post x0 result); - f_add_pre:lhs: v_Self -> rhs: v_Self - -> pred: - Type0 - { (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (f_repr lhs) i) + v (Seq.index (f_repr rhs) i))) ==> - pred }; - f_add_post:lhs: v_Self -> rhs: v_Self -> result: v_Self - -> pred: - Type0 - { pred ==> - (forall i. - i < 16 ==> - (v (Seq.index (f_repr result) i) == - v (Seq.index (f_repr lhs) i) + v (Seq.index (f_repr rhs) i))) }; + f_add_pre:v_Self -> v_Self -> Type0; + f_add_post:v_Self -> v_Self -> v_Self -> Type0; f_add:x0: v_Self -> x1: v_Self -> Prims.Pure v_Self (f_add_pre x0 x1) (fun result -> f_add_post x0 x1 result); - f_sub_pre:lhs: v_Self -> rhs: v_Self - -> pred: - Type0 - { (forall i. - i < 16 ==> - Spec.Utils.is_intb (pow2 15 - 1) - (v (Seq.index (f_repr lhs) i) - v (Seq.index (f_repr rhs) i))) ==> - pred }; - f_sub_post:lhs: v_Self -> rhs: v_Self -> result: v_Self - -> pred: - Type0 - { pred ==> - (forall i. 
- i < 16 ==> - (v (Seq.index (f_repr result) i) == - v (Seq.index (f_repr lhs) i) - v (Seq.index (f_repr rhs) i))) }; + f_sub_pre:v_Self -> v_Self -> Type0; + f_sub_post:v_Self -> v_Self -> v_Self -> Type0; f_sub:x0: v_Self -> x1: v_Self -> Prims.Pure v_Self (f_sub_pre x0 x1) (fun result -> f_sub_post x0 x1 result); - f_multiply_by_constant_pre:vec: v_Self -> c: i16 - -> pred: - Type0 - { (forall i. - i < 16 ==> Spec.Utils.is_intb (pow2 15 - 1) (v (Seq.index (f_repr vec) i) * v c)) ==> - pred }; - f_multiply_by_constant_post:vec: v_Self -> c: i16 -> result: v_Self - -> pred: - Type0 - { pred ==> - (forall i. - i < 16 ==> (v (Seq.index (f_repr result) i) == v (Seq.index (f_repr vec) i) * v c)) }; + f_multiply_by_constant_pre:v_Self -> i16 -> Type0; + f_multiply_by_constant_post:v_Self -> i16 -> v_Self -> Type0; f_multiply_by_constant:x0: v_Self -> x1: i16 -> Prims.Pure v_Self (f_multiply_by_constant_pre x0 x1) (fun result -> f_multiply_by_constant_post x0 x1 result); - f_bitwise_and_with_constant_pre:v: v_Self -> c: i16 -> pred: Type0{true ==> pred}; - f_bitwise_and_with_constant_post:v: v_Self -> c: i16 -> result: v_Self - -> pred: Type0{pred ==> f_repr result == Spec.Utils.map_array (fun x -> x &. c) (f_repr v)}; + f_bitwise_and_with_constant_pre:v_Self -> i16 -> Type0; + f_bitwise_and_with_constant_post:v_Self -> i16 -> v_Self -> Type0; f_bitwise_and_with_constant:x0: v_Self -> x1: i16 -> Prims.Pure v_Self (f_bitwise_and_with_constant_pre x0 x1) (fun result -> f_bitwise_and_with_constant_post x0 x1 result); - f_shift_right_pre:v_SHIFT_BY: i32 -> v: v_Self - -> pred: Type0{v_SHIFT_BY >=. 0l && v_SHIFT_BY <. 16l ==> pred}; - f_shift_right_post:v_SHIFT_BY: i32 -> v: v_Self -> result: v_Self - -> pred: - Type0 - { pred ==> - (v_SHIFT_BY >=. 0l /\ v_SHIFT_BY <. 16l) ==> - f_repr result == Spec.Utils.map_array (fun x -> x >>! 
v_SHIFT_BY) (f_repr v) }; + f_shift_right_pre:v_SHIFT_BY: i32 -> v_Self -> Type0; + f_shift_right_post:v_SHIFT_BY: i32 -> v_Self -> v_Self -> Type0; f_shift_right:v_SHIFT_BY: i32 -> x0: v_Self -> Prims.Pure v_Self (f_shift_right_pre v_SHIFT_BY x0) (fun result -> f_shift_right_post v_SHIFT_BY x0 result); - f_cond_subtract_3329_pre:v: v_Self - -> pred: Type0{Spec.Utils.is_i16b_array (pow2 12 - 1) (f_repr v) ==> pred}; - f_cond_subtract_3329_post:v: v_Self -> result: v_Self - -> pred: - Type0 - { pred ==> - f_repr result == - Spec.Utils.map_array (fun x -> if x >=. 3329s then x -! 3329s else x) (f_repr v) }; + f_cond_subtract_3329_pre:v_Self -> Type0; + f_cond_subtract_3329_post:v_Self -> v_Self -> Type0; f_cond_subtract_3329_:x0: v_Self -> Prims.Pure v_Self (f_cond_subtract_3329_pre x0) (fun result -> f_cond_subtract_3329_post x0 result); - f_barrett_reduce_pre:vector: v_Self - -> pred: Type0{Spec.Utils.is_i16b_array 28296 (f_repr vector) ==> pred}; + f_barrett_reduce_pre:v_Self -> Type0; f_barrett_reduce_post:v_Self -> v_Self -> Type0; f_barrett_reduce:x0: v_Self -> Prims.Pure v_Self (f_barrett_reduce_pre x0) (fun result -> f_barrett_reduce_post x0 result); - f_montgomery_multiply_by_constant_pre:v: v_Self -> c: i16 - -> pred: Type0{Spec.Utils.is_i16b 1664 c ==> pred}; + f_montgomery_multiply_by_constant_pre:v_Self -> i16 -> Type0; f_montgomery_multiply_by_constant_post:v_Self -> i16 -> v_Self -> Type0; f_montgomery_multiply_by_constant:x0: v_Self -> x1: i16 -> Prims.Pure v_Self (f_montgomery_multiply_by_constant_pre x0 x1) (fun result -> f_montgomery_multiply_by_constant_post x0 x1 result); - f_compress_1_pre:a: v_Self - -> pred: - Type0 - { (forall (i: nat). - i < 16 ==> v (Seq.index (f_repr a) i) >= 0 /\ v (Seq.index (f_repr a) i) < 3329) ==> - pred }; - f_compress_1_post:a: v_Self -> result: v_Self - -> pred: Type0{pred ==> (forall (i: nat). 
i < 16 ==> bounded (Seq.index (f_repr result) i) 1)}; + f_compress_1_pre:v_Self -> Type0; + f_compress_1_post:v_Self -> v_Self -> Type0; f_compress_1_:x0: v_Self -> Prims.Pure v_Self (f_compress_1_pre x0) (fun result -> f_compress_1_post x0 result); - f_compress_pre:v_COEFFICIENT_BITS: i32 -> a: v_Self - -> pred: - Type0 - { (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ - v v_COEFFICIENT_BITS == 11) /\ - (forall (i: nat). - i < 16 ==> v (Seq.index (f_repr a) i) >= 0 /\ v (Seq.index (f_repr a) i) < 3329) ==> - pred }; - f_compress_post:v_COEFFICIENT_BITS: i32 -> a: v_Self -> result: v_Self - -> pred: - Type0 - { pred ==> - (v v_COEFFICIENT_BITS == 4 \/ v v_COEFFICIENT_BITS == 5 \/ v v_COEFFICIENT_BITS == 10 \/ - v v_COEFFICIENT_BITS == 11) ==> - (forall (i: nat). i < 16 ==> bounded (Seq.index (f_repr result) i) (v v_COEFFICIENT_BITS)) - }; + f_compress_pre:v_COEFFICIENT_BITS: i32 -> v_Self -> Type0; + f_compress_post:v_COEFFICIENT_BITS: i32 -> v_Self -> v_Self -> Type0; f_compress:v_COEFFICIENT_BITS: i32 -> x0: v_Self -> Prims.Pure v_Self (f_compress_pre v_COEFFICIENT_BITS x0) (fun result -> f_compress_post v_COEFFICIENT_BITS x0 result); - f_decompress_ciphertext_coefficient_pre:v_COEFFICIENT_BITS: i32 -> v: v_Self - -> pred: - Type0 - { v_COEFFICIENT_BITS =. 4l || v_COEFFICIENT_BITS =. 5l || v_COEFFICIENT_BITS =. 10l || - v_COEFFICIENT_BITS =. 
11l ==> - pred }; + f_decompress_ciphertext_coefficient_pre:v_COEFFICIENT_BITS: i32 -> v_Self -> Type0; f_decompress_ciphertext_coefficient_post:v_COEFFICIENT_BITS: i32 -> v_Self -> v_Self -> Type0; f_decompress_ciphertext_coefficient:v_COEFFICIENT_BITS: i32 -> x0: v_Self -> Prims.Pure v_Self (f_decompress_ciphertext_coefficient_pre v_COEFFICIENT_BITS x0) (fun result -> f_decompress_ciphertext_coefficient_post v_COEFFICIENT_BITS x0 result); - f_ntt_layer_1_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16 -> zeta2: i16 -> zeta3: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (11207 + 5 * 3328) (f_repr a) ==> - pred }; - f_ntt_layer_1_step_post: - a: v_Self -> - zeta0: i16 -> - zeta1: i16 -> - zeta2: i16 -> - zeta3: i16 -> - out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array (11207 + 6 * 3328) (f_repr out)}; + f_ntt_layer_1_step_pre:v_Self -> i16 -> i16 -> i16 -> i16 -> Type0; + f_ntt_layer_1_step_post:v_Self -> i16 -> i16 -> i16 -> i16 -> v_Self -> Type0; f_ntt_layer_1_step:x0: v_Self -> x1: i16 -> x2: i16 -> x3: i16 -> x4: i16 -> Prims.Pure v_Self (f_ntt_layer_1_step_pre x0 x1 x2 x3 x4) (fun result -> f_ntt_layer_1_step_post x0 x1 x2 x3 x4 result); - f_ntt_layer_2_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array (11207 + 4 * 3328) (f_repr a) ==> - pred }; - f_ntt_layer_2_step_post:a: v_Self -> zeta0: i16 -> zeta1: i16 -> out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array (11207 + 5 * 3328) (f_repr out)}; + f_ntt_layer_2_step_pre:v_Self -> i16 -> i16 -> Type0; + f_ntt_layer_2_step_post:v_Self -> i16 -> i16 -> v_Self -> Type0; f_ntt_layer_2_step:x0: v_Self -> x1: i16 -> x2: i16 -> Prims.Pure v_Self (f_ntt_layer_2_step_pre x0 x1 x2) (fun result -> f_ntt_layer_2_step_post x0 x1 x2 result); - 
f_ntt_layer_3_step_pre:a: v_Self -> zeta: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array (11207 + 3 * 3328) (f_repr a) ==> - pred }; - f_ntt_layer_3_step_post:a: v_Self -> zeta: i16 -> out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array (11207 + 4 * 3328) (f_repr out)}; + f_ntt_layer_3_step_pre:v_Self -> i16 -> Type0; + f_ntt_layer_3_step_post:v_Self -> i16 -> v_Self -> Type0; f_ntt_layer_3_step:x0: v_Self -> x1: i16 -> Prims.Pure v_Self (f_ntt_layer_3_step_pre x0 x1) (fun result -> f_ntt_layer_3_step_post x0 x1 result); - f_inv_ntt_layer_1_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16 -> zeta2: i16 -> zeta3: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array (4 * 3328) (f_repr a) ==> - pred }; - f_inv_ntt_layer_1_step_post: - a: v_Self -> - zeta0: i16 -> - zeta1: i16 -> - zeta2: i16 -> - zeta3: i16 -> - out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)}; + f_inv_ntt_layer_1_step_pre:v_Self -> i16 -> i16 -> i16 -> i16 -> Type0; + f_inv_ntt_layer_1_step_post:v_Self -> i16 -> i16 -> i16 -> i16 -> v_Self -> Type0; f_inv_ntt_layer_1_step:x0: v_Self -> x1: i16 -> x2: i16 -> x3: i16 -> x4: i16 -> Prims.Pure v_Self (f_inv_ntt_layer_1_step_pre x0 x1 x2 x3 x4) (fun result -> f_inv_ntt_layer_1_step_post x0 x1 x2 x3 x4 result); - f_inv_ntt_layer_2_step_pre:a: v_Self -> zeta0: i16 -> zeta1: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b_array 3328 (f_repr a) ==> - pred }; - f_inv_ntt_layer_2_step_post:a: v_Self -> zeta0: i16 -> zeta1: i16 -> out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)}; + f_inv_ntt_layer_2_step_pre:v_Self -> i16 -> i16 -> Type0; + f_inv_ntt_layer_2_step_post:v_Self -> i16 -> i16 -> v_Self -> Type0; f_inv_ntt_layer_2_step:x0: v_Self -> x1: i16 -> 
x2: i16 -> Prims.Pure v_Self (f_inv_ntt_layer_2_step_pre x0 x1 x2) (fun result -> f_inv_ntt_layer_2_step_post x0 x1 x2 result); - f_inv_ntt_layer_3_step_pre:a: v_Self -> zeta: i16 - -> pred: - Type0{Spec.Utils.is_i16b 1664 zeta /\ Spec.Utils.is_i16b_array 3328 (f_repr a) ==> pred}; - f_inv_ntt_layer_3_step_post:a: v_Self -> zeta: i16 -> out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)}; + f_inv_ntt_layer_3_step_pre:v_Self -> i16 -> Type0; + f_inv_ntt_layer_3_step_post:v_Self -> i16 -> v_Self -> Type0; f_inv_ntt_layer_3_step:x0: v_Self -> x1: i16 -> Prims.Pure v_Self (f_inv_ntt_layer_3_step_pre x0 x1) (fun result -> f_inv_ntt_layer_3_step_post x0 x1 result); - f_ntt_multiply_pre: - lhs: v_Self -> - rhs: v_Self -> - zeta0: i16 -> - zeta1: i16 -> - zeta2: i16 -> - zeta3: i16 - -> pred: - Type0 - { Spec.Utils.is_i16b 1664 zeta0 /\ Spec.Utils.is_i16b 1664 zeta1 /\ - Spec.Utils.is_i16b 1664 zeta2 /\ Spec.Utils.is_i16b 1664 zeta3 /\ - Spec.Utils.is_i16b_array 3328 (f_repr lhs) /\ Spec.Utils.is_i16b_array 3328 (f_repr rhs) ==> - pred }; - f_ntt_multiply_post: - lhs: v_Self -> - rhs: v_Self -> - zeta0: i16 -> - zeta1: i16 -> - zeta2: i16 -> - zeta3: i16 -> - out: v_Self - -> pred: Type0{pred ==> Spec.Utils.is_i16b_array 3328 (f_repr out)}; + f_ntt_multiply_pre:v_Self -> v_Self -> i16 -> i16 -> i16 -> i16 -> Type0; + f_ntt_multiply_post:v_Self -> v_Self -> i16 -> i16 -> i16 -> i16 -> v_Self -> Type0; f_ntt_multiply:x0: v_Self -> x1: v_Self -> x2: i16 -> x3: i16 -> x4: i16 -> x5: i16 -> Prims.Pure v_Self (f_ntt_multiply_pre x0 x1 x2 x3 x4 x5) (fun result -> f_ntt_multiply_post x0 x1 x2 x3 x4 x5 result); - f_serialize_1_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 1 (f_repr a) ==> pred}; - f_serialize_1_post:a: v_Self -> result: t_Array u8 (sz 2) - -> pred: - Type0 - { pred ==> - Spec.MLKEM.serialize_pre 1 (f_repr a) ==> Spec.MLKEM.serialize_post 1 (f_repr a) result }; + f_serialize_1_pre:v_Self -> Type0; + f_serialize_1_post:v_Self -> 
t_Array u8 (sz 2) -> Type0; f_serialize_1_:x0: v_Self -> Prims.Pure (t_Array u8 (sz 2)) (f_serialize_1_pre x0) (fun result -> f_serialize_1_post x0 result); - f_deserialize_1_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 2 ==> pred}; - f_deserialize_1_post:a: t_Slice u8 -> result: v_Self - -> pred: - Type0{pred ==> sz (Seq.length a) =. sz 2 ==> Spec.MLKEM.deserialize_post 1 a (f_repr result)}; + f_deserialize_1_pre:t_Slice u8 -> Type0; + f_deserialize_1_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_1_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_1_pre x0) (fun result -> f_deserialize_1_post x0 result); - f_serialize_4_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 4 (f_repr a) ==> pred}; - f_serialize_4_post:a: v_Self -> result: t_Array u8 (sz 8) - -> pred: - Type0 - { pred ==> - Spec.MLKEM.serialize_pre 4 (f_repr a) ==> Spec.MLKEM.serialize_post 4 (f_repr a) result }; + f_serialize_4_pre:v_Self -> Type0; + f_serialize_4_post:v_Self -> t_Array u8 (sz 8) -> Type0; f_serialize_4_:x0: v_Self -> Prims.Pure (t_Array u8 (sz 8)) (f_serialize_4_pre x0) (fun result -> f_serialize_4_post x0 result); - f_deserialize_4_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 8 ==> pred}; - f_deserialize_4_post:a: t_Slice u8 -> result: v_Self - -> pred: - Type0{pred ==> sz (Seq.length a) =. sz 8 ==> Spec.MLKEM.deserialize_post 4 a (f_repr result)}; + f_deserialize_4_pre:t_Slice u8 -> Type0; + f_deserialize_4_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_4_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_4_pre x0) (fun result -> f_deserialize_4_post x0 result); f_serialize_5_pre:v_Self -> Type0; 
@@ -326,28 +145,18 @@ class t_Operations (v_Self: Type0) = { -> Prims.Pure (t_Array u8 (sz 10)) (f_serialize_5_pre x0) (fun result -> f_serialize_5_post x0 result); - f_deserialize_5_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 10 ==> pred}; + f_deserialize_5_pre:t_Slice u8 -> Type0; f_deserialize_5_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_5_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_5_pre x0) (fun result -> f_deserialize_5_post x0 result); - f_serialize_10_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 10 (f_repr a) ==> pred}; - f_serialize_10_post:a: v_Self -> result: t_Array u8 (sz 20) - -> pred: - Type0 - { pred ==> - Spec.MLKEM.serialize_pre 10 (f_repr a) ==> Spec.MLKEM.serialize_post 10 (f_repr a) result - }; + f_serialize_10_pre:v_Self -> Type0; + f_serialize_10_post:v_Self -> t_Array u8 (sz 20) -> Type0; f_serialize_10_:x0: v_Self -> Prims.Pure (t_Array u8 (sz 20)) (f_serialize_10_pre x0) (fun result -> f_serialize_10_post x0 result); - f_deserialize_10_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 20 ==> pred}; - f_deserialize_10_post:a: t_Slice u8 -> result: v_Self - -> pred: - Type0 - {pred ==> sz (Seq.length a) =. sz 20 ==> Spec.MLKEM.deserialize_post 10 a (f_repr result)}; + f_deserialize_10_pre:t_Slice u8 -> Type0; + f_deserialize_10_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_10_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_10_pre x0) (fun result -> f_deserialize_10_post x0 result); f_serialize_11_pre:v_Self -> Type0; 
@@ -356,52 +165,28 @@ class t_Operations (v_Self: Type0) = { -> Prims.Pure (t_Array u8 (sz 22)) (f_serialize_11_pre x0) (fun result -> f_serialize_11_post x0 result); - f_deserialize_11_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 22 ==> pred}; + f_deserialize_11_pre:t_Slice u8 -> Type0; f_deserialize_11_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_11_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_11_pre x0) (fun result -> f_deserialize_11_post x0 result); - f_serialize_12_pre:a: v_Self -> pred: Type0{Spec.MLKEM.serialize_pre 12 (f_repr a) ==> pred}; - f_serialize_12_post:a: v_Self -> result: t_Array u8 (sz 24) - -> pred: - Type0 - { pred ==> - Spec.MLKEM.serialize_pre 12 (f_repr a) ==> Spec.MLKEM.serialize_post 12 (f_repr a) result - }; + f_serialize_12_pre:v_Self -> Type0; + f_serialize_12_post:v_Self -> t_Array u8 (sz 24) -> Type0; f_serialize_12_:x0: v_Self -> Prims.Pure (t_Array u8 (sz 24)) (f_serialize_12_pre x0) (fun result -> f_serialize_12_post x0 result); - f_deserialize_12_pre:a: t_Slice u8 - -> pred: Type0{(Core.Slice.impl__len #u8 a <: usize) =. sz 24 ==> pred}; - f_deserialize_12_post:a: t_Slice u8 -> result: v_Self - -> pred: - Type0 - {pred ==> sz (Seq.length a) =. sz 24 ==> Spec.MLKEM.deserialize_post 12 a (f_repr result)}; + f_deserialize_12_pre:t_Slice u8 -> Type0; + f_deserialize_12_post:t_Slice u8 -> v_Self -> Type0; f_deserialize_12_:x0: t_Slice u8 -> Prims.Pure v_Self (f_deserialize_12_pre x0) (fun result -> f_deserialize_12_post x0 result); - f_rej_sample_pre:a: t_Slice u8 -> out: t_Slice i16 - -> pred: - Type0 - { (Core.Slice.impl__len #u8 a <: usize) =. sz 24 && - (Core.Slice.impl__len #i16 out <: usize) =. 
sz 16 ==> - pred }; - f_rej_sample_post:a: t_Slice u8 -> out: t_Slice i16 -> x: (t_Slice i16 & usize) - -> pred: - Type0 - { pred ==> - (let out_future, result:(t_Slice i16 & usize) = x in - Seq.length out_future == Seq.length out /\ v result <= 16) }; + f_rej_sample_pre:t_Slice u8 -> t_Slice i16 -> Type0; + f_rej_sample_post:t_Slice u8 -> t_Slice i16 -> (t_Slice i16 & usize) -> Type0; f_rej_sample:x0: t_Slice u8 -> x1: t_Slice i16 -> Prims.Pure (t_Slice i16 & usize) (f_rej_sample_pre x0 x1) (fun result -> f_rej_sample_post x0 x1 result) } -let v_BARRETT_SHIFT: i32 = 26l - -let v_BARRETT_R: i32 = 1l < v (Seq.index coef i) > -(v $FIELD_MODULUS) /\\ - v (Seq.index coef i) < v $FIELD_MODULUS")] + forall (i:nat). i < 16 ==> v (Seq.index coef i) > -3329 /\\ + v (Seq.index coef i) < 3329")] #[hax_lib::fstar::verification_status(panic_free)] #[hax_lib::requires(fstar!("field_modulus_range $a"))] #[hax_lib::ensures(|result| fstar!("forall (i:nat). i < 16 ==> v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) >= 0 /\\ - v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) < v $FIELD_MODULUS"))] + v (Seq.index (Libcrux_ml_kem.Vector.Traits.f_to_i16_array $result) i) < 3329"))] pub(super) fn to_unsigned_field_element( a: Vector, ) -> Vector { diff --git a/libcrux-ml-kem/src/vector/avx2.rs b/libcrux-ml-kem/src/vector/avx2.rs index f673b39b1..049f518ab 100644 --- a/libcrux-ml-kem/src/vector/avx2.rs +++ b/libcrux-ml-kem/src/vector/avx2.rs @@ -35,6 +35,7 @@ fn from_i16_array(array: &[i16]) -> SIMD256Vector { } } +#[hax_lib::attributes] impl Operations for SIMD256Vector { #[inline(always)] #[ensures(|out| fstar!("impl.f_repr out == Seq.create 16 0s"))] diff --git a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti index 95dad6932..e8713dad5 100644 --- a/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti 
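Review bot: The `#[ensures(|out| fstar!("impl.f_repr out == Seq.create 16 0s"))]` on the context line right after the added `#[hax_lib::attributes]` refers to `f_repr`, but the Traits.fsti hunk in this same patch removes the `t_Repr` class and its `_super_8706949974463268012:t_Repr v_Self` constraint from `t_Operations`, so once this attribute makes hax process the method contracts the extracted postcondition has no `f_repr` to resolve against. Presumably the checked-in extraction is simply behind the Rust source at this wip step; if so, regenerating it should bring `t_Repr` back, otherwise the clause should be phrased via `Libcrux_ml_kem.Vector.Traits.f_to_i16_array $out` as the `to_unsigned_field_element` ensures clause above already does. The `impl Operations for SIMD256Vector` block continues past the end of the hunk.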
+++ b/sys/platform/proofs/fstar/extraction/Libcrux_platform.Platform.fsti @@ -1,5 +1,5 @@ module Libcrux_platform.Platform -#set-options "--fuel 0 --ifuel 1 --z3rlimit 80" +#set-options "--fuel 0 --ifuel 1 --z3rlimit 15" open Core open FStar.Mul From 78a4b19c12c3d52484c37d8889ba0b5a53b8f4d0 Mon Sep 17 00:00:00 2001 
From: karthikbhargavan Date: Fri, 8 Nov 2024 15:41:08 +0000 Subject: [PATCH 74/74] c code refresh --- libcrux-ml-kem/c/code_gen.txt | 8 +- libcrux-ml-kem/c/internal/libcrux_core.h | 8 +- .../c/internal/libcrux_mlkem_avx2.h | 44 +- .../c/internal/libcrux_mlkem_portable.h | 44 +- libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h | 8 +- .../c/internal/libcrux_sha3_internal.h | 8 +- libcrux-ml-kem/c/libcrux_core.c | 8 +- libcrux-ml-kem/c/libcrux_core.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem1024.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c | 8 +- libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem1024_portable.c | 18 +- libcrux-ml-kem/c/libcrux_mlkem1024_portable.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem512.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem512_avx2.c | 8 +- libcrux-ml-kem/c/libcrux_mlkem512_avx2.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem512_portable.c | 18 +- libcrux-ml-kem/c/libcrux_mlkem512_portable.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem768.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem768_avx2.c | 8 +- libcrux-ml-kem/c/libcrux_mlkem768_avx2.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem768_portable.c | 18 +- libcrux-ml-kem/c/libcrux_mlkem768_portable.h | 8 +- libcrux-ml-kem/c/libcrux_mlkem_avx2.c | 1321 ++++++----------- libcrux-ml-kem/c/libcrux_mlkem_avx2.h | 136 +- libcrux-ml-kem/c/libcrux_mlkem_portable.c | 638 ++------ libcrux-ml-kem/c/libcrux_mlkem_portable.h | 8 +- libcrux-ml-kem/c/libcrux_sha3.h | 8 +- libcrux-ml-kem/c/libcrux_sha3_avx2.c | 8 +- libcrux-ml-kem/c/libcrux_sha3_avx2.h | 8 +- libcrux-ml-kem/c/libcrux_sha3_internal.h | 8 +- libcrux-ml-kem/c/libcrux_sha3_neon.c | 8 +- libcrux-ml-kem/c/libcrux_sha3_neon.h | 8 +- libcrux-ml-kem/cg/code_gen.txt | 8 +- libcrux-ml-kem/cg/libcrux_core.h | 8 +- libcrux-ml-kem/cg/libcrux_ct_ops.h | 8 +- libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h | 1005 +++++-------- .../cg/libcrux_mlkem768_avx2_types.h | 8 +- libcrux-ml-kem/cg/libcrux_mlkem768_portable.h | 523 ++----- .../cg/libcrux_mlkem768_portable_types.h 
| 8 +- libcrux-ml-kem/cg/libcrux_sha3_avx2.h | 8 +- libcrux-ml-kem/cg/libcrux_sha3_portable.h | 8 +- 42 files changed, 1359 insertions(+), 2662 deletions(-) diff --git a/libcrux-ml-kem/c/code_gen.txt b/libcrux-ml-kem/c/code_gen.txt index 8499b9238..a05d71620 100644 --- a/libcrux-ml-kem/c/code_gen.txt +++ b/libcrux-ml-kem/c/code_gen.txt @@ -1,6 +1,6 @@ This code was generated with the following revisions: -Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 +Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c -Karamel: 8c3612018c25889288da6857771be3ad03b75bcd -F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty -Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 +Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 +F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc +Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 diff --git a/libcrux-ml-kem/c/internal/libcrux_core.h b/libcrux-ml-kem/c/internal/libcrux_core.h index 7f5862bfb..d22ca4534 100644 --- a/libcrux-ml-kem/c/internal/libcrux_core.h +++ b/libcrux-ml-kem/c/internal/libcrux_core.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __internal_libcrux_core_H diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h index 57c7e9008..c24314383 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_avx2.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __internal_libcrux_mlkem_avx2_H @@ -69,14 +69,6 @@ bool libcrux_ml_kem_ind_cca_validate_private_key_12( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *_ciphertext); -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -86,7 +78,7 @@ with const generics - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 -- BYTES_PER_RING_ELEMENT= 1152 +- RANKED_BYTES_PER_RING_ELEMENT= 1152 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ @@ -106,7 +98,7 @@ with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 @@ -178,14 +170,6 @@ bool libcrux_ml_kem_ind_cca_validate_private_key_b9( libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key, libcrux_ml_kem_types_MlKemCiphertext_64 *_ciphertext); -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -195,7 +179,7 @@ with const generics - CPA_PRIVATE_KEY_SIZE= 1536 - PRIVATE_KEY_SIZE= 3168 - PUBLIC_KEY_SIZE= 1568 -- BYTES_PER_RING_ELEMENT= 1536 +- RANKED_BYTES_PER_RING_ELEMENT= 1536 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ @@ -215,7 +199,7 @@ with const generics - C2_SIZE= 160 - VECTOR_U_COMPRESSION_FACTOR= 11 - VECTOR_V_COMPRESSION_FACTOR= 5 -- VECTOR_U_BLOCK_LEN= 352 +- C1_BLOCK_SIZE= 352 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 @@ -287,14 +271,6 @@ bool libcrux_ml_kem_ind_cca_validate_private_key_ad( libcrux_ml_kem_types_MlKemPrivateKey_fa *private_key, libcrux_ml_kem_types_MlKemCiphertext_1a *_ciphertext); -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -304,7 +280,7 @@ with const generics - CPA_PRIVATE_KEY_SIZE= 768 - PRIVATE_KEY_SIZE= 1632 - PUBLIC_KEY_SIZE= 800 -- BYTES_PER_RING_ELEMENT= 768 +- RANKED_BYTES_PER_RING_ELEMENT= 768 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 */ @@ -324,7 +300,7 @@ with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 - ETA2= 2 diff --git a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h index 59bc0be6d..9fca2cfa0 100644 --- a/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/internal/libcrux_mlkem_portable.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __internal_libcrux_mlkem_portable_H @@ -74,14 +74,6 @@ bool libcrux_ml_kem_ind_cca_validate_private_key_b5( libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key, libcrux_ml_kem_types_MlKemCiphertext_64 *_ciphertext); -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -91,7 +83,7 @@ libcrux_ml_kem_variant_MlKem with const generics - CPA_PRIVATE_KEY_SIZE= 1536 - PRIVATE_KEY_SIZE= 3168 - PUBLIC_KEY_SIZE= 1568 -- BYTES_PER_RING_ELEMENT= 1536 +- RANKED_BYTES_PER_RING_ELEMENT= 1536 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ @@ -111,7 +103,7 @@ libcrux_ml_kem_variant_MlKem with const generics - C2_SIZE= 160 - VECTOR_U_COMPRESSION_FACTOR= 11 - VECTOR_V_COMPRESSION_FACTOR= 5 -- VECTOR_U_BLOCK_LEN= 352 +- C1_BLOCK_SIZE= 352 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 
@@ -183,14 +175,6 @@ bool libcrux_ml_kem_ind_cca_validate_private_key_fb( libcrux_ml_kem_types_MlKemPrivateKey_fa *private_key, libcrux_ml_kem_types_MlKemCiphertext_1a *_ciphertext); -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -200,7 +184,7 @@ libcrux_ml_kem_variant_MlKem with const generics - CPA_PRIVATE_KEY_SIZE= 768 - PRIVATE_KEY_SIZE= 1632 - PUBLIC_KEY_SIZE= 800 -- BYTES_PER_RING_ELEMENT= 768 +- RANKED_BYTES_PER_RING_ELEMENT= 768 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 */ @@ -220,7 +204,7 @@ libcrux_ml_kem_variant_MlKem with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 - ETA2= 2 @@ -292,14 +276,6 @@ bool libcrux_ml_kem_ind_cca_validate_private_key_37( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *_ciphertext); -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -309,7 +285,7 @@ libcrux_ml_kem_variant_MlKem with const generics - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 -- BYTES_PER_RING_ELEMENT= 1152 +- RANKED_BYTES_PER_RING_ELEMENT= 1152 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ @@ -329,7 +305,7 @@ libcrux_ml_kem_variant_MlKem with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 
diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h index 4154d969b..4ece01c07 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_avx2.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __internal_libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h index ee6a37d9b..36114b5bd 100644 --- a/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/internal/libcrux_sha3_internal.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __internal_libcrux_sha3_internal_H diff --git a/libcrux-ml-kem/c/libcrux_core.c b/libcrux-ml-kem/c/libcrux_core.c index 1ca124a33..44bb82cfb 100644 --- a/libcrux-ml-kem/c/libcrux_core.c +++ b/libcrux-ml-kem/c/libcrux_core.c 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "internal/libcrux_core.h" diff --git a/libcrux-ml-kem/c/libcrux_core.h b/libcrux-ml-kem/c/libcrux_core.h index c6e16c759..ad32ee35d 100644 --- a/libcrux-ml-kem/c/libcrux_core.h +++ b/libcrux-ml-kem/c/libcrux_core.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_core_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024.h b/libcrux-ml-kem/c/libcrux_mlkem1024.h index 17224c4b8..a0f95f0c5 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem1024_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c index 90ad418e8..bb22e0ab3 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.c @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "libcrux_mlkem1024_avx2.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h index 7793d845c..ea4a4d335 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_avx2.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem1024_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c index 777087e3e..a9a24e5cd 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.c @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "libcrux_mlkem1024_portable.h" @@ -135,9 +135,6 @@ libcrux_ml_kem_mlkem1024_portable_generate_key_pair(uint8_t randomness[64U]) { return generate_keypair_c9(copy_of_randomness); } -/** - Portable private key validation -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.validate_private_key with const 
@@ -146,7 +143,7 @@ generics - SECRET_KEY_SIZE= 3168 - CIPHERTEXT_SIZE= 1568 */ -static bool validate_private_key_6b( +static KRML_MUSTINLINE bool validate_private_key_6b( libcrux_ml_kem_types_MlKemPrivateKey_83 *private_key, libcrux_ml_kem_types_MlKemCiphertext_64 *ciphertext) { return libcrux_ml_kem_ind_cca_validate_private_key_b5(private_key, @@ -164,9 +161,6 @@ bool libcrux_ml_kem_mlkem1024_portable_validate_private_key( return validate_private_key_6b(private_key, ciphertext); } -/** - Portable public key validation -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.validate_public_key with const @@ -175,7 +169,7 @@ generics - RANKED_BYTES_PER_RING_ELEMENT= 1536 - PUBLIC_KEY_SIZE= 1568 */ -static bool validate_public_key_6b(uint8_t *public_key) { +static KRML_MUSTINLINE bool validate_public_key_6b(uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_00(public_key); } diff --git a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h index 0d385ff7f..26015c028 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem1024_portable.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem1024_portable_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512.h b/libcrux-ml-kem/c/libcrux_mlkem512.h index 8b9ba74b4..8a8d55669 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512.h 
+++ b/libcrux-ml-kem/c/libcrux_mlkem512.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem512_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c index 6e7b7232a..3e99b3ea9 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.c @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "libcrux_mlkem512_avx2.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h index 0cfb59f30..e9a9e55e0 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512_avx2.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem512_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c index be7835ad5..00289e810 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.c @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "libcrux_mlkem512_portable.h" @@ -135,9 +135,6 @@ libcrux_ml_kem_mlkem512_portable_generate_key_pair(uint8_t randomness[64U]) { return generate_keypair_a8(copy_of_randomness); } -/** - Portable private key validation -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.validate_private_key with const 
@@ -146,7 +143,7 @@ generics - SECRET_KEY_SIZE= 1632 - CIPHERTEXT_SIZE= 768 */ -static bool validate_private_key_1c( +static KRML_MUSTINLINE bool validate_private_key_1c( libcrux_ml_kem_types_MlKemPrivateKey_fa *private_key, libcrux_ml_kem_types_MlKemCiphertext_1a *ciphertext) { return libcrux_ml_kem_ind_cca_validate_private_key_fb(private_key, @@ -164,9 +161,6 @@ bool libcrux_ml_kem_mlkem512_portable_validate_private_key( return validate_private_key_1c(private_key, ciphertext); } -/** - Portable public key validation -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.validate_public_key with const @@ -175,7 +169,7 @@ generics - RANKED_BYTES_PER_RING_ELEMENT= 768 - PUBLIC_KEY_SIZE= 800 */ -static bool validate_public_key_1c(uint8_t *public_key) { +static KRML_MUSTINLINE bool validate_public_key_1c(uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_86(public_key); } diff --git a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h index 948e81ea1..0f19e1950 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem512_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem512_portable.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem512_portable_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem768.h b/libcrux-ml-kem/c/libcrux_mlkem768.h index f6e24fa88..0caa6791d 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768.h 
+++ b/libcrux-ml-kem/c/libcrux_mlkem768.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem768_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c index a45904109..bcf8914e3 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c +++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.c @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "libcrux_mlkem768_avx2.h" diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h index 1487a3e64..2b84eaa9a 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768_avx2.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem768_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c index 1396149db..3b8ae8945 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.c @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "libcrux_mlkem768_portable.h" @@ -135,9 +135,6 @@ libcrux_ml_kem_mlkem768_portable_generate_key_pair(uint8_t randomness[64U]) { return generate_keypair_c6(copy_of_randomness); } -/** - Portable private key validation -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.validate_private_key with const 
@@ -146,7 +143,7 @@ generics - SECRET_KEY_SIZE= 2400 - CIPHERTEXT_SIZE= 1088 */ -static bool validate_private_key_31( +static KRML_MUSTINLINE bool validate_private_key_31( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext) { return libcrux_ml_kem_ind_cca_validate_private_key_37(private_key, @@ -164,9 +161,6 @@ bool libcrux_ml_kem_mlkem768_portable_validate_private_key( return validate_private_key_31(private_key, ciphertext); } -/** - Portable public key validation -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.validate_public_key with const @@ -175,7 +169,7 @@ generics - RANKED_BYTES_PER_RING_ELEMENT= 1152 - PUBLIC_KEY_SIZE= 1184 */ -static bool validate_public_key_31(uint8_t *public_key) { +static KRML_MUSTINLINE bool validate_public_key_31(uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_6c(public_key); } diff --git a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h index 89e860721..913f5271d 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem768_portable.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem768_portable_H diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c index dd14a27bf..f53d6f5c4 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.c 
+++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.c @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "internal/libcrux_mlkem_avx2.h" @@ -39,9 +39,9 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_zero(void) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ZERO_ea(void) { +KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ZERO_09(void) { return libcrux_ml_kem_vector_avx2_zero(); } @@ -52,10 +52,10 @@ libcrux_ml_kem_vector_avx2_from_i16_array(Eurydice_slice array) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_from_i16_array_ea(Eurydice_slice array) { +libcrux_ml_kem_vector_avx2_from_i16_array_09(Eurydice_slice array) { return libcrux_ml_kem_vector_avx2_from_i16_array(array); } 
@@ -69,9 +69,9 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array(__m256i v, /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array_ea( +KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array_09( __m256i x, int16_t ret[16U]) { libcrux_ml_kem_vector_avx2_to_i16_array(x, ret); } @@ -83,9 +83,9 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_add(__m256i lhs, /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_add_ea(__m256i lhs, +KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_add_09(__m256i lhs, __m256i *rhs) { return libcrux_ml_kem_vector_avx2_arithmetic_add(lhs, rhs[0U]); } @@ -97,9 +97,9 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_arithmetic_sub(__m256i lhs, /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_sub_ea(__m256i lhs, +KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_sub_09(__m256i lhs, __m256i *rhs) { return libcrux_ml_kem_vector_avx2_arithmetic_sub(lhs, rhs[0U]); } 
@@ -112,11 +112,11 @@ libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(__m256i vector, /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_multiply_by_constant_ea(__m256i v, int16_t c) { - return libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(v, c); +libcrux_ml_kem_vector_avx2_multiply_by_constant_09(__m256i vec, int16_t c) { + return libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(vec, c); } KRML_MUSTINLINE __m256i @@ -127,9 +127,9 @@ libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea( +KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_09( __m256i vector, int16_t constant) { return libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( vector, constant); @@ -154,10 +154,10 @@ libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(__m256i vector) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_cond_subtract_3329_ea(__m256i vector) { +libcrux_ml_kem_vector_avx2_cond_subtract_3329_09(__m256i vector) { return libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(vector); } 
@@ -179,10 +179,10 @@ libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_barrett_reduce_ea(__m256i vector) { +libcrux_ml_kem_vector_avx2_barrett_reduce_09(__m256i vector) { return libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(vector); } @@ -204,10 +204,10 @@ libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea( +libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09( __m256i vector, int16_t constant) { return libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant( vector, constant); @@ -230,10 +230,10 @@ libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_1_ea(__m256i vector) { +libcrux_ml_kem_vector_avx2_compress_1_09(__m256i vector) { return libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient( vector); } 
@@ -279,9 +279,9 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_ea( +KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_09( __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(vector, zeta0, zeta1, @@ -303,9 +303,9 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_ea( +KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_09( __m256i vector, int16_t zeta0, int16_t zeta1) { return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(vector, zeta0, zeta1); } @@ -341,10 +341,10 @@ libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(__m256i vector, int16_t zeta) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_ntt_layer_3_step_ea(__m256i vector, int16_t zeta) { +libcrux_ml_kem_vector_avx2_ntt_layer_3_step_09(__m256i vector, int16_t zeta) { return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(vector, zeta); } 
@@ -371,9 +371,9 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_ea( +KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_09( __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step( @@ -401,9 +401,9 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_ea( +KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_09( __m256i vector, int16_t zeta0, int16_t zeta1) { return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(vector, zeta0, zeta1); @@ -425,9 +425,9 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_ea( +KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_09( __m256i vector, int16_t zeta) { return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(vector, zeta); } 
@@ -511,9 +511,9 @@ KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply_ea( +KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply_09( __m256i *lhs, __m256i *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { return libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(lhs[0U], rhs[0U], zeta0, @@ -568,9 +568,9 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_1( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1_ea( +KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1_09( __m256i vector, uint8_t ret[2U]) { libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, ret); } @@ -622,10 +622,10 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_1_ea(Eurydice_slice bytes) { +libcrux_ml_kem_vector_avx2_deserialize_1_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes); } 
@@ -692,9 +692,9 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4_ea( +KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4_09( __m256i vector, uint8_t ret[8U]) { libcrux_ml_kem_vector_avx2_serialize_serialize_4(vector, ret); } @@ -751,10 +751,10 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_4_ea(Eurydice_slice bytes) { +libcrux_ml_kem_vector_avx2_deserialize_4_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_4(bytes); } @@ -848,9 +848,9 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_5( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_5_ea( +KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_5_09( __m256i vector, uint8_t ret[10U]) { libcrux_ml_kem_vector_avx2_serialize_serialize_5(vector, ret); } 
@@ -899,10 +899,10 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_5_ea(Eurydice_slice bytes) { +libcrux_ml_kem_vector_avx2_deserialize_5_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_5(bytes); } @@ -996,9 +996,9 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10_ea( +KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10_09( __m256i vector, uint8_t ret[20U]) { libcrux_ml_kem_vector_avx2_serialize_serialize_10(vector, ret); } @@ -1031,10 +1031,10 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_10_ea(Eurydice_slice bytes) { +libcrux_ml_kem_vector_avx2_deserialize_10_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_10(bytes); } 
@@ -1053,9 +1053,9 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_11( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_11_ea( +KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_11_09( __m256i vector, uint8_t ret[22U]) { libcrux_ml_kem_vector_avx2_serialize_serialize_11(vector, ret); } @@ -1072,10 +1072,10 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_11(Eurydice_slice bytes) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_11_ea(Eurydice_slice bytes) { +libcrux_ml_kem_vector_avx2_deserialize_11_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_11(bytes); } @@ -1125,9 +1125,9 @@ KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12_ea( +KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12_09( __m256i vector, uint8_t ret[24U]) { libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, ret); } 
@@ -1160,10 +1160,10 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_12_ea(Eurydice_slice bytes) { +libcrux_ml_kem_vector_avx2_deserialize_12_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_12(bytes); } @@ -1248,18 +1248,18 @@ KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_sampling_rejection_sample( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_rej_sample_ea( +KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_rej_sample_09( Eurydice_slice input, Eurydice_slice output) { return libcrux_ml_kem_vector_avx2_sampling_rejection_sample(input, output); } /** This function found in impl {(core::clone::Clone for -libcrux_ml_kem::vector::avx2::SIMD256Vector)#1} +libcrux_ml_kem::vector::avx2::SIMD256Vector)} */ -inline __m256i libcrux_ml_kem_vector_avx2_clone_3a(__m256i *self) { +inline __m256i libcrux_ml_kem_vector_avx2_clone_78(__m256i *self) { return self[0U]; } 
@@ -1274,24 +1274,24 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ZERO_d6_79(void) { +static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ZERO_d6_61(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit; - lit.coefficients[0U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[1U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[2U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[3U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[4U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[5U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[6U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[7U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[8U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[9U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[10U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[11U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[12U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[13U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[14U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[15U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); + lit.coefficients[0U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[1U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[2U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[3U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[4U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[5U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[6U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[7U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[8U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[9U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[10U] = 
libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[11U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[12U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[13U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[14U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[15U] = libcrux_ml_kem_vector_avx2_ZERO_09(); return lit; } @@ -1308,23 +1308,20 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -deserialize_to_reduced_ring_element_79(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_79(); +deserialize_to_reduced_ring_element_61(Eurydice_slice serialized) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t); - __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_12_ea(bytes); + __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_12_09(bytes); re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_cond_subtract_3329_ea(coefficient); + libcrux_ml_kem_vector_avx2_cond_subtract_3329_09(coefficient); } return re; } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -1346,7 +1343,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_b1( LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - deserialize_to_reduced_ring_element_79(ring_element); + deserialize_to_reduced_ring_element_61(ring_element); deserialized_pk[i0] = uu____0; } } 
@@ -1369,7 +1366,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_b1( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - deserialized_pk[i] = ZERO_d6_79();); + deserialized_pk[i] = ZERO_d6_61();); deserialize_ring_elements_reduced_b1(public_key, deserialized_pk); memcpy( ret, deserialized_pk, @@ -1387,14 +1384,14 @@ static KRML_MUSTINLINE __m256i shift_right_ef(__m256i vector) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** -A monomorphic instance of libcrux_ml_kem.vector.avx2.shift_right_ea +A monomorphic instance of libcrux_ml_kem.vector.avx2.shift_right_09 with const generics - SHIFT_BY= 15 */ -static KRML_MUSTINLINE __m256i shift_right_ea_ef(__m256i vector) { +static KRML_MUSTINLINE __m256i shift_right_09_ef(__m256i vector) { return shift_right_ef(vector); } 
@@ -1404,11 +1401,21 @@ libcrux_ml_kem.vector.traits.to_unsigned_representative with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE __m256i to_unsigned_representative_79(__m256i a) { - __m256i t = shift_right_ea_ef(a); - __m256i fm = libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea( +static KRML_MUSTINLINE __m256i to_unsigned_representative_61(__m256i a) { + __m256i t = shift_right_09_ef(a); + __m256i fm = libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_09( t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - return libcrux_ml_kem_vector_avx2_add_ea(a, &fm); + return libcrux_ml_kem_vector_avx2_add_09(a, &fm); +} + +/** +A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_element +with types libcrux_ml_kem_vector_avx2_SIMD256Vector +with const generics + +*/ +static KRML_MUSTINLINE __m256i to_unsigned_field_element_61(__m256i a) { + return to_unsigned_representative_61(a); } /** 
@@ -1417,26 +1424,25 @@ libcrux_ml_kem.serialize.serialize_uncompressed_ring_element with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void serialize_uncompressed_ring_element_79( +static KRML_MUSTINLINE void serialize_uncompressed_ring_element_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, uint8_t ret[384U]) { uint8_t serialized[384U] = {0U}; for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = to_unsigned_representative_79(re->coefficients[i0]); + __m256i coefficient = to_unsigned_field_element_61(re->coefficients[i0]); uint8_t bytes[24U]; - libcrux_ml_kem_vector_avx2_serialize_12_ea(coefficient, bytes); + libcrux_ml_kem_vector_avx2_serialize_12_09(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t); Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)24U, bytes, uint8_t), uint8_t); } - memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t)); + uint8_t result[384U]; + memcpy(result, serialized, (size_t)384U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)384U * sizeof(uint8_t)); } -/** - Call [`serialize_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -1462,16 +1468,13 @@ static KRML_MUSTINLINE void serialize_secret_key_ed( (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); uint8_t ret0[384U]; - serialize_uncompressed_ring_element_79(&re, ret0); + serialize_uncompressed_ring_element_61(&re, ret0); Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t); } memcpy(ret, out, (size_t)1152U * sizeof(uint8_t)); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key_mut with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -1495,9 +1498,6 @@ static KRML_MUSTINLINE void serialize_public_key_mut_ed( seed_for_a, uint8_t); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -1616,9 +1616,9 @@ with const generics */ static IndCpaPrivateKeyUnpacked_63 default_1a_ab(void) { IndCpaPrivateKeyUnpacked_63 lit; - lit.secret_as_ntt[0U] = ZERO_d6_79(); - lit.secret_as_ntt[1U] = ZERO_d6_79(); - lit.secret_as_ntt[2U] = ZERO_d6_79(); + lit.secret_as_ntt[0U] = ZERO_d6_61(); + lit.secret_as_ntt[1U] = ZERO_d6_61(); + lit.secret_as_ntt[2U] = ZERO_d6_61(); return lit; } 
@@ -1648,22 +1648,22 @@ with const generics static IndCpaPublicKeyUnpacked_63 default_8d_ab(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - uu____0[i] = ZERO_d6_79();); + uu____0[i] = ZERO_d6_61();); uint8_t uu____1[32U] = {0U}; IndCpaPublicKeyUnpacked_63 lit; memcpy( lit.t_as_ntt, uu____0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - lit.A[0U][0U] = ZERO_d6_79(); - lit.A[0U][1U] = ZERO_d6_79(); - lit.A[0U][2U] = ZERO_d6_79(); - lit.A[1U][0U] = ZERO_d6_79(); - lit.A[1U][1U] = ZERO_d6_79(); - lit.A[1U][2U] = ZERO_d6_79(); - lit.A[2U][0U] = ZERO_d6_79(); - lit.A[2U][1U] = ZERO_d6_79(); - lit.A[2U][2U] = ZERO_d6_79(); + lit.A[0U][0U] = ZERO_d6_61(); + lit.A[0U][1U] = ZERO_d6_61(); + lit.A[0U][2U] = ZERO_d6_61(); + lit.A[1U][0U] = ZERO_d6_61(); + lit.A[1U][1U] = ZERO_d6_61(); + lit.A[1U][2U] = ZERO_d6_61(); + lit.A[2U][0U] = ZERO_d6_61(); + lit.A[2U][1U] = ZERO_d6_61(); + lit.A[2U][2U] = ZERO_d6_61(); return lit; } @@ -1844,7 +1844,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ed( Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t); - size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( + size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_09( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], sampled_coefficients[i1] + (size_t)16U, int16_t)); 
@@ -1967,7 +1967,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_ed0( Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t); - size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( + size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_09( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], sampled_coefficients[i1] + (size_t)16U, int16_t)); @@ -1999,13 +1999,13 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -from_i16_array_d6_79(Eurydice_slice a) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_79(); +from_i16_array_d6_61(Eurydice_slice a) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_61(); for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; result.coefficients[i0] = - libcrux_ml_kem_vector_avx2_from_i16_array_ea(Eurydice_slice_subslice2( + libcrux_ml_kem_vector_avx2_from_i16_array_09(Eurydice_slice_subslice2( a, i0 * (size_t)16U, (i0 + (size_t)1U) * (size_t)16U, int16_t)); } return result; @@ -2019,7 +2019,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 closure_6c1( int16_t s[272U]) { - return from_i16_array_d6_79( + return from_i16_array_d6_61( Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } @@ -2222,7 +2222,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -sample_from_binomial_distribution_2_79(Eurydice_slice randomness) { +sample_from_binomial_distribution_2_61(Eurydice_slice randomness) { int16_t sampled_i16s[256U] = {0U}; for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)4U; i0++) { 
@@ -2256,7 +2256,7 @@ sample_from_binomial_distribution_2_79(Eurydice_slice randomness) { sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; } } - return from_i16_array_d6_79( + return from_i16_array_d6_61( Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } @@ -2267,7 +2267,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -sample_from_binomial_distribution_3_79(Eurydice_slice randomness) { +sample_from_binomial_distribution_3_61(Eurydice_slice randomness) { int16_t sampled_i16s[256U] = {0U}; for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len(randomness, uint8_t) / (size_t)3U; i0++) { @@ -2300,7 +2300,7 @@ sample_from_binomial_distribution_3_79(Eurydice_slice randomness) { sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2; } } - return from_i16_array_d6_79( + return from_i16_array_d6_61( Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } @@ -2312,7 +2312,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 sample_from_binomial_distribution_89(Eurydice_slice randomness) { - return sample_from_binomial_distribution_2_79(randomness); + return sample_from_binomial_distribution_2_61(randomness); } /** @@ -2321,7 +2321,7 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void ntt_at_layer_7_79( +static KRML_MUSTINLINE void ntt_at_layer_7_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { size_t step = LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT / (size_t)2U; for (size_t i = (size_t)0U; 
@@ -2331,12 +2331,12 @@ static KRML_MUSTINLINE void ntt_at_layer_7_79( step; i++) { size_t j = i; - __m256i t = libcrux_ml_kem_vector_avx2_multiply_by_constant_ea( + __m256i t = libcrux_ml_kem_vector_avx2_multiply_by_constant_09( re->coefficients[j + step], (int16_t)-1600); re->coefficients[j + step] = - libcrux_ml_kem_vector_avx2_sub_ea(re->coefficients[j], &t); + libcrux_ml_kem_vector_avx2_sub_09(re->coefficients[j], &t); re->coefficients[j] = - libcrux_ml_kem_vector_avx2_add_ea(re->coefficients[j], &t); + libcrux_ml_kem_vector_avx2_add_09(re->coefficients[j], &t); } } @@ -2351,9 +2351,9 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE __m256i montgomery_multiply_fe_79(__m256i v, +static KRML_MUSTINLINE __m256i montgomery_multiply_fe_61(__m256i v, int16_t fer) { - return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea(v, fer); + return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09(v, fer); } /** @@ -2363,10 +2363,10 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 -ntt_layer_int_vec_step_79(__m256i a, __m256i b, int16_t zeta_r) { - __m256i t = montgomery_multiply_fe_79(b, zeta_r); - b = libcrux_ml_kem_vector_avx2_sub_ea(a, &t); - a = libcrux_ml_kem_vector_avx2_add_ea(a, &t); +ntt_layer_int_vec_step_61(__m256i a, __m256i b, int16_t zeta_r) { + __m256i t = montgomery_multiply_fe_61(b, zeta_r); + b = libcrux_ml_kem_vector_avx2_sub_09(a, &t); + a = libcrux_ml_kem_vector_avx2_add_09(a, &t); return (CLITERAL(libcrux_ml_kem_vector_avx2_SIMD256Vector_x2){.fst = a, .snd = b}); } @@ -2377,7 +2377,7 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void ntt_at_layer_4_plus_79( +static KRML_MUSTINLINE void ntt_at_layer_4_plus_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t layer) { size_t step = (size_t)1U << (uint32_t)layer; 
@@ -2390,7 +2390,7 @@ static KRML_MUSTINLINE void ntt_at_layer_4_plus_79( for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { size_t j = i; libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 = - ntt_layer_int_vec_step_79( + ntt_layer_int_vec_step_61( re->coefficients[j], re->coefficients[j + step_vec], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); __m256i x = uu____0.fst; @@ -2407,12 +2407,12 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void ntt_at_layer_3_79( +static KRML_MUSTINLINE void ntt_at_layer_3_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_3_step_ea( + re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_3_step_09( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);); } @@ -2423,12 +2423,12 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void ntt_at_layer_2_79( +static KRML_MUSTINLINE void ntt_at_layer_2_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_2_step_ea( + re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_2_step_09( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + 
@@ -2442,12 +2442,12 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void ntt_at_layer_1_79( +static KRML_MUSTINLINE void ntt_at_layer_1_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_1_step_ea( + re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_1_step_09( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + @@ -2470,7 +2470,7 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void poly_barrett_reduce_d6_79( +static KRML_MUSTINLINE void poly_barrett_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self) { for (size_t i = (size_t)0U; i < @@ -2480,7 +2480,7 @@ static KRML_MUSTINLINE void poly_barrett_reduce_d6_79( i++) { size_t i0 = i; self->coefficients[i0] = - libcrux_ml_kem_vector_avx2_barrett_reduce_ea(self->coefficients[i0]); + libcrux_ml_kem_vector_avx2_barrett_reduce_09(self->coefficients[i0]); } } 
@@ -2490,25 +2490,21 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void ntt_binomially_sampled_ring_element_79( +static KRML_MUSTINLINE void ntt_binomially_sampled_ring_element_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { - ntt_at_layer_7_79(/* Due to the small coefficient bound, we can skip the first + ntt_at_layer_7_61(/* Due to the small coefficient bound, we can skip the first round of Montgomery reductions. */ re); size_t zeta_i = (size_t)1U; - ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)6U); - ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)5U); - ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)4U); - ntt_at_layer_3_79(&zeta_i, re); - ntt_at_layer_2_79(&zeta_i, re); - ntt_at_layer_1_79(&zeta_i, re); - poly_barrett_reduce_d6_79(re); + ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)6U); + ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)5U); + ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)4U); + ntt_at_layer_3_61(&zeta_i, re); + ntt_at_layer_2_61(&zeta_i, re); + ntt_at_layer_1_61(&zeta_i, re); + poly_barrett_reduce_d6_61(re); } -/** - Sample a vector of ring elements from a centered binomial distribution and - convert them into their NTT representations. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -2527,6 +2523,8 @@ static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_b41( KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); + uint8_t _prf_inputs_init[3U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)3U * sizeof(uint8_t[33U])); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); 
@@ -2536,7 +2534,7 @@ static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_b41( i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; re_as_ntt[i0] = sample_from_binomial_distribution_89( Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); - ntt_binomially_sampled_ring_element_79(&re_as_ntt[i0]);); + ntt_binomially_sampled_ring_element_61(&re_as_ntt[i0]);); return domain_separator; } @@ -2563,7 +2561,7 @@ static KRML_MUSTINLINE tuple_23 sample_vector_cbd_then_ntt_out_b41( uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - re_as_ntt[i] = ZERO_d6_79();); + re_as_ntt[i] = ZERO_d6_61();); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = re_as_ntt; uint8_t uu____1[33U]; memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -2621,15 +2619,15 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -ntt_multiply_d6_79(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, +ntt_multiply_d6_61(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) { /* hax_debug_debug_assert!(lhs .coefficients .into_iter() .all(|coefficient| * coefficient >= 0 && coefficient < 4096)); */ - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 out = ZERO_d6_79(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 out = ZERO_d6_61(); for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - out.coefficients[i0] = libcrux_ml_kem_vector_avx2_ntt_multiply_ea( + out.coefficients[i0] = libcrux_ml_kem_vector_avx2_ntt_multiply_09( &self->coefficients[i0], &rhs->coefficients[i0], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + (size_t)4U * i0], 
@@ -2675,7 +2673,7 @@ static KRML_MUSTINLINE void add_to_ring_element_d6_ab( __m256i); i++) { size_t i0 = i; - self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_ea( + self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_09( self->coefficients[i0], &rhs->coefficients[i0]); } } @@ -2686,8 +2684,8 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE __m256i to_standard_domain_79(__m256i v) { - return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea( +static KRML_MUSTINLINE __m256i to_standard_domain_61(__m256i v) { + return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09( v, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS); } @@ -2702,7 +2700,7 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void add_standard_error_reduce_d6_79( +static KRML_MUSTINLINE void add_standard_error_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) { for (size_t i = (size_t)0U; @@ -2712,20 +2710,17 @@ static KRML_MUSTINLINE void add_standard_error_reduce_d6_79( LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t j = i; - __m256i coefficient_normal_form = to_standard_domain_79( + __m256i coefficient_normal_form = to_standard_domain_61( self->coefficients[/* The coefficients are of the form aR^{-1} mod q, which means calling to_montgomery_domain() on them should return a mod q. */ j]); - self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_ea( - libcrux_ml_kem_vector_avx2_add_ea(coefficient_normal_form, + self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_09( + libcrux_ml_kem_vector_avx2_add_09(coefficient_normal_form, &error->coefficients[j])); } } -/** - Compute  ◦ ŝ + ê -*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -2748,7 +2743,7 @@ static KRML_MUSTINLINE void compute_As_plus_e_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *row = matrix_A[i0]; /* This may be externally provided memory. Ensure that `t_as_ntt` is all 0. */ - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_d6_79(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_d6_61(); t_as_ntt[i0] = uu____0; for (size_t i1 = (size_t)0U; i1 < Eurydice_slice_len( 
@@ -2761,54 +2756,13 @@ static KRML_MUSTINLINE void compute_As_plus_e_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_d6_79(matrix_element, &s_as_ntt[j]); + ntt_multiply_d6_61(matrix_element, &s_as_ntt[j]); add_to_ring_element_d6_ab(&t_as_ntt[i0], &product); } - add_standard_error_reduce_d6_79(&t_as_ntt[i0], &error_as_ntt[i0]); + add_standard_error_reduce_d6_61(&t_as_ntt[i0], &error_as_ntt[i0]); } } -/** - This function implements most of Algorithm 12 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation - algorithm. - - We say "most of" since Algorithm 12 samples the required randomness within - the function itself, whereas this implementation expects it to be provided - through the `key_generation_seed` parameter. - - Algorithm 12 is reproduced below: - - ```plaintext - Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - - d ←$ B - (ρ,σ) ← G(d) - N ← 0 - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) - N ← N + 1 - end for - ŝ ← NTT(s) - ê ← NTT(e) - t̂ ← Â◦ŝ + ê - ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ - dkₚₖₑ ← ByteEncode₁₂(ŝ) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -2959,14 +2913,6 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_ae( memcpy(ret, out, (size_t)2400U * sizeof(uint8_t)); } -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -2976,7 +2922,7 @@ with const generics - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 -- BYTES_PER_RING_ELEMENT= 1152 +- RANKED_BYTES_PER_RING_ELEMENT= 1152 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ @@ -3032,9 +2978,6 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_be(Eurydice_slice randomness, memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -3056,14 +2999,11 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_98( LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - deserialize_to_reduced_ring_element_79(ring_element); + deserialize_to_reduced_ring_element_61(ring_element); deserialized_pk[i0] = uu____0; } } -/** - Sample a vector of ring elements from a centered binomial distribution. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -3076,7 +3016,7 @@ static KRML_MUSTINLINE tuple_23 sample_ring_element_cbd_b41(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_1[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - error_1[i] = ZERO_d6_79();); + error_1[i] = ZERO_d6_61();); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_prf_input[33U]; memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); 
@@ -3084,6 +3024,8 @@ sample_ring_element_cbd_b41(uint8_t prf_input[33U], uint8_t domain_separator) { KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); + uint8_t _prf_inputs_init[3U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)3U * sizeof(uint8_t[33U])); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); @@ -3141,13 +3083,13 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void invert_ntt_at_layer_1_79( +static KRML_MUSTINLINE void invert_ntt_at_layer_1_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; re->coefficients[round] = - libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_ea( + libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_09( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - @@ -3165,13 +3107,13 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void invert_ntt_at_layer_2_79( +static KRML_MUSTINLINE void invert_ntt_at_layer_2_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; re->coefficients[round] = - libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_ea( + libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_09( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - 
@@ -3185,13 +3127,13 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void invert_ntt_at_layer_3_79( +static KRML_MUSTINLINE void invert_ntt_at_layer_3_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; re->coefficients[round] = - libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_ea( + libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_09( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]);); } @@ -3203,11 +3145,11 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 -inv_ntt_layer_int_vec_step_reduce_79(__m256i a, __m256i b, int16_t zeta_r) { - __m256i a_minus_b = libcrux_ml_kem_vector_avx2_sub_ea(b, &a); - a = libcrux_ml_kem_vector_avx2_barrett_reduce_ea( - libcrux_ml_kem_vector_avx2_add_ea(a, &b)); - b = montgomery_multiply_fe_79(a_minus_b, zeta_r); +inv_ntt_layer_int_vec_step_reduce_61(__m256i a, __m256i b, int16_t zeta_r) { + __m256i a_minus_b = libcrux_ml_kem_vector_avx2_sub_09(b, &a); + a = libcrux_ml_kem_vector_avx2_barrett_reduce_09( + libcrux_ml_kem_vector_avx2_add_09(a, &b)); + b = montgomery_multiply_fe_61(a_minus_b, zeta_r); return (CLITERAL(libcrux_ml_kem_vector_avx2_SIMD256Vector_x2){.fst = a, .snd = b}); } @@ -3218,7 +3160,7 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void invert_ntt_at_layer_4_plus_79( +static KRML_MUSTINLINE void invert_ntt_at_layer_4_plus_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t layer) { size_t step = (size_t)1U << (uint32_t)layer; 
@@ -3239,7 +3181,7 @@ static KRML_MUSTINLINE void invert_ntt_at_layer_4_plus_79( for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { size_t j = i; libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 = - inv_ntt_layer_int_vec_step_reduce_79( + inv_ntt_layer_int_vec_step_reduce_61( re->coefficients[j], re->coefficients[j + step_vec], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); __m256i x = uu____0.fst; @@ -3263,14 +3205,14 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_ab( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; - invert_ntt_at_layer_1_79(&zeta_i, re); - invert_ntt_at_layer_2_79(&zeta_i, re); - invert_ntt_at_layer_3_79(&zeta_i, re); - invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)4U); - invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)5U); - invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)6U); - invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)7U); - poly_barrett_reduce_d6_79(re); + invert_ntt_at_layer_1_61(&zeta_i, re); + invert_ntt_at_layer_2_61(&zeta_i, re); + invert_ntt_at_layer_3_61(&zeta_i, re); + invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)4U); + invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)5U); + invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)6U); + invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)7U); + poly_barrett_reduce_d6_61(re); } /** @@ -3284,7 +3226,7 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void add_error_reduce_d6_79( +static KRML_MUSTINLINE void add_error_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) { for (size_t i = (size_t)0U; 
@@ -3295,10 +3237,10 @@ static KRML_MUSTINLINE void add_error_reduce_d6_79( i++) { size_t j = i; __m256i coefficient_normal_form = - libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea( + libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09( self->coefficients[j], (int16_t)1441); - self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_ea( - libcrux_ml_kem_vector_avx2_add_ea(coefficient_normal_form, + self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_09( + libcrux_ml_kem_vector_avx2_add_09(coefficient_normal_form, &error->coefficients[j])); } } @@ -3319,7 +3261,7 @@ static KRML_MUSTINLINE void compute_vector_u_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - result[i] = ZERO_d6_79();); + result[i] = ZERO_d6_61();); for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len( Eurydice_array_to_slice( @@ -3339,11 +3281,11 @@ static KRML_MUSTINLINE void compute_vector_u_ab( size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *a_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_d6_79(a_element, &r_as_ntt[j]); + ntt_multiply_d6_61(a_element, &r_as_ntt[j]); add_to_ring_element_d6_ab(&result[i1], &product); } invert_ntt_montgomery_ab(&result[i1]); - add_error_reduce_d6_79(&result[i1], &error_1[i1]); + add_error_reduce_d6_61(&result[i1], &error_1[i1]); } memcpy( ret, result, 
@@ -3356,11 +3298,11 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE __m256i decompress_1_79(__m256i v) { - return libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea( - libcrux_ml_kem_vector_avx2_sub_ea(libcrux_ml_kem_vector_avx2_ZERO_ea(), - &v), - (int16_t)1665); +static KRML_MUSTINLINE __m256i decompress_1_61(__m256i vec) { + __m256i z = libcrux_ml_kem_vector_avx2_ZERO_09(); + __m256i s = libcrux_ml_kem_vector_avx2_sub_09(z, &vec); + return libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_09(s, + (int16_t)1665); } /** @@ -3370,16 +3312,16 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -deserialize_then_decompress_message_79(uint8_t serialized[32U]) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_79(); +deserialize_then_decompress_message_61(uint8_t serialized[32U]) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_61(); KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; __m256i coefficient_compressed = - libcrux_ml_kem_vector_avx2_deserialize_1_ea( + libcrux_ml_kem_vector_avx2_deserialize_1_09( Eurydice_array_to_subslice2(serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t)); - re.coefficients[i0] = decompress_1_79(coefficient_compressed);); + re.coefficients[i0] = decompress_1_61(coefficient_compressed);); return re; } @@ -3395,7 +3337,7 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -add_message_error_reduce_d6_79( +add_message_error_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) { 
@@ -3403,9 +3345,9 @@ add_message_error_reduce_d6_79( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient_normal_form = - libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea( + libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09( result.coefficients[i0], (int16_t)1441); - __m256i tmp = libcrux_ml_kem_vector_avx2_add_ea( + __m256i tmp = libcrux_ml_kem_vector_avx2_add_09( self->coefficients [/* FIXME: Eurydice crashes with: Warning 11: in top-level declaration @@ -3426,9 +3368,9 @@ add_message_error_reduce_d6_79( i0], &message->coefficients[i0]); __m256i tmp0 = - libcrux_ml_kem_vector_avx2_add_ea(coefficient_normal_form, &tmp); + libcrux_ml_kem_vector_avx2_add_09(coefficient_normal_form, &tmp); result.coefficients[i0] = - libcrux_ml_kem_vector_avx2_barrett_reduce_ea(tmp0); + libcrux_ml_kem_vector_avx2_barrett_reduce_09(tmp0); } return result; } @@ -3448,13 +3390,13 @@ compute_ring_element_v_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_79(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_61(); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_d6_79(&t_as_ntt[i0], &r_as_ntt[i0]); + ntt_multiply_d6_61(&t_as_ntt[i0], &r_as_ntt[i0]); add_to_ring_element_d6_ab(&result, &product);); invert_ntt_montgomery_ab(&result); - result = add_message_error_reduce_d6_79(error_2, message, result); + result = add_message_error_reduce_d6_61(error_2, message, result); return result; } 
@@ -3533,14 +3475,14 @@ compress_ciphertext_coefficient_ef(__m256i vector) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** -A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea +A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_09 with const generics - COEFFICIENT_BITS= 10 */ -static KRML_MUSTINLINE __m256i compress_ea_ef(__m256i vector) { +static KRML_MUSTINLINE __m256i compress_09_ef(__m256i vector) { return compress_ciphertext_coefficient_ef(vector); } @@ -3557,9 +3499,9 @@ static KRML_MUSTINLINE void compress_then_serialize_10_0e0( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient = - compress_ea_ef(to_unsigned_representative_79(re->coefficients[i0])); + compress_09_ef(to_unsigned_field_element_61(re->coefficients[i0])); uint8_t bytes[20U]; - libcrux_ml_kem_vector_avx2_serialize_10_ea(coefficient, bytes); + libcrux_ml_kem_vector_avx2_serialize_10_09(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t); Eurydice_slice_copy( @@ -3643,14 +3585,14 @@ compress_ciphertext_coefficient_c4(__m256i vector) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** -A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea +A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_09 with const generics - COEFFICIENT_BITS= 11 */ -static KRML_MUSTINLINE __m256i compress_ea_c4(__m256i vector) { +static KRML_MUSTINLINE __m256i compress_09_c4(__m256i vector) { return compress_ciphertext_coefficient_c4(vector); } 
@@ -3663,14 +3605,11 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE void compress_then_serialize_ring_element_u_a4( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, uint8_t ret[320U]) { - uint8_t uu____0[320U]; - compress_then_serialize_10_0e0(re, uu____0); - memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); + uint8_t result[320U]; + compress_then_serialize_10_0e0(re, result); + memcpy(ret, result, (size_t)320U * sizeof(uint8_t)); } -/** - Call [`compress_then_serialize_ring_element_u`] on each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -3783,14 +3722,14 @@ compress_ciphertext_coefficient_d1(__m256i vector) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** -A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea +A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_09 with const generics - COEFFICIENT_BITS= 4 */ -static KRML_MUSTINLINE __m256i compress_ea_d1(__m256i vector) { +static KRML_MUSTINLINE __m256i compress_09_d1(__m256i vector) { return compress_ciphertext_coefficient_d1(vector); } @@ -3800,7 +3739,7 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void compress_then_serialize_4_79( +static KRML_MUSTINLINE void compress_then_serialize_4_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, Eurydice_slice serialized) { for (size_t i = (size_t)0U; 
@@ -3811,9 +3750,9 @@ static KRML_MUSTINLINE void compress_then_serialize_4_79( i++) { size_t i0 = i; __m256i coefficient = - compress_ea_d1(to_unsigned_representative_79(re.coefficients[i0])); + compress_09_d1(to_unsigned_field_element_61(re.coefficients[i0])); uint8_t bytes[8U]; - libcrux_ml_kem_vector_avx2_serialize_4_ea(coefficient, bytes); + libcrux_ml_kem_vector_avx2_serialize_4_09(coefficient, bytes); Eurydice_slice_copy( Eurydice_slice_subslice2(serialized, (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t), @@ -3896,14 +3835,14 @@ compress_ciphertext_coefficient_f4(__m256i vector) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** -A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea +A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_09 with const generics - COEFFICIENT_BITS= 5 */ -static KRML_MUSTINLINE __m256i compress_ea_f4(__m256i vector) { +static KRML_MUSTINLINE __m256i compress_09_f4(__m256i vector) { return compress_ciphertext_coefficient_f4(vector); } @@ -3913,7 +3852,7 @@ with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void compress_then_serialize_5_79( +static KRML_MUSTINLINE void compress_then_serialize_5_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, Eurydice_slice serialized) { for (size_t i = (size_t)0U; 
@@ -3924,9 +3863,9 @@ static KRML_MUSTINLINE void compress_then_serialize_5_79( i++) { size_t i0 = i; __m256i coefficients = - compress_ea_f4(to_unsigned_representative_79(re.coefficients[i0])); + compress_09_f4(to_unsigned_field_element_61(re.coefficients[i0])); uint8_t bytes[10U]; - libcrux_ml_kem_vector_avx2_serialize_5_ea(coefficients, bytes); + libcrux_ml_kem_vector_avx2_serialize_5_09(coefficients, bytes); Eurydice_slice_copy( Eurydice_slice_subslice2(serialized, (size_t)10U * i0, (size_t)10U * i0 + (size_t)10U, uint8_t), @@ -3943,50 +3882,9 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_78( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, Eurydice_slice out) { - compress_then_serialize_4_79(re, out); + compress_then_serialize_4_61(re, out); } -/** - This function implements Algorithm 13 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. - - Algorithm 13 is reproduced below: - - ```plaintext - Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Input: message m ∈ 𝔹^{32}. - Input: encryption randomness r ∈ 𝔹^{32}. - Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - - N ← 0 - t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) - ρ ← ekₚₖₑ[384k: 384k + 32] - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - N ← N + 1 - end for - e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - r̂ ← NTT(r) - u ← NTT-¹(Âᵀ ◦ r̂) + e₁ - μ ← Decompress₁(ByteDecode₁(m))) - v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ - c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) - c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) - return c ← (c₁ ‖ c₂) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -4048,7 +3946,7 @@ static KRML_MUSTINLINE void encrypt_unpacked_741( /* v := NTT^{−1}(tˆT ◦ rˆ) + e_2 + Decompress_q(Decode_1(m),1) */ memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 message_as_ring_element = - deserialize_then_decompress_message_79(copy_of_message); + deserialize_then_decompress_message_61(copy_of_message); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 v = compute_ring_element_v_ab(public_key->t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element); @@ -4147,7 +4045,7 @@ with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 @@ -4212,21 +4110,18 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -deserialize_to_uncompressed_ring_element_79(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_79(); +deserialize_to_uncompressed_ring_element_61(Eurydice_slice serialized) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t); - re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_12_ea(bytes); + re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_12_09(bytes); } return re; } -/** - Call [`deserialize_to_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -4238,7 +4133,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - secret_as_ntt[i] = ZERO_d6_79();); + secret_as_ntt[i] = ZERO_d6_61();); for (size_t i = (size_t)0U; i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; @@ -4250,7 +4145,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_ab( LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - deserialize_to_uncompressed_ring_element_79(secret_bytes); + deserialize_to_uncompressed_ring_element_61(secret_bytes); secret_as_ntt[i0] = uu____0; } memcpy( @@ -4321,16 +4216,16 @@ decompress_ciphertext_coefficient_ef(__m256i vector) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** A monomorphic instance of -libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const +libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_09 with const generics - COEFFICIENT_BITS= 10 */ static KRML_MUSTINLINE __m256i -decompress_ciphertext_coefficient_ea_ef(__m256i vector) { +decompress_ciphertext_coefficient_09_ef(__m256i vector) { return decompress_ciphertext_coefficient_ef(vector); } 
@@ -4341,15 +4236,15 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -deserialize_then_decompress_10_79(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_79(); +deserialize_then_decompress_10_61(Eurydice_slice serialized) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t); - __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_10_ea(bytes); - re.coefficients[i0] = decompress_ciphertext_coefficient_ea_ef(coefficient); + __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_10_09(bytes); + re.coefficients[i0] = decompress_ciphertext_coefficient_09_ef(coefficient); } return re; } @@ -4417,16 +4312,16 @@ decompress_ciphertext_coefficient_c4(__m256i vector) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** A monomorphic instance of -libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const +libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_09 with const generics - COEFFICIENT_BITS= 11 */ static KRML_MUSTINLINE __m256i -decompress_ciphertext_coefficient_ea_c4(__m256i vector) { +decompress_ciphertext_coefficient_09_c4(__m256i vector) { return decompress_ciphertext_coefficient_c4(vector); } 
@@ -4437,15 +4332,15 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -deserialize_then_decompress_11_79(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_79(); +deserialize_then_decompress_11_61(Eurydice_slice serialized) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t); - __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_11_ea(bytes); - re.coefficients[i0] = decompress_ciphertext_coefficient_ea_c4(coefficient); + __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_11_09(bytes); + re.coefficients[i0] = decompress_ciphertext_coefficient_09_c4(coefficient); } return re; } @@ -4458,7 +4353,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialize_then_decompress_ring_element_u_ee(Eurydice_slice serialized) { - return deserialize_then_decompress_10_79(serialized); + return deserialize_then_decompress_10_61(serialized); } /** 
@@ -4470,20 +4365,16 @@ with const generics static KRML_MUSTINLINE void ntt_vector_u_ee( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { size_t zeta_i = (size_t)0U; - ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)7U); - ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)6U); - ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)5U); - ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)4U); - ntt_at_layer_3_79(&zeta_i, re); - ntt_at_layer_2_79(&zeta_i, re); - ntt_at_layer_1_79(&zeta_i, re); - poly_barrett_reduce_d6_79(re); + ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)7U); + ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)6U); + ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)5U); + ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)4U); + ntt_at_layer_3_61(&zeta_i, re); + ntt_at_layer_2_61(&zeta_i, re); + ntt_at_layer_1_61(&zeta_i, re); + poly_barrett_reduce_d6_61(re); } -/** - Call [`deserialize_then_decompress_ring_element_u`] on each ring element - in the `ciphertext`. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -4497,7 +4388,7 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_ed( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[3U]; KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, - u_as_ntt[i] = ZERO_d6_79();); + u_as_ntt[i] = ZERO_d6_61();); for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)1088U, ciphertext, uint8_t), 
@@ -4586,16 +4477,16 @@ decompress_ciphertext_coefficient_d1(__m256i vector) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** A monomorphic instance of -libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const +libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_09 with const generics - COEFFICIENT_BITS= 4 */ static KRML_MUSTINLINE __m256i -decompress_ciphertext_coefficient_ea_d1(__m256i vector) { +decompress_ciphertext_coefficient_09_d1(__m256i vector) { return decompress_ciphertext_coefficient_d1(vector); } @@ -4606,15 +4497,15 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -deserialize_then_decompress_4_79(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_79(); +deserialize_then_decompress_4_61(Eurydice_slice serialized) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t); - __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_4_ea(bytes); - re.coefficients[i0] = decompress_ciphertext_coefficient_ea_d1(coefficient); + __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_4_09(bytes); + re.coefficients[i0] = decompress_ciphertext_coefficient_09_d1(coefficient); } return re; } 
@@ -4682,16 +4573,16 @@ decompress_ciphertext_coefficient_f4(__m256i vector) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** A monomorphic instance of -libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const +libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_09 with const generics - COEFFICIENT_BITS= 5 */ static KRML_MUSTINLINE __m256i -decompress_ciphertext_coefficient_ea_f4(__m256i vector) { +decompress_ciphertext_coefficient_09_f4(__m256i vector) { return decompress_ciphertext_coefficient_f4(vector); } @@ -4702,16 +4593,16 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -deserialize_then_decompress_5_79(Eurydice_slice serialized) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_79(); +deserialize_then_decompress_5_61(Eurydice_slice serialized) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t); - re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_5_ea(bytes); + re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_5_09(bytes); re.coefficients[i0] = - decompress_ciphertext_coefficient_ea_f4(re.coefficients[i0]); + decompress_ciphertext_coefficient_09_f4(re.coefficients[i0]); } return re; } @@ -4724,7 +4615,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialize_then_decompress_ring_element_v_42(Eurydice_slice serialized) { - return deserialize_then_decompress_4_79(serialized); + return deserialize_then_decompress_4_61(serialized); } /** 
@@ -4739,16 +4630,16 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -subtract_reduce_d6_79(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, +subtract_reduce_d6_61(libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient_normal_form = - libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea( + libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09( b.coefficients[i0], (int16_t)1441); - b.coefficients[i0] = libcrux_ml_kem_vector_avx2_barrett_reduce_ea( - libcrux_ml_kem_vector_avx2_sub_ea(self->coefficients[i0], + b.coefficients[i0] = libcrux_ml_kem_vector_avx2_barrett_reduce_09( + libcrux_ml_kem_vector_avx2_sub_09(self->coefficients[i0], &coefficient_normal_form)); } return b; @@ -4771,13 +4662,13 @@ compute_message_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_79(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_61(); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_d6_79(&secret_as_ntt[i0], &u_as_ntt[i0]); + ntt_multiply_d6_61(&secret_as_ntt[i0], &u_as_ntt[i0]); add_to_ring_element_d6_ab(&result, &product);); invert_ntt_montgomery_ab(&result); - result = subtract_reduce_d6_79(v, result); + result = subtract_reduce_d6_61(v, result); return result; } 
@@ -4787,48 +4678,26 @@ libcrux_ml_kem.serialize.compress_then_serialize_message with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ -static KRML_MUSTINLINE void compress_then_serialize_message_79( +static KRML_MUSTINLINE void compress_then_serialize_message_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, uint8_t ret[32U]) { uint8_t serialized[32U] = {0U}; KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; - __m256i coefficient = to_unsigned_representative_79(re.coefficients[i0]); + __m256i coefficient = to_unsigned_field_element_61(re.coefficients[i0]); __m256i coefficient_compressed = - libcrux_ml_kem_vector_avx2_compress_1_ea(coefficient); + libcrux_ml_kem_vector_avx2_compress_1_09(coefficient); uint8_t bytes[2U]; - libcrux_ml_kem_vector_avx2_serialize_1_ea(coefficient_compressed, bytes); + libcrux_ml_kem_vector_avx2_serialize_1_09(coefficient_compressed, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t); Eurydice_slice_copy(uu____0, Eurydice_array_to_slice((size_t)2U, bytes, uint8_t), uint8_t);); - memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); + uint8_t result[32U]; + memcpy(result, serialized, (size_t)32U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)32U * sizeof(uint8_t)); } -/** - This function implements Algorithm 14 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. - - Algorithm 14 is reproduced below: - - ```plaintext - Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - Output: message m ∈ 𝔹^{32}. - - c₁ ← c[0 : 32dᵤk] - c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] - u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) - v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) - ŝ ← ByteDecode₁₂(dkₚₖₑ) - w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) - m ← ByteEncode₁(Compress₁(w)) - return m - ``` - - The NIST FIPS 203 standard can be found at - . 
-*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -4854,7 +4723,7 @@ static KRML_MUSTINLINE void decrypt_unpacked_2f( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 message = compute_message_ab(&v, secret_key->secret_as_ntt, u_as_ntt); uint8_t ret0[32U]; - compress_then_serialize_message_79(message, ret0); + compress_then_serialize_message_61(message, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } @@ -5004,9 +4873,6 @@ void libcrux_ml_kem_ind_cca_decapsulate_a11( memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -5028,7 +4894,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_88( LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - deserialize_to_reduced_ring_element_79(ring_element); + deserialize_to_reduced_ring_element_61(ring_element); deserialized_pk[i0] = uu____0; } } @@ -5051,16 +4917,13 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_88( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - deserialized_pk[i] = ZERO_d6_79();); + deserialized_pk[i] = ZERO_d6_61();); deserialize_ring_elements_reduced_88(public_key, deserialized_pk); memcpy( ret, deserialized_pk, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } -/** - Call [`serialize_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -5086,16 +4949,13 @@ static KRML_MUSTINLINE void serialize_secret_key_78( (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); uint8_t ret0[384U]; - serialize_uncompressed_ring_element_79(&re, ret0); + serialize_uncompressed_ring_element_61(&re, ret0); Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t); } memcpy(ret, out, (size_t)1536U * sizeof(uint8_t)); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key_mut with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -5119,9 +4979,6 @@ static KRML_MUSTINLINE void serialize_public_key_mut_1e( seed_for_a, uint8_t); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -5240,10 +5097,10 @@ with const generics */ static IndCpaPrivateKeyUnpacked_39 default_1a_42(void) { IndCpaPrivateKeyUnpacked_39 lit; - lit.secret_as_ntt[0U] = ZERO_d6_79(); - lit.secret_as_ntt[1U] = ZERO_d6_79(); - lit.secret_as_ntt[2U] = ZERO_d6_79(); - lit.secret_as_ntt[3U] = ZERO_d6_79(); + lit.secret_as_ntt[0U] = ZERO_d6_61(); + lit.secret_as_ntt[1U] = ZERO_d6_61(); + lit.secret_as_ntt[2U] = ZERO_d6_61(); + lit.secret_as_ntt[3U] = ZERO_d6_61(); return lit; } 
@@ -5273,29 +5130,29 @@ with const generics static IndCpaPublicKeyUnpacked_39 default_8d_42(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - uu____0[i] = ZERO_d6_79();); + uu____0[i] = ZERO_d6_61();); uint8_t uu____1[32U] = {0U}; IndCpaPublicKeyUnpacked_39 lit; memcpy( lit.t_as_ntt, uu____0, (size_t)4U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - lit.A[0U][0U] = ZERO_d6_79(); - lit.A[0U][1U] = ZERO_d6_79(); - lit.A[0U][2U] = ZERO_d6_79(); - lit.A[0U][3U] = ZERO_d6_79(); - lit.A[1U][0U] = ZERO_d6_79(); - lit.A[1U][1U] = ZERO_d6_79(); - lit.A[1U][2U] = ZERO_d6_79(); - lit.A[1U][3U] = ZERO_d6_79(); - lit.A[2U][0U] = ZERO_d6_79(); - lit.A[2U][1U] = ZERO_d6_79(); - lit.A[2U][2U] = ZERO_d6_79(); - lit.A[2U][3U] = ZERO_d6_79(); - lit.A[3U][0U] = ZERO_d6_79(); - lit.A[3U][1U] = ZERO_d6_79(); - lit.A[3U][2U] = ZERO_d6_79(); - lit.A[3U][3U] = ZERO_d6_79(); + lit.A[0U][0U] = ZERO_d6_61(); + lit.A[0U][1U] = ZERO_d6_61(); + lit.A[0U][2U] = ZERO_d6_61(); + lit.A[0U][3U] = ZERO_d6_61(); + lit.A[1U][0U] = ZERO_d6_61(); + lit.A[1U][1U] = ZERO_d6_61(); + lit.A[1U][2U] = ZERO_d6_61(); + lit.A[1U][3U] = ZERO_d6_61(); + lit.A[2U][0U] = ZERO_d6_61(); + lit.A[2U][1U] = ZERO_d6_61(); + lit.A[2U][2U] = ZERO_d6_61(); + lit.A[2U][3U] = ZERO_d6_61(); + lit.A[3U][0U] = ZERO_d6_61(); + lit.A[3U][1U] = ZERO_d6_61(); + lit.A[3U][2U] = ZERO_d6_61(); + lit.A[3U][3U] = ZERO_d6_61(); return lit; } 
@@ -5479,7 +5336,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_78( Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t); - size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( + size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_09( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], sampled_coefficients[i1] + (size_t)16U, int16_t)); @@ -5605,7 +5462,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_780( Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t); - size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( + size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_09( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], sampled_coefficients[i1] + (size_t)16U, int16_t)); @@ -5633,7 +5490,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 closure_6c( int16_t s[272U]) { - return from_i16_array_d6_79( + return from_i16_array_d6_61( Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } @@ -5783,10 +5640,6 @@ static KRML_MUSTINLINE void PRFxN_a9_44(uint8_t (*input)[33U], PRFxN_44(input, ret); } -/** - Sample a vector of ring elements from a centered binomial distribution and - convert them into their NTT representations. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -5805,6 +5658,8 @@ static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_b4( KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); + uint8_t _prf_inputs_init[4U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)4U * sizeof(uint8_t[33U])); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); @@ -5814,7 +5669,7 @@ static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_b4( i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; re_as_ntt[i0] = sample_from_binomial_distribution_89( Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); - ntt_binomially_sampled_ring_element_79(&re_as_ntt[i0]);); + ntt_binomially_sampled_ring_element_61(&re_as_ntt[i0]);); return domain_separator; } @@ -5841,7 +5696,7 @@ static KRML_MUSTINLINE tuple_dd sample_vector_cbd_then_ntt_out_b4( uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - re_as_ntt[i] = ZERO_d6_79();); + re_as_ntt[i] = ZERO_d6_61();); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = re_as_ntt; uint8_t uu____1[33U]; memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -5889,14 +5744,11 @@ static KRML_MUSTINLINE void add_to_ring_element_d6_42( __m256i); i++) { size_t i0 = i; - self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_ea( + self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_09( self->coefficients[i0], &rhs->coefficients[i0]); } } -/** - Compute  ◦ ŝ + ê -*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -5919,7 +5771,7 @@ static KRML_MUSTINLINE void compute_As_plus_e_42( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *row = matrix_A[i0]; /* This may be externally provided memory. Ensure that `t_as_ntt` is all 0. */ - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_d6_79(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_d6_61(); t_as_ntt[i0] = uu____0; for (size_t i1 = (size_t)0U; i1 < Eurydice_slice_len( 
@@ -5932,54 +5784,13 @@ static KRML_MUSTINLINE void compute_As_plus_e_42( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_d6_79(matrix_element, &s_as_ntt[j]); + ntt_multiply_d6_61(matrix_element, &s_as_ntt[j]); add_to_ring_element_d6_42(&t_as_ntt[i0], &product); } - add_standard_error_reduce_d6_79(&t_as_ntt[i0], &error_as_ntt[i0]); + add_standard_error_reduce_d6_61(&t_as_ntt[i0], &error_as_ntt[i0]); } } -/** - This function implements most of Algorithm 12 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation - algorithm. - - We say "most of" since Algorithm 12 samples the required randomness within - the function itself, whereas this implementation expects it to be provided - through the `key_generation_seed` parameter. - - Algorithm 12 is reproduced below: - - ```plaintext - Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - - d ←$ B - (ρ,σ) ← G(d) - N ← 0 - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) - N ← N + 1 - end for - ŝ ← NTT(s) - ê ← NTT(e) - t̂ ← Â◦ŝ + ê - ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ - dkₚₖₑ ← ByteEncode₁₂(ŝ) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -6130,14 +5941,6 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_5e( memcpy(ret, out, (size_t)3168U * sizeof(uint8_t)); } -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -6147,7 +5950,7 @@ with const generics - CPA_PRIVATE_KEY_SIZE= 1536 - PRIVATE_KEY_SIZE= 3168 - PUBLIC_KEY_SIZE= 1568 -- BYTES_PER_RING_ELEMENT= 1536 +- RANKED_BYTES_PER_RING_ELEMENT= 1536 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ @@ -6203,9 +6006,6 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_6a(Eurydice_slice randomness, memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -6227,14 +6027,11 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_3c( LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - deserialize_to_reduced_ring_element_79(ring_element); + deserialize_to_reduced_ring_element_61(ring_element); deserialized_pk[i0] = uu____0; } } -/** - Sample a vector of ring elements from a centered binomial distribution. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -6247,7 +6044,7 @@ static KRML_MUSTINLINE tuple_dd sample_ring_element_cbd_b4(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_1[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - error_1[i] = ZERO_d6_79();); + error_1[i] = ZERO_d6_61();); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_prf_input[33U]; memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); 
@@ -6255,6 +6052,8 @@ sample_ring_element_cbd_b4(uint8_t prf_input[33U], uint8_t domain_separator) { KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); + uint8_t _prf_inputs_init[4U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)4U * sizeof(uint8_t[33U])); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); @@ -6307,14 +6106,14 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_42( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; - invert_ntt_at_layer_1_79(&zeta_i, re); - invert_ntt_at_layer_2_79(&zeta_i, re); - invert_ntt_at_layer_3_79(&zeta_i, re); - invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)4U); - invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)5U); - invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)6U); - invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)7U); - poly_barrett_reduce_d6_79(re); + invert_ntt_at_layer_1_61(&zeta_i, re); + invert_ntt_at_layer_2_61(&zeta_i, re); + invert_ntt_at_layer_3_61(&zeta_i, re); + invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)4U); + invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)5U); + invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)6U); + invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)7U); + poly_barrett_reduce_d6_61(re); } /** @@ -6333,7 +6132,7 @@ static KRML_MUSTINLINE void compute_vector_u_42( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - result[i] = ZERO_d6_79();); + result[i] = ZERO_d6_61();); for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len( Eurydice_array_to_slice( 
@@ -6353,11 +6152,11 @@ static KRML_MUSTINLINE void compute_vector_u_42( size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *a_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_d6_79(a_element, &r_as_ntt[j]); + ntt_multiply_d6_61(a_element, &r_as_ntt[j]); add_to_ring_element_d6_42(&result[i1], &product); } invert_ntt_montgomery_42(&result[i1]); - add_error_reduce_d6_79(&result[i1], &error_1[i1]); + add_error_reduce_d6_61(&result[i1], &error_1[i1]); } memcpy( ret, result, @@ -6379,13 +6178,13 @@ compute_ring_element_v_42( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_79(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_61(); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_d6_79(&t_as_ntt[i0], &r_as_ntt[i0]); + ntt_multiply_d6_61(&t_as_ntt[i0], &r_as_ntt[i0]); add_to_ring_element_d6_42(&result, &product);); invert_ntt_montgomery_42(&result); - result = add_message_error_reduce_d6_79(error_2, message, result); + result = add_message_error_reduce_d6_61(error_2, message, result); return result; } 
@@ -6402,9 +6201,9 @@ static KRML_MUSTINLINE void compress_then_serialize_11_0e( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient = - compress_ea_c4(to_unsigned_representative_79(re->coefficients[i0])); + compress_09_c4(to_unsigned_field_element_61(re->coefficients[i0])); uint8_t bytes[22U]; - libcrux_ml_kem_vector_avx2_serialize_11_ea(coefficient, bytes); + libcrux_ml_kem_vector_avx2_serialize_11_09(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( serialized, (size_t)22U * i0, (size_t)22U * i0 + (size_t)22U, uint8_t); Eurydice_slice_copy( @@ -6422,14 +6221,11 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE void compress_then_serialize_ring_element_u_6f( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, uint8_t ret[352U]) { - uint8_t uu____0[352U]; - compress_then_serialize_11_0e(re, uu____0); - memcpy(ret, uu____0, (size_t)352U * sizeof(uint8_t)); + uint8_t result[352U]; + compress_then_serialize_11_0e(re, result); + memcpy(ret, result, (size_t)352U * sizeof(uint8_t)); } -/** - Call [`compress_then_serialize_ring_element_u`] on each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -6476,50 +6272,9 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_ff( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, Eurydice_slice out) { - compress_then_serialize_5_79(re, out); + compress_then_serialize_5_61(re, out); } -/** - This function implements Algorithm 13 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. - - Algorithm 13 is reproduced below: - - ```plaintext - Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Input: message m ∈ 𝔹^{32}. - Input: encryption randomness r ∈ 𝔹^{32}. - Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - - N ← 0 - t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) - ρ ← ekₚₖₑ[384k: 384k + 32] - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - N ← N + 1 - end for - e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - r̂ ← NTT(r) - u ← NTT-¹(Âᵀ ◦ r̂) + e₁ - μ ← Decompress₁(ByteDecode₁(m))) - v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ - c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) - c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) - return c ← (c₁ ‖ c₂) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -6581,7 +6336,7 @@ static KRML_MUSTINLINE void encrypt_unpacked_74( /* v := NTT^{−1}(tˆT ◦ rˆ) + e_2 + Decompress_q(Decode_1(m),1) */ memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 message_as_ring_element = - deserialize_then_decompress_message_79(copy_of_message); + deserialize_then_decompress_message_61(copy_of_message); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 v = compute_ring_element_v_42(public_key->t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element); @@ -6680,7 +6435,7 @@ with const generics - C2_SIZE= 160 - VECTOR_U_COMPRESSION_FACTOR= 11 - VECTOR_V_COMPRESSION_FACTOR= 5 -- VECTOR_U_BLOCK_LEN= 352 +- C1_BLOCK_SIZE= 352 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 @@ -6738,9 +6493,6 @@ tuple_fa libcrux_ml_kem_ind_cca_encapsulate_700( return lit; } -/** - Call [`deserialize_to_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -6752,7 +6504,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_42( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - secret_as_ntt[i] = ZERO_d6_79();); + secret_as_ntt[i] = ZERO_d6_61();); for (size_t i = (size_t)0U; i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; @@ -6764,7 +6516,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_42( LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - deserialize_to_uncompressed_ring_element_79(secret_bytes); + deserialize_to_uncompressed_ring_element_61(secret_bytes); secret_as_ntt[i0] = uu____0; } memcpy( 
@@ -6780,7 +6532,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialize_then_decompress_ring_element_u_85(Eurydice_slice serialized) { - return deserialize_then_decompress_11_79(serialized); + return deserialize_then_decompress_11_61(serialized); } /** @@ -6792,20 +6544,16 @@ with const generics static KRML_MUSTINLINE void ntt_vector_u_85( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { size_t zeta_i = (size_t)0U; - ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)7U); - ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)6U); - ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)5U); - ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)4U); - ntt_at_layer_3_79(&zeta_i, re); - ntt_at_layer_2_79(&zeta_i, re); - ntt_at_layer_1_79(&zeta_i, re); - poly_barrett_reduce_d6_79(re); + ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)7U); + ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)6U); + ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)5U); + ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)4U); + ntt_at_layer_3_61(&zeta_i, re); + ntt_at_layer_2_61(&zeta_i, re); + ntt_at_layer_1_61(&zeta_i, re); + poly_barrett_reduce_d6_61(re); } -/** - Call [`deserialize_then_decompress_ring_element_u`] on each ring element - in the `ciphertext`. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -6819,7 +6567,7 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_1e( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[4U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[4U]; KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, - u_as_ntt[i] = ZERO_d6_79();); + u_as_ntt[i] = ZERO_d6_61();); for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)1568U, ciphertext, uint8_t), 
@@ -6853,7 +6601,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialize_then_decompress_ring_element_v_b4(Eurydice_slice serialized) { - return deserialize_then_decompress_5_79(serialized); + return deserialize_then_decompress_5_61(serialized); } /** @@ -6873,40 +6621,16 @@ compute_message_42( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_79(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_61(); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_d6_79(&secret_as_ntt[i0], &u_as_ntt[i0]); + ntt_multiply_d6_61(&secret_as_ntt[i0], &u_as_ntt[i0]); add_to_ring_element_d6_42(&result, &product);); invert_ntt_montgomery_42(&result); - result = subtract_reduce_d6_79(v, result); + result = subtract_reduce_d6_61(v, result); return result; } -/** - This function implements Algorithm 14 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. - - Algorithm 14 is reproduced below: - - ```plaintext - Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - Output: message m ∈ 𝔹^{32}. - - c₁ ← c[0 : 32dᵤk] - c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] - u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) - v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) - ŝ ← ByteDecode₁₂(dkₚₖₑ) - w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) - m ← ByteEncode₁(Compress₁(w)) - return m - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -6932,7 +6656,7 @@ static KRML_MUSTINLINE void decrypt_unpacked_37( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 message = compute_message_42(&v, secret_key->secret_as_ntt, u_as_ntt); uint8_t ret0[32U]; - compress_then_serialize_message_79(message, ret0); + compress_then_serialize_message_61(message, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } @@ -7070,9 +6794,6 @@ void libcrux_ml_kem_ind_cca_decapsulate_a10( memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -7094,7 +6815,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_bc( LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - deserialize_to_reduced_ring_element_79(ring_element); + deserialize_to_reduced_ring_element_61(ring_element); deserialized_pk[i0] = uu____0; } } @@ -7117,16 +6838,13 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_bc( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - deserialized_pk[i] = ZERO_d6_79();); + deserialized_pk[i] = ZERO_d6_61();); deserialize_ring_elements_reduced_bc(public_key, deserialized_pk); memcpy( ret, deserialized_pk, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } -/** - Call [`serialize_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -7152,16 +6870,13 @@ static KRML_MUSTINLINE void serialize_secret_key_29( (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); uint8_t ret0[384U]; - serialize_uncompressed_ring_element_79(&re, ret0); + serialize_uncompressed_ring_element_61(&re, ret0); Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t); } memcpy(ret, out, (size_t)768U * sizeof(uint8_t)); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key_mut with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -7185,9 +6900,6 @@ static KRML_MUSTINLINE void serialize_public_key_mut_ba( seed_for_a, uint8_t); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -7306,8 +7018,8 @@ with const generics */ static IndCpaPrivateKeyUnpacked_94 default_1a_89(void) { IndCpaPrivateKeyUnpacked_94 lit; - lit.secret_as_ntt[0U] = ZERO_d6_79(); - lit.secret_as_ntt[1U] = ZERO_d6_79(); + lit.secret_as_ntt[0U] = ZERO_d6_61(); + lit.secret_as_ntt[1U] = ZERO_d6_61(); return lit; } @@ -7337,17 +7049,17 @@ with const generics static IndCpaPublicKeyUnpacked_94 default_8d_89(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - uu____0[i] = ZERO_d6_79();); + uu____0[i] = ZERO_d6_61();); uint8_t uu____1[32U] = {0U}; IndCpaPublicKeyUnpacked_94 lit; memcpy( lit.t_as_ntt, uu____0, (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - lit.A[0U][0U] = ZERO_d6_79(); - lit.A[0U][1U] = ZERO_d6_79(); - lit.A[1U][0U] = ZERO_d6_79(); - lit.A[1U][1U] = ZERO_d6_79(); + lit.A[0U][0U] = ZERO_d6_61(); + lit.A[0U][1U] = ZERO_d6_61(); + lit.A[1U][0U] = ZERO_d6_61(); + lit.A[1U][1U] = ZERO_d6_61(); return lit; } 
@@ -7525,7 +7237,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_29( Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t); - size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( + size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_09( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], sampled_coefficients[i1] + (size_t)16U, int16_t)); @@ -7645,7 +7357,7 @@ static KRML_MUSTINLINE bool sample_from_uniform_distribution_next_290( Eurydice_slice uu____0 = Eurydice_array_to_subslice2( randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t); - size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( + size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_09( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], sampled_coefficients[i1] + (size_t)16U, int16_t)); @@ -7673,7 +7385,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics */ static libcrux_ml_kem_polynomial_PolynomialRingElement_f6 closure_6c0( int16_t s[272U]) { - return from_i16_array_d6_79( + return from_i16_array_d6_61( Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } @@ -7825,13 +7537,9 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 sample_from_binomial_distribution_ab(Eurydice_slice randomness) { - return sample_from_binomial_distribution_3_79(randomness); + return sample_from_binomial_distribution_3_61(randomness); } -/** - Sample a vector of ring elements from a centered binomial distribution and - convert them into their NTT representations. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -7850,6 +7558,8 @@ static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_b40( KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); + uint8_t _prf_inputs_init[2U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)2U * sizeof(uint8_t[33U])); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); @@ -7859,7 +7569,7 @@ static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_b40( i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; re_as_ntt[i0] = sample_from_binomial_distribution_ab( Eurydice_array_to_slice((size_t)192U, prf_outputs[i0], uint8_t)); - ntt_binomially_sampled_ring_element_79(&re_as_ntt[i0]);); + ntt_binomially_sampled_ring_element_61(&re_as_ntt[i0]);); return domain_separator; } @@ -7886,7 +7596,7 @@ static KRML_MUSTINLINE tuple_40 sample_vector_cbd_then_ntt_out_b40( uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re_as_ntt[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - re_as_ntt[i] = ZERO_d6_79();); + re_as_ntt[i] = ZERO_d6_61();); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = re_as_ntt; uint8_t uu____1[33U]; memcpy(uu____1, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -7934,14 +7644,11 @@ static KRML_MUSTINLINE void add_to_ring_element_d6_89( __m256i); i++) { size_t i0 = i; - self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_ea( + self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_09( self->coefficients[i0], &rhs->coefficients[i0]); } } -/** - Compute  ◦ ŝ + ê -*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -7964,7 +7671,7 @@ static KRML_MUSTINLINE void compute_As_plus_e_89( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *row = matrix_A[i0]; /* This may be externally provided memory. Ensure that `t_as_ntt` is all 0. */ - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_d6_79(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = ZERO_d6_61(); t_as_ntt[i0] = uu____0; for (size_t i1 = (size_t)0U; i1 < Eurydice_slice_len( 
@@ -7977,54 +7684,13 @@ static KRML_MUSTINLINE void compute_As_plus_e_89( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_d6_79(matrix_element, &s_as_ntt[j]); + ntt_multiply_d6_61(matrix_element, &s_as_ntt[j]); add_to_ring_element_d6_89(&t_as_ntt[i0], &product); } - add_standard_error_reduce_d6_79(&t_as_ntt[i0], &error_as_ntt[i0]); + add_standard_error_reduce_d6_61(&t_as_ntt[i0], &error_as_ntt[i0]); } } -/** - This function implements most of Algorithm 12 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation - algorithm. - - We say "most of" since Algorithm 12 samples the required randomness within - the function itself, whereas this implementation expects it to be provided - through the `key_generation_seed` parameter. - - Algorithm 12 is reproduced below: - - ```plaintext - Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - - d ←$ B - (ρ,σ) ← G(d) - N ← 0 - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) - N ← N + 1 - end for - ŝ ← NTT(s) - ê ← NTT(e) - t̂ ← Â◦ŝ + ê - ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ - dkₚₖₑ ← ByteEncode₁₂(ŝ) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -8175,14 +7841,6 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_4d( memcpy(ret, out, (size_t)1632U * sizeof(uint8_t)); } -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -8192,7 +7850,7 @@ with const generics - CPA_PRIVATE_KEY_SIZE= 768 - PRIVATE_KEY_SIZE= 1632 - PUBLIC_KEY_SIZE= 800 -- BYTES_PER_RING_ELEMENT= 768 +- RANKED_BYTES_PER_RING_ELEMENT= 768 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 */ @@ -8248,9 +7906,6 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_f8(Eurydice_slice randomness, memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -8272,7 +7927,7 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_09( LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - deserialize_to_reduced_ring_element_79(ring_element); + deserialize_to_reduced_ring_element_61(ring_element); deserialized_pk[i0] = uu____0; } } @@ -8323,9 +7978,6 @@ static KRML_MUSTINLINE void PRFxN_a9_490(uint8_t (*input)[33U], PRFxN_490(input, ret); } -/** - Sample a vector of ring elements from a centered binomial distribution. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -8338,7 +7990,7 @@ static KRML_MUSTINLINE tuple_40 sample_ring_element_cbd_b40(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_1[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - error_1[i] = ZERO_d6_79();); + error_1[i] = ZERO_d6_61();); /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_prf_input[33U]; memcpy(copy_of_prf_input, prf_input, (size_t)33U * sizeof(uint8_t)); @@ -8346,6 +7998,8 @@ sample_ring_element_cbd_b40(uint8_t prf_input[33U], uint8_t domain_separator) { KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); + uint8_t _prf_inputs_init[2U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)2U * sizeof(uint8_t[33U])); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); @@ -8398,14 +8052,14 @@ static KRML_MUSTINLINE void invert_ntt_montgomery_89( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; - invert_ntt_at_layer_1_79(&zeta_i, re); - invert_ntt_at_layer_2_79(&zeta_i, re); - invert_ntt_at_layer_3_79(&zeta_i, re); - invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)4U); - invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)5U); - invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)6U); - invert_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)7U); - poly_barrett_reduce_d6_79(re); + invert_ntt_at_layer_1_61(&zeta_i, re); + invert_ntt_at_layer_2_61(&zeta_i, re); + invert_ntt_at_layer_3_61(&zeta_i, re); + invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)4U); + invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)5U); + invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)6U); + invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)7U); + poly_barrett_reduce_d6_61(re); } /** 
@@ -8424,7 +8078,7 @@ static KRML_MUSTINLINE void compute_vector_u_89( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - result[i] = ZERO_d6_79();); + result[i] = ZERO_d6_61();); for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len( Eurydice_array_to_slice( @@ -8444,11 +8098,11 @@ static KRML_MUSTINLINE void compute_vector_u_89( size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *a_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_d6_79(a_element, &r_as_ntt[j]); + ntt_multiply_d6_61(a_element, &r_as_ntt[j]); add_to_ring_element_d6_89(&result[i1], &product); } invert_ntt_montgomery_89(&result[i1]); - add_error_reduce_d6_79(&result[i1], &error_1[i1]); + add_error_reduce_d6_61(&result[i1], &error_1[i1]); } memcpy( ret, result, @@ -8470,19 +8124,16 @@ compute_ring_element_v_89( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *r_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_79(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_61(); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_d6_79(&t_as_ntt[i0], &r_as_ntt[i0]); + ntt_multiply_d6_61(&t_as_ntt[i0], &r_as_ntt[i0]); add_to_ring_element_d6_89(&result, &product);); invert_ntt_montgomery_89(&result); - result = add_message_error_reduce_d6_79(error_2, message, result); + result = add_message_error_reduce_d6_61(error_2, message, result); return result; } -/** - Call [`compress_then_serialize_ring_element_u`] on each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -8520,47 +8171,6 @@ static KRML_MUSTINLINE void compress_then_serialize_u_2d( } } -/** - This function implements Algorithm 13 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. - - Algorithm 13 is reproduced below: - - ```plaintext - Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Input: message m ∈ 𝔹^{32}. - Input: encryption randomness r ∈ 𝔹^{32}. - Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - - N ← 0 - t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) - ρ ← ekₚₖₑ[384k: 384k + 32] - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - N ← N + 1 - end for - e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - r̂ ← NTT(r) - u ← NTT-¹(Âᵀ ◦ r̂) + e₁ - μ ← Decompress₁(ByteDecode₁(m))) - v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ - c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) - c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) - return c ← (c₁ ‖ c₂) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -8622,7 +8232,7 @@ static KRML_MUSTINLINE void encrypt_unpacked_740( /* v := NTT^{−1}(tˆT ◦ rˆ) + e_2 + Decompress_q(Decode_1(m),1) */ memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 message_as_ring_element = - deserialize_then_decompress_message_79(copy_of_message); + deserialize_then_decompress_message_61(copy_of_message); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 v = compute_ring_element_v_89(public_key->t_as_ntt, r_as_ntt, &error_2, &message_as_ring_element); @@ -8721,7 +8331,7 @@ with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 - ETA2= 2 
@@ -8779,9 +8389,6 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_70( return lit; } -/** - Call [`deserialize_to_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -8793,7 +8400,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_89( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - secret_as_ntt[i] = ZERO_d6_79();); + secret_as_ntt[i] = ZERO_d6_61();); for (size_t i = (size_t)0U; i < Eurydice_slice_len(secret_key, uint8_t) / LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT; @@ -8805,7 +8412,7 @@ static KRML_MUSTINLINE void deserialize_secret_key_89( LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - deserialize_to_uncompressed_ring_element_79(secret_bytes); + deserialize_to_uncompressed_ring_element_61(secret_bytes); secret_as_ntt[i0] = uu____0; } memcpy( @@ -8813,10 +8420,6 @@ static KRML_MUSTINLINE void deserialize_secret_key_89( (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); } -/** - Call [`deserialize_then_decompress_ring_element_u`] on each ring element - in the `ciphertext`. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -8830,7 +8433,7 @@ static KRML_MUSTINLINE void deserialize_then_decompress_u_ba( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[2U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[2U]; KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, - u_as_ntt[i] = ZERO_d6_79();); + u_as_ntt[i] = ZERO_d6_61();); for (size_t i = (size_t)0U; i < Eurydice_slice_len( Eurydice_array_to_slice((size_t)768U, ciphertext, uint8_t), 
@@ -8873,40 +8476,16 @@ compute_message_89( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *v, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt) { - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_79(); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = ZERO_d6_61(); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - ntt_multiply_d6_79(&secret_as_ntt[i0], &u_as_ntt[i0]); + ntt_multiply_d6_61(&secret_as_ntt[i0], &u_as_ntt[i0]); add_to_ring_element_d6_89(&result, &product);); invert_ntt_montgomery_89(&result); - result = subtract_reduce_d6_79(v, result); + result = subtract_reduce_d6_61(v, result); return result; } -/** - This function implements Algorithm 14 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. - - Algorithm 14 is reproduced below: - - ```plaintext - Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - Output: message m ∈ 𝔹^{32}. - - c₁ ← c[0 : 32dᵤk] - c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] - u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) - v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) - ŝ ← ByteDecode₁₂(dkₚₖₑ) - w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) - m ← ByteEncode₁(Compress₁(w)) - return m - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -8932,7 +8511,7 @@ static KRML_MUSTINLINE void decrypt_unpacked_4b( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 message = compute_message_89(&v, secret_key->secret_as_ntt, u_as_ntt); uint8_t ret0[32U]; - compress_then_serialize_message_79(message, ret0); + compress_then_serialize_message_61(message, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } 
diff --git a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h index 81fceac23..6e8e447de 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_avx2.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_avx2.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem_avx2_H 
@@ -34,50 +34,50 @@ __m256i libcrux_ml_kem_vector_avx2_zero(void); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_ZERO_ea(void); +__m256i libcrux_ml_kem_vector_avx2_ZERO_09(void); __m256i libcrux_ml_kem_vector_avx2_from_i16_array(Eurydice_slice array); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_from_i16_array_ea(Eurydice_slice array); +__m256i libcrux_ml_kem_vector_avx2_from_i16_array_09(Eurydice_slice array); void libcrux_ml_kem_vector_avx2_to_i16_array(__m256i v, int16_t ret[16U]); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -void libcrux_ml_kem_vector_avx2_to_i16_array_ea(__m256i x, int16_t ret[16U]); +void libcrux_ml_kem_vector_avx2_to_i16_array_09(__m256i x, int16_t ret[16U]); __m256i libcrux_ml_kem_vector_avx2_arithmetic_add(__m256i lhs, __m256i rhs); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_add_ea(__m256i lhs, __m256i *rhs); +__m256i libcrux_ml_kem_vector_avx2_add_09(__m256i lhs, __m256i *rhs); __m256i libcrux_ml_kem_vector_avx2_arithmetic_sub(__m256i lhs, __m256i rhs); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_sub_ea(__m256i lhs, __m256i *rhs); +__m256i libcrux_ml_kem_vector_avx2_sub_09(__m256i lhs, __m256i *rhs); __m256i 
libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant( __m256i vector, int16_t constant); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_multiply_by_constant_ea(__m256i v, +__m256i libcrux_ml_kem_vector_avx2_multiply_by_constant_09(__m256i vec, int16_t c); __m256i libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( @@ -85,9 +85,9 @@ __m256i libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea( +__m256i libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_09( __m256i vector, int16_t constant); __m256i libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329( @@ -95,9 +95,9 @@ __m256i libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_cond_subtract_3329_ea(__m256i vector); +__m256i libcrux_ml_kem_vector_avx2_cond_subtract_3329_09(__m256i vector); #define LIBCRUX_ML_KEM_VECTOR_AVX2_ARITHMETIC_BARRETT_MULTIPLIER \ ((int16_t)20159) 
@@ -110,18 +110,18 @@ __m256i libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_barrett_reduce_ea(__m256i vector); +__m256i libcrux_ml_kem_vector_avx2_barrett_reduce_09(__m256i vector); __m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant( __m256i vector, int16_t constant); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea( +__m256i libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09( __m256i vector, int16_t constant); __m256i libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient( @@ -129,9 +129,9 @@ __m256i libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_compress_1_ea(__m256i vector); +__m256i libcrux_ml_kem_vector_avx2_compress_1_09(__m256i vector); __m256i libcrux_ml_kem_vector_avx2_compress_mulhi_mm256_epi32(__m256i lhs, __m256i rhs); @@ -144,9 +144,9 @@ __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_ea( +__m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_09( __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3); __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(__m256i vector, 
@@ -155,9 +155,9 @@ __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(__m256i vector, /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_ea(__m256i vector, +__m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_09(__m256i vector, int16_t zeta0, int16_t zeta1); @@ -170,9 +170,9 @@ __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(__m256i vector, /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_ntt_layer_3_step_ea(__m256i vector, +__m256i libcrux_ml_kem_vector_avx2_ntt_layer_3_step_09(__m256i vector, int16_t zeta); __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step( @@ -180,9 +180,9 @@ __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_ea( +__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_09( __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3); __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(__m256i vector, @@ -191,9 +191,9 @@ __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(__m256i vector, /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_ea(__m256i vector, +__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_09(__m256i vector, int16_t zeta0, int16_t zeta1); 
@@ -202,9 +202,9 @@ __m256i libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(__m256i vector, /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_ea(__m256i vector, +__m256i libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_09(__m256i vector, int16_t zeta); __m256i libcrux_ml_kem_vector_avx2_arithmetic_montgomery_reduce_i32s(__m256i v); @@ -217,9 +217,9 @@ __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(__m256i lhs, __m256i rhs, /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_ntt_multiply_ea(__m256i *lhs, __m256i *rhs, +__m256i libcrux_ml_kem_vector_avx2_ntt_multiply_09(__m256i *lhs, __m256i *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3); 
@@ -229,45 +229,45 @@ void libcrux_ml_kem_vector_avx2_serialize_serialize_1(__m256i vector, /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -void libcrux_ml_kem_vector_avx2_serialize_1_ea(__m256i vector, uint8_t ret[2U]); +void libcrux_ml_kem_vector_avx2_serialize_1_09(__m256i vector, uint8_t ret[2U]); __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_1( Eurydice_slice bytes); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_deserialize_1_ea(Eurydice_slice bytes); +__m256i libcrux_ml_kem_vector_avx2_deserialize_1_09(Eurydice_slice bytes); void libcrux_ml_kem_vector_avx2_serialize_serialize_4(__m256i vector, uint8_t ret[8U]); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -void libcrux_ml_kem_vector_avx2_serialize_4_ea(__m256i vector, uint8_t ret[8U]); +void libcrux_ml_kem_vector_avx2_serialize_4_09(__m256i vector, uint8_t ret[8U]); __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_4( Eurydice_slice bytes); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_deserialize_4_ea(Eurydice_slice bytes); +__m256i libcrux_ml_kem_vector_avx2_deserialize_4_09(Eurydice_slice bytes); void libcrux_ml_kem_vector_avx2_serialize_serialize_5(__m256i vector, uint8_t ret[10U]); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -void 
libcrux_ml_kem_vector_avx2_serialize_5_ea(__m256i vector, +void libcrux_ml_kem_vector_avx2_serialize_5_09(__m256i vector, uint8_t ret[10U]); __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_5( @@ -275,18 +275,18 @@ __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_5( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_deserialize_5_ea(Eurydice_slice bytes); +__m256i libcrux_ml_kem_vector_avx2_deserialize_5_09(Eurydice_slice bytes); void libcrux_ml_kem_vector_avx2_serialize_serialize_10(__m256i vector, uint8_t ret[20U]); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -void libcrux_ml_kem_vector_avx2_serialize_10_ea(__m256i vector, +void libcrux_ml_kem_vector_avx2_serialize_10_09(__m256i vector, uint8_t ret[20U]); __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_10( @@ -294,18 +294,18 @@ __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_10( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_deserialize_10_ea(Eurydice_slice bytes); +__m256i libcrux_ml_kem_vector_avx2_deserialize_10_09(Eurydice_slice bytes); void libcrux_ml_kem_vector_avx2_serialize_serialize_11(__m256i vector, uint8_t ret[22U]); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -void libcrux_ml_kem_vector_avx2_serialize_11_ea(__m256i vector, +void libcrux_ml_kem_vector_avx2_serialize_11_09(__m256i vector, uint8_t ret[22U]); __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_11( 
@@ -313,18 +313,18 @@ __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_11( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_deserialize_11_ea(Eurydice_slice bytes); +__m256i libcrux_ml_kem_vector_avx2_deserialize_11_09(Eurydice_slice bytes); void libcrux_ml_kem_vector_avx2_serialize_serialize_12(__m256i vector, uint8_t ret[24U]); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -void libcrux_ml_kem_vector_avx2_serialize_12_ea(__m256i vector, +void libcrux_ml_kem_vector_avx2_serialize_12_09(__m256i vector, uint8_t ret[24U]); __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_12( 
@@ -332,25 +332,25 @@ __m256i libcrux_ml_kem_vector_avx2_serialize_deserialize_12( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -__m256i libcrux_ml_kem_vector_avx2_deserialize_12_ea(Eurydice_slice bytes); +__m256i libcrux_ml_kem_vector_avx2_deserialize_12_09(Eurydice_slice bytes); size_t libcrux_ml_kem_vector_avx2_sampling_rejection_sample( Eurydice_slice input, Eurydice_slice output); /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ -size_t libcrux_ml_kem_vector_avx2_rej_sample_ea(Eurydice_slice input, +size_t libcrux_ml_kem_vector_avx2_rej_sample_09(Eurydice_slice input, Eurydice_slice output); /** This function found in impl {(core::clone::Clone for -libcrux_ml_kem::vector::avx2::SIMD256Vector)#1} +libcrux_ml_kem::vector::avx2::SIMD256Vector)} */ -__m256i libcrux_ml_kem_vector_avx2_clone_3a(__m256i *self); +__m256i libcrux_ml_kem_vector_avx2_clone_78(__m256i *self); #if defined(__cplusplus) } diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.c b/libcrux-ml-kem/c/libcrux_mlkem_portable.c index 5cd8bb2ee..8016d2805 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.c +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.c 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "internal/libcrux_mlkem_portable.h" @@ -1168,13 +1168,14 @@ uint8_t libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( >> 15U; int16_t shifted_to_positive = mask ^ shifted; int16_t shifted_positive_in_range = shifted_to_positive - (int16_t)832; - return (uint8_t)(/* If x <= 831, then x - 832 <= -1, and so x - 832 < 0, which - means the most significant bit of - shifted_positive_in_range will be 1. */ - shifted_positive_in_range + int16_t r0 = + /* If x <= 831, then x - 832 <= -1, and so x - 832 < 0, which means the + most significant bit of shifted_positive_in_range will be 1. */ + shifted_positive_in_range - >> 15U & - (int16_t)1); + >> 15U; + int16_t r1 = r0 & (int16_t)1; + return (uint8_t)r1; } KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -2338,9 +2339,6 @@ deserialize_to_reduced_ring_element_8c(Eurydice_slice serialized) { return re; } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types 
@@ -2438,6 +2436,20 @@ to_unsigned_representative_8c( return libcrux_ml_kem_vector_portable_add_0d(a, &fm); } +/** +A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_element +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics + +*/ +static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +to_unsigned_field_element_8c( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector result = + to_unsigned_representative_8c(a); + return result; +} + /** A monomorphic instance of libcrux_ml_kem.serialize.serialize_uncompressed_ring_element with types @@ -2451,7 +2463,7 @@ static KRML_MUSTINLINE void serialize_uncompressed_ring_element_8c( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - to_unsigned_representative_8c(re->coefficients[i0]); + to_unsigned_field_element_8c(re->coefficients[i0]); uint8_t bytes[24U]; libcrux_ml_kem_vector_portable_serialize_12_0d(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( @@ -2459,12 +2471,11 @@ static KRML_MUSTINLINE void serialize_uncompressed_ring_element_8c( Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)24U, bytes, uint8_t), uint8_t); } - memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t)); + uint8_t result[384U]; + memcpy(result, serialized, (size_t)384U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)384U * sizeof(uint8_t)); } -/** - Call [`serialize_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -2497,9 +2508,6 @@ static KRML_MUSTINLINE void serialize_secret_key_ff( memcpy(ret, out, (size_t)1536U * sizeof(uint8_t)); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key_mut with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -2523,9 +2531,6 @@ static KRML_MUSTINLINE void serialize_public_key_mut_00( seed_for_a, uint8_t); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -3539,10 +3544,6 @@ static KRML_MUSTINLINE void ntt_binomially_sampled_ring_element_8c( poly_barrett_reduce_d6_8c(re); } -/** - Sample a vector of ring elements from a centered binomial distribution and - convert them into their NTT representations. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -3562,6 +3563,8 @@ static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_3b( KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); + uint8_t _prf_inputs_init[4U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)4U * sizeof(uint8_t[33U])); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); @@ -3769,9 +3772,6 @@ static KRML_MUSTINLINE void add_standard_error_reduce_d6_8c( } } -/** - Compute  ◦ ŝ + ê -*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -3814,47 +3814,6 @@ static KRML_MUSTINLINE void compute_As_plus_e_d0( } } -/** - This function implements most of Algorithm 12 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation - algorithm. - - We say "most of" since Algorithm 12 samples the required randomness within - the function itself, whereas this implementation expects it to be provided - through the `key_generation_seed` parameter. - - Algorithm 12 is reproduced below: - - ```plaintext - Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - - d ←$ B - (ρ,σ) ← G(d) - N ← 0 - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) - N ← N + 1 - end for - ŝ ← NTT(s) - ê ← NTT(e) - t̂ ← Â◦ŝ + ê - ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ - dkₚₖₑ ← ByteEncode₁₂(ŝ) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -4005,14 +3964,6 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_60( memcpy(ret, out, (size_t)3168U * sizeof(uint8_t)); } -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -4022,7 +3973,7 @@ libcrux_ml_kem_variant_MlKem with const generics - CPA_PRIVATE_KEY_SIZE= 1536 - PRIVATE_KEY_SIZE= 3168 - PUBLIC_KEY_SIZE= 1568 -- BYTES_PER_RING_ELEMENT= 1536 +- RANKED_BYTES_PER_RING_ELEMENT= 1536 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ 
@@ -4078,9 +4029,6 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_03(Eurydice_slice randomness, memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -4107,9 +4055,6 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_0d( } } -/** - Sample a vector of ring elements from a centered binomial distribution. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -4131,6 +4076,8 @@ sample_ring_element_cbd_3b(uint8_t prf_input[33U], uint8_t domain_separator) { KRML_MAYBE_FOR4( i, (size_t)0U, (size_t)4U, (size_t)1U, memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); + uint8_t _prf_inputs_init[4U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)4U * sizeof(uint8_t[33U])); KRML_MAYBE_FOR4(i, (size_t)0U, (size_t)4U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); 
@@ -4414,11 +4361,15 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -decompress_1_8c(libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = +decompress_1_8c(libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector z = libcrux_ml_kem_vector_portable_ZERO_0d(); - return libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d( - libcrux_ml_kem_vector_portable_sub_0d(uu____0, &v), (int16_t)1665); + libcrux_ml_kem_vector_portable_vector_type_PortableVector s = + libcrux_ml_kem_vector_portable_sub_0d(z, &vec); + libcrux_ml_kem_vector_portable_vector_type_PortableVector res = + libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d( + s, (int16_t)1665); + return res; } /** @@ -4529,16 +4480,16 @@ with const generics - COEFFICIENT_BITS= 10 */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -compress_ef(libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { +compress_ef(libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( - (uint8_t)(int32_t)10, (uint16_t)v.elements[i0]); - v.elements[i0] = uu____0; + (uint8_t)(int32_t)10, (uint16_t)a.elements[i0]); + a.elements[i0] = uu____0; } - return v; + return a; } /** 
@@ -4561,16 +4512,16 @@ with const generics - COEFFICIENT_BITS= 11 */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -compress_c4(libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { +compress_c4(libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( - (uint8_t)(int32_t)11, (uint16_t)v.elements[i0]); - v.elements[i0] = uu____0; + (uint8_t)(int32_t)11, (uint16_t)a.elements[i0]); + a.elements[i0] = uu____0; } - return v; + return a; } /** @@ -4600,7 +4551,7 @@ static KRML_MUSTINLINE void compress_then_serialize_11_54( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - compress_0d_c4(to_unsigned_representative_8c(re->coefficients[i0])); + compress_0d_c4(to_unsigned_field_element_8c(re->coefficients[i0])); uint8_t bytes[22U]; libcrux_ml_kem_vector_portable_serialize_11_0d(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( @@ -4620,14 +4571,11 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE void compress_then_serialize_ring_element_u_82( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[352U]) { - uint8_t uu____0[352U]; - compress_then_serialize_11_54(re, uu____0); - memcpy(ret, uu____0, (size_t)352U * sizeof(uint8_t)); + uint8_t result[352U]; + compress_then_serialize_11_54(re, result); + memcpy(ret, result, (size_t)352U * sizeof(uint8_t)); } -/** - Call [`compress_then_serialize_ring_element_u`] on each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -4671,16 +4619,16 @@ with const generics - COEFFICIENT_BITS= 4 */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -compress_d1(libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { +compress_d1(libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( - (uint8_t)(int32_t)4, (uint16_t)v.elements[i0]); - v.elements[i0] = uu____0; + (uint8_t)(int32_t)4, (uint16_t)a.elements[i0]); + a.elements[i0] = uu____0; } - return v; + return a; } /** @@ -4714,7 +4662,7 @@ static KRML_MUSTINLINE void compress_then_serialize_4_8c( i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - compress_0d_d1(to_unsigned_representative_8c(re.coefficients[i0])); + compress_0d_d1(to_unsigned_field_element_8c(re.coefficients[i0])); uint8_t bytes[8U]; libcrux_ml_kem_vector_portable_serialize_4_0d(coefficient, bytes); Eurydice_slice_copy( @@ -4730,16 +4678,16 @@ with const generics - COEFFICIENT_BITS= 5 */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector -compress_f4(libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { +compress_f4(libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( - (uint8_t)(int32_t)5, (uint16_t)v.elements[i0]); - v.elements[i0] = uu____0; + (uint8_t)(int32_t)5, (uint16_t)a.elements[i0]); + a.elements[i0] = uu____0; } - return v; + return a; } /** 
@@ -4773,7 +4721,7 @@ static KRML_MUSTINLINE void compress_then_serialize_5_8c( i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficients = - compress_0d_f4(to_unsigned_representative_8c(re.coefficients[i0])); + compress_0d_f4(to_unsigned_field_element_8c(re.coefficients[i0])); uint8_t bytes[10U]; libcrux_ml_kem_vector_portable_serialize_5_0d(coefficients, bytes); Eurydice_slice_copy( @@ -4795,47 +4743,6 @@ static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_8e( compress_then_serialize_5_8c(re, out); } -/** - This function implements Algorithm 13 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. - - Algorithm 13 is reproduced below: - - ```plaintext - Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Input: message m ∈ 𝔹^{32}. - Input: encryption randomness r ∈ 𝔹^{32}. - Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - - N ← 0 - t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) - ρ ← ekₚₖₑ[384k: 384k + 32] - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - N ← N + 1 - end for - e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - r̂ ← NTT(r) - u ← NTT-¹(Âᵀ ◦ r̂) + e₁ - μ ← Decompress₁(ByteDecode₁(m))) - v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ - c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) - c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) - return c ← (c₁ ‖ c₂) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -4998,7 +4905,7 @@ libcrux_ml_kem_variant_MlKem with const generics - C2_SIZE= 160 - VECTOR_U_COMPRESSION_FACTOR= 11 - VECTOR_V_COMPRESSION_FACTOR= 5 -- VECTOR_U_BLOCK_LEN= 352 +- C1_BLOCK_SIZE= 352 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 
@@ -5077,9 +4984,6 @@ deserialize_to_uncompressed_ring_element_8c(Eurydice_slice serialized) { return re; } -/** - Call [`deserialize_to_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -5119,21 +5023,17 @@ const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector decompress_ciphertext_coefficient_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; - i < - /* debug_assert!(to_i16_array(v) .into_iter() .all(|coefficient| - coefficient.abs() < 1 << COEFFICIENT_BITS)); */ - LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - i++) { + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - int32_t decompressed = (int32_t)v.elements[i0] * + int32_t decompressed = (int32_t)a.elements[i0] * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)10); decompressed = decompressed >> (uint32_t)((int32_t)10 + (int32_t)1); - v.elements[i0] = (int16_t)decompressed; + a.elements[i0] = (int16_t)decompressed; } - return v; + return a; } /** 
@@ -5183,21 +5083,17 @@ const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector decompress_ciphertext_coefficient_c4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; - i < - /* debug_assert!(to_i16_array(v) .into_iter() .all(|coefficient| - coefficient.abs() < 1 << COEFFICIENT_BITS)); */ - LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - i++) { + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - int32_t decompressed = (int32_t)v.elements[i0] * + int32_t decompressed = (int32_t)a.elements[i0] * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)11); decompressed = decompressed >> (uint32_t)((int32_t)11 + (int32_t)1); - v.elements[i0] = (int16_t)decompressed; + a.elements[i0] = (int16_t)decompressed; } - return v; + return a; } /** @@ -5269,10 +5165,6 @@ static KRML_MUSTINLINE void ntt_vector_u_5e( poly_barrett_reduce_d6_8c(re); } -/** - Call [`deserialize_then_decompress_ring_element_u`] on each ring element - in the `ciphertext`. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -5320,21 +5212,17 @@ const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector decompress_ciphertext_coefficient_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; - i < - /* debug_assert!(to_i16_array(v) .into_iter() .all(|coefficient| - coefficient.abs() < 1 << COEFFICIENT_BITS)); */ - LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - i++) { + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - int32_t decompressed = (int32_t)v.elements[i0] * + int32_t decompressed = (int32_t)a.elements[i0] * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)4); decompressed = decompressed >> (uint32_t)((int32_t)4 + (int32_t)1); - v.elements[i0] = (int16_t)decompressed; + a.elements[i0] = (int16_t)decompressed; } - return v; + return a; } /** 
@@ -5384,21 +5272,17 @@ const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector decompress_ciphertext_coefficient_f4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; - i < - /* debug_assert!(to_i16_array(v) .into_iter() .all(|coefficient| - coefficient.abs() < 1 << COEFFICIENT_BITS)); */ - LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - i++) { + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - int32_t decompressed = (int32_t)v.elements[i0] * + int32_t decompressed = (int32_t)a.elements[i0] * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)5); decompressed = decompressed >> (uint32_t)((int32_t)5 + (int32_t)1); - v.elements[i0] = (int16_t)decompressed; + a.elements[i0] = (int16_t)decompressed; } - return v; + return a; } /** @@ -5520,7 +5404,7 @@ static KRML_MUSTINLINE void compress_then_serialize_message_8c( KRML_MAYBE_FOR16( i, (size_t)0U, (size_t)16U, (size_t)1U, size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - to_unsigned_representative_8c(re.coefficients[i0]); + to_unsigned_field_element_8c(re.coefficients[i0]); libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient_compressed = libcrux_ml_kem_vector_portable_compress_1_0d(coefficient); 
@@ -5531,33 +5415,11 @@ static KRML_MUSTINLINE void compress_then_serialize_message_8c( Eurydice_slice_copy(uu____0, Eurydice_array_to_slice((size_t)2U, bytes, uint8_t), uint8_t);); - memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); + uint8_t result[32U]; + memcpy(result, serialized, (size_t)32U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)32U * sizeof(uint8_t)); } -/** - This function implements Algorithm 14 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. - - Algorithm 14 is reproduced below: - - ```plaintext - Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - Output: message m ∈ 𝔹^{32}. - - c₁ ← c[0 : 32dᵤk] - c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] - u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) - v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) - ŝ ← ByteDecode₁₂(dkₚₖₑ) - w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) - m ← ByteEncode₁(Compress₁(w)) - return m - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -5733,9 +5595,6 @@ void libcrux_ml_kem_ind_cca_decapsulate_621( memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -5787,9 +5646,6 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_1e( (size_t)2U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } -/** - Call [`serialize_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -5822,9 +5678,6 @@ static KRML_MUSTINLINE void serialize_secret_key_64( memcpy(ret, out, (size_t)768U * sizeof(uint8_t)); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key_mut with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -5848,9 +5701,6 @@ static KRML_MUSTINLINE void serialize_public_key_mut_86( seed_for_a, uint8_t); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -6480,10 +6330,6 @@ sample_from_binomial_distribution_1b(Eurydice_slice randomness) { return sample_from_binomial_distribution_3_8c(randomness); } -/** - Sample a vector of ring elements from a centered binomial distribution and - convert them into their NTT representations. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -6503,6 +6349,8 @@ static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_3b0( KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); + uint8_t _prf_inputs_init[2U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)2U * sizeof(uint8_t[33U])); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); @@ -6596,9 +6444,6 @@ static KRML_MUSTINLINE void add_to_ring_element_d6_a0( } } -/** - Compute  ◦ ŝ + ê -*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -6641,47 +6486,6 @@ static KRML_MUSTINLINE void compute_As_plus_e_a0( } } -/** - This function implements most of Algorithm 12 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation - algorithm. - - We say "most of" since Algorithm 12 samples the required randomness within - the function itself, whereas this implementation expects it to be provided - through the `key_generation_seed` parameter. - - Algorithm 12 is reproduced below: - - ```plaintext - Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - - d ←$ B - (ρ,σ) ← G(d) - N ← 0 - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) - N ← N + 1 - end for - ŝ ← NTT(s) - ê ← NTT(e) - t̂ ← Â◦ŝ + ê - ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ - dkₚₖₑ ← ByteEncode₁₂(ŝ) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -6832,14 +6636,6 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_30( memcpy(ret, out, (size_t)1632U * sizeof(uint8_t)); } -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -6849,7 +6645,7 @@ libcrux_ml_kem_variant_MlKem with const generics - CPA_PRIVATE_KEY_SIZE= 768 - PRIVATE_KEY_SIZE= 1632 - PUBLIC_KEY_SIZE= 800 -- BYTES_PER_RING_ELEMENT= 768 +- RANKED_BYTES_PER_RING_ELEMENT= 768 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 */ 
@@ -6905,9 +6701,6 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_10(Eurydice_slice randomness, memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -6966,9 +6759,6 @@ static KRML_MUSTINLINE void PRFxN_f1_490(uint8_t (*input)[33U], PRFxN_490(input, ret); } -/** - Sample a vector of ring elements from a centered binomial distribution. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -6990,6 +6780,8 @@ sample_ring_element_cbd_3b0(uint8_t prf_input[33U], uint8_t domain_separator) { KRML_MAYBE_FOR2( i, (size_t)0U, (size_t)2U, (size_t)1U, memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); + uint8_t _prf_inputs_init[2U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)2U * sizeof(uint8_t[33U])); KRML_MAYBE_FOR2(i, (size_t)0U, (size_t)2U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); @@ -7137,7 +6929,7 @@ static KRML_MUSTINLINE void compress_then_serialize_10_ff( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - compress_0d_ef(to_unsigned_representative_8c(re->coefficients[i0])); + compress_0d_ef(to_unsigned_field_element_8c(re->coefficients[i0])); uint8_t bytes[20U]; libcrux_ml_kem_vector_portable_serialize_10_0d(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( 
@@ -7157,14 +6949,11 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics */ static KRML_MUSTINLINE void compress_then_serialize_ring_element_u_fe( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[320U]) { - uint8_t uu____0[320U]; - compress_then_serialize_10_ff(re, uu____0); - memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); + uint8_t result[320U]; + compress_then_serialize_10_ff(re, result); + memcpy(ret, result, (size_t)320U * sizeof(uint8_t)); } -/** - Call [`compress_then_serialize_ring_element_u`] on each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -7214,47 +7003,6 @@ static KRML_MUSTINLINE void compress_then_serialize_ring_element_v_ff0( compress_then_serialize_4_8c(re, out); } -/** - This function implements Algorithm 13 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. - - Algorithm 13 is reproduced below: - - ```plaintext - Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Input: message m ∈ 𝔹^{32}. - Input: encryption randomness r ∈ 𝔹^{32}. - Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - - N ← 0 - t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) - ρ ← ekₚₖₑ[384k: 384k + 32] - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - N ← N + 1 - end for - e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - r̂ ← NTT(r) - u ← NTT-¹(Âᵀ ◦ r̂) + e₁ - μ ← Decompress₁(ByteDecode₁(m))) - v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ - c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) - c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) - return c ← (c₁ ‖ c₂) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -7418,7 +7166,7 @@ libcrux_ml_kem_variant_MlKem with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 3 - ETA1_RANDOMNESS_SIZE= 192 - ETA2= 2 @@ -7476,9 +7224,6 @@ tuple_41 libcrux_ml_kem_ind_cca_encapsulate_ca0( return lit; } -/** - Call [`deserialize_to_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -7540,10 +7285,6 @@ static KRML_MUSTINLINE void ntt_vector_u_0a( poly_barrett_reduce_d6_8c(re); } -/** - Call [`deserialize_then_decompress_ring_element_u`] on each ring element - in the `ciphertext`. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -7621,30 +7362,6 @@ compute_message_a0( return result; } -/** - This function implements Algorithm 14 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. - - Algorithm 14 is reproduced below: - - ```plaintext - Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - Output: message m ∈ 𝔹^{32}. - - c₁ ← c[0 : 32dᵤk] - c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] - u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) - v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) - ŝ ← ByteDecode₁₂(dkₚₖₑ) - w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) - m ← ByteEncode₁(Compress₁(w)) - return m - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -7808,9 +7525,6 @@ void libcrux_ml_kem_ind_cca_decapsulate_620( memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -7862,9 +7576,6 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_out_c0( (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } -/** - Call [`serialize_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -7897,9 +7608,6 @@ static KRML_MUSTINLINE void serialize_secret_key_89( memcpy(ret, out, (size_t)1152U * sizeof(uint8_t)); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key_mut with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -7923,9 +7631,6 @@ static KRML_MUSTINLINE void serialize_public_key_mut_6c( seed_for_a, uint8_t); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -8550,10 +8255,6 @@ static KRML_MUSTINLINE void PRFxN_f1_41(uint8_t (*input)[33U], PRFxN_41(input, ret); } -/** - Sample a vector of ring elements from a centered binomial distribution and - convert them into their NTT representations. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -8573,6 +8274,8 @@ static KRML_MUSTINLINE uint8_t sample_vector_cbd_then_ntt_3b1( KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); + uint8_t _prf_inputs_init[3U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)3U * sizeof(uint8_t[33U])); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); @@ -8666,9 +8369,6 @@ static KRML_MUSTINLINE void add_to_ring_element_d6_1b( } } -/** - Compute  ◦ ŝ + ê -*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -8711,47 +8411,6 @@ static KRML_MUSTINLINE void compute_As_plus_e_1b( } } -/** - This function implements most of Algorithm 12 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation - algorithm. - - We say "most of" since Algorithm 12 samples the required randomness within - the function itself, whereas this implementation expects it to be provided - through the `key_generation_seed` parameter. - - Algorithm 12 is reproduced below: - - ```plaintext - Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - - d ←$ B - (ρ,σ) ← G(d) - N ← 0 - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) - N ← N + 1 - end for - ŝ ← NTT(s) - ê ← NTT(e) - t̂ ← Â◦ŝ + ê - ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ - dkₚₖₑ ← ByteEncode₁₂(ŝ) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -8902,14 +8561,6 @@ static KRML_MUSTINLINE void serialize_kem_secret_key_d6( memcpy(ret, out, (size_t)2400U * sizeof(uint8_t)); } -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -8919,7 +8570,7 @@ libcrux_ml_kem_variant_MlKem with const generics - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 -- BYTES_PER_RING_ELEMENT= 1152 +- RANKED_BYTES_PER_RING_ELEMENT= 1152 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ 
@@ -8975,9 +8626,6 @@ static KRML_MUSTINLINE void entropy_preprocess_d8_9c(Eurydice_slice randomness, memcpy(ret, out, (size_t)32U * sizeof(uint8_t)); } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -9004,9 +8652,6 @@ static KRML_MUSTINLINE void deserialize_ring_elements_reduced_b3( } } -/** - Sample a vector of ring elements from a centered binomial distribution. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -9028,6 +8673,8 @@ sample_ring_element_cbd_3b1(uint8_t prf_input[33U], uint8_t domain_separator) { KRML_MAYBE_FOR3( i, (size_t)0U, (size_t)3U, (size_t)1U, memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t));); + uint8_t _prf_inputs_init[3U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)3U * sizeof(uint8_t[33U])); KRML_MAYBE_FOR3(i, (size_t)0U, (size_t)3U, (size_t)1U, size_t i0 = i; prf_inputs[i0][32U] = domain_separator; domain_separator = (uint32_t)domain_separator + 1U;); @@ -9162,9 +8809,6 @@ compute_ring_element_v_1b( return result; } -/** - Call [`compress_then_serialize_ring_element_u`] on each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -9202,47 +8846,6 @@ static KRML_MUSTINLINE void compress_then_serialize_u_43( } } -/** - This function implements Algorithm 13 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. - - Algorithm 13 is reproduced below: - - ```plaintext - Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Input: message m ∈ 𝔹^{32}. - Input: encryption randomness r ∈ 𝔹^{32}. - Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - - N ← 0 - t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) - ρ ← ekₚₖₑ[384k: 384k + 32] - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - N ← N + 1 - end for - e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - r̂ ← NTT(r) - u ← NTT-¹(Âᵀ ◦ r̂) + e₁ - μ ← Decompress₁(ByteDecode₁(m))) - v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ - c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) - c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) - return c ← (c₁ ‖ c₂) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -9406,7 +9009,7 @@ libcrux_ml_kem_variant_MlKem with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 @@ -9464,9 +9067,6 @@ tuple_c2 libcrux_ml_kem_ind_cca_encapsulate_ca( return lit; } -/** - Call [`deserialize_to_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -9498,10 +9098,6 @@ static KRML_MUSTINLINE void deserialize_secret_key_1b( (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d)); } -/** - Call [`deserialize_then_decompress_ring_element_u`] on each ring element - in the `ciphertext`. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -9568,30 +9164,6 @@ compute_message_1b( return result; } -/** - This function implements Algorithm 14 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. - - Algorithm 14 is reproduced below: - - ```plaintext - Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - Output: message m ∈ 𝔹^{32}. - - c₁ ← c[0 : 32dᵤk] - c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] - u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) - v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) - ŝ ← ByteDecode₁₂(dkₚₖₑ) - w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) - m ← ByteEncode₁(Compress₁(w)) - return m - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector diff --git a/libcrux-ml-kem/c/libcrux_mlkem_portable.h b/libcrux-ml-kem/c/libcrux_mlkem_portable.h index 0ed288fba..08beb8605 100644 --- a/libcrux-ml-kem/c/libcrux_mlkem_portable.h +++ b/libcrux-ml-kem/c/libcrux_mlkem_portable.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem_portable_H diff --git a/libcrux-ml-kem/c/libcrux_sha3.h b/libcrux-ml-kem/c/libcrux_sha3.h index ae0487c65..824f5182b 100644 --- a/libcrux-ml-kem/c/libcrux_sha3.h +++ b/libcrux-ml-kem/c/libcrux_sha3.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_sha3_H diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.c b/libcrux-ml-kem/c/libcrux_sha3_avx2.c index 6bb8c32bd..2b6b4bb8e 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_avx2.c +++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.c 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "internal/libcrux_sha3_avx2.h" diff --git a/libcrux-ml-kem/c/libcrux_sha3_avx2.h b/libcrux-ml-kem/c/libcrux_sha3_avx2.h index 6abfa8697..b60413063 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/c/libcrux_sha3_avx2.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/c/libcrux_sha3_internal.h b/libcrux-ml-kem/c/libcrux_sha3_internal.h index f204ff714..f9b77fd80 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_internal.h +++ b/libcrux-ml-kem/c/libcrux_sha3_internal.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_sha3_internal_H diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.c b/libcrux-ml-kem/c/libcrux_sha3_neon.c index ab9ae179a..fde734013 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_neon.c +++ b/libcrux-ml-kem/c/libcrux_sha3_neon.c @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #include "libcrux_sha3_neon.h" diff --git a/libcrux-ml-kem/c/libcrux_sha3_neon.h b/libcrux-ml-kem/c/libcrux_sha3_neon.h index e53786c98..1816675a7 100644 --- a/libcrux-ml-kem/c/libcrux_sha3_neon.h +++ b/libcrux-ml-kem/c/libcrux_sha3_neon.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_sha3_neon_H diff --git a/libcrux-ml-kem/cg/code_gen.txt b/libcrux-ml-kem/cg/code_gen.txt index 8499b9238..a05d71620 100644 --- a/libcrux-ml-kem/cg/code_gen.txt +++ b/libcrux-ml-kem/cg/code_gen.txt @@ -1,6 +1,6 @@ This code was generated with the following revisions: -Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 +Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c -Karamel: 8c3612018c25889288da6857771be3ad03b75bcd -F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty -Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 +Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 +F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc +Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 diff --git a/libcrux-ml-kem/cg/libcrux_core.h b/libcrux-ml-kem/cg/libcrux_core.h index 0855ea040..ed3aa1808 100644 --- a/libcrux-ml-kem/cg/libcrux_core.h +++ b/libcrux-ml-kem/cg/libcrux_core.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_core_H diff --git a/libcrux-ml-kem/cg/libcrux_ct_ops.h b/libcrux-ml-kem/cg/libcrux_ct_ops.h index e5c8b4a89..ac9ffe798 100644 --- a/libcrux-ml-kem/cg/libcrux_ct_ops.h +++ b/libcrux-ml-kem/cg/libcrux_ct_ops.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_ct_ops_H diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h index 178061ffb..628649fb8 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem768_avx2_H @@ -53,10 +53,10 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_zero(void) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ZERO_ea(void) { +static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ZERO_09(void) { return libcrux_ml_kem_vector_avx2_zero(); } @@ -68,11 +68,11 @@ libcrux_ml_kem_vector_avx2_from_i16_array(Eurydice_slice array) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_from_i16_array_ea(Eurydice_slice array) { +libcrux_ml_kem_vector_avx2_from_i16_array_09(Eurydice_slice array) { return libcrux_ml_kem_vector_avx2_from_i16_array(array); } 
@@ -87,10 +87,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_to_i16_array_09( __m256i x, int16_t ret[16U]) { libcrux_ml_kem_vector_avx2_to_i16_array(x, ret); } @@ -103,10 +103,10 @@ libcrux_ml_kem_vector_avx2_arithmetic_add(__m256i lhs, __m256i rhs) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_add_ea(__m256i lhs, +static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_add_09(__m256i lhs, __m256i *rhs) { return libcrux_ml_kem_vector_avx2_arithmetic_add(lhs, rhs[0U]); } @@ -119,10 +119,10 @@ libcrux_ml_kem_vector_avx2_arithmetic_sub(__m256i lhs, __m256i rhs) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_sub_ea(__m256i lhs, +static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_sub_09(__m256i lhs, __m256i *rhs) { return libcrux_ml_kem_vector_avx2_arithmetic_sub(lhs, rhs[0U]); } 
@@ -137,12 +137,12 @@ libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(__m256i vector, /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_multiply_by_constant_ea(__m256i v, int16_t c) { - return libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(v, c); +libcrux_ml_kem_vector_avx2_multiply_by_constant_09(__m256i vec, int16_t c) { + return libcrux_ml_kem_vector_avx2_arithmetic_multiply_by_constant(vec, c); } KRML_ATTRIBUTE_TARGET("avx2") @@ -155,11 +155,11 @@ libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea(__m256i vector, +libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_09(__m256i vector, int16_t constant) { return libcrux_ml_kem_vector_avx2_arithmetic_bitwise_and_with_constant( vector, constant); @@ -187,11 +187,11 @@ libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(__m256i vector) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_cond_subtract_3329_ea(__m256i vector) { +libcrux_ml_kem_vector_avx2_cond_subtract_3329_09(__m256i vector) { return libcrux_ml_kem_vector_avx2_arithmetic_cond_subtract_3329(vector); } 
@@ -222,11 +222,11 @@ libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(__m256i vector) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_barrett_reduce_ea(__m256i vector) { +libcrux_ml_kem_vector_avx2_barrett_reduce_09(__m256i vector) { return libcrux_ml_kem_vector_avx2_arithmetic_barrett_reduce(vector); } @@ -252,11 +252,11 @@ libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea( +libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09( __m256i vector, int16_t constant) { return libcrux_ml_kem_vector_avx2_arithmetic_montgomery_multiply_by_constant( vector, constant); @@ -285,11 +285,11 @@ libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_1_ea(__m256i vector) { +libcrux_ml_kem_vector_avx2_compress_1_09(__m256i vector) { return libcrux_ml_kem_vector_avx2_compress_compress_message_coefficient( vector); } 
@@ -343,10 +343,10 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_ea( +static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_1_step_09( __m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_1_step(vector, zeta0, zeta1, @@ -371,10 +371,10 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_ea( +static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_layer_2_step_09( __m256i vector, int16_t zeta0, int16_t zeta1) { return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_2_step(vector, zeta0, zeta1); } @@ -415,11 +415,11 @@ libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(__m256i vector, int16_t zeta) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_ntt_layer_3_step_ea(__m256i vector, int16_t zeta) { +libcrux_ml_kem_vector_avx2_ntt_layer_3_step_09(__m256i vector, int16_t zeta) { return libcrux_ml_kem_vector_avx2_ntt_ntt_layer_3_step(vector, zeta); } 
@@ -454,11 +454,11 @@ libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_1_step(__m256i vector, /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_ea(__m256i vector, +libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_09(__m256i vector, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { @@ -494,11 +494,11 @@ libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(__m256i vector, /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_ea(__m256i vector, +libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_09(__m256i vector, int16_t zeta0, int16_t zeta1) { return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_2_step(vector, zeta0, @@ -525,11 +525,11 @@ libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(__m256i vector, /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_ea(__m256i vector, +libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_09(__m256i vector, int16_t zeta) { return libcrux_ml_kem_vector_avx2_ntt_inv_ntt_layer_3_step(vector, zeta); } 
@@ -626,10 +626,10 @@ static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_ntt_multiply( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply_ea( +static KRML_MUSTINLINE __m256i libcrux_ml_kem_vector_avx2_ntt_multiply_09( __m256i *lhs, __m256i *rhs, int16_t zeta0, int16_t zeta1, int16_t zeta2, int16_t zeta3) { return libcrux_ml_kem_vector_avx2_ntt_ntt_multiply(lhs[0U], rhs[0U], zeta0, @@ -701,10 +701,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_1( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_1_09( __m256i vector, uint8_t ret[2U]) { libcrux_ml_kem_vector_avx2_serialize_serialize_1(vector, ret); } @@ -757,11 +757,11 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_1(Eurydice_slice bytes) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_1_ea(Eurydice_slice bytes) { +libcrux_ml_kem_vector_avx2_deserialize_1_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_1(bytes); } 
@@ -860,10 +860,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_4( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_4_09( __m256i vector, uint8_t ret[8U]) { libcrux_ml_kem_vector_avx2_serialize_serialize_4(vector, ret); } @@ -923,11 +923,11 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_4(Eurydice_slice bytes) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_4_ea(Eurydice_slice bytes) { +libcrux_ml_kem_vector_avx2_deserialize_4_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_4(bytes); } @@ -1050,10 +1050,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_5( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_5_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_5_09( __m256i vector, uint8_t ret[10U]) { libcrux_ml_kem_vector_avx2_serialize_serialize_5(vector, ret); } 
@@ -1105,11 +1105,11 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_5(Eurydice_slice bytes) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_5_ea(Eurydice_slice bytes) { +libcrux_ml_kem_vector_avx2_deserialize_5_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_5(bytes); } @@ -1243,10 +1243,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_10( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_10_09( __m256i vector, uint8_t ret[20U]) { libcrux_ml_kem_vector_avx2_serialize_serialize_10(vector, ret); } @@ -1286,11 +1286,11 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_10(Eurydice_slice bytes) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_10_ea(Eurydice_slice bytes) { +libcrux_ml_kem_vector_avx2_deserialize_10_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_10(bytes); } 
@@ -1310,10 +1310,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_11( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_11_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_11_09( __m256i vector, uint8_t ret[22U]) { libcrux_ml_kem_vector_avx2_serialize_serialize_11(vector, ret); } @@ -1331,11 +1331,11 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_11(Eurydice_slice bytes) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_11_ea(Eurydice_slice bytes) { +libcrux_ml_kem_vector_avx2_deserialize_11_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_11(bytes); } @@ -1388,10 +1388,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_serialize_12( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12_ea( +static KRML_MUSTINLINE void libcrux_ml_kem_vector_avx2_serialize_12_09( __m256i vector, uint8_t ret[24U]) { libcrux_ml_kem_vector_avx2_serialize_serialize_12(vector, ret); } 
@@ -1431,11 +1431,11 @@ libcrux_ml_kem_vector_avx2_serialize_deserialize_12(Eurydice_slice bytes) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_deserialize_12_ea(Eurydice_slice bytes) { +libcrux_ml_kem_vector_avx2_deserialize_12_09(Eurydice_slice bytes) { return libcrux_ml_kem_vector_avx2_serialize_deserialize_12(bytes); } @@ -1529,10 +1529,10 @@ libcrux_ml_kem_vector_avx2_sampling_rejection_sample(Eurydice_slice input, /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_rej_sample_ea( +static KRML_MUSTINLINE size_t libcrux_ml_kem_vector_avx2_rej_sample_09( Eurydice_slice input, Eurydice_slice output) { return libcrux_ml_kem_vector_avx2_sampling_rejection_sample(input, output); } 
@@ -1550,24 +1550,24 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_ZERO_d6_79(void) { +libcrux_ml_kem_polynomial_ZERO_d6_61(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit; - lit.coefficients[0U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[1U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[2U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[3U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[4U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[5U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[6U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[7U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[8U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[9U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[10U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[11U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[12U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[13U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[14U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); - lit.coefficients[15U] = libcrux_ml_kem_vector_avx2_ZERO_ea(); + lit.coefficients[0U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[1U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[2U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[3U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[4U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[5U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[6U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[7U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[8U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[9U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[10U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + 
lit.coefficients[11U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[12U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[13U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[14U] = libcrux_ml_kem_vector_avx2_ZERO_09(); + lit.coefficients[15U] = libcrux_ml_kem_vector_avx2_ZERO_09(); return lit; } @@ -1580,7 +1580,7 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_ind_cpa_deserialize_secret_key_closure_ab(size_t _) { - return libcrux_ml_kem_polynomial_ZERO_d6_79(); + return libcrux_ml_kem_polynomial_ZERO_d6_61(); } /** @@ -1591,23 +1591,20 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_79( +libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_61( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_79(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t); - re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_12_ea(bytes); + re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_12_09(bytes); } return re; } -/** - Call [`deserialize_to_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -1620,7 +1617,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 secret_as_ntt[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - secret_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_79(); + secret_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } for (size_t i = (size_t)0U; i < Eurydice_slice_len(secret_key, uint8_t) / @@ -1633,7 +1630,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_deserialize_secret_key_ab( LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_79( + libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_61( secret_bytes); secret_as_ntt[i0] = uu____0; } @@ -1653,7 +1650,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_closure_ed(size_t _) { - return libcrux_ml_kem_polynomial_ZERO_d6_79(); + return libcrux_ml_kem_polynomial_ZERO_d6_61(); } /** 
@@ -1728,17 +1725,17 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_ef( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** A monomorphic instance of -libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const +libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_09 with const generics - COEFFICIENT_BITS= 10 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_ef( +libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_ef( __m256i vector) { return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_ef( vector); @@ -1752,18 +1749,18 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_then_decompress_10_79( +libcrux_ml_kem_serialize_deserialize_then_decompress_10_61( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_79(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)20U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( serialized, i0 * (size_t)20U, i0 * (size_t)20U + (size_t)20U, uint8_t); - __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_10_ea(bytes); + __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_10_09(bytes); re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_ef( + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_ef( coefficient); } return re; 
@@ -1841,17 +1838,17 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_c4( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** A monomorphic instance of -libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const +libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_09 with const generics - COEFFICIENT_BITS= 11 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_c4( +libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_c4( __m256i vector) { return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_c4( vector); @@ -1865,18 +1862,18 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_then_decompress_11_79( +libcrux_ml_kem_serialize_deserialize_then_decompress_11_61( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_79(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)22U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( serialized, i0 * (size_t)22U, i0 * (size_t)22U + (size_t)22U, uint8_t); - __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_11_ea(bytes); + __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_11_09(bytes); re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_c4( + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_c4( coefficient); } return re; 
@@ -1892,7 +1889,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_u_ee( Eurydice_slice serialized) { - return libcrux_ml_kem_serialize_deserialize_then_decompress_10_79(serialized); + return libcrux_ml_kem_serialize_deserialize_then_decompress_10_61(serialized); } typedef struct libcrux_ml_kem_vector_avx2_SIMD256Vector_x2_s { @@ -1908,8 +1905,8 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_traits_montgomery_multiply_fe_79(__m256i v, int16_t fer) { - return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea(v, fer); +libcrux_ml_kem_vector_traits_montgomery_multiply_fe_61(__m256i v, int16_t fer) { + return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09(v, fer); } /** @@ -1920,11 +1917,11 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 -libcrux_ml_kem_ntt_ntt_layer_int_vec_step_79(__m256i a, __m256i b, +libcrux_ml_kem_ntt_ntt_layer_int_vec_step_61(__m256i a, __m256i b, int16_t zeta_r) { - __m256i t = libcrux_ml_kem_vector_traits_montgomery_multiply_fe_79(b, zeta_r); - b = libcrux_ml_kem_vector_avx2_sub_ea(a, &t); - a = libcrux_ml_kem_vector_avx2_add_ea(a, &t); + __m256i t = libcrux_ml_kem_vector_traits_montgomery_multiply_fe_61(b, zeta_r); + b = libcrux_ml_kem_vector_avx2_sub_09(a, &t); + a = libcrux_ml_kem_vector_avx2_add_09(a, &t); return (CLITERAL(libcrux_ml_kem_vector_avx2_SIMD256Vector_x2){.fst = a, .snd = b}); } 
@@ -1936,7 +1933,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t layer, size_t _initial_coefficient_bound) { size_t step = (size_t)1U << (uint32_t)layer; @@ -1949,7 +1946,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79( for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { size_t j = i; libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 = - libcrux_ml_kem_ntt_ntt_layer_int_vec_step_79( + libcrux_ml_kem_ntt_ntt_layer_int_vec_step_61( re->coefficients[j], re->coefficients[j + step_vec], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); __m256i x = uu____0.fst; @@ -1967,13 +1964,13 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_79( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_3_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t _layer, size_t _initial_coefficient_bound) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_3_step_ea( + re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_3_step_09( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); } 
@@ -1986,13 +1983,13 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_79( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_2_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t _layer, size_t _initial_coefficient_bound) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_2_step_ea( + re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_2_step_09( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + @@ -2008,13 +2005,13 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_79( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_1_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t _layer, size_t _initial_coefficient_bound) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] + (size_t)1U; - re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_1_step_ea( + re->coefficients[round] = libcrux_ml_kem_vector_avx2_ntt_layer_1_step_09( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] + @@ -2039,7 +2036,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_79( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self) { for (size_t i = (size_t)0U; i < 
@@ -2049,7 +2046,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_79( i++) { size_t i0 = i; self->coefficients[i0] = - libcrux_ml_kem_vector_avx2_barrett_reduce_ea(self->coefficients[i0]); + libcrux_ml_kem_vector_avx2_barrett_reduce_09(self->coefficients[i0]); } } @@ -2063,24 +2060,20 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_ee( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { size_t zeta_i = (size_t)0U; - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)7U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)7U, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)6U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)6U, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)5U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)5U, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)4U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)4U, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_3_79(&zeta_i, re, (size_t)3U, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_2_79(&zeta_i, re, (size_t)2U, (size_t)3328U); - libcrux_ml_kem_ntt_ntt_at_layer_1_79(&zeta_i, re, (size_t)1U, (size_t)3328U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_79(re); + libcrux_ml_kem_ntt_ntt_at_layer_3_61(&zeta_i, re, (size_t)3U, (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_2_61(&zeta_i, re, (size_t)2U, (size_t)3328U); + libcrux_ml_kem_ntt_ntt_at_layer_1_61(&zeta_i, re, (size_t)1U, (size_t)3328U); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_61(re); } -/** - Call [`deserialize_then_decompress_ring_element_u`] on each ring element - in the `ciphertext`. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -2096,7 +2089,7 @@ libcrux_ml_kem_ind_cpa_deserialize_then_decompress_u_ed( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 u_as_ntt[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - u_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_79(); + u_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } for (size_t i = (size_t)0U; i < Eurydice_slice_len( @@ -2197,17 +2190,17 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_d1( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** A monomorphic instance of -libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const +libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_09 with const generics - COEFFICIENT_BITS= 4 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_d1( +libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_d1( __m256i vector) { return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_d1( vector); 
@@ -2221,18 +2214,18 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_then_decompress_4_79( +libcrux_ml_kem_serialize_deserialize_then_decompress_4_61( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_79(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)8U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( serialized, i0 * (size_t)8U, i0 * (size_t)8U + (size_t)8U, uint8_t); - __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_4_ea(bytes); + __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_4_09(bytes); re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_d1( + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_d1( coefficient); } return re; @@ -2310,17 +2303,17 @@ libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_f4( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** A monomorphic instance of -libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_ea with const +libcrux_ml_kem.vector.avx2.decompress_ciphertext_coefficient_09 with const generics - COEFFICIENT_BITS= 5 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_f4( +libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_f4( __m256i vector) { return libcrux_ml_kem_vector_avx2_compress_decompress_ciphertext_coefficient_f4( vector); 
@@ -2334,18 +2327,18 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_then_decompress_5_79( +libcrux_ml_kem_serialize_deserialize_then_decompress_5_61( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_79(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)10U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( serialized, i0 * (size_t)10U, i0 * (size_t)10U + (size_t)10U, uint8_t); - re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_5_ea(bytes); + re.coefficients[i0] = libcrux_ml_kem_vector_avx2_deserialize_5_09(bytes); re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_ea_f4( + libcrux_ml_kem_vector_avx2_decompress_ciphertext_coefficient_09_f4( re.coefficients[i0]); } return re; @@ -2361,7 +2354,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_serialize_deserialize_then_decompress_ring_element_v_42( Eurydice_slice serialized) { - return libcrux_ml_kem_serialize_deserialize_then_decompress_4_79(serialized); + return libcrux_ml_kem_serialize_deserialize_then_decompress_4_61(serialized); } /** 
@@ -2404,17 +2397,17 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_ntt_multiply_d6_79( +libcrux_ml_kem_polynomial_ntt_multiply_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *rhs) { /* hax_debug_debug_assert!(lhs .coefficients .into_iter() .all(|coefficient| * coefficient >= 0 && coefficient < 4096)); */ libcrux_ml_kem_polynomial_PolynomialRingElement_f6 out = - libcrux_ml_kem_polynomial_ZERO_d6_79(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - out.coefficients[i0] = libcrux_ml_kem_vector_avx2_ntt_multiply_ea( + out.coefficients[i0] = libcrux_ml_kem_vector_avx2_ntt_multiply_09( &self->coefficients[i0], &rhs->coefficients[i0], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[(size_t)64U + (size_t)4U * i0], @@ -2461,7 +2454,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab( __m256i); i++) { size_t i0 = i; - self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_ea( + self->coefficients[i0] = libcrux_ml_kem_vector_avx2_add_09( self->coefficients[i0], &rhs->coefficients[i0]); } } 
@@ -2473,14 +2466,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_79( +static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t _layer) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; re->coefficients[round] = - libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_ea( + libcrux_ml_kem_vector_avx2_inv_ntt_layer_1_step_09( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - @@ -2500,14 +2493,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_79( +static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t _layer) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; re->coefficients[round] = - libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_ea( + libcrux_ml_kem_vector_avx2_inv_ntt_layer_2_step_09( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U] - 
@@ -2523,14 +2516,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_79( +static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t _layer) { for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t round = i; zeta_i[0U] = zeta_i[0U] - (size_t)1U; re->coefficients[round] = - libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_ea( + libcrux_ml_kem_vector_avx2_inv_ntt_layer_3_step_09( re->coefficients[round], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); } @@ -2544,13 +2537,13 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 -libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_79(__m256i a, +libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_61(__m256i a, __m256i b, int16_t zeta_r) { - __m256i a_minus_b = libcrux_ml_kem_vector_avx2_sub_ea(b, &a); - a = libcrux_ml_kem_vector_avx2_barrett_reduce_ea( - libcrux_ml_kem_vector_avx2_add_ea(a, &b)); - b = libcrux_ml_kem_vector_traits_montgomery_multiply_fe_79(a_minus_b, zeta_r); + __m256i a_minus_b = libcrux_ml_kem_vector_avx2_sub_09(b, &a); + a = libcrux_ml_kem_vector_avx2_barrett_reduce_09( + libcrux_ml_kem_vector_avx2_add_09(a, &b)); + b = libcrux_ml_kem_vector_traits_montgomery_multiply_fe_61(a_minus_b, zeta_r); return (CLITERAL(libcrux_ml_kem_vector_avx2_SIMD256Vector_x2){.fst = a, .snd = b}); } @@ -2563,7 +2556,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_79( +libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_61( size_t *zeta_i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, size_t layer) { size_t step = (size_t)1U << (uint32_t)layer; 
@@ -2584,7 +2577,7 @@ libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_79( for (size_t i = offset_vec; i < offset_vec + step_vec; i++) { size_t j = i; libcrux_ml_kem_vector_avx2_SIMD256Vector_x2 uu____0 = - libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_79( + libcrux_ml_kem_invert_ntt_inv_ntt_layer_int_vec_step_reduce_61( re->coefficients[j], re->coefficients[j + step_vec], libcrux_ml_kem_polynomial_ZETAS_TIMES_MONTGOMERY_R[zeta_i[0U]]); __m256i x = uu____0.fst; @@ -2609,18 +2602,18 @@ static KRML_MUSTINLINE void libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab( LIBCRUX_ML_KEM_CONSTANTS_COEFFICIENTS_IN_RING_ELEMENT / (size_t)2U; - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_79(&zeta_i, re, (size_t)1U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_79(&zeta_i, re, (size_t)2U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_79(&zeta_i, re, (size_t)3U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_79(&zeta_i, re, + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_1_61(&zeta_i, re, (size_t)1U); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_2_61(&zeta_i, re, (size_t)2U); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_3_61(&zeta_i, re, (size_t)3U); + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)4U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_79(&zeta_i, re, + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)5U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_79(&zeta_i, re, + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)6U); - libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_79(&zeta_i, re, + libcrux_ml_kem_invert_ntt_invert_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)7U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_79(re); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_61(re); } /** 
@@ -2636,17 +2629,17 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_subtract_reduce_d6_79( +libcrux_ml_kem_polynomial_subtract_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 b) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient_normal_form = - libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea( + libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09( b.coefficients[i0], (int16_t)1441); - b.coefficients[i0] = libcrux_ml_kem_vector_avx2_barrett_reduce_ea( - libcrux_ml_kem_vector_avx2_sub_ea(self->coefficients[i0], + b.coefficients[i0] = libcrux_ml_kem_vector_avx2_barrett_reduce_09( + libcrux_ml_kem_vector_avx2_sub_09(self->coefficients[i0], &coefficient_normal_form)); } return b; @@ -2671,16 +2664,16 @@ libcrux_ml_kem_matrix_compute_message_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *secret_as_ntt, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *u_as_ntt) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = - libcrux_ml_kem_polynomial_ZERO_d6_79(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_79(&secret_as_ntt[i0], + libcrux_ml_kem_polynomial_ntt_multiply_d6_61(&secret_as_ntt[i0], &u_as_ntt[i0]); libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result, &product); } libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(&result); - result = libcrux_ml_kem_polynomial_subtract_reduce_d6_79(v, result); + result = libcrux_ml_kem_polynomial_subtract_reduce_d6_61(v, result); return result; } 
@@ -2697,16 +2690,16 @@ libcrux_ml_kem_vector_avx2_arithmetic_shift_right_ef(__m256i vector) { /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** -A monomorphic instance of libcrux_ml_kem.vector.avx2.shift_right_ea +A monomorphic instance of libcrux_ml_kem.vector.avx2.shift_right_09 with const generics - SHIFT_BY= 15 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_shift_right_ea_ef(__m256i vector) { +libcrux_ml_kem_vector_avx2_shift_right_09_ef(__m256i vector) { return libcrux_ml_kem_vector_avx2_arithmetic_shift_right_ef(vector); } @@ -2718,11 +2711,23 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_traits_to_unsigned_representative_79(__m256i a) { - __m256i t = libcrux_ml_kem_vector_avx2_shift_right_ea_ef(a); - __m256i fm = libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea( +libcrux_ml_kem_vector_traits_to_unsigned_representative_61(__m256i a) { + __m256i t = libcrux_ml_kem_vector_avx2_shift_right_09_ef(a); + __m256i fm = libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_09( t, LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS); - return libcrux_ml_kem_vector_avx2_add_ea(a, &fm); + return libcrux_ml_kem_vector_avx2_add_09(a, &fm); +} + +/** +A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_element +with types libcrux_ml_kem_vector_avx2_SIMD256Vector +with const generics + +*/ +KRML_ATTRIBUTE_TARGET("avx2") +static KRML_MUSTINLINE __m256i +libcrux_ml_kem_serialize_to_unsigned_field_element_61(__m256i a) { + return libcrux_ml_kem_vector_traits_to_unsigned_representative_61(a); } /** 
@@ -2733,50 +2738,27 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_compress_then_serialize_message_79( +libcrux_ml_kem_serialize_compress_then_serialize_message_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, uint8_t ret[32U]) { uint8_t serialized[32U] = {0U}; for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t i0 = i; - __m256i coefficient = - libcrux_ml_kem_vector_traits_to_unsigned_representative_79( - re.coefficients[i0]); + __m256i coefficient = libcrux_ml_kem_serialize_to_unsigned_field_element_61( + re.coefficients[i0]); __m256i coefficient_compressed = - libcrux_ml_kem_vector_avx2_compress_1_ea(coefficient); + libcrux_ml_kem_vector_avx2_compress_1_09(coefficient); uint8_t bytes[2U]; - libcrux_ml_kem_vector_avx2_serialize_1_ea(coefficient_compressed, bytes); + libcrux_ml_kem_vector_avx2_serialize_1_09(coefficient_compressed, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t); Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)2U, bytes, uint8_t), uint8_t); } - memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); + uint8_t result[32U]; + memcpy(result, serialized, (size_t)32U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)32U * sizeof(uint8_t)); } -/** - This function implements Algorithm 14 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. - - Algorithm 14 is reproduced below: - - ```plaintext - Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - Output: message m ∈ 𝔹^{32}. - - c₁ ← c[0 : 32dᵤk] - c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] - u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) - v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) - ŝ ← ByteDecode₁₂(dkₚₖₑ) - w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) - m ← ByteEncode₁(Compress₁(w)) - return m - ``` - - The NIST FIPS 203 standard can be found at - . 
-*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -2806,7 +2788,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_decrypt_unpacked_2f( libcrux_ml_kem_matrix_compute_message_ab(&v, secret_key->secret_as_ntt, u_as_ntt); uint8_t ret0[32U]; - libcrux_ml_kem_serialize_compress_then_serialize_message_79(message, ret0); + libcrux_ml_kem_serialize_compress_then_serialize_message_61(message, ret0); memcpy(ret, ret0, (size_t)32U * sizeof(uint8_t)); } @@ -2903,7 +2885,7 @@ static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 libcrux_ml_kem_ind_cpa_unpacked_default_8d_ab(void) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - uu____0[i] = libcrux_ml_kem_polynomial_ZERO_d6_79(); + uu____0[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } uint8_t uu____1[32U] = {0U}; libcrux_ml_kem_ind_cpa_unpacked_IndCpaPublicKeyUnpacked_63 lit; 
@@ -2911,15 +2893,15 @@ libcrux_ml_kem_ind_cpa_unpacked_default_8d_ab(void) { lit.t_as_ntt, uu____0, (size_t)3U * sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6)); memcpy(lit.seed_for_A, uu____1, (size_t)32U * sizeof(uint8_t)); - lit.A[0U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_79(); - lit.A[0U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_79(); - lit.A[0U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_79(); - lit.A[1U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_79(); - lit.A[1U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_79(); - lit.A[1U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_79(); - lit.A[2U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_79(); - lit.A[2U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_79(); - lit.A[2U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_79(); + lit.A[0U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[0U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[0U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[1U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[1U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[1U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[2U][0U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[2U][1U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.A[2U][2U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); return lit; } 
@@ -2937,25 +2919,22 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_79( +libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_61( Eurydice_slice serialized) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_79(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < Eurydice_slice_len(serialized, uint8_t) / (size_t)24U; i++) { size_t i0 = i; Eurydice_slice bytes = Eurydice_slice_subslice2( serialized, i0 * (size_t)24U, i0 * (size_t)24U + (size_t)24U, uint8_t); - __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_12_ea(bytes); + __m256i coefficient = libcrux_ml_kem_vector_avx2_deserialize_12_09(bytes); re.coefficients[i0] = - libcrux_ml_kem_vector_avx2_cond_subtract_3329_ea(coefficient); + libcrux_ml_kem_vector_avx2_cond_subtract_3329_09(coefficient); } return re; } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -2979,7 +2958,7 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_98( LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_79( + libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_61( ring_element); deserialized_pk[i0] = uu____0; } 
@@ -3139,7 +3118,7 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed( Eurydice_slice uu____0 = Eurydice_array_to_subslice2(randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t); - size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( + size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_09( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], sampled_coefficients[i1] + (size_t)16U, int16_t)); @@ -3271,7 +3250,7 @@ libcrux_ml_kem_sampling_sample_from_uniform_distribution_next_ed0( Eurydice_slice uu____0 = Eurydice_array_to_subslice2(randomness[i1], r * (size_t)24U, r * (size_t)24U + (size_t)24U, uint8_t); - size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_ea( + size_t sampled = libcrux_ml_kem_vector_avx2_rej_sample_09( uu____0, Eurydice_array_to_subslice2( out[i1], sampled_coefficients[i1], sampled_coefficients[i1] + (size_t)16U, int16_t)); @@ -3307,14 +3286,14 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_from_i16_array_d6_79(Eurydice_slice a) { +libcrux_ml_kem_polynomial_from_i16_array_d6_61(Eurydice_slice a) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = - libcrux_ml_kem_polynomial_ZERO_d6_79(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; result.coefficients[i0] = - libcrux_ml_kem_vector_avx2_from_i16_array_ea(Eurydice_slice_subslice2( + libcrux_ml_kem_vector_avx2_from_i16_array_09(Eurydice_slice_subslice2( a, i0 * (size_t)16U, (i0 + (size_t)1U) * (size_t)16U, int16_t)); } return result; 
@@ -3329,7 +3308,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_sampling_sample_from_xof_closure_6c(int16_t s[272U]) { - return libcrux_ml_kem_polynomial_from_i16_array_d6_79( + return libcrux_ml_kem_polynomial_from_i16_array_d6_61( Eurydice_array_to_subslice2(s, (size_t)0U, (size_t)256U, int16_t)); } @@ -3462,7 +3441,7 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_out_closure_b4(size_t _i) { - return libcrux_ml_kem_polynomial_ZERO_d6_79(); + return libcrux_ml_kem_polynomial_ZERO_d6_61(); } /** @@ -3573,7 +3552,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_79( +libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_61( Eurydice_slice randomness) { int16_t sampled_i16s[256U] = {0U}; for (size_t i0 = (size_t)0U; @@ -3608,7 +3587,7 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_79( sampled_i16s[(size_t)8U * chunk_number + offset] = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial_from_i16_array_d6_79( + return libcrux_ml_kem_polynomial_from_i16_array_d6_61( Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } @@ -3620,7 +3599,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_sampling_sample_from_binomial_distribution_3_79( +libcrux_ml_kem_sampling_sample_from_binomial_distribution_3_61( Eurydice_slice randomness) { int16_t sampled_i16s[256U] = {0U}; for (size_t i0 = (size_t)0U; 
@@ -3654,7 +3633,7 @@ libcrux_ml_kem_sampling_sample_from_binomial_distribution_3_79( sampled_i16s[(size_t)4U * chunk_number + offset] = outcome_1 - outcome_2; } } - return libcrux_ml_kem_polynomial_from_i16_array_d6_79( + return libcrux_ml_kem_polynomial_from_i16_array_d6_61( Eurydice_array_to_slice((size_t)256U, sampled_i16s, int16_t)); } @@ -3668,7 +3647,7 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_sampling_sample_from_binomial_distribution_89( Eurydice_slice randomness) { - return libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_79( + return libcrux_ml_kem_sampling_sample_from_binomial_distribution_2_61( randomness); } @@ -3679,7 +3658,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_79( +static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { size_t step = LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT / (size_t)2U; for (size_t i = (size_t)0U; @@ -3689,12 +3668,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_at_layer_7_79( step; i++) { size_t j = i; - __m256i t = libcrux_ml_kem_vector_avx2_multiply_by_constant_ea( + __m256i t = libcrux_ml_kem_vector_avx2_multiply_by_constant_09( re->coefficients[j + step], (int16_t)-1600); re->coefficients[j + step] = - libcrux_ml_kem_vector_avx2_sub_ea(re->coefficients[j], &t); + libcrux_ml_kem_vector_avx2_sub_09(re->coefficients[j], &t); re->coefficients[j] = - libcrux_ml_kem_vector_avx2_add_ea(re->coefficients[j], &t); + libcrux_ml_kem_vector_avx2_add_09(re->coefficients[j], &t); } } 
@@ -3706,29 +3685,25 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_79( +libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re) { - libcrux_ml_kem_ntt_ntt_at_layer_7_79(/* Due to the small coefficient bound, we + libcrux_ml_kem_ntt_ntt_at_layer_7_61(/* Due to the small coefficient bound, we can skip the first round of Montgomery reductions. */ re); size_t zeta_i = (size_t)1U; - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)6U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)6U, (size_t)3U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)5U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)5U, (size_t)3U); - libcrux_ml_kem_ntt_ntt_at_layer_4_plus_79(&zeta_i, re, (size_t)4U, + libcrux_ml_kem_ntt_ntt_at_layer_4_plus_61(&zeta_i, re, (size_t)4U, (size_t)3U); - libcrux_ml_kem_ntt_ntt_at_layer_3_79(&zeta_i, re, (size_t)3U, (size_t)3U); - libcrux_ml_kem_ntt_ntt_at_layer_2_79(&zeta_i, re, (size_t)2U, (size_t)3U); - libcrux_ml_kem_ntt_ntt_at_layer_1_79(&zeta_i, re, (size_t)1U, (size_t)3U); - libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_79(re); + libcrux_ml_kem_ntt_ntt_at_layer_3_61(&zeta_i, re, (size_t)3U, (size_t)3U); + libcrux_ml_kem_ntt_ntt_at_layer_2_61(&zeta_i, re, (size_t)2U, (size_t)3U); + libcrux_ml_kem_ntt_ntt_at_layer_1_61(&zeta_i, re, (size_t)1U, (size_t)3U); + libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_61(re); } -/** - Sample a vector of ring elements from a centered binomial distribution and - convert them into their NTT representations. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -3749,6 +3724,8 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_b4( for (size_t i = (size_t)0U; i < (size_t)3U; i++) { memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } + uint8_t _prf_inputs_init[3U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)3U * sizeof(uint8_t[33U])); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; prf_inputs[i0][32U] = domain_separator; @@ -3761,7 +3738,7 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_b4( re_as_ntt[i0] = libcrux_ml_kem_sampling_sample_from_binomial_distribution_89( Eurydice_array_to_slice((size_t)128U, prf_outputs[i0], uint8_t)); - libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_79(&re_as_ntt[i0]); + libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_61(&re_as_ntt[i0]); } return domain_separator; } @@ -3780,7 +3757,7 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_out_b4( uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re_as_ntt[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - re_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_79(); + re_as_ntt[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *uu____0 = re_as_ntt; uint8_t uu____1[33U]; @@ -3811,12 +3788,9 @@ libcrux_ml_kem_hash_functions_avx2_Simd256Hash with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_closure_b4(size_t _i) { - return libcrux_ml_kem_polynomial_ZERO_d6_79(); + return libcrux_ml_kem_polynomial_ZERO_d6_61(); } -/** - Sample a vector of ring elements from a centered binomial distribution. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -3831,7 +3805,7 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_b4(uint8_t prf_input[33U], uint8_t domain_separator) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 error_1[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - error_1[i] = libcrux_ml_kem_polynomial_ZERO_d6_79(); + error_1[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } /* Passing arrays by value in Rust generates a copy in C */ uint8_t copy_of_prf_input[33U]; @@ -3840,6 +3814,8 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_b4(uint8_t prf_input[33U], for (size_t i = (size_t)0U; i < (size_t)3U; i++) { memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } + uint8_t _prf_inputs_init[3U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)3U * sizeof(uint8_t[33U])); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; prf_inputs[i0][32U] = domain_separator; @@ -3906,7 +3882,7 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_matrix_compute_vector_u_closure_ab(size_t _i) { - return libcrux_ml_kem_polynomial_ZERO_d6_79(); + return libcrux_ml_kem_polynomial_ZERO_d6_61(); } /** @@ -3921,7 +3897,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") -static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_d6_79( +static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) { for (size_t i = (size_t)0U; 
@@ -3932,10 +3908,10 @@ static KRML_MUSTINLINE void libcrux_ml_kem_polynomial_add_error_reduce_d6_79( i++) { size_t j = i; __m256i coefficient_normal_form = - libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea( + libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09( self->coefficients[j], (int16_t)1441); - self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_ea( - libcrux_ml_kem_vector_avx2_add_ea(coefficient_normal_form, + self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_09( + libcrux_ml_kem_vector_avx2_add_09(coefficient_normal_form, &error->coefficients[j])); } } @@ -3957,7 +3933,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - result[i] = libcrux_ml_kem_polynomial_ZERO_d6_79(); + result[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } for (size_t i0 = (size_t)0U; i0 < Eurydice_slice_len( @@ -3978,12 +3954,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_vector_u_ab( size_t j = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *a_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_79(a_element, &r_as_ntt[j]); + libcrux_ml_kem_polynomial_ntt_multiply_d6_61(a_element, &r_as_ntt[j]); libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result[i1], &product); } libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(&result[i1]); - libcrux_ml_kem_polynomial_add_error_reduce_d6_79(&result[i1], &error_1[i1]); + libcrux_ml_kem_polynomial_add_error_reduce_d6_61(&result[i1], &error_1[i1]); } memcpy( ret, result, 
@@ -3998,11 +3974,11 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_traits_decompress_1_79(__m256i v) { - return libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_ea( - libcrux_ml_kem_vector_avx2_sub_ea(libcrux_ml_kem_vector_avx2_ZERO_ea(), - &v), - (int16_t)1665); +libcrux_ml_kem_vector_traits_decompress_1_61(__m256i vec) { + __m256i z = libcrux_ml_kem_vector_avx2_ZERO_09(); + __m256i s = libcrux_ml_kem_vector_avx2_sub_09(z, &vec); + return libcrux_ml_kem_vector_avx2_bitwise_and_with_constant_09(s, + (int16_t)1665); } /** @@ -4013,18 +3989,18 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_serialize_deserialize_then_decompress_message_79( +libcrux_ml_kem_serialize_deserialize_then_decompress_message_61( uint8_t serialized[32U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re = - libcrux_ml_kem_polynomial_ZERO_d6_79(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t i0 = i; __m256i coefficient_compressed = - libcrux_ml_kem_vector_avx2_deserialize_1_ea( + libcrux_ml_kem_vector_avx2_deserialize_1_09( Eurydice_array_to_subslice2(serialized, (size_t)2U * i0, (size_t)2U * i0 + (size_t)2U, uint8_t)); re.coefficients[i0] = - libcrux_ml_kem_vector_traits_decompress_1_79(coefficient_compressed); + libcrux_ml_kem_vector_traits_decompress_1_61(coefficient_compressed); } return re; } 
@@ -4042,7 +4018,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_add_message_error_reduce_d6_79( +libcrux_ml_kem_polynomial_add_message_error_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result) { @@ -4050,9 +4026,9 @@ libcrux_ml_kem_polynomial_add_message_error_reduce_d6_79( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; __m256i coefficient_normal_form = - libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea( + libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09( result.coefficients[i0], (int16_t)1441); - __m256i tmp = libcrux_ml_kem_vector_avx2_add_ea( + __m256i tmp = libcrux_ml_kem_vector_avx2_add_09( self->coefficients [/* FIXME: Eurydice crashes with: Warning 11: in top-level declaration @@ -4073,9 +4049,9 @@ libcrux_ml_kem_polynomial_add_message_error_reduce_d6_79( i0], &message->coefficients[i0]); __m256i tmp0 = - libcrux_ml_kem_vector_avx2_add_ea(coefficient_normal_form, &tmp); + libcrux_ml_kem_vector_avx2_add_09(coefficient_normal_form, &tmp); result.coefficients[i0] = - libcrux_ml_kem_vector_avx2_barrett_reduce_ea(tmp0); + libcrux_ml_kem_vector_avx2_barrett_reduce_09(tmp0); } return result; } 
@@ -4097,16 +4073,16 @@ libcrux_ml_kem_matrix_compute_ring_element_v_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error_2, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *message) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 result = - libcrux_ml_kem_polynomial_ZERO_d6_79(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_79(&t_as_ntt[i0], + libcrux_ml_kem_polynomial_ntt_multiply_d6_61(&t_as_ntt[i0], &r_as_ntt[i0]); libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&result, &product); } libcrux_ml_kem_invert_ntt_invert_ntt_montgomery_ab(&result); - result = libcrux_ml_kem_polynomial_add_message_error_reduce_d6_79( + result = libcrux_ml_kem_polynomial_add_message_error_reduce_d6_61( error_2, message, result); return result; } @@ -4199,16 +4175,16 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** -A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea +A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_09 with const generics - COEFFICIENT_BITS= 10 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_ea_ef(__m256i vector) { +libcrux_ml_kem_vector_avx2_compress_09_ef(__m256i vector) { return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_ef( vector); } 
@@ -4227,11 +4203,11 @@ libcrux_ml_kem_serialize_compress_then_serialize_10_0e( for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_ea_ef( - libcrux_ml_kem_vector_traits_to_unsigned_representative_79( + __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_09_ef( + libcrux_ml_kem_serialize_to_unsigned_field_element_61( re->coefficients[i0])); uint8_t bytes[20U]; - libcrux_ml_kem_vector_avx2_serialize_10_ea(coefficient, bytes); + libcrux_ml_kem_vector_avx2_serialize_10_09(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( serialized, (size_t)20U * i0, (size_t)20U * i0 + (size_t)20U, uint8_t); Eurydice_slice_copy( @@ -4328,16 +4304,16 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_c4( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** -A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea +A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_09 with const generics - COEFFICIENT_BITS= 11 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_ea_c4(__m256i vector) { +libcrux_ml_kem_vector_avx2_compress_09_c4(__m256i vector) { return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_c4( vector); } 
@@ -4356,11 +4332,11 @@ libcrux_ml_kem_serialize_compress_then_serialize_11_0e( for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_ea_c4( - libcrux_ml_kem_vector_traits_to_unsigned_representative_79( + __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_09_c4( + libcrux_ml_kem_serialize_to_unsigned_field_element_61( re->coefficients[i0])); uint8_t bytes[22U]; - libcrux_ml_kem_vector_avx2_serialize_11_ea(coefficient, bytes); + libcrux_ml_kem_vector_avx2_serialize_11_09(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( serialized, (size_t)22U * i0, (size_t)22U * i0 + (size_t)22U, uint8_t); Eurydice_slice_copy( @@ -4380,14 +4356,11 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_a4( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, uint8_t ret[320U]) { - uint8_t uu____0[320U]; - libcrux_ml_kem_serialize_compress_then_serialize_10_0e(re, uu____0); - memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); + uint8_t result[320U]; + libcrux_ml_kem_serialize_compress_then_serialize_10_0e(re, result); + memcpy(ret, result, (size_t)320U * sizeof(uint8_t)); } -/** - Call [`compress_then_serialize_ring_element_u`] on each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -4514,16 +4487,16 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** -A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea +A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_09 with const generics - COEFFICIENT_BITS= 4 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_ea_d1(__m256i vector) { +libcrux_ml_kem_vector_avx2_compress_09_d1(__m256i vector) { return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_d1( vector); } @@ -4536,7 +4509,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_compress_then_serialize_4_79( +libcrux_ml_kem_serialize_compress_then_serialize_4_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, Eurydice_slice serialized) { for (size_t i = (size_t)0U; @@ -4546,11 +4519,11 @@ libcrux_ml_kem_serialize_compress_then_serialize_4_79( LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_ea_d1( - libcrux_ml_kem_vector_traits_to_unsigned_representative_79( + __m256i coefficient = libcrux_ml_kem_vector_avx2_compress_09_d1( + libcrux_ml_kem_serialize_to_unsigned_field_element_61( re.coefficients[i0])); uint8_t bytes[8U]; - libcrux_ml_kem_vector_avx2_serialize_4_ea(coefficient, bytes); + libcrux_ml_kem_vector_avx2_serialize_4_09(coefficient, bytes); Eurydice_slice_copy( Eurydice_slice_subslice2(serialized, (size_t)8U * i0, (size_t)8U * i0 + (size_t)8U, uint8_t), 
@@ -4646,16 +4619,16 @@ libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_f4( /** This function found in impl {(libcrux_ml_kem::vector::traits::Operations for -libcrux_ml_kem::vector::avx2::SIMD256Vector)} +libcrux_ml_kem::vector::avx2::SIMD256Vector)#2} */ /** -A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_ea +A monomorphic instance of libcrux_ml_kem.vector.avx2.compress_09 with const generics - COEFFICIENT_BITS= 5 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_avx2_compress_ea_f4(__m256i vector) { +libcrux_ml_kem_vector_avx2_compress_09_f4(__m256i vector) { return libcrux_ml_kem_vector_avx2_compress_compress_ciphertext_coefficient_f4( vector); } @@ -4668,7 +4641,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_compress_then_serialize_5_79( +libcrux_ml_kem_serialize_compress_then_serialize_5_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, Eurydice_slice serialized) { for (size_t i = (size_t)0U; @@ -4678,11 +4651,11 @@ libcrux_ml_kem_serialize_compress_then_serialize_5_79( LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficients = libcrux_ml_kem_vector_avx2_compress_ea_f4( - libcrux_ml_kem_vector_traits_to_unsigned_representative_79( + __m256i coefficients = libcrux_ml_kem_vector_avx2_compress_09_f4( + libcrux_ml_kem_serialize_to_unsigned_field_element_61( re.coefficients[i0])); uint8_t bytes[10U]; - libcrux_ml_kem_vector_avx2_serialize_5_ea(coefficients, bytes); + libcrux_ml_kem_vector_avx2_serialize_5_09(coefficients, bytes); Eurydice_slice_copy( Eurydice_slice_subslice2(serialized, (size_t)10U * i0, (size_t)10U * i0 + (size_t)10U, uint8_t), 
@@ -4701,50 +4674,9 @@ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_78( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 re, Eurydice_slice out) { - libcrux_ml_kem_serialize_compress_then_serialize_4_79(re, out); + libcrux_ml_kem_serialize_compress_then_serialize_4_61(re, out); } -/** - This function implements Algorithm 13 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. - - Algorithm 13 is reproduced below: - - ```plaintext - Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Input: message m ∈ 𝔹^{32}. - Input: encryption randomness r ∈ 𝔹^{32}. - Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - - N ← 0 - t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) - ρ ← ekₚₖₑ[384k: 384k + 32] - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - N ← N + 1 - end for - e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - r̂ ← NTT(r) - u ← NTT-¹(Âᵀ ◦ r̂) + e₁ - μ ← Decompress₁(ByteDecode₁(m))) - v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ - c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) - c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) - return c ← (c₁ ‖ c₂) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -4808,7 +4740,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_encrypt_unpacked_74( /* v := NTT^{−1}(tˆT ◦ rˆ) + e_2 + Decompress_q(Decode_1(m),1) */ memcpy(copy_of_message, message, (size_t)32U * sizeof(uint8_t)); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 message_as_ring_element = - libcrux_ml_kem_serialize_deserialize_then_decompress_message_79( + libcrux_ml_kem_serialize_deserialize_then_decompress_message_61( copy_of_message); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 v = libcrux_ml_kem_matrix_compute_ring_element_v_ab( @@ -5113,7 +5045,7 @@ with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 @@ -5269,9 +5201,9 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 libcrux_ml_kem_ind_cpa_unpacked_default_1a_ab(void) { libcrux_ml_kem_ind_cpa_unpacked_IndCpaPrivateKeyUnpacked_63 lit; - lit.secret_as_ntt[0U] = libcrux_ml_kem_polynomial_ZERO_d6_79(); - lit.secret_as_ntt[1U] = libcrux_ml_kem_polynomial_ZERO_d6_79(); - lit.secret_as_ntt[2U] = libcrux_ml_kem_polynomial_ZERO_d6_79(); + lit.secret_as_ntt[0U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.secret_as_ntt[1U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); + lit.secret_as_ntt[2U] = libcrux_ml_kem_polynomial_ZERO_d6_61(); return lit; } @@ -5310,8 +5242,8 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE __m256i -libcrux_ml_kem_vector_traits_to_standard_domain_79(__m256i v) { - return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_ea( +libcrux_ml_kem_vector_traits_to_standard_domain_61(__m256i v) { + return libcrux_ml_kem_vector_avx2_montgomery_multiply_by_constant_09( v, LIBCRUX_ML_KEM_VECTOR_TRAITS_MONTGOMERY_R_SQUARED_MOD_FIELD_MODULUS); } 
@@ -5328,7 +5260,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_79( +libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *error) { for (size_t i = (size_t)0U; @@ -5339,20 +5271,17 @@ libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_79( i++) { size_t j = i; __m256i coefficient_normal_form = - libcrux_ml_kem_vector_traits_to_standard_domain_79( + libcrux_ml_kem_vector_traits_to_standard_domain_61( self->coefficients[/* The coefficients are of the form aR^{-1} mod q, which means calling to_montgomery_domain() on them should return a mod q. */ j]); - self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_ea( - libcrux_ml_kem_vector_avx2_add_ea(coefficient_normal_form, + self->coefficients[j] = libcrux_ml_kem_vector_avx2_barrett_reduce_09( + libcrux_ml_kem_vector_avx2_add_09(coefficient_normal_form, &error->coefficients[j])); } } -/** - Compute  ◦ ŝ + ê -*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -5377,7 +5306,7 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_ab( /* This may be externally provided memory. Ensure that `t_as_ntt` is all 0. */ libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_polynomial_ZERO_d6_79(); + libcrux_ml_kem_polynomial_ZERO_d6_61(); t_as_ntt[i0] = uu____0; for (size_t i1 = (size_t)0U; i1 < Eurydice_slice_len( 
@@ -5390,57 +5319,16 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_ab( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *matrix_element = &row[j]; libcrux_ml_kem_polynomial_PolynomialRingElement_f6 product = - libcrux_ml_kem_polynomial_ntt_multiply_d6_79(matrix_element, + libcrux_ml_kem_polynomial_ntt_multiply_d6_61(matrix_element, &s_as_ntt[j]); libcrux_ml_kem_polynomial_add_to_ring_element_d6_ab(&t_as_ntt[i0], &product); } - libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_79( + libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_61( &t_as_ntt[i0], &error_as_ntt[i0]); } } -/** - This function implements most of Algorithm 12 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation - algorithm. - - We say "most of" since Algorithm 12 samples the required randomness within - the function itself, whereas this implementation expects it to be provided - through the `key_generation_seed` parameter. - - Algorithm 12 is reproduced below: - - ```plaintext - Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - - d ←$ B - (ρ,σ) ← G(d) - N ← 0 - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) - N ← N + 1 - end for - ŝ ← NTT(s) - ê ← NTT(e) - t̂ ← Â◦ŝ + ê - ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ - dkₚₖₑ ← ByteEncode₁₂(ŝ) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -5508,28 +5396,26 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_79( +libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *re, uint8_t ret[384U]) { uint8_t serialized[384U] = {0U}; for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; - __m256i coefficient = - libcrux_ml_kem_vector_traits_to_unsigned_representative_79( - re->coefficients[i0]); + __m256i coefficient = libcrux_ml_kem_serialize_to_unsigned_field_element_61( + re->coefficients[i0]); uint8_t bytes[24U]; - libcrux_ml_kem_vector_avx2_serialize_12_ea(coefficient, bytes); + libcrux_ml_kem_vector_avx2_serialize_12_09(coefficient, bytes); Eurydice_slice uu____0 = Eurydice_array_to_subslice2( serialized, (size_t)24U * i0, (size_t)24U * i0 + (size_t)24U, uint8_t); Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)24U, bytes, uint8_t), uint8_t); } - memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t)); + uint8_t result[384U]; + memcpy(result, serialized, (size_t)384U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)384U * sizeof(uint8_t)); } -/** - Call [`serialize_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector 
@@ -5556,16 +5442,13 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_secret_key_ed( (i0 + (size_t)1U) * LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); uint8_t ret0[384U]; - libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_79(&re, ret0); + libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_61(&re, ret0); Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)384U, ret0, uint8_t), uint8_t); } memcpy(ret, out, (size_t)1152U * sizeof(uint8_t)); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key_mut with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -5590,9 +5473,6 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed( seed_for_a, uint8_t); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_avx2_SIMD256Vector @@ -5715,14 +5595,6 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_serialize_kem_secret_key_ae( memcpy(ret, out, (size_t)2400U * sizeof(uint8_t)); } -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -5732,7 +5604,7 @@ with const generics - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 -- BYTES_PER_RING_ELEMENT= 1152 +- RANKED_BYTES_PER_RING_ELEMENT= 1152 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ @@ -6063,7 +5935,7 @@ with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 
@@ -6221,47 +6093,6 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_33_be( libcrux_ml_kem_hash_functions_avx2_G_a9_e0(key_generation_seed, ret); } -/** - This function implements most of Algorithm 12 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation - algorithm. - - We say "most of" since Algorithm 12 samples the required randomness within - the function itself, whereas this implementation expects it to be provided - through the `key_generation_seed` parameter. - - Algorithm 12 is reproduced below: - - ```plaintext - Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - - d ←$ B - (ρ,σ) ← G(d) - N ← 0 - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) - N ← N + 1 - end for - ŝ ← NTT(s) - ê ← NTT(e) - t̂ ← Â◦ŝ + ê - ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ - dkₚₖₑ ← ByteEncode₁₂(ŝ) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -6374,14 +6205,6 @@ libcrux_ml_kem_ind_cpa_generate_keypair_bb0( return lit; } -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_avx2_SIMD256Vector, @@ -6391,7 +6214,7 @@ with const generics - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 -- BYTES_PER_RING_ELEMENT= 1152 +- RANKED_BYTES_PER_RING_ELEMENT= 1152 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ 
@@ -6581,12 +6404,9 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_closure_b1( size_t _i) { - return libcrux_ml_kem_polynomial_ZERO_d6_79(); + return libcrux_ml_kem_polynomial_ZERO_d6_61(); } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -6610,7 +6430,7 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_b1( LIBCRUX_ML_KEM_CONSTANTS_BYTES_PER_RING_ELEMENT, uint8_t); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_79( + libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_61( ring_element); deserialized_pk[i0] = uu____0; } @@ -6636,7 +6456,7 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_b1( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 deserialized_pk[3U]; for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_d6_79(); + deserialized_pk[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_b1( public_key, deserialized_pk); 
@@ -7040,43 +6860,27 @@ static inline tuple_c2 libcrux_ml_kem_mlkem768_avx2_unpacked_encapsulate( /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.generate_keypair.closure.closure with types -libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem -with const generics +libcrux_ml_kem.ind_cca.unpacked.transpose_a.closure.closure with types +libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 -- CPA_PRIVATE_KEY_SIZE= 1152 -- PRIVATE_KEY_SIZE= 2400 -- PUBLIC_KEY_SIZE= 1184 -- BYTES_PER_RING_ELEMENT= 1152 -- ETA1= 2 -- ETA1_RANDOMNESS_SIZE= 128 */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_closure_closure_d6(size_t _j) { - return libcrux_ml_kem_polynomial_ZERO_d6_79(); +libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_closure_ab(size_t _j) { + return libcrux_ml_kem_polynomial_ZERO_d6_61(); } /** -A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.generate_keypair.closure with types -libcrux_ml_kem_vector_avx2_SIMD256Vector, -libcrux_ml_kem_hash_functions_avx2_Simd256Hash, libcrux_ml_kem_variant_MlKem +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.transpose_a.closure +with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 -- CPA_PRIVATE_KEY_SIZE= 1152 -- PRIVATE_KEY_SIZE= 2400 -- PUBLIC_KEY_SIZE= 1184 -- BYTES_PER_RING_ELEMENT= 1152 -- ETA1= 2 -- ETA1_RANDOMNESS_SIZE= 128 */ KRML_ATTRIBUTE_TARGET("avx2") -static inline void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_closure_d6( +static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_ab( size_t _i, libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U]) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - ret[i] = libcrux_ml_kem_polynomial_ZERO_d6_79(); + ret[i] = libcrux_ml_kem_polynomial_ZERO_d6_61(); } } 
@@ -7093,7 +6897,7 @@ with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_polynomial_PolynomialRingElement_f6 -libcrux_ml_kem_polynomial_clone_17_79( +libcrux_ml_kem_polynomial_clone_17_61( libcrux_ml_kem_polynomial_PolynomialRingElement_f6 *self) { libcrux_ml_kem_polynomial_PolynomialRingElement_f6 lit; __m256i ret[16U]; @@ -7104,8 +6908,37 @@ libcrux_ml_kem_polynomial_clone_17_79( } /** - Generate Unpacked Keys +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.transpose_a +with types libcrux_ml_kem_vector_avx2_SIMD256Vector +with const generics +- K= 3 */ +KRML_ATTRIBUTE_TARGET("avx2") +static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_ab( + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ind_cpa_a[3U][3U], + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 ret[3U][3U]) { + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[3U][3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_ab(i, A[i]); + } + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 _a_i[3U][3U]; + memcpy(_a_i, A, + (size_t)3U * + sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); + for (size_t i1 = (size_t)0U; i1 < (size_t)3U; i1++) { + size_t j = i1; + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = + libcrux_ml_kem_polynomial_clone_17_61(&ind_cpa_a[j][i0]); + A[i0][j] = uu____0; + } + } + memcpy(ret, A, + (size_t)3U * + sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); +} + /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.generate_keypair with types libcrux_ml_kem_vector_avx2_SIMD256Vector, 
@@ -7133,20 +6966,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_d6( libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_22( ind_cpa_keypair_randomness, &out->private_key.ind_cpa_private_key, &out->public_key.ind_cpa_public_key); + libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0[3U][3U]; + memcpy(uu____0, out->public_key.ind_cpa_public_key.A, + (size_t)3U * + sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_f6[3U])); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 A[3U][3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - libcrux_ml_kem_ind_cca_unpacked_generate_keypair_closure_d6(i, A[i]); - } - for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { - size_t i1 = i0; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____0 = - libcrux_ml_kem_polynomial_clone_17_79( - &out->public_key.ind_cpa_public_key.A[j][i1]); - A[i1][j] = uu____0; - } - } + libcrux_ml_kem_ind_cca_unpacked_transpose_a_ab(uu____0, A); libcrux_ml_kem_polynomial_PolynomialRingElement_f6 uu____1[3U][3U]; memcpy(uu____1, A, (size_t)3U * 
@@ -7241,17 +7066,17 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_generate_key_pair( /** This function found in impl {(core::default::Default for libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1])#1} +K>[TraitClause@0, TraitClause@1])} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_1c +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_09 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 -libcrux_ml_kem_ind_cca_unpacked_default_1c_ab(void) { +libcrux_ml_kem_ind_cca_unpacked_default_09_ab(void) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 lit; lit.ind_cpa_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_8d_ab(); lit.public_key_hash[0U] = 0U; @@ -7292,10 +7117,10 @@ libcrux_ml_kem_ind_cca_unpacked_default_1c_ab(void) { /** This function found in impl {(core::default::Default for libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1])#3} +K>[TraitClause@0, TraitClause@1])#1} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_07 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_53 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 @@ -7303,7 +7128,7 @@ with const generics KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked - libcrux_ml_kem_ind_cca_unpacked_default_07_ab(void) { + libcrux_ml_kem_ind_cca_unpacked_default_53_ab(void) { libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_63 uu____0; uu____0.ind_cpa_private_key = libcrux_ml_kem_ind_cpa_unpacked_default_1a_ab(); uu____0.implicit_rejection_value[0U] = 0U; 
@@ -7341,7 +7166,7 @@ static KRML_MUSTINLINE return ( CLITERAL(libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked){ .private_key = uu____0, - .public_key = libcrux_ml_kem_ind_cca_unpacked_default_1c_ab()}); + .public_key = libcrux_ml_kem_ind_cca_unpacked_default_09_ab()}); } /** @@ -7350,7 +7175,7 @@ static KRML_MUSTINLINE KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked libcrux_ml_kem_mlkem768_avx2_unpacked_init_key_pair(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_07_ab(); + return libcrux_ml_kem_ind_cca_unpacked_default_53_ab(); } /** @@ -7359,20 +7184,17 @@ libcrux_ml_kem_mlkem768_avx2_unpacked_init_key_pair(void) { KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 libcrux_ml_kem_mlkem768_avx2_unpacked_init_public_key(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_1c_ab(); + return libcrux_ml_kem_ind_cca_unpacked_default_09_ab(); } -/** - Get the serialized public key. -*/ /** This function found in impl {libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +K>[TraitClause@0, TraitClause@1]#3} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_dd with types +libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_30 with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 - RANKED_BYTES_PER_RING_ELEMENT= 1152 @@ -7380,7 +7202,7 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_ed( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_30_ed( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *self, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { libcrux_ml_kem_ind_cpa_serialize_public_key_mut_ed( 
@@ -7390,17 +7212,14 @@ libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_ed( serialized->value); } -/** - Get the serialized public key. -*/ /** This function found in impl {libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]#2} +K>[TraitClause@0, TraitClause@1]#4} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_de with types +libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_fc with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 - RANKED_BYTES_PER_RING_ELEMENT= 1152 @@ -7408,10 +7227,10 @@ libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_ed( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_fc_ed( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_ed( + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_30_ed( &self->public_key, serialized); } @@ -7423,7 +7242,7 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_key_pair_serialized_public_key( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_ed(key_pair, + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_fc_ed(key_pair, serialized); } 
@@ -7467,17 +7286,17 @@ libcrux_ml_kem_ind_cpa_unpacked_clone_ef_ab( /** This function found in impl {(core::clone::Clone for libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@2])#4} +K>[TraitClause@0, TraitClause@2])#2} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_28 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_dd with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 -libcrux_ml_kem_ind_cca_unpacked_clone_28_ab( +libcrux_ml_kem_ind_cca_unpacked_clone_dd_ab( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *self) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 lit; lit.ind_cpa_public_key = @@ -7489,23 +7308,20 @@ libcrux_ml_kem_ind_cca_unpacked_clone_28_ab( return lit; } -/** - Get the serialized public key. -*/ /** This function found in impl {libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]#2} +K>[TraitClause@0, TraitClause@1]#4} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_de +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_fc with types libcrux_ml_kem_vector_avx2_SIMD256Vector with const generics - K= 3 */ KRML_ATTRIBUTE_TARGET("avx2") static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 * -libcrux_ml_kem_ind_cca_unpacked_public_key_de_ab( +libcrux_ml_kem_ind_cca_unpacked_public_key_fc_ab( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *self) { return &self->public_key; } 
@@ -7518,8 +7334,8 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_public_key( libcrux_ml_kem_mlkem768_avx2_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *pk) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 uu____0 = - libcrux_ml_kem_ind_cca_unpacked_clone_28_ab( - libcrux_ml_kem_ind_cca_unpacked_public_key_de_ab(key_pair)); + libcrux_ml_kem_ind_cca_unpacked_clone_dd_ab( + libcrux_ml_kem_ind_cca_unpacked_public_key_fc_ab(key_pair)); pk[0U] = uu____0; } @@ -7530,13 +7346,10 @@ KRML_ATTRIBUTE_TARGET("avx2") static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_serialized_public_key( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_63 *public_key, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_ed(public_key, + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_30_ed(public_key, serialized); } -/** - Generate an unpacked key from a serialized key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.unpack_public_key with types libcrux_ml_kem_hash_functions_avx2_Simd256Hash, @@ -7639,10 +7452,10 @@ static inline void libcrux_ml_kem_mlkem768_avx2_unpacked_unpacked_public_key( /** This function found in impl {(core::clone::Clone for -libcrux_ml_kem::vector::avx2::SIMD256Vector)#1} +libcrux_ml_kem::vector::avx2::SIMD256Vector)} */ KRML_ATTRIBUTE_TARGET("avx2") -static inline __m256i libcrux_ml_kem_vector_avx2_clone_3a(__m256i *self) { +static inline __m256i libcrux_ml_kem_vector_avx2_clone_78(__m256i *self) { return self[0U]; } diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h index 7c6012c47..39353b1a5 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_avx2_types.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem768_avx2_types_H diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h index ed2d45bf4..84c23b668 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem768_portable_H 
@@ -1249,13 +1249,14 @@ libcrux_ml_kem_vector_portable_compress_compress_message_coefficient( >> 15U; int16_t shifted_to_positive = mask ^ shifted; int16_t shifted_positive_in_range = shifted_to_positive - (int16_t)832; - return (uint8_t)(/* If x <= 831, then x - 832 <= -1, and so x - 832 < 0, which - means the most significant bit of - shifted_positive_in_range will be 1. */ - shifted_positive_in_range + int16_t r0 = + /* If x <= 831, then x - 832 <= -1, and so x - 832 < 0, which means the + most significant bit of shifted_positive_in_range will be 1. */ + shifted_positive_in_range - >> 15U & - (int16_t)1); + >> 15U; + int16_t r1 = r0 & (int16_t)1; + return (uint8_t)r1; } static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -2516,9 +2517,6 @@ libcrux_ml_kem_serialize_deserialize_to_uncompressed_ring_element_8c( return re; } -/** - Call [`deserialize_to_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -2573,21 +2571,17 @@ const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; - i < - /* debug_assert!(to_i16_array(v) .into_iter() .all(|coefficient| - coefficient.abs() < 1 << COEFFICIENT_BITS)); */ - LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - i++) { + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - int32_t decompressed = (int32_t)v.elements[i0] * + int32_t decompressed = (int32_t)a.elements[i0] * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)10); decompressed = decompressed >> (uint32_t)((int32_t)10 + (int32_t)1); - v.elements[i0] = (int16_t)decompressed; + a.elements[i0] = (int16_t)decompressed; } - return v; + return a; } /** 
@@ -2641,21 +2635,17 @@ const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_c4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; - i < - /* debug_assert!(to_i16_array(v) .into_iter() .all(|coefficient| - coefficient.abs() < 1 << COEFFICIENT_BITS)); */ - LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - i++) { + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - int32_t decompressed = (int32_t)v.elements[i0] * + int32_t decompressed = (int32_t)a.elements[i0] * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)11); decompressed = decompressed >> (uint32_t)((int32_t)11 + (int32_t)1); - v.elements[i0] = (int16_t)decompressed; + a.elements[i0] = (int16_t)decompressed; } - return v; + return a; } /** @@ -2900,10 +2890,6 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ntt_ntt_vector_u_0a( libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_8c(re); } -/** - Call [`deserialize_then_decompress_ring_element_u`] on each ring element - in the `ciphertext`. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.deserialize_then_decompress_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -2955,21 +2941,17 @@ const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; - i < - /* debug_assert!(to_i16_array(v) .into_iter() .all(|coefficient| - coefficient.abs() < 1 << COEFFICIENT_BITS)); */ - LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - i++) { + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - int32_t decompressed = (int32_t)v.elements[i0] * + int32_t decompressed = (int32_t)a.elements[i0] * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)4); decompressed = decompressed >> (uint32_t)((int32_t)4 + (int32_t)1); - v.elements[i0] = (int16_t)decompressed; + a.elements[i0] = (int16_t)decompressed; } - return v; + return a; } /** 
@@ -3023,21 +3005,17 @@ const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_decompress_ciphertext_coefficient_f4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; - i < - /* debug_assert!(to_i16_array(v) .into_iter() .all(|coefficient| - coefficient.abs() < 1 << COEFFICIENT_BITS)); */ - LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; - i++) { + i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; - int32_t decompressed = (int32_t)v.elements[i0] * + int32_t decompressed = (int32_t)a.elements[i0] * (int32_t)LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_MODULUS; decompressed = (decompressed << 1U) + ((int32_t)1 << (uint32_t)(int32_t)5); decompressed = decompressed >> (uint32_t)((int32_t)5 + (int32_t)1); - v.elements[i0] = (int16_t)decompressed; + a.elements[i0] = (int16_t)decompressed; } - return v; + return a; } /** @@ -3466,6 +3444,20 @@ libcrux_ml_kem_vector_traits_to_unsigned_representative_8c( return libcrux_ml_kem_vector_portable_add_0d(a, &fm); } +/** +A monomorphic instance of libcrux_ml_kem.serialize.to_unsigned_field_element +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics + +*/ +static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector +libcrux_ml_kem_serialize_to_unsigned_field_element_8c( + libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector result = + libcrux_ml_kem_vector_traits_to_unsigned_representative_8c(a); + return result; +} + /** A monomorphic instance of libcrux_ml_kem.serialize.compress_then_serialize_message with types 
@@ -3479,7 +3471,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_message_8c( for (size_t i = (size_t)0U; i < (size_t)16U; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_traits_to_unsigned_representative_8c( + libcrux_ml_kem_serialize_to_unsigned_field_element_8c( re.coefficients[i0]); libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient_compressed = @@ -3492,33 +3484,11 @@ libcrux_ml_kem_serialize_compress_then_serialize_message_8c( Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)2U, bytes, uint8_t), uint8_t); } - memcpy(ret, serialized, (size_t)32U * sizeof(uint8_t)); + uint8_t result[32U]; + memcpy(result, serialized, (size_t)32U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)32U * sizeof(uint8_t)); } -/** - This function implements Algorithm 14 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE decryption algorithm. - - Algorithm 14 is reproduced below: - - ```plaintext - Input: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - Input: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - Output: message m ∈ 𝔹^{32}. - - c₁ ← c[0 : 32dᵤk] - c₂ ← c[32dᵤk : 32(dᵤk + dᵥ)] - u ← Decompress_{dᵤ}(ByteDecode_{dᵤ}(c₁)) - v ← Decompress_{dᵥ}(ByteDecode_{dᵥ}(c₂)) - ŝ ← ByteDecode₁₂(dkₚₖₑ) - w ← v - NTT-¹(ŝᵀ ◦ NTT(u)) - m ← ByteEncode₁(Compress₁(w)) - return m - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.decrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -3690,9 +3660,6 @@ libcrux_ml_kem_serialize_deserialize_to_reduced_ring_element_8c( return re; } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types 
@@ -4432,10 +4399,6 @@ libcrux_ml_kem_ntt_ntt_binomially_sampled_ring_element_8c( libcrux_ml_kem_polynomial_poly_barrett_reduce_d6_8c(re); } -/** - Sample a vector of ring elements from a centered binomial distribution and - convert them into their NTT representations. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_vector_cbd_then_ntt with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -4456,6 +4419,8 @@ libcrux_ml_kem_ind_cpa_sample_vector_cbd_then_ntt_3b( for (size_t i = (size_t)0U; i < (size_t)3U; i++) { memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } + uint8_t _prf_inputs_init[3U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)3U * sizeof(uint8_t[33U])); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; prf_inputs[i0][32U] = domain_separator; @@ -4521,9 +4486,6 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_closure_3b(size_t _i) { return libcrux_ml_kem_polynomial_ZERO_d6_8c(); } -/** - Sample a vector of ring elements from a centered binomial distribution. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.sample_ring_element_cbd with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -4547,6 +4509,8 @@ libcrux_ml_kem_ind_cpa_sample_ring_element_cbd_3b(uint8_t prf_input[33U], for (size_t i = (size_t)0U; i < (size_t)3U; i++) { memcpy(prf_inputs[i], copy_of_prf_input, (size_t)33U * sizeof(uint8_t)); } + uint8_t _prf_inputs_init[3U][33U]; + memcpy(_prf_inputs_init, prf_inputs, (size_t)3U * sizeof(uint8_t[33U])); for (size_t i = (size_t)0U; i < (size_t)3U; i++) { size_t i0 = i; prf_inputs[i0][32U] = domain_separator; 
@@ -4703,11 +4667,15 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_traits_decompress_1_8c( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { - libcrux_ml_kem_vector_portable_vector_type_PortableVector uu____0 = + libcrux_ml_kem_vector_portable_vector_type_PortableVector vec) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector z = libcrux_ml_kem_vector_portable_ZERO_0d(); - return libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d( - libcrux_ml_kem_vector_portable_sub_0d(uu____0, &v), (int16_t)1665); + libcrux_ml_kem_vector_portable_vector_type_PortableVector s = + libcrux_ml_kem_vector_portable_sub_0d(z, &vec); + libcrux_ml_kem_vector_portable_vector_type_PortableVector res = + libcrux_ml_kem_vector_portable_bitwise_and_with_constant_0d( + s, (int16_t)1665); + return res; } /** @@ -4828,16 +4796,16 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_compress_ef( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( - (uint8_t)(int32_t)10, (uint16_t)v.elements[i0]); - v.elements[i0] = uu____0; + (uint8_t)(int32_t)10, (uint16_t)a.elements[i0]); + a.elements[i0] = uu____0; } - return v; + return a; } /** 
@@ -4870,7 +4838,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_10_ff( size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = libcrux_ml_kem_vector_portable_compress_0d_ef( - libcrux_ml_kem_vector_traits_to_unsigned_representative_8c( + libcrux_ml_kem_serialize_to_unsigned_field_element_8c( re->coefficients[i0])); uint8_t bytes[20U]; libcrux_ml_kem_vector_portable_serialize_10_0d(coefficient, bytes); @@ -4889,16 +4857,16 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_compress_c4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( - (uint8_t)(int32_t)11, (uint16_t)v.elements[i0]); - v.elements[i0] = uu____0; + (uint8_t)(int32_t)11, (uint16_t)a.elements[i0]); + a.elements[i0] = uu____0; } - return v; + return a; } /** @@ -4931,7 +4899,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_11_ff( size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = libcrux_ml_kem_vector_portable_compress_0d_c4( - libcrux_ml_kem_vector_traits_to_unsigned_representative_8c( + libcrux_ml_kem_serialize_to_unsigned_field_element_8c( re->coefficients[i0])); uint8_t bytes[22U]; libcrux_ml_kem_vector_portable_serialize_11_0d(coefficient, bytes); 
@@ -4953,14 +4921,11 @@ libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics static KRML_MUSTINLINE void libcrux_ml_kem_serialize_compress_then_serialize_ring_element_u_fe( libcrux_ml_kem_polynomial_PolynomialRingElement_1d *re, uint8_t ret[320U]) { - uint8_t uu____0[320U]; - libcrux_ml_kem_serialize_compress_then_serialize_10_ff(re, uu____0); - memcpy(ret, uu____0, (size_t)320U * sizeof(uint8_t)); + uint8_t result[320U]; + libcrux_ml_kem_serialize_compress_then_serialize_10_ff(re, result); + memcpy(ret, result, (size_t)320U * sizeof(uint8_t)); } -/** - Call [`compress_then_serialize_ring_element_u`] on each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.compress_then_serialize_u with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -5005,16 +4970,16 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_compress_d1( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( - (uint8_t)(int32_t)4, (uint16_t)v.elements[i0]); - v.elements[i0] = uu____0; + (uint8_t)(int32_t)4, (uint16_t)a.elements[i0]); + a.elements[i0] = uu____0; } - return v; + return a; } /** @@ -5051,7 +5016,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_4_8c( size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = libcrux_ml_kem_vector_portable_compress_0d_d1( - libcrux_ml_kem_vector_traits_to_unsigned_representative_8c( + libcrux_ml_kem_serialize_to_unsigned_field_element_8c( re.coefficients[i0])); uint8_t bytes[8U]; libcrux_ml_kem_vector_portable_serialize_4_0d(coefficient, bytes); 
@@ -5069,16 +5034,16 @@ with const generics */ static KRML_MUSTINLINE libcrux_ml_kem_vector_portable_vector_type_PortableVector libcrux_ml_kem_vector_portable_compress_compress_f4( - libcrux_ml_kem_vector_portable_vector_type_PortableVector v) { + libcrux_ml_kem_vector_portable_vector_type_PortableVector a) { for (size_t i = (size_t)0U; i < LIBCRUX_ML_KEM_VECTOR_TRAITS_FIELD_ELEMENTS_IN_VECTOR; i++) { size_t i0 = i; int16_t uu____0 = libcrux_ml_kem_vector_portable_compress_compress_ciphertext_coefficient( - (uint8_t)(int32_t)5, (uint16_t)v.elements[i0]); - v.elements[i0] = uu____0; + (uint8_t)(int32_t)5, (uint16_t)a.elements[i0]); + a.elements[i0] = uu____0; } - return v; + return a; } /** @@ -5115,7 +5080,7 @@ libcrux_ml_kem_serialize_compress_then_serialize_5_8c( size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficients = libcrux_ml_kem_vector_portable_compress_0d_f4( - libcrux_ml_kem_vector_traits_to_unsigned_representative_8c( + libcrux_ml_kem_serialize_to_unsigned_field_element_8c( re.coefficients[i0])); uint8_t bytes[10U]; libcrux_ml_kem_vector_portable_serialize_5_0d(coefficients, bytes); 
@@ -5139,47 +5104,6 @@ libcrux_ml_kem_serialize_compress_then_serialize_ring_element_v_ff( libcrux_ml_kem_serialize_compress_then_serialize_4_8c(re, out); } -/** - This function implements Algorithm 13 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE encryption algorithm. - - Algorithm 13 is reproduced below: - - ```plaintext - Input: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Input: message m ∈ 𝔹^{32}. - Input: encryption randomness r ∈ 𝔹^{32}. - Output: ciphertext c ∈ 𝔹^{32(dᵤk + dᵥ)}. - - N ← 0 - t̂ ← ByteDecode₁₂(ekₚₖₑ[0:384k]) - ρ ← ekₚₖₑ[384k: 384k + 32] - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - r[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(r,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e₁[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - N ← N + 1 - end for - e₂ ← SamplePolyCBD_{η₂}(PRF_{η₂}(r,N)) - r̂ ← NTT(r) - u ← NTT-¹(Âᵀ ◦ r̂) + e₁ - μ ← Decompress₁(ByteDecode₁(m))) - v ← NTT-¹(t̂ᵀ ◦ rˆ) + e₂ + μ - c₁ ← ByteEncode_{dᵤ}(Compress_{dᵤ}(u)) - c₂ ← ByteEncode_{dᵥ}(Compress_{dᵥ}(v)) - return c ← (c₁ ‖ c₂) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.encrypt_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -5517,7 +5441,7 @@ libcrux_ml_kem_variant_MlKem with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 @@ -5722,9 +5646,6 @@ libcrux_ml_kem_polynomial_add_standard_error_reduce_d6_8c( } } -/** - Compute  ◦ ŝ + ê -*/ /** A monomorphic instance of libcrux_ml_kem.matrix.compute_As_plus_e with types libcrux_ml_kem_vector_portable_vector_type_PortableVector 
@@ -5771,47 +5692,6 @@ static KRML_MUSTINLINE void libcrux_ml_kem_matrix_compute_As_plus_e_1b( } } -/** - This function implements most of Algorithm 12 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation - algorithm. - - We say "most of" since Algorithm 12 samples the required randomness within - the function itself, whereas this implementation expects it to be provided - through the `key_generation_seed` parameter. - - Algorithm 12 is reproduced below: - - ```plaintext - Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - - d ←$ B - (ρ,σ) ← G(d) - N ← 0 - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) - N ← N + 1 - end for - ŝ ← NTT(s) - ê ← NTT(e) - t̂ ← Â◦ŝ + ê - ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ - dkₚₖₑ ← ByteEncode₁₂(ŝ) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -5884,7 +5764,7 @@ libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_8c( i < LIBCRUX_ML_KEM_POLYNOMIAL_VECTORS_IN_RING_ELEMENT; i++) { size_t i0 = i; libcrux_ml_kem_vector_portable_vector_type_PortableVector coefficient = - libcrux_ml_kem_vector_traits_to_unsigned_representative_8c( + libcrux_ml_kem_serialize_to_unsigned_field_element_8c( re->coefficients[i0]); uint8_t bytes[24U]; libcrux_ml_kem_vector_portable_serialize_12_0d(coefficient, bytes); 
@@ -5893,12 +5773,11 @@ libcrux_ml_kem_serialize_serialize_uncompressed_ring_element_8c( Eurydice_slice_copy( uu____0, Eurydice_array_to_slice((size_t)24U, bytes, uint8_t), uint8_t); } - memcpy(ret, serialized, (size_t)384U * sizeof(uint8_t)); + uint8_t result[384U]; + memcpy(result, serialized, (size_t)384U * sizeof(uint8_t)); + memcpy(ret, result, (size_t)384U * sizeof(uint8_t)); } -/** - Call [`serialize_uncompressed_ring_element`] for each ring element. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_secret_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -5931,9 +5810,6 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_secret_key_89( memcpy(ret, out, (size_t)1152U * sizeof(uint8_t)); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key_mut with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -5957,9 +5833,6 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cpa_serialize_public_key_mut_6c( seed_for_a, uint8_t); } -/** - Concatenate `t` and `ρ` into the public key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.serialize_public_key with types libcrux_ml_kem_vector_portable_vector_type_PortableVector @@ -6079,14 +5952,6 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_serialize_kem_secret_key_d6( memcpy(ret, out, (size_t)2400U * sizeof(uint8_t)); } -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -6096,7 +5961,7 @@ libcrux_ml_kem_variant_MlKem with const generics - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 -- BYTES_PER_RING_ELEMENT= 1152 +- RANKED_BYTES_PER_RING_ELEMENT= 1152 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ 
@@ -6371,7 +6236,7 @@ libcrux_ml_kem_variant_Kyber with const generics - C2_SIZE= 128 - VECTOR_U_COMPRESSION_FACTOR= 10 - VECTOR_V_COMPRESSION_FACTOR= 4 -- VECTOR_U_BLOCK_LEN= 320 +- C1_BLOCK_SIZE= 320 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 - ETA2= 2 @@ -6498,47 +6363,6 @@ static KRML_MUSTINLINE void libcrux_ml_kem_variant_cpa_keygen_seed_33_9c( libcrux_ml_kem_hash_functions_portable_G_f1_e0(key_generation_seed, ret); } -/** - This function implements most of Algorithm 12 of the - NIST FIPS 203 specification; this is the Kyber CPA-PKE key generation - algorithm. - - We say "most of" since Algorithm 12 samples the required randomness within - the function itself, whereas this implementation expects it to be provided - through the `key_generation_seed` parameter. - - Algorithm 12 is reproduced below: - - ```plaintext - Output: encryption key ekₚₖₑ ∈ 𝔹^{384k+32}. - Output: decryption key dkₚₖₑ ∈ 𝔹^{384k}. - - d ←$ B - (ρ,σ) ← G(d) - N ← 0 - for (i ← 0; i < k; i++) - for(j ← 0; j < k; j++) - Â[i,j] ← SampleNTT(XOF(ρ, i, j)) - end for - end for - for(i ← 0; i < k; i++) - s[i] ← SamplePolyCBD_{η₁}(PRF_{η₁}(σ,N)) - N ← N + 1 - end for - for(i ← 0; i < k; i++) - e[i] ← SamplePolyCBD_{η₂}(PRF_{η₂}(σ,N)) - N ← N + 1 - end for - ŝ ← NTT(s) - ê ← NTT(e) - t̂ ← Â◦ŝ + ê - ekₚₖₑ ← ByteEncode₁₂(t̂) ‖ ρ - dkₚₖₑ ← ByteEncode₁₂(ŝ) - ``` - - The NIST FIPS 203 standard can be found at - . -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cpa.generate_keypair_unpacked with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, @@ -6649,14 +6473,6 @@ libcrux_ml_kem_ind_cpa_generate_keypair_150( return lit; } -/** - Packed API - - Generate a key pair. - - Depending on the `Vector` and `Hasher` used, this requires different hardware - features -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, 
@@ -6666,7 +6482,7 @@ libcrux_ml_kem_variant_Kyber with const generics - CPA_PRIVATE_KEY_SIZE= 1152 - PRIVATE_KEY_SIZE= 2400 - PUBLIC_KEY_SIZE= 1184 -- BYTES_PER_RING_ELEMENT= 1152 +- RANKED_BYTES_PER_RING_ELEMENT= 1152 - ETA1= 2 - ETA1_RANDOMNESS_SIZE= 128 */ @@ -6772,9 +6588,6 @@ static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_private_key_37( (size_t)32U, t, &expected, uint8_t, uint8_t, bool); } -/** - Portable private key validation -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.validate_private_key with const @@ -6783,7 +6596,7 @@ generics - SECRET_KEY_SIZE= 2400 - CIPHERTEXT_SIZE= 1088 */ -static inline bool +static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_instantiations_portable_validate_private_key_31( libcrux_ml_kem_types_MlKemPrivateKey_d9 *private_key, libcrux_ml_kem_mlkem768_MlKem768Ciphertext *ciphertext) { @@ -6817,9 +6630,6 @@ libcrux_ml_kem_serialize_deserialize_ring_elements_reduced_out_closure_c0( return libcrux_ml_kem_polynomial_ZERO_d6_8c(); } -/** - See [deserialize_ring_elements_reduced_out]. -*/ /** A monomorphic instance of libcrux_ml_kem.serialize.deserialize_ring_elements_reduced with types @@ -6909,9 +6719,6 @@ static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_validate_public_key_6c( (size_t)1184U, public_key, public_key_serialized, uint8_t, uint8_t, bool); } -/** - Portable public key validation -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.instantiations.portable.validate_public_key with const @@ -6920,7 +6727,7 @@ generics - RANKED_BYTES_PER_RING_ELEMENT= 1152 - PUBLIC_KEY_SIZE= 1184 */ -static inline bool +static KRML_MUSTINLINE bool libcrux_ml_kem_ind_cca_instantiations_portable_validate_public_key_31( uint8_t *public_key) { return libcrux_ml_kem_ind_cca_validate_public_key_6c(public_key); 
@@ -7190,38 +6997,22 @@ static inline tuple_c2 libcrux_ml_kem_mlkem768_portable_unpacked_encapsulate( /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.generate_keypair.closure.closure with types -libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], -libcrux_ml_kem_variant_MlKem with const generics +libcrux_ml_kem.ind_cca.unpacked.transpose_a.closure.closure with types +libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 -- CPA_PRIVATE_KEY_SIZE= 1152 -- PRIVATE_KEY_SIZE= 2400 -- PUBLIC_KEY_SIZE= 1184 -- BYTES_PER_RING_ELEMENT= 1152 -- ETA1= 2 -- ETA1_RANDOMNESS_SIZE= 128 */ static inline libcrux_ml_kem_polynomial_PolynomialRingElement_1d -libcrux_ml_kem_ind_cca_unpacked_generate_keypair_closure_closure_f8(size_t _j) { +libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_closure_1b(size_t _j) { return libcrux_ml_kem_polynomial_ZERO_d6_8c(); } /** -A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.generate_keypair.closure with types -libcrux_ml_kem_vector_portable_vector_type_PortableVector, -libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], -libcrux_ml_kem_variant_MlKem with const generics +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.transpose_a.closure +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics - K= 3 -- CPA_PRIVATE_KEY_SIZE= 1152 -- PRIVATE_KEY_SIZE= 2400 -- PUBLIC_KEY_SIZE= 1184 -- BYTES_PER_RING_ELEMENT= 1152 -- ETA1= 2 -- ETA1_RANDOMNESS_SIZE= 128 */ -static inline void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_closure_f8( +static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_1b( size_t _i, libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U]) { for (size_t i = (size_t)0U; i < (size_t)3U; i++) { ret[i] = libcrux_ml_kem_polynomial_ZERO_d6_8c(); 
@@ -7254,8 +7045,36 @@ libcrux_ml_kem_polynomial_clone_17_8c( } /** - Generate Unpacked Keys +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.transpose_a +with types libcrux_ml_kem_vector_portable_vector_type_PortableVector +with const generics +- K= 3 */ +static inline void libcrux_ml_kem_ind_cca_unpacked_transpose_a_1b( + libcrux_ml_kem_polynomial_PolynomialRingElement_1d ind_cpa_a[3U][3U], + libcrux_ml_kem_polynomial_PolynomialRingElement_1d ret[3U][3U]) { + libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[3U][3U]; + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + libcrux_ml_kem_ind_cca_unpacked_transpose_a_closure_1b(i, A[i]); + } + for (size_t i = (size_t)0U; i < (size_t)3U; i++) { + size_t i0 = i; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d _a_i[3U][3U]; + memcpy(_a_i, A, + (size_t)3U * + sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); + for (size_t i1 = (size_t)0U; i1 < (size_t)3U; i1++) { + size_t j = i1; + libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = + libcrux_ml_kem_polynomial_clone_17_8c(&ind_cpa_a[j][i0]); + A[i0][j] = uu____0; + } + } + memcpy(ret, A, + (size_t)3U * + sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); +} + /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.generate_keypair with types libcrux_ml_kem_vector_portable_vector_type_PortableVector, 
@@ -7282,20 +7101,12 @@ static KRML_MUSTINLINE void libcrux_ml_kem_ind_cca_unpacked_generate_keypair_f8( libcrux_ml_kem_ind_cpa_generate_keypair_unpacked_1c( ind_cpa_keypair_randomness, &out->private_key.ind_cpa_private_key, &out->public_key.ind_cpa_public_key); + libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0[3U][3U]; + memcpy(uu____0, out->public_key.ind_cpa_public_key.A, + (size_t)3U * + sizeof(libcrux_ml_kem_polynomial_PolynomialRingElement_1d[3U])); libcrux_ml_kem_polynomial_PolynomialRingElement_1d A[3U][3U]; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - libcrux_ml_kem_ind_cca_unpacked_generate_keypair_closure_f8(i, A[i]); - } - for (size_t i0 = (size_t)0U; i0 < (size_t)3U; i0++) { - size_t i1 = i0; - for (size_t i = (size_t)0U; i < (size_t)3U; i++) { - size_t j = i; - libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____0 = - libcrux_ml_kem_polynomial_clone_17_8c( - &out->public_key.ind_cpa_public_key.A[j][i1]); - A[i1][j] = uu____0; - } - } + libcrux_ml_kem_ind_cca_unpacked_transpose_a_1b(uu____0, A); libcrux_ml_kem_polynomial_PolynomialRingElement_1d uu____1[3U][3U]; memcpy(uu____1, A, (size_t)3U * 
@@ -7365,16 +7176,16 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_generate_key_pair( /** This function found in impl {(core::default::Default for libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1])#1} +K>[TraitClause@0, TraitClause@1])} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_1c +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_09 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 -libcrux_ml_kem_ind_cca_unpacked_default_1c_1b(void) { +libcrux_ml_kem_ind_cca_unpacked_default_09_1b(void) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 lit; lit.ind_cpa_public_key = libcrux_ml_kem_ind_cpa_unpacked_default_8d_1b(); lit.public_key_hash[0U] = 0U; @@ -7415,17 +7226,17 @@ libcrux_ml_kem_ind_cca_unpacked_default_1c_1b(void) { /** This function found in impl {(core::default::Default for libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1])#3} +K>[TraitClause@0, TraitClause@1])#1} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_07 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.default_53 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ static KRML_MUSTINLINE libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked - libcrux_ml_kem_ind_cca_unpacked_default_07_1b(void) { + libcrux_ml_kem_ind_cca_unpacked_default_53_1b(void) { libcrux_ml_kem_ind_cca_unpacked_MlKemPrivateKeyUnpacked_a0 uu____0; uu____0.ind_cpa_private_key = libcrux_ml_kem_ind_cpa_unpacked_default_1a_1b(); uu____0.implicit_rejection_value[0U] = 0U; 
@@ -7463,7 +7274,7 @@ static KRML_MUSTINLINE return (CLITERAL( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked){ .private_key = uu____0, - .public_key = libcrux_ml_kem_ind_cca_unpacked_default_1c_1b()}); + .public_key = libcrux_ml_kem_ind_cca_unpacked_default_09_1b()}); } /** @@ -7471,7 +7282,7 @@ static KRML_MUSTINLINE */ static inline libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked libcrux_ml_kem_mlkem768_portable_unpacked_init_key_pair(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_07_1b(); + return libcrux_ml_kem_ind_cca_unpacked_default_53_1b(); } /** @@ -7479,27 +7290,24 @@ libcrux_ml_kem_mlkem768_portable_unpacked_init_key_pair(void) { */ static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 libcrux_ml_kem_mlkem768_portable_unpacked_init_public_key(void) { - return libcrux_ml_kem_ind_cca_unpacked_default_1c_1b(); + return libcrux_ml_kem_ind_cca_unpacked_default_09_1b(); } -/** - Get the serialized public key. -*/ /** This function found in impl {libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@1]} +K>[TraitClause@0, TraitClause@1]#3} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_dd with types +libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_30 with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 - RANKED_BYTES_PER_RING_ELEMENT= 1152 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_6c( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_30_6c( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *self, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { libcrux_ml_kem_ind_cpa_serialize_public_key_mut_6c( 
@@ -7509,27 +7317,24 @@ libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_6c( serialized->value); } -/** - Get the serialized public key. -*/ /** This function found in impl {libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]#2} +K>[TraitClause@0, TraitClause@1]#4} */ /** A monomorphic instance of -libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_de with types +libcrux_ml_kem.ind_cca.unpacked.serialized_public_key_mut_fc with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 - RANKED_BYTES_PER_RING_ELEMENT= 1152 - PUBLIC_KEY_SIZE= 1184 */ static KRML_MUSTINLINE void -libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_6c( +libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_fc_6c( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_6c( + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_30_6c( &self->public_key, serialized); } @@ -7540,7 +7345,7 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_key_pair_serialized_public_key( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_de_6c(key_pair, + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_fc_6c(key_pair, serialized); } 
@@ -7583,16 +7388,16 @@ libcrux_ml_kem_ind_cpa_unpacked_clone_ef_1b( /** This function found in impl {(core::clone::Clone for libcrux_ml_kem::ind_cca::unpacked::MlKemPublicKeyUnpacked[TraitClause@0, TraitClause@2])#4} +K>[TraitClause@0, TraitClause@2])#2} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_28 +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.clone_dd with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ static inline libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 -libcrux_ml_kem_ind_cca_unpacked_clone_28_1b( +libcrux_ml_kem_ind_cca_unpacked_clone_dd_1b( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *self) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 lit; lit.ind_cpa_public_key = @@ -7604,22 +7409,19 @@ libcrux_ml_kem_ind_cca_unpacked_clone_28_1b( return lit; } -/** - Get the serialized public key. -*/ /** This function found in impl {libcrux_ml_kem::ind_cca::unpacked::MlKemKeyPairUnpacked[TraitClause@0, TraitClause@1]#2} +K>[TraitClause@0, TraitClause@1]#4} */ /** -A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_de +A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.public_key_fc with types libcrux_ml_kem_vector_portable_vector_type_PortableVector with const generics - K= 3 */ static KRML_MUSTINLINE libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 * -libcrux_ml_kem_ind_cca_unpacked_public_key_de_1b( +libcrux_ml_kem_ind_cca_unpacked_public_key_fc_1b( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *self) { return &self->public_key; } 
@@ -7631,8 +7433,8 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_public_key( libcrux_ml_kem_mlkem768_portable_unpacked_MlKem768KeyPairUnpacked *key_pair, libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *pk) { libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 uu____0 = - libcrux_ml_kem_ind_cca_unpacked_clone_28_1b( - libcrux_ml_kem_ind_cca_unpacked_public_key_de_1b(key_pair)); + libcrux_ml_kem_ind_cca_unpacked_clone_dd_1b( + libcrux_ml_kem_ind_cca_unpacked_public_key_fc_1b(key_pair)); pk[0U] = uu____0; } @@ -7643,13 +7445,10 @@ static inline void libcrux_ml_kem_mlkem768_portable_unpacked_serialized_public_key( libcrux_ml_kem_ind_cca_unpacked_MlKemPublicKeyUnpacked_a0 *public_key, libcrux_ml_kem_types_MlKemPublicKey_30 *serialized) { - libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_dd_6c(public_key, + libcrux_ml_kem_ind_cca_unpacked_serialized_public_key_mut_30_6c(public_key, serialized); } -/** - Generate an unpacked key from a serialized key. -*/ /** A monomorphic instance of libcrux_ml_kem.ind_cca.unpacked.unpack_public_key with types libcrux_ml_kem_hash_functions_portable_PortableHash[[$3size_t]], diff --git a/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h b/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h index 1d9e30625..295930891 100644 --- a/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h +++ b/libcrux-ml-kem/cg/libcrux_mlkem768_portable_types.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_mlkem768_portable_types_H diff --git a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h index 35fa95616..06d007894 100644 --- a/libcrux-ml-kem/cg/libcrux_sha3_avx2.h +++ b/libcrux-ml-kem/cg/libcrux_sha3_avx2.h @@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_sha3_avx2_H diff --git a/libcrux-ml-kem/cg/libcrux_sha3_portable.h b/libcrux-ml-kem/cg/libcrux_sha3_portable.h index b814c2361..85b7f55e1 100644 --- a/libcrux-ml-kem/cg/libcrux_sha3_portable.h +++ b/libcrux-ml-kem/cg/libcrux_sha3_portable.h 
@@ -4,11 +4,11 @@ * SPDX-License-Identifier: MIT or Apache-2.0 * * This code was generated with the following revisions: - * Charon: 45f5a34f336e35c6cc2253bc90cbdb8d812cefa9 + * Charon: 3a133fe0eee9bd3928d5bb16c24ddd2dd0f3ee7f * Eurydice: 1fff1c51ae6e6c87eafd28ec9d5594f54bc91c0c - * Karamel: 8c3612018c25889288da6857771be3ad03b75bcd - * F*: 5643e656b989aca7629723653a2570c7df6252b9-dirty - * Libcrux: a31e411ce57494f7a7e8c5962c9951a52a62c770 + * Karamel: c31a22c1e07d2118c07ee5cebb640d863e31a198 + * F*: 2c32d6e230851bbceadac7a21fc418fa2bb7e4bc + * Libcrux: 4996d487b60ebd3e41551da8c2a59653beadcb77 */ #ifndef __libcrux_sha3_portable_H